For those involved in open and automated access technology, NIST’s Interagency Report 7966: Security of Interactive and Automated Access Management Using Secure Shell (SSH) should be of some interest. The full report is here. This is the second public comment period for this draft report and the comment deadline is April 3, 2015.
Although NIST’s purpose of the report is to “assist organizations in understanding the basics of Secure Shell (SSH) and SSH access management”, the framework is ripe with lessons/best practices for information and privacy security measures within any organization with network engineering.
There are at least four major noteworthy components in the report:
Section 4.6: Pivoting. “Malware can be engineered to use SSH keys to spread when automated access is allowed.” Aside from the cautionary tale that a single intrusion event can quickly lead to a network infiltration, an equally important take away is that organizations need to know the location (at all times) of SSH keys so that they can be monitored for unauthorized access/duplication.
Section 4.7: Lack of Knowledge and Human Errors. The report cites to the growing human error component which impacts the security of SSH-based systems. Some of the cited reasons include “complexity of SSH management and the lack of knowledge many administrators have regarding secure SSH configuration and management.” It goes without saying that the human side of the security setup (which can involve thousands of hosts), makes it more likely that an unauthorized key vulnerability can be exploited with any resultant clean-up being very time consuming.
Section 6.2: Cryptographic key management and protection. “Key management and protection is another important component of solution design, including key generation, use, storage, recovery, and destruction.” Organizations should take efforts to ensure that access to keys is always properly restricted, monitored and that retrieval can take place in a short time frame if the need arises.
Section 6.5: Preparing devices for retirement or disposal. “Devices and media that hold private keys should be sanitized or destroyed, unless the keys have been retired/rotated.” Keys that are held in mobile devices should be tracked and removed when not needed. Devices that are retired should ensure data sanitization and/or purging take place. A detailed guide to media sanitization is here.
Interested parties should take the opportunity to provide comments towards the finalization of these future industry standards.