This project plan blueprint is meant for large customer organizations of SSH.com, who need to take actions based on the SSH Tectia Client/Server vulnerability CVE-2021-27891. Its purpose is to describe, on an operational level, the actions that are needed in a customer organization to successfully manage the vulnerability and risks related to it.
The project aims at ensuring that business impacts and risks related to the vulnerability are mitigated to an acceptable level or completely remediated - in a reasonable timeframe with a reasonable effort. Setting up a project is a customer decision based on their own understanding of their situation and risk levels - SSH.com provides customers with support in the form of communications, technical support and where required Professional Services.
Background
As background information at least the following is required:
- Current situation of Tectia in the customer environment: where is it deployed, what use cases are supported, which SW version is currently in production use.
- Current practices for SSH key rotation for both host and user keys
- Specific information for vulnerability risk analysis, such as nature of data handled by Tectia
Project goals
Customer defines specific goals for the project in terms of how the vulnerability will be handled. These should cover at least:
- What is the end status after the project in terms of risk: is the vulnerability remediated completely or sufficiently mitigated. Partial resolution would be e.g. upgrading of Tectia to SW level 6-4.19 without regenerating all host keys. End status can also be reached in phases e.g. so that sufficient mitigation level is reached first and total remediation at a later point of time.
- What is the impact of the resolution work to business? How much work is required from administrators and users? Does it cause IT change work that leads to significant maintenance breaks? Are external services required?
- Target timeframe for mitigation: what stage of mitigation / resolution is reached by when. These timeframe goals are then used as an input for planning the detailed timeline, see below.
Stakeholders
Customer needs to identify relevant stakeholders for a) planning the mitigation activities and b) executing the mitigation activities.
For planning (a), it is recommended to keep details of the risk analysis to a limited group only while more stakeholders may be required to understand the impacts of executing the mitigation activities.
For execution (b), more stakeholders are relevant especially when execution impacts users e.g. in terms of actions needed from them or service impacting maintenance.
Timeline
Customer needs to define a timeline and project task list with responsible parties. Examples of relevant tasks are listed in the following:
- Discovery of current SSH keys and their rotation practices
- Risk analysis of the above-mentioned vulnerabilities and decision making on mitigation / remediation plan
- Upgrading Tectia from any earlier version to SW level 6-4.19
- Actions related to SSH keys - these can be one-time actions to change all the keys and/or implementing a process for regular key rotation