Security
Securing a file transfer infrastructure and keeping it secure is an ongoing, never ending task.
Inital Tasks
The initial setup involves the following steps:- Discovery and identification of all systems running file transfer software, whether they may be MFT (Managed File Transfer) products or native FTP,FTPS or SFTP servers
- Review their configuration for best security practices, such as:
- Do they support secure protocols (FTPS, SFTP)?
- Are security risks such as Anonymous Logon disabled?
- Are the banner messages customized to remove information useful for intruders?
- Ensuring the file transfer server software is protected against intrusion attempts
Ongoing Tasks
Ongoing tasks include:
- Repeating the discovery process at regular intervals to discover new systems running file transfer software and ensure they are secured as detailed above.
- Auditing file transfer activity to review which users are accessing data, which files are being transferred where and ensuring that sensitive data is being transferred using secured protocols at all times.
Securing file transfers with Sentry Analytics™
Sentry Analytics™ File Transfer Analytics™ suite can make the process significantly less labor intensive and ensure reliable results.
- Sentry Analytics™ records file transfer activity across all systems and provides a multitude of ways the data can be audited — all with the simple click of a mouse.
In addition it can issue alerts for policy violations, such as when sensitive data is transferred unsecured. - Sentry Auditor™ effortlessly discovers systems running file transfer software including MFT products and native FTP, FTPS and SFTP servers.
It displays which protocols are supported, whether Anonymous Logon is enabled.
It also displays the banner message to help ensure that information useful for intruders has been removed.
Sentry Auditor™ can run unattended in regular intervals and email the results to the appropriate staff for review. - Sentry Armor™ protects file transfer servers against intrusion attempts from outside intruders, malicious employees and contractors and hackers that have breached the corporate network through other means.
More information on securing file transfers
- Resources
- Why is the Threat growing?
- What are Brute Force Attacks?
- What can’t my Firewall protect me?
How to conduct a File Transfer Audit
Your organization needs regular File Transfer Audits to ensure all data movements in your enterprise are conducted responsibly.
Get our Whitepaper “Auditing Complex File Transfer Environments” here:
DownloadWhy is the threat growing?
Most people expect their account to be locked after entering a number of invalid passwords in a row — whether it is when they log on to a computer or when they insert their debit card into an ATM. Not so with FTP. A number of products to aid in automated FTP password hacking make use of the fact that FTP will allow users to enter invalid passwords literally for days without locking the account or alerting anyone. These tools are widely available on the internet, and the instructions on how to use them are even posted on YouTube and other video sharing sites.
FTP hacking tools typically offer two methods of attacks:
Dictionary-based Attacks
While Brute Force Attacks are guaranteed to eventually discover the correct password, the downside is that the may run for a very long time. Attackers therefore often try another, far quicker method first: The Dictionary-based Attack. With that approach, the attacker supplies the tool with a dictionary — a list of words to try as passwords in various combinations. These lists usually consist of human names, pet names, places, TV shows, etc. A sample list might be: ‘adam, Adam, apple, Apple, barbara, Barbara, chicago, Chicago, fido, Fido, house, House,’ etc. Should the Dictionary-based attack fail to find the correct password, then the intruder would resort to the Brute Force Attack instead:
Brute Force Attacks
Brute force attacks let the attacker set a minimum and maximum password length, and the tool will connect to the FTP server and try all possible password combinations matching those criteria in a serial manner, e.g. from aaa to ZZZZZZZZ until it finds the correct password. Some FTP Servers (e.g. on z/OS) do not support case-sensitive passwords, which significantly increases the vulnerability to brute force attacks due to the reduced number of potential password combinations.
What are Brute Force Attacks?
Most people expect their account to be locked after entering a number of invalid passwords in a row — whether it is when they log on to a computer or when they insert their debit card into an ATM. Not so with FTP. A number of products to aid in automated FTP password hacking make use of the fact that FTP will allow users to enter invalid passwords literally for days without locking the account or alerting anyone. These tools are widely available on the internet, and the instructions on how to use them are even posted on YouTube and other video sharing sites.
FTP hacking tools typically offer two methods of attacks:
Dictionary-based Attacks
While Brute Force Attacks are guaranteed to eventually discover the correct password, the downside is that the may run for a very long time. Attackers therefore often try another, far quicker method first: The Dictionary-based Attack. With that approach, the attacker supplies the tool with a dictionary — a list of words to try as passwords in various combinations. These lists usually consist of human names, pet names, places, TV shows, etc. A sample list might be: ‘adam, Adam, apple, Apple, barbara, Barbara, chicago, Chicago, fido, Fido, house, House,’ etc. Should the Dictionary-based attack fail to find the correct password, then the intruder would resort to the Brute Force Attack instead:
Brute Force Attacks
Brute force attacks let the attacker set a minimum and maximum password length, and the tool will connect to the FTP server and try all possible password combinations matching those criteria in a serial manner, e.g. from aaa to ZZZZZZZZ until it finds the correct password. Some FTP Servers (e.g. on z/OS) do not support case-sensitive passwords, which significantly increases the vulnerability to brute force attacks due to the reduced number of potential password combinations.
Why can’t my Firewall protect me?
One of the most common mistakes made is to assume that only Internet-facing FTP Servers need to be protected. The opposite is true. While a firewall is very helpful in keeping the vast majority of amateur hackers, college kids etc. out, firewalls have the following shortfalls:
- Firewalls are no match for professional intruders. Email-based phishing scams and other techniques enable professional intruders to take control of computers on the corporate network despite firewalls being in place.
- The advent of telecommuting and work-from-home days makes corporate devices easier to penetrate, especially when these devices are used by the family members of employees.
- The rising practice of BYOD (Bring Your Own Device) — allowing employees to use personal devices for work purposes — reduces a corporation’s ability to install appropriate safeguards on devices attached to the corporate network.
- Firewalls cannot protect against actions by malicious, disgruntled or misguided employees and contractors having legitimate access to the corporate network. In the recently released report ” Understand The State Of Data Security And Privacy: 2012 To 2013”, Industry Analyst Forrester Group estimates that about 33% of all cases of malicious data thefts are performed by insiders with legitimate access to the network.
Corporations therefore need a second layer of defense – protection against threats from inside the corporate network as well as outside intruders that have penetrated the firewall. Reliable protection can only be achieved by securing each system – especially servers holding sensitive data – as if there were no firewall at all.