Does your business rely on the Secure Copy Protocol (SCP) to enable remote users to exchange files with each other and with customers and business partners? If so, it might be time to consider another approach!
In 2019, ZDNet identified the Secure Copy Protocol (SCP) as one of the “scariest hacks and vulnerabilities” of the year. All SCP implementations since 1983 were found to be vulnerable to four security bugs.
The news came as a bit of a shock for those who thought SCP provided a secure method for transferring files. That’s understandable given that the protocol is built on the Secure Shell (SSH) protocol, which applies cryptographic algorithms such as the Advanced Encryption Standard (AES) and the Secure Hash Algorithm 2 (SHA-2) to communications between servers and remote clients. SSH also authenticates users by transferring inputs from clients to hosts and by relaying authentication keys back to clients.
Because SCP works on Windows, Linux, UNIX, and Mac devices and provides native commands to the operating systems, it gained popularity over the past four decades. At least up until the ZDNet report, SCP was believed to be secure, running on port 22 and transferring confidential data while keeping packet sniffers from extracting the data packets. SCP also included permissions and timestamps for transferred files.
Vulnerability Discovery Comes Out of Finland
The SCP vulnerabilities were discovered by Harry Sintonen, a security researcher with Finnish cyber-security firm F-Secure. Sintonen determined that the vulnerabilities allow malicious servers to make unauthorized changes to client systems and hide malicious operations. Two of the vulnerabilities specifically enable SCP servers to modify the permissions of target directories and overwrite files. Another vulnerability allows the client's terminal output to be manipulated via ANSI escape codes to hide subsequent operations.
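Checks a download client can apply against the server behaviours described above, as an added Python example (not code from the original page, from OpenSSH or from F-Secure). It assumes the scp control-record format `C<mode> <size> <name>` / `D<mode> 0 <name>`, which the page does not describe; the function names and the sample records are constructed for illustration.

```python
import fnmatch
import re

# One scp control record: type (C=file, D=directory), 4-digit octal mode, size, name.
RECORD = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$")
# C0/C1 control characters, including ESC (0x1b), which starts ANSI sequences.
CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def printable(text):
    """Escape control characters so server-supplied text is safe to echo."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def check_record(line, requested_pattern):
    """Return (ok, reason) for one record a server sent during a download.

    requested_pattern is the final path component the user asked for.
    """
    line = line.rstrip("\n")
    m = RECORD.match(line)
    if not m:
        return False, "malformed record: " + printable(line)
    _kind, _mode, _size, name = m.groups()
    if CONTROL.search(name):
        return False, "control characters in name: " + printable(name)
    if name in ("", ".", "..") or "/" in name:
        # An empty or "." name would apply the mode to the target directory itself.
        return False, "name aliases or escapes the target directory: %r" % name
    if not fnmatch.fnmatchcase(name, requested_pattern):
        return False, "server sent %r, which was not requested" % name
    return True, "ok"


def audit(records, requested_pattern):
    return [check_record(r, requested_pattern) for r in records]


# Constructed records, as received after asking the server for "report-*.csv".
SAMPLE = [
    "C0644 120 report-2019.csv\n",            # what was asked for
    "C0644 88 other-file.txt\n",              # extra file the user never requested
    "D0777 0 .\n",                            # mode change aimed at the target directory
    "C0644 10 report-\x1b[2K\x1b[1A.csv\n",   # ANSI codes that would rewrite the terminal
]

if __name__ == "__main__":
    for ok, reason in audit(SAMPLE, "report-*.csv"):
        print("ACCEPT" if ok else "REJECT", reason)
```

Only the first constructed record is accepted; the rejected ones are reported with their control characters escaped, so the report itself cannot be used to hide anything on the terminal.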
One of the key reasons SCP is vulnerable is that it does not use TLS (Transport Layer Security) or its predecessor, Secure Sockets Layer (SSL). These protocols bind the identities of two systems exchanging files to cryptographic key pairs. Each pair consists of a private and a public key. The private key is kept secure by the host system, while remote clients can access the public key. This lets a host verify that a remote client is legitimate.
SCP also suffered another setback in 2019; this one came from the developers of the OpenSSH security utilities, who declared the protocol is “outdated, inflexible and not readily fixed.” One of the alternatives the developers recommend is a more modern tool such as the Secure File Transfer Protocol (SFTP). SFTP features the same SSH protocol and adds in the File Transfer Protocol (FTP), which is particularly suited for moving large files between servers and desktops. The protocol uploads files to a secure neutral location for access by other systems.
Pandemic Escalates Need for Alternative File Transfer Protection
The need for businesses to elevate the level of security for their file transfers escalated sharply this year as COVID-19 forced many people to work remotely from home. A situation like this makes it mandatory for end-users to exchange files, and with many businesses discovering their workforces can do their jobs more efficiently from home, the percentage of remote workers is likely to remain high. That means security risks are going up too.
To truly protect sensitive files while they are being transferred, Managed File Transfer (MFT) is your best bet. In addition to encrypting files end to end just like SCP and FTP, MFT takes the next step with authentication that connects to user repositories such as LDAP, Active Directory, NTLM and PAM.
You can also generate a trail of file transfer operations—sender information, send time stamps, and recipients—and produce proof that files have been received by intended recipients. These capabilities come in handy when responding to internal and external auditors who want to verify you are complying with security policies. With MFT, you can quickly generate all the reports auditors require.
Take a Test Drive to Protect Your Digital Assets
To test the value of an MFT solution and determine if it’s a good match for your business, you can visit our website for a free trial of MOVEit Managed File Transfer. A key security feature offered by MOVEit is the ability to exchange files with secure FTP servers that support 128-bit key SSL encrypted transfers—which is the highest level of protection for Internet communications.
MOVEit also supports all three SSL modes, including TLS-P, TLS-C, and IMPLICIT, and it’s used by thousands of organizations to provide complete visibility and control over file transfer activities. With MOVEit, you can assure the reliability of core business processes and the secure and compliant transfer of sensitive data among employees, customers, and partners—which is how business gets done.
Start your free trial of MOVEit today, and avoid putting your digital assets at risk when remote users exchange files.