If your organization uses managed file transfer (MFT) software, or if you are considering using an MFT product, you might have noticed a recent event that has given you cause for concern about managed file transfer security. As reported by SecurityWeek on February 3, noted independent cybersecurity researcher and reporter Brian Krebs of Krebs on Security posted a warning to infosec.exchange about a “zero-day remote code injection exploit” affecting a popular MFT software product. A “zero day” vulnerability is a weakness in a product or code that is previously unknown to the maker, thus leaving it open to attack by threat actors.
In response to the zero-day’s discovery, the vendor temporarily shut down the MFT service to limit customer exposure and give its team time to fix the issue and release a patch (distributed on February 7, 2023). It is not yet known whether the vulnerability was successfully exploited by malicious hackers, and the disclosure was only available to authenticated customers. Krebs created an account, obtained the customer advisory, and posted it to infosec.exchange.
You Have Questions, We Have Answers
As news of this situation spreads, a number of MFT cybersecurity questions will come to mind. Users of any MFT product are naturally concerned about information security and rely on managed file transfer software to keep data safe during exchanges with partners, vendors, government agencies, and other organizations. As these questions arise, we want to make sure Coviant Software customers and the public are informed about the implications in a general sense. Here are some common and frequently asked questions related to this incident affecting managed file transfer security that users of other products might have:
I use a different MFT product. Am I vulnerable to this zero-day exploit?
Each software vendor creates their own software in their own way. A vulnerability in one solution does not mean that it exists in all solutions. For example, when the Log4j vulnerability was disclosed, it was severe as the utility was widely used in many—but not all—software products. Our Diplomat MFT family of managed file transfer platforms, for example, was unaffected because we don’t use Log4j, while other software might.
If there are any questions about whether this exploit affects the security of the managed file transfer product you use, you should contact your vendor immediately.
Is Coviant Software’s Diplomat MFT platform safe from this zero-day exploit?
Yes. The vulnerability present in the product in question does not exist with Diplomat MFT. The weakness at issue was related to an option for accessing an administration console in the cloud, and due to bug(s) in the code that implemented an administrative function specific to that product. Because Diplomat MFT is different software that does not have this vulnerable code path, it is not susceptible to this zero-day exploit.
I use a different MFT product. Could a similar vulnerability put my MFT software at risk?
Most software products are complex, and every software product is likely to have some bugs. Some bugs may affect performance, while others may affect security. One strategy software developers use to mitigate the risk of bugs causing severe problems is to lock down code execution paths, making them available only to appropriate callers. For example, if you have internet-accessible endpoints, they may be susceptible to exploitation if a bug exists in the code behind them. To minimize risk, developers may choose to limit access to authenticated users with an affirmed need, for example by restricting administration and monitoring functions to the corporate network rather than the Internet.
My organization uses a solution that was developed in-house. Are we safe?
When information security and data privacy are involved, organizations should only purchase software from reputable vendors who employ good security practices when they develop software. That includes full documentation of every update, conducting regular testing, patching, and security audits, and providing excellent technical and customer support.
I was looking at different MFT options and now I’m concerned about security. What should I do?
Don’t abandon the search. Secure managed file transfer software is still a vital part of any comprehensive data security program. MFT software that automatically encrypts files, uses secure communications protocols, documents processes for auditability, and confirms transfer success and alerts of any trouble is important for sharing vital files throughout the digital supply chain. Financial data, medical data, intellectual property, and other sensitive information that your organization needs to protect should only be shared using a secure managed file transfer platform.
What can I do to ensure my managed file transfer is secure?
Conduct informed due diligence before making an investment in a managed file transfer product. Then, maintaining proper configuration is very important. Understand the software and its security architecture and policies. Do not expose the administration portal to the internet; instead, restrict access to the admin functions of the software to only those secure, back-end networks and/or machines that need access. Use a VPN or Bastion Host to access those administrative tools from remote locations. Ensure your administrative interface is only accessible behind your firewall via your back-end network, and that it is available only to those endpoints that should have access. Use edge gateways into the internet-facing DMZ. Never forsake security in favor of convenience.
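The two answers above come down to one configuration check: an admin or monitoring interface should listen only on loopback or an internal network, never on a wildcard or internet-facing address. As an added example that is not code from Coviant Software or this post, the following Python script parses listening-socket lines in the format of `ss -tlnp` output (a constructed sample is embedded so it runs offline) and flags any port on an assumed admin/monitoring list that is bound more widely than loopback or a private address. The port numbers, process names and addresses in the sample are assumptions chosen for the illustration.

```python
"""Audit which interfaces an MFT admin console is listening on.

Added example, not any vendor's code. It parses constructed ss-style
listener lines and reports admin ports bound to a wildcard or non-private
address, which is the exposure the FAQ above warns against.
"""
import ipaddress
import re

# Constructed sample in the layout of `ss -tlnp` output on a hypothetical
# MFT host. Assumptions: 8443 and 8444 are the admin and monitoring consoles,
# 9090 is a metrics endpoint, and 22 is the SFTP service that is meant to
# face the internet via the DMZ.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8443        0.0.0.0:*         users:(("mft-admin",pid=1201,fd=7))
LISTEN 0      128    10.20.30.5:8444     0.0.0.0:*         users:(("mft-monitor",pid=1202,fd=7))
LISTEN 0      128    127.0.0.1:9090      0.0.0.0:*         users:(("mft-metrics",pid=1203,fd=7))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
"""

# Assumed set of ports that must never be reachable from the internet.
ADMIN_PORTS = {8443, 8444, 9090}

# Local address column: optional IPv6 brackets, address or "*", then ":port".
LOCAL_RE = re.compile(r"^\[?([0-9a-fA-F:.]+|\*)\]?:(\d+)$")
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(text):
    """Yield (address, port, process_name) for each LISTEN line; skip the header."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = LOCAL_RE.match(fields[3])
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        proc = PROC_RE.search(fields[5]) if len(fields) > 5 else None
        yield addr, port, proc.group(1) if proc else ""


def is_internal(addr):
    """True if the bind address is loopback or in a private range.

    A wildcard bind ("*", 0.0.0.0, ::) listens on every interface, including
    any internet-facing one, so it is never treated as internal.
    """
    if addr in ("*", "0.0.0.0", "::"):
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_private


def audit_listeners(text, admin_ports=ADMIN_PORTS):
    """Return [(port, address, process)] for admin ports bound too widely."""
    findings = []
    for addr, port, process in parse_listeners(text):
        if port in admin_ports and not is_internal(addr):
            findings.append((port, addr, process))
    return findings


if __name__ == "__main__":
    for port, addr, process in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED admin port {port} bound to {addr} ({process})")
```

The private-address test is only a first screen: an RFC 1918 address can still sit on a DMZ segment, so the result should be read together with the firewall or bastion rules that actually decide who can reach that interface. On a live host the same functions can be fed the real output of `ss -tlnp`.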
What is the difference between Diplomat MFT and other managed file transfer products?
We believe in keeping things simple. After twenty years of providing an excellent managed file transfer platform we’ve learned some things, and that experience means we engineer our award-winning Diplomat MFT to do the task of transferring files simply, securely, and reliably. There are no unnecessary features or endless options (software bloat) increasing product complexity and the risk of failure. A managed file transfer platform should be easy to use, robust, and prioritize cybersecurity.
Using this experience to inform your evaluation of secure MFT products can help you to make a better decision. Of course, we’d be honored if our award-winning Diplomat MFT software were included in your search. We are confident that Diplomat MFT is engineered to be secure and perform as needed at whatever scale or volume you require. And our passion for customer and technical support is tops in the industry.
How can Managed File Transfer Software support your Cybersecurity Strategy?
For an average company, 80% of data exists as files and 30% of business-critical processes involve file transfers. The demand on technology to craft business solutions is ever growing, as we’ve seen with the rise of remote working. However, this can expose businesses to greater risks such as data theft and loss, data breaches, and vulnerability to sophisticated malware attacks. Now is the time to ensure your cybersecurity strategy and software tools are able to protect your data infrastructure as well as possible.
Preventing Data Breaches with MFT Cloud Software
There have been some notable data breach horror stories, for example the 2017 RNC data breach. The data firm they used placed an unencrypted database containing the information of 198 million American voters on an equally unsecured AWS server. If the firm had routinely monitored the cloud for vulnerabilities, the breach could have been prevented.
What is a Cybersecurity Strategy?
A cybersecurity strategy tends to be a high-level plan for how an organization will secure and protect its data infrastructure and assets, usually for a 3 to 5 year period. An effective cybersecurity strategy will require good data awareness, data management, and company communication, along with frequent updates and checks.
How does MFT Software support a Cybersecurity Strategy?
MFT is something we experience in our everyday lives, powering important functions such as healthcare file transfer and global money market exchanges through to order processing and tracking. MFT software alleviates the complexity of file and data transfers by automatically meeting the security, compliance and performance requirements which are necessary to send and receive important business files and sensitive data.
One important way MFT promotes a strong cybersecurity defence is that MFT uses various methods of encryption (e.g., PGP encryption) to secure both the contents of a message, called data layer encryption, and the means of transporting that message, called transport layer encryption.
MFT systems are playing an ever-larger role in organizations, replacing legacy file transfer systems and ad hoc tools with a unified, streamlined approach that eliminates waste and duplication.
What are the Data Security Risks of FTP Custom Scripts?
In the past it has been commonplace for IT departments to adopt a DIY approach to file transfer processes, and we can’t blame them, particularly for a business function that may have been overlooked, under-resourced and poorly understood. In the early days these may have started with manual processes and then evolved into legacy FTP scripted solutions.
Any good future-proofed cybersecurity plan would identify these custom scripts as posing a possible risk to the data infrastructure and have a plan to remove, or at least reduce, reliance on these scripted solutions. Homegrown scripted solutions are trying to handle an ever-increasing number of file transfers and contend with a number of complex integrations.
In addition to a loss of productivity, this can invite a range of issues including a lack of control, data security, compliance and visibility. Ultimately, these will impact a business’s time, resources and costs.
Aren’t SFTP and MFT the same?
There is sometimes a misconception that SFTP and MFT are the same thing; however, this could not be further from the truth. Secure File Transfer Protocol (SFTP) is a file protocol for transferring large files over a network by running on top of Secure Shell (SSH) encryption to provide a high level of security. Managed File Transfer encompasses a lot more than a single file transfer protocol. Managed file transfer (MFT) software is a technology platform that enables the secure, reliable, and automated transfer of data between organizations, systems and people. Data reliability, integrity, cyber security and compliance are key fundamental aspects of any managed file transfer solution.
Can MFT be used to protect Data Security in the Cloud?
The benefits of the cloud have enticed many organizations to adopt, or at least consider, some sort of cloud environment. Gartner forecasts that cloud-deployed organizations will experience fewer security incidents in upcoming years, and in general, cloud-stored data is often considered more secure than data kept on company-run servers.
Managed file transfer (MFT) solutions provide businesses with helpful features such as automation, custom workflows, security settings, audit trails and reports. These features allow businesses to scale up their data exchange requirements and operations, which is especially beneficial when moving to a cloud environment.
It’s important to remember within a cybersecurity strategy that cloud security is a two-way street. Researching each cloud provider’s cybersecurity methods and selecting the best one for your organization is a vital step toward ensuring your data’s integrity. But it’s not the only step. IT teams are just as responsible for the security of their sensitive business data as the cloud platforms that hold it.
Secure your File Transfers with Diplomat MFT v9.1
With an intuitive, no-code approach to file transfer and synchronization workflow creation, Diplomat MFT allows anyone to synchronize content over any of Diplomat MFT’s supported protocols and file systems: SFTP, FTP/S, and even cloud storage providers like AWS S3, Google Cloud Storage, and Azure Blobs/Files. This makes it simple for customers who need to make replica copies of files, such as web content, when sharing with other systems.