Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • The Security Leadership Issue
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
Cybersecurity News

How to Topple a Fortune 500: The Key is in a Tiny Piece of Infrastructure

By Tatu Ylonen
keys-cyber-enews
May 4, 2017

Fortune 500 companies tend to have a large physical footprint: multiple locations with numerous buildings and well-developed infrastructure. They are solid companies with a track record of success and the bank accounts to prove it. But aside from this seeming show of invulnerability, today’s innovative cyber threats level the playing field. Fortune 500s are just as susceptible as other companies to attack, and the fallout can cripple or destroy an enterprise.

The Pervasive, Hidden Security Danger

Though enterprises run a tight security ship in terms of access to their tens of thousands of servers and disaster recovery data centers, there is a common danger that can bring them all down.

This is because servers are managed by system administrators and various automated tools. The automated systems need access credentials to gain access to other systems in order for daily communications and operations to function, and they usually use SSH keys – which are also used by system administrators and developers to do their work internally – in order to log in from their workstation to access servers without having to type their password all the time.

Organizations are often shocked to discover that about 90 percent of their SSH keys are unused. That means there is privileged access to critical systems and data that has never been terminated – violating policies, regulations and laws. It is almost as if employees’ user accounts were never removed when they left, and they had the capability to create new accounts for anyone they like.

This is a dangerous scenario in itself, but there is more. Typically, 10 percent of the SSH keys grant root access (highest-level administrative access). Such keys are used to make backups, install patches, manage configurations and implement emergency response procedures, often using automated tools. To provide the magnitude of the usage of SSH keys, in some enterprises there are more than 5 million automated daily logins using SSH keys – resulting in more than 2 billion logins per year.

Anatomy of a Fortune 500 Cyberattack

A cybercriminal usually penetrates a company computer first and then steals passwords or other credentials to gain access to some set of servers. This often involves malware. Once on a server, the attacker obtains elevated privileges using locally exploitable vulnerabilities to read private SSH keys from the server. Many of these keys grant unrestricted access to other servers and systems. The attacker uses these keys to gain access to those other servers and repeats the process to move undetected within the enterprise.

Because there are so many SSH keys available – 10 to 200 per server on average in most enterprises – it is likely the attack can easily spread to nearly all data centers in the enterprise. Some companies with more than 100,000 keys are granting access from low-security test and development into production servers alone. Key-based access between data centers is almost always present. Usually, there are also many SSH keys granting access from individual user accounts to privileged service accounts, bypassing systems that were supposed to monitor privileged access.

Cybercriminals employ another clever tactic here to avoid detection: they may monitor the server for days or weeks to see which SSH keys are actually used with what servers, and then piggyback on legitimate connections to move undetected.

The Stealth Attack

With SSH keys in hand, an attacker can take down the entire enterprise by confusing the system or destroying it. They can modify database records in subtle ways, corrupt backups or render every penetrated server, storage device and router inoperable. For example, the attacker can reprogram the firmware on routers and switches, install malware into disk drive firmware, network adapter firmware or bios firmware, as well as wipe any data on the affected servers and storage systems, including any penetrated backup systems and disaster recovery systems.

This would stop a Fortune 500 in its tracks and require weeks or months to rebuild and reinstall its systems, and it would likely lose a good number of recent transactions. How many hours, days or weeks can a typical Fortune 500 be down before the reputation damage is irreparable? The damage to shareholders could easily exceed $30 billion, given the extent of the damage and the inability to operate or even communicate.

There are a variety of bad actors who could accomplish this level of attack, and for a variety of reasons. Perhaps a nation-state in a cyberwar might conduct such activity to as many enterprises as possible, even attacking multiple enterprises simultaneously. Perhaps a terrorist organization would want to cause chaos. Perhaps a hacktivist would want to teach investors not to put money in “unethical” enterprises. Perhaps a criminal organization would want to extract ransom. For many others, the point would be the extracting of information, a breach committed to gain competitive intelligence. In such cases, privacy and regulatory issues would be of paramount concern.

The SSH Action Plan

The nature of the problem is such that there is no quick fix. This is primarily an administrative issue. Enterprise operations totally depend on automation made possible by SSH keys. Essentially, enterprises must establish proper management of automated access just as they manage passwords. They must also sort out the legacy mess.

An action plan for proper SSH key management involves several steps. Enterprises must first establish a controlled process to provision keys. Eliminating SSH keys that are not being used or that violate policy is critical. Application teams must be able to justify with sign-off on any remaining keys that give access into the information systems they are managing. Finding tools to help automate this process is critical, since it is far too large a task to do by hand. In addition, review SSH key-based access into backup systems and disaster recovery data centers. Fortune 500s can significantly reduce the threat to the enterprise and focus on creating shareholder value instead of apologizing for careless access control.

KEYWORDS: cyber attack cybersecurity management data breach incident management SSH keys

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Tatu Ylonen is the creator of the SSH protocol and the founder of SSH Communications Security. He is an experienced entrepreneur, manager and engineer. He still keeps up to date with technology and loves the technical side and inventing new technology. He participates in product architecture design and occasionally writes code when he has time or when he thinks that’s where he can bring the most value. His primary current interests relate to broader cybersecurity priorities and how to design systems to be more secure. He understands both the big picture and the deep technical issues. He also wants to solve the massive gap in identity and access management in relation to SSH key based credentials.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cyber Tactics Column
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    New Security Technology
    By: Charles Denyer
close

1 COMPLIMENTARY ARTICLE(S) LEFT

Loader

Already Registered? Sign in now.

Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Internal computer parts

Critical Software Vulnerabilities Rose 37% in 2024

Coding

AI Emerges as the Top Concern for Security Leaders

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

Person working on laptop

Governance in the Age of Citizen Developers and AI

Shopping mall

Victoria’s Secret Security Incident Shuts Down Website

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

August 27, 2025

Risk Mitigation as a Competitive Edge

In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • visitor management office

    Digital security infrastructure unlocks the door to a more secure return to the office

    See More
  • cyber_lock

    COVID-19 and the need for a national cyber director: How the response to the pandemic illustrates the importance of a leadership

    See More
  • insurance-freepik

    The beginning of a beautiful friendship: How the insurance industry can partner with IT to create true digital transformation

    See More

Related Products

See More Products
  • databasehacker

    The Database Hacker's Handboo

See More Products

Events

View AllSubmit An Event
  • March 6, 2025

    Why Mobile Device Response is Key to Managing Data Risk

    ON DEMAND: Most organizations and their associating operations have the response and investigation of computers, cloud resources, and other endpoint technologies under lock and key. 
  • August 27, 2025

    Risk Mitigation as a Competitive Edge

    In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.
View AllSubmit An Event
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!