Skip to main content
banner image
venafi logo

SSH Study: How Safe are the SSH Keys Used by Financial Services?

SSH Study: How Safe are the SSH Keys Used by Financial Services?

SSH key security for financial services
December 7, 2017 | Emil Hanscom

Secure Shell (SSH) keys provide administrators the highest levels of administrative access in financial services organizations. However, these powerful assets are routinely untracked, unmanaged and poorly secured. Unfortunately, this makes SSH keys popular targets for cyber criminals.

“Cyber criminals can leverage compromised SSH keys to gain elevated access to servers and perform nefarious activities, all while remaining undetected,” said Nick Hunter, senior technical manager for Venafi. “In addition, bad actors know that a single SSH key will often be copied across hundreds or thousands of systems.”

Threats that leverage SSH privileged access are especially serious in the financial service sector, where malicious actors can literally access lucrative assets and private information.

Venafi recently conducted a study that evaluated how financial service organizations manage and implement SSH in their environments. With participation from 100 IT security professionals from the finance sector, the study reveals a widespread lack of SSH security controls.

For example, 69% of the respondents admit they do not actively rotate keys, even when an administrator leaves their organization, which can allow the former employees to have ongoing, privileged access to critical systems.

Additional highlights from the study:

  • There is no way to determine if keys have been stolen, misused or should not be trusted.
    • 85% of the respondents say they do not have a complete and accurate inventory of all SSH keys.
  • Unlimited users can generate SSH keys across many systems.
    • 61% do not restrict the number of SSH administrators. These administrators tend to be inconsistent about following security controls leaving organizations without any inventory or regular review of SSH trust relationships.
  • Attackers can gain elevated privileges.
    • Just 29% rotate keys on a quarterly or more frequent basis. 36% say they don’t rotate keys at all or only do so occasionally. This means that attackers who gain access to SSH keys will have ongoing privileged access until keys are rotated.
  • No port forwarding controls can mean big trouble for organizations.
    • 29% say they do not enforce “no port forwarding” for SSH. Because port forwarding allows users to effectively bypass the firewalls between systems, the lack of these controls can allow a cybercriminal with SSH access to rapidly pivot across network segments.
  • SSH keys are not audited.
    • Nearly a third (31%) say SSH entitlements are not featured in their Privileged Access Management (PAM) policies and are rarely audited. Without proper auditing and effective SSH security policies, SSH key weaknesses can go undetected, leaving financial services organizations vulnerable to a wide range of cybersecurity attacks.

The financial service sector faces unique and sophisticated cyber security threats. This disregard for SSH security can have profound and devastating consequences on customer privacy and security risk.

Nick concluded: “Cyber criminals can use compromised keys to move throughout a financial services organization, creating additional backdoors and setting up beachheads for their operations.”

Is your financial services organization protecting its SSH keys?

Like this blog? We think you will love this.
Featured Blog

From Babuk Source Code to Darkside Custom Listings — Exposing a Thriving Ransomware Marketplace on the Dark Web

Research: Venafi and Forensic Pathways

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Emil Hanscom
Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more