Page 84 - Cyber Warnings
The Fatal Danger Lurking in Today's Fortune 500
By Tatu Ylonen, founder and SSH Fellow, SSH Communications Security
It takes a special combination of leaders, ideas and processes to become a Fortune 500
company. By the time an enterprise has reached this status, it has gained significant resources
and name recognition, fueled by innovative ideas and the drive to succeed. But if the enterprise
does not address a critical danger lurking in its information systems, it could quickly become a
Fortune 0.
Access Gone Wild
Enterprises carefully control access to servers and disaster recovery data centers. Behind the
traditional applications, servers are managed by system administrators and various automated
tools.
These automated systems need credentials to reach other systems so that daily communications and operations can function. They usually use what are called SSH keys, which system administrators and developers also use for their internal work: logging in from a workstation to a server without having to type a password every time.
Roughly 90 percent of the SSH keys are unused in the average enterprise. That means there is
privileged access to critical systems and data that has never been terminated – violating
policies, regulations and laws. It is almost as if employees’ user accounts were never removed
when they left, and they had the capability to create new accounts for anyone they like.
Even more worrisome is the fact that about 10 percent of the SSH keys grant root access (the highest level of administrative access).
Such keys are used to make backups, install patches, manage configurations and implement
emergency response procedures, often using automated tools.
To give a sense of the scale of SSH key usage: in some enterprises there are more than 5 million automated daily logins using SSH keys – resulting in more than 2 billion logins per year.
The SSH Stealth Attack
A cybercriminal begins an attack by gaining access to a company computer and then stealing passwords or other credentials that open the way to a set of servers. This often involves malware.
Once on a server, the attacker obtains elevated privileges using locally exploitable
vulnerabilities to read private SSH keys from the server. Many of these keys grant unrestricted
access to other servers and systems.
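The two conditions the article describes, keys that have never been used and keys that grant root or unrestricted access, are exactly what an authorized_keys audit should surface before an attacker reads the private halves off a compromised server. The script below is an added example written for this page (it is not code from the article or from SSH Communications Security): it parses authorized_keys entries for several accounts, computes the SHA256 fingerprint that sshd logs for each public key, and cross-checks those fingerprints against "Accepted publickey" lines from the sshd log to report root-capable, unrestricted and unused keys. All key blobs and log lines are constructed for the demonstration; the key material is filler bytes, not a real key.

```python
"""Audit SSH authorized_keys entries against sshd login logs.

Added example, not code from the article.  It reports keys that grant root,
keys with no from=/command=/restrict option, and keys whose fingerprint never
appears in an 'Accepted publickey' log line.  Every key blob and log line
below is constructed for the demonstration; the key material is filler bytes.
"""
import base64
import hashlib
import re
import struct
from dataclasses import dataclass, field

# Matches "<keytype> <base64 blob> [comment]"; whatever precedes the key type
# on the line is the comma-separated options prefix.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)
# Option names; quoted values are consumed so commas inside them are ignored.
OPTION_RE = re.compile(r'(?:^|,)([A-Za-z-]+)(?:="(?:[^"\\]|\\.)*")?')
# sshd's public-key login record; the last token is the key's SHA256 fingerprint.
ACCEPT_RE = re.compile(
    r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:[A-Za-z0-9+/]+)"
)
RESTRICTING = {"from", "command", "restrict"}


@dataclass
class KeyEntry:
    user: str
    keytype: str
    fingerprint: str
    comment: str
    options: set = field(default_factory=set)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_options(prefix: str) -> set:
    return set(OPTION_RE.findall(prefix))


def parse_line(user: str, line: str):
    """Parse one authorized_keys line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        return None
    keytype, blob, comment = m.group(1), m.group(2), m.group(3) or ""
    options = parse_options(line[: m.start()].strip())
    return KeyEntry(user, keytype, fingerprint(blob), comment, options)


def audit(authorized_keys: dict, auth_log: str) -> list:
    """Return one finding per key that has at least one issue."""
    used = {fp for _, _, fp in ACCEPT_RE.findall(auth_log)}
    findings = []
    for user, text in authorized_keys.items():
        for line in text.splitlines():
            key = parse_line(user, line)
            if key is None:
                continue
            issues = []
            if user == "root":
                issues.append("grants root")
            if not (key.options & RESTRICTING):
                issues.append("no from=/command=/restrict option")
            if key.fingerprint not in used:
                issues.append("unused in log window")
            if issues:
                findings.append({"user": user, "comment": key.comment,
                                 "fingerprint": key.fingerprint, "issues": issues})
    return findings


def fake_blob(seed: int) -> str:
    """Constructed ed25519-shaped blob (wire format, filler bytes); not a real key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-ed25519") + s(bytes([seed]) * 32)).decode()


# Constructed authorized_keys contents for three accounts.
AUTHORIZED_KEYS = {
    "root": (
        f"ssh-ed25519 {fake_blob(1)} old-admin@laptop\n"
        f'from="10.0.0.5",command="/usr/local/bin/backup" ssh-ed25519 {fake_blob(2)} backup-job\n'
    ),
    "deploy": f'# CI runner\nrestrict,command="/opt/deploy/run" ssh-ed25519 {fake_blob(3)} ci-runner\n',
    "alice": f"ssh-ed25519 {fake_blob(4)} alice@workstation\n",
}

# Constructed sshd log lines: only the backup job and alice logged in.
AUTH_LOG = "\n".join([
    f"Apr  3 02:00:01 app01 sshd[2231]: Accepted publickey for root from 10.0.0.5 port 51012 ssh2: ED25519 {fingerprint(fake_blob(2))}",
    f"Apr  3 09:14:22 app01 sshd[2410]: Accepted publickey for alice from 10.0.0.77 port 50233 ssh2: ED25519 {fingerprint(fake_blob(4))}",
])

if __name__ == "__main__":
    for f in audit(AUTHORIZED_KEYS, AUTH_LOG):
        print(f"{f['user']:7} {f['comment']:18} {f['fingerprint']}  {', '.join(f['issues'])}")
```

On a real host the inputs would be each account's authorized_keys file and the sshd log covering whatever window the policy defines as "unused"; the fingerprint cross-check works because sshd logs the SHA256 of the same key blob that sits in the file. The old-admin key on root is the case the article warns about: root-capable, usable from anywhere, and never exercised, so its removal costs nothing and closes a standing path into the server.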
84 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide