Safeguarding Your SSH Configurations with ssh-audit

In the vast ocean of network security, SSH (Secure Shell) stands as a towering lighthouse guarding the data traffic to and from your servers. However, how do you ensure that this lighthouse is in optimal condition? Enter ssh-audit, a tool for auditing your SSH server and client configurations.

Ssh-audit supports SSH1 and SSH2 protocol servers, diving deep into the SSH configurations to grab banners, recognize the software and operating systems involved, and even detect compression settings. It gathers information on key exchanges, host keys, encryption, and message authentication code algorithms, providing a comprehensive report on their status.

Getting started with ssh-audit is a breeze. Clone the repository from GitHub, and with a few commands in your terminal, you’re on your way to auditing your SSH configurations. The tool fetches algorithm information, outputting details such as availability, removal or disabling status, and security strength (unsafe, weak, legacy, etc). Moreover, it provides algorithm recommendations based on the recognized software version, aligning your settings with industry standards.

The icing on the cake? Ssh-audit outputs security information, including related issues and assigned CVE (Common Vulnerabilities and Exposures) list, offering you a clear picture of the security posture of your SSH setups.

With ssh-audit, not only do you get to audit your SSH configurations, but you also receive actionable insights to harden your SSH setups against potential threats. So, the next time you’re looking to bolster your network security, try ssh-audit and sail smoothly in the turbulent waters of cyber threats.

Note that MSI has no relationship with the tool or the authors. We just found the tool useful for infosec teams.

 * Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

Video: Auditing Authentication Mechanisms

Here’s a quick video walkthrough of the presentation around auditing authentication mechanisms. 

We are getting some great feedback on this one, and people are rising to the challenge of doing audits for their organizations. Many folks are finding some quite unexpected results! 

Let me know on Twitter (@lbhuston) what you discover! 

 

As always, thanks for reading and watching! 

How Does an IT Audit Differ from a Security Assessment?

One of the most common questions that I get asked is about the differences between an IT Audit and a Security Assessment. Hopefully, this quick overview helps to remove some of the confusion around these terms, which should not be used interchangeably.

What Is A Security Assessment?

A Security Assessment is a focused, proactive evaluation of an organization’s cybersecurity landscape that identifies potential risks and opportunities for improvement. The objective of conducting a Security Assessment is to provide an overview of an organization’s current state in terms of its cybersecurity posture. To do this, the currently implemented controls and systems are tested for resilience against common vulnerabilities and forms of attack.

Security assessments may, or may not, include penetration tests. However, they should always check for potential vulnerabilities. These reviews are best conducted by an independent third party.

What Is an IT Audit?

An IT Audit is a comprehensive review of your organization’s information technology (IT) infrastructure. It provides a detailed analysis of how well you are managing your IT resources, including hardware, software, networks, applications, policies, procedures, and controls.

It compares your current state of operations against a prescribed set of standards, controls, or requirements. These types of reviews are often conducted by an internal audit or an internal team, though many smaller firms use external consultants to complete them, as well.

What’s the Difference?

The difference between an IT Audit and a Security Assessment is one of scope. An IT Audit will typically focus on a single area or set of areas while a Security Assessment may cover multiple areas. For example, an IT Audit may include an examination of the organization’s capabilities to comply with a specific standard, for example, HIPAA, while a security assessment would test the cyber-security controls’ around your HIPAA data for effectiveness against common forms of attack.

In the end, an IT Audit is useful for getting a high-level overview of the gap between a required set of controls or standards, while a Security Assessment provides specific insights into how well the controls you have in place are protecting you and your assets.

What to Do with the Data

Once you have the insights provided by these engagements, you can easily use the data to update your security policies, implement additional internal controls to create an acceptable level of risks, revise your standard operating procedures or increase your network security and application-level protection.

Often, how the results of these engagements are used can be a major difference between the maturity level of your cybersecurity program. These processes should be used on at least a yearly basis for small firms, and on an ongoing basis for larger, more mature firms. Doing so will greatly improve your organizational security posture over time.

For more information on these types of engagements, or to discuss either an IT Audit or a Security Assessment, please get in touch with MicroSolved (info@microsolved.com or 614-351-1237). We would love to put our nearly 30 years of experience to work for you!

 

 

Touchdown Task for August – Change Management Audit

This month, we urge all infosec teams to engage in a quick 30 minute audit of your change management processes.

Here are some quick win questions to ask of the change management team:

  • How often does the change management team meet & what is the time frame for turning around a change order?
  • What percentage of actual changes to the environment went through the change process in the last 12 months?
  • Where can we locate the documents that specifically describe the change management process and when were they last revised?
  • Please describe how exceptions to the change management process are handled.
  • How are changes to the environment audited against what was provided to the change management team?
  • What happens if a change is identified that did NOT go through the change management process?

There are plenty of online guidance sources for additional questions and audit processes, but these quick wins will get you started. As always, thanks for reading and keep working on your monthly touchdown tasks. Be sure to touch base with us on Twitter (@microsolved) should you have any questions about the work plans.

August Touchdown Task: Change Management Audit

This month’s touchdown task is to take a quick audit of your organization’s change management process. Give it a quick walkthrough.

  • Make sure that you are tracking when admins make changes to machine configurations or network device configs
  • Are proper peer review and approval processes being followed?
  • Check to make sure that the proper folks are in the loop for various kinds of communication, error handling and reporting
  • Review risk acceptance for changes and make sure it meets your expected processes
  • Examine a couple of changes and walk them through the entire process to see if things are falling through the cracks
  • Update any change management documentation to reflect new processes or technologies that may be in place now

Give this a quick review this month and you can rest assured for a while that change management is working strongly. With the coming fall and holiday rush ahead, you’ll know you have this base covered and can depend on it as a good foundation for the rest of your security initiatives. 

Until next time, as always, thanks for reading and stay safe out there! 

Terminal Services Attack Reductions Redux

Last week, we published a post about the high frequency of probes, scans and attacks against exposed Windows Terminal Services from the Internet. Many folks commented on Twitter to me about some of the things that can be done to minimize the risk of these exposures. As we indicated in the previous post, the best suggestions are to eliminate them altogether by placing Terminal Services exposures behind VPN connections or through the implementation of tokens/multi-factor authentication. 

Another idea is to implement specific firewall rules that block access to all but a specific set of IP addresses (such as the home IP address range of your admins or that of a specific jump host, etc.) This can go a long way to minimizing the frequency of interaction with the attack surfaces by random attacker tools, probes and scans. It also raises the bar slightly for more focused attackers by forcing them to target specific systems (where you can deploy increased monitoring).

In addition, a new tool for auditing the configuration of Terminal Services implementations came to our attention. This tool, called “rdp-sec-check”, was written by Portcullis Security and is available to the public. Our testing of the tool showed it to be quite useful in determining the configuration of exposed Terminal Services and in creating a path for hardening them wherever deployed. (Keep in mind, it is likely useful to harden the Terminal Services implementations internally to critical systems as well…)

Note that we particularly loved that the tool could be used REMOTELY. This makes it useful to audit multiple customer implementations, as well as to check RDP exposures during penetration testing engagements. 

Thanks to Portcullis for making this tool available. Hopefully between this tool to harden your deployments and our advice to minimize the exposures, we can all drive down some of the compromises and breaches that result from poor RDP implementations.

If you would like to create some threat metrics for what port 3389 Terminal Services exposures might look like for your organization, get in touch and we can discuss either metrics from the HITME or how to use HoneyPoint to gather such metrics for yourself

PS – Special thanks to @SecRunner for pointing out that many cloud hosting providers make Terminal Server available with default configurations when provisioning cloud systems in an ad-hoc manner. This is likely a HUGE cause for concern and may be what is keeping scans and probes for 3389/TCP so active, particularly amongst cloud-hosted HITME end points.

PSS – We also thought you might enjoy seeing a sample of the videos that show entry level attackers exactly how to crack weak passwords via Terminal Services using tools easily available on the Internet. These kinds of videos are common for low hanging fruit attack vectors. This video was randomly pulled from the Twitter stream with a search. We did not make it and are not responsible for its content. It may not be safe for work (NSFW), depending on your organization’s policies.