Fortune 500 companies tend to have a large physical footprint: multiple locations with numerous buildings and well-developed infrastructure. They are solid companies with a track record of success and the bank accounts to prove it. But aside from this seeming show of invulnerability, today’s innovative cyber threats level the playing field. Fortune 500s are just as susceptible as other companies to attack, and the fallout can cripple or destroy an enterprise.
The Pervasive, Hidden Security Danger
Though enterprises run a tight security ship in terms of access to their tens of thousands of servers and disaster recovery data centers, there is a common danger that can bring them all down.
This is because servers are managed by system administrators and various automated tools. The automated systems need access credentials to gain access to other systems in order for daily communications and operations to function, and they usually use SSH keys – which are also used by system administrators and developers to do their work internally – in order to log in from their workstation to access servers without having to type their password all the time.
Organizations are often shocked to discover that about 90 percent of their SSH keys are unused. That means there is privileged access to critical systems and data that has never been terminated – violating policies, regulations and laws. It is almost as if employees’ user accounts were never removed when they left, and they had the capability to create new accounts for anyone they like.
This is a dangerous scenario in itself, but there is more. Typically, 10 percent of the SSH keys grant root access (highest-level administrative access). Such keys are used to make backups, install patches, manage configurations and implement emergency response procedures, often using automated tools. To provide the magnitude of the usage of SSH keys, in some enterprises there are more than 5 million automated daily logins using SSH keys – resulting in more than 2 billion logins per year.
Anatomy of a Fortune 500 Cyberattack
A cybercriminal usually penetrates a company computer first and then steals passwords or other credentials to gain access to some set of servers. This often involves malware. Once on a server, the attacker obtains elevated privileges using locally exploitable vulnerabilities to read private SSH keys from the server. Many of these keys grant unrestricted access to other servers and systems. The attacker uses these keys to gain access to those other servers and repeats the process to move undetected within the enterprise.
Because there are so many SSH keys available – 10 to 200 per server on average in most enterprises – it is likely the attack can easily spread to nearly all data centers in the enterprise. Some companies with more than 100,000 keys are granting access from low-security test and development into production servers alone. Key-based access between data centers is almost always present. Usually, there are also many SSH keys granting access from individual user accounts to privileged service accounts, bypassing systems that were supposed to monitor privileged access.
Cybercriminals employ another clever tactic here to avoid detection: they may monitor the server for days or weeks to see which SSH keys are actually used with what servers, and then piggyback on legitimate connections to move undetected.
The Stealth Attack
With SSH keys in hand, an attacker can take down the entire enterprise by confusing the system or destroying it. They can modify database records in subtle ways, corrupt backups or render every penetrated server, storage device and router inoperable. For example, the attacker can reprogram the firmware on routers and switches, install malware into disk drive firmware, network adapter firmware or bios firmware, as well as wipe any data on the affected servers and storage systems, including any penetrated backup systems and disaster recovery systems.
This would stop a Fortune 500 in its tracks and require weeks or months to rebuild and reinstall its systems, and it would likely lose a good number of recent transactions. How many hours, days or weeks can a typical Fortune 500 be down before the reputation damage is irreparable? The damage to shareholders could easily exceed $30 billion, given the extent of the damage and the inability to operate or even communicate.
There are a variety of bad actors who could accomplish this level of attack, and for a variety of reasons. Perhaps a nation-state in a cyberwar might conduct such activity to as many enterprises as possible, even attacking multiple enterprises simultaneously. Perhaps a terrorist organization would want to cause chaos. Perhaps a hacktivist would want to teach investors not to put money in “unethical” enterprises. Perhaps a criminal organization would want to extract ransom. For many others, the point would be the extracting of information, a breach committed to gain competitive intelligence. In such cases, privacy and regulatory issues would be of paramount concern.
The SSH Action Plan
The nature of the problem is such that there is no quick fix. This is primarily an administrative issue. Enterprise operations totally depend on automation made possible by SSH keys. Essentially, enterprises must establish proper management of automated access just as they manage passwords. They must also sort out the legacy mess.
An action plan for proper SSH key management involves several steps. Enterprises must first establish a controlled process to provision keys. Eliminating SSH keys that are not being used or that violate policy is critical. Application teams must be able to justify with sign-off on any remaining keys that give access into the information systems they are managing. Finding tools to help automate this process is critical, since it is far too large a task to do by hand. In addition, review SSH key-based access into backup systems and disaster recovery data centers. Fortune 500s can significantly reduce the threat to the enterprise and focus on creating shareholder value instead of apologizing for careless access control.
