When a young Finnish programmer named Tatu Ylönen conjured up the Secure Shell (SSH) coding protocol in 1995, he had no inkling of the pivotal role his creation would play in the rapid evolution of network-centric commerce.
And Ylönen certainly never imagined that one day he would be consumed with spreading awareness about a darker aspect of SSH: his protocol – or, more precisely, how SSH has come to be used as part of the core plumbing of the Internet – is posing a potentially devastating exposure to essentially all major business networks on the planet.
With the security community pressing battles to repel phishing, ransomware and Advanced Persistent Threat (APT) attacks, SSH hasn’t gotten the attention that it should. Yet it looms as the next great attack vector. And it is already on the radar of elite criminal hackers.
If SSH exposures aren’t acknowledged and proactively addressed soon, intruders will surely move to take full advantage. Some already have done so, Ylönen tells me.
“It is a massive risk,” Ylönen says. “It pretty much affects every vertical, every organization that’s dependent on information systems.”
Some context is instructive. Ylönen designed SSH some 20 years ago as a simple tool to encrypt logon passwords and data as one software application connected and transferred data to the next. Because he created his protocol as part of the open-source coding community, SSH was, and is, available for anyone to use, bereft of any licensing fees.
SSH rapidly emerged as the go-to means for automating, and thus speeding up, secure data transfers. The software engineers who developed Unix, Linux, Windows, Cisco, Oracle and other core networking components baked SSH deep into the plumbing that enables digital systems to interconnect.
And even today, leading vendors continue to rely on SSH to administer data transfers to disaster-recovery systems and to servers in the cloud.
But here is the rub, and it is profound. Because SSH is part of the open-source coding community, no one vendor has ever stepped forward to established procedures for monitoring and managing something called SSH keys, essentially the passwords enabling all those automated connections.
The result is that countless SSH keys created in the early iterations of business networks still exist and lie dormant in their respective networks, Ylönen reports. And many more are continually being created and activated.
This is chilling: An attacker, be it an untrustworthy insider or an intruder probing for weaknesses, needs to wrangle possession of just one SSH key to wreak havoc.
There already have been SSH attacks acknowledged and discussed within the cybersecurity community, Ylönen says. And financial firms, as a sector, are beginning to address this fresh exposure. Ylönen’s company, SSH Communications Security, is in the business of helping organizations proactively account for, and manage, SSH keys.
Meanwhile, the National Institute of Standards and Technology (NIST) recently issued an SSH advisory. Ylönen says this is a step toward getting US companies to account for SSH keys as part of complying with healthcare records privacy rules, under the Health Insurance Portability and Accountability Act (HIPAA) and investor protection rules, under the Sarbanes-Oxley Act.
What Ylönen recently discovered at one Wall Street financial firm, with over 100,000 employees, highlights what this exposure can look like at a large enterprise. His company spent three years scouring 500 of the firm’s critical business applications, dispersed across 15,000 servers.
“We found 3 million SSH keys from that environment,” Ylönen says. “And 90 percent of these keys were never used. Ten percent, 300,000 keys, granted root access that allowed doing anything on those servers.”
Ylönen says awareness in vertical industries outside of the financial sector is “fairly limited” although access management vendors are knowledgeable, and auditors are starting to pay heed.
For the moment, the criminals hunting for SSH keys are likely focusing on large enterprises. That’s where the richest veins of data lie.
Yet this is also another huge reminder as to why it is imperative for small and medium sized businesses to embrace security best-practices–and make sure they are not the weak link in the supply chain.
Third-party risk–the notion that a contractor could inadvertently expose the first-party organization to a network breach–is a tangible and growing concern. As part of addressing SSH risks, you can bet large companies will increasingly insist on partnering only with suppliers that have their security act together.
I applaud Ylönen’s efforts, hope awareness of this gains steam and that companies in all industries begin proactively managing their SSH keys — before a crippling attack on a critical system plays out.