25 February 2016 INTERNAL | SSH Communications Security1
MONTHLY MYTH CRACKER SERIES
“THE MYTH OF SSH KEY DISCOVERY”
“THE MYTH OF THE PRIVATE KEY”
“THE MYTH OF KEY ROTATION”
“THE MYTH OF SSH KEY MANAGEMENT AS PART OF THE
PRIVILEGED ACCESS MANAGEMENT PARADIGM”
PART 3: THE MYTH OF KEY ROTATION
Matthew McKenna
Chief Commercial Officer
February 24th, 2016
Joe Scaff
Director, Customer Services
WHAT WE WILL COVER
• Quick Introduction
• Who is SSH Communications Security?
• Why is SSH so important?
• How do SSH Keys work?
• What are the Myths of Key Rotation?
• Risk vs. Reward of Key Rotation
• How to approach and resolve the challenge
• More reading
WHO IS SSH COMMUNICATIONS SECURITY
Quick Facts:
• Inventors of the SSH protocol
• Listed: NASDAQ OMX Helsinki
(SSH1V)
• 3,000 customers including 6 of
the 10 largest US banks
• Original source of OpenSSH
What We Do:
• Access Management
• Access Controls & Key
Management
• Encrypted Channel Monitoring
• Data-in-Transit Encryption
We provide the means to discover, monitor and control privileged access and
encrypted traffic without disrupting the flow of information, processes or
business practices
WHAT IS SSH?
Diagram: an SSH client and an SSH server communicating over TCP/IP; the one SSH connection carries terminal sessions, SFTP file transfers and TCP tunneling.
SSH KEEPS THE WORLD RUNNING
Diagram: SSH connects supply chain / third-party access, on-premise systems and cloud environments.
GOOD VS. EVIL
SECURE SHELL IS A POWERFUL TOOL THAT HAS
POTENTIAL FOR MISUSE
Capability | For good | For evil
Data-in-transit encryption | Prevent man-in-the-middle attacks and protect sensitive information | Blind security operations and forensics teams to malicious behavior
Remote access to systems and applications | Convenient method for both administrators and developers to access systems and applications | Convenient method for malicious insiders and external threats to compromise your systems and applications
Command execution | Move, copy, delete files and applications for business-related purposes | Exfiltrate confidential information, deploy malware, delete or damage databases
Tunneling | Enable application-to-application connectivity | Bypass corporate firewall policy
SSH AUTHENTICATION: THE ESSENTIALS
1) Server authentication: the server proves its identity to the client.
2) User authentication: the client proves the user's identity to the server.
Diagram: SSH client and SSH server connected over the network.
Think of the private key as a real key, while the public key resembles a lock: whoever holds the private key can open every lock that was installed for it.
SSH is commonly used to grant administrators or automated services access to systems.
Typically, every employee is responsible for his own personal key, or rather for all keys he has generated, e.g. for test and production systems.
Keys used by services are, at best, only tied organizationally to a person or a group.
SSH USER KEY & ACCESS USE CASES
Interactive SSH login using keys (individual use):
• SA: system admin login to SSH server
• DBA: database admin login to SSH server
• Individual: development / other login to SSH server
• Root: root user login to SSH server
Non-interactive SSH login using keys (automated/process usage):
• Application: business app login, performing app-specific tasks
• Monitoring: automated system monitoring application login, performing application-specific tasks
• System: automated system administration login, performing app-specific tasks
THE MYTHS OF KEY ROTATION?
Myth 1: Key rotation makes us more secure
Myth 2: Key rotation can be established fairly easily
Myth 3: Key rotation should be done automatically
Myth 4: Key rotation is a must? Or is there a more clever way?
MYTH 1: KEY ROTATION MAKES US MORE SECURE.
• Rotation without lockdown simply rotates the problem: a new key pair inherits whatever unauthorized or unrestricted trust the old one had.
• Continuous monitoring is key.
• Full visibility of the chain of trust is required.
• The risk-mitigation controls sit with the authorized key (its ownership and source restrictions), not with the age of the key.
MYTH 2: KEY ROTATION CAN BE ESTABLISHED FAIRLY EASILY
Diagram: two rotation scenarios, prod-to-prod non-interactive trust within a single application versus prod-to-prod non-interactive trust across applications.
MYTH 3: KEY ROTATION SHOULD BE DONE AUTOMATICALLY
“We want key rotation to be fully automatic.” – Customer A
“Wait. We want key rotation to be manual but automatic.” – Customer A, after deeper consideration
Candidates for automatic rotation:
• Interactive SSH user keys
• External 3rd-party contractor interactive SSH user keys
• External 3rd-party automated key-based access with known one-to-one connections
• Keys unused for X period of time with a known one-to-one connection
Manual but automatic:
• Known, continuously monitored, remediated chains of trust for automated processes, with known IP source restrictions
MYTH 4: KEY ROTATION IS A MUST.
• Remediation vs. rotation
• Access, cryptography and configuration
• Resilience vs. security
• Interactive vs. automated
HOW TO ADDRESS THE CHALLENGE
1. Project objectives
2. Establishment of a policy baseline
3. The process
4. Risk versus reward in remediation efforts
5. Discover & remediate vs. application lockdown approaches
6. Standard guidance
7. Importance of IDM as part of the governance process
PROJECT OBJECTIVES
Issue definition:
• Insufficient controls over access to the production estate for interactive and automated access where SSH public key authentication is used, e.g. unauthorized root keys
• Lack of continuous monitoring of SSH public key based authentication
• Lack of a standardized recertification process within the overall key management framework
Drivers to act:
• Operational risk: internal or external misuse of root-level access where unauthorized key-based access exists but is not visible would have significant operational, reputational and financial impact on the bank
• Compliance: PCI, SOX and MAS mandate that unauthorized access to production be remediated
• Process standardization: lockdown of key recertification and policy management
Mission:
• Ensure stability of the IT production environment by implementing and managing application production access controls where public key authentication is used for interactive and automated access
Project objectives:
• Standardize policy for interactive/automated access to the production estate using SSH public key authentication
• Discover and monitor legacy key-based trust relationships across the estate
• Lock down existing and future access to the production estate
• Remediate policy violations
• Create a process for automated provisioning, de-provisioning and recertification of key-based access
• Integrate SSH user key management into the IDM framework
SSH USER KEY & ACCESS MANAGEMENT POLICY
Three policy areas: access policy, cryptography policy and configuration policy.
PROCESS
Steps: Define policies → Discover → Report → Monitor → Lockdown → Remediate → Integrate → Automate
Phases: Assess and Discover; Control and Remediate; Recertify and Govern
THE RISK VERSUS REWARD IN REMEDIATION & ROTATION
Chart: remediation items plotted by risk against reward: decommissioned app keys, DEV to PROD connections, interactive jump server bypass keys, unauthorized root trust, unused keys, SSH1 keys, unknown trusts, shared private keys, weak encryption and aged keys.
PRIORITIZATION & QUICK WINS FOR RISK REDUCTION & COMPLIANCE
Remediation item | Reward | Risk | Comment
Unauthorized root trust | Highest | Medium | Undesired break of process
Decommissioned application keys | High | Low | Often significant numbers, unnecessary exposure
SSH1 keys | Low/Medium | Low | Deprecated keys that should not be in use
DEV to PROD connections | High | Low | If policy does not permit, fairly easy to implement
Interactive jump server bypass keys | High | Low | If policy does not permit, fairly easy to implement
Unknown trusts | High | Low/High | Depends on how long the environment has been monitored
Unused keys | High | Low/High | Depends on how long the environment has been monitored
Shared private key scenarios | Medium | High | Same rule as rotation if remediating trust
Weak encryption | Medium | High | Rotation requires full visibility into the trust chain
Aged keys | Low | High | Rotation requires full visibility into the trust chain
DISCOVER & REMEDIATE APPROACH VS. APPLICATION
LOCKDOWN APPROACH
Approach | Pros | Cons
Discover & Remediate | Gain quick visibility of as much as possible across as many platforms as possible; eliminate high-risk items and quick wins in the fastest time | Remediation before lockdown is limited to users with local home directories or to clear policy violations
Application Lockdown | Stops the bleed of unauthorized provisioning most effectively; highest degree of control over the remediation effort | Requires application team involvement; requires an effective communication process and project management for tracking
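The "local home directories" limitation above is worth seeing concretely. The following is an added example written for this page (not code from SSH Communications Security or from OpenSSH) of the Discover step done the way sshd itself resolves keys: it reads the AuthorizedKeysFile patterns from sshd_config (which can name several files, use %h/%u/%U tokens and point outside the home directory) instead of assuming ~/.ssh/authorized_keys, and it reports when an AuthorizedKeysCommand or a Match-scoped override means some keys never exist on disk at all. The passwd entries, sshd_config, key files, account names and the keys-from-idm command are constructed and are written to a temporary directory so the script runs offline; only the global section of sshd_config is evaluated.

```python
"""Discover which authorized_keys files sshd will actually read, per account.

Added example for this page, not code from SSH Communications Security or
from OpenSSH. It builds a small constructed estate (fake /etc/passwd,
sshd_config and key files) under a temporary directory so it runs offline;
absolute paths from sshd_config are re-rooted under that directory.
"""
import tempfile
from pathlib import Path

DEFAULT_AUTHORIZED_KEYS_FILE = ".ssh/authorized_keys .ssh/authorized_keys2"  # OpenSSH default

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
dbbatch:x:2001:2001:batch account:/srv/dbbatch:/bin/sh
www:x:33:33:web:/var/www:/usr/sbin/nologin
"""
# Constructed sshd_config: a second, non-default key location, and a Match
# block that pulls keys from a program. A scan of ~/.ssh alone misses both.
SAMPLE_SSHD_CONFIG = """\
Port 22
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/keys/%u
Match Group contractors
    AuthorizedKeysCommand /usr/local/bin/keys-from-idm %u
    AuthorizedKeysCommandUser nobody
"""
# Key blobs are placeholders; this step only counts entries, it does not parse them.
SAMPLE_KEY_FILES = {
    "root/.ssh/authorized_keys": "ssh-ed25519 AAAA_placeholder alice@laptop\n",
    "home/alice/.ssh/authorized_keys": "# personal key\nssh-ed25519 AAAA_placeholder alice@laptop\n\n",
    "etc/ssh/keys/dbbatch": 'from="10.10.4.21" ssh-rsa AAAA_placeholder batch\nssh-rsa AAAA_old old-batch\n',
}

def build_sample_estate(root: Path) -> None:
    (root / "etc/ssh").mkdir(parents=True)
    (root / "etc/passwd").write_text(SAMPLE_PASSWD)
    (root / "etc/ssh/sshd_config").write_text(SAMPLE_SSHD_CONFIG)
    for rel, body in SAMPLE_KEY_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)

def parse_sshd_config(text: str):
    """Return (AuthorizedKeysFile patterns from the global section, keys_elsewhere).

    keys_elsewhere is True when an AuthorizedKeysCommand or a Match-scoped
    AuthorizedKeysFile means some keys are not in the global files; resolving
    Match criteria needs the connecting user, so that is reported, not evaluated.
    """
    patterns, keys_elsewhere, in_match = DEFAULT_AUTHORIZED_KEYS_FILE.split(), False, False
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        keyword, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
        elif keyword == "authorizedkeyscommand":
            keys_elsewhere = True
        elif keyword == "authorizedkeysfile":
            if in_match:
                keys_elsewhere = True
            else:
                patterns = [] if value.lower() == "none" else value.split()
    return patterns, keys_elsewhere

def expand(pattern: str, user: str, uid: str, home: str) -> str:
    """Apply the %%, %h, %u and %U tokens sshd accepts in AuthorizedKeysFile."""
    out = pattern.replace("%%", "\0").replace("%h", home).replace("%u", user).replace("%U", uid)
    return out.replace("\0", "%")

def discover(root: Path):
    """Map each local account to the key files sshd would consult and their entry counts."""
    patterns, keys_elsewhere = parse_sshd_config((root / "etc/ssh/sshd_config").read_text())
    inventory = {}
    for line in (root / "etc/passwd").read_text().splitlines():
        if not line or line.startswith("#"):
            continue
        user, _pw, uid, _gid, _gecos, home, _shell = line.split(":")
        found = []
        for pattern in patterns:
            path = expand(pattern, user, uid, home)
            if not path.startswith("/"):
                path = home.rstrip("/") + "/" + path          # relative paths are under $HOME
            real = root / path.lstrip("/")                      # re-root under the sample estate
            if real.is_file():
                lines = real.read_text().splitlines()
                entries = [l for l in lines if l.strip() and not l.lstrip().startswith("#")]
                found.append((path, len(entries)))
        inventory[user] = found                                 # [] means: no key file on disk
    return inventory, keys_elsewhere

def run_sample():
    """Build the constructed estate in a temp dir and discover its key files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_estate(root)
        return discover(root)

if __name__ == "__main__":
    inventory, keys_elsewhere = run_sample()
    for user, files in inventory.items():
        print(f"{user:<8} {files or 'no authorized_keys on disk'}")
    if keys_elsewhere:
        print("caveat: AuthorizedKeysCommand / Match overrides supply keys that are not on disk")
```

The dbbatch account has no .ssh directory at all, yet sshd would accept two keys for it from /etc/ssh/keys/dbbatch; a home-directory scan reports that account as clean. Anything served by AuthorizedKeysCommand has to be inventoried at its source (the IDM or key store), which is why the lockdown approach and the IDM integration later in this deck matter for completeness.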
STANDARD GUIDANCE
• Single key pair per authorization
  • Within the same or a cross-application context, to ensure full accountability (ownership) and recertification.
  • A from= stanza (the from="pattern-list" option on the authorized_keys entry) should be added to constrain the relationship to its known source hosts.
• Single SSH key across multiple servers
  • Permissible within a single application, with the additional constraint of the from= stanza.
• Multi-server, cross-application usage of a single key pair
  • Should be remediated by retiring it in favor of dedicated SSH keys for each interfacing application.
  • In the interim, a from= stanza should be added to constrain the relationship.
• Interactive user connections
  • Jump/PAM servers should be used to access all production servers.
  • Direct access to any production server is not allowed.
  • Cross-communication between production and non-production environments is not allowed.
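The prioritization table and the standard guidance above can be turned into an audit of discovered authorized_keys entries. The following is an added example written for this page (illustrative Python, not SSH Communications Security's product and not OpenSSH code): it parses entries including quoted options such as from="a,b", sizes RSA moduli from the key blob, fingerprints each key the way ssh-keygen -lf does, and flags unauthorized root trust, DEV to PROD sources, weak keys, entries missing a from= stanza and one key pair trusted by several applications, ordered by the table's reward column. The hosts, application names, accounts, the 10.10.0.0/16 production range, the 2048-bit minimum and the key blobs are all constructed; the blobs are synthetic values with a valid OpenSSH wire format and the stated bit length, not usable keys.

```python
"""Audit authorized_keys entries against an SSH key policy. Added example for this
page, not SSH Communications Security's product nor OpenSSH code; hosts, applications,
address ranges and key blobs are constructed (valid wire format, not usable keys)."""
import base64
import hashlib
import ipaddress
import struct
from collections import defaultdict
def ssh_string(data: bytes) -> bytes:                   # RFC 4251 "string"
    return struct.pack(">I", len(data)) + data
def ssh_mpint(n: int) -> bytes:                         # RFC 4251 "mpint", n > 0
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))   # length keeps sign bit clear
def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def fake_rsa_blob(bits: int, tag: int = 0) -> str:
    """Constructed ssh-rsa blob whose modulus is exactly `bits` long; `tag` makes it unique."""
    n = (1 << (bits - 1)) | (tag << 1) | 1
    return base64.b64encode(ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)).decode()

def key_info(b64: str):
    """(key type, strength in bits, SHA256 fingerprint as `ssh-keygen -lf` prints it)."""
    blob = base64.b64decode(b64)
    ktype, off = read_string(blob, 0)
    bits = 256 if ktype == b"ssh-ed25519" else 0         # only RSA is sized below
    if ktype == b"ssh-rsa":                              # skip e, size the modulus n
        _e, off = read_string(blob, off)
        bits = int.from_bytes(read_string(blob, off)[0], "big").bit_length()
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ktype.decode(), bits, "SHA256:" + fp

def split_quoted(text: str, is_sep) -> list:
    """Split on separator characters outside double quotes, so from="a,b" keeps its comma."""
    parts, cur, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'
        if is_sep(ch) and not quoted:
            parts, cur = (parts + [cur] if cur else parts), ""
        else:
            cur += ch
    return parts + [cur] if cur else parts

def parse_entry(line: str):
    """Parse one authorized_keys line to type/bits/fingerprint/options; None for comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields, options = split_quoted(line, str.isspace), {}
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):     # leading options field
        for item in split_quoted(fields.pop(0), lambda c: c == ","):
            name, _, value = item.partition("=")
            options[name] = value.strip('"') if value else True
    ktype, bits, fp = key_info(fields[1])
    return {"type": ktype, "bits": bits, "fp": fp, "options": options}
ROOT_KEY, LEGACY_KEY, CI_KEY, STRAY_KEY = fake_rsa_blob(4096), fake_rsa_blob(1024), fake_rsa_blob(2048, 1), fake_rsa_blob(2048, 2)
INVENTORY = [  # constructed: (host, application, account, authorized_keys line)
    ("prod-db-01", "payments", "root", f'from="10.10.0.5" ssh-rsa {ROOT_KEY} break-glass@jump'),
    ("prod-db-02", "payments", "root", f'ssh-rsa {STRAY_KEY} bob@laptop'),
    ("prod-app-02", "payments", "appsvc", f'from="10.20.1.5" ssh-rsa {CI_KEY} deploy@dev-ci'),
    ("prod-app-03", "reporting", "appsvc", f'ssh-rsa {CI_KEY} deploy@dev-ci'),
    ("prod-web-01", "portal", "www", f'from="10.10.7.0/24" ssh-rsa {LEGACY_KEY} portal-cron'),
]
POLICY = {"prod_sources": [ipaddress.ip_network("10.10.0.0/16")], "min_rsa_bits": 2048,  # assumed
          "authorized_root_keys": {key_info(ROOT_KEY)[2]}}          # fingerprints approved for root
PRIORITY = {  # (reward, risk) from the prioritization table, in reward order; from= is guidance
    "Unauthorized root trust": ("Highest", "Medium"), "DEV to PROD connections": ("High", "Low"),
    "Shared private key scenarios": ("Medium", "High"), "Weak encryption": ("Medium", "High"),
    "Missing from= stanza": ("Guidance", "-")}

def in_prod(pattern: str, policy) -> bool:             # hostname/wildcard patterns are not checked
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return True
    return any(net.subnet_of(p) for p in policy["prod_sources"] if p.version == net.version)

def audit(inventory, policy):
    """Return [(remediation item, 'account@host (app)')] ordered by reward, highest first."""
    parsed = [p for p in ((h, a, u, parse_entry(l)) for h, a, u, l in inventory) if p[3]]
    apps_per_key = defaultdict(set)                      # which applications trust each public key
    for _h, app, _u, e in parsed:
        apps_per_key[e["fp"]].add(app)
    findings = []
    for host, app, user, e in parsed:
        where = f"{user}@{host} ({app})"
        if user == "root" and e["fp"] not in policy["authorized_root_keys"]:
            findings.append(("Unauthorized root trust", where))
        if e["type"] == "ssh-dss" or (e["type"] == "ssh-rsa" and e["bits"] < policy["min_rsa_bits"]):
            findings.append(("Weak encryption", where))
        sources = e["options"].get("from")
        if not sources:
            findings.append(("Missing from= stanza", where))
        elif not all(in_prod(p, policy) for p in sources.split(",")):
            findings.append(("DEV to PROD connections", where))
        if len(apps_per_key[e["fp"]]) > 1:                # one key pair trusted by several applications
            findings.append(("Shared private key scenarios", where))
    return sorted(findings, key=lambda f: list(PRIORITY).index(f[0]))

if __name__ == "__main__":
    print(*audit(INVENTORY, POLICY), sep="\n")
```

Two points the output makes that a rotation schedule alone would not: the deploy@dev-ci key is the same public key on two applications and connects from a non-production address, so rotating it would only hand the same unconstrained cross-application trust a new key pair, while the break-glass root key passes because the trust itself is restricted and approved. Remediate the trust first (from= stanza, dedicated key per application, root authorization), then rotate what remains.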
IDM INTEGRATION
Diagram: IDM (source) and Key Manager (destination) exchange HR user, app owner, business owner, user account, app and policy information, SSH owner and key data.
Use cases:
1. Reconciliation of IDM and Key Manager (daily)
2. Account creation
3. Off-boarding: account deletion / ownership changes
4. Unauthorized key replacement and key expiration
5. Account revalidation
JUST THE TIP OF THE ICEBERG
National Institute of Standards & Technology, NIST IR 7966: Security of Interactive and Automated Access Management Using Secure Shell (SSH)
This publication is a public document and free of charge for all: http://dx.doi.org/10.6028/NIST.IR.7966
THE LAST SESSION IN OUR MYTH CRACKER SERIES…
Join us for:
THE MYTH OF SSH KEY MANAGEMENT
AS PART OF THE PRIVILEGED ACCESS
MANAGEMENT PARADIGM
March 24, 2016
13.00 ET
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3 (slide transcript)

1. MONTHLY MYTH CRACKER SERIES
25 February 2016 INTERNAL | SSH Communications Security
“THE MYTH OF SSH KEY DISCOVERY”
“THE MYTH OF THE PRIVATE KEY”
“THE MYTH OF KEY ROTATION”
“THE MYTH OF SSH KEY MANAGEMENT AS PART OF THE PRIVILEGED ACCESS MANAGEMENT PARADIGM”

2. PART 3: THE MYTH OF KEY ROTATION
Matthew McKenna, Chief Commercial Officer
Joe Scaff, Director, Customer Services
February 24th, 2016

3. WHAT WE WILL COVER
• Quick Introduction
• Who is SSH Communications Security?
• Why is SSH so important?
• How do SSH Keys work?
• What are the Myths of Key Rotation?
• Risk vs. Reward of Key Rotation
• How to approach and resolve the challenge
• More reading

4. WHO IS SSH COMMUNICATIONS SECURITY
Quick Facts:
• Inventors of the SSH protocol
• Listed: NASDAQ OMX Helsinki (SSH1V)
• 3,000 customers including 6 of the 10 largest US banks
• Original source of OpenSSH
What We Do:
• Access Management
• Access Controls & Key Management
• Encrypted Channel Monitoring
• Data-in-Transit Encryption
We provide the means to discover, monitor and control privileged access and encrypted traffic without disrupting the flow of information, processes or business practices.

5. WHAT IS SSH?
(Diagram: an SSH client and an SSH server connected over TCP/IP; terminal sessions, SFTP and TCP tunneling all run over the SSH connection.)

6. SSH KEEPS THE WORLD RUNNING
(Diagram: SSH connects supply chain / 3rd party access, on-premise systems and cloud systems.)

7. GOOD VS. EVIL
SECURE SHELL IS A POWERFUL TOOL THAT HAS POTENTIAL FOR MISUSE
Capability | For good | For evil
Data-in-Transit Encryption | Prevent man-in-the-middle attacks and protect sensitive information | Blind security operations and forensics teams to malicious behavior
Remote access to systems and applications | Convenient method for both administrators and developers to access systems and applications | Convenient method for malicious insiders and external threats to compromise your systems and applications
Command execution | Move, copy, delete files and applications for business related purposes | Exfiltrate confidential information, deploy malware, delete or damage databases
Tunneling | Enable application-to-application connectivity | Bypass corporate firewall policy

8. SSH AUTHENTICATION: THE ESSENTIALS
1) Server authentication: the server proves its identity to the client.
2) User authentication: the client proves the user’s identity to the server.
(Diagram: SSH client and SSH server across the network.)
Think of the private key as a real key, while the public key resembles a lock.
SSH is commonly used to grant administrators or automated services access to systems. Typically, every employee is responsible for his own personal key, or rather for all keys that he has generated, e.g. for test and production systems. Keys used by services are, at best, only tied organizationally to a person or group.

9. SSH USER KEY & ACCESS USE CASES
Interactive SSH login using keys (individual use):
• SA: System Admin login to SSH server
• DBA: Database Admin login to SSH server
• Individual: Development / Other login to SSH server
• Root: Root user login to SSH server
Non-interactive SSH login using keys (automated/process usage):
• Application: Business app login and performing app specific tasks
• Monitoring: Automated system monitoring application login and performing application specific tasks
• System: Automated system administration tasks login and performing app specific tasks

10. THE MYTHS OF KEY ROTATION?
• Myth 1: Key rotation makes us more secure
• Myth 2: Key rotation can be established fairly easily
• Myth 3: Key rotation should be done automatically
• Myth 4: Key rotation is a must? Or is there a more clever way?

11. MYTH 1: KEY ROTATION MAKES US MORE SECURE.
• Rotation without lockdown simply rotates the problem
• Continuous monitoring is key
• Full visibility of the chain of trust
• Risk mitigation controls sit with the authorized key

12. MYTH 2: KEY ROTATION CAN BE ESTABLISHED FAIRLY EASILY
(Diagrams of two trust topologies: PROD to PROD, non-interactive, single application; PROD to PROD, non-interactive, cross application.)

13. MYTH 3: KEY ROTATION SHOULD BE DONE AUTOMATICALLY
“We want key rotation to be fully automatic.” – Customer A
“Wait. We want key rotation to be manual but automatic.” – Customer A, after deeper consideration.
Candidates for automatic and for “manual but automatic” rotation:
• Interactive SSH user keys
• External 3rd party contractor interactive SSH user keys
• External 3rd party automated key based access with known one-to-one connections
• Keys unused for X period of time with a known one-to-one connection
• Known, continuously monitored, remediated chains of trust for automated processes, with known IP source restrictions

14. MYTH 4: KEY ROTATION IS A MUST.
• Remediation vs. Rotation
• Access, Cryptography, Configuration
• Resilience vs. Security
• Interactive vs. Automated

15. HOW TO ADDRESS THE CHALLENGE
1. Project Objectives
2. Establishment of a Policy Baseline
3. The Process
4. Risk versus Reward in Remediation Efforts
5. Discover & Remediate vs. Application Lockdown Approaches
6. Standard Guidance
7. Importance of IDM as Part of the Governance Process

16. PROJECT OBJECTIVES
Issue definition:
• Insufficient controls for access to the production estate for interactive and automated access where SSH public key authentication is used, e.g. unauthorized root keys
• Lack of continuous monitoring of SSH public key based authentication
• Lack of a standardized recertification process within the overall key management framework
Drivers to act:
• Operational risk: internal/external misuse of root level access where unauthorized key based access exists but is not visible will have significant operational, reputational and financial impact on the bank
• Compliance: PCI, SOX and MAS mandate that unauthorized access to production be remediated
• Process standardization: lockdown of key recertification and policy management
Mission:
• Ensure stability of the IT production environment by implementing and managing application production access controls where public key authentication is used for interactive and automated access
Project objectives:
• Standardize policy for interactive/automated access to the production estate using SSH public key authentication
• Discover and monitor legacy key based trust relationships across the estate
• Lock down existing and future access to the production estate
• Remediate policy violations
• Create a process for automated provisioning, de-provisioning and recertification of key based access
• Integrate SSH user key management into the IDM framework

17. SSH USER KEY & ACCESS MANAGEMENT POLICY
• Access Policy
• Cryptography Policy
• Configuration Policy

18. PROCESS
Steps: Define policies, Discover, Report, Monitor, Lockdown, Remediate, Integrate, Automate
Phases: Assess and Discover; Control and Remediate; Recertify and Govern

19. THE RISK VERSUS REWARD IN REMEDIATION & ROTATION
(Chart plotting each remediation item by risk and reward.) Items: Decommissioned App Keys, DEV to PROD Connections, Interactive Jump Server Bypass Keys, Unauthorized Root Trust, Unused Keys, SSH1 Keys, Unknown Trusts, Shared Private Keys, Weak Encryption, Aged Keys

20. PRIORITIZATION & QUICK WINS FOR RISK REDUCTION & COMPLIANCE
25 February 2016 INTERNAL
Remediation Item | Reward | Risk | Comment
Unauthorized ROOT trust | Highest | Medium | Undesired break of process
Decommissioned application keys | High | Low | Often significant numbers, unnecessary exposure
SSH1 keys | Low/Medium | Low | Deprecated keys that should not be in use
DEV to PROD connections | High | Low | If policy does not permit, fairly easy to implement
Interactive jump server bypass keys | High | Low | If policy does not permit, fairly easy to implement
Unknown trusts | High | Low/High | Depends on the time the environment has been monitored
Unused keys | High | Low/High | Depends on the time the environment has been monitored
Shared private key scenarios | Medium | High | Same rule as rotation if remediating the trust
Weak encryption | Medium | High | Rotation requires full visibility into the trust chain
Aged keys | Low | High | Rotation requires full visibility into the trust chain

21. DISCOVER & REMEDIATE APPROACH VS. APPLICATION LOCKDOWN APPROACH
Discover & Remediate Approach
• Pros: Gain quick visibility of as much as possible across as many platforms as possible
• Pros: Eliminate high risk items and quick wins in the fastest time
• Cons: Remediation before lockdown is limited to users with local home directories or clear policy violations
Application Lockdown Approach
• Pros: Stops the bleed of unauthorized provisioning most effectively
• Pros: Highest degree of control over the remediation effort
• Cons: Requires application team involvement
• Cons: Requires an effective communication process and project management for tracking

22. STANDARD GUIDANCE
• Single key pair per authorization
  • Within the same or a cross-application context, to ensure full accountability (ownership) and recertification.
  • A From stanza should be added to constrain this relationship.
• Single SSH key across multiple servers
  • Permissible within a single application and with the additional constraint of the From stanza.
• Multi-server, cross-application usage of a single key pair
  • Should be remediated, retiring such keys in favor of dedicated SSH keys for each interfacing application.
  • In the interim, a From stanza should be added to constrain this relationship.
• Interactive user connections
  • Jump/PAM servers should be leveraged to access all Prod servers.
  • Direct access to any production server is not allowed.
  • Cross-communication between production and non-production environments is not allowed.

23. IDM INTEGRATION
(Diagram: IDM as source (app owner, HR user, SSH owner, business owner; app info, user account, app & policy info) feeding the Key Manager as destination (key data).)
Use cases:
1. Reconciliation of IDM and Key Manager (daily)
2. Account creation
3. Off-boarding: account deletion / ownership changes
4. Unauthorized key replacement and key expiration
5. Account revalidation

24. JUST THE TIP OF THE ICEBERG
National Institute of Standards & Technology, NIST-IR 7966: Security of Interactive & Automated Access Management Using Secure Shell (SSH)
This publication is a public document and free of charge for all: http://dx.doi.org/10.6028/NIST.IR.7966

25. THE LAST SESSION IN OUR MYTH CRACKER SERIES…
Join us for: THE MYTH OF SSH KEY MANAGEMENT AS PART OF THE PRIVILEGED ACCESS MANAGEMENT PARADIGM
March 24, 2016, 13.00 ET
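Slides 13, 20 and 22 describe what the rotation and remediation program actually acts on: keys that are unused over a monitoring window, SSH1 and weak keys, and authorized keys that lack a From stanza tying a known one-to-one connection to its source address. The following is an added example (not code from the deck or from SSH Communications Security) of an audit that parses an authorized_keys file, decodes ssh-rsa blobs to measure the modulus, computes the OpenSSH SHA256 fingerprint, and cross-references the keys with sshd "Accepted publickey" log lines so that unused keys and candidate `from=` restrictions fall out. The policy thresholds (RSA under 2048 bits and ssh-dss count as weak) and every key, host name and log line are constructed for illustration; the RSA blobs are syntactically valid but are not real key pairs.

```python
import base64
import hashlib
import re
import struct

RSA_MIN_BITS = 2048  # policy threshold assumed for this example

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
LOG_RE = re.compile(
    r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")


def ssh_string(data):
    """Encode one SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    """Encode a positive SSH 'mpint' (one extra 0x00 byte keeps the sign bit clear)."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def read_string(blob, off):
    """Decode one SSH wire 'string' at offset off; returns (bytes, new_offset)."""
    (length,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + length], off + 4 + length


def make_rsa_blob(bits):
    """Construct an ssh-rsa blob whose modulus has exactly `bits` bits (not a real key)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << (bits - 1)) | 1)


def fingerprint(blob):
    """OpenSSH style fingerprint: SHA256 of the blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def rsa_modulus_bits(blob):
    ktype, off = read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    _e, off = read_string(blob, off)
    n, _ = read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def split_options(line):
    """Return (options, rest): options end at the first space outside double quotes."""
    if line.startswith(KEY_TYPES):
        return "", line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_options(opts):
    """Split 'from="a,b",no-pty' into {'from': 'a,b', 'no-pty': ''}; commas inside quotes are kept."""
    result, token, quoted = {}, "", False
    for ch in opts + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            if token:
                name, _, value = token.partition("=")
                result[name] = value.strip('"')
            token = ""
            continue
        token += ch
    return result


def parse_authorized_key(line):
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(" ", 1)[0].isdigit():  # SSH1 format: "bits exponent modulus comment"
        return {"type": "ssh1", "options": {}, "blob": None, "fingerprint": None, "comment": line}
    opts, rest = split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line: " + line)
    blob = base64.b64decode(fields[1])
    return {"type": fields[0], "options": parse_options(opts), "blob": blob,
            "fingerprint": fingerprint(blob), "comment": fields[2] if len(fields) > 2 else ""}


def observed_sources(log_lines):
    """Map fingerprint -> set of source IPs seen in sshd 'Accepted publickey' lines."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen.setdefault(m.group(3), set()).add(m.group(2))
    return seen


def audit(authorized_keys_text, log_lines):
    """Return one report entry per key with the policy findings that apply to it."""
    seen, report = observed_sources(log_lines), []
    for lineno, raw in enumerate(authorized_keys_text.splitlines(), 1):
        key = parse_authorized_key(raw)
        if key is None:
            continue
        findings = []
        if key["type"] == "ssh1":
            findings.append("SSH1 key: deprecated protocol, remove")
        elif key["type"] == "ssh-dss":
            findings.append("weak encryption: DSA (1024-bit), rotate to a modern key type")
        elif key["type"] == "ssh-rsa" and rsa_modulus_bits(key["blob"]) < RSA_MIN_BITS:
            findings.append(f"weak encryption: RSA modulus under {RSA_MIN_BITS} bits")
        sources = sorted(seen.get(key["fingerprint"], ()))
        if key["type"] != "ssh1":
            if key["fingerprint"] not in seen:
                findings.append("unused key: no 'Accepted publickey' event in the log window")
            if "from" not in key["options"]:  # propose the observed one-to-one sources
                hint = f'from="{",".join(sources)}"' if sources else "from=..."
                findings.append(f"no From stanza: constrain with {hint}")
        report.append({"line": lineno, "type": key["type"], "fingerprint": key["fingerprint"],
                       "comment": key["comment"], "sources": sources, "findings": findings})
    return report


# Constructed sample data: three ssh-rsa keys of different sizes plus one SSH1 line.
KEY_APP = make_rsa_blob(3072)   # app-to-app key, already constrained, used from one host
KEY_OLD = make_rsa_blob(1024)   # weak RSA, no from=, used from two hosts
KEY_IDLE = make_rsa_blob(2048)  # never appears in the log window
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not real keys
from="10.20.0.15",no-pty,command="/opt/app/sync.sh" ssh-rsa {base64.b64encode(KEY_APP).decode()} app-sync@batch01
ssh-rsa {base64.b64encode(KEY_OLD).decode()} legacy-report@etl02
ssh-rsa {base64.b64encode(KEY_IDLE).decode()} jdoe@laptop
1024 37 1234567890123456789 retired-ssh1-key
"""
SAMPLE_LOG = [  # constructed sshd lines in OpenSSH's syslog format
    f"Mar  3 02:00:01 prod-db01 sshd[2231]: Accepted publickey for oracle from 10.20.0.15 port 40122 ssh2: RSA {fingerprint(KEY_APP)}",
    f"Mar  3 02:10:44 prod-db01 sshd[2290]: Accepted publickey for oracle from 10.20.0.31 port 40388 ssh2: RSA {fingerprint(KEY_OLD)}",
    f"Mar  4 02:10:45 prod-db01 sshd[3101]: Accepted publickey for oracle from 10.20.0.32 port 40390 ssh2: RSA {fingerprint(KEY_OLD)}",
    "Mar  4 09:15:02 prod-db01 sshd[3177]: Failed publickey for root from 203.0.113.9 port 51234 ssh2: RSA SHA256:notInOurFile",
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_LOG):
        print(f"line {entry['line']:>2} {entry['type']:<8} {entry['comment']}")
        for finding in entry["findings"]:
            print("   -", finding)
```

Run against a real host, the authorized_keys text would come from each account's file and the log lines from the sshd journal for the monitoring window; the longer that window, the more confidence the "unused" and proposed `from=` findings carry, which is exactly the "depends on the time the environment has been monitored" caveat on slide 20. The fingerprint match is what links a line in authorized_keys to its logins, so the audit works without ever touching a private key.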

Editor's Notes

  1. Welcome to our Myth Crackers Series where we will be going over