NIST released a report yesterday urging enterprises, government agencies and other IT shops that rely on Secure Shell implementations to re-assess their deployments and be wary of a number of weaknesses plaguing those systems.
Interagency Report 7966 is a guidance document that falls in line with NIST document 800-53 and the White House’s Cybersecurity Framework.
“The report is basically a wake-up call for organizations to start paying attention to how they use Secure Shell,” said SSH, the commercial company behind the Secure Shell protocol, on its blog yesterday.
Secure Shell is a protocol that authenticates and encrypts communication between computer systems conducting automated processes, including patch management, provisioning and some software updates.
“These inter-system connections are often highly privileged–one system gains access to a privileged account on another system,” SSH said. “For example, a patch management application may get access to root accounts or a database application access to the Oracle account.”
In report 7966, NIST recommends public key authentication oversee such automated processes, but that the pairs be managed, including proper provisioning, termination and other monitoring processes of the keys, the document said. NIST said that security of SSH automated access has been largely ignored.
NIST called out a number of common vulnerabilities, including vulnerable implementations where organizations use older, unpatched versions of the crypto software, or implement weak configurations. NIST also warned admins to be on the lookout for poor key management process controls can lead to keys being stolen or leaked.
Organizations were also warned that rogue users could also open backdoors if keys aren’t managed properly, and advises a review of separation of duties policies.
“A lack of proper access controls in Secure Shell environments creates a significant security risk for government agencies. Malicious insiders and external attackers can utilize a lost or stolen Secure Shell user key to gain access to critical systems and assets,” said Tatu Ylonen, inventor of the protocol and SSH CEO, in a statement released yesterday. “Over the past year, SSH has worked with NIST and the White House Office of Science and Technology on this critical and highly sensitive issue. We have worked directly with many organizations to address the vulnerabilities highlighted in this report and fully endorse its recommendations.”
The NIST document recommends four components be part of every SSH implementation: controlled provisioning and termination processes for SSH keys; continuous monitoring and auditing of keys; proper SSH client/server configurations; remediation of existing SSH keys as necessary.
“NIST recognizes the issue but isn’t just throwing stones – the report they just released provides a ton of helpful information,” SSH said in its statement. “It goes through chapter and verse how automated processes using Secure Shell actually work and then goes on to provide practical guidelines and best practices for securing them.”