Articles and news

Secure File Transfer and Business Continuity Planning

Fri 06 July 2018 | article

Introduction

What is business continuity planning (BCP)?

According to Wikipedia, business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company.

The SANS Institute breaks business continuity planning down into five component plans:

  • Business Resumption Plan
  • Occupant Emergency Plan
  • Continuity of Operations Plan
  • Incident Management Plan
  • Disaster Recovery Plan (DRP)

This article is a high-level overview. Secure file transfer is only one component of business continuity planning, but it is an important one, and we hope that after reading this post you will treat secure file transfers as part of the business continuity planning process.

Assigning risk ratings

Planning starts with a risk assessment of your organization, which includes deciding what counts as IT risk and what counts as business risk.

A risk analysis identifies your business resources, the known risks to each of them, and a risk rating for each.

According to the Cisco Systems Network Security Policy Best Practices White Paper, the following rating guidelines use a three-tier risk level. They are written from a purely network security perspective; other models and guidelines take a more general approach.

The following are excerpts from the above whitepaper:

Low Risk

These are systems or data that if compromised (data viewed by unauthorized personnel, data corrupted, or data lost) would not disrupt the business or cause legal or financial ramifications. The targeted system or data can be easily restored and does not permit further access of other systems.

Medium Risk

These are systems or data that if compromised (data viewed by unauthorized personnel, data corrupted, or data lost) would cause a moderate disruption in the business, minor legal or financial ramifications, or provide further access to other systems. The targeted system or data requires a moderate effort to restore or the restoration process is disruptive to the system.

High Risk

These are systems or data that if compromised (data viewed by unauthorized personnel, data corrupted, or data lost) would cause an extreme disruption in the business, cause major legal or financial ramifications, or threaten the health and safety of a person. The targeted system or data requires significant effort to restore or the restoration process is disruptive to the business or other systems.

From the perspective of secure file transfer, you will need to decide which of these risk categories each asset within the scope of your file transfers falls under.

Establishing a business continuity structure / policy

Part of the planning process also involves establishing a business continuity structure.

A business continuity policy requires a team and a governance structure around it. Within the policy, outline the roles and responsibilities of everyone affected by the document.

Within the context of secure file transfers, the policy could define the role of the secure file transfer administrator and make clear that they are responsible for Continuity of Operations. The same administrator could also act as the support or testing lead, verifying that the failover file transfer system works should the main server fail.

On that note, for those interested in more details about how SFTPPlus can help administrators meet Continuity of Operations demands, please read our introduction to SFTPPlus and high availability or resiliency environments.

In short, the business continuity policy should give the organization a general understanding of the purpose, guidelines and definitions behind the business continuity plan.

Incident Management and Incident Response

Incident management and incident response are also part of business continuity planning.

What is the relationship between business continuity planning and the incident management plan? According to the NIST (National Institute of Standards and Technology) Computer Security Incident Handling Guide, SP 800-61, “organizations should ensure that incident response policies and procedures and business continuity processes are in sync. Computer security incidents undermine the business resilience of an organization. Business continuity planning professionals should be made aware of incidents and their impacts so they can fine-tune business impact assessments, risk assessments, and continuity of operations plans.”

Within the context of secure file transfers, SFTPPlus emits an audit trail that administrators can use to monitor events and for audit assurance, which helps with incident management and response. For further reading about procedures, we recommend the NIST Computer Security Incident Handling Guide. Our documentation on the audit trail is a useful starting point for administering SFTPPlus so that it is compliant with your auditing needs.

Implementation

Implementation is the stage where the plan is put into practice; its purpose is to stop business risk from materializing.

The recovery point objective (RPO, the maximum tolerable data loss expressed as a period of time) and the recovery time objective (RTO, the maximum tolerable time to restore service) are baseline figures that administrators should know when implementing the business continuity plan.

For example, a secure file transfer administrator can ask themselves questions such as "What is the recovery time actual (RTA) in contrast to the recovery time objective (RTO) for the file transfer application during an actual disaster or exercise?"

The Business Impact Analysis should uncover which systems are mission critical and which are not, and that in turn drives the RPO and RTO. For a mission-critical file transfer service, for example, you may need an active-active high availability setup with the secondary server in the cloud rather than on-premise, targeting a 100% Recovery Consistency Objective (RCO) for the business process.

Exercise / Testing / Action

The business continuity plan should include a review process for modifying the existing policy, so that it can adapt to lessons learned, whether from an actual disaster or from an exercise.

The review process ensures that the policy, posture and practices are being re-evaluated accordingly.

The business continuity plan should end up as a living document that adapts to the constantly changing business and IT environment and its needs. That includes training and evaluating the skills of the staff involved.

ISO guidelines for further reading

Continual improvement of the business continuity plan is also covered by standards such as ISO 22301 "Societal security -- Business continuity management systems -- Requirements". This standard “specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.”

And for those focusing on the information security management system, the ISO/IEC 27001:2013 standard “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.”

This resource is written as of SFTPPlus version 3.34.1.

The details in this resource are for guidance only. Your own security policies, requirements and threat models should be considered when adopting this type of guidance.

Evaluate SFTPPlus MFT

The features listed in this article are only a selection of the many integration and configuration options available today. Talk to the support team about your requirements for data exchange software.

SFTPPlus MFT Server supports FTP, explicit FTPS, implicit FTPS, SFTP, SCP, HTTP and HTTPS.

SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux and macOS.

It is also available in the cloud as a Docker container, as AWS or Azure instances, and with many other cloud providers.

Request a trial version using the form below.

• • •

SFTPPlus Release 3.35.0

Tue 03 July 2018 | security release

We are pleased to announce the latest release of SFTPPlus version 3.35.0.

New Features

  • The OpenSSL library used by SFTPPlus on Windows was updated to OpenSSL 1.1.0h. [#4579]
  • It is now possible to define virtual folders that are available to all accounts from a group. These virtual folders can point to directories outside an account's locked home folder. [server-side] [#4928]
  • It is now possible to allow authentication of operating-system accounts only for those belonging to a configured group. [server-side] [#4962]
  • Python version on all supported platforms except HP-UX was updated to 2.7.15. Consequently, the Expat libraries bundled with Python were updated to 2.2.4 on these platforms. [#4579]

Defect Fixes

  • An internal error is no longer raised when an SSH client sends a message for a method which is not supported by the SSH transport. Instead, the client receives a standard SSH not-implemented error. [server-side] [sftp] [#4579]
  • The speed of the SSH handshake for the SFTP service has been improved. Previously, certain customers experienced a noticeable delay during SSH handshake authentication. [server-side] [sftp] [#4579]
  • pyOpenSSL was updated on AIX and Solaris to fix CVE-2013-4314. The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a NUL ('\0') character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. The experimental packages for HP-UX are still vulnerable to this and will be fixed in a future release. [server-side] [#4579]
  • Once set, passwords for locations or email resources are no longer readable from Local Manager. A password can be read only before being set and applied. Afterwards, its value cannot be read, only updated. [security] [#4938]
  • Comma-separated configuration values may now contain comma characters, as long as they are enclosed in double quotation marks. [#4951]
  • The event generated when a peer's certificate validation fails during a TLS/SSL handshake now shows the detailed error message, not just the error code. [#4979]

You can check the full release notes here.

• • •

Setting up security scanners for your SFTPPlus MFT Server

Wed 20 June 2018 | article security

Introduction


The following is a short guide on how you can set up a security scanner for your SFTPPlus MFT Server installation. For this guide, we have chosen a free and open source scanner, OWASP Zed Attack Proxy or zaproxy, as an example.

There are, of course, many other tools you could use, with varying results.

We can cover other tools as well, depending on interest, so if you would like to see more posts of this type from SFTPPlus, please contact us. If you are not familiar with the terms, or need some background reading, scroll down to the Other resources section first.

To be kept up to date with the latest developments, please sign up to our security advisories.

About OWASP Zed Attack Proxy or zaproxy

For our server-side scan of the SFTPPlus MFT service (HTTPS and HTTP) and Local Manager, we used the OWASP Zed Attack Proxy, or zaproxy, a free and open source penetration testing tool released by OWASP for web application security testing.

After a scan, zaproxy can generate a report for further analysis. The report uses ZAP-specific terminology, listed below for reference.

WASC ID This is the ID provisioned by the Web Application Security Consortium (WASC) Threat Classification project. Read more about WASC here.

CWE ID This is the ID provisioned by the Common Weakness Enumeration (CWE) project. Read more about CWE here.

Confidence This is the description of how confident the result is in the validity of the finding.

  • False Positive - for findings that were later determined not to be exploitable.
  • Low - for unconfirmed issues.
  • Medium - for issues that zaproxy is somewhat confident in.
  • High - for findings that zaproxy is highly confident in.
  • Confirmed - for confirmed issues.

Risk How serious the finding is (Informational, Low, Medium or High), as rated in the report generated by zaproxy.

Source The ZAP scan rule that raised the alert, given as its plugin ID and name, together with whether it is a passive or an active rule. Read more here.

Using zaproxy to conduct an active scan on SFTPPlus services

Prerequisite

As standard prerequisites, you will need the zaproxy application, a version of the SFTPPlus Server software and, if you are scanning on behalf of a group or organization, authorization to conduct this type of scanning activity.

For this example, we will be conducting an active scan of the SFTPPlus HTTP service available on the default port 10080. There are also other web-browser based services that you can scan such as the SFTPPlus Local Manager on port 10020 and the HTTPS service available on the default port 10443.

Scanning can also affect availability, and an active scan sends real requests to the service. Back up your configuration and database beforehand and, where possible, scan a test instance rather than production.

What is an active scan?

Active scanning will attempt to find potential vulnerabilities by using known attacks against the selected target, in this case the SFTPPlus HTTP service. It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.

Scan results also need to be reviewed and understood by the relevant parties.

Setting up an active scan

In order to attack the authenticated part of the HTTP service, we need to tell zaproxy the name of the HTTP session cookie so that it can track the authenticated session.

Go to 'Tools' -> 'Options' -> 'HTTP Sessions' -> add chevah_http_session in the Token Name. Make sure that this token is enabled then select 'OK'.

See screenshot below:

OWASP zaproxy adding custom HTTP sessions pane

Make sure that the 'HTTP Sessions' tab is open. To view the 'HTTP Sessions' tab, go to 'View' -> select 'Show Tab' -> then 'HTTP Sessions'. At this stage, the pane is empty but it will soon be populated with the correct values in the later steps.


In the 'Quick Start' pane, add http://localhost:10080 in the 'URL to attack' field. This is the URL for the SFTPPlus HTTP web-browser based file manager service. Do not press 'Attack', instead scroll down and select 'Launch Browser' for Chrome.

See screenshot below:

OWASP zaproxy Welcome pane

You cannot go straight to attacking/scanning the resource because it requires authentication. If zaproxy is not authenticated, you will see the error Failed to attack the URL: received a 401 response code.


After selecting 'Launch Browser', a new Chrome browser will launch and you will start seeing activity in the 'Sites' pane. The browser should have 'Explore your application with ZAP' as the landing page.

Open the URL http://localhost:10080 in the Chrome browser and login to the test file transfer account.

Once logged in, you should now see http://localhost:10080 in the 'Sites' pane.

OWASP zaproxy Sites pane

In the 'Sites' pane, right-click over the http://localhost:10080 URL and select 'Include in Context' then 'Default Context'.

OWASP zaproxy Sites pane

In the 'HTTP Sessions' pane, you should now see that there is a new session added for the site localhost:10080 with values populated in the 'Session Tokens' Values' field.

If you do not see any values, reload http://localhost:10080 in the launched browser and log in again.

OWASP HTTP Sessions pane with populated Session Tokens' Values

Back in the 'Sites' pane, right click over the localhost URL, select 'Attack' -> 'Active Scan'.

For one of our tests, we only wanted to scan the HTTP headers to see whether this version of SFTPPlus resists CSRF attempts delivered through request headers. In this case, only the 'HTTP Headers, All Requests' vector was selected in the 'Input Vectors' tab. You can choose other vectors according to your own requirements, or select all of them.


Allow the scan to run; the time taken varies.


Alerts are listed in the 'Alerts' tab, where you can read what each alert is about. Note that the list may include findings from associated third-party services.


You can generate the report after the scan has completed.

Select 'Report' on the top menu > 'Generate HTML Report' and save the file.

Other reporting file formats can be used such as JSON, XML, Markdown.


Example scan result

Below is an example scan of what you may find. Please note that results will differ depending on factors such as your installation, configuration and SFTPPlus version:

Low Risk: Web Browser XSS Protection Not Enabled
Details:
URL:
Risk: Low
Confidence: Medium
CWE ID: 933 - Security Misconfiguration -
https://cwe.mitre.org/data/definitions/933.html
WASC ID: 14 - Server Misconfiguration
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration
Source: Passive (10016 - Web Browser XSS Protection Not Enabled)

Description:
Web Browser XSS Protection is not enabled, or is disabled by the
configuration of the 'X-XSS-Protection' HTTP response header on
the web server

Other info:
The X-XSS-Protection HTTP response header allows the web server
to enable or disable the web browser's XSS protection mechanism.
The following values would attempt to enable it:
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/xss
The following values would disable it:
X-XSS-Protection: 0
The X-XSS-Protection HTTP response header is currently supported
on Internet Explorer, Chrome and Safari (WebKit).
Note that this alert is only raised if the response body could
potentially contain an XSS payload (with a text-based content type,
with a non-zero length).

Solution:
Ensure that the web browser's XSS filter is enabled, by setting
the X-XSS-Protection HTTP response header to '1'.

Reference:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

Following XSS-related reports, we changed the HTTP service so that error messages no longer echo user input, added validation of user input, and updated the HTML rendering code of the HTTP service so that user-supplied values are escaped before they are rendered.

As part of this change, we have also added new automated tests for the HTTP service as part of our quality assurance reviews.
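To make the logic behind that alert concrete, here is an added example written for this article; it is not SFTPPlus code and not ZAP's own implementation. It re-implements the condition the alert text describes (the header missing or set to 0, checked only for a non-empty text-based body) and adds two checks for response behaviour described elsewhere on this page: the explicit no-cache headers on downloaded files from the 3.34.1 release notes, and forcing the browser to download rather than render served data. The list of text-based content types and the X-Content-Type-Options check are a practitioner's assumptions not taken from the page, and the sample responses are constructed. One caveat: X-XSS-Protection is a legacy header, since Chromium-based browsers have since removed their XSS auditor and Firefox never implemented one, so a Content-Security-Policy is the control to rely on today; the check is kept here because it is what the alert tests.

```python
"""Added example: audit the response headers of a file-download endpoint.

Not SFTPPlus code. Re-implements the condition described by ZAP passive
rule 10016 (the X-XSS-Protection alert above) and adds checks for two
behaviours described on this page: explicit no-cache headers on downloaded
files and forcing the browser to download rather than render served data.
"""

# Content types treated as "text-based" for rule 10016. The rule text only
# says "text-based content type", so this exact list is an assumption.
TEXT_TYPES = ("text/", "application/javascript", "application/json",
              "application/xml", "application/xhtml+xml")


def get_header(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def body_could_carry_xss(headers, body):
    """Rule 10016 only fires for a non-empty body with a text-based type."""
    ctype = (get_header(headers, "Content-Type") or "").lower()
    return len(body) > 0 and ctype.startswith(TEXT_TYPES)


def xss_protection_enabled(value):
    """'1', '1; mode=block' and '1; report=...' enable the browser filter;
    '0' or a missing header leave it disabled."""
    if value is None:
        return False
    return value.split(";", 1)[0].strip() == "1"


def caching_disabled(headers):
    """Downloaded files should carry Cache-Control: no-store so that neither
    the browser nor an intermediate proxy keeps a copy."""
    cache_control = (get_header(headers, "Cache-Control") or "").lower()
    directives = {d.strip() for d in cache_control.split(",")}
    return "no-store" in directives


def forces_download(headers):
    """Content-Disposition: attachment makes the browser save the body instead
    of rendering it. X-Content-Type-Options: nosniff is a practitioner's
    complement (not mentioned on this page) that stops the browser from
    second-guessing the declared content type."""
    disposition = (get_header(headers, "Content-Disposition") or "").lower()
    nosniff = (get_header(headers, "X-Content-Type-Options") or "").lower()
    return disposition.startswith("attachment") and nosniff == "nosniff"


def audit_download_response(headers, body):
    """Return finding titles for one response, in the style of ZAP alerts."""
    findings = []
    if body_could_carry_xss(headers, body) and not xss_protection_enabled(
            get_header(headers, "X-XSS-Protection")):
        findings.append("Web Browser XSS Protection Not Enabled")  # ZAP 10016
    if not caching_disabled(headers):
        findings.append("Downloaded File Is Cacheable")
    if not forces_download(headers):
        findings.append("Served File Not Forced To Download")
    return findings


# Constructed sample responses for a file named report.html; they were not
# captured from any real server.
WEAK_RESPONSE = (
    {"Content-Type": "text/html; charset=utf-8", "X-XSS-Protection": "0"},
    b"<html>...</html>",
)
HARDENED_RESPONSE = (
    {
        "Content-Type": "text/html; charset=utf-8",
        "X-XSS-Protection": "1; mode=block",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Content-Disposition": 'attachment; filename="report.html"',
        "X-Content-Type-Options": "nosniff",
    },
    b"<html>...</html>",
)

if __name__ == "__main__":
    for label, (hdrs, body) in (("weak", WEAK_RESPONSE),
                                ("hardened", HARDENED_RESPONSE)):
        print(label, audit_download_response(hdrs, body) or ["no findings"])
```

Run it against the headers of a real download captured from your own instance (for example from the browser's network panel) rather than the constructed samples; the content-type gate matters, because a binary download with no X-XSS-Protection header is not a finding under rule 10016, while an HTML error page is.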

Example SFTPPlus audit log during a scan

As you can see, the scan generated requests that SFTPPlus version 3.34.1 identified as possible CSRF attempts and rejected, forcing the client to disconnect:

| 40018 2018-06-07 11:05:43 Process Unknown 127.0.0.1:58871
  Forcing client disconnection at "/unwanted.js" after
  receiving 0 bytes in body. Response: 400 Possible CSRF

The above is just an example of what you may see in the audit log and is not related to the scan result in the previous section.
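As an added example of consuming that audit trail for incident management, the following Python re-joins records that were wrapped onto continuation lines, extracts the possible-CSRF rejections and groups them by client address, so an administrator can tell a one-off from a sustained attempt. It is not SFTPPlus code; the field layout is inferred from the single line shown above and should be treated as an assumption, and the sample lines are constructed, with event id 99999 as a placeholder for an unrelated event.

```python
"""Added example: summarize possible-CSRF rejections from an audit log.

Not SFTPPlus code. The field layout (event id, date, time, component,
account, peer address, message) is inferred from the single audit line shown
above and should be treated as an assumption; the sample lines below are
constructed, with event id 99999 as a placeholder for an unrelated event.
"""
import re

RECORD_RE = re.compile(
    r"^\|?\s*(?P<event_id>\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<component>\S+)\s+(?P<account>\S+)\s+"
    r"(?P<peer>\S+:\d+)\s+"
    r"(?P<message>.*)$"
)

# Message emitted when the service rejects a request as a possible CSRF.
CSRF_RE = re.compile(
    r'Forcing client disconnection at "(?P<path>[^"]*)" after receiving '
    r"(?P<body_bytes>\d+) bytes in body\. Response: 400 Possible CSRF"
)

SAMPLE_LOG = """\
| 40018 2018-06-07 11:05:43 Process Unknown 127.0.0.1:58871 Forcing client disconnection at "/unwanted.js" after
  receiving 0 bytes in body. Response: 400 Possible CSRF
| 40018 2018-06-07 11:05:44 Process Unknown 127.0.0.1:58872 Forcing client disconnection at "/" after receiving 0 bytes in body. Response: 400 Possible CSRF
| 40018 2018-06-07 11:06:10 Process Unknown 10.0.0.7:51002 Forcing client disconnection at "/unwanted.js" after receiving 12 bytes in body. Response: 400 Possible CSRF
| 99999 2018-06-07 11:06:30 Process test-user 10.0.0.7:51010 Constructed placeholder event that is not a CSRF rejection
"""


def iter_records(text):
    """Yield one logical record per event, re-joining records that were
    wrapped onto indented continuation lines (as the excerpt above is shown)."""
    record = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and record is not None:
            record += " " + raw.strip()
        else:
            if record is not None:
                yield record
            record = raw.rstrip()
    if record is not None:
        yield record


def parse_record(record):
    """Split a record into fields; return None for lines in another format."""
    match = RECORD_RE.match(record)
    if not match:
        return None
    event = match.groupdict()
    # Peer is "ip:port"; the port changes per connection, so group by ip.
    event["client_ip"] = event["peer"].rsplit(":", 1)[0]
    csrf = CSRF_RE.search(event["message"])
    event["csrf_rejected"] = csrf is not None
    event["path"] = csrf.group("path") if csrf else None
    return event


def summarize_csrf_rejections(text):
    """Group CSRF rejections by client ip: count, distinct paths, time span."""
    summary = {}
    for record in iter_records(text):
        event = parse_record(record)
        if event is None or not event["csrf_rejected"]:
            continue
        entry = summary.setdefault(
            event["client_ip"],
            {"count": 0, "paths": set(), "first": None, "last": None})
        stamp = event["date"] + " " + event["time"]
        entry["count"] += 1
        entry["paths"].add(event["path"])
        entry["first"] = stamp if entry["first"] is None else min(entry["first"], stamp)
        entry["last"] = stamp if entry["last"] is None else max(entry["last"], stamp)
    return summary


if __name__ == "__main__":
    for ip, entry in sorted(summarize_csrf_rejections(SAMPLE_LOG).items()):
        print(ip, entry["count"], sorted(entry["paths"]), entry["first"], entry["last"])
```

During a scan the source will be your own scanner, as in the 127.0.0.1 lines; the same summary run over production logs separates a misconfigured internal client from a remote address probing many paths.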

This appears in the audit trail because SFTPPlus now enforces that requests come from the same origin, and this applies to simple GET requests as well as to POST requests.

This ensures that requests originating outside the boundary (the Internet) cannot interact with the HTTP file service or the Local Manager.

After checking that the Origin and Referer headers match the service's own origin, SFTPPlus also forces the browser to download served data rather than execute it.
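The following is an added example of such a same-origin check, written for this article; it is not SFTPPlus code and does not claim to reproduce how SFTPPlus implements its check. It normalizes default ports, prefers Origin over Referer, treats a null Origin as foreign, and applies to GET as well as POST. The one tolerance, letting a request that carries no session cookie through without an Origin or Referer so that the login page can be opened from a bookmark, is a design choice made for this example. The session cookie name chevah_http_session is the one used in the ZAP setup above; the sample requests are constructed.

```python
"""Added example: same-origin check for an authenticated HTTP file service.

Not SFTPPlus code and no claim about how SFTPPlus implements its check.
Standard library only; the sample requests are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SESSION_COOKIE = "chevah_http_session"   # cookie name used in the ZAP setup above


def normalize_origin(value):
    """Reduce a URL or Origin value to (scheme, host, port), filling in the
    default port so that 'https://h' and 'https://h:443' compare equal."""
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme.lower())
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def request_origin(headers):
    """Origin is authoritative when present; Referer (misspelled on the wire
    by the HTTP specification) is the fallback. A 'null' Origin comes from
    sandboxed or privacy-restricted contexts and is treated as foreign."""
    origin = headers.get("Origin")
    if origin is not None:
        return None if origin.strip() == "null" else normalize_origin(origin)
    referer = headers.get("Referer")
    if referer:
        return normalize_origin(referer)
    return None


def cookie_names(cookie_header):
    """Names present in a Cookie header such as 'a=1; chevah_http_session=x'."""
    return {part.split("=", 1)[0].strip()
            for part in cookie_header.split(";") if part.strip()}


def check_same_origin(headers, service_origin):
    """Decide whether a request may reach the service. Returns (accepted, reason).

    The rule applies to GET as well as POST. The only tolerance is a request
    that carries no session cookie and no Origin/Referer, so the login page
    can be opened from a bookmark; that is a design choice of this example.
    """
    expected = normalize_origin(service_origin)
    origin = request_origin(headers)
    authenticated = SESSION_COOKIE in cookie_names(headers.get("Cookie", ""))
    if origin is None:
        if authenticated:
            return False, "400 Possible CSRF: no usable Origin or Referer on an authenticated request"
        return True, "unauthenticated request without Origin/Referer (login page)"
    if origin != expected:
        return False, "400 Possible CSRF: request origin %s://%s:%s is not the service origin" % origin
    return True, "same origin"


SERVICE_ORIGIN = "http://localhost:10080"   # the HTTP service scanned above

# Constructed sample requests (header dicts only).
CROSS_SITE_POST = {"Origin": "http://attacker.example", "Cookie": "chevah_http_session=abc"}
SAME_ORIGIN_POST = {"Origin": "http://localhost:10080", "Cookie": "chevah_http_session=abc"}
REFERER_ONLY_GET = {"Referer": "http://localhost:10080/files/", "Cookie": "chevah_http_session=abc"}
HEADERLESS_AUTH_GET = {"Cookie": "chevah_http_session=abc"}   # e.g. <script src=...> under Referrer-Policy: no-referrer
BOOKMARK_GET = {}                                              # first visit, not yet logged in
NULL_ORIGIN_POST = {"Origin": "null", "Cookie": "chevah_http_session=abc"}

if __name__ == "__main__":
    for name in ("CROSS_SITE_POST", "SAME_ORIGIN_POST", "REFERER_ONLY_GET",
                 "HEADERLESS_AUTH_GET", "BOOKMARK_GET", "NULL_ORIGIN_POST"):
        print(name, check_same_origin(globals()[name], SERVICE_ORIGIN))
```

The comparison is on the full (scheme, host, port) tuple, so a request from http://localhost:10443 to the service on port 10080 is rejected; if the service is reached through a reverse proxy, the expected origin must be the one the browser sees, not the internal listener.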

What to do if you find an issue

The first step is to check if you have the latest version of SFTPPlus. New versions will contain not only new features, but also defect fixes including security bug fixes.

The second step is to look at the type of alert, manually confirm whether it is valid (for example, whether it is a false positive) and verify the results reported by zaproxy. The alerts are guidance for further investigation, not conclusions.

If there is a bug found, please do not hesitate to contact SFTPPlus Support with your defect report.

Keep up to date by signing up to our security advisories

SFTPPlus continues to be focused on automated, non-interactive file transfers in a secure fashion. Our security practices have been designed to make this a reality for our clients.

To be kept up to date with the latest security advisories and news, please subscribe to our newsletter here.

Other resources

The details in this resource are for guidance only. Your own security policies, requirements and threat models should be considered when adopting this type of guidance.

This resource is written as of SFTPPlus version 3.34.1.


• • •

SFTPPlus Release 3.34.1

Fri 08 June 2018 | security release

We have recently deployed the latest release of SFTPPlus version 3.34.1 which fixes the following defects:

  • The files downloaded using the HTTP file transfer service now have explicit headers to disable caching. [security][http][https] [#4953]
  • The HTTP service no longer returns user input as part of the error messages. [security][http][https][server-side] [#4954]

You can check the full release notes here.

• • •

IPv6 support for HTTP/S, FTP/S, SFTP and SCP File Transfer Services

Mon 04 June 2018 | article infrastructure

Why get ready for IPv6?

According to the Akamai Q1 2017 State of the Internet Connectivity Report, "approximately 5 million IPv4 addresses were depleted from available pools at the Regional Internet Registries in the first quarter, leaving approximately 39 million addresses remaining."

In response to the steady depletion of IPv4 addresses, many large mobile and broadband networks are actively rolling out IPv6 connectivity. According to World IPv6 Launch, the top 10 participating networks with IPv6 deployment rates above 50% include Comcast, AT&T, Verizon Wireless and Deutsche Telekom AG.

Now is a good time to brush up on your knowledge of deploying IPv6 in your organization. Where IPv6 knowledge or training is lacking, the potential security impact of a rollout is all the more urgent to address, because administrators without a minimum level of IPv6 expertise cannot ensure protection against threats. If you are on the front line of IPv6 deployment and file transfers in your own organization, you should find this post useful.

A brief introduction to IPv6

IPv6 was first introduced by the IETF in 1998 via RFC 2460, which has since been obsoleted by RFC 8200, published in July 2017. IPv6 is the new version of the Internet Protocol and the successor to IPv4.

The main updates are as follows:

Expanded addressing capabilities

This increases the IP address size from 32 bits to 128 bits, which supports more levels of addressing hierarchy, a much greater number of addressable nodes, more scalable multicast routing and the addition of anycast addresses.

Simplified header formats

This involved dropping or making optional some of the IPv4 header fields.

Improved support for extensions and options

The way IP header options are encoded allows for more efficient forwarding and greater flexibility for new options.

Flow labeling capability

This allows a sender to label sequences of packets that it wants the network to treat as a single flow, for example to request special handling.

Authentication and privacy capabilities

Extensions are defined to support authentication, data integrity and, optionally, data confidentiality.

Although two decades have passed since IPv6 was introduced, the need to implement it becomes more pressing each day as IPv4 addresses run out. Greater adoption of IPv6 by vendors, including growing knowledge and support, means that deployment is now more feasible for administrators than ever before.

IPv6 and SFTPPlus

Enabling IPv6 on SFTPPlus for HTTP/S, FTP/S, SFTP and SCP

SFTPPlus supports configuring IPv6 addresses for the HTTP, HTTPS, FTPS, FTP, SFTP and SCP file transfer services.

We have written a starter guide with details on how you can enable IPv6 with SFTPPlus. Please see the documentation section on IPv6 support.

When configuring a new service on SFTPPlus, an IPv6 address can be used in the address field. To accept connections on all available IPv6 interfaces, use the unspecified address ::. The simplified test configuration below instead binds to the IPv6 loopback address ::1, so it accepts connections only from the local host:

[services/ftps]
enabled: Yes
name: FTPS Service on an IPv6 address.
address: ::1
port: 10021

Please consult the configuration documentation for more details about each type of file transfer service.
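To check a set of service bindings before enabling them, here is an added example written for this article using only the Python standard library; it is not SFTPPlus code. It parses the INI-style configuration shown above with configparser (an assumption about the format that holds for these simple keys), classifies each address, warns about loopback-only listeners and about the dual-stack behaviour of ::, and shows how an IPv6 literal must be bracketed in a client URL. The second section, its name and port 10022 are constructed for the example.

```python
"""Added example: sanity checks for IPv6 service bindings.

Not SFTPPlus code. Parses the INI-style configuration shown above with
configparser (an assumption about the format for these simple keys),
classifies each address and shows how IPv6 literals appear in client URLs.
"""
import configparser
import ipaddress

# Constructed configuration: the first section is the one shown above; the
# second section, its name and port 10022 are invented for this example.
SAMPLE_CONFIG = """
[services/ftps]
enabled: Yes
name: FTPS Service on an IPv6 address.
address: ::1
port: 10021

[services/sftp]
enabled: Yes
name: SFTP Service on all IPv6 interfaces.
address: ::
port: 10022
"""


def describe_bind_address(address):
    """Classify a listen address; raises ValueError for a malformed one."""
    ip = ipaddress.ip_address(address)
    if ip.is_unspecified:
        return "ipv6-any" if ip.version == 6 else "ipv4-any"   # '::' or '0.0.0.0'
    if ip.is_loopback:
        return "loopback"       # '::1' or 127.0.0.0/8: local clients only
    if ip.is_link_local:
        return "link-local"     # fe80::/10 needs a zone id; rarely a server address
    if ip.is_private:
        return "private"        # fc00::/7, RFC 1918 and documentation ranges
    return "global"


def listener_warnings(address, port):
    """Things an administrator should know before enabling a service on
    this address."""
    kind = describe_bind_address(address)
    warnings = []
    if kind == "loopback":
        warnings.append("%s:%d is loopback; only clients on this host can connect"
                        % (address, port))
    if kind == "ipv6-any":
        warnings.append("'::' listens on every IPv6 interface and, depending on the "
                        "platform's IPV6_V6ONLY default, may also accept IPv4 "
                        "connections; firewall both protocols on port %d" % port)
    if kind == "link-local":
        warnings.append("%s is link-local and unreachable beyond the local link" % address)
    return warnings


def endpoint_url(scheme, address, port):
    """Client URL for an address. IPv6 literals must be bracketed, otherwise the
    colons inside the address are parsed as the port separator."""
    ip = ipaddress.ip_address(address)
    host = "[%s]" % ip if ip.version == 6 else str(ip)
    return "%s://%s:%d/" % (scheme, host, port)


def audit_services(config_text):
    """Return {section: [warnings]} for every [services/...] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    report = {}
    for section in cfg.sections():
        if not section.startswith("services/"):
            continue
        address = cfg.get(section, "address")
        port = cfg.getint(section, "port")
        report[section] = listener_warnings(address, port)
    return report


if __name__ == "__main__":
    for section, warnings in audit_services(SAMPLE_CONFIG).items():
        print(section, warnings or ["ok"])
    print(endpoint_url("https", "::1", 10443))   # https://[::1]:10443/
```

The dual-stack warning is the one most often missed: on platforms where a :: listener also accepts IPv4-mapped connections, an IPv4-only firewall rule set does not protect the IPv6 service, and the reverse holds for IPv6 rules on an IPv4 listener.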

Enabling IPv6 on SFTPPlus Local Manager

As with the file transfer services, you can set the SFTPPlus Local Manager to listen on an IPv6 address via the same address field.

Administrators can add this via the SFTPPlus Local Manager Services section:

FTPS service including IPv6 address option.

Enabling authentication methods with IPv6

IPv6 addresses are supported when authenticating file transfer accounts via the LDAP authentication method and via the HTTP API authentication method.

IPv6 implementation and security considerations

The following are some considerations in implementing IPv6 securely.

Conduct an inventory audit

Tag which file transfer scenarios (server, client, protocol) require IPv6 implementation and support.

Communicate with your vendors

Ask your vendors what level of IPv6 support they provide. If it is not supported, ask whether support is on the product roadmap.

We have added IPv6 support for file transfer services, as of SFTPPlus version 3.33.0, in response to customer needs to roll out such support.

Conduct a security-focused audit on IPv6 deployment

Most security properties and controls apply equally to IPv4 and IPv6. Audit which of your existing controls carry over to the IPv6 deployment as they are and which need an IPv6-specific equivalent.

Last but not least - do not overlook security risks and requirements for IPv6

Network administrators who overlook the effects of IPv6 on their network face security risks. IPv6 traffic is as susceptible to man-in-the-middle (MITM) attacks as IPv4, and bad actors may eavesdrop on traffic that is not protected by upper-layer protocols such as TLS (Transport Layer Security) or SSH (Secure Shell). Another threat is the bypassing of IPv4-only firewalls and ACLs using IPv6 tunneling protocols, as described in the Carnegie Mellon University CERT/CC blog post here.

IPv6 troubleshooting

The following are introductory advice for those troubleshooting IPv6 within a file transfer scenario.

  • Ensure that the protocols to be used are fully tested with SFTPPlus.
  • Ensure that FTP proxies, firewalls and other layer 7 technologies properly support IPv6.
  • Ensure that any other boundary facing technologies are implementing IPv6 correctly.

It is also worth keeping track of changes to the protocol. For example, design changes to IPv6 extension headers can have security implications, depending on how new headers interact with existing extension headers.

Those evaluating SFTPPlus and customers with a valid support contract can leverage help from the SFTPPlus Support team for queries in regards to SFTPPlus and IPv6 deployment.

Other resources

This resource is written as of SFTPPlus version 3.34.0.

The details in this resource are for guidance only. Your own security policies, requirements and threat models should be considered when adopting this type of guidance.


• • •