[PPT] - SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT PowerPoint Presentation

SLIDE 1

SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS

Applying Due Care Via Common Sense Approach

April 2017

SLIDE 2

Ponemon 2014 SSH Security Vulnerability

Report (Ponemon 2014)

2000 Global Organizations surveyed
All major Enterprises depend on SSH for

critical functions

Over half have experienced key-related

compromise

46% do not rotate or change keys
Only 25% have ssh security controls

Ponemon Institute Survey of 237 Companies

Malicious Insider threat costliest
CY 2015 to 2016 saw 14% increase
Large companies are most vulnerable

(Ponemon, 2016)

100%

f 2000 Global

Organizations surveyed SSH Key Compromises

Only 25%

have Secure Shell controls in place

46%

do not change or rotate keys

SLIDE 3

INSIDER THREAT – TRENDS

2015 – “55% of cyber-attacks

were carried out by insiders” –

(Rose, 2017)

49% IT Professionals more

concerned with insider threats than external threat (Bose, 2016)

Unwitting, careless employees

who provide opportunities to external threats

Malware Employees who bend the rules

to get their jobs done Insiders Careless Employees

SLIDE 4

MORE NUMBERS – SPECIAL INTEREST ITEMS

National Industry Security Program

Operating Manual (NISPOM) Change 2

Federal Biz Ops

Search Criteria - all current Fed, State, and US Territories

for key terms

Out of 31,100+ opportunities

Cisco: Appears 413 times

Linux: Appears 190 times UNIX: 137 times SIEM: 16 times Secure Shell: 4 times

Directs cleared contractors to establish and implement insider threat programs (DSS, 2016)

Designate an Insider Threat Program

Senior Officials (ITPSO) -- must be identified as Key Management Personnel (KMP)

ITPSO must have eligibility equivalent or

higher to the level of the Facility (Security) Clearance (FCL)

SLIDE 5

ABOUT THIS PRESENTATION

Presenter: Paul Collier Defense Contractor: 16 years Information Assurance: 10 years PKI, PKE, and Auditing Representing Self (With employer approval) Involvement with Secure Shell Auditing Web and Application Servers Prototyping on cloud instances Starting 2014 – dealing with anonymity

Insider Threat Secure Shell Cloud Services

SLIDE 6

OVERVIEW

What is secure shell?
What (or who) is an insider?
Key differences between SSL and SSH enablement
The “Startup” Scenario
ShapeShift Hack X3
Recommendations
Wrap-up

SLIDE 7

WHAT IS SECURE SHELL

Secure Shell Protocol

Secure remote login Replaces Telnet, rlogin, rcp

Suite of Utilities

SSH SFTP SCP

RSA Key Exchange

SSH Public Key is kept on server side (authorized_keys file) SSH Private Key is on the client side – referred to as the ID key

Similarities to SSL

Client Server Hello Key exchange, MAC, and encryption

Advantage to an Insider? Anonymity

SLIDE 8

WHAT (OR WHO) IS AN INSIDER?

US Cert: Current or former employee, contractor, or other business

Partner (US Cert, 2014)

Behavior Prediction Theories To Consider (US Cert, 2014)

General Deterrence Theory (GDT): Person commits crime if expected benefit outweighs

cost of action

Social Bond Theory (SBT): Person commits crime if social bonds of attachment,

commitment, involvement and belief are weak

Social Learning Theory (SLT): Person commits crime if associates with delinquent peers
Theory of Planned Behavior (TPB): Person’s intention (attitude, subjective norms and

perceived behavior control) towards crime key factor in predicting behavior

Situational Crime Prevention (SCP): Crime occurs when both motive and opportunity exist

SLIDE 9

WHAT (OR WHO) IS AN INSIDER?

CITIBANK – Plano, Texas (DOJ, 2016)

Lennon Ray Brown
Poor Performance Review
Shuts down 90% Citibank Worldwide
Calling Card – Text Message

Architectural firm – Florida (Fox News, 2008)

”Marie” makes bad assumption
Deletes 7 years worth of data

SLIDE 10

KEY DIFFERENCES BETWEEN SSL AND SSH ENABLEMENT

First use for critical purposes

Initial SSH RSA-authenticated sessions require few prerequisites Installing live SSL (x509v3) keypairs require many prerequisites

Differences in size

X509v3 asserts ID. SSH Key is ID x509v3 Certificates compared to SSH Keys (BSD) SSH Keys are lightweight (Miller, 2011)

Another problem: Adding x509v3 Capability also adds more DOD

requirements (DOD UCR, 2013)

SSH-only = 12 Requirements SSH Supports x509v3 = 7 additional requirements

Your unique name
Issuer
Public Encryption Key
Validity Dates
Validation information
Key Usage
Certificate Policies

Public Encryption Key

SLIDE 11

THE “STARTUP” SCENARIO

Organic Fertilizer company “Grow Smart” (fictitious)

Marketing unique product Venture Capital LOE < 20 Leveraging Cloud Service Provider

Initial scope

Website – host product catalog CRM & ERP Email Services – Marketing, Transactional, Notifications, &

Receiving

SLIDE 12

THE “STARTUP” SCENARIO - LAUNCH

Grow Smart

Private Key Public Key

CSP

SSH Key Generation

Public and private key

SLIDE 13

THE “STARTUP” SCENARIO – BUILD

Default Settings To expedite, Bob:

Decrypts private key
Uses same key for service accounts
No key-restrictions

SLIDE 14

THE STARTUP SCENARIO – OPEN FOR BUSINESS

Grow Smart

HOME INTERACTIVE CATELOG GARDENING TIPS SIGN-IN REGISTER

SLIDE 15

THE STARTUP SCENARIO – OPEN FOR BUSINESS

Orders! Profits! Celebration! Bob’s a HIT!

SLIDE 16

THE STARTUP SCENARIO – PAUSE FOR REVIEW

Cloud Service Provider is a Business Partner (IdentityWeek, 2015) Cloud instances are time savers

Backdoors and leftover credentials (Marinescu, 2013)
(Pre) Existing unsolicited connections (Marinescu, 2013)
Malware (Marinescu, 2013)

SLIDE 17

THE STARTUP SCENARIO – PAUSE FOR REVIEW

Readily available cloud services lead to temptation to expedite (Williams, 2012)

Logging and auditing left at default configuration
Initial keypair was used throughout build and post launch
Decrypting private key is a common practice
Using same public key for service accounts not a best practice

Bob’s Method – a Pessimistic approach: “Build it quickly, get it out there, and validate the business before spending the time to engineer it for scaling”

(Mombrea, 2012)

Recent stolen key incident runs-up $50K for an AWS customer (Quora, 2017)
Pre-launch Planning
“What-if” Analysis
Study the Instance – collect information from CSP
Actions to take after launch
Plan SSH-Key Provisioning ahead of time (NIST, 2015)

SLIDE 18

THE STARTUP SCENARIO – PAUSE FOR REVIEW

After first launch

Check for existing keys Change keys Clean, scrub, sanitize, and disinfect Save new instance Repeat above steps on new instance Test it - build a honey pot – leave it alone Make corrections as needed

Bottom line – While cloud services do offer a time-saving benefit, use that

time to benefit your security posture

SLIDE 19

THE STARTUP SCENARIO - CONTINUED

Bob becomes dissatisfied Left out of meetings Feels ostracized

Makes a BAD Choice

GOOD NEWS, Bob!. We are hiring more IT Professionals

SLIDE 20

THE STARTUP SCENARIO – THE HACK

Bob meets foreign actor named Rovion

Slack account
Social networking
Reverse social engineering

Rovion makes offer to Bob Bob performs 1st hack

Customer and order data
Engineering Information
Vendor logon accounts

Customers begin complaining about ID theft Grow Smart learns they have been hacked

SLIDE 21

THE STARTUP SCENARIO - AFTERMATH

Grow Smart Investigates

Log files
Collect/Compare ssh key fingerprints from IT
Two public key fingerprints are suspect
Leadership presses Bob for answers
Bob resigns/leaves town (and sells login credentials to Rovion)

Ø Rovion moves in

Installs rootkit
Installs malware on employee laptops
Performs 2nd &3rd hack within hours of “reopening”
Grow Smart hires forensic analyst

SLIDE 22

SHAPESHIFT HACK

The Grow Smart scenario was compiled from 3 back-to-back

hacks against ShapeShift that began in March 2016

Shapeshift is a Startup Crypto Currency Exchange Bob (an alias) was their “server guy” Bob appears to have grown disgruntled and met up with a

Russian Hacker

Bob performed the first hack and ripped off $130K

SLIDE 23

SHAPESHIFT HACK

ShapeShift Response: Right Move, Wrong Time

Matched ssh keys with their owners but only after the 1st hack NISTIR 7966 recommends baselining authorized keys and key fingerprints (prior to deployment

and periodically)

Hastily-built cloud Infrastructure

The “Pessimistic approach” to cloud-building comes from the 2nd and 3rd hack-scenario But it wasn’t Bob; this was CEO crisis response NIST IR 7966 recommends having backup and recovery plan already in place

Ledger Labs performed forensics (Perklin, 2016)

Default logging Deleted logs Inadequate employee and infrastructure security policy

SLIDE 24

NIST RECOMMENDATIONS

Baseline Authorized Keys (NIST, 2015)

Inventory and Remediate Existing SSH Servers, Keys, and Trust Relationships Confirm that each authorized_key is tied to an authorized user or service If unable to associate, delete ID and remove duplicated keys Remove keys that do not meet key length and algorithm policies

Setup Authorized Key Command Restrictions (NIST, 2015)

Limit keys to implicitly perform only required commands Adhere to NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

Restrict Keys to the client IP address

SLIDE 25

NIST RECOMMENDATIONS

Logging: Log data should be verbose enough to capture:

Key fingerprints Account misuse Creation of new key files Determine unused authorized_keys files

(additionally) “Send log entries to an off-site logging server to ensure that evidentiary data could not be destroyed following any future breaches” (Perklin, 2016)

Executive Management

Understand which systems rely on SSH Level of access granted to users and automated processes Risk and potential impacts of a secure shell-based breach Basic steps needed to implement SSH key-management program

SLIDE 26

CLOSING AND WRAP UP

All major Enterprises depend on SSH for critical functions.

However, the majority of those surveyed do not have Secure Shell controls in place

Executive staff needs to understand Secure Shell and the critical

role that it plays in the success or failure of their organization

Secure Shell management needs to be part of an organization’s

Insider Threat mitigation plan

SLIDE 27

QUESTIONS? ?

SLIDE 28

REFERENCES

Bernal, Paul (2014), Internet Privacy Rights: Rights to Protect Autonomy, Published by Cambridge University Press, ISBN 978-1-107-04273-5 Bose, Shubhomita (2016), Small Business Trends: Could Your Own Employees Be a Security Threat? Accessed from https://smallbiztrends.com/2016/12/insider- threats.html Damien Miller, 2011, SSH-Keeping Your Communications Secret: What's new in OpenSSH? Accessed from https://www.openbsd.org/papers/OpenSSH-whats-new- 2011-eurobsdcon.pdf DoD UCR (2013), Department of Defense: Unified Capabilities Framework 2013 http://www.disa.mil/network- services/ucco/~/media/Files/DISA/Services/UCCO/UCR2013/04_UCR_2013.pdf DOJ (2016),Department of Justice, U.S. Attorney’s Office, Northern District of Texas, Former Citibank Employee Sentenced to 21 Months in Federal Prison for Causing Intentional Damage to a Protected Computer, Available at: https://www.justice.gov/usao-ndtx/pr/former-citibank-employee-sentenced-21-months-federal- prison-causing-intentional-damage Fox News (2008), Revenge Gone Wrong: Angry Employee Deletes All of Company's Data, Accessed from: http://www.foxnews.com/story/2008/01/24/angry- employee-deletes-all-company-data.html Marinescu, Dan C (2013) Cloud Computing: Theory and Practice, Page 290, published by MK Publications, ISBN 978-0-12404-627-6, Accessed on 03/25/2017 Mombrea, Matthew (2012): When to use cloud platforms vs. dedicated servers: To cloud or not to cloud -- horizontal scaling for web applications, Accessed from http://www.itworld.com/article/2832631/cloud-computing/when-to-use-cloud-platforms-vs--dedicated-servers.html Perklin, Michael (2016), Ledger Labs: Shapeshift Cyberattack Postmortem, Referenced at https://www.patrolx.com/wp-content/uploads/2016/04/309591980- ShapeShift-Postmortem.pdf

SLIDE 29

REFERENCES

Ponemon Institute (2016), Ponemon Institute Research Report: Cost of Cyber Crime Study & the Risk of Business Innovation, Available at: https://ssl.www8.hp.com/ww/en/secure/pdf/4aa6- 8392enw.pdf Ponemon Institute (2014), Ponemon Institute Research Report: Ponemon 2014 SSH Security Vulnerability Report, Information Technology's Dirty Secret and Open Backdoors, Underwritten by Venafi Inc, Available at: file:///C:/Users/Owner/Documents/BAH/Brownbag/Ponemon-2014-SSH.pdf Quora (2017), Blog Post: My AWS account was hacked and I have a $50,000 bill, how can I reduce the amount I need to pay?, Available at: https://www.quora.com/My-AWS-account-was-hacked- and-I-have-a-50-000-bill-how-can-I-reduce-the-amount-I-need-to-pay Robert N. Rose, Forbes Magazine (Opinion): The Future Of Insider Threats. Accessed from https://www.forbes.com/sites/realspin/2016/08/30/the-future-of-insider-threats/#4b9602de7dcb SSH Communication Security (2017), SSH Protocol (Secure Shell), Accessed from: https://www.ssh.com/ssh/protocol/ Udemy (2017), Almost Everything About Secure Shell: Accessed from: https://www.udemy.com/almost-everything-about-secure-shell/ US Cert (2014), National Cybersecurity and Communications Integration Center, Combating the Insider Threat, Accessed from : https://www.us-cert.gov/sites/default/files/publications/Combating%20the%20Insider%20Threat_0.pdf Williams, Mark I. (2012) Making The Move To Cloud Computing, Chapter 3: Identifying Opportunities, an ICAEW Publication, ISBN 978-0-85760-617-4, Accessed from: https://www.icaew.com/- /media/corporate/archive/files/technical/information-technology/technology/making-the-move-to-cloud-computing.ashx?la=en Ylonen, Tatu; Turner, Paul; Scarfone, Karen; Souppaya, Murugiah (2015), NISTIR 7966: Security of Interactive and Automated Access Management Using Secure Shell (SSH). Published by: National Institute of Standards and Technology, Department of Commerce. Available at: http://dx.doi.org/10.6028/NIST.IR.7966