Managed file transfer security is back in the news, and for the wrong reasons. A major data breach back in February resulted in the compromise and exfiltration of a lot of sensitive data from scores of companies, including many healthcare organizations. Because of it the HIPAA-protected health information (PHI) of nearly a million individuals was affected. Then, earlier this month, news broke that the same cl0p ransomware group responsible for the February attack had exploited another managed file transfer (MFT) software product. Within a few days, the list of affected organizations—including well-known brands like the BBC and British Airways—began to grow.
When one managed file transfer product is breached it can be chalked up as a symptom of the digital world we live in today. When two managed file transfer products are breached in so short a timeframe, people might start asking questions about MFT security and wondering if it is a coincidence or a trend. As a developer and vendor of the secure, managed file transfer product Diplomat MFT, we want to provide some insights that might help assuage fears and to give our customers and others information to help assure file transfer security, and to keep the integrity of their systems and data intact.
Seven Best Practices for File Transfer Security
I am not going to “name and shame” the vendors involved. That’s bad form and of little help to anyone. Also, there are too many unknowns and so all I would be doing is exploiting an unfortunate event and further muddying the waters. My purpose is simply to add clarity to current events from the perspective of someone who has been deeply involved in the managed file transfer market for more than twenty years. Whether you use our products or someone else’s, there are seven things you should do immediately to make sure your managed file transfer security is intact.
- Don’t Expose Your Administrative Interface to the Public Internet. A common thread in these recent attacks, whether the software is deployed on-premises or as a SaaS application, seems to be an internet-facing administration dashboard. If you find that is the case with your MFT software, you should immediately move your dashboard behind the firewall. And use a VPN or Bastion Host (aka “jump box”) to access administrative tools remotely.
- Take a Zero Trust Approach to Domain Access by whitelisting trusted IP addresses and setting stringent automated-blacklist settings. Be sure to use your MFT features that automatically disable malicious activities on user accounts, which help to prevent things like brute force password attacks. Grant access to only those internal resources that are required for the desired workflows — for example, don’t grant your MFT server unfettered access to your SAN. Give it only the access it needs to execute the workflows required by the business.
- Lock Down Delegated User Access by only granting privileges to employees with a “need to access” and establishing multi-factor authentication (MFA) for those individuals. Be sure to employ good “password hygiene” by requiring strong passwords and rotate them regularly.
- Minimize the Number of Open Ports through which data is transferred by using a gateway to ensure that no files are ever stored in your DMZ, and to eliminate the need for inbound holes in the internal firewall. For file transfer protocols, be sure to open only those inbound firewall holes that are strictly required—we recommend that you isolate all file transfer traffic to SFTP, which is highly secure and only requires a single port to be opened in your firewall if you are hosting an SFTP server. Furthermore, be sure to use an MFT Gateway in your DMZ to ensure that you isolate your Internet-facing DMZ from your secure, back-end network.
- Automate File Encryption for All Transfers to ensure any outbound data is protected in transit. PGP is an excellent way to secure files at rest, and to ensure that only intended recipients have access to the data you are transferring. PGP also supports digital signatures on the encrypted data, ensuring a proper “chain of custody” and validating the provenance of the data.
- Automate Transfers Whenever Possible and execute all file transfers over encrypted channels using SFTP, the most secure option. Automation removes the human error element from file transfers, while encrypted file transfer protocols such as SFTP or FTPS ensure that data is safe from any eyes spying on the network traffic. Automation provides a file transfer mechanism that is regulated and free from human error. Vetting and on-boarding trading partners prior to defining and establishing automated transfers and other business processes maximizes security by avoiding human-interactive based file transfers like web portals from your MFT vendors. Historically, this has been the biggest attack surface for exploiting vulnerabilities for data exfiltration and ransom. If you absolutely need to provide a human-interactive way to deposit or pick up files, consider using best-in-class offerings that specialize in this behavior, such as ShareFile, Box, or Dropbox. MFT solutions easily integrate with these systems, and are far better at automated, secure file transfer.
- Keep your software up to date. We often see old software at the root of security incidents. These problems could have been prevented if the user had simply kept the software up to date. Vendors are constantly releasing software updates to improve function and security—not to make your lives miserable in setting up maintenance windows and updating software, or to bludgeon you with new features. The majority of software updates exist to address bugs, including security problems. MFT users must keep their software up-to-date to stay safe.
Importantly, test all assumptions and create a policy of regularly running attack simulations or penetration testing to ensure that your managed file transfer systems and processes are not vulnerable to known exploits. Hackers are crafty and relentless and will take advantage of organizations that are not diligent in mitigating known security vulnerabilities. And if you have any questions specific to your managed file transfer software, contact them for assistance. While every MFT product executes the same basic function, each vendor builds their products differently and are in the best position to answer questions specific to their products.
Attack Prevention and Detection
Finally, please remember that security is not only about prevention; but there is also a need for detection and response. No software will ever be perfectly safe from attacks, so it is important that you not only do your best to stay safe, but also have the ability to quickly understand when a system is exploited. For an MFT solution, be sure that you always leverage the auditing and alerting mechanisms available to you. If data is flowing in unexpected ways or to the wrong places, you must have visibility into those processes and a way to quickly respond in order to minimize the impact and then rectify the situation.
It is worth noting that the file transfer security vulnerability common to the recent attacks is not present with Diplomat MFT. We have chosen not to offer our products as a SaaS application. And while we are compatible with all the major cloud vendors for the purposes of accessing and transferring data to and from cloud storage, we do not have a code path that makes the Diplomat MFT administration interface accessible via the cloud. That said, we would be more than happy to double-check your deployment of Diplomat MFT to make sure it is properly configured.
Managed File Transfer is a Business Mainstay
Secure managed file transfer software should be a mainstay in any organization’s cybersecurity strategy. MFT remains an important function for conducting business and managing data in accordance with information security and data privacy regulations. MFT software that automatically encrypts files, uses secure communications protocols, documents processes for auditability, and confirms transfer success and alerts of any trouble is important for sharing vital files throughout the digital supply chain. Financial data, medical data, intellectual property, and other sensitive information that your organization needs to protect should only be shared using a secure managed file transfer platform.
Coviant Software’s award-winning Diplomat MFT is secure, easy to deploy and use, and right-sized for the needs of every organization. And our pricing is transparent and ethical to make sure cost is never a barrier to file transfer security. Contact us if you have questions, or to schedule a demonstration.