SSH Communications Security Provides Free Risk Assessor Tool

By Peter Bernstein July 30, 2013

You have to like SSH Communications Security for its sense of time and place. At the 16th annual Black Hat USA hackers conclave in personal risk taking epicenter Las Vegas, they unveiled SSH Risk Assessor (SRA).

This is a free tool that provides users with a clear report on risk and compliance exposures in a Secure Shell environment. In fact, the company did not just unveil it, it made it available for immediate download on SSH's website. 

Inventors of the popular Secure Shell and SFTP protocols for securing data at rest and on the move, SSH Communications Security is keenly aware of the challenges IT departments are facing today. The complexity of managing risks is increasing exponentially. 

Image via Shutterstock

Realities are that due to BYOD and the cloud giving more access to people, devices, applications, third-party content, etc., the vectors of vulnerability are exploding. Hence, the level of risk to critical corporate information being compromised has exploded as well. This has made a priority for IT to have tools that can give them better visibility over what is and should be secured and managed, along with the ability to better understand and manage risk.

The SRA provides priceless visibility and actionable insights for free    

The SSH Risk Assessor provides IT with an unprecedented view of where encryption keys are along with as the name states the ability to assess compliance along with the actions needed to improve it to meet various government mandates and corporate governance policies and rules. 

The problem SRA is addressing is non-trivial. SSH has found that there is widespread mismanagement of Secure Shell keys. This includes the lack of centralized creation, rotation and removal. This mismanagement has left organizations vulnerable to attack and in violation of current and emerging compliance mandates including SOX, PCI, NIST and FISMA.

The SRA tool gives security auditors and administrators valuable decision support with respect to identity and access governance in SSH environments. The tool report highlights known vulnerabilities in the environment, basic statistics on SSH keys deployed and specific violations of best current practices.

Key points about the SRA include:

  • Secure Shell Risk Assessment: Industry-first key location and risk-assessment technology available for free
  • Secure Shell Key Discovery: Provides broad problem-scope capabilities to provide an understanding of the current state of the Secure Shell environment
  • Access Compliance: Identifies organization-specific compliance status with relevant standards
  • Identity and Access Governance: Assesses actions needed to achieve compliance

I had an opportunity to discuss the tool with Jason Thompson, director of global marketing for SSH Communications Security. As he noted, there has been a problem with security intelligence around encryption: “It has been a problem that has been hidden with no unified best practices in place. If people don’t know they have a risk this does not come up, but more and more customers are failing audits and that is when they discover they have a problem. SRA is designed to give them visibility and awareness and actionable insights in a world where not knowing can have enormous consequences.” 

Thompson added, “What makes SRA unique is that it enables security professionals, auditors and compliance officers to quickly assess risks in their Secure Shell environments using their existing architecture. Deployment is lightweight, meaning current state data can be collected using existing user accounts and there is no need to install cumbersome agents. We have made this tool available at no cost to the network security community, and have designed it to complement other risk assessment and penetration testing solutions focused on identifying holes in an organization's security fabric."

It should be noted that SSH’s customers include many of the largest banks in the world. In surveying its customers, SSH found many had no idea their network environments were home to over 100,000 lost Secure Shell keys, which happen to provide root access to their most sensitive data. Worse, these customers had no way to discover how many lost keys they had, no way to find where they were and thus no way to know how much risk they were taking on. 

The SRA gives them visibility into finding all of those keys and a sound analytical foundation for assessing the level of risk in their Secure Shell environments. In short, it helps start remediation of those hidden problems. It is means IT can be more responsive and proactive so that the possibility of audit failures greatly decreases.

Thompson put a bit of granularity on this, saying, "Our beta users have found the SRA to be very helpful in the Secure Shell key discovery process. Most found that their assumptions about their environment were significantly different from what the data ultimately showed. SRA provides actionable data that captures a snapshot of a portion of user's environment and determine if they need to remediate any security and compliance issues based on data driven decision making, not dangerous guess work.”

Thompson’s last point is salient: security and risk management in a world where the bad guys are becoming bolder and more sophisticated in their attacks, where the vectors of vulnerability are increasing, cannot and should not be left to guess work.  

There is an old saying that “the truth will set you free.” The nice thing about SRA is that it allows Secure Shell environments to get the truth for free, and this type of knowledge really is power. That is a message that should resonate well with organizations of all sizes along with auditors in the government and commercial space who, as Thompson says, “should make SRA a  standard part of their security and compliance tool kit."

Edited by Alisen Downey
Related Articles

WannaCry Ransomware Holds Files Hostage: Best Practices to Avoid Being a Victim

By: Special Guest    5/23/2017

More than 200,000 computers in more than 150 countries were crippled by a massive ransomware attack, dubbed WannaCry, and security experts warned that…

Read More

LeoSat Secures Japanese Investment for Enterprise Broadband Satellite Network

By: Doug Mohney    5/23/2017

Another broadband satellite cloud network moved closer to reality this month, with LeoSat securing an investment from SKY Perfect JSAT (SJC) Corporati…

Read More

Organizations Can Combat WannaCry & Jaff Ransomware With Well Instrumented DNS

By: Special Guest    5/22/2017

The Infoblox Intelligence Unit observed two global malware outbreaks on Friday, May 12. Although there is no indication that the two attacks were rela…

Read More

The WannaCry Attack Was Years in the Making

By: Kayla Matthews    5/19/2017

WannaCry doesn't operate like you'd expect. That is, it's not a seedy application or form of spam that self-installs on your computer because you clic…

Read More

Google Crosses Lines, Puts Google Assistant on iPhone

By: Steve Anderson    5/18/2017

Google threatens Siri's dominance on iPhone by offering Google Assistant on the device.

Read More