






Recycled rogue workloads

Cloud computing environments often reuse workloads. Amazon Web Services (AWS), for
example, offers thousands of AMIs. However, you should exercise extreme caution when
reusing a workload; educate yourself about the workload’s applications and configuration. In
addition to rogue SSH keys, you may also find specific compromised packages.

For example, earlier this year hackers compromised thousands of web servers’ SSH daemons
with a rootkit. The rootkit rendered companies’ key and password rotation policies futile: the
SSH daemon simply yielded the new credentials to the attackers. The SSH rootkit completely
replaced the ssh-agent and sshd binaries; only reinstalling SSH completely eliminated the
threat.

Best Practices

Know your SSH inventory


Without a comprehensive SSH inventory, you stand little chance of protecting your organization
from the onslaught of attacks on encryption keys and certificates. Cloud computing has
proliferated the use of SSH keys, and administrative efforts have not kept pace. Yet, when you
fail to understand the SSH deployment in your organization—which keys give access to which
systems and who has access to those keys—you risk losing intellectual property and, worse,
losing control of the workloads.

Inventory the entire organization on a regular basis to discover SSH keys on workloads running
in the cloud and in the datacenter. Establish a baseline of normal usage so that you can easily
detect any anomalous SSH behavior.


Enforce policies

Frequent credential rotation is a best practice, and you should make no exception with SSH
keys. Unfortunately, many organizations leave SSH keys on systems for years without any
rotation. Although most cloud computing workloads run for less than a year, they are typically
spun up from templates with existing SSH credentials, which are rarely rotated. Hackers can
also crack vulnerable versions of SSH or SSH keys that use exploitable hash algorithms.

To secure your environment, enforce cryptographic policies that prohibit the use of
weak algorithms, implement version control, and mandate key rotation.
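
The inventory and policy checks described above can be automated. The following Python script is an added example, not part of the original article: it parses authorized_keys content, fingerprints each key, and reports keys that are missing from an approved baseline or that violate an assumed policy (no DSA keys, RSA moduli of at least 2048 bits). The host names, key material and thresholds are constructed for illustration.

```python
import base64, hashlib, struct
WEAK_TYPES, MIN_RSA_BITS = {"ssh-dss"}, 2048  # assumed policy: no DSA, RSA >= 2048 bits

def read_field(buf, off):  # one length-prefixed field of a public key blob
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_key_line(line):
    """Return (type, rsa_bits, fingerprint, comment), or None if no key is found."""
    tok = line.split()
    for i in range(len(tok) - 1):  # options (possibly with spaces) may come first
        try:
            blob = base64.b64decode(tok[i + 1], validate=True)
            ktype, off = read_field(blob, 0)
            if ktype != tok[i].encode():  # blob must name the same key type
                continue
            bits = None
            if tok[i] == "ssh-rsa":  # blob layout: type, e, n
                _, off = read_field(blob, off)
                bits = int.from_bytes(read_field(blob, off)[0], "big").bit_length()
        except (ValueError, struct.error):
            continue
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        return tok[i], bits, fp, " ".join(tok[i + 2:])
    return None

def audit(inventory, baseline):
    """inventory: {host: authorized_keys text}; baseline: approved fingerprints."""
    findings = []
    for host, text in sorted(inventory.items()):
        for ktype, bits, fp, comment in filter(None, map(parse_key_line, text.splitlines())):
            reasons = ["not in baseline"] if fp not in baseline else []
            if ktype in WEAK_TYPES or (bits is not None and bits < MIN_RSA_BITS):
                reasons.append("weak algorithm or key size")
            if reasons:
                findings.append((host, comment, reasons))
    return findings

def sample_key(ktype, *parts):  # constructed, non-functional key material
    raw = b"".join(struct.pack(">I", len(p)) + p for p in (ktype.encode(), *parts))
    return ktype + " " + base64.b64encode(raw).decode()

E = b"\x01\x00\x01"
OPS = sample_key("ssh-rsa", E, b"\0" + b"\xc3" * 256) + " ops@corp"
OLD = 'command="/bin/backup -q" ' + sample_key("ssh-rsa", E, b"\0" + b"\xc5" * 128) + " backup@corp"
IMG = sample_key("ssh-ed25519", b"\x07" * 32) + " builder@image"
SAMPLE = {"web-01": OPS + "\n" + OLD, "ami-clone": "# from template\n" + IMG}
BASELINE = {parse_key_line(OPS)[2], parse_key_line(OLD)[2]}  # approved fingerprints
if __name__ == "__main__":
    print(audit(SAMPLE, BASELINE))
```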

Cyber Warnings E-Magazine – October 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide