All businesses are aware of the importance of cybersecurity, but some areas are perhaps given more focus than others. Today a lot of work is done around securing ‘human identity’; ensuring usernames and passwords are kept safe and biometric systems are secure. However, there’s another area that many security experts feel is overlooked – machine identity.
“There’s a lot of awareness around the people problem, because we can understand what this means,” Keven Bocek, vice president of security strategy and threat intelligence at cybersecurity firm Venafi, tells IT Pro. “Whereas, with machine identity, the scope and scale is far greater.”
Just like human users, machines also need to authenticate their identity when communicating with each other, and use cryptographic keys and digital certificates to do so. The majority use the Secure Shell (SSH) network protocol to secure remote connections to cloud-based systems, VPNs and connected devices, automating processes and giving privileged access to a company’s most critical systems including servers and databases.
Are you aware of all the SSH keys in your organisation?
Within global enterprises, including banks, retailers and airlines, you’ll find millions of SSH keys, yet many businesses struggle to manage, understand and account for all their machine identities.
“According to Security Brief, only 10% of organisations believe they have ‘complete and accurate intelligence’ on the SSH keys within their operation,” notes Caitlin Egen, a cybersecurity consultant at data protection consultancy HewardMills.
In the wrong hands, SSH keys can be used to bypass security controls, escalate privileged access to networks and data, insert backdoors into systems and move laterally through systems undetected. This activity can continue “for days, weeks or months due to the sophisticated nature of the threat, compounding the negative impact on an organisation”, says Egen. Therefore, it’s imperative that businesses get a better understanding of machine identity and ensure their systems are secure.
A growing threat
Now is the time to take action, as SSH exploitation is becoming more common. Previously, the ability to use and steal SSH keys was limited to nation states and advanced bad actors, but recent research by Venafi found that SSH stealing techniques are becoming increasingly commoditised.
“SSH exploitation capabilities are being added to commodity malware; whether that’s to infiltrate via brute forcing, [take advantage of] weak authentication of SSH, steal SSH keys or add the attacker’s SSH key to an affected machine in order to remain persistent and open a back door into that machine,” explains Yana Blachman, a threat intelligence specialist at Venafi, and former Israeli intelligence operative.
These kinds of attacks “have trickled down from nation states and advanced persistent threats (APTs) down to the ‘street hackers’”, she says.
Blachman shares the example of Trickbot. First appearing as a banking trojan back in 2016, by 2019 it had evolved into a flexible, universal malware that had introduced the capability to steal SSH keys and look for information that could reveal other hosts trusted by that machine. So far it’s known to have compromised more than 250 million email accounts.
The IT Pro Podcast: How do we fix security?
We discuss why firms keep making the same security mistakes with guests Graham Cluley and Stu Peck
Blachman recommends the first step businesses take is to identify their existing SSH keys and get visibility on who they belong to, what they’re used for and what they communicate with. Every company should keep a protected and up-to-date log of every active key across the business.
“Once you know what you have you can then monitor, rotate and remove keys as necessary, and in the case of an infection or compromise, be able to quickly remediate that threat,” she says.
Securing machine identities – the challenges
Ensuring machine identities stay secure does have its challenges however. Firstly, there's the growing provision of open Wi-Fi in office spaces. “If they offer ‘open wifi’, businesses need to make sure it's locked down,” advises Rick Chandler, chair of BCS’ Communications Management Association (CMA) specialist group. “Also, businesses need to ensure that a criminal hasn’t set up a spoof that staff can connect to that takes them somewhere else. It’s not just cybercriminals hacking into your network, it's also making sure there isn’t a backdoor where information is going out.”
Then there’s the risk from devices employees may bring in from home, or vice versa. The rise of BYOD (bring your own device) saw more staff working on their own devices, connecting machines that may be less secure onto the business network and potentially putting the company at risk. On the flip side, using company hardware at home could also create opportunities for cybercriminals, as machines connect to networks that may be less secure.
“This is particularly an issue to consider currently, with the COVID-19 pandemic forcing the many employees to work from home,” notes Chandler. “Machines must have the right software installed to protect the enterprise.”
The growth of IoT
The spread of the Internet of Things (IoT) also compounds these challenges as many more devices – some the company’s, some the employee’s own devices – may now access a company’s network. Chandler highlights that these devices should always be evaluated for security before being allowed onto an enterprise’s network and that more work needs to be done not only to ensure privacy by design but also throughout a device’s operating life.
A recent IoT Security Foundation (IoTSF) survey found that 85% of consumer IoT device manufacturers questioned don’t allow for vulnerability reporting, which would otherwise enable vendors to be alerted to weaknesses that could be exploited by hackers. Of those that did allow it, many used a weakened policy, with over a third (36.6%) indicating no timeline of disclosure. “It’s crucial that security mitigations are managed beyond the design stage and throughout operating life,” said the IoTSF’s managing director John Moor of the report.
To ensure businesses stay secure, Chandler recommends they look at Cyber Essentials certification. This is a UK Government-backed framework that promotes a strong foundation of cyber security, which will soon include IoT.
The introduction of standards
Work is also being done to improve IoT device security via new standards that will ensure devices meet a minimum level of security. This includes the European Telecommunication Standards Institution’s (ETSI) EN 303 645 standard and the UK’s IoT security law plans.
“Things will get better,” says Chandler. “There’s work underway on quite comprehensive standards around privacy and security by design. The awareness has come more from consumers than businesses, and these standards are aimed at consumer devices, but if they’re good for consumers they should also be good for business. I’d urge businesses to look into Cyber Essentials, keep an eye open for the new standards, and start to insist on them from their vendors.”
