SSH Software Addresses Unseen Security Threat to Servers

Print
Email
Reprints
Comment
Twitter
LinkedIn
Facebook
Google+

Most companies are well aware of the need to protect the user names and passwords of their employees and outside users, such as customers using mobile and online banking.

But few have paid attention to another set of credentials vulnerable to hackers: those that computers use to gain access to each other's files and databases. A cybercriminal who breaks the code encrypting these behind-the-scenes logins could hack into one company computer and from there gain access to all other machines on that network and wreak havoc, according to Tatu Ylonen, the inventor of the Secure Shell (SSH) data-in-transit security protocol and founder and CEO of SSH Communications Security. His company's Information Assurance Platform, released Monday, addresses this issue.

"The big threat is that you have a virus or cyber weapon that uses this," Ylonen. "Once you get in, you could use this to spread to other machines. This could wipe out an infrastructure. I call it a ticking time bomb. It's an existential risk."

SSH is a cryptographic network protocol that secures the login credentials that servers use to authenticate themselves to other servers. It's most commonly used on Linux and Unix operating systems; it's also found in Cisco routers. Large banks have thousands of servers using SSH throughout their networks, Ylonen says. One bank has 200 administrators who spend 10% of their time setting up key-based trusted relationships; the bank has at least 400,000 such relationships in its environment.

"Banks don't know how many of these trusted relationships [between computers] are still in use," Ylonen says. "They don't know who can access what in their environment." This puts them out of compliance with Sarbanes-Oxley rules that require companies to know who has access to financial information. "Every bank is out of compliance with SOX," Ylonen asserts. 

The answer to this problem, Ylonen says, is his company's new software, which discovers the authentication keys and automates the management of those keys, including periodically changing them, just the way typically user passwords need to be changed every three months. Most such keys have never been changed.

This whole problem is "not visible to the end users, it's not visible to the public, and it's often not known by CIOs," Ylonen says. "But it is known by CISOs."

JOIN THE DISCUSSION

SEE MORE IN

RELATED TAGS

'The Law Penalizes the Consumers It Set Out to Protect': Comments of the Week

American Banker readers share their views on the most pressing banking topics of the week. As excerpted from the Comments sections of AmericanBanker.com articles.

(Image: Fotolia)

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.

The FinTech 100

FIS and Tata once again top the annual FinTech 100 list of vendors, ranked by revenue; IBM and Hewlett-Packard lead the pack of tech companies serving multiple industries; and Bionym and Silver Tail are among the 10 Tech Companies to Watch.
DAILY ENEWSLETTER UPDATE

A Newsletter featuring Bank Technology News' top stories plus special reports and data

This feature displays payments industry news and analysis from American Banker sibling brand PaymentsSource. Registration is required; for more information contact customer service.

TWITTER
FACEBOOK
LINKEDIN
Already a subscriber? Log in here
Please note you must now log in with your email address and password.