VP of Compliance with extensive experience in the technology space with more than 25 years spanning disciplines in software development, IT support, program and project management and most recently IT Security and Compliance management. Key areas of focus include: Information Technology, Internal Controls over financial reporting, Sarbanes-Oxley, PCI DSS, and HIPAA/HITECH compliance. Experienced in security training and awareness as part of corporate governance and regulatory compliance. ISACA Member & CISA Certified
In 1995 the Secure Shell (SSH) protocol was invented, and it soon became the gold standard for data-in-transit security. Today Secure Shell is one of the most widely used protocols in the world. In an effort to shed light on SSH and to ensure organizations are aware of SSH key-based access, Tatu Ylonen, along with key leaders in the industry, partnered with NIST to publish NISTIR 7966.
Let us take a step back and look at NIST, NISTIR and then the new NISTIR 7966 publication.
What is NIST?
The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation’s oldest physical science laboratories. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
What is NISTIR?
NIST Internal or Interagency Reports (NISTIRs) describe research of a technical nature of interest to a specialized audience. The series includes interim or final reports on work performed by NIST for outside sponsors (both government and nongovernment). NISTIRs may also report results of NIST projects of transitory or limited interest, including those that will be published subsequently in more comprehensive form.
What is NISTIR 7966?
NISTIR 7966 is titled “Security of Interactive and Automated Access Management Using Secure Shell (SSH).” It was published as a draft in August 2014, as a second draft in March 2015, and in its final, official form in October 2015. This publication helps organizations understand the basics of SSH interactive and automated access management in an enterprise, focusing on the management of SSH user keys.
To summarize this publication: users and hosts must be able to access other hosts in an interactive or automated fashion, often with very high privileges. This is necessary for a variety of reasons, including file transfers, disaster recovery, privileged access management, software and patch management, and dynamic cloud provisioning. Accessing other hosts is often accomplished using the Secure Shell (SSH) protocol. The SSH protocol supports several mechanisms for interactive and automated authentication. Management of this access requires proper provisioning, termination, and monitoring processes. However, the security of SSH key-based access has been largely ignored to date.
Let us dig deeper into NISTIR 7966.
The NISTIR 7966 publication covers the SSH protocol, common SSH use cases, authentication types, vulnerabilities in SSH-based access, and recommended practices for management.
- SSH is a protocol for securely logging into a remote host and executing commands on that host.
- SSH software is natively included and used as the primary remote administration mechanism for many operating systems and devices.
- SSH is embedded behind the scenes into a wide variety of technologies.
- SSH is used for integrating hosts and automating their operations.
There are three (3) common use cases for SSH:
- Interactive use – Adequate security controls around interactive use of SSH minimize the risks around privileged access and make that access easier to monitor.
- File transfers – Ensuring secure transmission of sensitive information (PII, ePHI, etc.) brings organizations into compliance with PCI DSS, HIPAA/HITECH, European data protection rules and the states’ security breach notification laws.
- Point-to-point tunneling – Using SSH when implementing a VPN for remote access ensures adequate protection of data transmitted between two hosts and minimizes the risks associated with third-party access. This has a huge impact on financial organizations required to comply with privileged access controls as dictated by internal controls.
NISTIR 7966 covers the use cases listed above in the context of user and automated access. It further describes the primary categories of vulnerabilities in SSH-based interactive and automated access:
- Vulnerable SSH implementation
- Improperly configured access controls
- Stolen, leaked, derived, and unterminated SSH user keys
- Backdoors (unaudited user keys)
- Unintended usage of user keys
- Lack of knowledge and human errors
The publication concludes with recommended practices for management. Effectively securing SSH access consists of defining clear policies and implementing management, operational and technical security controls. Operational processes can be optimized by automating SSH user key setup and removal and the related approval, documentation, monitoring, and audit processes.
It is critical to note the following:
- Appendix A maps this IR to NIST SP 800-53 rev 4, “Security and Privacy Controls for Federal Information Systems and Organizations.” Federal agencies are under more pressure to take this IR into consideration to better manage their security controls.
- Appendix B maps the Cybersecurity Framework subcategories most pertinent to securing SSH-based automated access management.
So why is this important to you?
NISTIR 7966 details everything an individual needs to know about the SSH protocol and the security of interactive and automated access management using SSH. It is critical to educate the masses about SSH, its wide usage and deployments and how to manage them based on industry best practices.
Education has to rise to the level of executive management. Many executives are not aware of the central role SSH keys play in the secure management and operation of mission critical infrastructure and the significant breaches that can occur if they are exploited. Without sufficient executive education for both security and operationally focused executives, SSH key management initiatives can get derailed by other seemingly higher priorities, leaving an organization vulnerable.
Unfortunately, many organizations still ignore the security of SSH key-based access. SSH keys are the same as user credentials and must be managed as such. Here are some examples and statistics we have found regarding SSH:
- A large global bank discovered:
  - 10,000 servers on their network
  - 5 million SSH keys identified
  - 10% (150,000) of user keys are unknown and carry elevated access
  - 80% of SSH usage is machine-to-machine
  - Approximately 50 SSH user keys identified per host
- Additional facts uncovered through engagements with major organizations:
  - Secure Shell key-based authentications easily number in the hundreds of millions annually
  - Secure Shell is often second or third in the number of authentications, usually trailing only customer logins via the web and employee logins to various internal applications
  - 90% of the time the credentials used to authenticate are not properly managed, including provisioning, assignment, rotation, etc.
  - In every enterprise we have worked with, we have found, on average, 1 unknown root key for every 10 servers
  - In some of the largest environments we have tested, 90% of keys are inactive or redundant. This is because virtually no one removes keys once they are deployed, and over time they just keep piling up.
  - IPs were accessing the production environment with unknown keys, and often from places where access to those servers is a policy violation
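The recommended practices above (automated key inventory, monitoring and audit) and the findings about unknown and unrestricted keys both come down to knowing which keys grant access to a host and under what restrictions. The following is an added example, not code from NISTIR 7966 or from SSH Communications Security: it parses authorized_keys lines, computes the SHA256 fingerprint that ssh-keygen -l prints, checks each key against an approved inventory, and flags keys that lack a from= source restriction or a forced command. The sample authorized_keys entries, key blobs and inventory are constructed for the example.

```python
import base64, hashlib, re, struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "sk-ssh-ed25519@openssh.com")
# [options] keytype base64-blob [comment]; the options field may contain quoted spaces
# (e.g. command="/usr/bin/x --flag") but no unquoted whitespace.
LINE_RE = re.compile(r'^(?:((?:[^\s"]|"[^"]*")+)\s+)?(' + "|".join(map(re.escape, KEY_TYPES))
                     + r')\s+(\S+)\s*(.*)$')

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (options, keytype, b64blob, comment), or None for blank/comment/unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    return (m.group(1) or "", m.group(2), m.group(3), m.group(4)) if m else None

def has_option(options, name):
    """True if the options field carries `name` (from=, command=, no-pty, ...) at top level."""
    return re.search(r"(?:^|,)" + re.escape(name) + r"(?:=|,|$)", options) is not None

def audit(lines, approved):
    """approved maps fingerprint -> owner; returns (line_no, fingerprint, finding) tuples."""
    findings = []
    for n, raw in enumerate(lines, 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        options, _keytype, blob, _comment = parsed
        fp = fingerprint(blob)
        if fp not in approved:
            findings.append((n, fp, "unknown key: not in the approved inventory"))
        if not has_option(options, "from"):
            findings.append((n, fp, "no from= source restriction"))
        if not has_option(options, "command"):
            findings.append((n, fp, "no forced command: key grants an unrestricted shell"))
    return findings

# Constructed sample data (not real keys): an ed25519 blob is string(type) + string(32 raw bytes).
def _ssh_string(b): return struct.pack(">I", len(b)) + b
def make_ed25519_blob(raw32): return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()
KEY_A, KEY_B, KEY_C = (make_ed25519_blob(bytes(range(s, s + 32))) for s in (0, 32, 64))
SAMPLE = ["# constructed authorized_keys for a backup service account",
          f'from="10.20.0.0/16",command="/usr/local/bin/backup-pull" ssh-ed25519 {KEY_A} backup@jobhost1',
          f"ssh-ed25519 {KEY_B} alice@laptop", f'command="/bin/true" ssh-ed25519 {KEY_C}']
APPROVED = {fingerprint(KEY_A): "backup automation", fingerprint(KEY_B): "alice (interactive admin)"}
```

Run audit(SAMPLE, APPROVED) to list the findings; on a real host, feed it the lines of each account's authorized_keys file and an inventory exported from your key management records.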
We hope that NISTIR 7966 is an eye-opener to many. We also hope it will answer questions and address concerns surrounding the security of SSH key management. We encourage you to dig deeper into NISTIR 7966 and continue to ask yourself, “Am I compliant, or am I susceptible to a breach?”
We strongly encourage you to reach out to SSH Communications Security for assistance in all aspects of the SSH protocol and to discuss how you can further secure your SSH keys in your environment.
Automated access – accessing a host from another host in an automated fashion (without human intervention). SSH is frequently used for automated access for a variety of purposes, including managing large IT environments, integrating applications, and provisioning virtual machines in cloud services.
PII – Personally Identifiable Information, per NIST SP 800-122 – is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
ePHI – Electronic Protected Health Information, per HHS – The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI).” “Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
NIST – http://www.nist.gov/
NISTIR 7966 – http://dx.doi.org/10.6028/NIST.IR.7966
NIST SP 800-53 Revision 4 – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Cybersecurity Framework – http://www.nist.gov/cyberframework/
Security Breach Notification Laws – http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
European Data Protection Reform – http://ec.europa.eu/justice/data-protection/index_en.htm