New SSH Risk Assessment Tool Enables Auditors and Security Teams to Collect and Report on SSH-Related Access Compliance Issues
At the InfoSecurity Europe Conference taking place this week in London, SSH Communications Security, inventor of the Secure Shell and SFTP protocols, announced a free tool designed to help security teams understand risk and compliance exposures in SSH environments.
Dubbed “SSH Risk Assessor (SRA)”, the tool enables internal and external audit and security teams to collect SSH key information across the environment and provides an assessment of risk exposure.
Additionally, SRA highlights known vulnerabilities in an environment, and provides basic statistics on SSH keys deployed and specific violations of best current practices, the company said.
Key features offered by SSH Risk Assessor include:
• Access Compliance: Identifies organization-specific compliance status with relevant standards
• Identity and Access Governance: Assesses actions needed to achieve compliance
• SSH Key Discovery: Provides broad problem-scope capabilities to provide an understanding of the current state of the Secure Shell environment
“The unmanaged proliferation of SSH user keys has emerged a major cyber security risk for enterprises and government agencies of all types and sizes. Lack of proper key management – including centralized creation, rotation and removal – leaves organizations vulnerable to attack and in violation of current and emerging compliance mandates including SOX, PCI, NIST & FISMA,” the company explained.
Cyber-criminals understand how poorly organizations manage their trust infrastructure, which is why they target digital certificates and SSH keys, Jeff Hudson, CEO of Venafi told SecurityWeek in a recent interview. “They understand how fragile our ability to control trust has become and, as a result, they continue to target failed key and certificate management,” Hudson added.
“Trust-based” attacks, such as the ones against certificate authorities, stolen encryption keys, and digital certificates, can cost an organization up to $398 million per incident, according to the 2013 Annual Cost of Failed Trust Report by Ponemon Institute.
Nearly 18 percent said they expected attackers to target weak keys, the report found. Having weak cryptographic keys could cost an organization $125 million in a single attack.
“Companies are being flagged for compliance violations under general guidelines relating to SSH access control,” said Tatu Ylönen, CEO and founder of SSH Communications Security. “SRA provides an easy way for enterprises and government agencies to determine if there are risk and compliance issues with respect to who has access to what information in their SSH environment. With compliance authorities preparing to create specific requirements regarding access controls in SSH environments, SRA is a critical tool that will help auditors and security teams scope the size of the issue and create awareness with IT executives.”
SRA will be available in May 2013, the company said.
Featured Resource: Aberdeen Research – Encryption, Without Tears
Featured Resource: Is Your Enterprise Managing Certificates? Three Reasons It Should Be.