File transfer environments, with their many moving parts and frequent handling of sensitive data, require multiple layers of security. Here are 11 proven security tactics we’ve outlined for quick consumption. Feel free to go over them while on the go.
Avoid using unencrypted protocols like File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) when transferring files over insecure networks like the internet.
Data sent over unencrypted protocols can be eavesdropped upon using packet sniffers and other similar tools. If that data includes login credentials, such as usernames and passwords, whoever obtains that information can use it to gain unauthorized access into your file transfer system.
Mitigates the risk of a data leak when you transfer files over an insecure network.
Shift to encrypted alternatives such as Secure File Transfer Protocol (SFTP), File Transfer Protocol over SSL/TLS (FTPS) and Hypertext Transfer Protocol Secure (HTTPS).
When you store user files on your server, make sure you encrypt them with OpenPGP or other similar data-at-rest encryption tools.
Files stored in unencrypted form can be vulnerable to threat actors that target servers or storage devices. If those files contain sensitive data, you could suffer a reputation-damaging data breach.
Mitigates the risk of a data breach even if a threat actor manages to compromise your server or storage device.
If your file transfer solution supports it, configure your solution so that it automatically encrypts files upon upload.
Use cryptographic algorithms and key lengths that have been proven to be computationally infeasible to break with current technology.
Some cryptographic algorithms and key lengths can be broken with readily available tools. The moment they are, the data they’re supposed to protect will be exposed.
Ensures data confidentiality is truly preserved and that you’re not relying on a false sense of security.
Use widely-recognized cryptographic algorithms and key lengths like AES-256. For highly sensitive data, stick with cryptographic elements recognized by security standards such as Federal Information Processing Standards (FIPS) 140-2.
Grant users the minimum level of access or permissions they need to accomplish their tasks.
Malicious insiders or even threat actors who have taken over legitimate accounts can do more damage if the accounts they’re using possess more privileges than they’re supposed to have.
Limits what threat actors and malicious insiders can do, including data access, data deletion, system disruptions, lateral movement or privilege escalation.
Enable multiple access control mechanisms to establish a multi-layered defense, including IP-based access, file/folder access rights and time-based access.
Add one or more authentication factors to the usual password-based authentication.
Password-based authentication is susceptible to a wide range of threats, including brute force attacks, man-in-the-middle attacks, credential stuffing, shoulder surfing, social engineering and phishing.
Prevents a threat actor from taking over an account even if that account’s password has already been compromised.
When choosing an additional authentication factor, take into account both security and user convenience. For example, you can use time-based one-time passwords (TOTP) generated by an authenticator app, which many users find easy to configure and easily accessible.
When sharing files through ad hoc file transfer, limit access by protecting download links with passwords.
A download link that’s unintentionally shared with an unauthorized individual can lead to a data breach.
Mitigates the risk of a data breach due to accidentally shared download links.
If your file transfer solution supports the capability, set an expiration date for the download link as well.
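The two controls above, a password on the download link and an expiration date, can be combined as in the following added example (not from the original article or any specific product). The token layout, `SERVER_KEY` and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-server signing key, never sent to clients


def hash_password(password, salt):
    # Salted, slow hash so a leaked link record does not reveal the link password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def sign(file_id, expires_s):
    msg = f"{file_id}|{expires_s}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def create_link(file_id, password, ttl_seconds, now=None):
    """Return the link token plus the salt/hash the server stores alongside it."""
    now = time.time() if now is None else now
    expires_s = str(int(now) + ttl_seconds)
    salt = secrets.token_bytes(16)
    return {
        "token": f"{file_id}.{expires_s}.{sign(file_id, expires_s)}",
        "salt": salt,
        "pw_hash": hash_password(password, salt),
    }


def check_download(token, password, record, now=None):
    now = time.time() if now is None else now
    try:
        file_id, expires_s, sig = token.rsplit(".", 2)
        expires = int(expires_s)
    except ValueError:
        return "denied: malformed link"
    # The expiry is covered by the signature, so it cannot be extended by editing the link.
    if not hmac.compare_digest(sig.encode(), sign(file_id, expires_s).encode()):
        return "denied: bad signature"
    if now >= expires:
        return "denied: link expired"
    if not hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"]):
        return "denied: wrong password"
    return f"ok: {file_id}"
```

A forwarded link is useless without the password, and a leaked link plus password stops working once the expiry passes.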
Scan uploaded files for the presence of ransomware, worms, viruses and other types of malware.
Malware-infected files uploaded to a shared folder can lead to a malware outbreak.
Prevents the spread of malware due to an infected file upload.
If possible, use Internet Content Adaptation Protocol (ICAP) antivirus scanning to prevent computationally-intensive virus scans from affecting server performance.
Implement DLP, which scans files for sensitive data and then executes a predefined action that prevents the data in question from being exposed.
Some files contain sensitive data such as bank account numbers, credit card numbers and Social Security numbers. If this information falls into the wrong hands, individuals associated with it may be subjected to identity theft.
Mitigates the risk of a data breach involving sensitive data.
Always enable DLP on shared folders, as these folders are normally accessed by multiple users. Hence, the chances of an unintentional data leak can be quite high.
Educate employees about risks in file transfer environments and train them how to mitigate those risks.
No matter how strict your security policies are or how robust your security tools are, threat actors can still access your systems through your weakest link — your end users.
Mitigates security risks associated with insecure user practices such as the use of weak passwords, unencrypted protocols and shadow IT.
Conduct security training sessions regularly to update users about the latest threats, refresh their memory and cultivate a security-aware culture.
Take a proactive approach to enforcing strict password policies (e.g., using long passwords that include uppercase and lowercase letters, numbers, special characters, etc.). Don’t wait for users to adhere to the policy. Instead, automate enforcement in your file transfer system.
Regardless of how often users are reminded of security best practices, some users can be non-compliant. Others are simply forgetful. Therefore, you shouldn’t leave policy enforcement completely in their hands.
Reduces reliance on end users for policy enforcement and increases overall adherence to policy.
Passwords, regardless of how strong, are vulnerable to a wide range of attacks. Combine them with other factors of authentication. Review #5.
Maintain detailed logs of both user and administrator activities.
Cyber incidents are a matter of when, not if. When they occur, detailed audit logs provide critical insights for root cause analysis and can help you understand how the incident developed.
Provides an audit trail for digital forensic investigation. The knowledge gained can be used to inform your future security strategies.
You can also use logs to detect suspicious events and then act on them before they escalate into full-blown cyber incidents.
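One way to act on logs before an incident escalates, shown as an added example (not from the original article): a sliding-window rule that flags a burst of failed logins from one IP address and any successful login that follows it. The log format, event names and thresholds are constructed for illustration, and the addresses come from documentation-only ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a file transfer server's audit log.
SAMPLE_LOG = """\
2024-05-01T10:00:01 LOGIN_FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:05 LOGIN_FAIL user=bob ip=203.0.113.7
2024-05-01T10:00:09 LOGIN_FAIL user=carol ip=203.0.113.7
2024-05-01T10:00:30 LOGIN_OK user=carol ip=203.0.113.7
2024-05-01T10:02:00 LOGIN_FAIL user=dave ip=198.51.100.4
2024-05-01T10:20:00 LOGIN_OK user=dave ip=198.51.100.4
2024-05-01T10:21:00 DOWNLOAD user=dave ip=198.51.100.4 file=/shared/q1.xlsx
"""


def parse(line):
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs if "=" in p)
    return datetime.fromisoformat(ts), event, fields


def detect(log_text, max_fails=3, window=timedelta(minutes=5)):
    """Return (timestamp, rule, subject) alerts in log order."""
    fails = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse(line)
        ip = fields.get("ip", "unknown")
        recent = fails[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if event == "LOGIN_FAIL":
            recent.append(ts)
            if len(recent) == max_fails:  # alert once, when the threshold is reached
                alerts.append((ts.isoformat(), "brute_force_suspected", ip))
        elif event == "LOGIN_OK" and len(recent) >= max_fails:
            # A success right after a failure burst may be a compromised account.
            alerts.append((ts.isoformat(), "success_after_failures", f"{fields.get('user')}@{ip}"))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```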
File transfer-targeted cyber threats can come from different directions and manifest in various shapes and forms. By adopting all the security measures recommended above, you’ll be able to establish a robust, multi-layered defense against a wide range of threats and significantly reduce the risk of a data breach, operational disruption and other cyber incidents.
That being said, there are certain types of threats that fall beyond the scope of any of the controls recommended above. Zero-day exploits are one of them. We’ve covered zero-day threats and how to address them in our comprehensive secure file transfer guide. Do check it out.