SSH keys being poorly managed

In both a blog and a press release, security vendor Venafi has raised warnings over SSH keys. The problem is not the SSH keys themselves but how companies choose to handle them. The data comes from a survey which ET was given access to. Surprisingly, there is little variation across national borders. There are also only limited differences based on company size and industry. This suggests that the problem is widespread and one that needs urgent addressing.

According to Nick Hunter, senior technical manager for Venafi: “A compromised SSH key in the wrong hands can be extremely dangerous. Cybercriminals can use them to access systems from remote locations, evade security tools, and often use the same key to access more systems. Based on these results, it’s very clear that most organizations have not implemented SSH security policies and restricted SSH access configurations because they do not understand the risks of SSH and how it affects their security posture.”

What does the survey reveal?

Nothing good. Conducted across the US, UK and Germany, it focused solely on SSH keys and how they were used. It asked about the number of systems protected, whether there was an accurate and up-to-date inventory of SSH keys, and who had access to them. It also looked at the processes in place to create, manage and prevent abuse of SSH keys.

Among the findings it is clear that:

  • Just under 30% of organisations have a complete inventory of SSH Keys. 20% have no inventory at all.
  • 16% believe their inventory is accurate while 10% believe it is not accurate at all.
  • 40% restrict the number of administrators who can manage SSH. 13% allow all administrators to manage SSH on systems they control.
  • 41% require both password and public key authentication although 28% rely on just password.
  • Only 1.5% use SSH on all automated applications/scripts with a further 6% using them on more than 75%.
  • 29% claim that they have policies that require all automated processes utilising SSH to use both passwords and public key-based authentication.
  • 47% allow keys to be used from anywhere.

There are some concerns among these numbers, for example the very low level of SSH security around automated applications and scripts. It is hard to see why this number is not higher as we move to digital transformation (DT). DT is about automation and tighter integration between systems from multiple companies. Not enforcing SSH on automated applications and scripts is a serious risk.
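Two of the findings above, the incomplete key inventories and the 47% who allow keys to be used from anywhere, can both be checked on a host by reading its authorized_keys files. The script below is an added example written for this article; it is not Venafi's, Wordfence's or OpenSSH's own code. It parses the authorized_keys format (optional options field, key type, base64 blob, comment), prints the same SHA256 fingerprint that `ssh-keygen -l` shows so the key can be matched against an inventory, and flags entries with no `from=` source restriction or no comment identifying an owner. The sample file and its key blobs are constructed inline for the example (structurally valid, not real keys).

```python
"""Inventory an OpenSSH authorized_keys file and flag keys usable from anywhere.
Added example for this article; not vendor or OpenSSH project code."""
import base64
import hashlib

KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _tokenize(line):
    """Split on whitespace, keeping quoted option values (which may contain
    spaces) in one token. A backslash escapes a quote inside a quoted value."""
    tokens, cur, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and quoted and i + 1 < len(line):
            cur.extend((c, line[i + 1]))  # keep the escape for the option parser
            i += 2
            continue
        if c == '"':
            quoted = not quoted
            cur.append(c)
        elif c.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def _parse_options(field):
    """Parse the comma-separated options field into a dict. Quoted values may
    themselves contain commas, e.g. from="10.0.0.0/8,192.168.1.0/24"."""
    opts, cur, quoted, i = {}, [], False, 0

    def flush():
        if cur:
            name, _, value = "".join(cur).partition("=")
            opts[name] = value if value else True
            cur.clear()

    while i < len(field):
        c = field[i]
        if c == "\\" and quoted and i + 1 < len(field):
            cur.append(field[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            flush()
        else:
            cur.append(c)
        i += 1
    flush()
    return opts


def parse_entry(line):
    """Return type, fingerprint, comment, options and embedded type for one entry."""
    tokens = _tokenize(line)
    if tokens and tokens[0] in KEY_TYPES:
        options, rest = {}, tokens
    else:
        options, rest = _parse_options(tokens[0]), tokens[1:]
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys entry: {line!r}")
    key_type, blob = rest[0], base64.b64decode(rest[1], validate=True)
    # ssh-keygen -l prints SHA256 over the decoded blob, base64 without padding.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    # The blob starts with its own type string; it must match the declared type.
    n = int.from_bytes(blob[:4], "big")
    embedded_type = blob[4:4 + n].decode(errors="replace")
    return {"type": key_type, "fingerprint": fingerprint, "comment": " ".join(rest[2:]),
            "options": options, "embedded_type": embedded_type}


def audit_authorized_keys(text):
    """Inventory every key and attach the issues a reviewer should act on."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        issues = []
        if "from" not in entry["options"]:
            issues.append("unrestricted-source")  # key accepted from any address
        if not entry["comment"]:
            issues.append("no-owner-comment")     # cannot be tied to a person for review or removal
        if entry["embedded_type"] != entry["type"]:
            issues.append("type-mismatch")        # sshd rejects this; likely a corrupted entry
        entry.update(line=lineno, issues=issues)
        report.append(entry)
    return report


def _fake_blob(key_type, key_bytes):
    """Constructed, structurally valid key blob for the sample below (not a real key)."""
    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(key_bytes)).decode()


# Constructed sample authorized_keys file for the example, not taken from a real host.
SAMPLE = "\n".join([
    "# constructed sample",
    'from="10.0.0.0/8,192.168.1.0/24",no-agent-forwarding ssh-ed25519 '
    + _fake_blob("ssh-ed25519", bytes(range(32))) + " alice@laptop",
    "ssh-ed25519 " + _fake_blob("ssh-ed25519", bytes(range(32, 64))) + " deploy@ci",
    "ssh-rsa " + _fake_blob("ssh-rsa", b"\x00\x01\x00\x01"),
])

if __name__ == "__main__":
    for e in audit_authorized_keys(SAMPLE):
        print(f'line {e["line"]}: {e["type"]} {e["fingerprint"]} '
              f'{e["comment"] or "<no comment>"} from={e["options"].get("from", "ANY")} '
              f'issues={", ".join(e["issues"]) or "none"}')
```

Run against a real host by feeding it the contents of each user's `~/.ssh/authorized_keys`; the fingerprints are what an inventory should be keyed on, because comments can be edited freely while the fingerprint identifies the key itself.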

Security and management of SSH keys also very poor

Reviewing which SSH keys are being used and whether a user still needs access is essential. When companies were asked about their key management and approach, things got worse.

33% require system and application owners to review their SSH entitlements as part of their Privileged Access Management (PAM) policies. However, 16% only do this yearly and 10% do no review at all.

Only 53% of organisations admit to having an effective process for removing SSH keys when SSH users change job or are terminated. This number is in line with the number of companies that do not block user accounts when they leave. It allows a disaffected ex-employee to cause problems long after they have left the company.

Key rotation is about minimising risk should a key be compromised. Despite this, only 5% rotate their keys more frequently than every three months. 12% only rotate annually, while 20% do not rotate keys at all and a further 20% do so at random. All of this means that attackers have plenty of time to exploit compromised keys.

These are worrying numbers and show a lack of control and process management. It also shows a serious failure to understand the threat to SSH keys from attackers.

SSH Keys are under constant attack

Mark Maunder, CEO Wordfence / Feedjit Inc

Mark Maunder, CEO of Wordfence, gives another warning over the risk of SSH key breaches. In a blog post, Maunder says that Wordfence has seen a significant spike in SSH private key scanning activity. He warns that: “If your private SSH key ever gets out, anyone can use it to sign in to a server where you have set up key-based authentication.”

One of the things Maunder suggests, to prevent the use of stolen private SSH keys, is that users should protect them with a password. However, as seen in the Venafi survey, this is not commonplace. Maunder's warning also shows how serious the risk is of allowing SSH keys to be used from anywhere. It puts into context the 47% of respondents to Venafi who said they do not restrict where SSH can be used from.
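Whether a private key on disk is actually password-protected can be checked without the password, because each on-disk format records it in the clear: the `openssh-key-v1` format names its cipher and KDF in the header (`none` means unencrypted), PKCS#8 uses a different PEM label for encrypted keys, and the older PEM formats carry a `Proc-Type: 4,ENCRYPTED` header. The checker below is an added example for this article, not Wordfence's or OpenSSH's code; the key files it tests against are constructed inline (only the header fields needed for the check, not usable keys), and the `scan_key_files` helper and its filename filter are this example's own assumptions.

```python
"""Report which private key files are unprotected (no passphrase).
Added example for this article; not vendor or OpenSSH project code."""
import base64
import os
import re

_OPENSSH_MAGIC = b"openssh-key-v1\x00"
_LEGACY_PEM = re.compile(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----")


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    n = int.from_bytes(buf[offset:offset + 4], "big")
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def private_key_protection(pem_text):
    """Return (format, protected) for the text of a private key file."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-framed private key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(_OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(body, len(_OPENSSH_MAGIC))
        kdf, _ = _read_string(body, off)
        # An unencrypted key has cipher "none" and kdf "none".
        return "openssh-key-v1", cipher != b"none" and kdf != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8", True
    if header == "-----BEGIN PRIVATE KEY-----":
        return "pkcs8", False
    if _LEGACY_PEM.fullmatch(header):
        encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:])
        return "pem-legacy", encrypted
    raise ValueError(f"unrecognised private key header: {header}")


def scan_key_files(directory):
    """Assumed helper: check every non-.pub, non-config file in a directory
    (e.g. a user's .ssh) and return {path: (format, protected)}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or name.endswith(".pub") or name in ("config", "known_hosts", "authorized_keys"):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if text.lstrip().startswith("-----BEGIN "):
            results[path] = private_key_protection(text)
    return results


def _openssh_key_text(cipher, kdf):
    """Constructed openssh-key-v1 header (magic, cipher, kdf, empty kdfoptions,
    nkeys=1): enough for the header check, not a usable key."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    raw = _OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + (1).to_bytes(4, "big")
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples for the example, not real keys.
UNPROTECTED = _openssh_key_text(b"none", b"none")
PROTECTED = _openssh_key_text(b"aes256-ctr", b"bcrypt")
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                    "Proc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n")
PKCS8_PLAIN = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for label, text in [("unprotected", UNPROTECTED), ("protected", PROTECTED),
                        ("legacy", LEGACY_ENCRYPTED), ("pkcs8", PKCS8_PLAIN)]:
        fmt, ok = private_key_protection(text)
        print(f"{label}: format={fmt} passphrase={'yes' if ok else 'NO'}")
```

Running `scan_key_files` over each user's `.ssh` directory on a jump host or CI runner gives a quick list of the keys that would be immediately usable if copied, which is exactly the case Maunder describes.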

What does this mean?

SSH keys are essential to protect systems. However, like many security solutions, they are only as strong as the processes and controls around them. Venafi has found that customers are not paying enough attention to the basics. To make matters worse, customers failing to rotate keys leave systems open to attack for long periods.

Wordfence has also spotted a significant increase in attacks against SSH. Its CEO, Mark Maunder, suggests that this may be due to hackers having success with capturing such keys.

Put the two together and it is clear that security teams need to act quickly. A review of all SSH keys and who has access needs to be carried out. More regular checks and key rotation are also required. One of the biggest steps is improving controls and making sure keys are changed when staff leave or move to a new role.
