By Tim Boivin
PortSys announced today that its Total Access Control (TAC) zero trust solution is the first technology to secure Command Line Interface (CLI) controls based on a user’s context of access.
With this announcement, TAC now offers the most robust security for SSH services for CLIs – such as those gained through Unix and Linux platforms and Internet of Things (IoT) devices – while making those services invisible to the Internet.
Why is this important to you? With the drive for digital transformation becoming a top priority across the business world, hackers are increasingly targeting your SSH services to gain entry and then pivot within your network to wreak their havoc.
For instance, late last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory for two telemetry servers, a central patient monitoring system, a clinical information system, and three monitor models from GE Healthcare. CISA said “a vulnerability could allow an attacker to obtain access to the SSH private key in configuration files” from these systems.
Picking Up IoT’s Security Slack
The Internet of Things is driving digital transformation efforts across the business world. By the end of this year, more than 30 billion Internet of Things (IoT) devices will be connected to the Internet. That number is expected to balloon to 75 billion devices by 2025.
But the rapid growth in IoT devices also has a dark side for your organization: there are more ways for hackers to get into your infrastructure and do significant damage, with 84% of companies reporting that they have experienced some sort of IoT-related security breach.
The challenge is that most IoT device manufacturers shortchange – or even ignore – security in the rush to get their products to market at the lowest cost. While your employees, partners and customers are increasingly relying on IoT devices to accomplish their missions, you are probably coming to a growing realization that you have to pick up the security slack or risk a devastating attack.
At the center of this overlooked digital transformation security issue is the need to protect access previously gained through SSH Port 22, one of the oldest assigned network protocols on the World Wide Web. It has been a quarter century now since Tatu Ylönen was granted Port 22 for his SSH-1 protocol – just after FTP (Port 21) and predating HTTP (Port 80) and HTTPS (Port 443).
Originally prompted by a password-sniffing attack on Ylönen’s Helsinki University network, SSH over the years has been adopted ubiquitously across the CLI world, especially in Linux and Unix environments. Today, with the rapid growth driven by digital transformation and IoT, there are more CLIs on the Internet than any other protocol. (For instance, most routers and firewalls are running on some flavor of Linux with a CLI.)
IoT devices are CLI-heavy – think of all the wireless sensors, meters, remote devices and other business tools used across industries as diverse as manufacturing, retail, healthcare, logistics and utilities, just to name a few. These tools don’t have the more robust web-based or desktop graphical user interfaces (GUIs) you traditionally find in, say, the latest Windows software applications.
CLIs are tricky for you when it comes to security, because they weren’t designed to ask for anything more than a username and password before granting access. Yes, some security policies are built into IoT devices here and there, but mostly they’re utilitarian and ineffective. The original – and still primary – function of a CLI, after all, is to just serve as an interface to a client OS.
Into the Target Breach
As a result, there have been different approaches deployed over the years to secure CLIs, with mixed success, if any at all.
Some organizations choose to put a firewall in front of the CLIs. Others require users to log in through a VPN before granting access to applications. Then there are those who assign a random unused port number in the slim hope that hackers scanning their attack surface won’t uncover their SSH vulnerabilities.
Guess what? Hackers still find those ports, and they have done so for years. In fact, one of the most notorious attacks involving CLIs dates to the Target data breach of 2013. In that breach, hackers used a brute force attack to gain access through a CLI to Target’s HVAC system.
Once they secured that access, the hackers were able to pivot within the network to the point-of-sale system, where credit cards are processed. From there, they installed malware that netted full customer names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data. In addition to gathering insights on 41 million customer payment card accounts, the hackers also seized contact information on more than 60 million Target customers.
The cost to Target of that breach? The retailer settled investigations with 47 states and the District of Columbia to the tune of $18.5 million.
Securing SSH Services with TAC
The Target and GE Healthcare scenarios don’t have to happen to your organization with TAC’s latest innovation for SSH security. TAC’s solution enables you to publish an SSH application, just as you would for HTTP, HTTPS, or other protocols such as RDP and Citrix.
While hackers are trying to find SSH services by port scanning, TAC makes those ports invisible to the outside world. Your end users will get access to those SSH services ONLY when they have been fully vetted and meet your specific security requirements.
Strong authentication technologies not usually available for SSH services – such as 2-factor and multi-factor authentication, device validation, and GeoIP intelligence – are also deployed by TAC to enforce your customized security policies based on a user’s complete context of access. It also removes your need for a terminal client application like PuTTY, since all your SSH connections will be provided by TAC to your users exclusively via any modern browser.
In addition, TAC’s Single Sign-On (SSO) connects your users directly to an SSH session by seamlessly enabling credentials mapping with attributes tied to a CLI. Your users gain session access while commands sent to the CLI by way of your SSH service are fully monitored. This enables you for the first time to do something really cool – block malicious SSH commands based on your user’s context of access.
For instance, if one of your users is on an untrusted device as defined by your own security policies, TAC can block that person from deleting, moving or downloading your files, or changing file names. You control what commands can be executed based on the context of access, negating the opportunity for catastrophic attacks that can be generated through compromised credentials or vulnerable SSH services.
As Digital Transformation initiatives and the Internet of Things continue to grow exponentially, your business will continue to be able to generate actionable insights in real time, improve productivity, expand remote access, and ultimately improve your bottom line.
And with TAC’s innovative approach to protecting SSH network services, you’ll be able to do it more securely than ever.
To read the press release on how TAC is bolstering security for SSH Network services, click on this hyperlink or copy and paste it into your web browser: