TRANSCRIPT
SECURING SECURE SHELL: INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS
Applying Due Care Via a Common Sense Approach
April 2017
• Ponemon 2014 SSH Security Vulnerability Report (Ponemon, 2014)
  • 2000 global organizations surveyed
  • All major enterprises depend on SSH for critical functions
  • Over half have experienced key-related compromise
  • 46% do not rotate or change keys
  • Only 25% have SSH security controls
• Ponemon Institute survey of 237 companies (Ponemon, 2016)
  • Malicious insider threat is the costliest
  • CY 2015 to 2016 saw a 14% increase
  • Large companies are the most vulnerable
[Chart: SSH key compromises among the 2000 global organizations surveyed; only 25% have Secure Shell controls in place; 46% do not change or rotate keys]
INSIDER THREAT – TRENDS
• 2015: “55% of cyber-attacks were carried out by insiders” (Rose, 2017)
• 49% of IT professionals are more concerned with insider threats than with external threats (Bose, 2016)
• Unwitting, careless employees who provide opportunities to external threats
• Malware
• Employees who bend the rules to get their jobs done
[Diagram: Insiders; Careless Employees]
MORE NUMBERS – SPECIAL INTEREST ITEMS
• National Industrial Security Program Operating Manual (NISPOM) Change 2 directs cleared contractors to establish and implement insider threat programs (DSS, 2016)
  • Designate an Insider Threat Program Senior Official (ITPSO), who must be identified as Key Management Personnel (KMP)
  • The ITPSO must have eligibility equivalent to or higher than the level of the Facility (Security) Clearance (FCL)
• Federal Biz Ops
  • Search criteria: all current Federal, State, and US Territory opportunities, searched for key terms
  • Out of 31,100+ opportunities:
    • Cisco: appears 413 times
    • Linux: appears 190 times
    • UNIX: 137 times
    • SIEM: 16 times
    • Secure Shell: 4 times
ABOUT THIS PRESENTATION
Presenter: Paul Collier
• Defense contractor: 16 years
• Information Assurance: 10 years (PKI, PKE, and auditing)
• Representing self (with employer approval)
Involvement with Secure Shell
• Auditing web and application servers
• Prototyping on cloud instances
• Starting 2014: dealing with anonymity
[Diagram: Insider Threat; Secure Shell; Cloud Services]
OVERVIEW
• What is secure shell?
• What (or who) is an insider?
• Key differences between SSL and SSH enablement
• The “Startup” scenario
• ShapeShift hack x3
• Recommendations
• Wrap-up
WHAT IS SECURE SHELL
• Secure Shell Protocol
  • Secure remote login
  • Replaces Telnet, rlogin, rcp
• Suite of utilities
  • SSH
  • SFTP
  • SCP
• RSA key pair
  • The SSH public key is kept on the server side (authorized_keys file)
  • The SSH private key is on the client side, referred to as the ID key
• Similarities to SSL
  • Client/server hello
  • Key exchange, MAC, and encryption
Advantage to an insider? Anonymity
WHAT (OR WHO) IS AN INSIDER?
• US-CERT: a current or former employee, contractor, or other business partner (US Cert, 2014)
• Behavior prediction theories to consider (US Cert, 2014)
  • General Deterrence Theory (GDT): a person commits a crime if the expected benefit outweighs the cost of the action
  • Social Bond Theory (SBT): a person commits a crime if the social bonds of attachment, commitment, involvement and belief are weak
  • Social Learning Theory (SLT): a person commits a crime if he or she associates with delinquent peers
  • Theory of Planned Behavior (TPB): a person’s intention (attitude, subjective norms and perceived behavioral control) towards crime is the key factor in predicting behavior
  • Situational Crime Prevention (SCP): crime occurs when both motive and opportunity exist
WHAT (OR WHO) IS AN INSIDER?
• Citibank, Plano, Texas (DOJ, 2016)
  • Lennon Ray Brown
  • Poor performance review
  • Shuts down 90% of Citibank worldwide
  • Calling card: a text message
• Architectural firm, Florida (Fox News, 2008)
  • “Marie” makes a bad assumption
  • Deletes 7 years’ worth of data
KEY DIFFERENCES BETWEEN SSL AND SSH ENABLEMENT
• First use for critical purposes
  • Initial SSH RSA-authenticated sessions require few prerequisites
  • Installing live SSL (x509v3) key pairs requires many prerequisites
• Differences in size
  • An x509v3 certificate asserts an ID; the SSH key is the ID
  • x509v3 certificates compared to SSH keys (BSD): SSH keys are lightweight (Miller, 2011)
• Another problem: adding x509v3 capability also adds more DoD requirements (DOD UCR, 2013)
  • SSH-only: 12 requirements
  • SSH supporting x509v3: 7 additional requirements
[Diagram: x509v3 certificate contents: your unique name, issuer, public encryption key, validity dates, validation information, key usage, certificate policies]
THE “STARTUP” SCENARIO
• Organic fertilizer company “Grow Smart” (fictitious)
  • Marketing a unique product
  • Venture capital
  • LOE < 20
  • Leveraging a Cloud Service Provider
• Initial scope
  • Website: host the product catalog
  • CRM & ERP
  • Email services: marketing, transactional, notifications, and receiving
THE “STARTUP” SCENARIO - LAUNCH
[Diagram: SSH key generation (public and private key) between Grow Smart (private key, public key) and the CSP]
THE “STARTUP” SCENARIO – BUILD
Default settings. To expedite, Bob:
• Decrypts the private key
• Uses the same key for service accounts
• Applies no key restrictions
THE STARTUP SCENARIO – OPEN FOR BUSINESS
[Website mock-up: Grow Smart: HOME | INTERACTIVE CATALOG | GARDENING TIPS | SIGN-IN | REGISTER]
THE STARTUP SCENARIO – OPEN FOR BUSINESS
Orders!
Profits!
Celebration!
Bob’s a HIT!
THE STARTUP SCENARIO – PAUSE FOR REVIEW
• The Cloud Service Provider is a business partner (IdentityWeek, 2015)
• Cloud instances are time savers, but may come with:
  • Backdoors and leftover credentials (Marinescu, 2013)
  • (Pre-)existing unsolicited connections (Marinescu, 2013)
  • Malware (Marinescu, 2013)
THE STARTUP SCENARIO – PAUSE FOR REVIEW
• Readily available cloud services lead to the temptation to expedite (Williams, 2012)
  • Logging and auditing left at the default configuration
  • The initial key pair was used throughout the build and post-launch
  • Decrypting the private key is a common practice
  • Using the same public key for service accounts is not a best practice
• Bob’s method, a “pessimistic approach”: “Build it quickly, get it out there, and validate the business before spending the time to engineer it for scaling” (Mombrea, 2012)
  • A recent stolen-key incident ran up a $50K bill for an AWS customer (Quora, 2017)
• Pre-launch planning
  • “What-if” analysis
  • Study the instance: collect information from the CSP
  • Actions to take after launch
  • Plan SSH key provisioning ahead of time (NIST, 2015)
THE STARTUP SCENARIO – PAUSE FOR REVIEW
• After first launch
  • Check for existing keys
  • Change keys
  • Clean, scrub, sanitize, and disinfect
  • Save the new instance
  • Repeat the above steps on the new instance
  • Test it: build a honey pot and leave it alone
  • Make corrections as needed
• Bottom line: while cloud services do offer a time-saving benefit, use that time to benefit your security posture
THE STARTUP SCENARIO - CONTINUED
• Bob becomes dissatisfied
• Left out of meetings
• Feels ostracized
• Makes a BAD choice
[Slide callout: “GOOD NEWS, Bob! We are hiring more IT professionals”]
THE STARTUP SCENARIO – THE HACK
• Bob meets a foreign actor named Rovion
  • Slack account
  • Social networking
  • Reverse social engineering
• Rovion makes an offer to Bob
• Bob performs the 1st hack
  • Customer and order data
  • Engineering information
  • Vendor logon accounts
• Customers begin complaining about ID theft
• Grow Smart learns they have been hacked
THE STARTUP SCENARIO - AFTERMATH
• Grow Smart investigates
  • Log files
  • Collect and compare SSH key fingerprints from IT
  • Two public key fingerprints are suspect
  • Leadership presses Bob for answers
  • Bob resigns/leaves town (and sells login credentials to Rovion)
• Rovion moves in
  • Installs a rootkit
  • Installs malware on employee laptops
  • Performs the 2nd & 3rd hacks within hours of “reopening”
• Grow Smart hires a forensic analyst
SHAPESHIFT HACK
• The Grow Smart scenario was compiled from 3 back-to-back hacks against ShapeShift that began in March 2016
• ShapeShift is a startup cryptocurrency exchange
  • Bob (an alias) was their “server guy”
• Bob appears to have grown disgruntled and met up with a Russian hacker
• Bob performed the first hack and ripped off $130K
SHAPESHIFT HACK
• ShapeShift response: right move, wrong time
  • Matched SSH keys with their owners, but only after the 1st hack
  • NISTIR 7966 recommends baselining authorized keys and key fingerprints (prior to deployment and periodically)
• Hastily-built cloud infrastructure
  • The “pessimistic approach” to cloud-building comes from the 2nd and 3rd hack scenario
  • But it wasn’t Bob; this was CEO crisis response
  • NISTIR 7966 recommends having a backup and recovery plan already in place
• Ledger Labs performed forensics (Perklin, 2016)
  • Default logging
  • Deleted logs
  • Inadequate employee and infrastructure security policy
NIST RECOMMENDATIONS
• Baseline authorized keys (NIST, 2015)
  • Inventory and remediate existing SSH servers, keys, and trust relationships
  • Confirm that each authorized key is tied to an authorized user or service
  • If a key cannot be associated with one, delete it
  • Identify and remove duplicated keys
  • Remove keys that do not meet key length and algorithm policies
• Set up authorized-key command restrictions (NIST, 2015)
  • Limit keys so that they can perform only the required commands
  • Adhere to NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
  • Restrict keys to the client IP address
NIST RECOMMENDATIONS
• Logging: log data should be verbose enough to capture:
  • Key fingerprints
  • Account misuse
  • Creation of new key files
  • Determination of unused authorized_keys files
  • (Additionally) “Send log entries to an off-site logging server to ensure that evidentiary data could not be destroyed following any future breaches” (Perklin, 2016)
• Executive management should understand:
  • Which systems rely on SSH
  • The level of access granted to users and automated processes
  • The risk and potential impacts of a Secure Shell-based breach
  • The basic steps needed to implement an SSH key-management program
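As an added example that is not part of the presentation or of NISTIR 7966, the audit below shows what the post-launch key check and the baseline, duplicate, restriction and fingerprint recommendations above look like against an authorized_keys file: it computes OpenSSH-style SHA256 fingerprints and flags keys that are duplicated, lack a from=/command= restriction, or were never baselined. The authorized_keys contents, the two key blobs and the baseline are constructed for illustration (the blobs are valid ssh-ed25519 wire format but not real keys), and the scenario mirrors Bob reusing his unrestricted interactive key for a service account.

```python
import base64
import hashlib
import shlex
import struct

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of the key-type token
RESTRICTIONS = ("from=", "command=")        # per-key restrictions the slides call for

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of sha256(decoded key blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line: str):
    """Split one authorized_keys line into (options, keytype, blob, comment)."""
    tokens = shlex.split(line)  # keeps a quoted command="..." value as one token
    idx = next(i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES))
    return " ".join(tokens[:idx]), tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])

def audit(authorized_keys: str, baseline: dict) -> list:
    """Return (fingerprint, comment, finding) for each policy violation found."""
    findings, seen = [], {}
    for line in authorized_keys.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        options, keytype, blob, comment = parse_line(line)
        fp = fingerprint(blob)
        if fp in seen:  # one key authorizing two accounts (Bob's service-account reuse)
            findings.append((fp, comment, f"duplicate of '{seen[fp]}'"))
        seen.setdefault(fp, comment)
        if not any(r in options for r in RESTRICTIONS):
            findings.append((fp, comment, "no from=/command= restriction"))
        if fp not in baseline:
            findings.append((fp, comment, "not in baseline: tie to an owner or delete"))
    return findings

def constructed_ed25519_blob(seed: int) -> str:
    """Constructed stand-in in ssh-ed25519 wire format (type string + 32-byte point); not a real key."""
    point = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    wire = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return base64.b64encode(wire).decode()

BOB, DEPLOY = constructed_ed25519_blob(1), constructed_ed25519_blob(2)
# Constructed file: Bob's interactive key reused, unrestricted, for a service account.
SAMPLE_AUTHORIZED_KEYS = f"""ssh-ed25519 {BOB} bob@laptop
ssh-ed25519 {BOB} backup-service
from="203.0.113.10",command="/usr/local/bin/deploy.sh",no-pty ssh-ed25519 {DEPLOY} deploy"""
BASELINE = {fingerprint(DEPLOY): "deploy"}  # recorded at deployment; Bob's key never was

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, BASELINE): print(*f)
```

The same fingerprint format appears in sshd's "Accepted publickey" log lines, so the baseline dictionary can also be matched against the verbose logs the slide asks for.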
CLOSING AND WRAP UP
• All major enterprises depend on SSH for critical functions. However, the majority of those surveyed do not have Secure Shell controls in place
• Executive staff needs to understand Secure Shell and the critical role it plays in the success or failure of their organization
• Secure Shell management needs to be part of an organization’s insider threat mitigation plan
QUESTIONS??
REFERENCES
Bernal, Paul (2014), Internet Privacy Rights: Rights to Protect Autonomy. Cambridge University Press, ISBN 978-1-107-04273-5
Bose, Shubhomita (2016), Small Business Trends: Could Your Own Employees Be a Security Threat? Accessed from https://smallbiztrends.com/2016/12/insider-threats.html
Miller, Damien (2011), SSH - Keeping Your Communications Secret: What's new in OpenSSH? Accessed from https://www.openbsd.org/papers/OpenSSH-whats-new-2011-eurobsdcon.pdf
DoD UCR (2013), Department of Defense: Unified Capabilities Framework 2013. http://www.disa.mil/network-services/ucco/~/media/Files/DISA/Services/UCCO/UCR2013/04_UCR_2013.pdf
DOJ (2016), Department of Justice, U.S. Attorney’s Office, Northern District of Texas: Former Citibank Employee Sentenced to 21 Months in Federal Prison for Causing Intentional Damage to a Protected Computer. Available at: https://www.justice.gov/usao-ndtx/pr/former-citibank-employee-sentenced-21-months-federal-prison-causing-intentional-damage
Fox News (2008), Revenge Gone Wrong: Angry Employee Deletes All of Company's Data. Accessed from: http://www.foxnews.com/story/2008/01/24/angry-employee-deletes-all-company-data.html
Marinescu, Dan C. (2013), Cloud Computing: Theory and Practice, page 290. MK Publications, ISBN 978-0-12404-627-6. Accessed on 03/25/2017
Mombrea, Matthew (2012), When to use cloud platforms vs. dedicated servers: To cloud or not to cloud -- horizontal scaling for web applications. Accessed from http://www.itworld.com/article/2832631/cloud-computing/when-to-use-cloud-platforms-vs--dedicated-servers.html
Perklin, Michael (2016), Ledger Labs: Shapeshift Cyberattack Postmortem. Referenced at https://www.patrolx.com/wp-content/uploads/2016/04/309591980-ShapeShift-Postmortem.pdf
Ponemon Institute (2016), Ponemon Institute Research Report: Cost of Cyber Crime Study & the Risk of Business Innovation. Available at: https://ssl.www8.hp.com/ww/en/secure/pdf/4aa6-8392enw.pdf
Ponemon Institute (2014), Ponemon Institute Research Report: Ponemon 2014 SSH Security Vulnerability Report, Information Technology's Dirty Secret and Open Backdoors. Underwritten by Venafi Inc. Available at: file:///C:/Users/Owner/Documents/BAH/Brownbag/Ponemon-2014-SSH.pdf
Quora (2017), Blog Post: My AWS account was hacked and I have a $50,000 bill, how can I reduce the amount I need to pay? Available at: https://www.quora.com/My-AWS-account-was-hacked-and-I-have-a-50-000-bill-how-can-I-reduce-the-amount-I-need-to-pay
Rose, Robert N., Forbes Magazine (Opinion): The Future Of Insider Threats. Accessed from https://www.forbes.com/sites/realspin/2016/08/30/the-future-of-insider-threats/#4b9602de7dcb
SSH Communications Security (2017), SSH Protocol (Secure Shell). Accessed from: https://www.ssh.com/ssh/protocol/
Udemy (2017), Almost Everything About Secure Shell. Accessed from: https://www.udemy.com/almost-everything-about-secure-shell/
US-CERT (2014), National Cybersecurity and Communications Integration Center: Combating the Insider Threat. Accessed from: https://www.us-cert.gov/sites/default/files/publications/Combating%20the%20Insider%20Threat_0.pdf
Williams, Mark I. (2012), Making The Move To Cloud Computing, Chapter 3: Identifying Opportunities. An ICAEW Publication, ISBN 978-0-85760-617-4. Accessed from: https://www.icaew.com/-/media/corporate/archive/files/technical/information-technology/technology/making-the-move-to-cloud-computing.ashx?la=en
Ylonen, Tatu; Turner, Paul; Scarfone, Karen; Souppaya, Murugiah (2015), NISTIR 7966: Security of Interactive and Automated Access Management Using Secure Shell (SSH). National Institute of Standards and Technology, Department of Commerce. Available at: http://dx.doi.org/10.6028/NIST.IR.7966