by Oded Valin
In the digital world in which we live, securing file transfers is critically important to personal and corporate security. Every day we send and receive sensitive information with the expectation that the services we use help us keep it secure.
But, as we re-learn constantly, a vendor calling itself ‘secure’ doesn’t make it so. The latest egregious example is a high-profile vulnerability discovered in a managed file transfer service used internally by Facebook employees:
http://yro.slashdot.org/story/13/01/08/1949210/serious-password-reset-hole-in-accellion-secure-ftp
In short, the vulnerability allowed an attacker to create a new user account, log in with that new account and change the password of another user, even if that other user had full administrative privileges. After that, a would-be attacker has a clear shot at any of the data in the file transfer application. Ouch!
Unfortunately, that’s what can happen when security is added as an afterthought and is not a core design principle built into the product from the ground up.
Given that Cyber-Ark’s business is all about privileged accounts and securing critical data from advanced attacks, we do know something about this. If you are looking at a truly secure file transfer service that won’t put your critical data at grave risk, here are some things you need to look for.
- The process used to create new users should not rely on public, generic URLs, but should have a full set of security controls and optional secure workflows in place.
- The entire password reset process should work in a secure way:
  - It shouldn’t rely only on an HTTP POST request without asking for the user’s current password or using a unique link.
  - It shouldn’t transfer confidential parameters in a POST request without encrypting them; Base64 encoding is not encryption and offers no protection.
  - The reset function should use a unique link with an expiration period, not a public, generic and insecure link.
  - It should offer the option of adding personal security question challenges to the process.
- Session management should be done in a secure way using a unique session ID and unique tokens. The session ID must never be part of the URL.
- Executable code should be obfuscated.
- The file repository should be fully encrypted and separated from the web application server, so that a compromise of the web portal does not expose the stored files.
- Follow the National Institute of Standards and Technology (NIST) guidance and “require your vendor to demonstrate that their software development processes employ state-of-the-practice software and security engineering methods, quality control processes and validation techniques”.
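To make the password-change and reset points above concrete, here is an added illustration (not Cyber-Ark or Accellion code) of a minimal reset flow: a logged-in change must prove the current password, and a reset link carries a random, single-use, time-limited token that the server stores only as a hash. The class name, the 15-minute lifetime and the in-memory stores are assumptions for this example.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60   # constructed policy value for this example

class PasswordResetService:
    def __init__(self, clock=time.time):
        self._clock = clock    # injectable so expiry can be tested offline
        self._users = {}       # username -> salt + PBKDF2 digest
        self._pending = {}     # sha256(token) -> (username, expires_at)

    def _hash_password(self, password, salt=None):
        salt = salt or secrets.token_bytes(16)
        return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _verify_password(self, username, password):
        stored = self._users.get(username)
        if stored is None:
            return False
        # constant-time compare of the recomputed digest against the stored one
        return secrets.compare_digest(self._hash_password(password, stored[:16]), stored)

    def register(self, username, password):
        self._users[username] = self._hash_password(password)

    def change_password(self, username, current_password, new_password):
        # A logged-in change must prove the current password (no blind POST overwrite)
        if not self._verify_password(username, current_password):
            return False
        self._users[username] = self._hash_password(new_password)
        return True

    def request_reset(self, username):
        # The raw token goes into the emailed unique link; only its hash is stored
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (username, self._clock() + RESET_TTL_SECONDS)
        return token

    def complete_reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)  # single use: consumed on any attempt
        if entry is None:
            return False
        username, expires_at = entry
        if self._clock() > expires_at:
            return False
        self._users[username] = self._hash_password(new_password)
        return True
```

Looking the token up by its hash also means no secret value sits in the database or the URL log for longer than the link is valid.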
This sounds basic – but it’s part of the due diligence that every business should do to truly understand the level of security that has been built into the product. Just because a vendor claims to offer “secure” file transfer or cloud sharing, doesn’t make it so.
If security really matters to you (and it should), your best bet is to start with a company that takes a “security first” approach and has the credentials to back it up.