Protecting Privileged Accounts can be the Difference Between “Managing” and “Securing” File Transfers
Posted on January 10, 2013 by Oded Valin
In the digital world in which we live, securing file transfers is critically important to personal and corporate security. Every day we send and receive sensitive information with the expectation that the services we use help us keep it secure.
But, as we re-learn constantly, vendors calling themselves ‘secure’ doesn’t always make it so. The latest egregious example is found in a high profile vulnerability discovered in a managed file transfer service used internally by Facebook employees:
In short, the vulnerability allowed an attacker to create a new user account, log in with that new account and change the password of another user, even if that other user had full administrative privileges. After that, a would-be attacker has a clear shot at any of the data in the file transfer application. Ouch!
Unfortunately, that’s what can happen when security is added as an afterthought and is not a core design principal built into the product from the ground up.
Given that Cyber-Ark’s business is all about privileged accounts and securing critical data from advanced attacks, we do know something about this. If you are looking at a truly secure file transfer service that won’t put your critical data at grave risk, here are some things you need to look for.
- The process used to create new users should not rely on public, generic URLs, but have a full set of security controls and optional secure workflows in place.
- The entire password resent process should work in a secure way:
- It shouldn’t rely only on a HTTP POST request without asking for the user’s current password or using a unique link.
- It shouldn’t transfer confidential parameters in a POST request without encrypting it with something stronger than BASE64.
- The reset function should use a unique link with an expiration period, not a public, generic and insecure link.
- It should offer the option of adding personal security question challenges to the process.
This sounds basic – but it’s part of the due diligence that every business should do to truly understand the level of security that has been built into the product. Just because a vendor claims to offer “secure” file transfer or cloud sharing, doesn’t make it so.
If security really matters to you, (and it should,) your best bet would be to start with a company with a “security first” approach, and the credentials to back it up.
Posted on February 11, 2011 by Josh Arrington
Inboxes can always be difficult to manage – filing message after message, flagging and categorising – but many organisations are still really struggling to deal with large attachments, often finding that they clog up email exchanges and slow staff down.
Indeed, Virgin Media Business has just conducted some research* and found that 69 percent of public sector workers in the UK cannot send or receive emails larger than 10 MB in size, and 89 percent are unable to send or receive emails in excess of 15 MB. Clearly these limitations can be hugely inhibiting for staff – preventing them from sharing large files and getting the most out of the resources at hand.
Such restrictions are clearly out of date, with more information than ever flowing between staff and companies, most often via email. In order to enhance productivity, organisations should be looking at ways to enable staff to share large files in a quick, simple and secure way. For example, with a secure file transfer solution that takes sensitive documents out of the email exchange – delivering access to the files through a secure link – employees can enjoy a far quicker and less congested inbox.
With this clear benefit, workers stop seeing security processes as a hindrance to their performance, but rather as an enabler to better business practices.
- #PrivSec Twitter Q&A with Jon Oltsik: Advanced Cyber Threats Demand a New Privileged Account Security Model
- By Targeting Privileged Accounts, Another News Outlet Gets Hit
- Lessons from Snowden: You Must Monitor
- Snowden’s Remarks Should Make Any InfoSec Professional Shiver
- A New Privileged Account Security Model
Posted on June 17, 2013
Posted on June 11, 2013
Copyright 2013 Cyber-Ark Software - All Rights Reserved