SSH Blog

Showing Articles: 1630 of 30

Jun 13 2014

All Threats are Insider Threats

Back in the day when the enterprise security model was a hardened perimeter protecting the internal "trusted" network, security vendors seized on the notion that businesses need protection from their employees - the insider threat.

Studies were commissioned to show how much malicious insiders were costing businesses. More recent studies indicate the majority of data breaches are carried out by…

Keep Reading

May 28 2014

Identity & Access Management: Don’t get Death Starred!

Many things seem impenetrable until a “small vulnerability” is exploited. The phrase “small vulnerability” almost sounds like an oxymoron when you think about it.  Take the fable of one Luke Skywalker and the Death Star.  In the story Luke exploited a small two-meter-wide thermal exhaust port in the Death Star’s design to destroy the ultimate weapon and break the back of the Galactic Empire in their moment of triumph. To make matters worse the Empire was warned about this “small vulnerability”, but the Galactic bureaucrats reasoned that the risk was small and the whistleblowers were overestimating rebels’ chances…

Keep Reading

May 19 2014

Just A Heartbleed Away: The Dirty Little Secret in IT Security is Creating A Major Risk

One of the major lessons learned from the Heartbleed Bug is just how vulnerable critical IT components, like encryption, are. The potential impact of these vulnerabilities can be severe and far-reaching. To make matters worse, a lack of management controls and visibility, especially in ubiquitously deployed software, enables cyber criminals…

Keep Reading

May 14 2014

Eliminating FTP Enterprise Wide: The Panacea is Closer than You Think

FTP is one of the most significant security risks in many enterprise environments. Despite long standing open audit findings and internal mandates, a surprising number of organizations still pass customer data, credit card information, intellectual property and other sensitive information in the clear. Failing to prioritize the elimination of FTP can be traced to the misconceptions…

Keep Reading

May 8 2014

Invisible at Infosecurity Europe 2014? Definitely Not

The major tube strike that was conducted in London during the first two days of Infosecurity Europe 2014 didn’t seem to have had an impact on the visitors count. Held from April 30 to May 1 at Earl’s Court, Infosecurity Europe is the biggest IT Security related exhibition in Europe, and supposedly brought close to 15,000 visitors there this year. And of course, we participated with a stand and speaking sessions, not to miss out on the opportunity to meet up with customers and…

Keep Reading

Apr 30 2014

Free Can Make You Bleed

By now anyone concernedwith internet security has heard about the Heartbleed security vulnerability in OpenSSL.  What you may not be aware of is how much money and personal information is riding on this “free” security program and others like it (OpenSSH).  Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under resourced…

Keep Reading

Apr 27 2014

Privileged Users – Not Malicious But Still a Threat

One of challenges security architects face is finding the right balance between security and end user convenience. This conflict is typified by the example of password policies. A too stringent policy drives users to write down their passwords on sticky notes (thus defeating the security objective) and a too weak policy leaves passwords exposed to cracking…

Keep Reading

Apr 10 2014

SSH Communications Security Comments on Heartbleed Vulnerability

Key Facts: 

  • SSH Communications Security’s products are not affected by the Heartbleed flaw. Customers are advised to patch any server where the vulnerable OpenSSL software is installed.
  • Due to the pervasive nature of the Heartbleed vulnerability, the length of time the flaw has been in place and the broad access that an attacker could potentially obtain, SSH Communications Security is recommending that all Secure Shell keys used to establish trust relationship with affected systems should be changed immediately after the Heartbleed patch has been installed, and should be a part of your organization’s standard remediation…

Keep Reading

Apr 4 2014

Five Reasons Why You Should Monitor & Control [All of] Your Secure Shell Traffic

How many times have we heard “the perimeter isn’t secure”? In fact, with BYOD, cloud and the extended enterprise, it’s hard to define what the perimeter is anymore.  The concept of a porous perimeter that can’t be trusted is the foundation of the Zero Trust model of security and many organizations are adopting this approach. Here are five reasons why monitoring and controlling Secure Shell should be included in your organization's Zero Trust…

Keep Reading

Mar 18 2014

People Centered Security: Themes from The Gartner IAM Summit

Growing up, we get a lot of conflicting advice. We are told  “look before you leap” but also “nothing ventured nothing gained”. The book of clichés is littered with other examples. The world of Identity and Access Management is similarly conflicted. On the one hand, IAM  should be transparent to the user and simple to administer. On the other hand, IAM must enforce the principle of least privilege. These goals are mutually exclusive. Why? It is just too complex to define specifically the fine grained access each user needs in order to perform their job and manage that access over time in a dynamic work environment. The result is too many job roles, too many exceptions and ultimately weaker, not stronger…

Keep Reading

Mar 17 2014

Key Based Trust from a Process-Driven Goalkeeper's Perspective

Like for any goalkeeper, the worse thing - other than a torn ACL - is getting scored on. During my playing days, I was obsessed with the concept of how to organize my defense in a way to minimize goals against as well as minimize opportunities of my opponents. My teammates used to joke and wonder how I played at the level I did. I was not particularly fast or strong, did not have particularly great hands and was not super athletic in any way. But I was quite good at programming my defense and midfield to run a repeatable process to make it very difficult for opponents to penetrate. Unlike soccer, where you are most likely going to get scored on at some point, businesses must keep a zero goals against average for their entire…

Keep Reading

Mar 4 2014

RSA Conference 2014 Wrap Up

This year’s RSA Conference 2014 was filled with energy and great insights as well as controversy. Here are a few of the trends and topics that I saw at this year’s show.

Energy: Encryption and access controls are up there at the top of the list
There was a huge uptick in the overall energy at the show. Our booth was inundated with people asking questions and wanting to learn more about our…

Keep Reading

Feb 11 2014

APT The Mask (aka Careto) Targets Secure Shell Keys

Kaspersky Labs recently revealed the details of a sophisticated APT named “The Mask” or by its Spanish name “Careto”. The Mask is known to have infected at least 380 unique victims in over 31 countries. In operation since 2007, the primary targets of this APT are government institutions, diplomatic offices, energy companies, research institutions, private equity firms and political activist organizations. The sophistication and targets of the APT suggest it is the work of nation-state actors as opposed to criminal…

Keep Reading

Feb 10 2014

Think Back-end Security from an Enterprise Perspective

As I travel and talk to our existing and expanding customer base I am noticing something that I did not see before. In my meetings and with technical staff and management I am noticing an exciting trend of more and more distributed network and server staff becoming interested in System z. The replace the mainframe crowd seems to realize that these “dinosaurs” cannot be replaced anytime soon and are starting to try to understand, integrate and embrace what was a dying technology. This presents a challenge to us System Z folk in how we open up our once vaulted…

Keep Reading

Feb 9 2014

Warfare on the Virtual Battlefield

At last year’s Gartner Risk Management Conference in the DC metro area, I attended a seminar where some of Gartner’s analysts were looking out on the horizon – 2020 to be exact – to give their perspective on where CyberSecuity was heading.  Gartner basically identified two uncertain forces that they think will impact their potential…

Keep Reading