FTP always seems to come up as a means of transferring files. However, it is not secure. I've gathered a couple of notes I've come across, for reference.
From a whitepaper by Sterling Commerce:
But what, exactly, is wrong with FTP?
• For starters, FTP has no built-in encryption or operating system-independent authentication capabilities.
All ‘secure’ FTP functions are third-party add-ons. According to the Sterling survey, more than 50 percent of respondents use FTP for more than 60 percent of their file transfers, but they’re concerned about security. Most have plans to use encrypted FTP transfers by next year, but securing the transmission still leaves vulnerable data unsecured on the originating and receiving servers. “Encryption over the wire doesn’t help when the files are written to the server’s disk. You’re still at risk,” McKinney states.
• FTP’s lack of adequate security measures exposes the data to common external attacks like eavesdropping, packet sniffing, denial-of-service attacks, and unauthorized access.
• Remote FTP login passwords are not encrypted as they travel the network, giving snoopers easy access to authentication credentials, which have some level of operating system-level access.
• FTP does not have any built-in management, aside from log files.
• Automation requires specialized scripts to manage FTP and scheduling, which often involves platform-specific scripting skills.
• Lastly, FTP does not guarantee that a file is delivered successfully. If a connection fails or some other problem halts the transfer in mid-stream, it can’t be restarted from the point of failure; it must start from the beginning again. And FTP does not alert users if a transfer fails.
There are many solutions that cover some or all basics for secure file transfer. Some are secure shells that wrap around the basic FTP servers. Many of the solutions achieve security through a number of sequential independent steps that encrypt the transfer, proxy through firewalls, and decrypt separately.
While these ‘Secure FTP’ solutions may be adequate for basic data exchange performed under manual controls, many businesses need a more automated, secure, and comprehensive way to programmatically handle large numbers of daily data exchanges. Advanced features like checkpoint restart, guaranteed delivery, pre- and post-processing, automatic proxies through firewalls and email notifications are necessary to achieve the industrial-strength capabilities required for true business-to-business communications. These features are delivered in a true managed file transfer solution.
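The whitepaper's point about login passwords crossing the network unencrypted is easy to show rather than just state. The example below is added here and is not part of the whitepaper or of these notes. It walks a constructed FTP control-channel capture (the kind of transcript a sniffer on the same segment would record, with the direction of each line marked) and pulls out every USER/PASS pair it can read, noting whether the server accepted the login. It also models the one case where a sniffer gets nothing: a session that negotiates AUTH TLS (explicit FTPS) before logging in, after which the control channel is ciphertext. The server name, user names and passwords in the capture are made up for the illustration; the reply codes are standard FTP codes.

```python
import re

# Constructed sample capture (not a real trace): three FTP control-channel
# sessions as a sniffer on the same segment would record them.
# 'C>' marks client-to-server lines, 'S>' server-to-client lines.
#   session 1: plain FTP, login succeeds        -> credentials readable
#   session 2: plain FTP, wrong password (530)   -> attempt still readable
#   session 3: AUTH TLS accepted (234, FTPS)     -> only ciphertext visible
SAMPLE_CAPTURE = """\
S> 220 ftp.example.test FTP server ready
C> USER alice
S> 331 Password required for alice
C> PASS hunter2
S> 230 User alice logged in
C> RETR payroll.csv
S> 226 Transfer complete
S> 221 Goodbye
S> 220 ftp.example.test FTP server ready
C> USER bob
S> 331 Password required for bob
C> PASS letmein
S> 530 Login incorrect
S> 220 ftp.example.test FTP server ready
C> AUTH TLS
S> 234 Proceed with negotiation
C> [TLS handshake and application data, 1412 bytes, opaque to the sniffer]
S> [TLS application data, 87 bytes, opaque to the sniffer]
"""

LINE_RE = re.compile(r"^(?P<dir>[CS])> (?P<text>.*)$")
REPLY_RE = re.compile(r"^(?P<code>\d{3})[ -]")


def find_cleartext_logins(capture):
    """Walk the control channel and return every login a sniffer could read.

    Each finding is a dict with the user name, the password exactly as it
    crossed the wire, and 'accepted' (True after a 230 reply, False after a
    5xx reply, None if the session ended without a verdict).  Once the
    server answers AUTH TLS with 234 the rest of that session is ciphertext,
    so nothing further is extracted until the next 220 greeting.
    """
    findings = []
    user = None            # USER seen, PASS not yet seen
    awaiting_tls = False   # AUTH TLS sent, server reply pending
    encrypted = False      # control channel now protected by TLS

    for raw in capture.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        direction, text = m.group("dir"), m.group("text")

        if direction == "S":
            reply = REPLY_RE.match(text)
            if not reply:
                continue   # ciphertext or noise: not an FTP reply
            code = reply.group("code")
            if code == "220":                      # new session greeting
                user, awaiting_tls, encrypted = None, False, False
            elif awaiting_tls:                     # verdict on AUTH TLS
                encrypted = code == "234"
                awaiting_tls = False
            elif findings and findings[-1]["accepted"] is None:
                if code == "230":
                    findings[-1]["accepted"] = True
                elif code.startswith("5"):
                    findings[-1]["accepted"] = False
            continue

        if encrypted:
            continue       # client bytes are TLS records now, nothing to read
        cmd, _, arg = text.partition(" ")
        cmd = cmd.upper()
        if cmd == "AUTH" and arg.strip().upper() == "TLS":
            awaiting_tls = True
        elif cmd == "USER":
            user = arg.strip()
        elif cmd == "PASS" and user is not None:
            findings.append({"user": user, "password": arg, "accepted": None})
            user = None
    return findings


if __name__ == "__main__":
    for hit in find_cleartext_logins(SAMPLE_CAPTURE):
        status = {True: "accepted", False: "rejected", None: "unknown"}[hit["accepted"]]
        print(f"cleartext login: {hit['user']} / {hit['password']} ({status})")
```

Run against the sample capture it reports alice's and bob's passwords and nothing from the TLS session. Two things worth noticing: a rejected login leaks the attempted password just as readily as a successful one, and a server that refuses AUTH TLS (a 5xx reply instead of 234) leaves the client to fall back to cleartext, which this parser then sees. The same walk is what a passive monitor on your own network would do to inventory cleartext FTP logins that still need migrating.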
Information security has been around for a number of years. As a means to support business requirements and objectives, I submit it is very immature. Because of this, it can be an interesting challenge to promote reasonable security culture needs.
Is it possible for large enterprises to truly embrace information security? We are surrounded by example upon example of large companies implementing “information security,” yet still experiencing data breaches. The Privacy Rights Clearinghouse maintains a database of data breaches from 2005 to the present. Can we find common threads in each of these incidents? I believe so, but agree it may be hard to get the right information to nail it down. I’m left to come up with my own suppositions. I list several of them here. It is up to you to decide if they can be applied to any organization:
1. Some of those organizations don’t understand INFOSEC.
2. Some enterprises roll the dice and take their chances that a breach won’t occur. It may seem like a good idea at the time to pinch pennies to keep the bottom line in the black.
3. The “old guard” is very much still in charge of the enterprise and has a hard time accepting INFOSEC. After all, the business became large without INFOSEC. Why is it needed now?
4. The security industry is pumping the “fear” factor and continues to promote practices that are overkill and costly.
5. It is too costly.
6. Next year is when planning will begin on INFOSEC…really, this time they mean it.
7. Figuring out risk is too hard. Finding the ways and means to mitigate it is even harder. Bringing consensus in risk discussions between the old and new guard is the hardest.
8. It’s easier to keep discussion going to bury the “decision time” in technical solutions. Mire the decisions in security 101.
9. Half-hearted acceptance of INFOSEC helps set the security department up as the source to blame when problems happen.
10. It’s pointless because there is no way to stay on top of it all.
That’s my spin so far. On the flip side, there are examples of large companies that have made INFOSEC work. It should be a wake-up call for anyone considering a new business.
Build it from the ground up. More on that to come.
Many times I have had to respond to questions which come up when discussing security culture. I thought I'd begin to capture lessons learned during my 20-year Navy career as a cryptologist. I served during the height of the Cold War, joining up in 1983 under President Reagan. The environment was such that it was not in my best interest to discuss anything about what I did.
I remember being told never to let people know what job field I was in. In fact, cryptologists at that time were classified under the admin field. I would always overgeneralize and say I worked on computers. That was true. I attended basic school in Florida. The school building was wrapped in chain-link fence, topped with razor wire, guarded 24 x 7, and access controlled gates. Sign in and sign out. Positive control on who was in was always the objective. Our training materials had to be page checked to make sure they were all there. Then we'd sign for them. The process would repeat when turning them back in.
The entire time I was there, and throughout my career, security was always foremost. When I'd leave base with my buddies, we'd always be aware of where we were and what we were speaking about. It was ingrained and enmeshed in everything I did for 20 years. I still do it today with work and in my personal life. Occupational hazard, I suppose.
There is a lesson to learn here which all businesses could practice when they begin their security culture. That lesson is this: be wary of where you are all the time; be wary of who is around you all the time; and watch what you say in those two circumstances.
A way to simplify this is, "leave work at work." Don't talk about it when you aren't there. I realize this isn't always practical. But, aside from occupational health reasons, you just never know who is listening. So shut up. Besides, if you can keep quiet outside the office, the habit may carry over to other things you do for work.
You can probably think of examples you heard in the news when a Navy spy was uncovered. The damage to this country was incalculable. It may be hard to imagine, but the same could happen to your business. Keeping quiet and being aware of what's going on around you isn't perfect security.
My wife at the time stopped asking me about my day because she knew there wasn't much I could tell her. My wife today never knew Navy life but figured out early it was pointless to ask about things I did. For me, it is such a habit not to talk about it. Think about that when we ask vendors to sign NDAs to do business with us. Do we reinforce the NDA principles with our own employees? If not, you should--over and over.
I just read an article by Bruce Schneier on wired.com. It touched on something I posted here where I mentioned the reason for going wasn't necessarily to see the vendors. After the number of years I've been going, I know enough of what I'm looking for. Really, if I'm looking to do something new in my company I won't wait until the RSA conference to initiate a discussion.
Bruce nailed it on the head when he stated,
"It's not the quality of the wares. The show floor is filled with new security products, new technologies, and new ideas. Many of these are products that will make the attendees' companies more secure in all sorts of different ways. The problem is that most of the people attending the RSA Conference can't understand what the products do or why they should buy them. So they don't."
I agree many people don't understand the products or know what to do with them. I think people's eyes glaze over when vendors start pitching their wares. Hell, half the time I'm not sure what they are either. There's so much smoke in the air I think vendors hope someone will buy them. Half the crap out there I really don't care about.
It reminds me of a conundrum that exists with many security professionals, in my opinion. Many security people have trouble explaining why security is needed to the business. The business just knows they want to be secure and will keep tossing money at it or just do enough to put a check in the regulatory compliance box.
What is needed, more often than not, is a step back to the basics. Why security? What is being protected? What data is at risk? Does our security properly balance the risk? If more people just stopped to reset long enough, we might be able to settle on solutions which really have bite.
Will I go to RSA again? I probably will. I still believe what I wrote before. I'm there to wander around and get a feel for the latest whispers.
I also glanced at some of the user comments posted in response to Schneier's article. I get the sense they don't care for him. I'm sure Bruce can stand up for himself and is used to it. Yet, I can't help but think people should just get a grip. Maybe, just step back and actually read what he posted.
One of the things I've recognized with building a good security program and creating a solid culture in a business is this: put the security event, issue, or concern into terms that apply at home and with the home computer.
I figured this out soon enough at one company I worked for. I would often send out a "Security Notice" or "Security Advisory" to the send-to-all email distro. And every time I did that, my phone would ring the rest of the day with questions about my communication. I thought, great, people read it and want to know more. Well, they did read it, but they wanted to know if the issue also applied to their home computer.
This was one of those issues I took for granted. I figured if there was a note about the desktop computer at work it would usually mean the same for the desktop computer at home. It didn't. I realized that I should include a paragraph to point out the fact it also applied to the home and explain why.
My general format:
1. Issue
2. Impact to the work environment
3. Impact to the home environment
This approach also supports my mantra that the front line of defense at the office is always the end-user. There are so many of them compared to my staff. We should teach them about typical security issues they can take home. After all, if they practice good security at home, they will hopefully do the same at work.
I'll continue posting articles in this new category, "Security at Home." I'm constantly fielding questions about what should be done on the home front. As I think of them, I'll try to capture them here. My goal is to keep it short and clear. I recognize many people don't really care how the computer does what it does. Just give them the info to set it up and they are off.
So I'm flying back from the RSA Conference this past Friday. The flight is about 3.5 hours or so coming home. I ended up watching a movie on my laptop to pass the time. Somewhere near the 3/4 mark in the show I could hear a person speaking pretty loudly. I took the headset off and realized it was coming from the row in front of me. He was speaking to another gentleman across the aisle.
Normally, I don't pay much attention to these things and try to drown them out as an annoyance. This conversation, however, was littered with phrases and terminology pertinent to information security. I'm reading an interesting book by Johnny Long, called "No-Tech Hacking." I realized I was in the middle of an example right out of his book (a must-read for anyone doing security). I overheard references to the military, contractors, projects worked on, scenarios and examples, "I know someone," and on and on. I picked up several names, the CISSP certification held by the speaker, the fact that the speaker is overly or extremely "ethical," and the names of companies this guy worked for. The person being spoken to was in law enforcement and was asking some very interesting questions. Maybe I was mistaken, but it almost seemed like he knew that if the right question was asked, this guy would speak all about it.
Things got to the point where I was beginning to beg in my mind for this flight to be over. Even then, the person spoke the entire time going to baggage; the entire time waiting for his bags; and I could hear him leaving the airport. Wow, what a speaker.
The fundamental problem I have with this entire situation is this:
1. The close proximity of the airplane cabin permits anyone to eavesdrop.
2. The subjects being discussed were probably not appropriate given item 1.
3. Bragging and boasting can make a story interesting. Lord knows talking about security can be boring. In my opinion, this ethical CISSP went overboard. I'd even say to the point if I was a client of this person's company, I'd worry.
4. Discretion should be among the main tools of a security professional. I don't think that was met.
I did introduce myself at the baggage area because I saw the nifty RSA Conference backpack given out to attendees. I wanted to know his name and who he worked for, just in case my own company was in need of any security services.
Should I have said something to him? Perhaps. It is possible I'm overreacting and need to consider a bit of humility. On the other hand, I heard a lot of information. Even my wife rolled her eyes with the "does this guy ever shut up?" look.
I attended my first security bloggers meet-up type event. It was fun. I must admit I'm not really good at the socializing type of thing though. I apologize to those I met. I did my best to hear your names and dialog, but found it very difficult to hear. So I hope I nodded at the right times.
A big thank you to those that organized the event. I appreciated meeting many folks face to face.
This is the fifth year in a row I’ve been to the RSA conference. I’m at the point where I’m not necessarily interested in any of the products. I’m really here to find the unwritten theme or undertow around the floor and training sessions.
I’ve heard a lot of things that can be related to security culture and the ways we humans view security. I’ll be writing about some common threads coming up. Such as:
Ownership – The finger always seems to point to someone else.
Data – this is where it all starts
Whitelisting vs. blacklisting – why create lists of where we shouldn’t go? Why not a list of where we know we want to go?
Products I’ve come across that make my vendor of the day list. In fact, I’ll probably start up comment with Product of the Day, Thought of the Day, Book of the Day, etc. These will be things I think are worth a deeper look in how it may help the cause of protecting the human factor in INFOSEC since we can’t seem to do it without technology.
On April 8, 2008, my first vendor of the day pick goes to IronKey. They make a USB flash drive that seems to be indestructible and hardware-encrypted, with secure web browsing and tons more. It self-destructs if the password is wrong more than 10 times. No really, the device can never be used again. I’ll be taking a deeper dive on this with my company.
April 9, 2008: Product of the day: 3M Privacy Filters. I’m constantly feeling like someone is looking over my shoulder when I’m using the laptop.
So, I'm headed to the RSA conference tomorrow. It seems to be my annual pilgrimage to San Francisco every year. At least for the last 4 years. It's a time to reconnect with others who are like-minded, in some respects. This year is later than previous years so I'm hoping for nice weather. I'm also hoping that I will get something out of it too. I hate wasting my time and money to get there.
Half of the fun is watching the crowds of people. Everyone scrambling to get into various drawings. Big whoop. Oh, and more T-shirts. Last year I won a zune and an ipod. Wonder what it will be this time?
I actually like to go for the pre-tutorials. The instructor I had last was awesome. This year is a hands on hacking refresher course. Should be good, though I'm at the point in my career where I don't do much of the hands on stuff anymore. As far as the keynote speakers, it always seems to be more of the same blather we hear throughout the year.
Well, better hit the hay. Getting up in a few hours to enjoy the travel. One positive note...I'm taking my wife this time, and her folks. The good thing is I get along with her folks. So, it should be good.