Security Experts:

Connect with us

Hi, what are you looking for?


Risk Management

SSH Unveils Free Tool to Identify Risks in Secure Shell Environments

New SSH Risk Assessment Tool Enables Auditors and Security Teams to Collect and Report on SSH-Related Access Compliance Issues

New SSH Risk Assessment Tool Enables Auditors and Security Teams to Collect and Report on SSH-Related Access Compliance Issues

At the InfoSecurity Europe Conference taking place this week in London, SSH Communications Security, inventor of the Secure Shell and SFTP protocols, announced a free tool designed to help security teams understand risk and compliance exposures in SSH environments.

Dubbed “SSH Risk Assessor (SRA)”, the tool enables internal and external audit and security teams to collect SSH key information across the environment and provides an assessment of risk exposure.

Additionally, SRA highlights known vulnerabilities in an environment, and provides basic statistics on SSH keys deployed and specific violations of best current practices, the company said.

Managing SSH Risk

Key features offered by SSH Risk Assessor include:

Access Compliance: Identifies organization-specific compliance status with relevant standards

• Identity and Access Governance: Assesses actions needed to achieve compliance

SSH Key Discovery: Provides broad problem-scope capabilities to provide an understanding of the current state of the Secure Shell environment

“The unmanaged proliferation of SSH user keys has emerged a major cyber security risk for enterprises and government agencies of all types and sizes. Lack of proper key management – including centralized creation, rotation and removal – leaves organizations vulnerable to attack and in violation of current and emerging compliance mandates including SOX, PCI, NIST & FISMA,” the company explained.

Cyber-criminals understand how poorly organizations manage their trust infrastructure, which is why they target digital certificates and SSH keys, Jeff Hudson, CEO of Venafi told SecurityWeek in a recent interview. “They understand how fragile our ability to control trust has become and, as a result, they continue to target failed key and certificate management,” Hudson added.

“Trust-based” attacks, such as the ones against certificate authorities, stolen encryption keys, and digital certificates, can cost an organization up to $398 million per incident, according to the 2013 Annual Cost of Failed Trust Report by Ponemon Institute.

Nearly 18 percent said they expected attackers to target weak keys, the report found. Having weak cryptographic keys could cost an organization $125 million in a single attack.

“Companies are being flagged for compliance violations under general guidelines relating to SSH access control,” said Tatu Ylönen, CEO and founder of SSH Communications Security. “SRA provides an easy way for enterprises and government agencies to determine if there are risk and compliance issues with respect to who has access to what information in their SSH environment. With compliance authorities preparing to create specific requirements regarding access controls in SSH environments, SRA is a critical tool that will help auditors and security teams scope the size of the issue and create awareness with IT executives.”

SRA will be available in May 2013, the company said.

Featured Resource: Aberdeen Research – Encryption, Without Tears

Featured ResourceIs Your Enterprise Managing Certificates? Three Reasons It Should Be.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.