Businesses Fail to Properly Secure, Assess SSH: ISACA

Most businesses use the Secure Shell (SSH) technology, a cryptographic protocol designed to enable secure file transfers and remote communications. However, it's rare they appropriately secure, document, routinely assess, and manage SSH, as reported in a new ISACA paper released Tuesday.

SSH was developed as a secure alternative to telnet and rsh/rexec. It's primarily used to allow a remote command shell (for example, the Bourne shell or C shell) over a network connection. It also allows port-forwarding capability and implements SFTP to allow secure file transfer.

It's essential for security leaders to ensure SSH is securely deployed and monitor its usage so it continues to protect against man-in-the-middle attacks, isn't misused by privileged insiders, or any number of other troubles. However, ISACA points out several challenges in doing all this well.

For one, businesses are struggling to manage and track SSH cryptographic keys. SSH is natively supported by Amazon Web Services, Google Cloud, and other service providers that offer virtual Linux hosts. Each SSH server has its own key to authenticate the device to clients and as SSH hosts increase on premise and in the cloud, complexities of key management will grow.

There is also a challenge in deciding who is responsible for SSH keys. Usually it's unclear who should handle tasks like managing key inventory and usage, a complexity that underscores the need to integrate controls and processes into broader control management, ISACA explains.

SSH is critical from a security perspective but generally invisible to the business; as a result, executives tend to overlook it. It's necessary for system administrators to operate, but how it's managed doesn't usually affect business processes. This can make it tough to ensure SSH gets executive attention and is addressed in risk management and audit planning.

Read more about SSH challenges and considerations by looking at the full report here.