"The wind and the waves are always on the side of the ablest navigator.
- Edmund Gibbon
The financial industry is facing a perfect storm: a combination of factors that will combine in a cascading manner to create a negative and unexpected outcome in 2018. Not that the current state of affairs is great – a recent article in Infosecurity Magazine outlines that financial services firms are hit by security incidents 300 times more frequently than businesses in other industries.
How can this get worse? Below is a list of factors for why the storm is on the horizon. After all, the financial services industry is one of the most heavily regulated. Trust relationships between customers and financial companies is intrinsic to the industry and its survival. The SSH protocol is in fact the backbone of today’s worldwide secure economy.
There are both macro and micro factors driving a perfect storm.
Macro Factors: More Complexity and More Unpredictability
- The threat surface is increasing because of larger and more complex networks. This is only likely to continue with the massive rise in cloud platforms, sophisticated mobile stacks and the advent of Enterprise-present IOT and embedded systems.
- The bad guys are getting more sophisticated, stockpiling delivery mechanisms and payloads and developing sophisticated supply chains and cyber assets, as exemplified by the SWIFT incident and concerns over payment systems.
- Third party and supply chain risk increases exposure as more outsourcing takes place and more complex and global business ecosystems emerge.
- Insider threats stemming from the dark web, which has been reaching out to insiders to buy their SSH login credentials.
Micro Factors: SSH Key Management
- What if a master password existed that provided access to your most critical applications?
- This password never expired and was essentially untraceable, granting the person access to your organization’s critical systems and sensitive information.
- What if this password was many years old and you have no way of knowing if it has been compromised.
This is happening today with an encryption protocol that has existed for the last 20 years, quietly doing its’s work while spreading because of the growth of an open source distribution model. SSH uses encryption keys that have been forgotten yet provide the most critical form of access into our networks.
Who uses SSH in your organization? More people than you probably realize…
- IT administrators use the SSH protocol to remotely access operating systems, application databases and network devices.
- Developers accessing systems, moving code between systems and into cloud environments.
- Applications on autopilot securely moving data between applications, both on premise and to the cloud.
- Supply chain vendors and outsourced managed service providers that support and maintain corporate networks.
Perhaps the most worrisome application of the SSH protocol comes from hackers and malicious insiders; it is their preferred method to move laterally throughout our networks. In many financial institutions, accountability, manageability, goverance and even knowledge of these keys is unclear, opening the door to compliance violations. At the heart of the issue is access control. It’s all about protecting the data (PII, credit card data, etc.) and making sure it has authorized access. It doesn’t matter whether access is being requested by a machine, admin or business user. Recently ISACA issued guideance to the compliance and audit community on how to leverage SSH key manageamet best practices titled “SSH: Practitioner Considerations.”
In a specific customer case, 10,000 Unix/Linux hosts, lacked strong SSH key management that equated to 1.5 million application keys granting access and 70,000 keys each for database administrator and system admins. There can be up to one billion authentications per year granting access. The majority of the access available via these keys is obsolete, having been assigned to employees or third parties who no longer work with or for the financial institution.
The Coming Storm
The growing number of SSH keys without time expiration and the growing complexity of our business environment provides the factors necessary for a negative and unexpected outcome – a perfect storm.
How SSH Can Help
SSH Communications Security offers financial institutions:
- a Risk Assessment https://www.ssh.com/products/ssh-risk-assessment/ that delivers a detailed analysis of risks around SSH mismanagement.
- a workshop on SSH key management best practices
- Universal SSH Key Manager®-a product offering that addresses SSH key management issues
As Joseph Nocera of PwC noted, “cyber expectations are growing. Firms need to balance rapid innovation with the need to provide both seamless customer service and privacy protection.”
SSH is committed to partnering with you to provide clear sailing and prevent the factors that could conspire to threaten your organization with a perfect storm.
Any fool can carry on, but a wise man knows how to shorten sail in time.
- Joseph Conrad