Identity fraud cost American consumers $18 billion last year, with a new victim hit every two seconds, according to Javelin Strategy & Research. The prevalence of identity theft is a sobering reminder of the unending threats faced by enterprises, financial institutions and government agencies. Even though malicious actors are using increasingly complex attacks to breach security systems and steal data, vulnerabilities in crucial security elements like encryption are seldom addressed.
IT security teams are well acquainted with encryption, and sometimes familiarity can blind these teams to real problems. Encryption technology is often viewed today as a commodity to “set and forget” rather than something to be constantly monitored, assessed and upgraded as needed. Without proper visibility, hackers can exploit a large attack surface as soon as they see an opportunity. If remediation processes are not in place, as is often the case, hackers can continue to exploit the breach.
The success of identity fraudsters offers clear evidence that “secure” data is not necessarily secure. Such is the case when network keys are improperly managed. In Secure Shell (SSH) networks, key-based authentication is one of the more common methods used to gain access to critical information. Keys are easy to create and, at the most basic level, are simple text files that can be easily uploaded to the appropriate system. Associated with each key is an identity: either a person or machine that grants access to information assets and performs specific tasks, such as transferring a file or dropping a database, depending on the assigned authorizations. In the case of Secure Shell keys, those basic text files provide access to some of the most critical information in an organization.
It is possible that over the span of a decade or so, an enterprise could amass a significant number of keys—that is, potentially dangerous open doors—assigned to its many employees, contractors and applications. In one example, a major bank with around 15,000 hosts had over 1.5 million keys circulating in its network environment. Around 10 percent of those keys—150,000—provided high-level administrator access. This level of key mismanagement can occur because encryption is often perceived merely as a tool.
Necessity is the mother of invention, and IT personnel are great at inventing workarounds—though not always safely. System administrators and application developers will often deploy keys to gain easier access to systems they are working on. These keys grant a fairly high level of privilege and are often used across multiple systems, creating a one-to-many relationship. In many cases, employees or contractors who are terminated—or even simply reassigned to other tasks that no longer require the same access—continue to carry access via Secure Shell keys. The assumption is that terminating the account is enough. Unfortunately, this is not the case when Secure Shell keys are involved; the keys must also be removed or the access remains in place.
Unmonitored Secure Shell keys can also be used to subvert privileged-access-management (PAM) systems. Many PAM systems use a gateway or jump host that administrators log into to access network assets. PAM solutions connect with user directories to assign privilege, monitor user actions and record actions that have taken place. It sounds like an airtight method for monitoring administrators, until one realizes how easy it is for an administrator to log into the gateway, deploy a key and then log in using key authentication—a clever way to work around any PAM safeguards in place.
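As an added example that is not part of the original article, the following Python script parses an authorized_keys file (options, key type, key blob, comment) and flags the two conditions described above: keys whose identity has been deprovisioned, and keys carrying no from=, command= or forwarding restriction, which is what lets a stray key act as a one-to-many master key. The file contents, host names and the deprovisioned list are constructed for the example.

```python
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

SAMPLE_AUTHORIZED_KEYS = """# constructed sample file, not from any real host; key blobs are placeholders
from="10.0.5.12",command="/opt/batch/run.sh",no-port-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER1 batch@appsrv
restrict,command="rsync --server --sender . /data" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER2 backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER3 contractor42@vendor
"""

def _split_outside_quotes(text, seps):
    """Split on any char in `seps`, except inside double quotes (command="a, b")."""
    parts, cur, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'          # toggle on every quote character
        if ch in seps and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts

def parse_authorized_keys(text):
    """One dict per key line: options list, key type, key blob, comment."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        tokens = _split_outside_quotes(line, " \t")
        # The first key-type token ends the options field; sshd applies the same rule.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; sshd ignores it as well
        options = _split_outside_quotes("".join(tokens[:idx]), ",")
        entries.append({"options": options, "key_type": tokens[idx],
                        "key": tokens[idx + 1], "comment": " ".join(tokens[idx + 2:])})
    return entries

def audit_keys(text, deprovisioned):
    """Return (identity, finding) pairs for orphaned or insufficiently confined keys."""
    findings = []
    for e in parse_authorized_keys(text):
        opt_names = {o.split("=", 1)[0] for o in e["options"]}
        identity = e["comment"].split("@")[0] or "<no comment>"  # comment is a hint, not proof
        checks = [(identity in deprovisioned, "ORPHANED"), ("from" not in opt_names, "ANY-SOURCE"),
                  ("command" not in opt_names, "INTERACTIVE"),
                  (not {"restrict", "no-port-forwarding"} & opt_names, "FORWARDING")]
        findings += [(identity, code) for hit, code in checks if hit]
    return findings
```

Run over every user's and service account's authorized_keys on a host, with the deprovisioned set taken from the HR or directory feed, this gives the inventory that a key fingerprint (rather than the free-text comment) should ultimately be matched against.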
Skirting Around Safeguards
There is more to the story than unmonitored or poorly monitored access when it comes to encrypted environments. Conventional PAM solutions, which use gateways and focus on interactive users only, are designed to monitor administrator activities. Unfortunately, as mentioned above, they end up being fairly easy to circumvent. Additionally, encryption hides attackers from view the same way it blinds security operations and forensics teams. For this reason, encrypted traffic is rarely monitored and is allowed to flow freely in and out of the network environment. This situation creates obvious risks and negates security intelligence capabilities to a large degree.
An Internet search for “SSH firewall” returns a number of instructive articles on how to use Secure Shell to bypass corporate firewalls. This is a common and clever way around policy that unfortunately creates a huge security risk. To eliminate this risk, the organization must decrypt and inspect the traffic.
Monitoring Encrypted Channels
Decrypting Secure Shell traffic is a step in the right direction. Doing so without interfering with the network requires that an organization use an inline proxy with access to the private keys: essentially a friendly man-in-the-middle. When successfully deployed, 100 percent of encrypted traffic for interactive users and machine-to-machine (M2M) identities can be monitored. Also, because this process is done at the network level rather than on a gateway host, malicious parties have no way to work around it. With this method, enterprises can proactively detect suspicious or out-of-policy traffic. This strategy is called encrypted-channel monitoring and represents the next generation in the evolution of PAM.
Using this kind of monitoring solves the challenge of decrypting traffic at the perimeter and helps organizations move away from a gateway approach to PAM. At the same time, it prevents attackers from using the organization’s own encryption technology against it. In addition, an organization can use inline access controls and user profiling to control what activities a user can undertake. For example, policy controls can be enforced to forbid file transfers from certain critical systems. With the more advanced solutions, an organization can even block subchannels from running inside the encrypted tunnel—the preferred method of quickly exfiltrating data.
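As an added example (not the article's or any vendor's code), here is the kind of per-channel policy an inline proxy in this position can apply once it sees the decrypted session: it refuses forwarding subchannels outright, refuses file transfers from critical hosts, and otherwise checks the activity against a role profile. Host names, roles and events are constructed; the message, channel and request names are SSH's own (RFC 4254).

```python
# Policy for a hypothetical inline SSH proxy that holds the server keys and can see
# every channel in a session. Hosts, roles and events are constructed for this example.
CRITICAL_HOSTS = {"db-prod-01", "hsm-gw"}
FILE_TRANSFER_PROGRAMS = ("scp ", "sftp-server", "rsync ")
ROLE_PROFILES = {"dba": {"shell", "exec"}, "backup": {"shell", "exec", "subsystem:sftp"}}

def classify(event):
    """Reduce a decrypted channel event to one activity label."""
    if event["msg"] == "CHANNEL_OPEN":          # session, direct-tcpip, forwarded-tcpip, x11, ...
        return "session" if event["type"] == "session" else "subchannel:" + event["type"]
    if event["msg"] == "CHANNEL_REQUEST":       # shell, exec, subsystem, pty-req, env, ...
        return "subsystem:" + event["name"] if event["request"] == "subsystem" else event["request"]
    return "unknown"

def decide(event, profiles=ROLE_PROFILES, critical=CRITICAL_HOSTS):
    """Return (allowed, reason) for one event, in the order the proxy would check."""
    label, role, server = classify(event), event["role"], event["server"]
    if label.startswith("subchannel:"):       # no tunnels inside the tunnel, for anyone
        return False, f"{label} blocked: forwarding subchannels are not permitted"
    is_transfer = label == "subsystem:sftp" or (
        label == "exec" and event.get("command", "").startswith(FILE_TRANSFER_PROGRAMS))
    if is_transfer and server in critical:
        return False, f"file transfer from critical host {server} is forbidden"
    if label in ("session", "pty-req", "env") or label in profiles.get(role, set()):
        return True, f"{label} permitted for role {role}"
    return False, f"{label} is outside the profile for role {role}"

def ev(user, role, server, msg, **fields):
    """Build one event record the way the proxy would hand it to the policy."""
    return {"user": user, "role": role, "server": server, "msg": msg, **fields}

SAMPLE_EVENTS = [  # constructed: one interactive session plus the things policy should stop
    ev("alice", "dba", "db-prod-01", "CHANNEL_OPEN", type="session"),
    ev("alice", "dba", "db-prod-01", "CHANNEL_REQUEST", request="pty-req"),
    ev("alice", "dba", "db-prod-01", "CHANNEL_REQUEST", request="shell"),
    ev("alice", "dba", "db-prod-01", "CHANNEL_OPEN", type="direct-tcpip"),
    ev("alice", "dba", "db-prod-01", "CHANNEL_REQUEST", request="exec", command="scp -f /var/lib/pgsql/full.dump"),
    ev("bob", "backup", "app-07", "CHANNEL_REQUEST", request="subsystem", name="sftp"),
    ev("alice", "dba", "app-07", "CHANNEL_REQUEST", request="subsystem", name="sftp"),
]

def evaluate(events):
    """Apply the policy to each event; returns (user, server, label, allowed, reason)."""
    return [(e["user"], e["server"], classify(e), *decide(e)) for e in events]
```

In the sample, the shell session on the database host is allowed, the direct-tcpip subchannel and the scp out of the critical host are refused, and sftp is permitted only for the role whose profile includes it.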
When encryption technologies are implemented without effective monitoring or appropriate access controls, layered defenses are blinded. A major vulnerability could potentially compromise the entire server, which could in turn expose other areas of the network to subsequent attacks.
Encryption technology has been used everywhere for years, but not to its full extent. It has been deployed and ignored or actively bypassed for the most part, allowing for poor key management and potential security disasters. The plague of identity fraud alone should remind IT security professionals that in this day and age of advanced security threats, they cannot rest on their encryption laurels.
Instead, they should manage their encrypted networks according to best practices to ensure the utmost level of protection. IT administrators cannot assume that PAM is sufficient when multiple workarounds and mismanagement on their own part often defeat it. They must enable layered defenses and proactively monitor their networks. Data security is too important to be lackadaisical about; best practices such as those listed above must be implemented to protect against today’s advanced threats.
About the Author
Jason Thompson is Director of Global Marketing for SSH Communications Security. He brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Before joining SSH, Jason worked at Q1 Labs where he helped build awareness around security intelligence and holistic approaches dealing with advanced threat vectors. He holds a BA from Colorado State University and an MA from the University of North Carolina at Wilmington.