SECURING SECURE SHELL: INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS
Applying Due Care Via a Common Sense Approach
April 2017
• Ponemon 2014 SSH Security Vulnerability Report (Ponemon, 2014)
  • 2,000 global organizations surveyed
  • All (100%) of the enterprises surveyed depend on SSH for critical functions
  • Over half have experienced an SSH key-related compromise
  • 46% do not rotate or change keys
  • Only 25% have Secure Shell security controls in place
• Ponemon Institute survey of 237 companies (Ponemon, 2016)
  • Malicious insider threat is the costliest attack type
  • CY 2015 to 2016 saw a 14% increase
  • Large companies are the most vulnerable
INSIDER THREAT – TRENDS
• 2015: "55% of cyber-attacks were carried out by insiders" (Rose, 2016)
• 49% of IT professionals are more concerned with insider threats than with external threats (Bose, 2016)
• Insiders include careless employees as well as malicious ones:
  • Unwitting, careless employees who create opportunities for external threats
  • Malware operating with an insider's access
  • Employees who bend the rules to get their jobs done
MORE NUMBERS – SPECIAL INTEREST ITEMS
• National Industrial Security Program Operating Manual (NISPOM) Change 2 (DSS, 2016)
  • Directs cleared contractors to establish and implement insider threat programs
  • Designate an Insider Threat Program Senior Official (ITPSO), who must be identified as Key Management Personnel (KMP)
  • The ITPSO must hold eligibility equal to or higher than the level of the Facility (Security) Clearance (FCL)
• Federal Business Opportunities (FedBizOpps) search
  • Search criteria: all current Federal, State, and US Territory opportunities, searched for key terms
  • Out of 31,100+ opportunities:
    • Cisco: appears 413 times
    • Linux: 190 times
    • UNIX: 137 times
    • SIEM: 16 times
    • Secure Shell: 4 times
ABOUT THIS PRESENTATION
Presenter: Paul Collier
• Defense contractor: 16 years
• Information Assurance: 10 years (PKI, PKE, and auditing)
• Representing self (with employer approval)
• Involvement with Secure Shell: auditing web and application servers; prototyping on cloud instances; since 2014, dealing with anonymity
Focus areas: Insider Threat, Secure Shell, Cloud Services
OVERVIEW
• What is Secure Shell?
• What (or who) is an insider?
• Key differences between SSL and SSH enablement
• The "Startup" scenario
• ShapeShift hack x3
• Recommendations
• Wrap-up
WHAT IS SECURE SHELL
• Secure Shell (SSH) protocol
  • Secure remote login
  • Replaces Telnet, rlogin, rsh, and rcp
• Suite of utilities
  • ssh (remote shell and remote command execution)
  • sftp (file transfer)
  • scp (secure copy)
• Public-key authentication (RSA key pairs are the common case)
  • The SSH public key is kept on the server side, in the user's authorized_keys file
  • The SSH private key stays on the client side and is referred to as the identity (ID) key
  • In SSH-2 the session keys come from a Diffie-Hellman (or ECDH) key exchange; the RSA key pair authenticates the user, it does not exchange keys
• Similarities to SSL/TLS
  • Client/server hello (version and algorithm negotiation)
  • Key exchange, MAC, and encryption
Advantage to an insider? Anonymity: a self-generated SSH key has no issuer and asserts no identity, so nothing but the server's own records ties it to a person.
WHAT (OR WHO) IS AN INSIDER?
• US-CERT: a current or former employee, contractor, or other business partner (US-CERT, 2014)
• Behavior prediction theories to consider (US-CERT, 2014)
  • General Deterrence Theory (GDT): a person commits a crime if the expected benefit outweighs the cost of the action
  • Social Bond Theory (SBT): a person commits a crime if the social bonds of attachment, commitment, involvement, and belief are weak
  • Social Learning Theory (SLT): a person commits a crime if they associate with delinquent peers
  • Theory of Planned Behavior (TPB): a person's intention toward crime (attitude, subjective norms, and perceived behavioral control) is the key factor in predicting behavior
  • Situational Crime Prevention (SCP): crime occurs when both motive and opportunity exist
WHAT (OR WHO) IS AN INSIDER?
• Citibank – Plano, Texas (DOJ, 2016)
  • Lennon Ray Brown
  • Received a poor performance review
  • Shut down connectivity to roughly 90% of Citibank's networks across North America
  • Calling card: a text message
• Architectural firm – Florida (Fox News, 2008)
  • "Marie" makes a bad assumption
  • Deletes 7 years' worth of data
KEY DIFFERENCES BETWEEN SSL AND SSH ENABLEMENT
• First use for critical purposes
  • An initial SSH session authenticated with an RSA key requires few prerequisites: generate a key pair and place the public key in authorized_keys
  • Installing a live SSL (X.509v3) key pair requires many prerequisites
• Differences in size
  • An X.509v3 certificate asserts an identity, vouched for by an issuer; an SSH key simply is the identity
  • X.509v3 certificate contents: subject (your unique name), issuer, public key, validity dates, validation information, key usage, certificate policies
  • SSH public key contents: the public key (plus an optional comment)
  • SSH keys are lightweight by comparison (Miller, 2011)
• Another problem: adding X.509v3 capability also adds DoD requirements (DoD UCR, 2013)
  • SSH-only: 12 requirements
  • SSH with X.509v3 support: 7 additional requirements
THE "STARTUP" SCENARIO
• Organic fertilizer company "Grow Smart" (fictitious), marketing a unique product
• Venture capital funded
• LOE < 20
• Leveraging a cloud service provider (CSP)
• Initial scope
  • Website hosting the product catalog
  • CRM and ERP
  • Email services: marketing, transactional, notifications, and receiving
THE "STARTUP" SCENARIO – LAUNCH
(Diagram: SSH key generation at launch. A public/private key pair is generated; Grow Smart holds the private key and the public key is placed on the CSP instance.)
THE "STARTUP" SCENARIO – BUILD
• Default settings left in place
• To expedite, Bob:
  • Removes the passphrase from the private key (stores it decrypted)
  • Uses the same key for the service accounts
  • Applies no key restrictions (no from= or command= options in authorized_keys)
THE STARTUP SCENARIO – OPEN FOR BUSINESS
(Website mockup: Home | Interactive Catalog | Gardening Tips | Sign-in | Register)
Orders! Profits! Celebration! Bob's a hit!
THE STARTUP SCENARIO – PAUSE FOR REVIEW
• The cloud service provider is a business partner (IdentityWeek, 2015), and therefore part of the insider population by the US-CERT definition
• Cloud instances are time savers, but a pre-built image can carry:
  • Backdoors and leftover credentials (Marinescu, 2013)
  • (Pre-)existing unsolicited connections (Marinescu, 2013)
  • Malware (Marinescu, 2013)
THE STARTUP SCENARIO – PAUSE FOR REVIEW
• Readily available cloud services lead to the temptation to expedite (Williams, 2012)
  • Logging and auditing left at the default configuration
  • The initial key pair was used throughout the build and after launch
  • Storing the private key decrypted (passphrase removed) is a common practice
  • Using the same public key for service accounts is not a best practice
• Bob's method is the "pessimistic approach": "Build it quickly, get it out there, and validate the business before spending the time to engineer it for scaling" (Mombrea, 2012)
  • A recent stolen-key incident ran up a $50K bill for an AWS customer (Quora, 2017)
• What due care looks like instead:
  • Pre-launch planning and "what-if" analysis
  • Study the instance; collect information from the CSP
  • Define the actions to take after launch
  • Plan SSH key provisioning ahead of time (NIST, 2015)
THE STARTUP SCENARIO – PAUSE FOR REVIEW
• After first launch
  • Check for existing keys (authorized_keys entries, host keys, leftover private keys)
  • Change the keys
  • Clean, scrub, sanitize, and disinfect the instance
  • Save the cleaned instance as a new image
  • Repeat the above steps on each new instance
  • Test it: build a honey pot from the image, leave it alone, and watch what connects
  • Make corrections as needed
• Bottom line: while cloud services do offer a time-saving benefit, use that time to improve your security posture
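The "check for existing keys" step above can be scripted. The following is an added example, not code from the presentation: it walks a filesystem root, lists every authorized_keys file with its key count, flags private keys and host keys left behind in the image, and reads the sshd_config directives that matter most after launch. The directory layout, the placeholder key strings, and the sshd_config contents in build_fixture() are constructed for the demo; on a real instance you would call inventory("/") instead.

```python
"""First-launch check: inventory SSH key material and sshd settings on a new
cloud instance. Run inventory('/') on the instance; here it runs against a
constructed fixture directory so it can be tried offline."""
import os
import tempfile

PRIVATE_KEY_MARKERS = (b"-----BEGIN OPENSSH PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----",
                       b"-----BEGIN EC PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----")
WATCHED = {"permitrootlogin", "passwordauthentication", "loglevel", "authorizedkeysfile"}


def read_sshd_config(path):
    """Values of the watched directives. sshd keeps the first value it sees for a
    directive, so the first occurrence wins; Match blocks are not evaluated here."""
    settings = {}
    with open(path) as f:
        for raw in f:
            parts = raw.split("#", 1)[0].split(None, 1)
            if not parts:
                continue
            key = parts[0].lower()
            if key == "match":          # everything after Match is conditional
                break
            if key in WATCHED:
                settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def count_keys(path):
    """Non-blank, non-comment lines in an authorized_keys file."""
    with open(path) as f:
        return sum(1 for line in f if line.strip() and not line.lstrip().startswith("#"))


def is_private_key(path):
    try:
        with open(path, "rb") as f:
            return f.read(64).lstrip().startswith(PRIVATE_KEY_MARKERS)
    except OSError:
        return False


def inventory(root):
    """Walk the tree under root and collect everything SSH-related."""
    report = {"authorized_keys": {}, "private_keys": [], "host_keys": [], "sshd": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in ("authorized_keys", "authorized_keys2"):
                report["authorized_keys"][rel] = count_keys(path)
            elif name.startswith("ssh_host_") and name.endswith("_key"):
                report["host_keys"].append(rel)
            elif is_private_key(path):
                report["private_keys"].append(rel)
    cfg = os.path.join(root, "etc", "ssh", "sshd_config")
    if os.path.isfile(cfg):
        report["sshd"] = read_sshd_config(cfg)
    return report


def findings(report):
    """Items to act on before the instance is exposed or saved as an image."""
    out = []
    for path, n in report["authorized_keys"].items():
        if n:
            out.append(f"{n} pre-existing authorized key(s) in {path}: identify the owner or remove")
    for p in report["private_keys"]:
        out.append(f"private key left on the instance: {p}")
    if report["host_keys"]:
        out.append("host keys baked into the image: regenerate them so each instance is unique")
    sshd = report["sshd"]
    if sshd.get("permitrootlogin", "unset").lower() != "no":
        out.append(f"PermitRootLogin is {sshd.get('permitrootlogin', 'unset')}: set it to no")
    if sshd.get("passwordauthentication", "unset").lower() != "no":
        out.append("PasswordAuthentication is not 'no' (sshd default is yes): set it to no")
    if sshd.get("loglevel", "INFO").upper() != "VERBOSE":
        out.append("LogLevel is not VERBOSE: raise it so offered keys are logged with fingerprints")
    return out


def build_fixture():
    """Constructed image layout for the demo; the key strings are placeholders."""
    root = tempfile.mkdtemp(prefix="instance-")
    pem = "-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n-----END OPENSSH PRIVATE KEY-----\n"
    files = {
        "root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER vendor@image-builder\n",
        "home/ubuntu/.ssh/authorized_keys": "# the CSP injects the launch key here\n",
        "home/ubuntu/.ssh/id_rsa": pem,
        "etc/ssh/ssh_host_rsa_key": pem,
        "etc/ssh/sshd_config": "PermitRootLogin yes\n#PasswordAuthentication yes\nLogLevel INFO\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for item in findings(inventory(build_fixture())):
        print("-", item)
```

Run it once on the freshly launched instance, again after cleaning, and a third time on an instance started from the saved image; the third run is the one that proves the image itself is clean rather than just the instance you cleaned by hand.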
THE STARTUP SCENARIO – CONTINUED
• Bob becomes dissatisfied
• Left out of meetings
• Feels ostracized
• Makes a BAD choice
"GOOD NEWS, Bob! We are hiring more IT professionals."
THE STARTUP SCENARIO – THE HACK
• Bob meets a foreign actor named Rovion
  • Slack account
  • Social networking
  • Reverse social engineering
• Rovion makes Bob an offer
• Bob performs the 1st hack, taking:
  • Customer and order data
  • Engineering information
  • Vendor logon accounts
• Customers begin complaining about ID theft; Grow Smart learns it has been hacked
THE STARTUP SCENARIO – AFTERMATH
• Grow Smart investigates
  • Log files
  • Collects SSH key fingerprints from IT staff and compares them with the keys found on the servers
  • Two public key fingerprints are suspect
  • Leadership presses Bob for answers
  • Bob resigns and leaves town (and sells login credentials to Rovion)
• Rovion moves in
  • Installs a rootkit
  • Installs malware on employee laptops
  • Performs the 2nd and 3rd hacks within hours of "reopening"
• Grow Smart hires a forensic analyst
SHAPESHIFT HACK
• The Grow Smart scenario was compiled from three back-to-back hacks against ShapeShift that began in March 2016
• ShapeShift is a startup cryptocurrency exchange; "Bob" (an alias) was their "server guy"
• Bob appears to have grown disgruntled and met up with a Russian hacker
• Bob performed the first hack and made off with about $130K
SHAPESHIFT HACK
• ShapeShift's response: right move, wrong time
  • Matched SSH keys with their owners, but only after the 1st hack
  • NISTIR 7966 recommends baselining authorized keys and key fingerprints prior to deployment and periodically thereafter
• Hastily built cloud infrastructure
  • The "pessimistic approach" to cloud building comes from the 2nd and 3rd hack scenarios
  • That was not Bob's doing; it was the CEO's crisis response
  • NISTIR 7966 recommends having a backup and recovery plan already in place
• Ledger Labs performed the forensics (Perklin, 2016) and found:
  • Default logging
  • Deleted logs
  • Inadequate employee and infrastructure security policy
NIST RECOMMENDATIONS
• Baseline authorized keys (NIST, 2015)
  • Inventory and remediate existing SSH servers, keys, and trust relationships
  • Confirm that each authorized_keys entry is tied to an authorized user or service
  • If an entry cannot be associated with one, delete it
  • Identify and remove duplicated keys
  • Remove keys that do not meet key length and algorithm policies
• Set up authorized key command restrictions (NIST, 2015)
  • Limit each key to the commands it actually needs (a forced command, set with the command="..." option on the authorized_keys entry)
  • Adhere to NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
  • Restrict keys to the client IP address (the from="..." option on the authorized_keys entry)
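The baseline and restriction checks above map directly onto the contents of an authorized_keys file. The following is an added example, not code from the presentation or from NISTIR 7966: it parses authorized_keys lines (including a leading options block such as from="...",command="..."), computes the same SHA256 fingerprint that `ssh-keygen -lf` prints from the key's wire encoding, and reports duplicates, DSA or short RSA keys, and entries with no from= or command= restriction. The three sample keys are constructed in code (deterministic RSA moduli and a 32-byte ed25519 value) and are not real keys; the policy thresholds are assumptions to adjust to your own standard.

```python
"""Audit an OpenSSH authorized_keys file: fingerprint every key, flag duplicates,
weak algorithms or sizes, and keys without from= / command= restrictions."""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048   # assumed policy; DSA is rejected outright below


def _ssh_string(data: bytes) -> bytes:   # SSH wire 'string' (RFC 4251): u32 length + bytes
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:   # SSH wire 'mpint': big-endian, leading 0x00 if top bit set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + length], off + 4 + length


def rsa_blob(e: int, n: int) -> bytes:   # wire form of an ssh-rsa key = the base64 part of the line
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def ed25519_blob(pub: bytes) -> bytes:
    return _ssh_string(b"ssh-ed25519") + _ssh_string(pub)


def fingerprint(blob: bytes) -> str:
    """Same value `ssh-keygen -lf` prints: SHA-256 of the wire blob, base64 without '='."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_bits(blob: bytes) -> int:
    """RSA modulus length in bits; ed25519 is fixed at 256; other types are not sized here."""
    ktype, off = _read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return int.from_bytes(n, "big").bit_length()
    return 256 if ktype == b"ssh-ed25519" else 0


def _split_unquoted(s: str, sep: str):
    """Split on sep outside double quotes (command="..." may contain spaces and commas)."""
    parts, buf, quoted = [], "", False
    for ch in s:
        quoted ^= ch == '"'
        if ch == sep and not quoted:
            parts, buf = parts + [buf] if buf else parts, ""
        else:
            buf += ch
    return parts + [buf] if buf else parts


def parse_authorized_keys(text: str):
    """One dict per key line of the form: [options] keytype base64 [comment]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = _split_unquoted(raw.strip(), " ")
        if not fields or fields[0].startswith("#"):
            continue
        options = []
        if fields[0] not in KEY_TYPES:   # leading options block present
            options, fields = _split_unquoted(fields[0], ","), fields[1:]
        blob = base64.b64decode(fields[1])
        entries.append({"line": lineno, "type": fields[0], "bits": key_bits(blob),
                        "fingerprint": fingerprint(blob), "options": options,
                        "comment": " ".join(fields[2:])})
    return entries


def audit(entries):
    """(line, code, detail) findings; an empty list means the file passes policy."""
    findings, seen = [], {}
    for e in entries:
        ln, fp, opts = e["line"], e["fingerprint"], e["options"]
        if fp in seen:
            findings.append((ln, "DUPLICATE", f"same key as line {seen[fp]}"))
        seen.setdefault(fp, ln)
        if e["type"] == "ssh-dss":
            findings.append((ln, "WEAK_ALG", "DSA keys are not permitted"))
        elif e["type"] == "ssh-rsa" and e["bits"] < MIN_RSA_BITS:
            findings.append((ln, "WEAK_SIZE", f"RSA {e['bits']} < {MIN_RSA_BITS}"))
        if not any(o.startswith("from=") for o in opts):
            findings.append((ln, "NO_FROM", "usable from any client address"))
        if not any(o.startswith("command=") for o in opts):
            findings.append((ln, "NO_COMMAND", "no forced command; review if this is a service account"))
    return findings


# Constructed sample: Bob's 1024-bit key reused for a service account, plus one
# properly restricted ed25519 backup key. None of these are real keys.
_K1 = base64.b64encode(rsa_blob(65537, (1 << 1023) | 0x10001)).decode()
_K2 = base64.b64encode(ed25519_blob(bytes(range(32)))).decode()
SAMPLE = "\n".join([
    f"ssh-rsa {_K1} bob@laptop",
    f"ssh-rsa {_K1} backup-svc (same key reused)",
    f'from="10.0.0.5",command="/usr/bin/rsync --server -a . /srv/backup",no-pty ssh-ed25519 {_K2} backup@web1',
])

if __name__ == "__main__":   # run stand-alone to see the report for the sample
    keys = parse_authorized_keys(SAMPLE)
    print(*[(k["line"], k["type"], k["bits"], k["fingerprint"]) for k in keys], *audit(keys), sep="\n")
```

The fingerprints this produces are what you store as the baseline: collect them from every authorized_keys file at deployment, record the owner beside each, and re-run the audit on a schedule so a new or duplicated key shows up as a diff rather than as a surprise during an investigation.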
NIST RECOMMENDATIONS
• Logging: log data should be verbose enough to capture
  • The fingerprints of accepted keys
  • Account misuse
  • Creation of new key files
  • Which authorized_keys files go unused
  • Additionally: "Send log entries to an off-site logging server to ensure that evidentiary data could not be destroyed following any future breaches" (Perklin, 2016)
• Executive management should understand
  • Which systems rely on SSH
  • The level of access granted to users and automated processes
  • The risk and potential impact of a Secure Shell-based breach
  • The basic steps needed to implement an SSH key-management program
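Logging key fingerprints is only useful if something compares them with the baseline as the logins happen, ideally on the off-site log server Perklin recommends. The following is an added example, not code from the presentation: it parses the sshd "Accepted ..." events that modern OpenSSH writes (the fingerprint appears on that line as "RSA SHA256:..."; older releases print an MD5 colon-hex form, for which the baseline would be generated with `ssh-keygen -l -E md5`), and raises an alert for a key that is not in the baseline, a known key used for an account it was not issued for, a login from outside the source range recorded for that key, or any non-key login. The baseline, the fingerprints, and the log lines are all constructed for the demo.

```python
"""Check sshd 'Accepted ...' events against a key-fingerprint baseline so an
unknown key, a known key on the wrong account, or a login from an unexpected
address is caught when it happens. Baseline and log lines are constructed."""
import ipaddress
import re

# syslog-style sshd line, e.g.
# "Apr 12 02:14:07 web1 sshd[2034]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2: RSA SHA256:..."
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+) ssh2(?:: (?P<ktype>\S+) (?P<fp>SHA256:\S+))?"
)

# Constructed baseline: fingerprint -> owner, the accounts it may log in to, and
# the source networks it may come from (mirroring the from= option or the VPN range).
BOB_FP = "SHA256:" + "b" * 43
BACKUP_FP = "SHA256:" + "k" * 43
BASELINE = {
    BOB_FP: {"owner": "bob (laptop)", "accounts": {"bob"}, "from": ["10.0.0.0/24"]},
    BACKUP_FP: {"owner": "backup job", "accounts": {"backup"}, "from": ["10.0.0.9/32"]},
}


def parse_accepted(line):
    """Return the event fields, or None if the line is not an 'Accepted' event."""
    m = ACCEPTED_RE.search(line)
    return m.groupdict() if m else None


def check_event(ev, baseline=BASELINE):
    """(code, detail) findings for one accepted-login event."""
    who = f"{ev['user']} from {ev['ip']}"
    if ev["method"] != "publickey":
        return [("NON_KEY_AUTH", f"{ev['method']} login as {who}; keys are the only expected method")]
    entry = baseline.get(ev["fp"])
    if entry is None:
        return [("UNKNOWN_KEY", f"{ev['fp']} not in baseline, used by {who}")]
    out = []
    if ev["user"] not in entry["accounts"]:
        out.append(("ACCOUNT_MISMATCH", f"key of {entry['owner']} used for {who}"))
    addr = ipaddress.ip_address(ev["ip"])
    if not any(addr in ipaddress.ip_network(net) for net in entry["from"]):
        out.append(("UNEXPECTED_SOURCE", f"key of {entry['owner']} used from {ev['ip']}"))
    return out


def scan(lines, baseline=BASELINE):
    """Run every line through the checks; returns (code, user, ip, detail) alerts."""
    alerts = []
    for line in lines:
        ev = parse_accepted(line)
        if ev:
            alerts.extend((code, ev["user"], ev["ip"], d) for code, d in check_event(ev, baseline))
    return alerts


SAMPLE_LOG = "\n".join([
    f"Apr 12 02:14:07 web1 sshd[2034]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2: RSA {BOB_FP}",
    f"Apr 12 02:15:11 web1 sshd[2051]: Accepted publickey for backup from 10.0.0.9 port 40022 ssh2: ED25519 {BACKUP_FP}",
    "Apr 12 02:15:12 web1 sshd[2051]: pam_unix(sshd:session): session opened for user backup by (uid=0)",
    f"Apr 12 03:02:44 web1 sshd[2210]: Accepted publickey for root from 203.0.113.9 port 4444 ssh2: RSA SHA256:{'x' * 43}",
    f"Apr 12 03:05:01 web1 sshd[2231]: Accepted publickey for root from 198.51.100.7 port 5555 ssh2: RSA {BOB_FP}",
    "Apr 12 03:10:30 web1 sshd[2290]: Accepted password for admin from 203.0.113.9 port 4451 ssh2",
])

if __name__ == "__main__":
    for code, user, ip, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{code:18} {user}@{ip}: {detail}")
```

In the sample, the fourth line is the Grow Smart case: an accepted key nobody issued. The fifth is subtler and is why the baseline records accounts and source ranges per key rather than just the fingerprint: Bob's own key is valid, but not for root and not from that address.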
CLOSING AND WRAP UP
• All major enterprises depend on SSH for critical functions; however, the majority of those surveyed do not have Secure Shell controls in place
• Executive staff need to understand Secure Shell and the critical role it plays in the success or failure of their organization
• Secure Shell management needs to be part of an organization's insider threat mitigation plan
QUESTIONS?
REFERENCES
Bernal, Paul (2014), Internet Privacy Rights: Rights to Protect Autonomy, Cambridge University Press, ISBN 978-1-107-04273-5
Bose, Shubhomita (2016), Small Business Trends: Could Your Own Employees Be a Security Threat? Accessed from https://smallbiztrends.com/2016/12/insider-threats.html
DoD UCR (2013), Department of Defense: Unified Capabilities Requirements (UCR) 2013. http://www.disa.mil/network-services/ucco/~/media/Files/DISA/Services/UCCO/UCR2013/04_UCR_2013.pdf
DOJ (2016), Department of Justice, U.S. Attorney's Office, Northern District of Texas: Former Citibank Employee Sentenced to 21 Months in Federal Prison for Causing Intentional Damage to a Protected Computer. Available at https://www.justice.gov/usao-ndtx/pr/former-citibank-employee-sentenced-21-months-federal-prison-causing-intentional-damage
Fox News (2008), Revenge Gone Wrong: Angry Employee Deletes All of Company's Data. Accessed from http://www.foxnews.com/story/2008/01/24/angry-employee-deletes-all-company-data.html
Marinescu, Dan C. (2013), Cloud Computing: Theory and Practice, p. 290, MK Publications, ISBN 978-0-12404-627-6. Accessed on 03/25/2017
Miller, Damien (2011), SSH - Keeping Your Communications Secret: What's New in OpenSSH? Accessed from https://www.openbsd.org/papers/OpenSSH-whats-new-2011-eurobsdcon.pdf
Mombrea, Matthew (2012), When to Use Cloud Platforms vs. Dedicated Servers: To Cloud or Not to Cloud -- Horizontal Scaling for Web Applications. Accessed from http://www.itworld.com/article/2832631/cloud-computing/when-to-use-cloud-platforms-vs--dedicated-servers.html
Perklin, Michael (2016), Ledger Labs: ShapeShift Cyberattack Postmortem. Referenced at https://www.patrolx.com/wp-content/uploads/2016/04/309591980-ShapeShift-Postmortem.pdf
Ponemon Institute (2016), Ponemon Institute Research Report: Cost of Cyber Crime Study & the Risk of Business Innovation. Available at https://ssl.www8.hp.com/ww/en/secure/pdf/4aa6-8392enw.pdf
Ponemon Institute (2014), Ponemon Institute Research Report: Ponemon 2014 SSH Security Vulnerability Report, Information Technology's Dirty Secret and Open Backdoors. Underwritten by Venafi Inc.
Quora (2017), Blog post: My AWS account was hacked and I have a $50,000 bill, how can I reduce the amount I need to pay? Available at https://www.quora.com/My-AWS-account-was-hacked-and-I-have-a-50-000-bill-how-can-I-reduce-the-amount-I-need-to-pay
Rose, Robert N. (2016), Forbes Magazine (Opinion): The Future of Insider Threats. Accessed from https://www.forbes.com/sites/realspin/2016/08/30/the-future-of-insider-threats/#4b9602de7dcb
SSH Communications Security (2017), SSH Protocol (Secure Shell). Accessed from https://www.ssh.com/ssh/protocol/
Udemy (2017), Almost Everything About Secure Shell. Accessed from https://www.udemy.com/almost-everything-about-secure-shell/
US-CERT (2014), National Cybersecurity and Communications Integration Center: Combating the Insider Threat. Accessed from https://www.us-cert.gov/sites/default/files/publications/Combating%20the%20Insider%20Threat_0.pdf
Williams, Mark I. (2012), Making the Move to Cloud Computing, Chapter 3: Identifying Opportunities, an ICAEW publication, ISBN 978-0-85760-617-4. Accessed from https://www.icaew.com/-/media/corporate/archive/files/technical/information-technology/technology/making-the-move-to-cloud-computing.ashx?la=en
Ylonen, Tatu; Turner, Paul; Scarfone, Karen; Souppaya, Murugiah (2015), NISTIR 7966: Security of Interactive and Automated Access Management Using Secure Shell (SSH). National Institute of Standards and Technology, Department of Commerce. Available at http://dx.doi.org/10.6028/NIST.IR.7966