Information Security News mailing list archives

Poorly managed SSH keys pose serious risks for most companies


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 24 Feb 2014 08:35:06 +0000 (UTC)

http://www.computerworld.com/s/article/9246512/Poorly_managed_SSH_keys_pose_serious_risks_for_most_companies

By Jaikumar Vijayan
Computerworld
February 22, 2014

Many companies are dangerously exposed to threats like the recently revealed Mask Advanced Persistent Threat because they don't properly manage the Secure Shell (SSH) cryptographic keys used to authenticate access to critical internal systems and services.

A Ponemon Institute survey of more than 2,100 systems administrators at Global 2000 companies discovered that three out of four enterprises are vulnerable to root-level attacks against their systems because of their failure to secure SSH keys.

Even though more than half of the surveyed enterprises had suffered SSH key-related compromises, 53% said they still had no centralized control over the keys and 60% said they had no way to detect new keys introduced in their organizations. About 46% said they never change or rotate SSH keys -- even though the keys never expire.

Those findings reveal a significant gap in enterprise security controls, said Larry Ponemon, founder and CEO of the Ponemon Institute. "It's hard to believe that companies allow themselves to be so insecure," he said. "This doesn't appear to be a situation where this vulnerability has to even be a vulnerability."

[...]


