Secure Shell keys are routinely untracked, unmanaged and poorly secured in financial service organizations even though they provide the highest levels of administrative access in those organizations, according to new research.

Salt Lake City-based Venafi recently conducted a study that evaluated how finservs manage and implement SSH, which are network protocols for securing remote connections between computers, as well as providing strong authentication. One hundred IT security professionals from the financial services industry participated in the study, which revealed a widespread lack of SSH security controls.

For example, 69% of respondents from the financial services industry admit they do not actively rotate keys, even when an administrator leaves their organization. This allows former employees to have ongoing privileged access to critical and sensitive systems.

Recommended For You

Other key findings of the study include:

  • Sixty-one percent do not restrict the number of SSH administrators, which allows an unlimited number of users the ability to generate SSH keys across large numbers of systems.
  • Eighty-five percent do not have a complete and accurate inventory of all SSH keys.  Without a comprehensive inventory finservs can't determine missing or stolen keys.
  • Just 29% percent of respondents rotate keys on a quarterly or more frequent basis; 36% said they don't rotate keys at all or only do so occasionally. Attackers who gain access to SSH keys retain ongoing privileged access until the rotation of keys.
  • Thirty-nine percent of respondents said they do not enforce no port forwarding for SSH. Because port forwarding allows users to effectively bypass the firewalls between systems, a cybercriminal with SSH access can rapidly pivot across network segments.
  • Thirty-one percent of respondents said they exclude SSH entitlements from their Privileged Access Management policies and rarely audit them. Without proper auditing and effective SSH security policies, crucial weaknesses can go undetected, leaving financial services organizations vulnerable to a wide range of cybersecurity attacks.

 

"Cyber criminals can leverage compromised SSH keys to gain elevated access to servers and perform nefarious activities, all while remaining undetected," Nick Hunter, senior technical manager for Venafi, said. "In addition, they know that a single SSH key will often be copied across hundreds or thousands of systems. Cybercriminals can use compromised keys to move throughout a financial services organization, creating additional backdoors and setting up beachheads for their operations."

Dimensional Research conducted the study earlier this year. It analyzed responses from security professionals in the financial services sector in the U.S., U.K. and Germany.

NOT FOR REPRINT

© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).