Internal Controls and Auditing

FTP is an extremely convenient means of transmitting data from one system to another.  Within many organizations, FTP is an integral aspect of business operations.  In some cases, it is not uncommon for large organizations to make thousands, or even millions of FTP transmissions daily.  Furthermore, because virtually every operating system has a built-in FTP client, FTP eases the way data is sent and received,  and can be done so for a relatively low cost.  For some time, even the most popular web browsers have been supporting FTP connections.

Despite the advantages of low cost and ease of use, the overwhelming majority of FTP transfers are unsecured.  This can result in the exposure of login information, as well as unencrypted data traveling in plain text format.  The unencrypted data can be captured a number of ways in relatively easy fashion.  In addition, the problem may not necessarily be limited to inside an organization’s network because all one needs to send data to an FTP server anywhere in the world is an Internet connection.

New compliance rules have been established which direct internal auditors to address an organization’s use and management of FTP transmissions.  These controls are used to protect individuals from disclosing information, unbeknownst to them, regardless of the sensitivity of the information.  The compliance landscape is evolving due, in part, to the alarming number of recent data breaches.  This increase has created a pressing need for companies, as well as internal auditors to look at data security procedures and address the exposure which is inherent in FTP.

Of course this can be a daunting task, and many organizations do not even realize the magnitude of the problem.  It can literally take weeks for auditors working in conjunction with network administrators and other IT staff to identify and locate all FTP servers.  Companies can have hundreds, if not thousands of rouge FTP servers in place which are unknown and unmanaged.

The Recommendation and Solution

The solution to this monumental problem is actually quite simple; a centralized solution which utilizes a Secure FTP solution (SFTP or FTPS), and has the capability of real-time monitoring, alerting, and automation.  Merging all traffic to a central repository has many obvious benefits from an administrative standpoint, but it will also facilitate the end-to-end auditing.  It will also provide a common time zone when comparing file transfer activity across an enterprise which may have servers operating in different time zones.  Should the need for an audit arise, all activity can be logged and archived across the enterprise to make it simple.

The transmission of all data using a secure connection should be an organization’s primary goal.  Network and packet sniffing tools will not be able to access data when a secure FTP connection is used.  An FTP server (such as the one used within secureXchange which supports secure socket layer and/or transport layer security connections will ensure that login information as well as data are not accessible.  Additionally, managed file transfer solutions support a wide variety of protocols for transmitting private documents via the Internet or for ensuring privacy between applications.

Monitoring all transmissions in real time enables an organization to generate alerts when suspicions activity occurs, and to control overall automation efforts.  This can be extremely useful in identifying hacking attempts, unapproved or unsecured transmissions, and any failed transmissions which may affect business critical processing.  Alerts can be used to escalate problems for human intervention or just notify the appropriate people/departments upon a successful or failed completion of a file transmission.

Managed file transfer solutions, such as secureXchange, can be a strategic solution for an organization to comply with new and ever-changing security standards, while also simplifying the administrative efforts for internal and external data exchange.  secureXchange can also provide real time monitoring and alerting functionality which benefit the organization on many levels, while doing so from a centralized location.

If you want to learn more about the managed file transfer process, or how you can better protect your data, please contact us at info@btrade.com.

I recently read a report about a cyber attack that is worthy of note from a data security/managed file transfer perspective. LivingSocial, the second largest online daily deal company behind Groupon, announced that it was hit by a cyber attack which potentially compromised sensitive data for more than 50 million of its current and former customers. I say “potentially” because it appears LivingSocial had instituted certain practices which enhance data security.

For example, LivingSocial said the cyber attack resulted in “unauthorized access” to such data as email addresses, dates of birth and passwords. However, LivingSocial also stated that it “encrypts” customer passwords rather than storing them in plaintext, which is a good data security practice. Encryption transforms data from plaintext to make it unreadable to anyone except the person(s) who possess the “key” to unlock or unscramble the data.

Had the breach affected the file system instead of a database, we would tell you that a good managed file transfer solution should allow storage of sensitive data on a readily accessible medium, but with complete security using an in-built, data-at-rest solution, thereby permitting programmatic access to the sensitive data in a real-time environment. We would also tell you that a good managed file transfer solution should have other file storage and retention features, such as being able to limit access to uploaded files, auto-deleting files after a specified retention date, implementing a file compression policy, providing security access logs, etc.

LivingSocial also reported that a “substantial portion” of the company’s database was affected, including customer accounts that had been closed, because LivingSocial retained such information in the database. From a managed file transfer perspective, this is not a good practice. LivingSocial would have been better served had it backed up the old customer data, encrypted it, and stored it offline.

Finally, although not directly related to data security or the managed file transfer process, I found it interesting that LivingSocial’s CEO sent an email to customers in which he advised: “We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).” Now that is good advice. In fact, we dispensed similar advise previously on this blog.  To reiterate, you should create a different password for every site that you join and make sure each password is difficult or impossible to guess.

bTraders are always happy to discuss data security needs. If you want to learn more about this or any other managed file transfer topic, please contact us at info@btrade.com.

One of our areas of expertise is data security.  On this blog, we have previously highlighted some situations where data security was lacking, thereby leading to high-profile data breaches .

Just to keep you current, here is a link to a good compilation of data breaches occurring in the first quarter of 2013:   Link of data breaches in the first quarter of  2013

Suffice it to say that most of these incidents could have been avoided, or at least the adverse effects could have been limited, had the affected organizations instituted and deployed a managed file transfer process.  If you want to learn more about the managed file transfer process, or how you can better protect your data, please contact us at info@btrade.com.

Soaring Sales

Thanks to our well-designed and executed managed file transfer solution and an outstanding support team, we have seen soaring sales in 2012, as well as a strong first quarter in 2013.  We’ve been able to provide managed file transfer solutions to customers from every industry and have heard from them about how our solution, secureXchange, has made their lives easier and their data more secure.

Trade Show Season Is In Full Swing

In 2013,  we are looking forward to meeting new people and reconnecting with old friends.  We are heading to NEECOM (New England Electronic Commerce User Group) next week where Jerome Mendell, VP of Sales for bTrade, is presenting a session on how “Managed File Transfer is Critical to Governance, Risk and Compliance.”  We will provide updates throughout the year on other events involving the bTrade team.

We’ve Launched a New Website

If you haven’t visited our new website yet, please check it out.  Our team worked very hard to redesign not only the look and feel, but also the navigation, to make it easier for visitors to find what they need.  We hope you’ll take a look and let us know what you think.

Stay Tuned for Product Announcements

We’ve also added some new faces to our team and are working on some pretty cool software enhancements which should be available very soon.

Customer Success Program

As always, we welcome your ideas and your feedback, and if you’ve got a great story to share about how one of our solutions have helped you work more efficiently or kept your data better protected, let us know. We’d love to hear it!

Last week, the National Institute of Standards and Technology (NIST) held the first in a series of workshops as part of efforts by the Commerce Department to implement the Executive Order.  The workshops are open to all interested individuals from both the public and private sectors, and are intended to drive discussion toward the development of a voluntary framework for reducing the nation’s vulnerability to cyber risks.

Some in the managed file transfer community were expecting that the workshops would lead to a new, comprehensive framework pertaining to information security.  But based on comments made during the workshop, it appears that the eventual framework will consist of already existing managed file transfer standards.  Why do I say this?  Because of the following statement made by Patrick Gallagher, Director of NIST and Under Secretary of Commerce for Standards and Technology, during the workshop:  “The framework will probably be a set of references to existing standards.”

So what “existing standards” pertaining to managed file transfer might eventually be used in the framework?  Certain publications were suggested at the workshop, including the Payment Card Industry Data Security Standard (PCI-DSS); NIST Special Publication 800-30, 800-39 or 800-53M; SANS’ 20 Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines; ISACA’s COBIT 5 IT governance framework; and the ISO 27000 series.  If you take the time to review these publications, you will see that each contains a host of potential standards suitable for the cyber security framework.  But I suspect many of you don’t have the time, so allow me to provide a summary of concepts that likely will and will not be included in the eventual framework.

IT professionals, including those in the managed file transfer community, want to develop information security standards covering such things as secure firewalls, authentication of data using secure passwords and PINs, protection of data wherever it is stored, effective encryption to secure data transmitted through public networks, implementing strong access control measures, and having visibility into the information security system.

What that means is that managed file transfer solutions will need at least the following features/functionality:

·  Dashboards and Reports (real-time monitoring)

·  Auditing and tracking of messages

·  Alerts and notifications

·  Authorization (system access based on identity)

·  Archiving and purging (active logging)

·  Support for multi-tiered networks; DMZ and internal network components

·  Compliance with secure protocol standards

·  Cross-platform compression, encryption and authentication

Business professionals are urging that IT security must be balanced against business concerns (i.e., a company’s bottom line).  There seems to be agreement among all involved that a “checklist” approach, like that in PCI-DSS, is not the best alternative.  Business professionals want a risk-based system that is flexible, scalable, and not complex.  Also, several business leaders who spoke at the workshop felt that the development of a meaningful set of metrics could provide the needed value proposition to encourage businesses to adopt a framework.

We will continue monitoring the situation with the Executive Order and keeping you updated on developments.  In the meantime, feel free to contact us at info@btrade.com if you have any questions, or if want our data security experts to analyze your infrastructure to determine how best to protect your valuable and confidential data.  bTrade is a pioneer in the data security and managed file transfer fields, and our managed file transfer software solutions address the needs mentioned above by both the IT and business professionals.

The best managed file transfer software contains the latest encryption, and the latest cryptographic standards are found in FIPS 140-2. The FIPS 140-2 encryption standards were issued by the National Institute of Standards and Technology, and contain strict guidelines for ensuring that cryptographic-based products properly safeguard data transmissions. The government established a FIPS 140-2 accreditation program for vendors that develop cryptographic modules, and the testing of cryptographic modules is handled by approved third-party laboratories. bTrade’s managed file transfer products contain cryptography that has received FIPS 140-2 validation.

Why is FIPS Validation Important for the Managed File Transfer Process?

Traditional methods of transmitting information, such as via email or FTP, generally do not meet the FIPS 140-2 standards. If you exchange files with the federal government, it is critical that your data transmission is encrypted with a FIPS-compliant cryptographic module. In fact, federal agencies and contractors are prohibited from buying a managed file transfer solution that does not contain FIPS-validated encryption.

Managed File Transfer and FIPS 140-2 Certification

When researching managed file transfer software, it is important to determine if they have a FIPS-compliant module available, especially if you are exchanging data with the federal government or highly regulated industries. By incorporating FIPS-compliant cryptography in your managed file transfer process, it becomes much easier to do business with the federal government and other regulated industries.

To learn more about bTrade’s accredited managed file transfer software, or if you want to speak with our data security experts about how best to protect your valuable and sensitive data, please

Data Security, Hackers and FTP

When companies transmit data using the File Transfer Protocol (FTP), there is always the possibility that critical information could be hacked. “Sniffing” tools are used by many hackers to access sensitive data sent via FTP. An attacker could intercept data traveling across the network, analyze it and then gain access to sensitive user ID and password information, thereby allowing them to log onto FTP servers.

Prevent Hackers with Secure FTP

To help prevent data being compromised, networks need to make sure that network ports are not available for public access. Once networks are secured, the next most effective tactic against  hackers is to block all FTP traffic at the firewall. For permitted file transfers, allow only secure encryption protocols for file exchanges in and out of the network. These security restrictions will help in preventing access through sniffing tools.

Managed File Transfer Technologies Help Solve Security Exposure

Managed file transfer solutions can provide the highest security for file transfers. Managed File transfer solutions increase data security implementations and simplify the entire file management process by providing the tools for easily creating and managing all of the unique encryption keys for the company’s various trading partners. A managed file transfer process also provides a detailed log of all transactions so that any required audits may be easily fulfilled.

Keeping data secure is an ongoing concern for organizations of all sizes, and will only become more critical in the future. Deploying a managed file transfer solution is one of the best ways to strengthen your file transfer process and security as the pressure and liability risks continue to grow.

bTrade is a pioneer in the data security and managed file transfer fields, so please contact us at info@btrade.com if you want our data security experts to analyze your infrastructure to determine how best to protect your valuable and confidential data.

NIST has not defined that which will be considered “critical infrastructure,” but it did make specific reference to infrastructure of concern from five specific sectors:  telecommunications, energy; financial services; water and transportation.  Businesses in these five sectors with the potential to be deemed “critical infrastructure” should pay close attention to the development of the best practices framework, as well potential risks for failing to implement any aspects of framework that is eventually developed.  Comments to the initial RFI are due by 5 p.m. ET, April 8, 2013, and should be sent to cyberframework@nist.gov with the subject line: “Developing a Framework to Improve Critical Infrastructure Cybersecurity.”

Because more and more critical services are being controlled or managed via the Internet, all businesses (not just those operating within any of five critical infrastructure sectors) should examine their current networks/computers and assess corresponding data security practices.  bTrade has 20+ years of experience in various aspects of cybersecurity, including encryption, secure communication protocols and the secure/managed file transfer processes.  To learn more about how we can assist with your data security needs, please contact us at info@btrade.com.