New NIST Best Practices for Managing SSH

By | In Blog | November 03rd, 2014

New NIST Best Practices for Managing SSHSecurity breaches are a top-of-mind concern throughout enterprises, which is why adopting best practices for technology use and implementations is increasingly important.

To this end, the US National Institute of Standards and Technology issued a draft of its best practices recommendations for Secure Shell or SSH, a cryptographic network protocol used to secure services between two networked computers. Most often, these communications are between systems or accounts with high privilege levels, such as connections made between a database application and an Oracle account.

may use SSH for various automated processes such as file transfers, backups, patch management, and database updates. Managing the secure shell keys properly is also a factor for many companies and organizations required to comply with various data management regulations such as the Sarbanes-Oxley Act of 2002, which dictates how publically-held companies store electronic records.

The problem is not trivial. As Network World’s Ellen Messmer explains:

When improperly managed, SSH keys can be used by attackers to penetrate the organization’s IT infrastructure. A Ponemon Institute study earlier this year of more than 2,100 systems administrators at Global 2000 companies found that three out of the four enterprises were vulnerable to root-level attacks against their systems because of failure to secure SSH keys, and more than half admitted to SSH-key-related compromises.

SSH Key Security

In addition to network vulnerabilities created by improper SSH implementations, mismanaged and stolen keys can create unacceptable security risks. One problem occurs when keys are not properly or rigorously audited. This gives unscrupulous, unauthorized users the opportunity to create backdoors that enable the network to be breached, often repeatedly, without detection.

Tatu Ylönen, lead author of the report as well as the creator of the protocol, told Security Week:

A lack of proper access controls in Secure Shell environments creates a significant security risk for government agencies. Malicious insiders and external attackers can utilize a lost or stolen Secure Shell user key to gain access to critical systems and assets. We have worked directly with many organizations to address the vulnerabilities highlighted in this report and fully endorse its recommendations.

SSH Password Authentication

Among those recommendations are several suggestions on how to implement password authentication. SSH has two different types of password authentication mechanisms: basic password authentication and keyboard-interactive authentication. The guidance states that passwords used for automated access should be rotated frequently to prevent security breaches and advises against using host-based authentication for automated access.

Jonathan Lewis, director of product marketing for SSH Communications Security,whose chief executive officer created the protocol, observed:

NIST recognizes the issue but isn’t just throwing stones—the report they just released provides a ton of helpful information. It goes through chapter and verse how automated processes using Secure Shell actually work and then goes on to provide practical guidelines and best practices for securing them.

SSH Key Management

One problem is that once SSH is deployed the system is neglected or forgotten. Key management is critical. Karen Scarfone, another of the protocol authors, told BankInfo Security that organizations have to institute best practices for securing and tracking keys before they are issued.

It’s a lot harder to secure SSH keys after you’ve already got deployments out there. Unfortunately, we’ve heard of organizations that now have hundreds of thousands of SSH keys — and now we’re asking them now to go audit and review these hundreds of thousands of keys.

The draft document—Security of Automated Access Management Using Secure Shell — is available for download. No timeline for finalization has been provided.

Image by maxkabakov/123RF.

Contact Us
John Kaufling
Vice President and Practice Leader of Application Services
John Kaufling has more than 20 years of experience in the IT industry, including more than 12 years as an Oracle EBS database administrator at Level 3 Communications and at Oracle Corporation. His specialties include implementations, upgrades, performance tuning and extensive capability to support the product. John’s work with Oracle apps database administration has included experience with SOA suite, Veritas Cluster, Oracle DataGuard, Load Balancing from Resonate, Cisco and BigIP and extensive experience with Oracle self-service applications and self-service framework technology.

Leave a Reply

Your email address will not be published.
Required fields are marked (*).