SSH Risk Assessment - Understand Your SSH Keys
SSH Risk Assessment is a security assessment service that delivers a detailed analysis of how SSH (Secure Shell) is deployed and used in your network and provides an estimate of your SSH key management problem. It is a health check for your SSH environment.
In a recent Forrester survey, over 65% of enterprises reported that SSH is critical or important to their business. It is used by systems administrators and for automated processes such as database updates, disaster recovery, software management, and cloud provisioning. However, lax management controls over SSH expose organizations to data breach risk and compliance violations.
CISOs and security staff have an obligation to identify and resolve significant risk and compliance exposures before they fail an important audit or, much worse, before they get hacked. Unfortunately, most organizations lack the tools, time, and expertise needed to do a thorough assessment.
Risks of unmanaged SSH keys include:
- Loss of business continuity
- Reputation loss
- Criminal and civil liability from non-compliance
- No control of who can access what data or systems
- Hackers and malware utilizing SSH to spread
- Backdoors from public Internet into intranet
SSH Risk Assessment is an assessment service that addresses the need for better information about how SSH and SSH key-based authentication are used within your organization. It leverages our in-depth technology expertise, our custom-developed scanning and reporting software, and our wide-ranging experience with thousands of customers to provide a service that is fast, efficient, and effective. You get actionable information that is packaged for the C-Suite and backed up by the details and data your technical staff need to plan any required remediations.
- Fast - Completed in 5 days and requires only a few hours of your staff time.
- Non-invasive - Our tools do not require software agents to be installed and do not make any changes on your hosts. No private keys are collected or moved.
- Comprehensive - You get an analysis of the most significant risks including compelling visualizations of trust relationships.
- Compliance - Tailored to the compliance mandates of your business - such as Sarbanes-Oxley, PCI DSS, NIST Cybersecurity Framework, HIPAA, NIST 800-53, BASEL III, or others.
- Prioritized - We tell you what to focus on first and why.
- Safe - No information or data leaves your control.
After the assessment, you may choose to use the Universal SSH Key Management or look at competing solutions for addressing SSH key management. You may also want to look at how to prevent SSH tunneling from providing access from the outside to the internal network, how to monitor and audit external SSH connections, and how to record sessions for analytics and forensics.
Details: What You Get
| Area | Deliverable |
|---|---|
| Key management | Review and analysis of policies and procedures for lifecycle management of public/private key pairs |
| Separation of duties | Scan and discovery of any SSH authorizations that cross dev and prod environments |
| Authorizations to root | Discovery of all keys authorized for root access |
| Transitive trust analysis | Analysis of which keys provide the broadest access into the network |
| Key size report | Report and statistics on key sizes. Weak keys highlighted. |
| Key age report | Analysis and statistics on key age. Keys older than 2 years and older than 5 years highlighted. |
| Key protection analysis | Report on private keys stored in clear text and/or transmitted in clear text |
| Least privilege analysis | Review of service and root account access authorizations |
| Privilege escalation | Review of whether current SSH configurations and controls prevent unintended escalations of access |
| SSH software management | Report on SSH versions in use. Identifies any insecure versions that should be upgraded. |
| Compliance | Report on potential audit findings for selected compliance mandates (PCI DSS, Federal Cybersecurity Framework, NIST 800-53, MAS, BASEL II & III, and others) |
| Summary and recommendations | Highlights the most significant risks and compliance issues, with recommendations and alternatives for remediation |
| Onsite consultation | Our consultant will meet with you to review the findings and recommendations |
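The key size report in the table above rests on one concrete check: reading each authorized key's type and bit size out of its wire-format public key blob. The following is an added example of that check (not the service's own scanning software): it parses authorized_keys entries and flags DSA keys and RSA keys below a threshold. The 2048-bit default threshold and the sample entries, including their synthetic moduli, are constructed assumptions, not data from the page.

```python
import base64
import struct

def _ssh_string(b):  # SSH wire-format string: uint32 big-endian length + data
    return struct.pack(">I", len(b)) + b

def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_type_and_bits(b64_blob):
    """Parse a base64 SSH public key blob and return (key type, bit size)."""
    blob = base64.b64decode(b64_blob)
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype in ("ssh-rsa", "ssh-dss"):
        # ssh-rsa: mpint e, n (size is n); ssh-dss: mpint p, q, g, y (size is p)
        first, off = _read_string(blob, off)
        if ktype == "ssh-rsa":
            first, off = _read_string(blob, off)
        return ktype, int.from_bytes(first, "big").bit_length()
    if ktype == "ssh-ed25519":
        return ktype, 256
    if ktype.startswith("ecdsa-sha2-nistp"):
        return ktype, int(ktype[len("ecdsa-sha2-nistp"):])
    return ktype, 0

def weak_keys(authorized_keys_text, min_rsa_bits=2048):
    """Return [(line_no, type, bits, comment)] for DSA keys and RSA keys below min_rsa_bits."""
    flagged = []
    for no, line in enumerate(authorized_keys_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An options field (from=, command=, ...) may precede the key type; quoted spaces not handled.
        i = 0 if fields[0].startswith(("ssh-", "ecdsa-")) else 1
        ktype, bits = key_type_and_bits(fields[i + 1])
        if ktype == "ssh-dss" or (ktype == "ssh-rsa" and bits < min_rsa_bits):
            flagged.append((no, ktype, bits, " ".join(fields[i + 2:])))
    return flagged

# Constructed sample input: moduli are synthetic integers of a chosen bit length, not real keys.
def _rsa_blob(modulus_bits):
    mp = lambda v: _ssh_string(v.to_bytes((v.bit_length() + 8) // 8, "big"))  # mpint encoding
    return base64.b64encode(_ssh_string(b"ssh-rsa") + mp(65537) + mp((1 << (modulus_bits - 1)) | 1)).decode()
ED25519_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()
SAMPLE = ("# constructed authorized_keys sample\n"
          f"ssh-rsa {_rsa_blob(1024)} legacy@backup-host\n"
          f'from="10.0.0.0/8" ssh-rsa {_rsa_blob(3072)} deploy@ci\n'
          f"ssh-ed25519 {ED25519_BLOB} ops@bastion")
```

Running `weak_keys(SAMPLE)` flags only the 1024-bit RSA entry; the same parser, pointed at a root account's authorized_keys file, also gives the raw material for the "Authorizations to root" line of the table.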
Supported platforms for scanning
- HP-UX 11v1, 11v2, 11v3
- IBM AIX 5.3, 6.1, 7.1
- Oracle Solaris 8, 9, 10, 11
- Oracle Enterprise Linux 5.4, 5.5, 5.6, 5.7
- Red Hat Enterprise Linux 4, 5, 6, 7
- SUSE Linux Enterprise Server 9, 10, 11, 12
Supported SSH versions for scanning
- Tectia SSH 6.0 or newer
- OpenSSH 4.0 or newer
All scanned systems must have Perl 5.6 or newer installed.
Scope: up to 500 servers. Larger environments can be custom quoted.