[BreachExchange] 10 Common File Transfer Risks and How to Avoid Them

Destry Winant destry at riskbasedsecurity.com
Mon Jul 30 23:22:02 EDT 2018


http://www.cyberdefensemagazine.com/10-common-file-transfer-risks-and-how-to-avoid-them/

Have you ever caught yourself saying one of the following?

- “We don’t have an IT department, so I FTP from my desktop.”
- “I don’t need special software to transfer files; I have email.”
- “We’re a small/mid-sized organization. We don’t have to worry about risks.”
- “As a large company, I’m pretty sure we have this covered.”

It’s easy to assume you’re protected from vulnerabilities.
Unfortunately, though, you might not be.

File transfer risks are everywhere these days—in emails, on open
ports, and through use of insecure technologies like FTP or the DMZ,
just to name a few. Most organizations have discovered the benefits of
instructing their teams on strong cybersecurity practices and
protocols, but even the most knowledgeable can fall victim to hidden
data vulnerabilities.

Are you protected against commonly missed exposures when sharing or
transferring your files? Check your processes against this list to
find out.



Risk #1: Giving away user IDs and passwords via FTP transfers.

FTP isn’t a secure transfer protocol. Even worse, it doesn’t encrypt
user credentials—that data is sent in the clear. That means your
files, including important sign-on information, can be sniffed and
stolen during transit.

What’s the solution? Use secure protocols (i.e. SFTP and OpenPGP) and
encrypt your passwords/user IDs to ensure they aren’t exposed or
stolen while you’re transferring files.



Risk #2: Sending unsecured plain text emails.

Using regular emails to send mission-critical files means that
sensitive data is communicated through a vulnerable platform. Not only
is the data stored on your mail providers’ servers, where it can later
be compromised, but there’s always a risk that an email will be sent
to the wrong recipient.

What’s the solution? Utilize a secure mail server and take advantage
of encrypted file storage retrieval with password access to avoid
sending important information via vulnerable emails.



Risk #3: Exposing data to the DMZ (Demilitarized Zone).

Files are often temporarily stored in the DMZ by trading partners, and
these files are at a higher risk of being accessed by hackers because
the DMZ is more exposed to the internet. Using the DMZ can also
require the use of manual scripts, which can in turn create more
vulnerabilities.

What’s the solution? Don’t store your data in the DMZ! Instead,
install a reverse proxy gateway and keep all data, even files from
trading partners, inside your private network.



Risk #4: Having open ports in your network.

Inbound firewall rules allow hackers to gain basic access to your
network. This can give them enough privileges to compromise your
environment and get into your critical applications, services, and
even your production systems.

What’s the solution? Eliminate your network’s open ports by
communicating through a reverse proxy, and avoid risk by ensuring your
PC firewalls and security patches are maintained.



Risk #5: Using your own proxy software.

While it may be cheaper up front to make homegrown solutions for your
organization, implementing your own proxy software often means using
older technology that has misleading or incorrect configurations.
Furthermore, inbound and outbound port configurations are required.

What’s the solution? Swap out your homegrown proxy for modernized
reverse proxy technology and maintain control within your private
network (again, not in the DMZ).



Risk #6: Writing and maintaining scripts.

Manual scripts are prone to human error. They are time-consuming to
create, difficult to maintain, and frustrating to audit. A lack of
security mandates and compliance reporting for scripts makes them a
liability in the case of a data breach.

What’s the solution? Ditch the scripts. Use a centralized, role-based
scripting solution to process your file transfers. Bonus points if it
sends you error notifications and includes auditing and reporting
functionality.



Risk #7: Using free, outdated PC applications.

PC applications can be risky and antiquated. They often need dedicated
personnel for administration, and because they’re free, they’re
usually dependent on community advice and reporting for issues, bugs,
and updates.

What’s the solution? Invest in a secure file transfer solution, one
that provides administration and training, offers help with
compliance, and is regularly updated.



Risk #8: Not having proper key and certificate management.

Without a solid KMS (key management system) in place, you’re more
vulnerable to hackers and renegade employees gaining access to your
systems. Stolen user IDs and passwords can be used by anyone, but keys
and certificates can’t.

What’s the solution? Implement proper key and certificate management
by installing an encrypted key management system with role-based and
logged access to key or certificate updates.



Risk #9: Lacking internal security controls.

Many places that need security are often overlooked, including
customer sign-ons, allowed IP addresses, automatic IP blacklists, and
unblocked brute-force attacks.

What’s the solution? Reinforce your internal security controls! Get
granular with your cybersecurity and build a secure infrastructure
that allows communication with controlled access.



Risk #10: Not securing your system with the right permissions.

Remember, FTP is not a secure method for transferring important data.
You are vulnerable if you use it in your organization!

What’s the solution? Avoid FTP. Disable it and use SFTP, FTPS, HTTPS,
or AS2 instead to safeguard your communications.
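
Added example (not part of the original article or any vendor's code): a small Python audit that shows what Risk #1 and Risk #10 look like on the wire, flagging FTP sessions where USER/PASS crossed the control channel before any TLS upgrade. The session data, host name, account names and the function names audit_ftp_sessions and exposed_accounts are constructed for illustration.

```python
import re

# Constructed sample: reassembled FTP control-channel lines (TCP port 21) as a
# passive capture would show them. "C" = client, "S" = server.
SAMPLE = [
    ("s1", "S", "220 ftp.example.test ready"),
    ("s1", "C", "USER backup_svc"),
    ("s1", "S", "331 Password required"),
    ("s1", "C", "PASS constructed-password-1"),
    ("s1", "S", "230 Login successful"),
    # s2 upgrades with AUTH TLS; after 234 a capture holds only ciphertext.
    ("s2", "S", "220 ftp.example.test ready"),
    ("s2", "C", "AUTH TLS"),
    ("s2", "S", "234 Proceed with negotiation"),
    # s3: server refuses AUTH and the client falls back to a cleartext login.
    ("s3", "C", "AUTH TLS"),
    ("s3", "S", "534 Request denied"),
    ("s3", "C", "USER partner_upload"),
    ("s3", "C", "PASS constructed-password-2"),
]

CMD = re.compile(r"^(USER|PASS|AUTH)\s+(.*)$", re.IGNORECASE)

def audit_ftp_sessions(lines):
    """Return {session_id: finding} for every session in the capture."""
    state = {}
    for sid, direction, text in lines:
        s = state.setdefault(sid, {"user": None, "tls": False,
                                   "cleartext_login": False, "_auth": False})
        if direction == "S":
            if s["_auth"]:  # reply to AUTH: only 234 means TLS was accepted
                s["tls"], s["_auth"] = text.startswith("234"), False
            continue
        m = CMD.match(text.strip())
        if not m or s["tls"]:
            continue
        verb, arg = m.group(1).upper(), m.group(2)
        if verb == "AUTH":
            s["_auth"] = True
        elif verb == "USER":
            s["user"] = arg
        elif verb == "PASS":
            s["cleartext_login"] = True  # record the fact, never the password
    return {sid: {k: v for k, v in s.items() if k != "_auth"}
            for sid, s in state.items()}

def exposed_accounts(lines):
    """Accounts whose password crossed the wire unencrypted (rotate these)."""
    return sorted({f["user"] for f in audit_ftp_sessions(lines).values()
                   if f["cleartext_login"] and f["user"]})
```

Session s3 is the case to watch when moving to FTPS: a client that silently falls back after a refused AUTH still exposes the account.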

For more information on each of these commonly missed vulnerabilities,
watch this free, on-demand webinar from GoAnywhere: Are You Avoiding
These Top 10 File Transfer Risks?

