By Tatu Ylonen, founder and SSH Fellow, SSH Communications Security

It takes a special combination of leaders, ideas, and processes to become a Fortune 500 company. By the time an enterprise has reached this status, it has gained significant resources and name recognition, fueled by innovative ideas and the drive to succeed. But if the enterprise does not address a critical danger lurking in its information systems, it could quickly become a Fortune 0.

Access Gone Wild
Enterprises carefully control access to servers and disaster recovery data centers. Behind the traditional applications, servers are managed by system administrators and various automated tools.

The automated systems need credentials to gain access to other systems in order for daily communications and operations to function, and they usually use what is called SSH keys, which are also used by system administrators and developers to do their work internally, in order to log in from their workstation to access servers without having to type their password all the time.

Roughly 90 percent of the SSH keys are unused in the average enterprise. That means there is privileged access to critical systems and data that has never been terminated – violating policies, regulations, and laws. It is almost as if employees’ user accounts were never removed when they left, and they had the capability to create new accounts for anyone they like.

Even more worrisome is the fact that about10 percent of the SSH keys grant root access (highest-level administrative access).

Such keys are used to make backups, install patches, manage configurations and implement emergency response procedures, often using automated tools.

To provide the magnitude of the usage of SSH keys, in some enterprises there are more than 5 million automated daily logins using SSH keys – resulting in more than 2 billion logins per year.

The SSH Stealth Attack
A cybercriminal begins an attack by gaining access to a company computer and then steals passwords or other credentials to gain access to a set of servers. This often involves malware.

Once on a server, the attacker obtains elevated privileges using locally exploitable vulnerabilities to read private SSH keys from the server. Many of these keys grant unrestricted access to other servers and systems.

The attacker uses these keys to gain access to those other servers and repeats the process to move undetected within the enterprise.

It is likely that the attack can easily spread to nearly all data centers in the enterprise, given the high number of keys (10-200 per server on average in most enterprises).

Some companies with more than 100,000 keys are granting access from low-security test and development into production servers alone. Key-based access between data centers is almost always present.

Usually, there are also many SSH keys granting access from individual user accounts to privileged service accounts, bypassing systems that were supposed to monitor privileged access.

Cybercriminals use sophisticated means to avoid detection. They can monitor the server for days or weeks to see which SSH keys are actually used with which servers and then piggyback on legitimate connections to move undetected.

Bringing the Fortune 500 to Its Knees
At this point, the digital interloper may confuse the system or destroy it outright. They can modify database records in subtle ways, corrupt backups or render every penetrated server, storage device and router are inoperable.

For example, the attacker can reprogram the firmware on routers and switches, install malware into disk drive firmware, network adapter firmware or bios firmware, as well as wipe any data on the affected servers and storage systems, including any penetrated backup systems and disaster recovery systems.

This would be a crippling blow for a Fortune 500. IT teams would need weeks or months to rebuild and reinstall its systems, and it would likely lose a good number of recent transactions.

How many hours, days or weeks can a typical Fortune 500 be down before the reputation damage is irreparable?

The damage to shareholders could easily exceed $30 billion, given the extent of the damage and the inability to operate or even communicate.

These days, there are multiple possible reasons for launching such an attack. Perhaps a nation-state in a cyber war might conduct such activity to as many enterprises as possible, even attacking multiple enterprises simultaneously.

Perhaps a terrorist organization wants to cause chaos. Perhaps a hacktivist wants to teach investors not to put money in “unethical” enterprises. Perhaps a criminal organization wants to extract a ransom.

For many others, the point would be to extract information, a breach committed to gain competitive intelligence. In such cases, privacy and regulatory issues would be of paramount concern.

Steps to Security
Essentially, this is an administrative problem. No quick fix is available. Enterprise operations totally depend on automation made possible by SSH keys. Enterprises must establish proper management of automated access just as they manage passwords. They must also sort out the legacy mess.

The sooner this is accomplished, the sooner the enterprise can rest easier. The first step is to establish a controlled provisioning process. Unused and policy-violating SSH keys must be destroyed, and application teams need to justify with sign-off on any remaining keys that provide access to the information systems they are responsible for managing.
Tools are available today to assist with this process, as the problem is typically too large to tackle manually.

As a final step, carefully review SSH key-based access into backup systems and disaster recovery data centers to close the loop. Fortune 500s and other enterprises that take these steps have taken back control of a situation that could otherwise devastate them and their shareholders.

About the Author
Tatu Ylonen is the founder and SSH Fellow of SSH Communications Security and the creator of the SSH protocol and the founder of SSH Communications Security. He is an experienced entrepreneur, manager, and engineer. He still keeps up to date with technology and loves the technical side and inventing new technology.
He participates in product architecture design and occasionally writes code when he has time or when he thinks that’s where he can bring the most value.
His primary current interests relate to broader cybersecurity priorities and how to design systems to be more secure. He understands both the big picture and the deep technical issues. He also wants to solve the massive gap in identity and access management in relation to SSH key-based credentials.
Tatu can be reached online at @tjssh and at the company website: