Managed file transfer (MFT) is one of those technologies that has been around forever and often gets overlooked. The MFT ball got rolling in the 1970s with the introduction of the File Transfer Protocol (FTP); by the 1980s rudimentary MFT processes were in use, and improvements in capacity, automation, and security soon followed. Because most organizations depend on the reliable transfer of data to efficiently conduct business, manage operations, and fulfill their missions, managed file transfer software quickly took off. Large enterprises, smaller companies, and organizations in industries like financial services, healthcare, manufacturing, retail, government, and more bought commercial MFT products or deployed do-it-yourself software and then moved on.
Gray Clouds and Silver Linings
Skip forward a few decades and managed file transfer software is back in the spotlight thanks to a series of unfortunate events that occurred earlier this year. Because of several devastating attacks against some well-known MFT products, the role that the technology plays in back-office operations is getting a second look. And if gray clouds do have silver linings, some good may come out of managed file transfer’s dark days. Here are some examples of what I mean.
- As the fallout from data breaches affecting GoAnywhere and MOVEit became evident, we had several customers reach out to us to inquire about their deployments of Diplomat MFT. Because the vulnerabilities exploited by threat actors affected internet-facing administration dashboards, they wanted to know if they were exposed to that weakness. The short answer? No. But even beyond questions specific to our technology, the conversations we had indicated that many enterprises realized a need to review data management and movement practices that might otherwise be taken for granted.
- There is renewed attention and awareness on the risks associated with digital supply chains. We have fielded questions from customers about their level of exposure if their own systems are secure but they exchange files with other organizations that were affected by the breaches. (Because of those conversations we are in discussion with some large enterprises about standardizing file transfers with trading partners using Diplomat MFT.)
- Recognizing a need, and the crucial position that MFT products occupy, researchers with cybersecurity firm Rapid7 began looking at other managed file transfer products to identify further potential vulnerabilities. For example, since the attacks on GoAnywhere and MOVEit, the company’s lab has examined products from JScape, Globalscape, and South River Technologies and, in cooperation with the companies involved, disclosed vulnerabilities in them after fixes had been developed and distributed.
Some of the issues discovered include attack techniques like:
- “Zip slip”, a path traversal through archive entry names, that allows an unauthenticated attacker to deliver a weaponized payload via a .zip file and have it written outside the intended extraction directory.
- A code execution attack that could give threat actors complete control of the MFT platform.
- Attacks that reach a file path without authentication to achieve remote code execution.
- An API flaw that can be used to grant the attacker elevated privileges.
- Potential data leaks and disclosures associated with file size, readable password hashes, and other risks.
Some were minor and only present under very specific circumstances. All were useful to the vendors affected, affording them the opportunity to fix the issue and improve product security.
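The zip slip item above is the one class on this list a file transfer service can rule out with a simple check. As an added example, not code from the original post or from any of the products named, here is a Python routine that resolves every archive entry name against the destination directory and rejects the whole archive, before writing anything, if any entry would land outside it. The archive contents are constructed sample data.

```python
import io
import zipfile
from pathlib import Path


def entry_target(dest_root: Path, entry_name: str) -> Path:
    """Resolve an entry name under dest_root; raise ValueError if it would escape."""
    # Absolute names and Windows drive prefixes are rejected before any resolution.
    if entry_name.startswith(("/", "\\")) or ":" in entry_name.split("/")[0]:
        raise ValueError(f"absolute entry name rejected: {entry_name!r}")
    root = dest_root.resolve()
    candidate = (root / entry_name.replace("\\", "/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path traversal rejected: {entry_name!r}")
    return candidate


def traversal_entries(zip_bytes: bytes, dest_root: Path) -> list[str]:
    """Names of entries that would escape dest_root; writes nothing (audit/log use)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                entry_target(dest_root, info.filename)
            except ValueError:
                bad.append(info.filename)
    return bad


def safe_extract(zip_bytes: bytes, dest_root: Path) -> list[str]:
    """Extract only if every entry validates; one bad entry aborts before any write."""
    bad = traversal_entries(zip_bytes, dest_root)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = entry_target(dest_root, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    # Constructed sample archive (not a captured file) for exercising the checks.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

The check validates the full archive before the first write, so a partially extracted upload never has to be cleaned up; the names returned by `traversal_entries` are what you would log for an alert.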
Test, Fix, Retest
The takeaway for us (and for any technology vendor) is that all software products are designed and built by humans and are therefore imperfect. We know that the process of creating and upgrading any product is hard. Our recent release of Diplomat MFT 9.2 was the culmination of a great deal of testing, fixing, and retesting. Like many companies, we take pride in our “secure-by-design” approach to product development. But we can’t afford to be complacent, so we strive for continuous improvement.
If you are looking for a secure managed file transfer product we’d be honored to figure into your plans. Whether you want to have a conversation to get answers for your MFT questions, or take a free test drive of our Diplomat MFT solution, the choice is yours.