
New NIST Best Practices for Managing SSH

John Kaufling | November 3, 2014

Security breaches are a top-of-mind concern throughout enterprises, which is why adopting best practices for technology use and implementations is increasingly important.

To this end, the US National Institute of Standards and Technology (NIST) issued a draft of its best practices recommendations for Secure Shell (SSH), a cryptographic network protocol used to secure services between two networked computers. Most often, these communications are between systems or accounts with high privilege levels, such as connections made between a database application and an Oracle account.

Organizations may use SSH for various automated processes such as file transfers, backups, patch management, and database updates. Managing Secure Shell keys properly is also a factor for many companies and organizations required to comply with data management regulations such as the Sarbanes-Oxley Act of 2002, which dictates how publicly held companies store electronic records.

The problem is not trivial. As Network World’s Ellen Messmer explains:

When improperly managed, SSH keys can be used by attackers to penetrate the organization’s IT infrastructure. A Ponemon Institute study earlier this year of more than 2,100 systems administrators at Global 2000 companies found that three out of the four enterprises were vulnerable to root-level attacks against their systems because of failure to secure SSH keys, and more than half admitted to SSH-key-related compromises.

SSH Key Security

In addition to network vulnerabilities created by improper SSH implementations, mismanaged and stolen keys can create unacceptable security risks. One problem occurs when keys are not properly or rigorously audited. This gives unscrupulous, unauthorized users the opportunity to create backdoors that enable the network to be breached, often repeatedly, without detection.

Tatu Ylönen, lead author of the report as well as the creator of the protocol, told Security Week:

A lack of proper access controls in Secure Shell environments creates a significant security risk for government agencies. Malicious insiders and external attackers can utilize a lost or stolen Secure Shell user key to gain access to critical systems and assets. We have worked directly with many organizations to address the vulnerabilities highlighted in this report and fully endorse its recommendations.

SSH Password Authentication

Among those recommendations are several suggestions on how to implement password authentication. SSH has two different types of password authentication mechanisms: basic password authentication and keyboard-interactive authentication. The guidance states that passwords used for automated access should be rotated frequently to prevent security breaches and advises against using host-based authentication for automated access.
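The following is an added example, not part of the NIST draft or the original post: a small Python check that reports, for the global section and each Match block of an sshd_config, which of the three mechanisms named above (basic password, keyboard-interactive, host-based) is enabled. The sample configuration is constructed, and the defaults are those documented in OpenSSH's sshd_config(5); Include directives are not followed.

```python
import re

# Constructed sample sshd_config, for illustration only.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
passwordauthentication yes
HostbasedAuthentication yes
Match User backup
    PasswordAuthentication yes
    KbdInteractiveAuthentication no
"""

# OpenSSH defaults that apply when a keyword is absent (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "hostbasedauthentication": "no",
}
# Older name for keyboard-interactive authentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
LABELS = {
    "hostbasedauthentication": "host-based authentication",
    "passwordauthentication": "basic password authentication",
    "kbdinteractiveauthentication": "keyboard-interactive authentication",
}

def effective_auth_settings(config_text):
    """Return {scope: {keyword: value}} for 'global' and each Match block."""
    scopes, scope = {"global": {}}, "global"
    for raw in config_text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.*)", raw)
        if not m:  # blank line or comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":  # following lines belong to this block
            scope = "Match " + value
            scopes.setdefault(scope, {})
            continue
        key = ALIASES.get(key, key)
        if key in DEFAULTS:
            scopes[scope].setdefault(key, value.lower())  # first value wins
    return {s: {**DEFAULTS, **scopes["global"], **seen} for s, seen in scopes.items()}

def enabled_methods(config_text):
    """List (scope, method) for each of the three methods that is enabled."""
    settings = effective_auth_settings(config_text)
    return [(scope, LABELS[k]) for scope, s in settings.items()
            for k in LABELS if s[k] == "yes"]
```

On a live host, `sshd -T` prints the effective configuration with includes resolved and is the authoritative source; this parser is for reviewing configuration files offline.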

Jonathan Lewis, director of product marketing for SSH Communications Security, whose chief executive officer created the protocol, observed:

NIST recognizes the issue but isn’t just throwing stones—the report they just released provides a ton of helpful information. It goes through chapter and verse how automated processes using Secure Shell actually work and then goes on to provide practical guidelines and best practices for securing them.

SSH Key Management

One problem is that once SSH is deployed, the system is neglected or forgotten. Key management is critical. Karen Scarfone, another of the protocol authors, told BankInfo Security that organizations have to institute best practices for securing and tracking keys before they are issued.

It’s a lot harder to secure SSH keys after you’ve already got deployments out there. Unfortunately, we’ve heard of organizations that now have hundreds of thousands of SSH keys — and now we’re asking them now to go audit and review these hundreds of thousands of keys.
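As an added example (not from the NIST draft or the original post) of the key auditing and tracking discussed under SSH Key Security and SSH Key Management, the Python sketch below inventories authorized_keys entries by SHA256 fingerprint and reports keys that grant access to more than one account. The account names, key blobs and file contents are constructed; a real audit would read each account's authorized_keys file from disk.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Constructed stand-ins for public-key blobs (not real keys).
KEY_A = base64.b64encode(b"constructed key A").decode()
KEY_B = base64.b64encode(b"constructed key B").decode()
# Constructed sample: account name -> contents of its authorized_keys file.
SAMPLE = {
    "root": f"ssh-ed25519 {KEY_A} backup@db01\n",
    "oracle": "# database transfers\n"
    f'from="10.0.0.5",command="/opt/sync job" ssh-rsa {KEY_B} etl\n'
    f"ssh-ed25519 {KEY_A}\n",
}

# A field is a run of non-space characters; double-quoted option values
# (which may contain spaces and \" escapes) stay inside their field.
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')

def fingerprint(b64_blob):
    """SHA256 fingerprint in the format ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def inventory(files):
    """Map fingerprint -> [(account, options, comment), ...]."""
    seen = defaultdict(list)
    for account, text in files.items():
        for line in text.splitlines():
            f = FIELD.findall(line)
            if not f or f[0].startswith("#"):
                continue
            # Options are present when the first field is not a key type.
            options = "" if f[0].startswith(("ssh-", "ecdsa-", "sk-")) else f.pop(0)
            if len(f) < 2:
                continue
            try:
                fp = fingerprint(f[1])
            except ValueError:  # malformed base64; keep it visible in the report
                fp = "unparseable"
            seen[fp].append((account, options, " ".join(f[2:])))
    return dict(seen)

def shared_keys(files):
    """Fingerprints authorized on more than one account."""
    accounts = {fp: sorted({u[0] for u in uses}) for fp, uses in inventory(files).items()}
    return {fp: a for fp, a in accounts.items() if len(a) > 1}
```

In the sample, the key authorized for root is also authorized for the oracle account with no comment identifying its owner, which is the kind of entry an audit needs to trace back to a person or process.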

The draft document, Security of Automated Access Management Using Secure Shell, is available for download. No timeline for finalization has been provided.

Image by maxkabakov/123RF.
