» 

Blog

FBI Issues Warning on FTP Servers

FBI warning for FTPThe FBI recently issued a Private Industry Notification to healthcare providers warning them of the dangers of unsecured FTP servers. According to the alert, the FBI is aware of criminal actors actively targeting FTP servers operating in “anonymous” mode, meaning a user can authenticate to the FTP server with a common username like “anonymous” or with a generic email address or password. The FBI notification cited a 2015 study from the University of Michigan that indicated over one million FTP servers were configured to allow anonymous access.

While the notification was intended for medical and dental facilities, inadequate FTP security is a concern across all industries. According to the FBI, “Any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals.”

The problems with FTP servers go beyond anonymous mode. For one thing, many organizations are running legacy FTP software that hasn’t been kept up-to-date with modern security concerns. Another widespread issue comes from granting excess permissions to trading partners or internal staff. Anyone given administrative access could change a setting on the server without realizing the potential security implications.

Hopefully it’s clear that you should be using encryption to protect your data. What some businesses fail to realize is that encryption methods vary greatly in strength based on factors like  key size and type of encryption ciphers used. Many of the older ciphers and protocols have been broken and are now obsolete. Finally, a major problem with legacy FTP servers is a lack of alerts if anything goes wrong and the lack of detailed logs to help you maintain compliance with industry regulations.

These common pitfalls can be addressed with a robust managed file transfer (MFT) solution. Managed file transfer offers a variety of strong, up-to-date protocols and encryption methods, allowing you to replace standard FTP with something more secure like SFTP or FTPS. Software with role-based security gives you the option to limit any user or user group to just the permissions they absolutely need, and detailed audit logs keep track of exactly which user took what action and when—essential information for your team and for auditors alike.

To learn more about how to secure an FTP server, watch the on-demand webinar, Top 10 Tips for Securing Your FTP or SFTP Server.

 


Take the PCI DSS Quiz, Win a Free Tablet!

With the looming 2018 compliance deadlines and the constant news of data breaches, PCI DSS is on the minds of IT and cybersecurity professionals around the world. For organizations that reached compliance within the last year, you may be surprised to know that only 29% of companies are compliant a year after validation.

As processes, partners, and staff shift within an organization, keeping track of the measures required to maintain compliance can be difficult. The first step in becoming or maintaining PCI DSS compliance is understanding the requirements, and how they apply to your organization.

How well do you understand the PCI DSS requirements? 

Find out by taking this fun, interactive quiz for the chance to win a free Google Pixel C. That’s right, one lucky winner will be selected at random to win a free tablet just for taking the quiz.

 

So what are you waiting for? Test your PCI DSS skills below.

 

 

 

 

 


GoAnywhere Wins Cybersecurity Award

GoAnywhere MFT wins 2017 Cybersecurity Excellence Award for Secure File Transfer


For the second year in a row, GoAnywhere Managed File Transfer from Linoma Software, a division of HelpSystems, has been awarded a 2017 Cybersecurity Excellence Award in the category of Secure File Transfer.

The Cybersecurity Excellence Awards honor individuals, products, and companies that demonstrate excellence, innovation, and leadership in information security. The awards are based on the strength of the company’s nomination and the popular vote by members of the Information Security Community on LinkedIn.

Sending and securing data is a challenge for many organizations. GoAnywhere addresses that challenge by providing a secure solution for transferring files, with a firm dedication to improving features and adding functionality to address ever-evolving security and compliance concerns.

The software is browser-based and features a user-friendly graphical interface for easy deployment and integration. Users can be up and running in minutes and the automation and logging features save time and money for IT admins. Whether you’re initiating transfers, your partner is initiating them or if you need to collaborate with a group of users, GoAnywhere MFT can handle your file transfer requirements.

“Congratulations to Linoma Software for winning the Secure File Transfer category of the 2017 Cybersecurity Excellence Awards for the GoAnywhere MFT solution,” said Holger Schulze, founder of the 350,000 member Information Security Community on LinkedIn which organizes the awards program. “With over 450 entries, the 2017 awards are highly competitive. All winners and finalists reflect the very best in leadership, excellence and innovation in today's cybersecurity industry.”

The Cybersecurity Excellence Awards are produced in cooperation with the Information Security Community on LinkedIn, tapping into the experience of over 300,000+ cybersecurity professionals to recognize the world's best cybersecurity products, individuals and organizations. For more info: cybersecurity-excellence-awards.com.


RSA 2017 Recap: Influential Sessions (videos included)


On Feb 13th, 2017, over 40,000 people descended on San Francisco for one of the largest security conferences in the world: RSA Conference 2017. The Linoma Software team was among those attendees, speaking with IT professionals interested in finding a top-rated managed file transfer solution at our expo booth, and sitting in on world-class educational sessions throughout the week. Below you’ll find an overview of some of our favorite sessions, as well as social highlights from the conference.


The Seven Most Dangerous New Attack Techniques,
and What's Coming Next

This was one of the most interesting sessions we attended of the conference. Three security experts (Ed Skoudis, Michael Assante and Dr. Johannes Ullrich) discussed the types of cyber attacks that are increasing in popularity among the cyber “bad guys”. Among their discussions, two important points stood out to us.

1. Attackers are broadening their targets

Attackers are not just looking for PII now. They are interested in other information that could be used for exploitation. Embarrassing information, extortion malware, power grid attacks and background check data are a few examples. “It’s not all about PII. If your organization does not store personally identifiable information, that doesn’t mean you’re not a target. In fact, you’re a target more than ever,” explained panelist Ed Skoudis in the presentation.

2. IOS attacks are projected to increase

Over the past few years, attackers have pivoted their strategy to focus more on mobile devices, specifically Android and IOS. Both Google and Apple are frequently deploying software updates that patch newly discovered vulnerabilities, but sometimes implementation of these patches can take weeks or even months. The best course of action for users is to ensure they’re updating their mobile operating system often, to take advantage of newly released security measures.

I encourage you to watch the full session below.

Planning for Chaos

There are complex cybersecurity challenges on the horizon, and the best step any organization can take is to learn how to plan for that chaos. Dr. Zulfikar Ramzan, Chief Technology Officer at RSA, walked the audience through the required steps for planning for this unknown future, and mitigating risk along the way.

In his session, he discussed the importance of a tangible and realistic incident response plan.

“An incident response plan isn’t a wishlist,” explained Ramzan. “Only leverage available resources.” He stressed the message that for an incident response plan to be successful, it requires the availability of resources, budget and collaboration between IT, finance, sales, marketing and others.

To watch the full session, play the video below:

What’s Next in Cybersecurity

An important aspect of security software development is addressing current and upcoming policies and compliance requirements. In this session, cybersecurity officials discussed the findings of a year-long effort in Washington and Silicon Valley to identify new cybersecurity policies for the administration. Below are just a few of the discussions taking place in the cyber-policy realm:

  • Cloud implementation and shared services: Implemented services in the cloud, in a secure way
  • More focus on NIST framework: Aimed at helping organizations align security, IT and business needs
  • Better reporting of cyber attacks and cyber breaches: Developing a safe way of reporting incidents that protect anonymity while helping us understand the details and learn from the incidents
  • Accelerating the security workforce: Discussing both short and long term solutions to build our US workforce of security professionals

You can listen to the full session in the video below.

Top Tweets of the Conference

The hashtag used on Twitter during the 2017 RSA conference was #RSAC2017. This hashtag was used to share motivational speaker quotes, shocking statistics, cybersecurity resources and conference happenings. Of these tweets, several rose above the rest, receiving hundreds of retweets and favorites. Here are a few tweets that your fellow security professionals found to be most intriguing.

 

 

 

Did you miss a session you were hoping to catch?

Have no fear, RSA has collected a wide range of presentations from the 2017 RSA Conference. They can be found here.

 

We’re curious to hear from you! What was your favorite session or experience at this year’s RSA conference? Comment below.


Still using SHA-1 to secure file transfers? It’s time to say goodbye.

Sha-1 Shattered

Securing information is rising in importance for organizations worldwide. Using outdated technology is extremely risky, yet many organizations continue to do so because of legacy systems that don’t allow them to upgrade, lack of resources and time to upgrade, or they are simply unaware. The commonly used SHA-1 algorithm is a perfect example of an obsolete encryption standard that should have been completely phased out long ago. So why are people talking about it today?

With over a decade of warnings about the security vulnerabilities of SHA-1, and deprecation by The National Institute of Standards and Technology (NIST) in 2011, many organizations have since phased out use of this older hash algorithm. For those remaining organizations who haven’t migrated away from SHA-1, Google’s recent public announcement of the first SHA-1 collision should motivate them to abandon this algorithm completely.

Hash algorithms are widely used for a variety of functions including authentication and digital signatures. With file transfers, the algorithm was typically utilized to verify the integrity of sent messages. Using SHA-1, files are compressed into a 160-bit message digest or hash file which is calculated both before and after transmission. On receipt, the two hash values (or signatures) for that transmission are checked to ensure the data has remained intact, as long as both values still match. If the hash values don’t match, the file was likely compromised at some point along the way.

Having two different messages that produce the same hash value should be almost impossible. However, advancements in technology and computational power since the introduction of SHA-1 have exposed its vulnerabilities. With last week’s announcement, Google has proven that systems using SHA-1 can be fooled into thinking a signature is valid when it’s not by producing the same cryptographic hash with two different files. By publicizing their work, this legacy algorithm has been rendered obsolete and insecure.

How does the SHA-1 collision affect file transfers?

If you are still using SHA-1 to verify the integrity of file transfers, you should know that it is no longer considered a safe or secure method. Bottom line, if you still use SHA-1, it should be transitioned to a more secure standard as soon as possible.

If you’re looking to replace SHA-1, an obvious alternative would be SHA-2. The SHA-2 algorithm is a family of hash functions with values of 224, 256, 384 or 512 bits, thus providing stronger security with longer message digests. The more complex algorithms generate more potential hash combinations than were possible with SHA-1 which make the SHA-2 algorithm extremely difficult to break using today’s technology.

GoAnywhere Managed File Transfer and SHA-2

GoAnywhere MFT fully supports the SHA-2 algorithm for secure file transfers over SFTP and FTPS. In addition, GoAnywhere is Drummond Certified for AS2 file transfers and successfully met all requirements for the optional AS2 secure hashing algorithm 2 (SHA-2) tests.

 


Get the Guide: Achieving HIPAA Compliance with GoAnywhere MFT


Are your file transfers HIPAA compliant? Is your healthcare organization at risk for fines, or worse - a data breach of sensitive patient information? Many health IT teams meet these questions with unease.

Fortunately, GoAnywhere is here to help.

HIPAA (the Health Insurance Portability and Accountability Act) protects the confidentiality, integrity, and availability of electronic health information. For any IT professional working in the healthcare industry—or for a company that does business with healthcare organizations—HIPAA is a concern. Compliance is strictly enforced, with penalties including substantial fines and, in rare cases, even prison sentences.

HIPAA is dedicated to protecting patient health information, but cybersecurity is only a portion of what the law covers and HIPAA’s security standards were not written for an IT audience. Avoiding specific technical language means the law changes with the times and allows organizations to adopt new technologies that help them meet HIPAA requirements. This approach provides flexibility, but it also makes HIPAA compliance challenging—IT professionals have to translate HIPAA into IT terms to determine what steps they need to take to become compliant.

Patient care involves constantly exchanging and updating electronic records, making file transfers a potential area of security vulnerability. GoAnywhere MFT protects valuable personal data while simplifying HIPAA compliance.

We’ve put together a guide that demonstrates how GoAnywhere MFT addresses several key HIPAA requirements. For example, GoAnywhere prevents unauthorized access by authenticating users and passwords with a variety of techniques including database authentication, LDAP, and Active Directory. Audit trails are generated to document if unauthorized attempts are made to alter or delete documents.

 

Download the guide to learn more about how GoAnywhere makes HIPAA compliance easy.

 

 

 

 

 

 


Why Healthcare Organizations Need a Managed File Transfer Solution

Anmed health clinic

 

Last year was a scary year in healthcare cybersecurity. A hack of Banner Health breached up to 3.7 million records. Another data breach at 21st Century Oncology resulted in multiple lawsuits being filed against the organization. When a third party gained unauthorized access to computer systems at Valley Anesthesiology and Pain Consultants, almost 900 thousand patients, employees, and providers had to be notified. These are just a few examples of the biggest incidents in the news—smaller security failures are happening all the time.

Patient records are extremely sensitive, so healthcare organizations have to be especially vigilant about securing their data. Additionally, they need to be able to prove compliance with HIPAA. In an industry that involves constantly moving and updating patient records, maintaining security and compliance requires a robust method of protecting any transfer of data. That’s why no healthcare cybersecurity strategy is complete without a managed file transfer (MFT) solution.

Why Not Use a Basic File Transfer Tool?

Many EHR or network monitoring software already implemented within a healthcare organization include some secure file transfer capabilities, so it’s easy for IT professionals to ask: “Why not just stick with the basics?” While some of the add-on file transfer tools may protect sensitive data in transit, there are several crucial features that a complete managed file transfer solution can perform.

Supports varied platforms, protocols and encryptions: A good managed file transfer platform will support a variety of protocols, such as SFTP, FTPS, and HTTPS, and encryption standards like AES and Open PGP. It may be necessary to select different methods for each transfer based on your partner’s requirements.

Centralized system for organized monitoring and reporting: For many healthcare organizations, regular monitoring and reporting of file transfers is a requirement for compliance adherence. The ideal MFT solution provides a single tool capable of handling all your transfers out of one area, whether that be server-to-server batch file transfers, user-to-user ad-hoc file transfers and person-to-person file collaboration. A centralized area simplifies the ability to monitor and report all transfer activity.

Controls user access: HIPAA requires that organizations prevent unauthorized access to files. Of course, this can mean hackers with malicious intent, but you should also have protocols in place to protect data from internal actors. A 2015 study found that internal actors were responsible for 43% of data loss. That includes both intentional and accidental security failures.

MFT software with role-based security options can limit each user to the servers and the functions of managed file transfer that they absolutely need to use. Individual files and folders can be restricted to certain users or user groups. Since every user has a unique user ID, all their activity can be tracked—essential if you face an audit.

Facilitates HIPAA compliance: Modern IT environments and the volume of electronic records stored by healthcare organizations are far larger and more complex than what existed HIPAA was first enacted. Although many organizations got by with FTP-based tools or custom scripts in the past, the best way to meet HIPAA requirements today is with an easy-to-use, comprehensive managed file transfer platform.

In addition to providing the required security protocols and encryption, a good MFT tool will generate detailed audit trails and reporting of every file transfer, identifying the users, the recipients, and the file names transmitted. Just what an auditor needs to see.

Simplifies and automates transfers: Configuring each file transfer in a way that is secure, compliant, and meets the individual needs of each business partner is extremely time consuming. Too many manual steps in the transfer process can make a high volume of file transfers impossible to manage, not to mention error-prone. The automation capabilities of managed file transfer software can streamline data transfer processes and reduce the potential for mistakes.

Case in Point: 
AnMed Health Saves 500+ Hours of Manpower Each Month

Anmed health clinicWhen health system AnMed Health made the decision to replace outdated file transfer systems with GoAnywere MFT, their new ability to support SFTP and PGP encryption increased the number of vendors AnMed could perform simplified, and secured transfers with.

But that wasn’t the only benefit. Using managed file transfer eliminated the need for third-shift data center staffing and saved programming, operations, and network staff over 500 hours a month. How much money do you estimate that 500 hours a month could save your healthcare organization?

Another useful improvement was automatic notifications and greater visibility into the status of file transfers. Previously, the AnMed Health team often only found out about a problem when they received a call from a vendor.  A robust MFT solution will alert you if something goes wrong, allowing you to attack the issue without delay.

Ready to see for yourself? Schedule a demo of GoAnywhere MFT to see how easily your file transfer process can be secured, automated and centralized.


Preview of RSA Conference 2017 #RSAC

RSA conference

 

For those that are new to the annual RSA Conference U.S., this is one of the greatest info security conferences all year. The 2017 conference is said to be better than ever: more space, expanded food options, the new “Reserve a Seat” option and three full days of info security discussion led by global security experts.

Linoma Software will be attending this year’s conference, exhibiting in the North Expo. Our team is looking forward to learning which security topics are most prevalent among peers and engaging in meaningful discussions on today’s challenges and innovation. From an educational standpoint, there are several sessions we are most looking forward to:

 

CSA summit at RSACloud Security Alliance Summit 2017

February 13, 2017 | 9:00 AM - 4:00 PM | Marriott Marquis | Yerba Buena 5

Ah, “the cloud.” Over the past decade, businesses worldwide have been making the transition towards cloud computing and storage, and concern for security within the cloud has never been higher. In this special summit taking place during RSA 2017, world-leading security experts and cloud providers will join to discuss the threat landscape, data security innovations and global governance.

The keynote speakers are General Keith Alexander, CEO and President of IronNet Cybersecurity, and Robert Herjavec, CEO and Founder of Herjavec Group, and frequent investor on Shark Tank. Together with top officials from Symantec, Cryptozone, Duo Security and Oracle, these speakers are sure to bring decades of experience, lively discussion and actionable advice.

 

Peer2Peer at RSAMobile Devices: What Could Go Wrong? Discussion from the Frontlines

February 14, 2017 | 2:30 PM - 3:15 PM | Marriott Marquis | Nob Hill B

How many of your employees use their personal phones to access email, calendars or internal web resources? As of 2016, 77% of U.S. adults owned a smartphone, according to the Pew Research Center. In a world of BYOD (bring your own device), this session offers the opportunity to learn how your peers are dealing with security risks associated with mobile devices, apps and wi-fi networks that employees use.

This discussion will take place as part of the “Peer2Peers” breakout sessions, which is one of our favorite aspects of this conference. Facilitated by David Jevans, VP of Mobile Security at Proofpoint, it’s sure to spur meaningful conversations and peer-to-peer discussion.

 

Secure File Transfer for Enhanced Data Security

February 13-16, 2017 | Linoma Software Booth 4407, North Expo | San Francisco Moscone Center

Bring your most pressing file transfer questions to the North Expo, where secure file transfer experts from Linoma Software will be available to answer questions. This is a great opportunity to learn how a managed file transfer solution like GoAnywhere MFT can help to secure and automate transfers using a centralized approach.

We’re looking forward to connecting with you during the RSA 2017 conference! Be sure to stop by booth 4407 (map below).

RSA expo map to Linoma booth

 

Ready to get into the information security mindset? Watch the RSA 2016 opening theme video below for a glimpse into the discussions sure to occur during the 2017 conference.


7 Essential Resources on PCI DSS Security

7 essential resources on PCI DSS compliance

Did you know that 80% of organizations are not compliant with PCI DSS requirements? That means, if you’re reading this, there’s a pretty good chance your company needs to make adjustments in order to ensure a fully compliant payment processing infrastructure.

PCI DSS compliance doesn’t happen overnight, and maintaining compliance year after year can be even more difficult. In fact, only 29% of companies surveyed were in compliance a year after validation. With these statistics in mind, we’ve compiled a collection of the best PCI DSS security and compliance resources.

Don’t see your favorite resource listed? Add to the list by commenting below.

 

PCI DSS compliance guide1. PCI DSS Quick Reference Guide [PDF]

This PDF guide provides a comprehensive overview of PCI DSS requirements, necessary security controls and processes, instructions on how to comply with PCI DSS and a list of trusted resources. Published by the PCI Security Standards Council, it’s authoritative and comprehensive.

Why we love it:
For anyone just beginning their research on PCI DSS, this guide is a great place to start. Keep in mind, the PCI Security Standards Council typically releases a new guide when the next version of requirements is confirmed. Check their website for the most up-to-date version.

 

hacking point of sale2. Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions [Book]

This book is a must-have guide for anyone responsible for securing credit and debit card transactions, and offers an inside look at how these systems can be hacked. To beat the enemy, you must know the enemy.

Why we love it:
In the last few years POS hacks have become more prevalent (Wendy’s, Cici’s Pizza and Eddie Bauer, for example). With a reader rating of 4.3 out of 5 stars, this book provides real and actionable solutions on how to achieve better security at the point of sale.

 

 

the hacker playbook3. The Hacker Playbook 2: Practical Guide To Penetration Testing [Book]

This resource goes above and beyond PCI DSS compliance to teach security professionals how to protect against hacking through the game of penetration hacking. Described by readers as a “no-fluff” “ultimate playbook”, this top-rated book made our list of recommended PCI DSS security resources for good reason.

Why we love it:
This step-by-step guide is top-rated, and takes a unique approach to preventative security, helping readers to better understand all the ways their infrastructure could be compromised.

 

 

 

 

PCI DSS validation requirements4. Validation Requirements [Infographic]

Are you a visual learner? Then this infographic is a great place to start when looking to understand PCI DSS validation requirements.

Why we love it:
The chart is straight-forward, allowing anyone to quickly understand which validation requirements their organization falls under.

 

 

 

reduce PCI DSS scope5. Reduce PCI DSS Scope [SlideShare]

Most PCI DSS compliant businesses are looking to minimize the cost and effort that comes with PCI DSS compliance. Fortunately, there are a few key ways at reducing the scope of PCI DSS, and this helpful SlideShare explains them.

Why we love it:
Reducing PCI DSS scope is a very important aspect of PCI DSS compliance, and can greatly help to reduce the costs dedicated to maintaining compliance. Beginning on slide 23, this SlideShare offers some great ways to reduce PCI DSS overhead.

 

 

 

 

PCI DSS compliance made easy6. PCI DSS Compliance Made Easy [Video]

In this 3 minute video, a small business owner explains how PCI DSS compliance affects him, his customers, and his business. He also explains the important risks of non-compliance.

Why we love it:
PCI DSS compliance applies to so many types of businesses, and the importance of these regulations can easily be missed by small business owners focusing on day-to-day operations. This video takes a personable, engaging approach to PCI DSS compliance.

 

 

how to give your PCI DSS compliance program a tune up7. Acquirers: How to Give Your PCI DSS Compliance Program a Tune Up [Infographic]

If you’re confident that your organization is already meeting PCI DSS compliance, this infographic is for you. Learn four ways you can give your PCI DSS compliance program a tune-up, to ensure on-going compliance in years to come.

Why we love it:
In a sea of resources on “what is PCI DSS” and the basics to becoming compliant, this infographic speaks to those organizations that have moved past that stage in their compliance.GoAnywhere PCI DSS Guide

 

 

Want more PCI DSS compliance resources? Check out our new guide on how GoAnywhere Managed File Transfer helps to make PCI DSS compliance easy.