Understanding the Impact an FTP Data Breach Can Have on Your Business

TABLE OF CONTENTS

1. Introduction
2. Major data loss incidents occur daily with disastrous and costly results
3. FTP: The Achilles Heel
4. FTP: Inherently Non-Secure
5. The Alternatives
6. References
7. About TIBCO

Abstract: With more and more high-profile data breaches being reported every day, organizations are being forced to take stock of how they secure and integrate data. Few business events can damage your relationship with customers or derail your business success as drastically as a major data breach. Companies must consider how they may be at risk and implement best practices to mitigate the danger. This TIBCO brief looks at recent data breaches, identifying common points of corporate exposure and ways to eliminate risk.

1. Introduction

In a recent information security survey [1] conducted by InformationWeek, only one-third of U.S. respondents cited preventing breaches as their biggest security challenge. At the same time, two-thirds of the respondents indicated that they feel at least as vulnerable to security attacks as they did last year. Why aren't companies significantly more worried about lost or stolen company and customer data?

IT organizations often devote significant resources to combating viruses and worms, spyware and malware, and spam. While these problems can cause major disruptions to your network, infect or corrupt files, and exploit your systems in other ways, none can damage your company's business success and harm your relationship with customers as drastically as a major data breach. Minimizing the effect of viruses, worms, spyware, malware and spam can reduce your headaches, but ignoring open ports on FTP servers can easily result in data hemorrhaging from your company's vital systems, even causing irreparable harm to your market position.

2. Major data loss incidents occur daily with disastrous and costly results

In a highly publicized case, retailer TJX may be facing anywhere from $500 million to nearly $1 billion in expenses as a result of a data breach [2]. Over 45 million credit and debit card numbers were downloaded by identity thieves.

A Ponemon Institute benchmark survey [3] examined the costs incurred by 35 companies that experienced a data breach and lost protected personal information. Breaches in this survey came from 15 industry sectors and ranged from fewer than 4,000 to more than 125,000 records. The survey found that costs averaged more than $6.3 million per breach, ranging from $225,000 to almost $35 million. A U.S. Department of Justice study [4] determined that the average loss per data breach incident was $1.5 million. Compounding this variance in the cost of a breach, a recent Forrester survey [5] indicated that 25% of respondents did not know, or did not know how to determine, the cost of data security breaches. What does seem clear is that a data breach carries a very significant, and sometimes devastating, cost.

3. FTP: The Achilles Heel

If your organization uses FTP (File Transfer Protocol) to transfer data from one computer to another, you are at real risk of a data breach and of losing critical customer and company information. Why does FTP have the potential to be so dangerous? FTP is used extensively in business with little oversight, and as a result it can literally be taken for granted and easily becomes subject to carelessness. For example, sharing information with a business partner via FTP leaves it vulnerable to a data breach. Someone in another department of your organization could bring up an FTP server, making the data on that system vulnerable. The worst part of these scenarios is that you may not even be aware that an intrusion has occurred.

FTP file exchanges pose a tremendous risk of data breach and intrusion by hackers.

How real is this risk? The Associated Press recently obtained detailed schematics of a military detainee holding facility in southern Iraq, geographical surveys and aerial photographs of two military airfields outside Baghdad, and plans for a new fuel farm at Bagram Air Base in Afghanistan. They were able to download this need-to-know information in several sessions; the data had been posted carelessly to FTP file servers by government agencies and contractors.

Mike Baker, Associated Press writer, wrote [6]: "The posting of private material on publicly available FTP servers is a familiar problem to security experts hired by companies to secure and police the actions of employees who aren't always tech-savvy. They [security experts] said files that never should appear online are often left unprotected by inexperienced or careless users who don't know better." Mr. Baker went on to say, "File transfer protocol is a relatively old technology that makes files available on the Internet [or a network]. It remains popular for its simplicity, efficiency and low cost."

The information obtained by the AP is sensitive and could pose a direct threat to U.S. troops. But what about the threat that information on an unsecured FTP server could pose to a business like yours? Consider a few other recent FTP exposures:

- CardSystems, which processed credit card transactions for nearly 120,000 merchants totaling more than $18 billion annually, was essentially forced out of business after 40 million identities were exposed. Amex and Visa told CardSystems that they would no longer do business with the company.
- 54,000 records were stolen from Newcastle City Council.
- An unsecured document was exposed on the New Mexico Administrative Office of the Courts FTP server; it contained names, birth dates, SSNs, home addresses and other personal information of judicial branch employees.
- The Hacker Webzine reports that Fox News had an exposed FTP connection linking out to Ziff Davis.
- The personal information of uniformed service members and their family members was exposed on an FTP server while being processed by major Department of Defense (DoD) contractor SAIC. As many as 867,000 individuals may have been affected.

4. FTP: Inherently Non-Secure

FTP is a protocol for transferring files to or from another computer over any network that supports TCP/IP, such as the Internet or an intranet. Two computers are involved in an FTP transfer: the FTP server, running FTP server software, and a client, running FTP client software. The client initiates the connection to the server, and once connected it uploads files to the server or downloads files from it. The FTP protocol also allows files to be transferred directly from one FTP server to another.

The original FTP protocol is an inherently easy but insecure way to transfer files. It contains a number of mechanisms that can be exploited to compromise security:

- The FTP specification allows a client to instruct a server to send files to a third computer. Known as proxy FTP, this feature causes a well-known security problem, since a server can be instructed to send data to a port on a third computer that was never intended to receive the transfer.
- There is no provision for encrypting data during transfer. Passwords and files are transferred in clear text and can be easily read.
- The specification permits an unlimited number of attempts to enter a password, facilitating password-guessing attacks on the system.

Because the FTP protocol is an open standard, it is fairly easy to create FTP server or client software. Most computer platforms support FTP, so any computer connected to a TCP/IP network can manipulate files on any other computer on that network that permits FTP access, virtually regardless of the operating system used. A client can also manipulate files on the server by renaming or even deleting them.

The FTP protocol uses two channels: a control channel and a data channel. The connection method can be either active or passive. In active mode, the client specifies how the transfer is done by choosing a local port and telling the server to send data to that port. The server initiates a connection from port 20 and sends data to the port specified by the client. Firewalls must allow these incoming connections from port 20, and hackers can scan the server by initiating connections from port 20. In passive mode, the FTP server opens a random port and sends the client the server's IP address and port to connect to. The server chooses a port that has been incremented by one from the last new connection. The server then waits for the connection from the FTP client. Since the client initiates the connection, it is not necessary to open holes in the firewall for incoming connections. But because the server waits for the client to connect after it has opened a port, a hacker has the opportunity to connect instead of the intended user and gain access to the files.

FTP is not a good method for transferring files when authentication is required or when the data is sensitive. If a file transfer is interrupted, the receiver has no way to determine whether they have received the entire file. Basically, FTP is an unreliable way to conduct critical business communications. Its ease of operation comes with a huge risk and potential cost from data breaches, attacks by hackers and disgruntled employees, and lack of security compliance. Companies using FTP for data transfer aren't even always aware of the amount of unsecured activity that is going on. Are some of your company's information assets sitting out on a network on an unsecured FTP server, or on an unsecured FTP server of a business partner? In these instances, you will probably never know what's happening with your data. Ignorance, in this case, is not bliss.

5. The Alternatives

There are ways to secure FTP servers, such as FTP over SSH or over SSL. These solutions address security by encrypting messages between the client and the server, but they do not provide automation, management, and control of the file transfer process. In addition, they often require complicated scripting, presenting a drain on an organization's IT resources.

If you need to transfer files beyond just public downloads, a managed file transfer (MFT) solution will provide total control and visibility of your file-based business processes, with every business process documented, auditable, and accountable. MFT is now a strategic necessity, the linchpin of an overall business information strategy within your company and between your business partners.

An integrated MFT solution lets an organization impose security and control over all the enterprise's file-based processes. It is imperative for any organization to be able to get data to the right place, at the right time, in the right format, with guaranteed delivery, while ensuring its security at every step. A leading analyst firm notes that a managed file transfer deployment should be part of an overall integration strategy. Managed file transfer is a critical infrastructure decision, one that you should have to make only once when you implement the correct solution to support your business objectives.
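The weaknesses listed in section 4 above (clear-text credentials, unlimited password attempts, proxy FTP via the PORT command, and the active/passive data-channel modes) are all visible on the FTP control channel, which is also where a defender can detect them. The following Python script is an added example and is not part of the TIBCO paper: it parses a constructed client/server transcript and reports those indicators. The host name, addresses, user name, password and file names in the transcript are constructed sample values, and the failed-login threshold is an assumed local policy rather than anything the paper specifies.

```python
"""Detection pass over an FTP control-channel transcript.

Added example (not from the TIBCO paper). It parses a constructed
client/server exchange and flags the weaknesses the paper describes:
clear-text credentials, repeated failed PASS attempts (the protocol
imposes no lockout), PORT commands that direct the data connection to a
host other than the client (proxy / third-party FTP), and the passive
ports the server handed out. All names and addresses are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed transcript: "C>" is client -> server, "S>" is server -> client.
SAMPLE_SESSION = """\
S> 220 ftp.example.test FTP server ready
C> USER ftpuser
S> 331 Password required for ftpuser
C> PASS wrong1
S> 530 Login incorrect
C> PASS wrong2
S> 530 Login incorrect
C> PASS wrong3
S> 530 Login incorrect
C> PASS Summer2010
S> 230 User ftpuser logged in
C> PORT 203,0,113,9,0,21
S> 200 PORT command successful
C> RETR payroll.csv
S> 150 Opening BINARY mode data connection
S> 226 Transfer complete
C> PASV
S> 227 Entering Passive Mode (198,51,100,7,195,80)
C> RETR customers.csv
S> 226 Transfer complete
C> QUIT
S> 221 Goodbye
"""

CLIENT_IP = "198.51.100.25"   # constructed: address the control connection came from
FAILED_PASS_THRESHOLD = 3     # assumed local policy, not from the paper


@dataclass
class Findings:
    cleartext_credentials: list = field(default_factory=list)  # (user, password) pairs
    failed_logins: int = 0                                      # count of 530 replies
    bounce_targets: list = field(default_factory=list)          # (host, port) != client
    active_ports: list = field(default_factory=list)            # ports named in PORT
    passive_ports: list = field(default_factory=list)           # ports named in 227 replies
    transfers: list = field(default_factory=list)               # (verb, filename)
    alerts: list = field(default_factory=list)


def decode_hostport(arg):
    """Turn 'h1,h2,h3,h4,p1,p2' (PORT argument or 227 reply) into (ip, port)."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6:
        raise ValueError("expected six comma-separated values")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def analyze_session(text, client_ip):
    f = Findings()
    user = None
    for line in text.splitlines():
        direction, _, payload = line.partition("> ")
        if direction == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                # Visible to anyone on the path: FTP has no encryption.
                f.cleartext_credentials.append((user, arg))
            elif verb == "PORT":
                host, port = decode_hostport(arg)
                f.active_ports.append(port)
                if host != client_ip:
                    # Data connection requested to a third host: proxy-FTP pattern.
                    f.bounce_targets.append((host, port))
            elif verb in ("RETR", "STOR"):
                f.transfers.append((verb, arg))
        elif direction == "S":
            code = payload[:3]
            if code == "530":
                f.failed_logins += 1
            elif code == "227":
                m = re.search(r"\((\d+(?:,\d+){5})\)", payload)
                if m:
                    f.passive_ports.append(decode_hostport(m.group(1))[1])
    if f.cleartext_credentials:
        f.alerts.append("credentials sent in clear text")
    if f.failed_logins >= FAILED_PASS_THRESHOLD:
        f.alerts.append(f"{f.failed_logins} failed PASS attempts in one session")
    if f.bounce_targets:
        f.alerts.append(f"PORT directed data to third host {f.bounce_targets[0][0]}")
    return f


if __name__ == "__main__":
    result = analyze_session(SAMPLE_SESSION, CLIENT_IP)
    for alert in result.alerts:
        print("ALERT:", alert)
    print("transfers:", result.transfers)
```

In practice the transcript would come from a packet capture or the server's own log; the fact that such a pass can read every user name, password and file name is exactly the exposure section 4 describes. The same logic run over an FTP-over-SSH or FTP-over-SSL session sees nothing but the encrypted stream, which is why section 5 points to those protocols, and to managed file transfer on top of them, as the remedy.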

6. REFERENCES

1. Larry Greenemeier, "IT Security: The Data Theft Time Bomb," InformationWeek, July 14, 2007
2. Andy Patrizio, "How TJX Became a Lesson in Proper Security," Enterprise, December 5, 2007
3. Ponemon Institute, LLC, "2007 Annual Study: U.S. Cost of a Data Breach," November 2007 (sponsored by Vontu, Inc. and PGP Corporation)
4. Trusted Strategies, L.L.C., "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006," August 28, 2006 (commissioned by Phoenix Technologies, Ltd.)
5. Khalid Kark, "Calculating The Cost Of a Security Breach," Forrester Research, Inc., April 10, 2007
6. Mike Baker, "Military Files Left Unprotected Online," Associated Press, July 12, 2007

7. About TIBCO

TIBCO Software Inc. (NASDAQ: TIBX) is a provider of infrastructure software for companies to use on-premise or as part of cloud computing environments. Whether it's efficient claims or trade processing, cross-selling products based on real-time customer behavior, or averting a crisis before it happens, TIBCO provides companies the two-second advantage(TM): the ability to capture the right information, at the right time, and act on it preemptively for a competitive advantage. More than 4,000 customers worldwide rely on TIBCO to manage information, decisions, processes and applications in real time. Learn more at www.tibco.com.

TIBCO Managed File Transfer Suite: TIBCO MFT connects people, processes and information, thereby promoting and strengthening the value chain among your partners, customers, and employees both inside and outside of the enterprise.

Global Headquarters
3303 Hillview Avenue
Palo Alto, CA 94304
Tel: +1 650-846-1000, +1 800-420-8450
Fax: +1 650-846-1005
www.tibco.com

© 2010. TIBCO, TIBCO Software, and The Two-Second Advantage are trademarks or registered trademarks of TIBCO Software Inc. and its subsidiaries in the United States and/or other countries. All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.