image

Security

Secur­ing a file trans­fer infra­struc­ture and keep­ing it secure is an ongo­ing, never end­ing task.

Ini­tal Tasks

The ini­tial setup involves the fol­low­ing steps:
  • Dis­cov­ery and iden­ti­fi­ca­tion of all sys­tems run­ning file trans­fer soft­ware, whether they may be MFT (Man­aged File Trans­fer) prod­ucts or native FTP,FTPS or SFTP servers
  • Review their con­fig­u­ra­tion for best secu­rity prac­tices, such as:
    • Do they sup­port secure pro­to­cols (FTPS, SFTP)?
    • Are secu­rity risks such as Anony­mous Logon disabled?
    • Are the ban­ner mes­sages cus­tomized to remove infor­ma­tion use­ful for intruders?
  • Ensur­ing the file trans­fer server soft­ware is pro­tected against intru­sion attempts

Ongo­ing Tasks

Ongo­ing tasks include:

  • Repeat­ing the dis­cov­ery process at reg­u­lar inter­vals to dis­cover new sys­tems run­ning file trans­fer soft­ware and ensure they are secured as detailed above.
  • Audit­ing file trans­fer activ­ity to review which users are access­ing data, which files are being trans­ferred where and ensur­ing that sen­si­tive data is being trans­ferred using secured pro­to­cols at all times.

Secur­ing file trans­fers with Sen­try Analytics™

Sen­try Ana­lyt­ics™ File Trans­fer Ana­lyt­ics™ suite can make the process sig­nif­i­cantly less labor inten­sive and ensure reli­able results.

  • Sen­try Ana­lyt­ics™ records file trans­fer activ­ity across all sys­tems and pro­vides a mul­ti­tude of ways the data can be audited — all with the sim­ple click of a mouse.
    In addi­tion it can issue alerts for pol­icy vio­la­tions, such as when sen­si­tive data is trans­ferred unsecured.
  • Sen­try Audi­tor™ effort­lessly dis­cov­ers sys­tems run­ning file trans­fer soft­ware includ­ing MFT prod­ucts and native FTP, FTPS and SFTP servers.
    It dis­plays which pro­to­cols are sup­ported, whether Anony­mous Logon is enabled.
    It also dis­plays the ban­ner mes­sage to help ensure that infor­ma­tion use­ful for intrud­ers has been removed.
    Sen­try Audi­tor™ can run unat­tended in reg­u­lar inter­vals and email the results to the appro­pri­ate staff for review.
  • Sen­try Armor™ pro­tects file trans­fer servers against intru­sion attempts from out­side intrud­ers, mali­cious employ­ees and con­trac­tors and hack­ers that have breached the cor­po­rate net­work through other means.

Next Steps




White Paper:
Com­mon Mis­con­cep­tions
about File Trans­fer Security

Quick Read:
What you need to know
about Brute Force Attacks






Sen­try Armor™ Datasheet

Sen­try Armor™ Tech­Pa­per

Con­tact us for more infor­ma­tion

More infor­ma­tion on secur­ing file transfers

  • Resources
  • Why is the Threat grow­ing?
  • What are Brute Force Attacks?
  • What can’t my Fire­wall pro­tect me?
image image

FTP Server Attacks

FTP Server Attacks are con­stantly on the rise, as they require lit­tle skill.

Get our Whitepa­per “Com­mon Mis­con­cep­tions about File Trans­fer Secu­rity” here:

Down­load

Why is the threat growing?

Most peo­ple expect their account to be locked after enter­ing a num­ber of invalid pass­words in a row — whether it is when they log on to a com­puter or when they insert their debit card into an ATM. Not so with FTP. A num­ber of prod­ucts to aid in auto­mated FTP pass­word hack­ing make use of the fact that FTP will allow users to enter invalid pass­words lit­er­ally for days with­out lock­ing the account or alert­ing any­one. These tools are widely avail­able on the inter­net, and the instruc­tions on how to use them are even posted on YouTube and other video shar­ing sites.

FTP hack­ing tools typ­i­cally offer two meth­ods of attacks:

Dictionary-​based Attacks

While Brute Force Attacks are guar­an­teed to even­tu­ally dis­cover the cor­rect pass­word, the down­side is that the may run for a very long time. Attack­ers there­fore often try another, far quicker method first: The Dictionary-​based Attack. With that approach, the attacker sup­plies the tool with a dic­tio­nary — a list of words to try as pass­words in var­i­ous com­bi­na­tions. These lists usu­ally con­sist of human names, pet names, places, TV shows, etc. A sam­ple list might be: ‘adam, Adam, apple, Apple, bar­bara, Bar­bara, chicago, Chicago, fido, Fido, house, House,’ etc. Should the Dictionary-​based attack fail to find the cor­rect pass­word, then the intruder would resort to the Brute Force Attack instead:

Brute Force Attacks

Brute force attacks let the attacker set a min­i­mum and max­i­mum pass­word length, and the tool will con­nect to the FTP server and try all pos­si­ble pass­word com­bi­na­tions match­ing those cri­te­ria in a ser­ial man­ner, e.g. from aaa to ZZZZZZZZ until it finds the cor­rect pass­word. Some FTP Servers (e.g. on z/​OS) do not sup­port case-​sensitive pass­words, which sig­nif­i­cantly increases the vul­ner­a­bil­ity to brute force attacks due to the reduced num­ber of poten­tial pass­word combinations.

What are Brute Force Attacks?

Most peo­ple expect their account to be locked after enter­ing a num­ber of invalid pass­words in a row — whether it is when they log on to a com­puter or when they insert their debit card into an ATM. Not so with FTP. A num­ber of prod­ucts to aid in auto­mated FTP pass­word hack­ing make use of the fact that FTP will allow users to enter invalid pass­words lit­er­ally for days with­out lock­ing the account or alert­ing any­one. These tools are widely avail­able on the inter­net, and the instruc­tions on how to use them are even posted on YouTube and other video shar­ing sites.

FTP hack­ing tools typ­i­cally offer two meth­ods of attacks:

Dictionary-​based Attacks

While Brute Force Attacks are guar­an­teed to even­tu­ally dis­cover the cor­rect pass­word, the down­side is that the may run for a very long time. Attack­ers there­fore often try another, far quicker method first: The Dictionary-​based Attack. With that approach, the attacker sup­plies the tool with a dic­tio­nary — a list of words to try as pass­words in var­i­ous com­bi­na­tions. These lists usu­ally con­sist of human names, pet names, places, TV shows, etc. A sam­ple list might be: ‘adam, Adam, apple, Apple, bar­bara, Bar­bara, chicago, Chicago, fido, Fido, house, House,’ etc. Should the Dictionary-​based attack fail to find the cor­rect pass­word, then the intruder would resort to the Brute Force Attack instead:

Brute Force Attacks

Brute force attacks let the attacker set a min­i­mum and max­i­mum pass­word length, and the tool will con­nect to the FTP server and try all pos­si­ble pass­word com­bi­na­tions match­ing those cri­te­ria in a ser­ial man­ner, e.g. from aaa to ZZZZZZZZ until it finds the cor­rect pass­word. Some FTP Servers (e.g. on z/​OS) do not sup­port case-​sensitive pass­words, which sig­nif­i­cantly increases the vul­ner­a­bil­ity to brute force attacks due to the reduced num­ber of poten­tial pass­word combinations.

Why can’t my Fire­wall pro­tect me?

One of the most com­mon mis­takes made is to assume that only Internet-​facing FTP Servers need to be pro­tected. The oppo­site is true. While a fire­wall is very help­ful in keep­ing the vast major­ity of ama­teur hack­ers, col­lege kids etc. out, fire­walls have the fol­low­ing shortfalls:

  • Fire­walls are no match for pro­fes­sional intrud­ers. Email-​based phish­ing scams and other tech­niques enable pro­fes­sional intrud­ers to take con­trol of com­put­ers on the cor­po­rate net­work despite fire­walls being in place.
  • The advent of telecom­mut­ing and work-​from-​home days makes cor­po­rate devices eas­ier to pen­e­trate, espe­cially when these devices are used by the fam­ily mem­bers of employees.
  • The ris­ing prac­tice of BYOD (Bring Your Own Device) — allow­ing employ­ees to use per­sonal devices for work pur­poses — reduces a corporation’s abil­ity to install appro­pri­ate safe­guards on devices attached to the cor­po­rate network.
  • Fire­walls can­not pro­tect against actions by mali­cious, dis­grun­tled or mis­guided employ­ees and con­trac­tors hav­ing legit­i­mate access to the cor­po­rate net­work. In the recently released report ” Under­stand The State Of Data Secu­rity And Pri­vacy: 2012 To 2013, Indus­try Ana­lyst For­rester Group esti­mates that about 33% of all cases of mali­cious data thefts are per­formed by insid­ers with legit­i­mate access to the network.

Cor­po­ra­tions there­fore need a sec­ond layer of defense – pro­tec­tion against threats from inside the cor­po­rate net­work as well as out­side intrud­ers that have pen­e­trated the fire­wall. Reli­able pro­tec­tion can only be achieved by secur­ing each sys­tem – espe­cially servers hold­ing sen­si­tive data – as if there were no fire­wall at all.