Secure File Transfer


Enterprises strictly enforce file size limits on email systems, and alternative options often aren't made available, leaving employees to use personal email accounts, Dropbox and other insecure methods to move files around. Learn how to ensure file transfer activity isn't a data breach waiting to happen in your enterprise.

Tech Guide

EDITOR'S NOTE

LOW-COST METHODS FOR SECURE FILE TRANSFER

THE DANGERS OF POOR DIGITAL DOCUMENT SECURITY

BEST PRACTICES FOR PROTECTING INTELLECTUAL PROPERTY

EDITOR'S NOTE

Keeping Our Files Secure


When we talk about data loss, we are generally talking about the mishandling of files. The common computer file, a collection of linked storage blocks arranged on whatever the latest storage media happens to be, is the bucket into which our data is poured. We like to think we're keeping a watchful eye over our buckets, but we aren't, especially when we're moving those file-buckets around.

In this technical guide, we'll take a look at what it takes to securely pass a file from point A to point B. Matt Pascucci makes it clear that using consumer-focused options is foolhardy at best, particularly when there are better options. Moriah Sargent comes at it from another angle, looking at the issue in the light of a recent study of document security. Ninety percent of respondents said they suffered loss of confidential documents in the year prior to the study. Peter J. Toren reports on a study that he conducted, looking at 120 government prosecutions for the theft of trade secrets. He offers a number of takeaways that will help you protect your intellectual property.

One thing that experts emphasize when looking at secure file handling is employee training. There are a number of steps that organizations can take to enforce the safest possible handling of documents. But given the present state of practice in most organizations, there is no question that a great deal of security rests on the good habits and sensible decisions of those entrusted with our sensitive data. If we want to shuffle our files around in safety, it's never a bad idea to invest in training for the people who do the shuffling.

Robert Richardson
Editorial Director, TechTarget's Security Media Group

Low-Cost Methods for Secure File Transfer


Organizations struggle with the process of sending and receiving large files. File size limits are often strictly enforced on email systems, and alternative secure, large file transfer options usually aren't made available, leaving workers to use personal email accounts, Dropbox and other insecure methods to move files around an organization. In this chapter, we'll summarize the security issues with large file transfers, and offer enterprises a few low-cost options (e.g., cloud services, SSH FTP and the like) to ensure file transfer activity isn't a data breach waiting to happen.

THE RISKS OF INSECURE FILE TRANSFER

Sending files is a part of daily business, and many times an organization's IT systems either are not able to handle these transfers or are configured to send files in an insecure manner. It's common now to use popular personal storage sites to transfer files, but a weak password or lack of due diligence on the part of the service provider can easily result in data exposure. This is an area where information security teams need to assist the business, allowing it to function properly and securely without limiting its productivity. It's the information security team's job to advise the business of security risks and ways to mitigate those risks using people, processes and technology, and ultimately allow the business to make the decision on how to manage that risk.

In the case of insecure file transfer, the risk can be huge: Files that include sensitive intellectual property, marketing strategy or sales projections, if lost, can negatively affect a company's bottom line; worse still, credit card data, health records and other customer information that isn't transferred securely and in accordance with compliance mandates like PCI DSS and HIPAA can lead to a fine, a loss of trust among customers and ultimately set an organization back years. In this light, the risk of insecure file transfer becomes much more harrowing than it may seem.

A business must limit the ability for users to access sites like Dropbox, YouSendIt, Google Drive and so on, and instead have users funneled to an approved secure file transfer system or service. Since many of these sites are using HTTPS for file transfer, it's becoming harder to look at what's actually being transferred, both into and out of the network. One of the best methods for blocking this inappropriate access is to use Web filtering tools to block this category of sites, and open it only to those that need to use it for business. Blocking at the domain level is the easiest way to deny access to such sites. Blocking these sites, both their agents and their Web-based upload ability, cuts off a major avenue by which sensitive files can exit the enterprise unchecked. This also allows the security team to monitor who's still trying to use these sites and whether there might have been an issue with a particular user or group. It may highlight a business need that requires a special solution.

Lastly, there should be a policy and procedure in place on how to access these systems, with a clear audit trail of who has access. Setting the guidelines of what's to be expected of users from the start will help set the stage for securing large file transfer.
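The domain-level blocking and the monitoring of who still tries to reach these sites can be sketched as follows. This is an added example, not part of the original guide; the log format, user names, approved-user list and domain set are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed category list built from the sites the guide names; a real Web
# filter would supply its own vendor-maintained category feed.
FILE_SHARING_DOMAINS = {"dropbox.com", "yousendit.com", "drive.google.com"}

# Hypothetical users with a documented business exception.
APPROVED_USERS = {"jlee"}

# Constructed sample proxy log: timestamp user method host bytes_out.
# HTTPS traffic shows up only as CONNECT host:port, so the host name is
# the one field the filter can always act on.
SAMPLE_LOG = """\
2013-03-04T09:12:01 asmith CONNECT www.dropbox.com:443 5242880
2013-03-04T09:13:44 jlee CONNECT drive.google.com:443 1048576
2013-03-04T09:15:10 asmith CONNECT client.dropbox.com:443 7340032
2013-03-04T09:20:31 bkhan CONNECT notdropbox.com:443 2048
2013-03-04T09:21:05 bkhan POST www.yousendit.com 9437184
2013-03-04T09:30:00 bkhan CONNECT intranet.example.com:443 512
malformed line
"""


def matches_blocked_domain(host):
    """True if host is a listed domain or a subdomain of one."""
    host = host.rsplit(":", 1)[0].lower().rstrip(".")  # drop port, normalise
    labels = host.split(".")
    # Compare whole-label suffixes, so "notdropbox.com" does not match
    # "dropbox.com" the way a substring test would.
    return any(".".join(labels[i:]) in FILE_SHARING_DOMAINS
               for i in range(len(labels)))


def review(log_text):
    """Return (decisions, blocked_attempts_per_user) for a proxy log."""
    decisions = []                # (user, host, action): the audit trail
    blocked_attempts = Counter()  # who is still trying to use these sites
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:       # skip lines that do not parse
            continue
        _ts, user, _method, host, _bytes_out = parts
        if not matches_blocked_domain(host):
            action = "ALLOW"
        elif user in APPROVED_USERS:
            action = "ALLOW_EXCEPTION"  # permitted, but still recorded
        else:
            action = "BLOCK"
            blocked_attempts[user] += 1
        decisions.append((user, host, action))
    return decisions, blocked_attempts


if __name__ == "__main__":
    decisions, blocked = review(SAMPLE_LOG)
    for user, host, action in decisions:
        print(f"{action:16} {user:8} {host}")
    print("Repeat attempts:", blocked.most_common())
```

Users who appear repeatedly in the blocked count are the ones to follow up with, either as a possible issue or as a business need for an approved transfer service.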
ADDRESSING THE PROBLEM

A few vendors, such as Accellion, ProofPoint and LiquidFiles, offer an on-premises system that acts like an internal personal storage device. These systems store files locally on an appliance within the network and allow an organization to share them with groups or third parties. Many of these systems store the files on this internal storage, from which they can be shared by sending the recipient an email or a link to download the files from the organization's site. Many also have mobile apps that allow access to and sharing of an organization's files via a handheld device or tablet. Additionally, all files can be audited and scanned for malicious content while entering or exiting the system.

There are also many cloud-based services with similar functionality, but they don't have data stored on-premises. These offerings allow for the potential of higher redundancy, backup, and increased storage and scalability. The one downfall here is that a company needs to determine where this data is being stored, who has access to it and what the vendors are doing with it. While cloud-based services have benefits and may be a viable solution for many businesses, it is imperative that companies using this type of service first verify that the data is being encrypted in storage and that extremely confidential data is not sent to the cloud.

Lastly, using systems like SSH File Transfer Protocol (SFTP) or File Transfer Protocol Secure (FTPS) that allow for secure file transfers with minimal cost could be the solution that works best for some businesses. I've seen small businesses that didn't have the budget to accomplish this use standard FTP (which by itself is extremely dangerous) while encrypting the files with PGP encryption software before sending to a third party or vendor. Keep in mind this isn't an ideal solution, but it's more secure than using a protocol like FTP alone or a free public service.

Ultimately there are many options to consider when securing the file transfer needs of a business, but failing to address insecure file transfer activity is a big mistake and will cause sensitive data to leak out of a network at alarming rates. Setting up an approved, secure file transfer method with auditing of accounts is the ideal way to prevent a damaging loss of data.

Matt Pascucci

The Dangers of Poor Digital Document Security


Confidential documents are not being protected properly, and a recent survey found a lack of funding and other issues make digital document security a thorny problem to solve.

Sixty-three percent of IT specialists surveyed said confidential or sensitive documents at their organization are not fully secured and protected, according to a study conducted by Ponemon Institute, a research think tank that specializes in privacy and data protection. The study, "2012 Confidential Documents at Risk Study," surveyed 622 IT and IT security professionals in the U.S. It revealed trends in how enterprise IT deals with digital document security. The results show poor practices are leaving companies susceptible to document leaks. Of those surveyed, 90% said they have experienced a leakage or loss of confidential documents in the last 12 months. The survey was commissioned by Palo Alto, Calif.-based WatchDox, a file-sharing service for confidential documents.

Funding issues contribute to the lack of action in protecting confidential documents, said Larry Ponemon, chairman and founder of the Traverse City, Mich.-based Ponemon Institute. "It does require resources; it's not free, and you can't just start training people," Ponemon said, adding that while training is a good course of action, it shouldn't be the main one.

Digital document security has become a widespread concern with the increasing popularity of browser-based file-sharing services such as Dropbox, Box.net and YouSendIt. WikiLeaks, which relied on anonymous tips and whistleblowers, has also raised questions about the security of confidential documents.

So far, little action has been taken to address the issues brought up by file-sharing tools. Forty percent of those surveyed said they were not taking any of the suggested steps to reduce risks. Suggested steps included manual monitoring and controls, employee training and awareness, and enabling security technologies.

Organizations cited the critical success factors for implementing security controls. The top answers included ample budget resources, compliance monitoring procedures and centralized accountability and control, with resources being noted as very important or important among 80% of responders. Currently, organizations said they spend only 6.98% of their IT security budget on document protection.

Further complicating the problem of protecting digital documents is the plethora of ways employees can share them. While enterprises were focused on email attachments and USB drives, smartphones and remote storage services make it easy for multiple devices to access the Internet and receive a file. In the Ponemon study, which was published in July, 65% of organizations said they believe there is a serious security risk in accessing documents on mobile devices and tablets.

To accommodate the need for file sharing and the multiple devices it occurs on, Ponemon believes in a multifaceted solution, including governance, a document security tool and security intelligence. "You can't just have one solution," he said.

Until the right tool is available, Ponemon said organizations can take basic steps to secure their documents. "Organizations need to take a look at data they're not using and if they don't need it, they should get rid of it," he said. "Organizations have way too much data," Ponemon said. He also said encryption across devices and creating a policy for the use of cloud technology are important steps.

Moriah Sargent


Best Practices for Protecting Intellectual Property


The confidential information and trade secrets of U.S. corporations will be stolen; the only questions are when, and how much damage will the theft cause? Indeed, Congress has heard this year from a slew of witnesses who have testified about the threat posed by foreign hackers who penetrate U.S. companies' computers and steal valuable data and intellectual property. FBI Director Robert Mueller testified that hacking could soon replace terrorism as the FBI's primary concern. Gen. Keith Alexander, head of the military's Cyber Command, characterized the losses caused by cybertheft as the greatest transfer of wealth in history.

At the same time, however, employees and other insiders, who by virtue of their position have access to companies' confidential information, remain the greatest threat to the security of the intellectual property. According to a study I conducted of the 120 prosecutions the government has brought for theft of trade secrets, in more than 90% of the prosecutions, the defendant was an insider and had access to the trade secrets because he or she either was an employee of the victim, or worked for a vendor or contractor of the victim. Companies should also be aware that defendants almost always misappropriate the trade secrets shortly before resigning from the victim company. In addition, most information is obtained by downloading from the company's computer system.

The threats to confidential data are even greater for companies that operate overseas, especially in countries that don't enforce the protection of intellectual property rights to the same extent as the United States. It is critical, therefore, that U.S. companies operating worldwide adopt a set of best practices for protecting intellectual property that apply not only to their U.S. employees, but to their foreign offices as well.

There are a number of best practices that a company, whether operating domestically or internationally, should adopt:

Employees and vendors must be required to sign a code of conduct and confidentiality, and non-disclosure agreements before beginning work. It is critically important to create not only legal obligations for employees to safeguard the company's confidential information, but also to impress upon them the importance of doing so. Employees should be reminded of their obligation to maintain the secrecy of the company's proprietary information through regular training and audits.

1. Electronically stored confidential information should be compartmentalized and accessible only on a need-to-know basis. There is simply no reason for employees who, for example, are not working on a particular project to have access to confidential information relating to the project or for employees who are working on a section of the project to have access to all of the project's intellectual property.

2. Immediately revoke a departing employee's ability to access any proprietary information.

3. Conduct an exit interview with the employee and require him or her to attest that he or she is not taking any confidential or proprietary information to a new employer. It is absolutely critical for a company to learn the departing employee's future plans and, more specifically, if the departing employee intends to join a competitor or start his or her own company.

4. If suspicious activity on the part of the departing employee is uncovered, consider conducting a full-scale investigation of the former employee's recent conduct. This should include, for example, a forensic analysis of the employee's electronic devices, including any company-issued computer laptop.

It is especially important that U.S. companies operating internationally understand that regardless of the steps undertaken to protect their confidential information, the protection is only as strong as the weakest link; companies must continuously evaluate the situation and implement new protections as the situation warrants. At a minimum, companies, regardless of where they do business, should implement the following additional measures:

1. Physical security measures should include carefully controlled access to facilities containing valuable proprietary and confidential information.

2. Network and computer security should at a minimum include passwords and firewalls to prevent infiltration by hackers and other outside threats.

3. Implementation of a policy that controls the classification and marking of proprietary documents and access to documents and their physical handling.

4. Training of new hires and current employees, regardless of nationality, as well as security audits to promote compliance with the program's policies.

Even with best practices for protecting intellectual property, companies are still vulnerable to having their confidential information and trade secrets misappropriated. Accordingly, it is crucial that companies not only continuously re-evaluate their practices, but also consult with security and legal experts in each country in which they do business to make sure they are not running afoul of any laws and are protecting their valuable information in a manner that preserves all available legal protections. The review should emphasize internal threats and the danger of foreign economic espionage, especially to high-tech companies.

Peter J. Toren

ABOUT THE AUTHORS

MATTHEW PASCUCCI is an information security engineer for a large retail company where he's involved with vulnerability and threat management, security awareness and daily security operations. He's written for various information security publications, has spoken for many industry companies and is heavily involved with his local InfraGard chapter.

MORIAH SARGENT reported on enterprise cybersecurity topics for SearchSecurity.com. Sargent is a student in the Northeastern University School of Journalism.

PETER J. TOREN is a partner with Weisbrod, Matteis & Copley in Washington, D.C. He was also a federal prosecutor with the Computer Crime and Intellectual Property Section of the U.S. Justice Department and is the author of Intellectual Property and Computer Crimes.

This Technical Guide on Secure File Transfer is a Security Media Group e-publication.

Robert Richardson, Editorial Director
Eric Parizo, Senior Site Editor
Kara Gattine, Senior Managing Editor
Linda Koury, Director of Online Design
Doug Olender, Vice President/Group Publisher, dolender@techtarget.com

TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.
