SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS: Applying Due Care Via Common Sense Approach (April 2017)

Post on 31-Jul-2020


Page 1: Collier-Securing Secure Shell Interactive and Automated ... · - Social networking - Reverse social engineering Rovion makes offer to Bob Bob performs 1st hack-Customer and order

SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS

Applying Due Care Via Common Sense Approach

April 2017

Page 2

• Ponemon 2014 SSH Security Vulnerability Report (Ponemon, 2014)
  ◦ 2000 global organizations surveyed
  ◦ All major enterprises depend on SSH for critical functions
  ◦ Over half have experienced key-related compromise
  ◦ 46% do not rotate or change keys
  ◦ Only 25% have SSH security controls

• Ponemon Institute survey of 237 companies (Ponemon, 2016)
  ◦ Malicious insider threat is the costliest
  ◦ CY 2015 to 2016 saw a 14% increase
  ◦ Large companies are most vulnerable

[Slide graphic: 100% of 2000 global organizations surveyed; SSH key compromises; only 25% have Secure Shell controls in place; 46% do not change or rotate keys]

Page 3

INSIDER THREAT – TRENDS

• 2015 – “55% of cyber-attacks were carried out by insiders” (Rose, 2017)
• 49% of IT professionals are more concerned with insider threats than with external threats (Bose, 2016)
• Unwitting, careless employees who provide opportunities to external threats
• Malware
• Employees who bend the rules to get their jobs done

[Slide graphic labels: Insiders; Careless Employees]

Page 4

MORE NUMBERS – SPECIAL INTEREST ITEMS

• National Industrial Security Program Operating Manual (NISPOM) Change 2
  ◦ Directs cleared contractors to establish and implement insider threat programs (DSS, 2016)
  ◦ Designate an Insider Threat Program Senior Official (ITPSO) – must be identified as Key Management Personnel (KMP)
  ◦ The ITPSO must have eligibility equivalent to or higher than the level of the Facility (Security) Clearance (FCL)

• Federal Biz Ops
  ◦ Search criteria – all current Fed, State, and US Territories, for key terms
  ◦ Out of 31,100+ opportunities:
    ▪ Cisco: appears 413 times
    ▪ Linux: appears 190 times
    ▪ UNIX: 137 times
    ▪ SIEM: 16 times
    ▪ Secure Shell: 4 times

Page 5

ABOUT THIS PRESENTATION

Presenter: Paul Collier
• Defense contractor: 16 years
• Information Assurance: 10 years
• PKI, PKE, and auditing
• Representing self (with employer approval)

Involvement with Secure Shell
• Auditing web and application servers
• Prototyping on cloud instances
• Starting 2014 – dealing with anonymity

[Slide graphic labels: Insider Threat; Secure Shell; Cloud Services]

Page 6

OVERVIEW

• What is secure shell?
• What (or who) is an insider?
• Key differences between SSL and SSH enablement
• The “Startup” scenario
• ShapeShift hack x3
• Recommendations
• Wrap-up

Page 7

WHAT IS SECURE SHELL

• Secure Shell protocol
  ◦ Secure remote login
  ◦ Replaces Telnet, rlogin, rcp
• Suite of utilities
  ◦ SSH
  ◦ SFTP
  ◦ SCP
• RSA key exchange
  ◦ SSH public key is kept on the server side (authorized_keys file)
  ◦ SSH private key is on the client side – referred to as the ID key
• Similarities to SSL
  ◦ Client/server hello
  ◦ Key exchange, MAC, and encryption

Advantage to an insider? Anonymity

Page 8

WHAT (OR WHO) IS AN INSIDER?

• US-CERT: current or former employee, contractor, or other business partner (US Cert, 2014)
• Behavior prediction theories to consider (US Cert, 2014)
  ◦ General Deterrence Theory (GDT): a person commits a crime if the expected benefit outweighs the cost of the action
  ◦ Social Bond Theory (SBT): a person commits a crime if the social bonds of attachment, commitment, involvement and belief are weak
  ◦ Social Learning Theory (SLT): a person commits a crime if they associate with delinquent peers
  ◦ Theory of Planned Behavior (TPB): a person’s intention (attitude, subjective norms and perceived behavior control) towards crime is the key factor in predicting behavior
  ◦ Situational Crime Prevention (SCP): crime occurs when both motive and opportunity exist

Page 9

WHAT (OR WHO) IS AN INSIDER?

• Citibank – Plano, Texas (DOJ, 2016)
  ◦ Lennon Ray Brown
  ◦ Poor performance review
  ◦ Shuts down 90% of Citibank worldwide
  ◦ Calling card – text message
• Architectural firm – Florida (Fox News, 2008)
  ◦ “Marie” makes a bad assumption
  ◦ Deletes 7 years’ worth of data

Page 10

KEY DIFFERENCES BETWEEN SSL AND SSH ENABLEMENT

• First use for critical purposes
  ◦ Initial SSH RSA-authenticated sessions require few prerequisites
  ◦ Installing live SSL (X.509v3) keypairs requires many prerequisites
• Differences in size
  ◦ X.509v3 asserts an ID; the SSH key is the ID
  ◦ X.509v3 certificates compared to SSH keys (BSD)
  ◦ SSH keys are lightweight (Miller, 2011)
• Another problem: adding X.509v3 capability also adds more DoD requirements (DoD UCR, 2013)
  ◦ SSH-only = 12 requirements
  ◦ SSH supporting X.509v3 = 7 additional requirements

[Slide graphic: X.509v3 certificate fields – your unique name, issuer, public encryption key, validity dates, validation information, key usage, certificate policies]

Page 11

THE “STARTUP” SCENARIO

• Organic fertilizer company “Grow Smart” (fictitious)
  ◦ Marketing a unique product
  ◦ Venture capital
  ◦ LOE < 20
  ◦ Leveraging a Cloud Service Provider
• Initial scope
  ◦ Website – host product catalog
  ◦ CRM & ERP
  ◦ Email services – marketing, transactional, notifications, & receiving

Page 12

THE “STARTUP” SCENARIO – LAUNCH

[Slide diagram labels: Grow Smart; Private Key; Public Key; CSP; SSH Key Generation; Public and private key]

Page 13

THE “STARTUP” SCENARIO – BUILD

[Slide label: Default Settings]

To expedite, Bob:
• Decrypts the private key
• Uses the same key for service accounts
• No key restrictions

Page 14

THE STARTUP SCENARIO – OPEN FOR BUSINESS

[Slide graphic: mock Grow Smart website – Home | Interactive Catalog | Gardening Tips | Sign-In | Register]

Page 15

THE STARTUP SCENARIO – OPEN FOR BUSINESS

Orders!

Profits!

Celebration!

Bob’s a HIT!

Page 16

THE STARTUP SCENARIO – PAUSE FOR REVIEW

• Cloud Service Provider is a business partner (IdentityWeek, 2015)
• Cloud instances are time savers
  ◦ Backdoors and leftover credentials (Marinescu, 2013)
  ◦ (Pre-)existing unsolicited connections (Marinescu, 2013)
  ◦ Malware (Marinescu, 2013)

Page 17

THE STARTUP SCENARIO – PAUSE FOR REVIEW

• Readily available cloud services lead to the temptation to expedite (Williams, 2012)
  ◦ Logging and auditing left at default configuration
  ◦ Initial keypair was used throughout build and post-launch
  ◦ Decrypting the private key is a common practice
  ◦ Using the same public key for service accounts is not a best practice

Bob’s method – a “pessimistic approach”: “Build it quickly, get it out there, and validate the business before spending the time to engineer it for scaling” (Mombrea, 2012)
  ◦ A recent stolen-key incident ran up a $50K bill for an AWS customer (Quora, 2017)

• Pre-launch planning
  ◦ “What-if” analysis
  ◦ Study the instance – collect information from the CSP
  ◦ Actions to take after launch
  ◦ Plan SSH key provisioning ahead of time (NIST, 2015)

Page 18

THE STARTUP SCENARIO – PAUSE FOR REVIEW

• After first launch
  ◦ Check for existing keys
  ◦ Change keys
  ◦ Clean, scrub, sanitize, and disinfect
  ◦ Save new instance
  ◦ Repeat above steps on the new instance
  ◦ Test it – build a honey pot – leave it alone
  ◦ Make corrections as needed
• Bottom line – while cloud services do offer a time-saving benefit, use that time to benefit your security posture

Page 19

THE STARTUP SCENARIO - CONTINUED

• Bob becomes dissatisfied
  ◦ Left out of meetings
  ◦ Feels ostracized
• Makes a BAD choice

[Slide speech bubble: “GOOD NEWS, Bob! We are hiring more IT professionals”]

Page 20

THE STARTUP SCENARIO – THE HACK

• Bob meets foreign actor named Rovion
  ◦ Slack account
  ◦ Social networking
  ◦ Reverse social engineering
• Rovion makes offer to Bob
• Bob performs 1st hack
  ◦ Customer and order data
  ◦ Engineering information
  ◦ Vendor logon accounts
• Customers begin complaining about ID theft
• Grow Smart learns they have been hacked

Page 21

THE STARTUP SCENARIO - AFTERMATH

• Grow Smart investigates
  ◦ Log files
  ◦ Collect/compare SSH key fingerprints from IT
  ◦ Two public key fingerprints are suspect
  ◦ Leadership presses Bob for answers
  ◦ Bob resigns/leaves town (and sells login credentials to Rovion)
• Rovion moves in
  ◦ Installs rootkit
  ◦ Installs malware on employee laptops
  ◦ Performs 2nd & 3rd hack within hours of “reopening”
  ◦ Grow Smart hires forensic analyst

Page 22

SHAPESHIFT HACK

• The Grow Smart scenario was compiled from 3 back-to-back hacks against ShapeShift that began in March 2016
• ShapeShift is a startup cryptocurrency exchange
  ◦ Bob (an alias) was their “server guy”
• Bob appears to have grown disgruntled and met up with a Russian hacker
• Bob performed the first hack and ripped off $130K

Page 23

SHAPESHIFT HACK

• ShapeShift response: right move, wrong time
  ◦ Matched SSH keys with their owners, but only after the 1st hack
  ◦ NISTIR 7966 recommends baselining authorized keys and key fingerprints (prior to deployment and periodically)
• Hastily built cloud infrastructure
  ◦ The “pessimistic approach” to cloud-building comes from the 2nd and 3rd hack scenario
  ◦ But it wasn’t Bob; this was CEO crisis response
  ◦ NISTIR 7966 recommends having a backup and recovery plan already in place
• Ledger Labs performed forensics (Perklin, 2016)
  ◦ Default logging
  ◦ Deleted logs
  ◦ Inadequate employee and infrastructure security policy

Page 24

NIST RECOMMENDATIONS

• Baseline authorized keys (NIST, 2015)
  ◦ Inventory and remediate existing SSH servers, keys, and trust relationships
  ◦ Confirm that each authorized key is tied to an authorized user or service
  ◦ If unable to associate, delete
  ◦ ID and remove duplicated keys
  ◦ Remove keys that do not meet key length and algorithm policies
• Set up authorized key command restrictions (NIST, 2015)
  ◦ Limit keys to implicitly perform only required commands
  ◦ Adhere to NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
  ◦ Restrict keys to the client IP address
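The inventory and remediation steps on this slide (and the “check for existing keys” step on the post-launch checklist on Page 18) can be turned into a repeatable audit of a server’s authorized_keys file. The script below is an added example written for this page; it is not code from the presentation or from NISTIR 7966. It parses each entry (including the quoted option prefix OpenSSH allows), computes the SHA256 fingerprint OpenSSH would print, and flags duplicate keys, key types outside an assumed allow-list, RSA moduli under an assumed 2048-bit threshold, entries with no comment tying them to a user or service, and entries that lack the from= and command= restrictions the slide calls for. The Grow Smart account names and all key blobs are constructed: the blobs follow the SSH wire format so the parser has something real to decode, but none of them is a usable key.

```python
# Added example for this page (not code from the presentation or from NISTIR 7966).
# The key blobs are constructed with the right wire format; none of them is a real key.
import base64
import hashlib
import re
import struct

MIN_RSA_BITS = 2048                                                 # assumed policy threshold
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}   # assumed algorithm policy
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")                       # first token is a key type: no options

def _ssh_string(data):             # SSH wire-format string: uint32 big-endian length + bytes
    return struct.pack(">I", len(data)) + data

def _mpint(value):                 # SSH mpint: a leading 0x00 is added whenever the top bit is set
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_string(blob, offset):    # inverse of _ssh_string; returns (payload, next offset)
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def fingerprint(blob):
    """OpenSSH fingerprint: 'SHA256:' plus the unpadded base64 of SHA-256 over the key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def rsa_bits(blob):
    """Modulus length of an ssh-rsa blob, laid out as string 'ssh-rsa', mpint e, mpint n."""
    _, off = _read_string(blob, 0)
    _, off = _read_string(blob, off)
    return int.from_bytes(_read_string(blob, off)[0], "big").bit_length()

def split_first_token(line):
    """Split off the first whitespace-delimited token; quoted option values may contain spaces."""
    m = re.match(r'((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+(.*)', line)
    if not m:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return m.group(1), m.group(2)

def parse_options(text):
    """Split options on commas outside quotes: 'from="a,b",no-pty' -> {'from': 'a,b', 'no-pty': True}."""
    result = {}
    for item in re.findall(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+', text):
        name, _, value = item.partition("=")
        result[name] = value.strip('"') if value else True
    return result

def parse_entry(line, number):
    """One authorized_keys line -> entry dict, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = split_first_token(line)
    has_options = not first.startswith(KEY_TYPE_PREFIXES)
    options = parse_options(first) if has_options else {}
    parts = (rest if has_options else line).split(None, 2)
    blob = base64.b64decode(parts[1])
    return {"line": number, "type": parts[0], "options": options, "blob": blob, "issues": [],
            "fingerprint": fingerprint(blob), "comment": parts[2] if len(parts) > 2 else ""}

def audit(text):
    """Run the slide's checks over every entry; an entry passes when its 'issues' list is empty."""
    entries = [e for e in (parse_entry(l, n) for n, l in enumerate(text.splitlines(), 1)) if e]
    lines_by_fp = {}
    for e in entries:
        lines_by_fp.setdefault(e["fingerprint"], []).append(e["line"])
    for e in entries:
        issues = e["issues"]
        if e["type"] not in ALLOWED_TYPES:
            issues.append(f"key type {e['type']} not allowed by policy")
        elif e["type"] == "ssh-rsa":
            e["bits"] = rsa_bits(e["blob"])
            if e["bits"] < MIN_RSA_BITS:
                issues.append(f"rsa key shorter than {MIN_RSA_BITS} bits ({e['bits']})")
        if not e["comment"]:                     # cannot be tied to a user or service: delete it
            issues.append("no comment identifying owner or service")
        others = [n for n in lines_by_fp[e["fingerprint"]] if n != e["line"]]
        if others:
            issues.append("duplicate key also on line(s) " + ", ".join(map(str, others)))
        for option, meaning in (("from", "a client address"), ("command", "a command")):
            if option not in e["options"]:
                issues.append(f"not restricted to {meaning} ({option}=)")
    return entries

def make_rsa_blob(bits):
    """Constructed ssh-rsa blob whose fake modulus has exactly `bits` bits (not a usable key)."""
    return _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
def _b64(blob):
    return base64.b64encode(blob).decode()

# Constructed file for the Grow Smart scenario: Bob's key reused for a service account,
# a legacy 1024-bit key, one properly restricted automation key, and an untagged ssh-dss key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; none of these are real keys",
    f"ssh-rsa {_b64(make_rsa_blob(2048))} bob@growsmart",
    f"ssh-rsa {_b64(make_rsa_blob(1024))} legacy-backup",
    f"ssh-rsa {_b64(make_rsa_blob(2048))} svc-deploy",
    'from="10.0.0.5",command="/usr/local/bin/backup --tag a,b",no-pty,no-port-forwarding '
    f"ssh-ed25519 {_b64(_ssh_string(b'ssh-ed25519') + _ssh_string(bytes(range(32))))} svc-backup",
    f"ssh-dss {_b64(_ssh_string(b'ssh-dss') + _ssh_string(bytes(64)))}",
])

if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS):
        print(e["line"], e["fingerprint"], e["comment"] or "(no comment)", e["issues"] or "OK")
```

The from=/command= checks fire for every unrestricted entry; a real policy would exempt designated interactive accounts, since command= is meant for automated access, while Bob’s key showing up on the svc-deploy line is exactly the reuse the scenario warns about. Once every remaining entry has an owner, the fingerprint-to-owner mapping this produces is the baseline the slide asks for, to be diffed against periodically.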

Page 25

NIST RECOMMENDATIONS

• Logging: log data should be verbose enough to capture:
  ◦ Key fingerprints
  ◦ Account misuse
  ◦ Creation of new key files
  ◦ Determine unused authorized_keys files
  ◦ (Additionally) “Send log entries to an off-site logging server to ensure that evidentiary data could not be destroyed following any future breaches” (Perklin, 2016)
• Executive management should understand:
  ◦ Which systems rely on SSH
  ◦ The level of access granted to users and automated processes
  ◦ The risk and potential impacts of a Secure Shell-based breach
  ◦ The basic steps needed to implement an SSH key-management program
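The logging bullets above ask for logs verbose enough to capture key fingerprints and account misuse, and for a way to find unused authorized keys. As an added example for this page (not code from the presentation or from NISTIR 7966), the script below reads the “Accepted publickey” lines sshd writes on a successful key login, which carry the key fingerprint (LogLevel VERBOSE in sshd_config guarantees this on older releases), and compares them with a fingerprint baseline of the kind the previous slide’s inventory produces. It reports fingerprints that are not in the baseline (the “two suspect fingerprints” situation from the Grow Smart aftermath), baselined keys used for an account other than the owner’s, logins from outside the networks allowed for that key, and baselined keys that never appear in the log, which are the candidates for the unused-key review. The baseline, hostnames, accounts, addresses, fingerprint strings and log lines are all constructed for the scenario.

```python
"""Compare sshd public-key logins with a fingerprint baseline.
Added example for this page; not code from the presentation or from NISTIR 7966.
All hosts, users, addresses, fingerprints and log lines below are constructed."""
import ipaddress
import re

# Constructed fingerprint strings (shaped like OpenSSH SHA256 fingerprints, not real ones).
BOB_FP = "SHA256:bobkey+constructed+not+a+real+fingerprint+000000"
BACKUP_FP = "SHA256:backupkey+constructed+not+a+real+fingerprint+000"
DEPLOY_FP = "SHA256:deploykey+constructed+not+a+real+fingerprint+000"
UNKNOWN_FP = "SHA256:unknownkey+constructed+not+in+the+baseline+0000"

# Constructed baseline, normally produced from the authorized_keys inventory before launch:
# fingerprint -> owner, accounts the key may log in to, source networks it may come from.
BASELINE = {
    BOB_FP: {"owner": "bob", "accounts": {"bob"}, "networks": ["10.0.0.0/24"]},
    BACKUP_FP: {"owner": "svc-backup", "accounts": {"svc-backup"}, "networks": ["10.0.0.5/32"]},
    DEPLOY_FP: {"owner": "svc-deploy", "accounts": {"svc-deploy"}, "networks": ["10.0.0.0/24"]},
}

# Shape of the line sshd writes on a successful key login; non-matching lines are ignored.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<alg>\S+) (?P<fp>SHA256:\S+)"
)

# Constructed log excerpt: Bob's key on his own account, then on the deploy service account;
# an unknown key logging in as root from outside the office network; the backup key used from
# that same outside address; and two lines that are not key logins and must be skipped.
SAMPLE_LOG = f"""\
Apr 10 09:12:03 web1 sshd[2143]: Accepted publickey for bob from 10.0.0.23 port 51422 ssh2: RSA {BOB_FP}
Apr 10 09:13:10 web1 sshd[2150]: Accepted publickey for svc-deploy from 10.0.0.23 port 51430 ssh2: RSA {BOB_FP}
Apr 11 02:41:55 web1 sshd[3011]: Accepted publickey for root from 198.51.100.14 port 40022 ssh2: ED25519 {UNKNOWN_FP}
Apr 11 02:42:30 web1 sshd[3012]: Accepted publickey for svc-backup from 198.51.100.14 port 40030 ssh2: ED25519 {BACKUP_FP}
Apr 11 02:43:00 web1 sshd[3013]: Failed password for invalid user admin from 198.51.100.14 port 40100 ssh2
Apr 11 09:21:00 web1 sshd[3100]: Accepted password for alice from 10.0.0.9 port 50000 ssh2
"""


def parse_accepted(line):
    """Return the fields of an 'Accepted publickey' line, or None for any other line."""
    m = ACCEPTED_RE.match(line)
    return m.groupdict() if m else None


def in_allowed_network(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def check_logins(log_text, baseline):
    """Apply the baseline to every key login; returns alerts plus baselined keys never seen."""
    alerts, seen, logins = [], set(), 0
    for number, line in enumerate(log_text.splitlines(), 1):
        ev = parse_accepted(line)
        if ev is None:
            continue
        logins += 1
        seen.add(ev["fp"])
        base = {"line": number, "ts": ev["ts"], "user": ev["user"], "ip": ev["ip"], "fp": ev["fp"]}
        entry = baseline.get(ev["fp"])
        if entry is None:
            alerts.append({**base, "kind": "unknown_key",
                           "detail": "fingerprint not in baseline; match it to a person or remove the key"})
            continue
        if ev["user"] not in entry["accounts"]:
            alerts.append({**base, "kind": "account_mismatch",
                           "detail": f"key owned by {entry['owner']} used for account {ev['user']}"})
        if not in_allowed_network(ev["ip"], entry["networks"]):
            alerts.append({**base, "kind": "outside_allowed_network",
                           "detail": f"{ev['ip']} not in {entry['networks']}"})
    unused = sorted(fp for fp in baseline if fp not in seen)
    return {"publickey_logins": logins, "alerts": alerts, "unused_keys": unused}


if __name__ == "__main__":
    report = check_logins(SAMPLE_LOG, BASELINE)
    print(f"{report['publickey_logins']} key logins, {len(report['alerts'])} alerts")
    for a in report["alerts"]:
        print(f"line {a['line']} {a['ts']} {a['kind']:<24} user={a['user']} ip={a['ip']} {a['detail']}")
    for fp in report["unused_keys"]:
        print(f"never used: {fp} ({BASELINE[fp]['owner']})")
```

Following the Perklin recommendation quoted above, the log copy this runs over should be the one shipped off-host, so that a deleted local log (one of the forensic findings on Page 23) does not also erase the evidence. The unused_keys list only means something once the log window is long enough to cover every legitimate use of the key.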

Page 26

CLOSING AND WRAP UP

• All major enterprises depend on SSH for critical functions. However, the majority of those surveyed do not have Secure Shell controls in place
• Executive staff needs to understand Secure Shell and the critical role that it plays in the success or failure of their organization
• Secure Shell management needs to be part of an organization’s Insider Threat mitigation plan

Page 27

QUESTIONS??

Page 28

REFERENCES

Bernal, Paul (2014), Internet Privacy Rights: Rights to Protect Autonomy, Published by Cambridge University Press, ISBN 978-1-107-04273-5

Bose, Shubhomita (2016), Small Business Trends: Could Your Own Employees Be a Security Threat? Accessed from https://smallbiztrends.com/2016/12/insider-threats.html

Miller, Damien (2011), SSH - Keeping Your Communications Secret: What's new in OpenSSH? Accessed from https://www.openbsd.org/papers/OpenSSH-whats-new-2011-eurobsdcon.pdf

DoD UCR (2013), Department of Defense: Unified Capabilities Framework 2013, http://www.disa.mil/network-services/ucco/~/media/Files/DISA/Services/UCCO/UCR2013/04_UCR_2013.pdf

DOJ (2016), Department of Justice, U.S. Attorney’s Office, Northern District of Texas, Former Citibank Employee Sentenced to 21 Months in Federal Prison for Causing Intentional Damage to a Protected Computer, Available at: https://www.justice.gov/usao-ndtx/pr/former-citibank-employee-sentenced-21-months-federal-prison-causing-intentional-damage

Fox News (2008), Revenge Gone Wrong: Angry Employee Deletes All of Company's Data, Accessed from: http://www.foxnews.com/story/2008/01/24/angry-employee-deletes-all-company-data.html

Marinescu, Dan C. (2013), Cloud Computing: Theory and Practice, Page 290, published by MK Publications, ISBN 978-0-12404-627-6, Accessed on 03/25/2017

Mombrea, Matthew (2012): When to use cloud platforms vs. dedicated servers: To cloud or not to cloud -- horizontal scaling for web applications, Accessed from http://www.itworld.com/article/2832631/cloud-computing/when-to-use-cloud-platforms-vs--dedicated-servers.html

Perklin, Michael (2016), Ledger Labs: Shapeshift Cyberattack Postmortem, Referenced at https://www.patrolx.com/wp-content/uploads/2016/04/309591980-ShapeShift-Postmortem.pdf

Page 29

REFERENCES

Ponemon Institute (2016), Ponemon Institute Research Report: Cost of Cyber Crime Study & the Risk of Business Innovation, Available at: https://ssl.www8.hp.com/ww/en/secure/pdf/4aa6-8392enw.pdf

Ponemon Institute (2014), Ponemon Institute Research Report: Ponemon 2014 SSH Security Vulnerability Report, Information Technology's Dirty Secret and Open Backdoors, Underwritten by Venafi Inc, Available at: file:///C:/Users/Owner/Documents/BAH/Brownbag/Ponemon-2014-SSH.pdf

Quora (2017), Blog Post: My AWS account was hacked and I have a $50,000 bill, how can I reduce the amount I need to pay?, Available at: https://www.quora.com/My-AWS-account-was-hacked-and-I-have-a-50-000-bill-how-can-I-reduce-the-amount-I-need-to-pay

Rose, Robert N., Forbes Magazine (Opinion): The Future Of Insider Threats. Accessed from https://www.forbes.com/sites/realspin/2016/08/30/the-future-of-insider-threats/#4b9602de7dcb

SSH Communications Security (2017), SSH Protocol (Secure Shell), Accessed from: https://www.ssh.com/ssh/protocol/

Udemy (2017), Almost Everything About Secure Shell: Accessed from: https://www.udemy.com/almost-everything-about-secure-shell/

US Cert (2014), National Cybersecurity and Communications Integration Center, Combating the Insider Threat, Accessed from: https://www.us-cert.gov/sites/default/files/publications/Combating%20the%20Insider%20Threat_0.pdf

Williams, Mark I. (2012), Making The Move To Cloud Computing, Chapter 3: Identifying Opportunities, an ICAEW Publication, ISBN 978-0-85760-617-4, Accessed from: https://www.icaew.com/-/media/corporate/archive/files/technical/information-technology/technology/making-the-move-to-cloud-computing.ashx?la=en

Ylonen, Tatu; Turner, Paul; Scarfone, Karen; Souppaya, Murugiah (2015), NISTIR 7966: Security of Interactive and Automated Access Management Using Secure Shell (SSH). Published by: National Institute of Standards and Technology, Department of Commerce. Available at: http://dx.doi.org/10.6028/NIST.IR.7966