Security in the world of machine-to-machine (M2M) communications is a mess, according to Tatu Ylönen, founder and CEO of SSH Communications Security in Helsinki, Finland.
Ylönen told me as we met over breakfast near Washington, D.C., that few IT managers and even fewer C-level managers really have an inkling of the security risks posed by M2M communications, which run constantly in their businesses every day.
Ylönen, who is the inventor of the Secure Shell protocol, said the vast majority of communications between servers and virtual machines, and even within virtualized environments, use public-key authentication over SSH.
He explained that nearly all application-driven communications, whether to retrieve or process data, to exchange data with other applications or to connect different parts of one application, use SSH authentication. Likewise, he said, devices in the Internet of things authenticate their presence on the Web using SSH.
Now, Ylönen’s company has received the results of a study by Forrester Consulting that examines how widely M2M communications have penetrated companies. The study found that virtually all companies use M2M communications in some way, and well over half, 62 percent, expect that use to increase.
In addition, more than half of all financial institutions use M2M for billing in some way, while more than half of all companies use it for logistics and customer service.
The problem, according to Ylönen and to the survey, is that only a few companies realize that M2M communications have a critical role in security, even among companies that say data security is a top priority.
What they don’t realize, he said, is that the keys used to secure M2M communications can provide unfettered access to the servers or other devices they connect to. A private key that matches an entry in an account’s authorized keys gives whoever holds it the same level of access as that account’s password; a key authorized for an administrative account is an administrator credential, whether or not anyone manages it as one.
“Managers aren’t paying attention,” he said. Ylönen said he thinks that part of the problem is that many businesses base their security on what’s required to pass an audit, and not necessarily what’s required to keep information secure. “They have to fill out a checklist,” he said.
Furthermore, most auditors have no idea how to determine what sort of access is granted by SSH keys, he said. User names and passwords are relatively easy to manage and audit; the access available to M2M communications through SSH keys is something auditors in general seem neither to appreciate nor to understand.
Poor Security Key Management Poses Cyber Threat to Internet of Things
Because neither auditors nor managers really understand how SSH keys work, security management of those keys is weak at best.
Ylönen said nation-state sponsored cyber-spies and crime syndicates are taking advantage of this weak management. It’s possible to look at the access logs of machines that have established communications with the target organization and sometimes determine the source of the SSH keys, he said.
While it’s certainly possible to audit and secure access to SSH keys, most companies don’t know how to do it. For those companies, SSH Communications Security offers a free audit tool called the SSH Risk Assessor, which gathers the keys and information on how they’re being used and lets managers and auditors determine the company’s compliance exposure.
Most managers, Ylönen said, have no idea how many SSH keys exist at their company and as a result are unable to manage them in any meaningful way. “If you ask someone how many SSH keys they have,” he said, “they’ll be off by an order of magnitude or two orders of magnitude.”
In addition, IT managers in general don’t realize that controlling keys is as important as controlling user names and passwords. Even though compliance standards require that keys be controlled, companies that fail to manage their keys usually fail to audit their use as well. Ylönen said that it’s a common joke in the security community that, when asked, security managers admit to changing their keys “every 20 years.”
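The three points above (a key in an administrative account's authorized keys is an administrator credential, nobody knows how many keys exist, and keys are never rotated) are all things a first-pass inventory can surface from the authorized_keys files themselves. The following script is an added example written for this article; it is not the SSH Risk Assessor or any other product's code. It parses the OpenSSH authorized_keys format, including quoted option values such as command="...", computes the SHA256 fingerprint the way ssh-keygen does, and flags keys that carry no command= or from= restriction, keys that log in as root, DSA keys, and keys whose file has not changed in longer than a rotation threshold. The sample files, the 365-day threshold, the placeholder key blobs and the fixed clock are all constructed for the demonstration; the blobs are syntactically valid base64 but are not real keys.

```python
"""Inventory OpenSSH authorized_keys entries and flag the ones an auditor should care about."""
import base64
import hashlib
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STALE_DAYS = 365          # rotation threshold: an assumption, tune to your policy
WEAK_TYPES = {"ssh-dss"}  # DSA keys, disabled by default since OpenSSH 7.0


@dataclass
class KeyRecord:
    user: str
    key_type: str
    fingerprint: str
    comment: str
    options: List[str] = field(default_factory=list)
    issues: List[str] = field(default_factory=list)


def _is_key_type(token: str) -> bool:
    return token.startswith(("ssh-", "ecdsa-", "sk-"))


def parse_line(line: str) -> Optional[Tuple[List[str], str, str, str]]:
    """Split one authorized_keys line into (options, key_type, blob, comment).

    Options precede the key type as a comma-separated list; quoted values such as
    command="..." may contain commas and spaces, so scan character by character.
    Returns None for blank lines, comments and lines that are not key entries.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options: List[str] = []
    i = 0
    if not _is_key_type(line.split(None, 1)[0]):
        buf, in_quote = "", False
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quote and i + 1 < len(line):  # escaped char inside quotes
                buf += line[i + 1]
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote
            elif c == "," and not in_quote:
                options.append(buf)
                buf = ""
            elif c.isspace() and not in_quote:               # end of the option list
                options.append(buf)
                break
            else:
                buf += c
            i += 1
    parts = line[i:].split(None, 2)
    if len(parts) < 2 or not _is_key_type(parts[0]):
        return None
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def fingerprint(blob_b64: str) -> str:
    """ssh-keygen -l style fingerprint: base64 of sha256(decoded blob), padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(user: str, text: str, file_mtime: float, now: float) -> List[KeyRecord]:
    """Turn one account's authorized_keys content into records with audit findings."""
    age_days = (now - file_mtime) / 86400
    records = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, key_type, blob, comment = parsed
        names = {o.split("=", 1)[0] for o in options}
        issues = []
        if "command" not in names and "from" not in names:
            issues.append("unrestricted")      # interactive shell, from any source address
        if user == "root":
            issues.append("grants-root")       # this key is an administrator credential
        if key_type in WEAK_TYPES:
            issues.append("weak-algorithm")
        if age_days > STALE_DAYS:
            issues.append("stale")             # file mtime is the best offline proxy for age
        records.append(KeyRecord(user, key_type, fingerprint(blob), comment, options, issues))
    return records


def inventory(sources: Dict[str, Tuple[str, float]], now: Optional[float] = None) -> List[KeyRecord]:
    """sources maps user name to (authorized_keys text, file mtime)."""
    now = time.time() if now is None else now
    out: List[KeyRecord] = []
    for user, (text, mtime) in sources.items():
        out.extend(audit(user, text, mtime, now))
    return out


def collect_local() -> Dict[str, Tuple[str, float]]:
    """Read default authorized_keys paths visible to this process (run as root for coverage).
    A real audit must also honour AuthorizedKeysFile and AuthorizedKeysCommand in sshd_config."""
    homes = {"root": "/root"}
    if os.path.isdir("/home"):
        homes.update({d: os.path.join("/home", d) for d in os.listdir("/home")})
    sources = {}
    for user, home in homes.items():
        path = os.path.join(home, ".ssh", "authorized_keys")
        if os.path.isfile(path):
            with open(path) as fh:
                sources[user] = (fh.read(), os.stat(path).st_mtime)
    return sources


def _blob(label: bytes) -> str:
    """Placeholder key blob for the demo: valid base64, NOT a real public key."""
    return base64.b64encode(label).decode()


NOW = 1_700_000_000.0   # fixed clock so the demo is deterministic
DAY = 86400.0
SAMPLE = {              # constructed authorized_keys files, not taken from any real host
    "root": (
        "ssh-ed25519 " + _blob(b"deploy") + " deploy@ci\n"
        'command="/usr/bin/rsync --server --sender . /srv/backup",from="10.0.0.5",no-pty,no-port-forwarding '
        "ssh-ed25519 " + _blob(b"backup") + " backup@nas\n",
        NOW - 3 * 365 * DAY,
    ),
    "appuser": (
        "# keys for the batch jobs\n\n"
        "ssh-dss " + _blob(b"legacy") + " batch@legacy\n",
        NOW - 30 * DAY,
    ),
}

if __name__ == "__main__":
    for r in inventory(SAMPLE, now=NOW):
        print(f"{r.user:8} {r.key_type:12} {r.fingerprint} {r.comment:14} {','.join(r.issues) or 'ok'}")
```

On the sample, the root deploy key is reported as unrestricted, root-granting and stale: it is exactly the "administrator password nobody rotates" case, while the backup key on the same account is tolerable because a forced command and a source address bound it to one job from one host. Replace `SAMPLE` with `collect_local()` to run it against a real machine; aggregating the fingerprints across hosts is what turns this into a count of how many distinct keys the organization actually has.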
So how big a deal is key management and key auditing? Some major data breaches, perhaps including last year’s costly breach of Target’s point-of-sale system, may be directly related to either failing to manage the keys needed to access a company’s network or failing to manage the level of privilege those keys gain when used for access. While we don’t know for sure if it was improperly managed SSH keys that led to the Target breach, it’s certainly possible that it was.
Unfortunately, this isn’t a problem that an IT manager can handle alone. The sheer number of SSH connections that take place in a virtualized environment is beyond what a single person can track by hand. But by using tools such as SSH’s Risk Assessor software, it might be possible to get started.