Archive for January, 2011

FTP “Lack of Security” Exposed

Posted by on Monday, 24 January, 2011

Apollo Project CSM Simulator Computers and ConsolesFTP was designed as an easy mechanism for exchanging files between computers at a time when networks were new and information security was an immature science. In the 1970s, if you wanted to secure a server from unwanted access, you simply locked the computer room door. User access to data was controlled by the basic User ID and password scenario. (Right is a reminder of how much technology has advanced since the 1970s. The photograph,  taken December 11, 1975, is the Apollo Project CSM Simulator Computers and Consoles. Photo Courtesy of NASA.)

The Internet did not yet exist and the personal computer revolution was still a decade away.

Today, the security of business file transfers is of paramount importance. The exchange of business records between computing systems, between enterprises, and even across international borders has become critical to the global economy.

Yet, the original native FTP facility of TCP/IP wasn’t designed for the requirements of the modern, globally connected enterprise. FTP’s basic security mechanisms – the User ID and password — have long ago been outdated by advances in network sleuthing technologies, hackers, malware, and the proliferation of millions of network-attached users.

Risks associated with using native (standard) FTP include:

  • Native FTP does not encrypt data.
  • A user’s name and password are transferred in clear text when logging on and can therefore be easily recognized.
  • The use of FTP scripts or batch files leaves User IDs and passwords in the open, where they can easily be hacked.
  • FTP alone, does not meet compliance regulations. (For example: HIPAA, SOX, State Privacy Laws, etc.)
  • When using an FTP connection, the transferred data could “stray” to a remote computer and not arrive at their intended destination leaving your data exposed for third parties or hackers to intercept.
  • Conventional FTP does not natively maintain a record of file transfers.

The first step is to examine how FTP is being used in your organization. The next step is to identify how your organization needs to manage and secure everyone’s file transfers. The final step is to evaluate what type of Managed File Transfer Product your company needs.

For more information download our White Paper – Beyond FTP: Securing and Managing File Transfers.

Compliance and Regulations for Sensitive Data Transfers

Posted by on Monday, 10 January, 2011

Secured ComputerHighly sensitive data is frequently exchanged between organizations. For instance, a business will routinely transmit financial information to their bank including payroll direct deposits and ACH payments. These transactions most likely contain sensitive elements like bank account numbers, routing numbers, social security numbers and payment information.

Industry-specific transactions may also contain highly sensitive data. For example, in the health care business, patient records are regularly exchanged between hospitals, doctors and payment providers. In the insurance business, policy information is often transmitted between carriers. This information may contain names, addresses, birth dates, social security numbers and other private information.

Loss of sensitive data can result in great financial expense, lawsuits and public embarrassment for the affected organization. Therefore it is no surprise that industries are setting new regulations and standards to address the security of their data.  For instance:

  • PCI DSS requires that credit card numbers are encrypted while “at rest” and “in motion”.  Failure to do so can result in severe fines and potential loss of your merchant account.
  • HIPAA requires that healthcare records are secured to protect the privacy of patients.
  • State privacy laws require that customers are notified if their personal information may have been lost or stolen. Some states will also assess large fines against organizations if this data is not protected properly.

Organizations should consider compliance requirements and regulations when looking for a Managed File Transfer solution. An effective solution should have a number of encryption methods available to protect sensitive data including SSL, SSH, AES and Open PGP encryption. Audit trails should also be in place to track file transfer activity so you can easily determine what files are being sent, what time they are sent, who the sender and receiver is, and so on. If you are looking for a comprehensive solution be sure to check out our GoAnywhere Managed File Transfer Suite.

Related Blog: PCI DSS v2.0

Was FTP Behind the Wikileaks Breach?

Posted by on Monday, 3 January, 2011

November and December were difficult months for IT security.

Wikileaks began on Sunday November 28th publishing 251,287 leaked United States embassy cables, the largest set of confidential documents ever to be released into the public domain. How do security officials believe these documents were originally retrieved by the alleged source, Pfc. Bradley Manning? Many security professionals are wondering if FTP was the software mechanism used.

Also in the news was the security breach at the popular publication Gawker.com. Over the weekend of December 11, Gawker discovered that 1.2 million accounts were compromised, the infrastructure breached, and access to MySQL databases raided. Gawker internal FTP credentials were listed as a part of the breach.

Gawker’s problems prompted Social Networking giant LinkedIn to reset the passwords of all users that had Gawker.com accounts, for fear of contamination by hackers who had gained Gawker profile information.

Smaller national headlines of other breaches included the theft of an undisclosed number of email addresses, birth-dates, and other information by a contractor working for McDonalds.

Also, it was reported that a mailing list was pilfered from the drugstore giant Walgreens. In addition, a leak of law enforcement data was reported by a Mesa County, Colorado.

Finally, a popular Open Source FTP server software application, ProFTPD version 1.3.3c, was distributed containing a malicious backdoor that permits hackers to access FTP credentials. It is thought the attackers took advantage of an un-patched security flaw in the FTP daemon to gain access to the server and exchange distribution files.

What do these various breaches have in common? The threats may be too diverse to slip into a single category, but the likely culprit is the use of powerful native FTP, without proper, secure management. Once a doorway is left open, native unmanaged FTP access can wreak havoc in any organization.

It doesn’t have to be this way. Using a managed secure file server like Linoma Software’s GoAnywhere Services – which has granular permissions and security controls, along with detailed audit logs and alerts – IT can monitor and better secure and control its data resources.

Regardless of how your organization or your trusted business partners are configured to exchange data, isn’t it time to consider a better way to manage your company’s file transfer security?

Related Blog Post: Are You Confident Your FTP Credentials are Secure?

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

1.800.949.4696  |  sales@linomasoftware.com  |  privacy policy
Copyright ©1994 - 2012 Linoma Software  |  All rights reserved