– Jason Thompson, Vice President of Global Marketing, SSH Communications Security, says:
The McAfee Labs Threat Report: Fourth Quarter 2013 revealed a 3,850 percent increase in digitally signed malware since 2012. Cyber-criminals are well acquainted with the opportunities presented by unprotected keys and certificates. They are able to go after a huge attack surface as soon as they identify a vulnerability and act without leaving a trace. A lack of management controls and visibility, coupled with a lack of remediation, can spell disaster for organizations.
Encryption is critical to mitigating the effects of such attacks, but here too companies are falling short. Because the cost of technology decreases as it gains wide acceptance, organizations tend to view encryption technology as a commodity. This often leads to complacency on the part of IT managers and executives—after all, encryption is encryption, right?—which can lead to costly security breaches.
It’s no secret that software has vulnerabilities that get exploited. Typically, it’s not the software itself or the encryption protocol that is the problem. In many cases, it’s that encryption management is left largely in the domain of IT application developers or system administrators and has never been properly managed with access controls, monitoring and proactive data loss prevention.
No Doorman on Duty
While vulnerabilities such as Heartbleed have helped bring the management of encrypted networks front and center, there is still a lot more happening below the surface that needs to be addressed.
Key-based authentication is one of the more common methods used to gain access to critical information in Secure Shell networks. Keys are easy to create and at the most basic level, simple text files that can be easily uploaded to the appropriate system. Associated with each key is an identity: either a person or machine that grants access to information assets and performs specific tasks, such as transferring a file or dropping a database, depending on the assigned authorizations. In the case of Secure Shell keys, those basic text files provide access to some of the most critical information within an organization.
With all of the employees, contractors and applications that have been assigned keys over a decade or more, there are potentially over a million keys present in any single enterprise. In one example, a major bank with around 15,000 hosts had over 1.5 million keys circulating within its network environment. Around 10 percent of those keys – or 150,000 – provided high-level administrator access. This represents an incredible number of open doors that no one was monitoring.
It may seem ridiculous in hindsight that an organization’s security outlook could get to this state, but it happens primarily because encryption is often perceived as a tool. And since nothing appears on the surface to be out of place, no processes are shut down and no one is alerted to the problem.
Ease of use is often a factor here. System administrators and application developers will often deploy keys in order to readily gain access to systems they are working on. These keys grant a fairly high level of privilege and are often used across multiple systems, creating a one-to-many relationship. In many cases, employees or contractors who are terminated – or even simply reassigned to other tasks that no longer require the same clearance – continue to carry access via Secure Shell keys; the assumption is that terminating the account is enough. Unfortunately, this is not the case when Secure Shell keys are involved. The keys must also be removed or the access remains in place.
The use of unmonitored Secure Shell keys to subvert privileged access management systems (PAMs) is another common danger. Many PAM systems use a gateway or jump host that administrators log into to gain access to network assets. PAM solutions connect with user directories to assign privilege, monitor user actions and record which actions have taken place. Sounds like an airtight way to monitor administrators, right? It is, until one realizes how easy it is for an administrator to log into the gateway, deploy a key and then log in using key authentication, a clever method of working around any PAM safeguards in place.
Blinding and Bypassing
Lack of access control is just part of the story in encrypted environments. Conventional PAM solutions, which use gateways and focus on interactive users only, are designed to monitor administrator activities. Unfortunately, as mentioned above, they end up being fairly easy to work around. Additionally, encryption blinds attackers the same way it blinds security operations and forensics teams. For this reason, encrypted traffic is rarely monitored and is allowed to flow freely in and out of the network environment. This creates obvious risks and negates security intelligence capabilities to a large extent.
If one searches for “SSH firewall,” the result is a number of highly instructive articles on how to use Secure Shell to bypass corporate firewalls. This is actually a pretty common and clever workaround policy that unfortunately creates a huge security risk. In order to eliminate this risk, the organization must decrypt and inspect the traffic.
Encrypted channel monitoring
An organization would need to use an inline proxy with access to the private keys, essentially a friendly man-in-the-middle, to decrypt Secure Shell traffic without interfering with the network.
Network administrators can monitor 100 percent of encrypted traffic for both interactive users and M2M identities when an inline proxy is successfully deployed. Also, because this is done at the network level, it’s not possible for malicious parties to execute a workaround. With this method, enterprises can proactively detect suspicious, or out-of-policy traffic. This is called encrypted channel monitoring and represents the next generation in the evolution of PAM. Encrypted channel monitoring helps organizations move away from a gateway approach to PAM and solve the challenge of decrypting traffic at the perimeter, while simultaneously preventing attackers from using the organization’s own encryption technology against itself.
To control what activities a user can undertake, an organization can also use inline access controls and user profiling. For example, policy controls can be enforced to forbid file transfers from certain critical systems. With the more advanced solutions, an organization can even block subchannels from running inside the encrypted tunnel, the preferred method of quickly exfiltrating data.
Encryption technologies are often deployed in the absence of proper access controls or effective monitoring, which also blinds layered defenses. A major vulnerability like Heartbleed potentially compromises the entire server, which could in turn expose other areas of the network to subsequent attacks.
The Way Ahead
Encryption technology has been widely used by the technology community for
over a decade, deployed ubiquitously in applications, data centers and other foundation infrastructure. What Heartbleed showed the industry is that widely used, critical technologies have lived for far too long below the surface.
Centralized provisioning and other best practices for managing encrypted networks are not established in the majority of enterprises despite the obvious risks of not having them. Encrypted channel monitoring is rarely implemented, and many IT administrators assume that conventional PAM is solving this problem, when in reality easy workarounds can render it ineffective.
Most IT security managers grasp the importance of the components of network security – except when it comes to encryption solutions. Encryption can no longer be viewed as a commoditized solution that is set and then forgotten. As the volume of SSL threats continues to escalate, organizations need to make sure that proactive monitoring is in place and that layered defenses are enabled. This all-inclusive approach to encrypted channel monitoring will help companies better protect their critical data assets
About the Author:
Jason Thompson is Director of Global Marketing for SSH Communications Security. Mr. Thompson brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Prior to joining SSH, Mr. Thompson worked at Q1 Labs where he helped build awareness around security intelligence and holistic approaches dealing with advanced threat vectors. Mr. Thompson holds a BA from Colorado State University and an MA for the University of North Carolina at Wilmington.