Because auditors, and managers for that matter, don't really understand how SSH keys work, the management of those keys is weak at best.
Ylönen said nation-state-sponsored cyber-spies and crime syndicates are taking advantage of this weak management. By examining the access logs of machines that have established connections with a target organization, he said, it is sometimes possible to determine where the SSH keys being used came from.
While it's certainly possible to audit and secure access to SSH keys, most companies don't know how to do it. For those companies, SSH Communications Security (Ylönen's company) makes a free audit tool called the SSH Risk Assessor, which gathers the keys and information on how they're being used and lets managers and auditors determine a company's compliance exposure.
Most managers, Ylönen said, have no idea how many SSH keys exist at their company and as a result are unable to manage them in any meaningful way. "If you ask someone how many SSH keys they have," he said, "they'll be off by an order of magnitude or two orders of magnitude."
In addition, IT managers generally don't realize that controlling keys is as important as controlling user names and passwords. Even though compliance standards require that keys be controlled, the failure by many companies to manage them properly usually extends to a failure to audit their use as well. Ylönen said that it's a common joke in the security community that, when asked, security managers admit to changing their keys "every 20 years."
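To make concrete what a key inventory and usage audit of the kind described above actually involves, here is an added example written for this page; it is not the SSH Risk Assessor or any other SSH Communications Security tool. The script parses authorized_keys files (including the options field, whose quoted values may contain spaces), computes the SHA256 fingerprints OpenSSH prints in its logs, correlates them with sshd "Accepted publickey" lines, and flags keys that carry no from= or command= restriction, keys that authorize more than one account, and keys that never appear in the log. The account names, key blobs and log lines are constructed in-line so it runs offline; the key material is not real.

```python
"""Inventory authorized_keys entries and correlate them with sshd auth logs.
Added example for this article, not a tool from SSH Communications Security.
All key blobs, account names and log lines are constructed in-line (not real)."""
import base64, hashlib, re, struct
from collections import namedtuple
from typing import Dict, List, Set

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
RESTRICTING_OPTIONS = ("from=", "command=")  # options that bound where/what a key may do
LOG_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")
OPTIONS_RE = re.compile(r'((?:[^\s"]|"[^"]*")+)\s+(.*)')  # options field ends at unquoted whitespace
OPTION_SPLIT_RE = re.compile(r'(?:[^,"]|"[^"]*")+')        # commas outside quotes separate options
AuthorizedKey = namedtuple("AuthorizedKey", "user options key_type fingerprint comment")


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # SSH wire-format string: 4-byte length prefix


def fake_ed25519_blob(seed: int) -> str:
    """Constructed public-key blob in OpenSSH wire format; the 32 bytes are NOT a real key."""
    pub = bytes((seed * 37 + i) % 256 for i in range(32))
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pub)).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as OpenSSH prints it: base64 of the digest without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(user: str, text: str) -> List[AuthorizedKey]:
    """Parse one account's authorized_keys text: [options] type base64-blob [comment]."""
    keys: List[AuthorizedKey] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        options: List[str] = []
        if line.split(None, 1)[0] not in KEY_TYPES:  # first token is an options field
            m = OPTIONS_RE.match(line)
            if not m:
                continue
            options, line = OPTION_SPLIT_RE.findall(m.group(1)), m.group(2)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue  # malformed entry; sshd ignores it as well
        comment = parts[2] if len(parts) == 3 else ""
        keys.append(AuthorizedKey(user, options, parts[0], fingerprint(parts[1]), comment))
    return keys


def seen_fingerprints(log_text: str) -> Dict[str, Set[tuple]]:
    """Map fingerprint -> {(account, source IP)} from sshd 'Accepted publickey' lines."""
    seen: Dict[str, Set[tuple]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen.setdefault(m.group(3), set()).add((m.group(1), m.group(2)))
    return seen


def audit(keys: List[AuthorizedKey], log_text: str) -> Dict[str, List[str]]:
    """Findings by category: unrestricted keys, keys never seen in the log, keys shared by accounts."""
    seen = seen_fingerprints(log_text)
    findings: Dict[str, List[str]] = {"unrestricted": [], "unused": [], "shared": []}
    users_by_fp: Dict[str, Set[str]] = {}
    for k in keys:
        label = f"{k.user} {k.fingerprint} ({k.comment or 'no comment'})"
        users_by_fp.setdefault(k.fingerprint, set()).add(k.user)
        if not any(o.startswith(RESTRICTING_OPTIONS) for o in k.options):
            findings["unrestricted"].append(label)
        if k.fingerprint not in seen:
            findings["unused"].append(label)
    for fp, users in users_by_fp.items():
        if len(users) > 1:
            findings["shared"].append(f"{fp} authorizes {', '.join(sorted(users))}")
    return findings


# Constructed sample: two accounts on one host plus an sshd log excerpt (made up for this example).
BLOB_A, BLOB_B, BLOB_C = fake_ed25519_blob(1), fake_ed25519_blob(2), fake_ed25519_blob(3)
SAMPLE_FILES = {
    "deploy": f'from="10.0.0.0/24",command="/usr/bin/rsync --server",no-pty ssh-ed25519 {BLOB_A} backup@bastion\n'
              f"ssh-ed25519 {BLOB_B} jane@laptop\n",
    "root": f"# legacy admin key\nssh-ed25519 {BLOB_B} jane@laptop\nssh-ed25519 {BLOB_C} old-ci-runner\n",
}
SAMPLE_LOG = (
    f"Jun  3 02:15:01 web1 sshd[4121]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 {fingerprint(BLOB_A)}\n"
    f"Jun  3 09:42:17 web1 sshd[4530]: Accepted publickey for deploy from 203.0.113.7 port 40211 ssh2: ED25519 {fingerprint(BLOB_B)}\n"
    "Jun  3 09:44:02 web1 sshd[4533]: Failed password for invalid user admin from 198.51.100.9 port 33001 ssh2\n"
)


def run_sample() -> Dict[str, List[str]]:
    keys = [k for user, text in SAMPLE_FILES.items() for k in parse_authorized_keys(user, text)]
    return audit(keys, SAMPLE_LOG)


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("  ", item)
```

On the constructed sample the audit reports three unrestricted keys, one key (jane's) that authorizes both deploy and root, and one key (old-ci-runner) that has never logged in and is therefore a removal candidate. On a real fleet you would feed it the actual authorized_keys files of every account (including service accounts and any AuthorizedKeysFile locations set in sshd_config) and the full auth log history, since a key that is only used once a quarter will otherwise look unused.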
So how big a deal is key management and key auditing? Some major data breaches, possibly including last year's costly breach of Target's point-of-sale system, may be directly related to a failure to manage the keys used to access a company's network, or to manage the level of privilege those keys carry once access is granted. Whether improperly managed SSH keys played a part in the Target breach is not known for certain, but it is certainly possible.
Unfortunately, this isn't a job an IT manager can handle alone. The sheer number of SSH transactions that take place across a virtualized environment is beyond what a single person can track by hand. But tools such as SSH's Risk Assessor software can at least provide a starting point.