Venafi, the leading provider of Next-Generation Trust Protection, today announced the 2014 SSH Security Vulnerability Report, Ponemon Institute research which reveals that enterprises tolerate security vulnerabilities by allowing open-door, root-level access. Underwritten by Venafi, the report exposes how cybercriminals are exploiting the lack of visibility and control over SSH keys used to authenticate administrators, servers, and clouds. 46% of the 1,854 respondents reported that their servers and networks are left open and can be owned forever by attackers because they fail to rotate SSH keys. Not surprisingly, 51% of organizations reported already being breached by an attack using SSH.
This hole in enterprise security has not gone unnoticed. The recently uncovered Mask operation steals SSH keys to impersonate, surveil, collect, and decrypt its targets’ communications and data (analysis and recommendation for those breached available here). If SSH keys are not replaced after intrusions like The Mask attacks, enterprise networks remain owned by the attackers. The Ponemon research also found that 60% of organizations could not detect rogue SSH keys on their networks since system administrators self-police SSH keys using manual processes.
Tweet this: 2014 #Ponemon #SSH Vulnerability Report finds 74% leave open root-level access without systems to protect SSH keys
Secure Shell (SSH) is the fundamental security system enterprises rely on to connect system administrators and automated processes to services, appliances, and cloud services over an authenticated, encrypted channel. Payment servers, healthcare databases, cloud platforms, and even air traffic control systems are accessed and controlled by administrators via SSH keys. Because SSH keys never expire, cybercriminals and insiders alike gain almost permanent ownership of systems and networks by stealing SSH keys. Data loss prevention, advanced threat detection solutions and next-generation firewalls cannot examine SSH-encrypted traffic, which allows adversaries to steal information over extended periods without detection.
Tweet this: 2014 #Ponemon #SSH Vulnerability Report finds 46% of networks can be permanently owned by stealing SSH keys
“Frequently, we look at a wide range of different IT security issues that impact global organizations. This study stands out as it reveals the damage that a single, unprotected SSH key can cause,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “Although SSH keys are an IT security technology, they are often left unchecked in the hands of a wide range of administrators that are not, in theory or practice, IT security experts. This dirty little secret, revealed by the survey, is further evidence that root access to the world’s most sensitive data is widely available and largely unprotected, leaving many organizations open to perpetual cyberattacks and compromises.”
Tweet this: @Venafi urges #TheMask breached to replace #SSH keys or bulldoze the data center to clean up
“CEOs, CIOs, CISOs and other IT security executives are tolerant to the point of insanity when it comes to controlling, protecting and detecting SSH, the most widely used security and authentication technology between administrators, servers, and clouds,” said Venafi CEO Jeff Hudson. “This is a dangerous situation, akin to giving the foxes the keys to the hen houses. They have allowed SSH security to spin out of control, which in fact places their organizations in jeopardy. The total inability to respond to a breach by rotating all SSH keys means CISOs should be investing more in bulldozers for their data centers than firewalls.”
Tweet this: #Infographic: @Venafi finds insanity in action with 60% of enterprises relying on sysadmins to self-police #SSH keys
This report includes a survey of 1,854 respondents from Global 2000 enterprises in four countries: Australia, Germany, the U.K. and the U.S. More than 50 percent of respondents are employed in companies with 1,000 to 10,000 employees.
Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.