This Thursday, January 28th is Data Privacy Day (aka Data Protection Day in Europe).  The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. To honor Data Privacy Day, here are some ways you can protect personal healthcare information (PHI) in-motion, an area of focus for healthcare IT teams handling PHI.

Personal Healthcare Info is a Hacker’s Dream

PHI is considered to be the most sought after data by cyber criminals in 2016. Hackers are moving away from other forms of cyber crime such as that which targets bank accounts. Instead they are focusing more on PHI due to the amount of data contained within it. Valuable data within PHI includes social security numbers, insurance policy info, credit card info, and more.

The lack of a consistent approach to data security throughout the healthcare industry also makes healthcare data easier to obtain. The easier it is to steal, the more lucrative the data becomes to hackers. The healthcare industry has had less time than others to adapt to growing security vulnerabilities, and online criminals don’t take long to take notice.

GDPR and the End of Safe Harbor

It’s not news that governments around the globe are doing their part to promote data privacy. They are doing this by legislating data protection of personal data, and reinforcing it with significant penalties for non-compliance. Check out the recent agreement on the European Data Protection Regulation as the most recent example.

What is changing, however, is the rapid growth in data integration across the open Internet between hospitals, service providers like payment processors, insurance companies, government agencies, cloud applications and health information exchanges.  The borderless enterprise is a fact of life.

Using Encryption to Meet Data Privacy Regulations

It’s well known that a security strategy focused on perimeter defense is not good enough. For one reason, healthcare data must move outside its trusted network.  Encryption is the best means to limit access to protected data, since only those with the encryption key can read it. But there are other factors to look at when considering technology to protect data in motion, particularly when compliance with HIPAA or other governmental data privacy regulations is an issue.

Briefly, when evaluating cyphers for file encryption, such as the AES cypher described in FIPS 197, it’s important to consider key size (e.g. 128, 192 or 256 bit), which affects security. It’s also worth considering products with FIPS 140-2 certified cyphers accredited for use by the US government as an added measure of confidence.

Here are several other things to consider to protect data in motion and ensure compliance:

  • End-to-end encryption: Encrypting files while in transit and at rest protects data on trusted servers from access via malware or malicious agents with secure access to the trusted network
  • Visibility for audit: Reports and dashboards to provide centralized access to all transfer activity across the organization can reduce audit time and improve compliance
  • Integration with organizational user directories: LDAP or SAML 2 integration to user directories or identity provider solutions not only improves access control and reduces administrative tasks, but can also provide single sign-on capability and multi-factor authentication
  • Integration with other IT controls: While data integration extends beyond perimeter defense systems, consider integrating with data scanning systems. Antivirus protects your network from malware in incoming files and Data Loss Prevention (DLP) stops protected data from leaving.
  • End-point access to data integration services: There are more constituents than ever that participate in data exchange. Each has unique needs and likely requires one or more of the following services:
    • Secure file transfer from any device or platform
    • Access status of data movement to manage Service Level Agreements (SLAs)
    • Schedule or monitor pre-defined automated transfer activities
  • Access control: With the growing number of participants, including those outside the company, it’s more important than ever to carefully manage access with role-based security, ensuring each has appropriate access to the required data and services.
  • File transfer automation: Automation can eliminate misdirected transfers by employees and external access to the trusted network. Using a file transfer automation tool can also significantly reduce IT administration time and backlog for business integration process enhancement requests.

Become Privacy Safe Starting with This Webinar

Protecting PHI within the healthcare system doesn’t have to be painful for hospital administrators or doctors to appropriately access PHI, but it does mean having the right technology and good training in place. And in honor of Data Privacy Day, don’t you want to tell your customers that their data is safe? You will be one step closer by signing up to tomorrow’s live webinar.

Learn how you can implement health data privacy controls to secure your healthcare data >> Register Here

For more on this topic, register to hear David Lacey, former CISO and security expert who drafted the original text behind ISO 27001, speak about implementing HIPAA and other healthcare security controls with a managed file transfer solution.

Web security consists of multiple moving parts that can move in opposite directions. As a result, actions or technologies that improve one aspect of security may weaken another. Some enhancements might end up compromising your overall Web security.

An entanglement of just this sort builds even more complexity around the issue of government monitoring. Should Web traffic be limited in how much merits encryption? Should law enforcement have “back door” access to encrypted activity? More to the point, what are the security implications of these policies or standards with respect to your department?

This concern isn’t about government traffic monitoring in general, however strong (and mixed) many people’s feelings may be about the government monitoring personal content. Your questions relating to encryption are narrower and less ideological, in a sense, because they carry profound implications for your company’s Web security.

A Double-Edged Sword

Online encryption wars are not new; as Cat Zakrzewski reports at TechCrunch, the debate goes back two decades. With so many growing more concerned about Web security, though, the issue has new urgency. In a nutshell: It is widely agreed in cybersecurity that encryption — particularly end-to-end encryption — is one of the most powerful tools in your infosec toolbox. For thieves, stolen data is a worthless jumble if they can’t read it. That’s the point of encryption.

End-to-end encryption provides a layer of protection to data over its full journey, from sender to recipient. Wherever thieves may intercept it along the way, all they can steal is gibberish. Law enforcement’s concern about this depth of encryption, however, is that anyone can use it — from terrorists to common criminals, both of whom have particularly strong reason to avoid being overheard. Moreover, new categories of malware, such as ransomware, work by encrypting the victim’s data so the blackmailer can then demand assets before decrypting it to make it usable again.

For Whom the Key Works

This problem is difficult, but not unusual: If lockboxes are available, cybercriminals can use them to protect their own nefarious secrets. The effective legal response is to then require that all lawfully sold lockboxes come with a universal passkey available to the police, who can then open them. There’s your back-door access.

But that’s where things get complicated. If a universal passkey for back-door access exists, it could potentially fall into the hands of unauthorized users — who can use it to read any encrypted message they intercept. Your personal mail, your bank’s account records, whatever they get access to.

(The NSA and its affiliates abroad can build their own encryption engines without this vulnerability, but such high-powered technology isn’t cheap — beyond the means of most criminals, terrorists and the like, of course.)

More Keys, More Endpoints

A special passkey available to law enforcement would presumably be very closely held, and not the sort of thing bad actors are likely to get their hands on by compromising an FBI clerk’s computer. But the primary concern in cybersecurity is that the software mods needed to provide a back door would make encryption less robust. This means encryption will be less effective for all uses, even the most legitimate ones.

In essence, a lock that two different keys can open is inherently easier for a burglar to pick. According to Reuters, White House cybersecurity coordinator Michael Daniel acknowledged he knew no one in the security community who agreed with him that a back door wouldn’t compromise encryption.

Crucially, this problem is independent of any concern about the governmental misuse of back-door decryption technology. Even if no government agency ever used the back door to decrypt a message, its existence makes it possible for a third party to reverse-engineer the key, or exploit a subtle bug in the backdoor functionality — thus enabling them to read the once-encrypted messages.

Encryption isn’t an absolute security protection; nothing is. But it is one of the most powerful security tools available, and your team is rightfully concerned about the risks of compromising it.

Don’t look now, but you and your IT team may be in the trucking and secure-transport business. And naturally, you’ll need end-to-end encryption.

Every day, your business is a virtual loading dock, packaging data and shipping it out to users who, now, have more than one way to receive it. All of it is valuable, or you wouldn’t be transferring it. And much of it is highly sensitive, filled with your intellectual property and your customers’ financial information.

With respect to file transfer, you’re probably transferring larger files (and more of them). With respect to the cloud, much of this file warehousing takes place at remote locations where your data gets trucked over the Web. And with regard to today’s highly sophisticated cybercrime rings, hackers would love to get their hands on it before it hits its destination. Securing it for transit with end-to-end encryption is, without a doubt, a pretty darn good idea.

What Is End-to-End Encryption?

What exactly is end-to-end encryption? Wired’s Andy Greenberg said it best: a procedure in which “messages are encrypted in a way that allows only the unique recipient of a message to decrypt it, and not anyone in between.”

The servers that forward the file along the pipeline act as “illiterate messengers” passing along messages whose contents they can’t read themselves. More specifically, this form of encryption relies on public-key cryptography, wherein the user provides a public key that anyone can use to encrypt a message. However, only the user’s personal key can decrypt it to read the information.

To put it another way, the truck drivers don’t carry a key to the trailer’s cargo door, so they can’t be tricked or suborned into letting the truck get pilfered.

Data Protection Is In Your Hands

Vendors promise to encrypt files in transit, but this means the trucking company holds the key to the data, not you. Their security may be excellent, but you don’t have control over it. What’s this mean? You shouldn’t rely solely on their protection.

The list of big-enterprise breaches keeps growing, Target and Sony falling victim to two of the most spectacular as of late. Regarding a recent hack of British telecom carrier, TalkTalk, Jeff Goldman at eSecurity Planet quotes one security specialist’s advice: “Any company that collects, stores or transmits personal information needs to encrypt that data at rest and in transit.”

Apart from shipping your data on storage media in a physical lockbox, encryption is the only tool that can protect your data while it is in someone else’s possession.

Encryption Helps After Data Theft Has Occurred

The use of encryption points to a couple of fundamental points about security. One is that no security technology, including this one, is invulnerable. A so-called man-in-the-middle attack can trick senders into using the attacker’s public key rather than that of the intended recipient. Or, an attacker can hack your own computer and simply steal your private key.

These security measures can’t make data theft impossible; rather, it’s all about making data theft as difficult as possible. Encryption increases the chance that even if data is physically stolen, those behind it will be unable to read or use it.

Keep in mind that the subjective nature of security means there’s nothing wrong with adding multiple layers of protection. As noted at ZDNet, security experts consider it best practice to encrypt data in this way at all times — at rest as well as in transit. End-to-end encryption works particularly well in the latter, adding that critical extra layer of protection while data is out on the open superhighway and exposed to the world’s most precise attacks. Don’t let your data leave home without it.

In a recent webinar, “What’s the Future of Your FTP?”, I looked at the key regulatory compliance features within file transfer solutions. Requirements for protecting data being transferred internally or externally vary, but there are commonalities across industry regulations, national and state laws, and security specs.

I identified the ISO 27001 Control groups relevant to file transfer and mapped them to the following regulations: PCI DSS, HIPAA (section 164), SOX, Basel II/III, and FFIEC (Exam Handbook Page). The right file transfer technology can help organizations satisfy requirements across a range of controls including policy, access control, encryption, and business continuity.

Risk Assessment Justifies Expenditures

A risk assessment will help prioritize organizational weaknesses and justify technology expenditures to best meet critical needs.  Your risk assessment will likely identify:

  • Types of data that require protection such as personally identifiable information or corporate financial data
  • Common vulnerabilities like a lack of encryption or of confirmation of the receipt of a file transfer
  • Typical risks associated with file transfers such as transfer failures, data loss, or data breach

Your next step might be to identify the biggest risks for your infrastructure. Then assess and rank identified risks. Finally, define mitigating controls for the highest priority risks.

The Most Useful Managed File Transfer Technology Features

Consider what managed file transfer can do (below) to identify cost-effective mitigation controls for prioritized risks. When evaluating the relative importance of each feature, consider ease of use (for both administrators and end-users), and ability to integrate with other systems.

  • Authorization, authentication and access control: Consider the need for non-repudiation, single sign-on, and integration to user management services like Active Directory/LDAP or SAML (two identity provider solutions).
  • Logging and reporting: Implement a centralized scalable repository for automated report generation and distribution, and protect end user access to logs and reports.
  • Encryption: For encryption in transit and encryption at rest, consider using AES 256-bit and SHA 512 file integrity. Use TLS instead of SSL protocols since PCI DSS no longer recognizes SSL or early TLS versions as strong cryptography due to identified vulnerabilities like Heartbleed
  • File management and disposition: Use automated disposition rules like file compression and encryption before a transfer and file deletion after a specified time limit after a transfer
  • Data scanning: Add integration to anti-virus (AV) or data loss prevention (DLP) solutions
  • Policy enforcement: Dictate and enforce password policies, lockout rules, and alerts/notifications
  • Failover and disaster recovery: Use single server failover and automated failover to remote locations in order to meet SLAs of zero downtime and to prevent data loss
  • Client flexibility: Set up FTP client support, email client, and web browsers

Watch the full webinar for more details like:

  • Full list of managed file transfer technology features as options for risk mitigation controls
  • Overview of recent regulatory changes
  • ISO 27001 IT controls mapped to key regulations and specifications

For the second installment of my three-part series on file transfer encryption for Ipswitch, I’ll go a little deeper into the how-to’s. (These posts are based on a recent webinar I did with the folks here, available for replay.)

Understanding the basics of file transfer encryption is absolutely critical for securing your file transfer data. However, solely understanding the basics won’t do you much good. You also must understand how exactly you can use it to secure your company’s most private files, and to create an exceptional trail with an unbroken chain of custody.

How will you use encryption?

The type of encryption being used is not as important as how the encryption is done. You must understand how the keys are managed, and the proclivity for files’ encrypted copies to become lost and to fall into the wrong hands.

Utilizing a fairly modern encryption algorithm or product (such as PGP) is a great start, but what it really boils down to is the key handling and execution. If this process is too complicated then someone will end up bypassing it and, most likely, utilize another application (such as Dropbox). This means that every step you took to privatize and secure your data is completely lost. You have completely circumvented the PGP encryption.

Keeping your data integrity

Many of these transaction files have direct financial impact. As scary as this will sound, unauthorized modification of a transaction is one of the easiest ways to commit fraud.

There is no “one size fits all” for data integrity and file transfer. You have to support the different protocols and types of encryption based on what works best for your company specifically. Although PGP provides data integrity – it enables the user to sign the data and the file to ensure that it wasn’t modified while in transit – it’s just a part of the solution.

Some organizations choose to utilize manual tracking in order to ensure that their checksums are not tampered with at the end of a transaction. However, this completely stands in the way of automation and slows down the process.

Utilizing access control

How different parties access and upload their personal files, while not giving access to other parties’ files, can become incredibly complicated. Many companies find that it becomes even more difficult when they’re using FTP or custom web applications. Here, if you get past the first level of security, then generally everyone can receive access to everyone else’s files.

Utilizing access controls for both passwords and accounts is critical. If you don’t have a policy built in then your company becomes very vulnerable to attack. But if you do have a policy, be sure to think about how you will be able to unlock accounts when they become mistakenly locked. Also bear in mind that FTP and custom applications are found to be very insecure as well. There is rudimentary authentication in both and many, many holes.

Understanding compliance auditing requirements

Anything that comes into compliance brings with it the need to be auditable, or the ability to have a regular trail to track. You must be able to show each access and operation on a file: downloads, uploads, when it was deleted, when it was encrypted, if/when it was decrypted, when it was deleted after being decrypted, etc.

If you choose to use FTP then you will have an audit trail in both your FTP logs and in the file system for the files exposed to FTP. However, relying on native auditing like this will be extremely difficult because the information is fragmented, making it extremely cryptic and difficult to interpret – let alone correlate – with one another. Custom web apps are difficult to use because there is no audit log. You will have to employ someone to modify the code to include this tracking capability.
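
One way to get a single trail for the operations listed above, as an added example (not code from the original post or from any product): every upload, download, decrypt or delete becomes one record whose hash covers the previous record, so an edited or removed entry breaks the chain. The field names, users and file names are constructed, and the hash chaining is an assumption of this example rather than something the post prescribes.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first record


def record_hash(body):
    """SHA-256 over canonical JSON, so identical records always hash identically."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def append_event(trail, ts, user, action, filename, source):
    """Append one file operation; its hash covers the previous record's hash."""
    body = {
        "seq": len(trail), "ts": ts, "user": user, "action": action,
        "file": filename, "source": source,
        "prev": trail[-1]["hash"] if trail else GENESIS,
    }
    trail.append(dict(body, hash=record_hash(body)))
    return trail[-1]["hash"]  # head hash: keep a copy where the log writer cannot edit it


def verify_chain(trail, expected_head=None):
    """Return None if intact, else the index where the chain first breaks.

    A trail cut short at the end still chains correctly, so truncation is only
    caught by comparing against a separately stored head hash.
    """
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or record_hash(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(trail)
    return None


def plaintext_left_behind(trail):
    """Files that were decrypted but have no later 'delete' event."""
    pending = {}
    for rec in trail:
        if rec["action"] == "decrypt":
            pending[rec["file"]] = rec["ts"]
        elif rec["action"] == "delete":
            pending.pop(rec["file"], None)
    return sorted(pending)


def history(trail, filename):
    """Every recorded operation on one file, in order, whatever system logged it."""
    return [(r["ts"], r["user"], r["action"], r["source"])
            for r in trail if r["file"] == filename]


# Constructed sample events; in practice they would come from the transfer
# server log, the encryption job and the file system, normalized to one shape.
SAMPLE_EVENTS = [
    ("2016-01-28T09:00:00Z", "partner_a", "upload", "claims_0128.csv", "sftp"),
    ("2016-01-28T09:00:04Z", "svc_transfer", "decrypt", "claims_0128.csv", "pgp-job"),
    ("2016-01-28T09:05:10Z", "billing_01", "download", "claims_0128.csv", "https"),
    ("2016-01-28T09:30:00Z", "svc_transfer", "delete", "claims_0128.csv", "retention"),
    ("2016-01-28T10:12:00Z", "partner_b", "upload", "remit_0128.csv", "sftp"),
    ("2016-01-28T10:12:03Z", "svc_transfer", "decrypt", "remit_0128.csv", "pgp-job"),
]


def build_sample_trail():
    trail, head = [], GENESIS
    for event in SAMPLE_EVENTS:
        head = append_event(trail, *event)
    return trail, head


if __name__ == "__main__":
    trail, head = build_sample_trail()
    print("chain break at:", verify_chain(trail, head))
    print("decrypted, never deleted:", plaintext_left_behind(trail))
    for row in history(trail, "claims_0128.csv"):
        print(row)
```

The chain only proves the records are unaltered relative to the stored head hash, so that value has to live outside the system that writes the log.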

What do you find the most difficult about auditing data for a file transfer? Be sure to leave your thoughts in the comments section below.

Next Steps

If you’re interested in learning more about encryption and file transfer security, be sure to check out the full webinar by clicking here.

And you’re always welcome to visit my own site (UltimateWindowsSecurity.com) for news and analysis.

Randy Franklin Smith
Click here to access replay the “File Transfer Security: Top 8 Risks to Assess & Address” webinar

My name is Randy Franklin Smith and I’m guest blogging a three-part series on file transfer security for Ipswitch, starting today with the importance of file transfer encryption. These posts are based on a recent webinar I did with the folks here, available for replay if you like.

Encryption Options

The Internet is a scary place for businesses, which is obviously why many are paying closer attention to best practices for securing their file transfers. Among those best practices: encryption. Basically, there are three options for encrypting file transfer data: FTPS, SFTP and HTTPS. All three are heavily used for internal to external, or business to business, transfers.

The fastest of the three and the most widely implemented option is FTPS, or FTP over SSL. However, it has both implicit and explicit modes, and a range of data ports must be available for use, whereas SFTP only requires one port, making it one of the simpler options for encryption.

On the other hand, while FTPS and SFTP are great to use within servers, HTTPS is better for interactive, human-based transfers. Ultimately, all three of these options (FTPS, SFTP and HTTPS) will automatically and transparently encrypt a company’s data and protect it from being sniffed as it’s traversing the Internet. It just boils down to your specific company’s needs for which one is right for you.

Why It’s Crucial to Encrypt Data at Rest …

Not only is it important to encrypt data as you transfer files from one server to the next, but it is equally important to protect and encrypt this data as it rests on your home server. Why? Two reasons. One, data exchange files are particularly vulnerable because they are in a very easily consumed format. Encrypting this resting file adds a new level of protection against potential hackers. Two, file transfer servers on the internet are more exposed to an attack.

By encrypting data at rest, the hacker would not only have to break into the server, but they would also have to find the key to decrypt the data. This will make their task longer and more strenuous, and gives your organization ample time to notify the authorities and track down the hacker.

Yes, your company may be utilizing a firewall, DMZ or a reverse proxy, but even with these things in place you’re still relatively exposed because all three are connected to the outside world, while a file transfer is not. In this day of cyber theft, it’s important for organizations to take a strategic and defensive approach by protecting their data – regardless of whether it is in motion or at rest.

Data That May Be Accessed By or Shared With Third Parties

When a company shares a file with another company, they typically are using a storage vendor that has automatic encryption. However, these storage vendors typically require that all of your users are authenticated to a domain before use. So what happens when you need to transfer a file to a company that has not been authenticated? What options do you have? Must you only work with vendors that have been authenticated? Your company will need a different way of ensuring that the files, both being transferred and at rest, are encrypted.

Most companies have a policy in place that every file needs to be encrypted before it’s transferred, typically using PGP. PGP is a failsafe for companies to ensure that if someone uploads a file, that it’s encrypted without the third party having to be tech-savvy and implementing it. However, while PGP is valuable, there is the potential that something will break and the file won’t be PGP encrypted.

Is PGP Alone Good Enough to Manage File Security?

So what happens when PGP breaks? Or better yet, is PGP strong enough to protect a company’s most crucial and private files? Many customers leverage PGP and praise its effectiveness. And, yes, PGP is incredibly effective in the hands of security experts and practitioners. These professionals understand security cyphers and keys, and know how to fix something if it breaks.

However, for the less tech-savvy among us, what happens is a scenario similar to this: We are given a login for decrypting a file transfer. If we are unable to figure it out, we typically ask someone else in the office for help. Now this code is no longer private, because someone else has been given access.

Simply put, you wouldn’t implement a firewall and state that your entire network is safe. No, you would take precautionary measures to assure your employees and your customers that your system is secure. And this is exactly how PGP should be treated. You should have PGP in place, but you should also take the extra security measures to ensure that your network is protected.

Next Steps

If you’re interested in learning more about encryption and file transfer security, be sure to check out the full webinar by clicking here.

And you’re always welcome to visit my own site (UltimateWindowsSecurity.com) for news and analysis.

Randy Franklin Smith

When you’re moving files containing sensitive information, you want to make sure it’s encrypted and not available to prying eyes, whether the data is at rest or in motion. A proven way to protect files before, during, and after transfer is via PGP file encryption. In this post, I’ll go through key considerations for PGP, as well as the importance of integrity checking.

First, a brief definition of PGP: this program for encryption and decryption uses a public key model. In this model, one party shares its public key with other parties, who use it to encrypt the data, and then uses its private key to decrypt the data. Here is an expanded definition of PGP.

Now on to five areas to consider for PGP:

1) Don’t let PGP bog down processes. Perhaps your company wants to maintain its current processes involving PGP or needs to continue supporting PGP because your business partners use it. No matter how PGP is being used as part of the file-transfer process, it’s important to ensure that the process doesn’t get slowed down because of the signing, encryption, decryption and key exchange steps.

2) Make it easy to use PGP. Many PGP libraries – and the associated encrypting/decrypting process – are command-line driven. As a result, it can be tedious to use them. But some products allow you to manage PGP from a GUI, which is a desirable option for most organizations and users who need to manage the process.

3) Ensure interoperability. In addition, you want to ensure you can easily and securely share files with any company. To do that, you not only need to support their encryption method of choice, but all possible encryption libraries. The OpenPGP file encryption standard enables interoperability between most libraries, and is the preferred choice these days for PGP, so look for a solution that supports this.

4) PGP is optional. Organizations that adopt managed file transfer often recognize the ability to eliminate PGP encryption from the equation because they understand their files are being secured at the transport layer. That said, make sure your solution is using the strongest possible SSL or TLS ciphers during data transport.

5) Rule out file tampering. Part of ensuring files are securely transferred is to be able to validate that transferred files have not been compromised in any way either before, during or after transfer. Integrity checking uses hashing to verify that the file sent from the source is the same file received. In other words, it allows you to confirm that the file’s contents have not changed between the time it was sent and received – or during its subsequent storage.

You can perform integrity checking when using PGP if the sender signs the data. Look for a solution that lets you log all authentication integrity-checking details so you have an audit trail.
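
The integrity check described above, as an added example that is not part of the original post or of any product it mentions: the sender records a SHA-512 digest and a keyed HMAC-SHA512 tag for the file, and the receiver recomputes both. It uses an HMAC with a shared key in place of a PGP signature (an assumption of this example, chosen so it runs with the standard library), and it goes one step beyond the text by showing why a plain checksum stored next to the file is not enough on its own; the key and file contents are constructed.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024  # read in chunks so large transfer files are never fully in memory


def file_digests(path, key):
    """Return (sha512_hex, hmac_sha512_hex) for the file at path."""
    plain = hashlib.sha512()
    keyed = hmac.new(key, digestmod=hashlib.sha512)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            plain.update(chunk)
            keyed.update(chunk)
    return plain.hexdigest(), keyed.hexdigest()


def make_manifest(path, key):
    """Sender side: the values that travel alongside the file."""
    sha, tag = file_digests(path, key)
    return {"name": os.path.basename(path), "size": os.path.getsize(path),
            "sha512": sha, "hmac_sha512": tag}


def verify_transfer(path, manifest, key):
    """Receiver side: recompute both values and compare in constant time."""
    sha, tag = file_digests(path, key)
    return {
        "size_ok": os.path.getsize(path) == manifest["size"],
        "hash_ok": hmac.compare_digest(sha, manifest["sha512"]),
        "hmac_ok": hmac.compare_digest(tag, manifest["hmac_sha512"]),
    }


def demo():
    key = b"constructed-demo-key"  # assumption: exchanged out of band by both parties
    original = b"payee=ACME;amount=100.00\n"  # constructed transaction file
    altered = b"payee=ACME;amount=900.00\n"   # same length, different amount
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "payments.txt")
        with open(path, "wb") as fh:
            fh.write(original)
        manifest = make_manifest(path, key)
        results["clean"] = verify_transfer(path, manifest, key)

        # Case 2: file changed in transit or in storage, manifest untouched.
        with open(path, "wb") as fh:
            fh.write(altered)
        results["file_altered"] = verify_transfer(path, manifest, key)

        # Case 3: the plain checksum was rewritten along with the file.
        # Without the key, a matching HMAC tag cannot be produced.
        forged = dict(manifest, sha512=hashlib.sha512(altered).hexdigest())
        results["file_and_checksum_altered"] = verify_transfer(path, forged, key)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Logging the three booleans per transfer gives the audit trail of integrity-check results that the paragraph above asks for.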

Managed File Transfer & PGP
Advanced file transfer solutions take measures to address these concerns. Specifically, Managed File Transfer (MFT) systems can aid with PGP encryption and decryption by offering easy-to-use key management that allows administrators to import, export and create keys from a simple user interface. From there, these solutions should allow administrators to easily create automated processes with just a couple clicks to encrypt or decrypt files on a scheduled or event-driven basis. And they should make it possible to do all this while being fully audited and logged in one system.

Want to learn more about encryption, person-to-person file transfer, compliance, logging, and central management? Download this free eBook.

Ericka Chickowski did a nice job in her Dark Reading article on how old-fashioned FTP introduces unnecessary levels of compliance and security risks to organizations. And here’s an alarming data point from Harris Interactive – approximately 50% of organizations are currently using the FTP protocol to send and exchange files and data.

Talk of security concerns with FTP is certainly not new.  FTP was never designed to provide any type of encryption, making it possible for data to be compromised while in-transit.  A common answer for this is to use encrypted standards-based protocols such as SSL/FTPS and SSH/SFTP.

Luckily, modern managed file transfer solutions deliver not only the security you know your business requires, but also the visibility and control that IT needs to properly govern company information.

Ipswitch’s Greg Faubert offers his thoughts in the Dark Reading article:

“While FTP is a ubiquitous protocol, depending on it as a standard architecture for file exchange is a bad strategy…. The PCI standards look specifically at the security surrounding your FTP environment. It is a significant area of focus for auditors, and they will fail companies in their PCI audits for a lack of adequate controls.”

And yet, somehow, many organizations continue to rely on unencrypted FTP to transport mission-critical or sensitive information.  For those guilty, here are a few steps to help you get started in migrating away from antiquated FTP.  And don’t worry, it won’t be painful.

This morning I was asked if I recommended using transport encryption or file encryption to protect company files and data.

My answer:  “Use both of them, together!”

For starters, here’s a real quick summary of both encryption types:

  • Transport encryption (“data-in-transit”) protects the file as it travels over protocols such as FTPS (SSL), SFTP (SSH) and HTTPS.  Leading solutions use encryption strengths up to 256-bit.
  • File encryption (“data-at-rest”) encrypts an individual file so that if it ever ended up in someone else’s possession, they couldn’t open it or see the contents.  PGP is commonly used to encrypt files.

I believe that using both together provides a double-layer of protection.  The transport protects the files as they are moving…. And the PGP protects the file itself, especially important after it’s been moved and is sitting on a server, laptop, USB drive, smartphone or anywhere else.

Here’s an analogy:  Think of transport encryption as an armored truck that’s transporting money from say a retail store to a bank.  99.999% of the time that armored Brinks truck will securely transport your delivery without any incident.  But adding a second layer of protection – say you put the money in a safe before putting it in the truck – reduces the chance of compromise exponentially, both during and after transport.

One last piece of advice:  Ensure that your organization has stopped using the FTP protocol for transferring any type of confidential, private or sensitive information.  Although it’s an amazing accomplishment that FTP is still functional after 40 years, please please please realize that FTP does not provide any encryption or guaranteed delivery – not to mention that tactically deployed FTP servers scattered throughout your organization lack the visibility, management and enforcement capabilities that modern Managed File Transfer solutions deploy.
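The two layers combined in one transfer, as an added example that is not code from the original post or from any vendor: the file is PGP-encrypted first, then sent over FTPS with the data channel protected. The host, account, recipient key and the TLS 1.2 floor are assumptions of this sketch, and `gpg` must be installed with the recipient's public key in the keyring.

```python
import ssl
import subprocess
from ftplib import FTP_TLS
from pathlib import Path


def gpg_encrypt_command(plain: Path, recipient: str) -> list:
    """Build the gpg call that writes <file>.gpg, readable only by the recipient's key."""
    return ["gpg", "--batch", "--yes",
            "--recipient", recipient,
            "--output", f"{plain}.gpg",
            "--encrypt", str(plain)]


def tls_context() -> ssl.SSLContext:
    """Certificate- and hostname-verifying context; the TLS 1.2 floor is an assumption."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_file(plain: Path, recipient: str, host: str, user: str, password: str) -> str:
    """Encrypt the file at rest, then upload only the ciphertext over FTPS."""
    # Layer 1 (data-at-rest): the .gpg file stays protected wherever it ends up.
    subprocess.run(gpg_encrypt_command(plain, recipient), check=True)
    encrypted = Path(f"{plain}.gpg")

    # Layer 2 (data-in-transit): explicit FTPS with a verified server certificate.
    with FTP_TLS(host, context=tls_context(), timeout=30) as ftps:
        ftps.login(user, password)  # issues AUTH TLS before sending credentials
        ftps.prot_p()               # without this, the data channel stays cleartext
        with encrypted.open("rb") as fh:
            return ftps.storbinary(f"STOR {encrypted.name}", fh)
```

The `prot_p()` call is the step most often missed: `login()` only secures the control channel, so file contents would otherwise cross the network unencrypted even though the session is labelled FTPS.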

Word has quickly spread that a serious weakness has been discovered in the Secure Sockets Layer (SSL) protocol that allows attackers to silently decrypt data that’s passing between a web server and an end-user browser.

All reports indicate that this vulnerability affects the SSL protocol itself and is not specific to any operating system, browser or software/hardware product.  This is an information disclosure vulnerability that allows the decryption of encrypted SSL 3.0 and TLS 1.0 traffic.  It primarily impacts HTTPS web traffic, since the browser is the primary attack method.

SSL and TLS are two of the industry standard technologies that Ipswitch File Transfer solutions use to encrypt data while in-transit.  Additional technologies such as AES transport encryption, PGP file encryption, and the encrypted FTPS and SFTP protocols are also used to secure data.  As always, we recommend a defense-in-depth approach for protecting sensitive data.

At this point the vulnerability is not considered a high risk.  Ipswitch is closely monitoring the situation and will implement recommendations and provide updates if this turns into a serious threat.  We agree with Microsoft’s recommendation to prioritize the RC4 cipher suite and to enable TLS 1.1 in client and server.  And given the choice, use the unaffected FTPS and SFTP protocols (and not HTTPS) until this vulnerability investigation is complete.  Microsoft has also issued a fix that enables support for TLS 1.1 in Internet Explorer on Windows 7 and Windows 2008.

You might say that the entire point of a Managed File Transfer (MFT) system is to do exactly that: provide centralized management and control. For example, let’s say that your company is subject to the Payment Card Industry Data Security Standard (PCI DSS). Requirement 4 of PCI DSS is to “encrypt transmission of cardholder data and sensitive information across public networks,” such as the Internet. Let’s also say that you frequently need to transmit cardholder data to partner companies, such as vendors who will be fulfilling requests.

One option is to simply allow someone within your company to email that information, or to have an automated process do so. You’ll need to ensure that everyone remembers to encrypt those emails — you did remember to get digital certificates for everyone, correct? — every single time. If someone forgets, you’ve created the potential for a data breach, and it’s not going to look very good for your company on the evening news.

Another option is to automate the file transfer using an MFT solution. That solution can be centrally configured to always apply PGP‐based encryption to the file, to always require an FTP‐over‐SSL connection with the vendors’ FTP servers, and to always require 256‐bit AES encryption. You don’t have to remember those details beyond the initial configuration — it’s centrally configured. Even if your users need to manually transfer something ad‐hoc — perhaps an additional emergency order during the Christmas rush — your MFT solution will “know the rules” and act accordingly. Your users’ lives become easier, your data stays protected, and everyone sleeps more soundly at night. This central control is often referred to as policy-based configuration because it’s typically configured in one spot and enforced — not just applied — to your entire MFT infrastructure, regardless of how many physical servers and clients you are running.

What’s the difference between enforced and applied? Making a configuration change is applying it. That doesn’t, of course, stop someone else from coming along behind you and applying a new configuration. The idea with policies is that they’re configured sort of on their own, and that they’re protected by a unique set of permissions that govern who can modify them—they’re not just wide‐open to the day‐to‐day administrators who maintain your servers. In many cases, a review/approve workflow may have to be followed to make a change to a policy. Once set, the policies are continually applied to manageable elements such as MFT client software and MFT servers. A server administrator can’t just re-configure a server, because the policy prevents it. The MFT solution ensures that your entire MFT infrastructure stays properly configured all the time.

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones

To read more, check out the full eBook or stay tuned for more file transfer tips and tricks!
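The enforced-versus-applied distinction from the excerpt above, as an added sketch that is not taken from the eBook or from any MFT product: one central policy is checked on every transfer, and changing the policy requires a separate role plus an approval. The policy keys, the `security-officer` role and the job names are hypothetical.

```python
from dataclasses import dataclass

# Constructed policy mirroring the excerpt's three rules.
POLICY = {"allowed_protocols": {"ftps", "sftp"}, "require_pgp": True, "min_cipher_bits": 256}
POLICY_EDITORS = {"security-officer"}  # hypothetical role; server admins are not in it


@dataclass(frozen=True)
class TransferJob:
    name: str
    protocol: str
    pgp_encrypted: bool
    cipher_bits: int


def violations(job, policy=POLICY):
    """Return every rule the job breaks, so the requester sees all of them at once."""
    found = []
    if job.protocol.lower() not in policy["allowed_protocols"]:
        found.append(f"protocol {job.protocol!r} is not allowed")
    if policy["require_pgp"] and not job.pgp_encrypted:
        found.append("file is not PGP-encrypted")
    if job.cipher_bits < policy["min_cipher_bits"]:
        found.append(f"{job.cipher_bits}-bit cipher is below {policy['min_cipher_bits']}")
    return found


def run_transfer(job, policy=POLICY):
    """Enforced: every job, scheduled or ad hoc, is checked before any bytes move."""
    problems = violations(job, policy)
    if problems:
        raise PermissionError(f"{job.name}: " + "; ".join(problems))
    return f"{job.name}: dispatched over {job.protocol}"


def change_policy(policy, actor_role, approved, key, value):
    """Policy edits need an editor role and a completed review; returns a new policy."""
    if actor_role not in POLICY_EDITORS:
        raise PermissionError(f"role {actor_role!r} may not modify policy")
    if not approved:
        raise PermissionError("change has not passed review/approval")
    if key not in policy:
        raise KeyError(key)
    return {**policy, key: value}
```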

Here’s a great article by Brian O’Connell of CPA Site Solutions on how to deal with email security difficulties.  The context of the article is from the perspective of the accounting industry, but I’d say it’s an extremely universal topic that actually impacts almost every kind of company today.

The premise of the article is that email is generally accepted as a dependable way to communicate and share files…. And then he points out that in reality, email isn’t very safe.  Sound familiar?  – And for you encrypted email lovers out there (you know who you are), I’d like to quickly mention that while encryption can make it harder to open an email or attachment, it does nothing to prevent it from being intercepted.

Brian draws a very important difference between “security” and “privacy” that I want to highlight.

“Privacy is the shield that protects a person’s identity while actively sharing information via the web.

Where privacy is about keeping the door locked, security is about the lock itself.

Security is the actual online authentication and authorization protocols that networks use to protect information and the audit system used to verify the overall system’s effectiveness.”

While I agree that the distinction is important, I’d also like to point out that an organization must protect both the security and privacy of confidential information in order to comply with the growing number of data protection laws and compliance mandates.   I wouldn’t worry too much about the distinctions, but instead focus on the need to have visibility and governance over all files, data and information that are being shared both within your company and also externally with business partners and customers.