SSH Study: Are Retailers Doing Enough to Protect Their SSH Keys?

February 27, 2018 | Eva Hanscom

Retail companies rely on an assortment of connected machines that most other industries don’t use. From credit card terminals to specialized e-commerce services, these machines require unique identities and security.

Secure Shell (SSH) keys are often used to authenticate retail machine identities and, in the process, provide the highest levels of administrative access within retail organizations. However, these powerful assets are routinely untracked, unmanaged and poorly secured. Unfortunately, this makes SSH keys popular targets for cyber criminals.

“Retail machines contain lucrative financial information,” said Nick Hunter, senior digital trust researcher for Venafi. “This makes retailers, and their transactions, prime targets for cyber criminals. Simply put, retailers face unique and significant machine identity threats.”

Venafi recently conducted a study that evaluated how retailers manage and implement SSH in their environments. With participation from 101 IT security professionals from the retail sector, the study reveals a widespread lack of SSH security controls.

For example, 81% of respondents acknowledge they do not have a complete and accurate inventory of all SSH keys. If retailers do not know where their SSH keys are and how they are managing privileged access, it will be difficult to determine if any SSH keys have been stolen, misused or should not be trusted.

Additional highlights from the study:

  • Users have continuing access to critical assets.
    • Over a third (35%) of respondents admit they do not actively rotate keys, even when administrators leave their organizations. This can allow former employees ongoing privileged access to sensitive systems.
       
  • SSH keys are rarely rotated, if at all.
    • Just 35% of respondents rotate SSH keys at least quarterly; 37% said they don’t rotate these keys at all or only do so occasionally. This means that attackers who gain access to SSH keys will have ongoing privileged access until keys are rotated.
       
  • Unlimited users can generate SSH keys across many systems.
    • 38% of respondents do not restrict the number of SSH administrators, which allows an unlimited number of users to generate SSH keys across large numbers of systems.
       
  • No port forwarding controls can mean big trouble for retailers.
    • 32% say they do not enforce “no port forwarding” for SSH. Because port forwarding allows users to effectively bypass the firewalls between systems, the lack of these controls can allow a cybercriminal with SSH access to rapidly pivot across network segments.
       
  • SSH keys are not audited.
    • Over a third (35%) say SSH entitlements are not featured in their Privileged Access Management (PAM) policies and are rarely audited. Without proper auditing and effective SSH security policies, SSH key weaknesses can go undetected, leaving retailers vulnerable to a wide range of cybersecurity attacks.
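The inventory and "no port forwarding" controls above can be checked per host. The following is an added example, not code from the study or from Venafi: it parses OpenSSH `authorized_keys` content, records each key by SHA256 fingerprint, and flags entries that still permit port forwarding. The key blobs, comments and command path are constructed placeholders, and only the `restrict`, `no-port-forwarding` and `port-forwarding` options are evaluated.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def split_unquoted(text, is_sep):
    # Split on separators, keeping double-quoted option values in one piece.
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if is_sep(ch) and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return parts + ([cur] if cur else [])

def audit_line(line):
    fields = split_unquoted(line.strip(), str.isspace)
    if not fields or fields[0].startswith("#"):
        return None
    opts = []
    if not fields[0].startswith(KEY_TYPES):  # leading field holds the options
        opts = split_unquoted(fields.pop(0), lambda c: c == ",")
    if len(fields) < 2:
        return None
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    forwarding = True  # OpenSSH permits forwarding unless an option disables it
    for opt in (o.lower() for o in opts):  # options apply in order, last one wins
        if opt in ("restrict", "no-port-forwarding"):
            forwarding = False
        elif opt == "port-forwarding":
            forwarding = True
    return {"fingerprint": fingerprint, "type": fields[0],
            "comment": " ".join(fields[2:]), "port_forwarding": forwarding}

def audit(text):
    return [row for row in map(audit_line, text.splitlines()) if row]

B = lambda s: base64.b64encode(s.encode()).decode()  # constructed blob, not a real key
SAMPLE = "\n".join([
    "# constructed authorized_keys content for illustration",
    f"ssh-ed25519 {B('key-a')} pos-admin@store12",
    f'no-port-forwarding,command="/usr/bin/backup --all, nightly" ssh-rsa {B("key-b")} backup',
    f"restrict,port-forwarding ssh-ed25519 {B('key-c')} former-admin",
])
if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Collecting these rows across hosts gives a fingerprint-keyed inventory in which the same key appearing on several systems, or an entry with `port_forwarding` set to true, stands out for review.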

Ultimately, it’s crucial for retailers to secure their SSH assets. “To protect their customers and their critical business data, retailers need a strong SSH governance program that provides them with complete visibility of all their SSH keys,” concluded Hunter.

Are retailers doing enough to protect their SSH keys?

About the author

Eva Hanscom

Eva is Public Relations Manager at Venafi. She is passionate about educating the global marketplace about infosec and machine-identity issues, and in 2018 grew Venafi's global coverage by 45%.
