Most companies are well aware of the need to protect the user names and passwords of their employees and outside users, such as customers using mobile and online banking.
But few have paid attention to another set of credentials vulnerable to hackers: those that computers use to gain access to each other's files and databases. A cybercriminal who breaks the code encrypting these behind-the-scenes logins could hack into one company computer and from there gain access to all other machines on that network and wreak havoc, according to Tatu Ylonen, the inventor of the Secure Shell (SSH) data-in-transit security protocol and founder and CEO of SSH Communications Security. His company's Information Assurance Platform, released Monday, addresses this issue.
"The big threat is that you have a virus or cyber weapon that uses this," Ylonen says. "Once you get in, you could use this to spread to other machines. This could wipe out an infrastructure. I call it a ticking time bomb. It's an existential risk."
SSH is a cryptographic network protocol that secures the login credentials that servers use to authenticate themselves to other servers. It's most commonly used on Linux and Unix operating systems; it's also found in Cisco routers. Large banks have thousands of servers using SSH throughout their networks, Ylonen says. One bank has 200 administrators who spend 10% of their time setting up key-based trusted relationships; the bank has at least 400,000 such relationships in its environment.
"Banks don't know how many of these trusted relationships [between computers] are still in use," Ylonen says. "They don't know who can access what in their environment." This puts them out of compliance with Sarbanes-Oxley rules that require companies to know who has access to financial information. "Every bank is out of compliance with SOX," Ylonen asserts.
The answer to this problem, Ylonen says, is his company's new software, which discovers the authentication keys and automates the management of those keys, including periodically changing them, just as user passwords typically need to be changed every three months. Most such keys have never been changed.
This whole problem is "not visible to the end users, it's not visible to the public, and it's often not known by CIOs," Ylonen says. "But it is known by CISOs."