SSH Software Addresses Unseen Security Threat to Servers

Print
Email
Reprints
Comment
Twitter
LinkedIn
Facebook
Google+
Partner Insights

Most companies are well aware of the need to protect the user names and passwords of their employees and outside users, such as customers using mobile and online banking.

But few have paid attention to another set of credentials vulnerable to hackers: those that computers use to gain access to each other's files and databases. A cybercriminal who breaks the code encrypting these behind-the-scenes logins could hack into one company computer and from there gain access to all other machines on that network and wreak havoc, according to Tatu Ylonen, the inventor of the Secure Shell (SSH) data-in-transit security protocol and founder and CEO of SSH Communications Security. His company's Information Assurance Platform, released Monday, addresses this issue.

"The big threat is that you have a virus or cyber weapon that uses this," Ylonen. "Once you get in, you could use this to spread to other machines. This could wipe out an infrastructure. I call it a ticking time bomb. It's an existential risk."

SSH is a cryptographic network protocol that secures the login credentials that servers use to authenticate themselves to other servers. It's most commonly used on Linux and Unix operating systems; it's also found in Cisco routers. Large banks have thousands of servers using SSH throughout their networks, Ylonen says. One bank has 200 administrators who spend 10% of their time setting up key-based trusted relationships; the bank has at least 400,000 such relationships in its environment.

"Banks don't know how many of these trusted relationships [between computers] are still in use," Ylonen says. "They don't know who can access what in their environment." This puts them out of compliance with Sarbanes-Oxley rules that require companies to know who has access to financial information. "Every bank is out of compliance with SOX," Ylonen asserts. 

The answer to this problem, Ylonen says, is his company's new software, which discovers the authentication keys and automates the management of those keys, including periodically changing them, just the way typically user passwords need to be changed every three months. Most such keys have never been changed.

This whole problem is "not visible to the end users, it's not visible to the public, and it's often not known by CIOs," Ylonen says. "But it is known by CISOs."

JOIN THE DISCUSSION

SEE MORE IN

RELATED TAGS

Five Mobile App Features that Show Yes, Banks Can Innovate

Fintech startups claim to out-innovate banks. But financial institutions sometimes break new ground. Here are five examples of banks that are testing and launching mobile app features capable of much more than showing an account balance.

Image: iStock

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.
Already a subscriber? Log in here
Please note you must now log in with your email address and password.