You’re Already Compromised: Exposing SSH as an Attack Vector

March 5, 2014

By Gavin Hill, Director of Product Marketing and Threat Research, Venafi

Before the Snowden breach, the average person rarely thought about encryption. Last year, however, encryption was at the forefront of everyone’s mind. People wanted to know what Edward Snowden disclosed about the National Security Agency (NSA) PRISM, how they could avoid being spied on, and how Snowden was able to compromise what’s believed to be one of the most secure networks in the world. Although not everyone has been paying attention, keys and certificates have actually been at the center of news for the last few years. Adversaries and insiders have long known how to abuse the trust established by keys and certificates and use them as the next attack vector.


One of the first projects I worked on this year with the Ponemon Institute was to understand how organizations are protecting themselves from a Snowden-like breach resulting from vulnerabilities related to Secure Shell (SSH) keys. The research spanned four regions and included responses from over 1,800 large enterprises ranging from 1,000 to over 75,000 employees. What was very evident from the research is that most organizations are inadequately prepared for, or incapable of detecting, a security incident related to the compromise or misuse of SSH keys. Some chilling results:

  • 51% of organizations have already been compromised via SSH
  • 60% cannot detect new SSH keys on their networks or rely on administrators to report new keys
  • 74% have no SSH policies or are manually enforcing their SSH policies
  • 54% of organizations using scripted solutions to find new SSH keys were still compromised by rogue SSH keys on their networks in the last 24 months
  • Global financial impact from one SSH-related security incident was between US $100,000 and $500,000 per organization

Operational versus vulnerability view

More than half (53%) of organizations surveyed lack the ability to define and enforce SSH policies from a central view. As a result, they typically rely on individual teams or application administrators to secure their own keys. Because these organizations do not have visibility into how SSH keys are used within the enterprise network, detecting any security incident related to the misuse of SSH keys is very difficult. Organizations that view SSH key security as an operational problem are clearly missing the point: keys and certificates are fast becoming one of cyber-criminals’ preferred attack vectors because of the trust status they provide.

74% have inadequate SSH security policies

74% of organizations either have no SSH policies or are manually enforcing their SSH policies. Using the latest GitHub exposure of more than 600 SSH private keys as an example of application administrator behavior, you can see just how well manual processes are enforced—they’re not. If you are not familiar with this example, enhancements to the GitHub search functionality inadvertently exposed hundreds of application administrators’ private keys that had been stored in GitHub, many by simple mistake. You cannot rely on manual processes to secure and protect SSH keys; mistakes are inevitable.

51% are already compromised

Last year the Ponemon Institute published the 2013 Annual Cost of Failed Trust Report. In this report, the most alarming key and certificate management threat was SSH. In the SSH research conducted in 2014, Ponemon Institute found that 51% of organizations across four regions had a security incident related to the compromise or misuse of SSH keys. More alarming is that 50% of the compromised organizations used homegrown scripted solutions to manage SSH keys. This clearly shows that scripted solutions cannot detect the anomalous usage of SSH keys or rogue SSH keys used nefariously. Moreover, 60% of organizations surveyed rely on application administrators to manually detect rogue SSH keys.

[Figure: Survey Data: SSH Attacks]

A never-ending nightmare

As the research suggests, organizations have limited visibility into how SSH keys are used in the enterprise network and no ability to apply policies to SSH keys. However, you would think that even organizations using manual, disparate SSH key management would provide guidelines for rotating SSH keys. After all, SSH keys have no expiration date. According to Ponemon Institute research, 50% of organizations do not have an SSH key rotation plan in place. At Venafi we’ve encountered a number of organizations that have SSH keys assigned to ex-employees on critical servers, and these ex-employees left the organization more than five years ago. Considering that SSH bypasses host-based controls and provides elevated privileges, every organization should make rotating keys a priority!

Time to respond

When asked how quickly their organization could identify and respond to a security incident related to compromised or misused SSH keys, nearly half (45%) of the respondents could mitigate the threat in one day or more. The length of time it takes to respond to a security incident directly increases the financial burden organizations need to bear from that incident. The financial impact for the United Kingdom, Germany, and Australia ranged from US $100,000 to $250,000. US-based organizations were more significantly impacted, ranging from US $500,000 to $1,000,000.

[Figure: SSH Security Incidents]

By using a stolen SSH private key, an adversary can gain rogue root access to enterprise networks and bypass all the security controls. Because organizations have no policies, visibility into SSH vulnerabilities, or ability to respond to an SSH-related attack, cyber-criminals are turning to SSH as an attack vector at an ever-increasing rate. Every organization needs to stop viewing SSH keys and the management thereof as an operational matter that can be resolved with a few simple discovery scripts or relying on individual application administrators to self-govern. You wouldn’t do that with domain credentials, so why treat SSH keys—which enable elevated root privilege—any differently?

Every organization needs to have central visibility into the entire SSH key inventory, understand how SSH keys are used on the enterprise network, and apply SSH policies. Only then will an organization be able to quickly detect security incidents related to SSH and immediately remediate them.
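As an added illustration of the inventory, detection and rotation checks the post calls for (example code written for this page, not Venafi's or Ponemon's tooling): it parses authorized_keys lines, derives OpenSSH-style SHA256 fingerprints, and flags keys that are not in a central register, belong to a departed owner, or are past a rotation deadline. The register layout, the 365-day rotation window and the sample entries are assumptions; every key blob is constructed and is not a real key.

```python
"""Audit an authorized_keys file against a central key register.
Added example for this page, not Venafi's or Ponemon's tooling. Assumptions: the
register maps SHA256 fingerprint -> owner record, the rotation window is 365
days, and every key blob below is constructed and is not a real key."""
import base64
import hashlib
import struct
from datetime import date, timedelta

# Key types accepted in authorized_keys (the subset this example handles)
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def make_ed25519_blob(seed):
    """Constructed public-key blob (NOT a real key): string(type) || string(pub),
    where string() is the SSH wire format: uint32 length prefix, then the bytes."""
    pub = hashlib.sha256(b"sample-key-%d" % seed).digest()  # 32 arbitrary bytes
    body = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(body).decode()

def parse_authorized_key(line):
    """Split '[options] keytype base64-blob [comment]'; None for blank or # lines.
    Options may hold quoted spaces (command="..."), so locate the key-type token
    first and treat everything before it as the options field."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return {"options": " ".join(tokens[:i]), "type": tok,
                    "blob": tokens[i + 1], "comment": " ".join(tokens[i + 2:])}
    raise ValueError("unrecognised authorized_keys line: %r" % line)

def fingerprint(blob_b64, declared_type):
    """SHA256 fingerprint as ssh-keygen -lf prints it: base64 of the SHA-256 of the
    raw blob, '=' padding dropped. Also checks the embedded type matches the line."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n] != declared_type.encode():
        raise ValueError("embedded key type does not match %s" % declared_type)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def audit(lines, register, today, max_age_days=365):
    """Return (fingerprint, comment, status) per key: 'unknown' (not registered),
    'departed' (owner inactive), 'stale' (past the rotation window) or 'ok'.
    Identity comes from the fingerprint, never from the free-text comment."""
    findings = []
    for line in lines:
        entry = parse_authorized_key(line)
        if entry is None:
            continue
        fp = fingerprint(entry["blob"], entry["type"])
        rec = register.get(fp)
        if rec is None:
            status = "unknown"
        elif not rec["active"]:
            status = "departed"
        elif today - rec["issued"] > timedelta(days=max_age_days):
            status = "stale"
        else:
            status = "ok"
        findings.append((fp, entry["comment"], status))
    return findings

# Constructed sample data: a current key, one never rotated, one left behind by
# an ex-employee, and one nobody registered.
TODAY = date(2014, 3, 5)
BLOB_OK, BLOB_OLD, BLOB_EX, BLOB_ROGUE = (make_ed25519_blob(i) for i in range(4))
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys; none of these are real keys",
    "ssh-ed25519 %s alice@build01" % BLOB_OK,
    'command="/usr/bin/rsync --server",no-pty ssh-ed25519 %s backup@nas' % BLOB_OLD,
    "ssh-ed25519 %s bob@laptop" % BLOB_EX,
    "ssh-ed25519 %s" % BLOB_ROGUE,
]
REGISTER = {
    fingerprint(BLOB_OK, "ssh-ed25519"): {"active": True, "issued": date(2013, 11, 1)},
    fingerprint(BLOB_OLD, "ssh-ed25519"): {"active": True, "issued": date(2009, 1, 15)},
    fingerprint(BLOB_EX, "ssh-ed25519"): {"active": False, "issued": date(2012, 6, 1)},
}
```

Running `audit(SAMPLE_AUTHORIZED_KEYS, REGISTER, TODAY)` reports the four sample keys as ok, stale, departed and unknown in that order.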

Want to learn more about SSH vulnerabilities? Download the Ponemon 2014 SSH Security Vulnerability Report Infographic now.

Infographic: New Ponemon SSH Security Vulnerability Report

March 4, 2014

By Gavin Hill

Global organizations are under attack, and the attackers are more dangerous and persistent than ever. While the motivations vary, the goal of today’s cybercriminal is to become and remain trusted on targeted networks in order to gain full access to sensitive, regulated and valuable data and intellectual property, and circumvent existing controls.

Certificate attacks

Among the fundamental security controls enterprises rely on to protect data and ensure trust is secure shell (SSH). Yet, according to new research by the Ponemon Institute, system and application administrators—not IT security—are responsible for securing and protecting SSH keys, which exposes critical security vulnerabilities.

The research also found nearly half of all enterprises never rotate or change SSH keys. This makes their networks, servers, and cloud systems owned by the malicious actors in perpetuity when SSH keys are stolen, and represents IT’s dirty little secret, which leaves known and open back doors for cyber-criminals to compromise networks.

Data loss prevention, advanced threat detection solutions and next-generation firewalls cannot consume SSH-encrypted traffic, making it easy for adversaries to steal information—over extended periods—without detection. And unlike digital certificates, SSH keys never expire, leaving the vulnerabilities and figurative back doors open indefinitely.

This exclusive new infographic provides you with the analysis needed to understand the breach and how it could impact you and your organization.

[Infographic: Ponemon 2014 SSH Vulnerability Report]



CSA Appoints Leaders to the International Standardization Council

February 27, 2014




     Andreas Fuchsberger                                                                  Eric Hibbard

The CSA announced today the re-appointment of Andreas Fuchsberger and Eric Hibbard as the Co-Chairs of the CSA’s International Standardization Council (ISC). As Co-Chairs, Fuchsberger and Hibbard will be responsible for the governance and oversight of the Council.

The CSA International Standardization Council plays the important role of working to coordinate all aspects of standardization efforts within the CSA. The Council’s efforts are executed by CSA Global through the CSA Standards Secretariat involving relevant CSA research working groups in collaboration with standard developing organizations (SDOs).

Andreas Fuchsberger currently serves as the Regional Standards Officer at Microsoft, where he is responsible for Microsoft’s internal and external representation of ISO/IEC JTC1 for Central and Eastern Europe. Eric Hibbard currently serves as the CTO Security and Privacy at Hitachi Data Systems, where he represents the interests of both Hitachi and key organizations (e.g., ABA, CSA, INCITS, IEEE, TCG, SNIA) in the development of domestic and international standards and other types of specifications.

For 2014, the group will continue in its strategic role as a gatekeeper managing the CSA research intellectual property (IP) and the contribution of this IP towards global standardization efforts, as well as an expert body contributing to any SDOs’ and National Bodies’ (NBs) cloud computing and security-related standards development work. Due to the highly strategic value of the ISC as well as the sensitivity of the work and the protection of IP, membership application is only available to active corporate members with a strong background working with international standardization communities and processes.

The CSA would like to invite corporate members that are interested in influencing standardization efforts worldwide to join the ISC. For more information or to be considered for council membership please contact the CSA Standards Secretariat, Aloysius Cheang at [email protected]

Software Defined Perimeter (SDP) Yet To Be Hacked; CSA Ups the Ante on Virtual Hackathon

February 26, 2014

Winner Now To Receive Full Pass to BlackHat, in Addition to DEF CON

San Francisco, CA – February 26, 2014 – The Cloud Security Alliance (CSA) today announced that it has upped the ante, as no one has yet been able to hack the Software Defined Perimeter (SDP) network since the contest began on Monday.

For the virtual hackathon, registered participants from all over the world have been given the IP addresses of the target file server as well as the SDP components protecting them. This in effect simulates an ‘insider attack’ – modeled after a real world environment – on both private cloud and public cloud infrastructure. Participants also have access to a reference SDP system to learn how the system works to plan their attack. The hackathon is built on a public cloud without any special protection except those provided by the Software Defined Perimeter. It helps validate the concept that software components can provide as much protection against network attacks as physical systems.

The first participant to successfully capture the target information on the protected server will receive an expenses paid trip to both BlackHat and DEF CON ® 22 conference, including air and hotel, held in Las Vegas August 6-10, 2014.

“We believe the SDP is a fundamental change in how we approach securing networks, and are encouraged that no one has been able to hack the prototype yet,” said Bob Flores, judge of the event, former CTO of the CIA, and President & CEO at Applicology Incorporated. “We want to challenge any interested party, anywhere in the world, to test the security of an SDP network.”

The Software Defined Perimeter (SDP) Initiative is a CSA project aimed at developing an architecture for securing consumer devices, cloud infrastructure as well as the “Internet of Things”, using the cloud to create highly secure and trusted end-to-end networks between any IP addressable entities. Full contest rules and registration are available at

Members of the media and analyst community interested in attending the event should contact [email protected] for more information, to receive press credentials and to schedule interviews with CSA leadership and conference speakers.

Survey Shows: SAAS Vendors Ditch User Names And Passwords, Adopt SAML In Droves

February 24, 2014

by Thomas Pedersen, co-founder and CEO of OneLogin

Looks like we were on to something when we open sourced OneLogin’s first SAML Toolkit three years ago — the OneLogin 2014 State of SaaS Identity Management survey that we just completed with CSA shows that SaaS vendors are adopting SAML in droves. Of the 100 participants that completed the survey, 97 percent are backing the SAML standard for single sign-on into cloud application environments, many in response to customers asking for an easier, faster and more secure path to identity management and app provisioning.

We all know the headaches that enterprise IT managers face trying to keep up with their businesses’ demand for cloud apps while also maintaining security and compliance. SAML is now the Gold Standard for signing into cloud applications. Why? It completely eliminates all passwords and instead uses digital signatures to establish trust between the identity provider and the application. SAML-enabled SaaS applications deliver faster and more secure user provisioning in complex enterprise environments, and help simplify identity management across large and diverse user communities. Other key insights from the survey:

  • SAML in wide use for single sign-on: 67 percent of the SaaS vendors surveyed use SAML today for single sign-on identity management, while 19 percent said they planned to implement SAML within the next 12 months. Only 3 percent had no plans to implement the standard.
  • Customer demand, security and speed drive adoption: 26 percent of survey respondents cited demand from existing customers as the primary driver behind their SAML adoption, 21 percent cited improved security and compliance, and nearly 22 percent cited quick integration into cloud application ecosystems.
  • SAML adoption not limited to the web browser: 37 percent of the SaaS vendors surveyed leverage SAML on mobile versions of their apps, and 25 percent use SAML for desktop applications not including a web browser.

These findings speak volumes: SAML is stronger than ever and its momentum is fueled by the realization that the standard provides a massive security boost by enabling enterprises to more easily control access to their sensitive data. This is why OneLogin’s cloud solution for single sign-on and enterprise identity management is pre-integrated via SAML with more than 350 top enterprise applications, and why more than 150 SaaS vendors, including Dropbox, have used OneLogin’s free open source SAML Toolkits to SAML-enable their apps. Many thanks to CSA for collaborating with us on this survey, and we look forward to spreading the SAML gospel this week at RSA.

Thomas Pedersen is co-founder and CEO of OneLogin, the innovator in cloud-based enterprise identity management, ranked #1 in Network World Magazine’s review of SSO tools. Follow him on Twitter @thomasbpedersen

CSA Invites Hackers to Participate in an Insider Attack of a Software Defined Perimeter (SDP)

February 21, 2014

Bob Flores, Former CTO of the CIA and President & CEO at Applicology Incorporated to Serve as Judge

The Cloud Security Alliance (CSA) today announced additional details on its upcoming virtual hackathon, open to anyone globally, being held in conjunction with the RSA Conference, kicking off Monday, February 24th.

The hackathon will kick off with a workshop on CSA’s Software Defined Perimeter (SDP) on Monday, February 24th, from 2:00 p.m. to 3:00 p.m. at Moscone West, Room 2008. The workshop will provide participants a hands-on overview of the SDP protocol as well as a detailed view of the hackathon. To register for the free workshop, email [email protected]

For the virtual hackathon, participants will be given the IP addresses of the target file server as well as the SDP components protecting them.  This in effect will simulate an ‘insider attack’ – modeled after the real world environments and one of the most difficult to prevent – on both private cloud and public cloud infrastructure.  Participants will also have access to a reference SDP system to learn how the system works to plan their attack.

The first participant to successfully capture the target information on the protected server will receive an expenses paid trip to DEFCON ® 22, held in Las Vegas August 7-10, 2014. Bob Flores, former CTO of the CIA and President & CEO at Applicology Incorporated, will serve as judge of the event, naming the official winner of any successful hack. Contest rules are available at

The Software Defined Perimeter (SDP) Initiative is a new CSA project aimed at protecting application infrastructure from network-based attacks by using the cloud to create highly secure and trusted end-to-end networks between any IP addressable entities, allowing for systems that are highly resilient to network attacks.

Members of the media and analyst community interested in attending the event should contact [email protected] for more information, to receive press credentials and to schedule interviews with CSA leadership and conference speakers.


Fake SSL Certificates Uncovered: The Tip of the Iceberg and Weaponized Trust

February 19, 2014


Cybercriminals are moving faster than we think to weaponize the core element of trust on the Internet: digital certificates. The many fake certificates identified by Netcraft are just the tip of the iceberg. Cybercriminals are amping their attacks on trust because the results are so powerful.


Already over a quarter of Android malware is enabled by compromised certificates, and there are hundreds of trojans infecting millions of computers designed to steal keys and certificates for resale and criminal use. Today a stolen certificate is worth over 500 times more than a credit card or personal identity.

By attacking the trust established by digital certificates, cybercriminals aren’t making a quick hit. No, their intent is to own their target. Fake, compromised, stolen, misused, illicitly obtained certificates give cybercriminals the power to impersonate, surveil, and monitor—and to do so undetected.

[Figure: Careto - The Mask Malware]

Just recently The Mask group infiltrated hundreds of organizations. The group’s malware stole encryption keys, digital certificates, and SSH keys. While their collection efforts have just now been identified and stopped after 7 years, the real impact is yet to come.

The attackers now own thousands of keys and certificates and, as a result, own the networks, servers, and applications of the breached. They can impersonate websites with stolen keys and certificates and have root-level access with SSH keys. It is game over for these breached organizations unless they fight back and change all of their keys and certificates immediately.

If businesses and governments don’t get a handle on the ways they are using certificates and can’t respond to these attacks, we all might as well be investing in bulldozers. Our data centers are worthless when the basic, foundational element of trust on the Internet—digital certificates—is compromised.

[Figure: Gartner Security Quote]

We can’t tell the good from the bad and so just need to bulldoze and start new. But, we don’t have a replacement technology for digital certificates so we have to stand and fight. Otherwise, the reality Gartner painted of “living in a world without trust” will come true (Gartner ID: G00238476).

Hack the SDP – win a trip to DEF CON!

February 17, 2014

Following the CSA Summit at RSA on Monday Feb 24th, the CSA will be hosting a Software Defined Perimeter workshop and a ‘virtual hackathon’, open to anyone.

The workshop will provide a detailed demo and explanation of SDP, and will kick off the ‘virtual hackathon’ contest, which will last until 3pm PST on February 27, challenging participants to hack the SDP protocol, modeled after military-grade networks.

The SDP Hackathon gives participants the IP addresses of the target file server as well as the SDP components protecting them.  This in effect will simulate an ‘insider attack’ – one of the most difficult to prevent – on both private cloud and public cloud infrastructure.  Participants will also have access to a reference SDP system to learn how the system works to plan their attack.

The first participant to successfully capture the target information on the protected server will receive an expenses paid trip to DEF CON ® 22, held in Las Vegas August 7-10, 2014.  Contest rules and registration are available at  Space is limited, interested attendees should go to to reserve a seat at the workshop.

The Launch of the NIST Cybersecurity Framework

February 13, 2014

by John DiMaria, BSI

I was one of those invited to attend the NIST Cybersecurity Framework launch yesterday at the White House. It was a very nice, well-organized and positive event.

“The Framework is a key deliverable from the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Obama announced in the 2013 State of the Union”. – White House Press Release.

Each of the Framework components (the Framework Core, Profiles, and Tiers) reinforces the connection between business drivers and cybersecurity activities.  The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.

  • The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions — Identify, Protect, Detect, Respond, Recover — that provide a high-level view of an organization’s management of cyber risks.
  • The Profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. Companies can use the Profiles to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.
  • The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices. – White House Press Release

First, congratulations to Adam Sedgewick and his team for a great job spearheading this unprecedented collaboration between government and private sector. DHS has also done a good job of launching this program along with the publication of the Framework.

I would also like to say thank you to all the great professionals that attended all 5 workshops. I had the honor to work with many of them. We forged some great new business relationships and had some laughs along the way. One personal take-away was that no matter how old we get or how experienced we think we are, if you have discussions with the intent of listening and not answering, you can learn something from everyone you meet.

I am sure there will still be the naysayers and “headline grabbers” out there that will formulate and dwell on negatives, but being in the standards business for more than 20 years at all levels (and this is not a standard), I can tell you no initial framework, guidance or standard will ever be 100% right out of the box.

Even President Obama stated after the launch, “While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity”.

As was mentioned at the launch, this is a “living document”. A couple of comments that stood out in my mind from the three CEOs at Pepco, Lockheed and AT&T:

“We are only as good as our weakest link” (working with the supply chain and getting them to adopt the framework is critical) and “National Security and the economy depend on good cybersecurity and globally recognized standards”. Time to pull together.

As Benjamin Franklin said “If we do not hang together, we shall surely hang separately”.

There will be an industry expert panel discussing the framework on March 6th.

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner, and Master HISP with over 28 years of experience in management systems and international standards. The views expressed in this blog are his own. 

SecureCloud Update: Neelie Kroes, VP of the European Commission to Give Opening Keynote Address

February 11, 2014

SecureCloud 2014 is now just under two months away and we are excited to announce that Neelie Kroes, Vice President of the European Commission, will be giving the opening keynote address on April 1st.

[Photo: Neelie Kroes, VP of the European Commission]

Since 2010, Kroes has held the responsibility over the Digital Agenda for Europe. This portfolio includes the information and communications technology (ICT) and telecommunications sectors. As a strong promoter of the adoption of cloud computing in Europe, Kroes has been actively supporting actions to lower the barriers to the uptake of the cloud in the internal market. Kroes joins an all-star line-up of cloud security experts and visionaries, including Dr. Udo Helmbrecht, Dr. Richard Posch, Alan Boehme, Richard Mogull, as well as CSA CEO, Jim Reavis.

SecureCloud 2014, produced by the CSA, ENISA and Fraunhofer-FOKUS, is an opportunity for government experts, industry experts and corporate decision makers to discuss and exchange ideas about how to shape the future of cloud computing security. It is also a place to learn from cloud computing experts about cloud computing security and privacy, as well as to discuss practical case studies from industry and government.

Early bird discount pricing is being offered through February 14.  To register for SecureCloud 2014 visit:
