Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

SSH Unveils Free Tool to Identify Risks in Secure Shell Environments

New SSH Risk Assessment Tool Enables Auditors and Security Teams to Collect and Report on SSH-Related Access Compliance Issues

New SSH Risk Assessment Tool Enables Auditors and Security Teams to Collect and Report on SSH-Related Access Compliance Issues

At the InfoSecurity Europe Conference taking place this week in London, SSH Communications Security, inventor of the Secure Shell and SFTP protocols, announced a free tool designed to help security teams understand risk and compliance exposures in SSH environments.

Dubbed “SSH Risk Assessor (SRA)”, the tool enables internal and external audit and security teams to collect SSH key information across the environment and provides an assessment of risk exposure.

Additionally, SRA highlights known vulnerabilities in an environment, and provides basic statistics on SSH keys deployed and specific violations of best current practices, the company said.

Managing SSH Risk

Key features offered by SSH Risk Assessor include:

Access Compliance: Identifies organization-specific compliance status with relevant standards

• Identity and Access Governance: Assesses actions needed to achieve compliance

SSH Key Discovery: Provides broad problem-scope capabilities to provide an understanding of the current state of the Secure Shell environment

Advertisement. Scroll to continue reading.

“The unmanaged proliferation of SSH user keys has emerged a major cyber security risk for enterprises and government agencies of all types and sizes. Lack of proper key management – including centralized creation, rotation and removal – leaves organizations vulnerable to attack and in violation of current and emerging compliance mandates including SOX, PCI, NIST & FISMA,” the company explained.

Cyber-criminals understand how poorly organizations manage their trust infrastructure, which is why they target digital certificates and SSH keys, Jeff Hudson, CEO of Venafi told SecurityWeek in a recent interview. “They understand how fragile our ability to control trust has become and, as a result, they continue to target failed key and certificate management,” Hudson added.

“Trust-based” attacks, such as the ones against certificate authorities, stolen encryption keys, and digital certificates, can cost an organization up to $398 million per incident, according to the 2013 Annual Cost of Failed Trust Report by Ponemon Institute.

Nearly 18 percent said they expected attackers to target weak keys, the report found. Having weak cryptographic keys could cost an organization $125 million in a single attack.

“Companies are being flagged for compliance violations under general guidelines relating to SSH access control,” said Tatu Ylönen, CEO and founder of SSH Communications Security. “SRA provides an easy way for enterprises and government agencies to determine if there are risk and compliance issues with respect to who has access to what information in their SSH environment. With compliance authorities preparing to create specific requirements regarding access controls in SSH environments, SRA is a critical tool that will help auditors and security teams scope the size of the issue and create awareness with IT executives.”

SRA will be available in May 2013, the company said.

Featured Resource: Aberdeen Research – Encryption, Without Tears

Featured ResourceIs Your Enterprise Managing Certificates? Three Reasons It Should Be.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.