SSH Communications Security Provides Free Risk Assessor Tool

You have to like SSH Communications Security for its sense of time and place. At the 16th annual Black Hat USA hackers' conclave in Las Vegas, the epicenter of personal risk-taking, the company unveiled SSH Risk Assessor (SRA).

This is a free tool that provides users with a clear report on risk and compliance exposures in a Secure Shell environment. In fact, the company did not just unveil it, it made it available for immediate download on SSH's website. 

Inventors of the popular Secure Shell and SFTP protocols for securing data at rest and on the move, SSH Communications Security is keenly aware of the challenges IT departments are facing today. The complexity of managing risks is increasing exponentially. 


The reality is that, with BYOD and the cloud giving more access to people, devices, applications, third-party content, etc., the vectors of vulnerability are exploding. Hence, the risk of critical corporate information being compromised has exploded as well. This has made it a priority for IT to have tools that give better visibility into what is and should be secured and managed, along with the ability to better understand and manage risk.

The SRA provides priceless visibility and actionable insights for free    

The SSH Risk Assessor provides IT with an unprecedented view of where encryption keys are, along with, as the name states, the ability to assess compliance and the actions needed to improve it to meet various government mandates and corporate governance policies and rules.

The problem SRA is addressing is non-trivial. SSH has found that there is widespread mismanagement of Secure Shell keys. This includes the lack of centralized creation, rotation and removal. This mismanagement has left organizations vulnerable to attack and in violation of current and emerging compliance mandates including SOX, PCI, NIST and FISMA.

The SRA tool gives security auditors and administrators valuable decision support with respect to identity and access governance in SSH environments. The tool report highlights known vulnerabilities in the environment, basic statistics on SSH keys deployed and specific violations of best current practices.

Key points about the SRA include:

  • Secure Shell Risk Assessment: Industry-first key location and risk-assessment technology available for free
  • Secure Shell Key Discovery: Provides broad problem-scope capabilities to provide an understanding of the current state of the Secure Shell environment
  • Access Compliance: Identifies organization-specific compliance status with relevant standards
  • Identity and Access Governance: Assesses actions needed to achieve compliance

I had an opportunity to discuss the tool with Jason Thompson, director of global marketing for SSH Communications Security. As he noted, there has been a problem with security intelligence around encryption: “It has been a problem that has been hidden with no unified best practices in place. If people don’t know they have a risk this does not come up, but more and more customers are failing audits and that is when they discover they have a problem. SRA is designed to give them visibility and awareness and actionable insights in a world where not knowing can have enormous consequences.” 

Thompson added, “What makes SRA unique is that it enables security professionals, auditors and compliance officers to quickly assess risks in their Secure Shell environments using their existing architecture. Deployment is lightweight, meaning current state data can be collected using existing user accounts and there is no need to install cumbersome agents. We have made this tool available at no cost to the network security community, and have designed it to complement other risk assessment and penetration testing solutions focused on identifying holes in an organization's security fabric."

It should be noted that SSH’s customers include many of the largest banks in the world. In surveying its customers, SSH found many had no idea their network environments were home to over 100,000 lost Secure Shell keys, which happen to provide root access to their most sensitive data. Worse, these customers had no way to discover how many lost keys they had, no way to find where they were and thus no way to know how much risk they were taking on. 

The SRA gives them visibility into finding all of those keys and a sound analytical foundation for assessing the level of risk in their Secure Shell environments. In short, it helps start remediation of those hidden problems. It means IT can be more responsive and proactive so that the possibility of audit failures greatly decreases.

Thompson put a bit of granularity on this, saying, "Our beta users have found the SRA to be very helpful in the Secure Shell key discovery process. Most found that their assumptions about their environment were significantly different from what the data ultimately showed. SRA provides actionable data that captures a snapshot of a portion of user's environment and determine if they need to remediate any security and compliance issues based on data driven decision making, not dangerous guess work.”

Thompson’s last point is salient: security and risk management in a world where the bad guys are becoming bolder and more sophisticated in their attacks, where the vectors of vulnerability are increasing, cannot and should not be left to guess work.  

There is an old saying that “the truth will set you free.” The nice thing about SRA is that it allows Secure Shell environments to get the truth for free, and this type of knowledge really is power. That is a message that should resonate well with organizations of all sizes along with auditors in the government and commercial space who, as Thompson says, “should make SRA a standard part of their security and compliance tool kit.”




Edited by Alisen Downey