Security issues in M2M envinronments when dealing with encrypted communication channels (such as SSH) Raoul Chiesa President, Security Brokers

Transcription

1 Security issues in M2M envinronments when dealing with encrypted communication channels (such as SSH) Raoul Chiesa President, Security Brokers

2 Agenda Introductions The rise of machine-based identities How a lack of IAM controls in encrypted networks enables successful attacks Real-life examples What can be done Key take-aways

3 President, Founder, Security Brokers Principal, CyberDefcon Ltd. Independent Senior Advisor on UNICRI (United Nations Interregional Crime & Justice Research Institute) Former PSG Member, ENISA (Permanent Stakeholders Group at the European Union Network & Information Security Agency) Founder, Board of Directors and Technical Commitee CLUSIT (Italian Information Security Association) Steering Committee, AIP/OPSI, Privacy & Security Observatory Cultural Attachè, APWG.EU Board of Directors, ISECOM Board of Directors, OWASP Italian Chapter Supporter at various security communities

4 The Security Brokers We deal with extremely interesting topics, giving our strong know-hows gained from +20 years of field experience and from our +30 experts, very well known all over the world in the Information Security and Cyber Intelligence markets. Our Key Areas of services can be resumed as: Proactive Security With a deep specialization on TLC & Mobile, SCADA & IA, ICN & Trasportation, Space & Air, Social Networks, e-health, [ ] Post-Incident Attacker s profiling, Digital Forensics (Host, Network, Mobile, GPS, etc..), Trainings Cyber Security Strategic Consulting (Technical, Legal, Compliance, PR, Strategy) On-demand «Ninja Teams» Security Incident PR Handling & Management Psychological, social and behavioural aspects (applied to cyber environments) Cybercrime Intelligence Botnet takeovers, takedowns, Cybercriminals bounting, Cyber Intelligence Reports, Technical & Operational support towards CERTs and LEAs/LEOs,[ ] Information Warfare & Cyber War (only for MoDs) 0-day and Exploits Digital Weapons OSINT

5 About SSH Communications Security We are the inventors of the Secure Shell protocol Leading contributors to open standards: Leading author 5 RFCs Influence on 98 RFCs Authors of IETF Best Current Practices for Secure Shell identity management Over 3,000 customers worldwide including 7 of the Fortune 10 We deliver a platform-based approach to secure shell deployment, management, monitoring and data loss prevention In Business Since 1995

6 Some of Our Customers Energy & Utilities Government Financial Retail Healthcare

7 The Rise of Machine Based Identities 83% of Data Center Traffic is M2M Cloud Services Driving More M2M Automation

8 82% OF RESPONDENTS SAID THEIR ORGANIZATION USES SSH & 68% CONSIDER SSH AS IMPORTANT OR CRITICAL TO THE BUSINESS - FORRESTER

9 Dangerous Gaps In Your Security Architecture: I Thought We Had This Covered? 20% Body copy of Identities Interactive (Human) users Most organizations lack sufficient access controls, continuous monitoring, DLP or forensics capabilities in M2M networks In many cases, M2M authentications vastly outnumber interactive authentication M2M connections can be hijacked by interactive users M2M connections often carry high value payloads such as credit card numbers and personally identifiable information M2M encrypted communications are rarely monitored and the encryption used to protect the data blinds ops & forensics 80% of Identities

10 How a Lack of IAM Controls in Encrypted Networks Enables Successful Attacks

11 Secure Shell in Enterprise The Good: Provides confidentiality (encryption) for data transfers Enables secure systems administration Enables secure process automation (machine to machine) The Bad: Authentication keys can be an attack vector for both malicious insiders and external threats Can be used to obscure data theft (exfiltration) Can enable other unauthorized activities

12 Secure Shell Authentication Keys A Key pair, consisting of a private and public key, used for user s identity and access credentials Keys are widely used for automated processes Interactive processes Private Public Keys can also be used for interactive connections Public

13 Lack of Security Intelligence and Access Controls on SSH and Encrypted Channels No visibility to trust relationships and access policy violations: Who is able to access where using what accounts? No processes and centralized management for SSH Key based access Unable to monitor and inspect content transmitted across encrypted networks Unable to prevent data loss on encrypted networks

14 Keys Create Trust Relationships One to One One to Many Many to Many Many to One

15 Transitive Trust Sys Admin A Prod Server 1 Prod Server 2 TRUST TRUST TRUST Sys Admin A is authorized to login as root to Prod Server 1 but not Prod Server 2 Prod Server 1 is authorized to initiate sftp secure file transfers on Prod Server 2 Sys Admin A can initiate sftp file transfers on Prod Server 2 by logging in Prod Server 1

16 Real-Life Examples Body copy

17 Segregation of Duties Production Servers What You Think You Have Development & Test Business Users What You May Have Developers

18 Transitive Trust Can Propagate Lost or Stolen SSH key User

19 Real Life Scenario

20 Current & Emerging Compliance Standards Compliance Requirement Status Potential Audit Finding Monetary Authority of Singapore NIST-FISMA PCI SOX Q2 2013: Updated to include specific language concerning keys Q : C2.2.x & expected update to include specific requirements around SSH key authentication Q4 2013: 8.5.x & PCI-DSS pending final on version 3. Five issues relating to other authentication methods accepted for consideration DS 5.8 Access control and key management requirements NERC R5 Account management Yes HIPAA 4.x information access management Yes Yes Yes Yes Yes

21 What Can Be Done Problem Scope (SRA) Discovery Lockdown Remediation Management Continuous Monitoring

22 Universal SSH Key Manager Discover Connect to the environment Gather host, user and key information Discover and show trust-relationships Remediate Lock down the environment Identify unauthorized key operations Enable automated notifications Manage Manage and automate key setups and removals Integrate to existing processes and tools through API

23 UKM Overview Discover Remediate Manage Take inventory of SSH Keys Map Trust Relationships Track Key Activity Identify unused/unneeded keys Identify unneeded authorizations Remove Unused Keys Relocate keys to root owned directories Update authorizations Renew old, noncompliant keys Centralize control Connect authorization process to existing ticketing systems Centrally manage and enforce SSH configurations Automate key removal, link to AD/LDAP Continuous monitoring to detect and correct violations

24 Key Take-Aways M2M connections are increasing at a much faster rate than enterprises realize Most organizations do not have the ability to capture security intelligence or forensics data if an exploit were to occur in encrypted networks Most organizations do not have their keys under control Secure Shell keys must be managed and monitored Privileged access in encrypted channels must be managed and monitored

25 Thank you! Any questions? Raoul Chiesa President, Security Brokers SSH Communications Security Partner rc [at] security-brokers [dot] com