By Tatu Ylonen, founder and SSH Fellow, SSH Communications Security
In practical terms, a Fortune 500 enterprise is hard to “kill” in the physical world, given its large footprint in terms of buildings and processing centers.
That being said, in cyberspace it can be alarmingly vulnerable: a single exploited weakness could cripple the enterprise, and the resulting loss in shareholder value could exceed $30 billion.
The most critical and vulnerable part of an enterprise is its information systems. If you can control, corrupt and destroy the servers and the data within them, the enterprise will stop functioning.
90 Percent Unused, 10 Percent Grant Root Access
Access to the tens of thousands of servers in an enterprise, and to its disaster recovery data centers, is tightly controlled. Surely nothing can penetrate all of them?
Behind the traditional applications, servers are managed by system administrators and various automated tools.
These automated systems need credentials to reach other systems so that daily communications and operations can function, and they usually use what are called SSH keys. System administrators and developers use the same kind of keys for their own work, logging in from their workstations to servers without having to type a password every time.
In many enterprises about 90 percent of the SSH keys are unused.
That means there is privileged access to critical systems and data that has never been terminated – violating policies, regulations and laws.
It is almost as if employees’ user accounts were never removed when they left, and they had the capability to create new accounts for anyone they like.
Such keys are used to make backups, install patches, manage configurations and implement emergency response procedures, often using automated tools.
To give a sense of the scale, some enterprises see more than 5 million automated daily logins using SSH keys, which adds up to more than 2 billion logins per year.
How to Penetrate a Fortune 500: Spread Throughout the Enterprise
A typical cyberattack often first penetrates a company computer and then steals passwords or other credentials to gain access to some set of servers. This often involves malware.
Once on a server, the attacker escalates privileges through locally exploitable vulnerabilities and reads private SSH keys from the server. Keys used by automation are typically stored without a passphrase so that jobs can run unattended, and many of them grant unrestricted access to other servers and systems.
The attacker uses these keys to gain access to those other servers and repeats the process to move undetected within the enterprise.
Given the number of keys involved (10 to 200 per server on average in most enterprises), such an attack can be expected to spread to nearly every data center in the enterprise.
In some companies, more than 100,000 keys grant access from low-security test and development environments into production servers alone. Key-based access between data centers is almost always present.
Usually, there are also many SSH keys granting access from individual user accounts to privileged service accounts, bypassing systems that were supposed to monitor privileged access.
To be stealthy and not cause suspicion, the attacker can monitor the server for days or weeks to see which SSH keys are actually used with what servers, and then piggyback on legitimate connections to move undetected.
To bring the enterprise down, the attacker can corrupt its systems subtly or destroy them outright.
They can modify database records in ways that go unnoticed, corrupt backups, or render every penetrated server, storage device and router inoperable.
For example, the attacker can reprogram the firmware on routers and switches, implant malware in disk drive, network adapter or BIOS/UEFI firmware, and wipe the data on the affected servers and storage systems, including any penetrated backup and disaster recovery systems.
The result? A Fortune 500 would be severely crippled.
It would take the enterprise weeks or months to rebuild and reinstall its systems, and it would likely lose a good number of recent transactions.
How many hours, days or weeks can a typical Fortune 500 be down before the reputation damage is irreparable?
The damage to shareholders could easily exceed $30 billion, given the extent of the damage and the inability to operate or even communicate.
Who would want to do this to an enterprise? Perhaps a nation-state in a cyberwar might conduct such activity to as many enterprises as possible, even attacking multiple enterprises simultaneously.
Perhaps a terrorist organization would want to cause chaos. Perhaps a hacktivist would want to teach investors not to put money in “unethical” enterprises.
Perhaps a criminal organization would want to extract a ransom. For many others, the point would be extracting information: a breach committed to gain competitive intelligence. In such cases, privacy and regulatory issues would be of paramount concern.
The problem is fundamentally administrative. There is no simple patch or quick fix. Enterprise operations totally depend on automation made possible by SSH keys.
Essentially, enterprises must establish proper management of automated access just as they manage passwords. They must also sort out the legacy mess.
The rough process for addressing the issue is to establish a controlled provisioning process, eliminate unused and policy-violating SSH keys, and have application teams justify and sign off on any remaining keys that grant access into the information systems they are responsible for. Proper tools can make the process quite effective.
Furthermore, SSH key-based access into backup systems and disaster recovery data centers must be carefully reviewed.
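Both the unused-key problem described under "90 Percent Unused" and the clean-up process outlined above come down to two questions per key: has it actually been used in the review window, and is it confined to a source or a command? The following Python script is an added example, not code from this article or from SSH Communications Security. It parses authorized_keys entries (including the quoted options field), computes OpenSSH-style SHA256 fingerprints, joins them to sshd "Accepted publickey" log lines on (host, user, fingerprint), and reports keys that should be removed or restricted. The hostnames, users, key blobs and log lines are constructed so that it runs offline, and the log prefix is assumed to be normalised to an ISO timestamp followed by the hostname.

```python
"""Audit authorized_keys entries against sshd 'Accepted publickey' log lines.  Added example,
not SSH Communications Security code; hosts, users, key blobs and log lines are constructed."""
import base64
import hashlib
import re

# Key-type token that starts the key material; everything before it is the options field.
KEY_TYPE_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")
# Assumed log format "<iso-timestamp> <host> sshd[pid]: ..." (adapt the prefix to your syslog).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from \S+ port \d+ ssh2: \S+ (?P<fp>SHA256:[A-Za-z0-9+/]+)")
# authorized_keys options that confine where a key may connect from or what it may run.
RESTRICTING_OPTIONS = {"from", "command", "restrict"}


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(opts: str) -> dict:
    """Split 'from="a,b",command="x y",no-pty' on commas outside double quotes."""
    out, cur, quoted = {}, [], False
    for ch in opts + ",":
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            name, _, value = "".join(cur).strip().partition("=")
            if name:
                out[name.lower()] = value.strip('"')
            cur = []
        else:
            cur.append(ch)
    return out


def parse_authorized_keys(host: str, user: str, text: str) -> list:
    """Parse one account's authorized_keys file into key records (dicts)."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_TYPE_RE.search(line)
        if not m:
            continue  # unknown key type or malformed line: flag separately in a real audit
        keys.append({"host": host, "user": user, "fingerprint": fingerprint(m.group(2)),
                     "comment": (m.group(3) or "").strip(),
                     "options": split_options(line[: m.start()].strip()), "last_seen": ""})
    return keys


def audit_keys(inventory, log_lines) -> list:
    """inventory: iterable of (host, user, authorized_keys_text).  Joins each key to sshd
    logins on (host, user, fingerprint) and records its most recent accepted login."""
    last_seen = {}
    for line in log_lines:
        m = ACCEPTED_RE.match(line)
        if m:
            k = (m["host"], m["user"], m["fp"])
            last_seen[k] = max(last_seen.get(k, ""), m["ts"])
    keys = [k for host, user, text in inventory for k in parse_authorized_keys(host, user, text)]
    for k in keys:
        k["last_seen"] = last_seen.get((k["host"], k["user"], k["fingerprint"]), "")
    return keys


def findings(keys) -> list:
    """Per-key actions for the owning team: remove unused keys, restrict or justify the rest."""
    out = []
    for k in keys:
        where = (k["host"], k["user"], k["fingerprint"])
        if not k["last_seen"]:
            out.append(where + ("no login in review window: remove",))
        if not set(k["options"]) & RESTRICTING_OPTIONS:
            out.append(where + ("no from=/command=/restrict: justify or restrict",))
    return out


def _fake_blob(seed: str) -> str:
    body = hashlib.sha256(seed.encode()).digest()  # constructed 32-byte body, not a real key
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + body).decode()


# Constructed sample estate: a restricted backup key, an unrestricted key into root from a
# dev CI runner (test/dev reaching production), and a key left behind by a departed DBA.
K_BACKUP, K_DEPLOY, K_ALICE = (_fake_blob(s) for s in ("backup", "deploy", "alice"))
SAMPLE_INVENTORY = [
    ("db01.prod", "backup", f'from="10.0.5.0/24",command="/usr/local/bin/backup-pull",no-pty ssh-ed25519 {K_BACKUP} backup-agent\n'),
    ("db01.prod", "root", f"ssh-ed25519 {K_DEPLOY} ci@dev-runner\n# DBA who left in 2019\nssh-ed25519 {K_ALICE} alice@laptop\n"),
]
SAMPLE_LOG = [
    f"2024-03-01T02:00:01 db01.prod sshd[4101]: Accepted publickey for backup from 10.0.5.7 port 41022 ssh2: ED25519 {fingerprint(K_BACKUP)}",
    f"2024-03-02T02:00:01 db01.prod sshd[5120]: Accepted publickey for backup from 10.0.5.7 port 41108 ssh2: ED25519 {fingerprint(K_BACKUP)}",
    f"2024-03-02T11:17:44 db01.prod sshd[5333]: Accepted publickey for root from 172.16.40.9 port 53302 ssh2: ED25519 {fingerprint(K_DEPLOY)}",
]
```

Running `findings(audit_keys(SAMPLE_INVENTORY, SAMPLE_LOG))` on the constructed data yields three actions, all against the root account on db01.prod: the CI runner's key is used but has no `from=` or `command=` restriction, and the departed DBA's key is both unused and unrestricted; the backup key, confined to one source network and one command, produces none. In a real review the inventory comes from every server's authorized_keys files (including any extra paths set by `AuthorizedKeysFile` in sshd_config) and the logs from the whole review window; OpenSSH has logged SHA256 fingerprints in these lines since version 6.8. Absence from the logs makes a key a removal candidate rather than proof it is dead: keys into backup and disaster recovery systems may legitimately sit idle until a failover, which is why that access needs the separate review called for above.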
About the author
Tatu Ylonen is the creator of the SSH protocol and the founder of SSH Communications Security.
He is an experienced entrepreneur, manager and engineer. He still keeps up to date with technology and loves the technical side and inventing new technology.
He participates in product architecture design and occasionally writes code when he has time or when he thinks that’s where he can bring the most value.
His primary current interests relate to broader cybersecurity priorities and how to design systems to be more secure. He understands both the big picture and the deep technical issues.
He also wants to solve the massive gap in identity and access management in relation to SSH key-based credentials.