NIST IR 7966: Guidance on SSH Keys
One area of responsibility of the National Institute of Standards and Technology (NIST) is the establishment of cybersecurity standards and guidelines for US Federal government agencies. The private sector must be prepared for regulatory and standards bodies to follow suit.
On October 30th, 2015, the Computer Security Division of NIST released the final version of Interagency Report 7966 (NISTIR 7966), “Security of Interactive and Automated Access Management Using Secure Shell (SSH).” The purpose of this document is to assist organizations in understanding the basics of SSH and SSH access management in an enterprise, focusing on the management of SSH user keys. It describes the primary categories of vulnerabilities in SSH user key management and recommends practices for planning and implementing SSH access management based on NIST Special Publication (SP) 800-53 and the President’s Cybersecurity Framework.
The use of SSH grew in a grassroots fashion from system administration, and its deployment never got much management attention or planning in most organizations. It was a standard component requiring no purchasing decision. It is the “Invisible Plumbing” that runs in nearly all systems and is most often seen as being owned by the “IT department”.
As a result, the Computer Security Division of NIST concluded that poor SSH access controls within Information Technology (IT) environments constitute a major operational and security risk that could be best addressed by publishing IR 7966.
What vulnerabilities does NIST bring forward?
Public key authentication is inherently more secure than other forms such as passwords. That is why NIST recommends public key authentication, especially in support of process automation. Improperly managed SSH keys, however, can be leveraged by attackers to penetrate the IT infrastructure and move freely across a network without detection. NIST has identified many categories of vulnerabilities that organizations are most often exposed to and should evaluate within the scope of their security assessments. Let’s name a few:
- Vulnerable SSH implementations that may allow unauthorized access to systems.
- Improperly configured access controls that enable unauthorized access.
- Stolen, leaked, derived, and unterminated SSH user keys.
- Unaudited user keys that can be used to create a “backdoor”.
- Use of user keys for purposes for which they were not intended.
- Lack of knowledge and human errors.
What risks do organizations face today?
Vulnerabilities, of course, introduce risks! Organizations across many industries with varying regulations have excelled over the years at governing access to production systems. Unfortunately, the majority missed the hidden access: SSH keys. Production environments rely on SSH key access across the board, from local data centers to offshore locations and, of course, into the cloud.
NIST did an excellent job of identifying the risks related to poorly managed SSH key environments. To name a few:
- Employees who have left or transferred out of an organization may have leftover unauthorized access to production.
- Lack of segregation of duties where individuals have unauthorized access to production systems.
- Unneeded keys remain authorized on systems.
- Private keys without passphrase protection.
- Keys not rotated regularly or at all. Key rotation is a basic requirement for protecting credentials.
- Ineffective access controls resulting in audit findings and exceptions.
- Human errors in manual key setup and removal process.
Why is this important?
Controlling access to information systems is critical for information security. Access controls exist on many levels and use many technologies. The levels include physical restrictions on access to hardware; logical controls for accessing network interfaces, hardware management ports on servers, virtualization hypervisors, operating system (OS) user accounts, and information through database systems; and logical controls implemented by applications.
The fact that SSH keys have been deployed to all production environments unnoticed, unmanaged and uncontrolled opens the door for intentional or unintentional harm. To ensure effective controls to protect what’s important, organizations cannot delay the inclusion of SSH key access in identity and privileged access management programs, provisioning programs and access governance programs.
Taking it a step further, as auditors and regulators are becoming aware of this access gap, you can rest assured that the next audit checklist you face will include SSH keys.
The new guideline NIST IR 7966 from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government. NIST 800-53 and associated Interagency Reports are widely accepted industry standard best practices, even for commercial entities that are not doing business with the Federal government.
NIST puts forth some excellent best practice recommendations that pave the way to better security and compliance:
- Implement clearly defined SSH key management policies and procedures.
- Secure your SSH implementations.
- Control SSH identities and authorized keys.
- Establish a continuous monitoring and audit process.
- Inventory and remediate.
- Automate the process.
- Educate, Educate and Educate the masses.
The good news is that the initial steps in dealing with these issues are not difficult or costly. Initially organizations must find out to what extent their environments are exposed to the risks identified. Skilled personnel with the right tools can accomplish these initial steps within a matter of days.
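As an added illustration of that first inventory step (not taken from the NIST report or from any SSH Communications Security product), the following Python example parses authorized_keys content, computes OpenSSH-style SHA256 fingerprints, and flags keys that are missing from an approved inventory or carry no `command=`/`from=` restriction. The account names, key blobs and approved list are constructed sample data, and treating a missing restriction as a review item is an assumption of this example.

```python
import base64
import hashlib
import re

# Split on whitespace but keep double-quoted option values (which may contain spaces) intact.
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"])*")+')
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (options, key_type, fingerprint, comment) for each key line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = TOKEN.findall(line)
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # not a recognisable key line
        yield " ".join(tokens[:idx]), tokens[idx], fingerprint(tokens[idx + 1]), " ".join(tokens[idx + 2:])

def audit(accounts, approved):
    """Return sorted (account, comment, finding) tuples for keys needing review."""
    findings = []
    for account, text in accounts.items():
        for options, _type, fp, comment in parse_authorized_keys(text):
            if (account, fp) not in approved:
                findings.append((account, comment, "not in approved inventory"))
            if "command=" not in options and "from=" not in options:
                findings.append((account, comment, "no command= or from= restriction"))
    return sorted(findings)

def sample_blob(seed):
    # Constructed stand-in for a key blob; not a real public key.
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()

# Constructed sample data: two accounts and the (account, fingerprint) pairs a review approved.
ACCOUNTS = {
    "backup": f'command="/usr/local/bin/run-backup",from="10.0.0.5" ssh-ed25519 {sample_blob(b"a")} backup@scheduler\n',
    "deploy": f'# deploy keys\nssh-rsa {sample_blob(b"b")} alice@laptop\nssh-ed25519 {sample_blob(b"c")} unknown\n',
}
APPROVED = {("backup", fingerprint(sample_blob(b"a"))), ("deploy", fingerprint(sample_blob(b"b")))}

if __name__ == "__main__":
    print(*audit(ACCOUNTS, APPROVED), sep="\n")
```

In a real review the account-to-file mapping would come from reading each user's authorized_keys file, and the approved set from the organization's access records.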
Organizations that acquire and use automated SSH key management products should be able to significantly decrease their risks related to SSH access with a reasonable amount of effort. Without automation, most organizations will struggle to remediate the existing SSH environment and to properly secure new SSH usage.
SSH Communications Security offers training, services and products that help organizations address the issues NIST has raised. Working together with your staff, we can provide a comprehensive evaluation of your current environment and recommend effective approaches for remediation.
Download NIST IR 7966
ISACA has published audit guidance around SSH. See ISACA SSH Audit Practitioner Considerations Guidance.