SSH Risk Assessment - Understand Your SSH Keys

SSH Risk Assessment is a security assessment service that delivers a detailed analysis of how SSH (Secure Shell) is deployed and used in your network and provides an estimate of your SSH key management problem. It is a health check for your SSH environment.

The Problem

In a recent Forrester survey, over 65% of enterprises reported that SSH is critical or important to their business. It is used by systems administrators and for automated processes such as database updates, disaster recovery, software management, and cloud provisioning. However, lax management controls over SSH expose organizations to data breach risk and compliance violations.

CISOs and security staff have an obligation to identify and resolve significant risk and compliance exposures before they fail an important audit or, much worse, before they get hacked. Unfortunately, most organizations lack the tools, time, and expertise needed to do a thorough assessment.

Risks of unmanaged SSH keys include:

The Solution

SSH Risk Assessment is an assessment service that addresses the need for more information about the use of SSH and SSH key-related authentication within your organization. It leverages our in-depth technology expertise, our custom-developed scanning and reporting software, and our wide-ranging experience with thousands of customers to provide a service that is fast, efficient, and effective. You get actionable information that is packaged for the C-Suite and backed up by the details and data your technical staff needs to plan for any needed remediations.

  • Fast - Completed in 5 days and requires only a few hours of your staff time.
  • Non-invasive - Our tools do not require software agents to be installed and do not make any changes on your hosts. No private keys are collected or moved.
  • Comprehensive - You get an analysis of the most significant risks including compelling visualizations of trust relationships.
  • Compliance - Tailored to the compliance mandates of your business - such as Sarbanes-Oxley, PCI DSS, NIST Cybersecurity Framework, HIPAA, NIST 800-53, BASEL III, or others.
  • Prioritized - We tell you what to focus on first and why.
  • Safe - No information or data leaves your control.

After the assessment, you may choose to use Universal SSH Key Management or look at competing solutions for addressing SSH key management. You may also want to look at how to prevent SSH tunneling from providing access from the outside to the internal network, and how to monitor and audit external SSH connections and record sessions for analytics and forensics.

Details: What You Get

| Data item | Explanation |
|---|---|
| Key management | Review and analysis of policies and procedures for lifecycle management of public/private key pairs |
| Separation of duties | Scan and discovery of any SSH authorizations that cross dev and prod environments |
| Authorizations to root | Discovery of all keys authorized for root access |
| Transitive trust analysis | Analysis of which keys provide broadest access into the network |
| Key size report | Report and statistics on key sizes. Weak keys highlighted. |
| Key age report | Analysis and statistics on key age. Keys older than 2 years and older than 5 years highlighted. |
| Key protection analysis | Report on private keys stored in clear text and/or transmitted in clear text |
| Least privilege analysis | Review of service and root account access authorizations |
| Privilege escalation | Review of whether current SSH configurations and controls prevent unintended escalations of access |
| SSH software management | Report on SSH versions in use. Identifies any insecure versions that should be upgraded. |
| Compliance | Report on potential audit findings for selected compliance mandates (PCI DSS, Federal Cybersecurity Framework, NIST 800-53, MAS, BASEL II & III, and others) |
| Summary and recommendations | Highlight most risks and compliance issues, recommendations and alternatives for remediation |
| Onsite consultation | Our consultant will meet with you to review the findings and recommendations |

Technical Specifications

Supported platforms for scanning

  • HP-UX 11v1, 11v2, 11v3
  • IBM AIX 5.3, 6.1, 7.1
  • Oracle Solaris 8, 9, 10, 11
  • Oracle Enterprise Linux 5.4, 5.5, 5.6, 5.7
  • Red Hat Enterprise Linux 4, 5, 6, 7
  • SUSE Linux Enterprise Server 9, 10, 11, 12

Supported SSH versions for scanning

  • Tectia SSH 6.0 or newer
  • OpenSSH 4.0 or newer

All scanned systems must have Perl 5.6 or newer installed.

Scope up to 500 servers. More can be custom quoted.