Get the Most Out of GoAnywhere: PCI DSS Security Settings Report

Andrew: All right. Good morning, everyone. We're going to go ahead and get started. My name is Andrew and I'll be your host this morning for our next Get the Most Out of GoAnywhere event focused on our PCI DSS Security Settings Audit Report.

Thank you for joining us today. Our event should be about 30 minutes long. Before we get started, a few housekeeping notes. We are recording this event and we will send a follow up email here this afternoon with the recording, the slide deck, and a little bit of additional information about the subject matter we're talking about. There is a Q&A tab down there at the lower right. It's easiest for us to get and respond to questions throughout and I have Brian on the line, too, to help us do that. So if you send them a real time, we'll try and get to them as fast as possible and then we should have a little bit of time at the end to do any additional questions there might be. So go ahead and submit them as they come up and we'll address them as we can.

And then at the very end of the event, and Dan will give us a quick reminder here at the end too. There is a followup survey. It's three short questions. We'd love to hear your feedback on the events so far, especially this event. If you have any questions that need follow up or anything else you want to let us know, that's the best way to do it.

Let's take a look at the agenda today. So we're going to start out and before I introduced Dan, we'll talk a little bit about PCI DSS and the Security Settings Audit Report and then we'll kind of jump right into seeing the report in action with a use case, a live demonstration. And then like I said, we'll finish up with a little bit of Q&A and a little note on the upcoming webinars series. So you all should be familiar with Dan Freeman at this point. He's our senior solutions consultant here at health systems and kind of a resident expert in this area. So I'm going to kick it over to Dan to get started. Dan, are you there?

Dan: I certainly am. Thank you.

Andrew: And you should have presenter rights, so go ahead and take control.

What is PCI DSS?

Dan: All right, appreciate it. Thanks, Andrew, and thanks to all again for joining us today in this exciting episode of Getting the Most Out of GoAnywhere PCI Security Settings Audit Report. Yeah, I know. I think for most of us when we think of security and privacy compliance, we think of, well a lot of work among some other expletive things but for most of us that are responsible for systems containing or transmitting sensitive information and are in the direct line of fire of auditors, compliance usually follows us with an uneasy churning of the stomach. And as if it wasn't enough the need to protect the sensitive information, there seems to be countless number of compliance regulations depending upon what industry you are in and what kinds of information you are actually working with and then even when you do nail that down, interpreting any security, indoor privacy compliance can be quite a daunting task, not to mention and maybe a few FTEs and potentially countless resources.

No matter what security, privacy, compliance standards you do fall under, the goal is to protect information, whether customer, financial, health, federal, or state agency data, it is our duty to protect the confidentiality, integrity, and availability or the CIA of sensitive information. Now today we're going to talk specifically about how GoAnywhere can help relieve some of these queasy feelings surrounding compliance by providing the technical controls and security configurations to properly protect the data that is processed via GoAnywhere and acting as the star of the show and main attraction, we will provide a report to give you a glimpse of how your configurations stack up against the applicable PCI DCSS Security Controls. Speaking of which PCI DSS or the Payment Card Industry Data Security Standards were developed for those companies responsible for processing debit and credit card payments.

Now, these standards do require organizations to protect the privacy of customer account data. Like many of the regulations, failure to meet these standards can result in significant fines or even the termination of the ability to conduct work. In fact, the consequences of not being compliant and PCI range from $5,000 to $500,000 levied by the banks and credit card institutions. Now there are 12 main sections or subject areas with multiple sub security controls that total over 200 security and privacy controls in all. Now for the most part, the key concerns are encrypting data, whether it's in transit or at rest. We must make sure that we're using the appropriate industry strength algorithms, cryptography, and cipher suites to make it virtually useless in the unfortunate event of a breach. We also must control the access to cardholder data. Access control is a central security concern across all compliance regulations and PCI is no exception.

From password policies, job separation of duties, and lease privilege via detailed role based access control administrative users, to the aforementioned encryption capabilities, in general, we must maintain secure systems and networks. And one of the hardest tasks to overcome when dealing with compliance is interpreting and mapping the numerous controls to your environment. Not to mention getting your boss to cut the check for all the tools needed to do so. But in lieu of all that GoAnywhere can at least provide a nice quick spot check on how your configurations map up.

Now, speaking of the boss to cut checks for these tools, one of the additions to the latest version of PCI DSS 3.2 was to require implementation of a top down approach from senior management to be involved with and enforce the creation of the security program, which is essential for user and company adoption. So even though compliance can be a pain in the rear, it can definitely be a driver for C-levels to put pen to paper.

GoAnywhere’s Security Settings Audit Report

Now introducing our GoAnywhere Security Settings Audit Report. Now this report analyzes 76 different security configuration settings within GoAnywhere, with a detailed list of GoAnywhere security defaults, all enabled services and the current configured security settings. I'd say probably the most important and useful component of this report is the fact that we give you the recommended steps to mitigate any failures or noncompliances you may encounter. Now these recommendations definitely take the guesswork out of fixing the issues.

How to Run the Audit Report

Now running the actual report does require that you do have the advanced reporting module as one of your license features. This module will give you access not only to the Security Settings Audit Report we'll look at today, but also about 23 different other configurable reports. When you do run the report, GoAnywhere will do an analysis of your MFT security settings. It will then provide a status and comparison to the latest PCI DSS 3.2 Compliance Setting.

Now the first two are pretty self explanatory. We've got Pass, if so, then obviously the setting meets the requirement and Fail, the setting does not meet the requirement. Now if you get a Warning, this is indicating that the setting may need to be investigated further. An example could be if you don't have our FIPS 140-2 module enabled, this would provide a warning, even though you could still explicitly only now allow NIST approved algorithms and ciphers without having that setting do it for you automatically. Little confusing probably, well, we'll take a look at that exact example when jumping into the product in just a second. The Not Applicable, this usually means that a check on the setting is not required, most likely because you don't have a feature enabled or license within the product and then Fatal. That does sound terrible, but it's an indication that a configuration problem prevents GoAnywhere from accessing the appropriate data. It's definitely not the same as Fail, but rather when trying to access that file that pertains to a particular config setting, we're unable to for whatever reason.

Now, although you can run the report at any time on an ad hoc basis, you can definitely configure the report to run on an automated basis using GoAnywhere Job Scheduler. As you may or may not know, all the reports available in the advanced reporting module are available as tasks within the projects. Now these projects can not only be run a scheduled basis to generate the report, but also the project could then distribute the report in a multitude of ways. Whether you want to email the CSO of your organization or maybe assist admin for review or maybe place a copy and doing an encrypted folder location for archiving or if really ambitious, you could actually generate the report and potentially send to your auditor via GoAnywhere secure mail tasks within the actual product.

Live Demo

With that, let's go ahead and, Andrew, I'm going to ask, make sure that you guys are seeing the screen. You guys able to see my screen up here?

Andrew: Yep, we can see it.

Dan: All right, great. Okay. This should be pretty familiar, you see. This is going to be the administrative console of GoAnywhere, MFT. As we mentioned earlier, we are going to need the advanced reporting feature to run the security audit report. To find that out, you can go to Help and License and actually check the features tab and see if you have the advanced reporting feature. If not, I am very confident that your sales representative can help you in getting that configured for you. In lieu of that, let's go ahead and jump over to the report section here. It's going to have these 24 different canned reports whether on system utilization, user utilization, but the one that we're going to look at and take a peek at today is going to be this security settings audit.

A couple of things we can configure here. If you want, you can change the name to PCI audit and we'll just give it ... Today is not the 10th. Today's the 11th right? Yeah, 2017 and we'll keep in ports. We'll go ahead and run the report. So this is going to again, go through those 76 different security control settings and give you any of those status. One of the couple things to look at within this report that we're looking, the environment variable is something that you can configure within your global settings. I highly recommend it. It is nice to know not just from this report standpoint to know that where this actual audit is coming from. One thing I also want to make a side note on before we get into this report is you will notice this as a demo machine. So we did set up some things for failure just so we can show you guys how these certain settings can be passed, failed or other types of status.

Just definitely wanted to point that out, but also the environment tag can be tagged within other system alerts whether jobs fail or successful. It's nice to know whether it's your demo or maybe your production environment. And then we have our five status settings here with the total count of each and then basically the report is going to be broken down into four sections here. We are going to have the security check column, which is going to be the actual condition or configuration setting or security control that we are going to be reporting against the status as we talked about and be one of the five different statuses.

Again, I think one of the most important areas is going to be that recommendation in case we do fail. Unfortunately, we will give you those mitigation steps to tell you exactly how within the product to fix that so we can get rid of that failed and let's get it back to where we want to see it, back to that pass section or status. And then we'd map it to that PCI DSS section. For the most part, again, as we talked about, there are 12 different sections and we go into numeric order from one down to 12.

There are a couple of different areas here that some, there's some similarities in the actual sections, so there's a little bit of cross, but for the most part it goes from one down to 12 all right, I'm going to leave that report open. That was us running the report ad hoc, just kind of going out here, clicking on this and going ahead and running it in a ad hoc fashion, but as we talked about, and I'm sure you guys know, if you, if you don't, we do have an Enterprise Scheduler, so we could actually schedule this to be run on a scheduled basis.

Now within here we'll look at our preconfigured scheduler. Not going to dive too much into the actual schedule or product, but for the most part and what we're doing is we're going to kick off a project that has the security settings report tasks that we mentioned earlier in the project to develop that PDF report that we just looked at. In this case we set it for a weekly job to run every Wednesday at 10:05, so that was about eight minutes ago, so hopefully I don't get egg on my face and everything went as planned and we'll have a project that ran about eight minutes ago.

But moving forward we can also give some builtin email notifications on the scheduler whether the job completed successfully or it actually failed. Before we get to the fact of whether I failed or not. Let's go ahead and take a look at the project that it's actually calling first and this is going to be the security settings report project. So let's navigate over here. We'll go down to security settings report and again, like I mentioned, there is the reports component library section where it has all of those custom reports that we looked at from the advanced reporting module, one of them being the security settings audit.

And again, this is going to place a PDF document of the actual report that we looked at just a second ago. If you're not familiar with the advanced reporting or your, unfortunately you didn't attend our advanced reporting or I'm sorry, advanced workflows module, we can output those into variables. And I'm going to do just a couple of different possible tasks that you could do kind of like we mentioned here. In this case, we're going to run this every week and we're going to send a copy to our CSO, put in some information, have a nice message that says, "Here's the monthly security settings report for our super efficient and money saving GoAnywhere, managed file transfer solution."

I mean, what a great message. So he can have a nice little copy with the attachment of the secure report right there. We could also, if we got ambitious, we could leverage our secure mail feature within GoAnywhere to send securely the actual package or the actual attachment as a package to our auditor or whoever we wanted to, securely. Or we could simply just copy that report that we generate to a certain location on our network. So just a couple of different ways or a couple of different things that we can do. Let's go to the completed jobs and look for 10:05 and looks like it actually ran successfully. So that was great. Let's take a look at my email if I can drag that on over here. So we get to see, here's an example of the actual email getting sent to our CSO.

Here's the monthly setting security report and here's an actual, the actual builtin notification saying the job completed successfully and actually the secure message to where I would actually have to have an account, but I could go in and download that file from the secure mail portal. So that was good. No egg on the face, areal time schedule. So that was good to see.

All right, so let's get back to the report and we're going to talk about as we mentioned the PCI DSS 3.2 does have 12 requirements. We'll go through just a couple of them. We'll go through all 12 and just kind of highlight one or two within the actual report and talk about how we can either mitigate it or how we're actually being successful at the current moment. For check one, the actual regulation reads, "Install and maintain a firewall configuration to protect cardholder data."

So for us, for GoAnywhere where that is applicable is our GoAnywhere Gateway device. Now our GoAnywhere Gateway device is a software based forward and reverse proxy that is installed on any system, whether physical or VM sitting in your DMZ. Now a couple of good things to note are some things that we do like to point out about our GoAnywhere Gateway, one, no data or no sensitive information is ever going to sit out in your DMZ and, two, we are not going to increase your threat vector because we don't have to open up any additional ports from your DMZ to the internal private network. Now the way that we do this is we have a controller port all configured from your MFT on the internal network and upon startup, we're going to open a channel from inside the private network out to the DMZ, the Gateway DMZ.

It's going to give all its service mappings. Everything that you configure down here, whether it's HTTPS for the web, client, SFTP, whatever it is that you're mapping, it's going to give all that configuration so that when someone does come in, they'll come in through your external firewall, say port 22 on SFTP. The way that it's going to check is go over that preexisting controller port here. Go back, check in with MFT, make sure everything's okay. If everything is, we will open up a separate port again from internal MFT going out the firewall to the DMZ and go ahead and broker that connection. So in that case, again, it's just streaming information from outside the network to your private without anything ever being staged or housed within the DMZ and no inbound ports needing to open from the DMZ to your private network.

Another nice feature of the Gateway as far as your compliance goes, all the communication can be set up to be SSL enabled, so encrypted communication between the MFT environment and the actual gateway as well as a shared secret and then this can kind of get away from maybe some of those internal or maybe having somebody install a rogue MFT version or instance and tried to maliciously connect up to that Gateway and do some configurations, unauthorized.

All right, let's go back to number two. Number two, do not use vendor supplied default for system passwords and other security parameters. I think this one's pretty much a no brainer. Hopefully, we do this even at home on our home routers and things like that. Always change the default usernames and default passwords, at the very least. That's obviously the first thing people are going to guess upon when they're trying to hack into your system. Secondly, one, and here's one where we failed and I'm going to point out where and how the mitigation steps kind of come into play here. This one is not going, it doesn't like the default protocols that are being used for the HTTPS listener. It wants to, and according to PCI DSS 3.2 they are only allowing TLS version 1.1 and higher. Anything older is considered a failure. So that's what we're seeing here.

So it's going to tell us, and I'll just read verbatim and this'll be the last time I'll read anything verbatim for you, but "Within the service manager, the following HTTPS service listeners should be configured to only allow SSL protocol version TL1-1 and 1-2." So within here, we can go to our services, service manager, go to the HTTPS listener, and go ahead and edit that listener to only allow TLS1-1 and 1-2 as you currently see, we're also allowing TLS ver.1, which is a no, no. So if you take that out, restart the service, then that would go from failed to pass. And that's how we kind of leverage those mitigation or recommendations steps. Another area, if you weren't familiar, we do have a full blown key management system, one of them being SSL certificate managers. A good place to also change the default password would be on your key store password for both your trusted and private Java key stores, so you could change your passwords right here.

All right, back to here. Let's go to section three and this one we're going to look at and it says protect cardholder data and they kind of talk a little bit about retention policies and of course the ever important encryption at rest. So we've got some overall disc quotas specified for GoDrive and encrypted folders are configured for GoAnywhere. We'll kind of look in that case here, GoDrive being our collaboration type file sharing module, but here from a global level you can have a disk reten ... or a retention setting at the global level of 500 gigabytes or whatever you want it to have set, but you can also do it from the individual user level. If they had the GoDrive available to them, you can give them a disk quota of whatever size you want.

Kind of on that same note and probably more commonly when people are leveraging your system for SFTP, FTP to drop off or pickup files. You can also do disk quota straight from here, from the folders that you give them access to, which is kind of nice. On the other note, the encrypted folders part ... Don't say there ... this is GoAnywhere's way to do a software based encryption at rest of any of the target folders that you choose. Anything that GoAnywhere has access to, you can make a targeted AES 256-bit encryption at rest to satisfy those NIST standards as well as the PCI standards.

All right, let's go to number four and number four is going to be a good example of that confusing statement I may have said in the original or the first part of the presentation, but we do have a FIPS 140-2 validated module which basically takes away or only allows the strongest NIST approved cipher suites. So in our case we don't have that actually set. We have that set to know and that's why we're getting the warning. It's telling us that maybe we need to enable the FIPS 140-2 compliance mode, but as you see, everything that the FIIPs 140-2 compliance mode would enable and have passed, as far as the security control setting goes, we have those set explicitly so they're passing anyway.

So just kind of showing an example of how a warning provides or really needs you to do a little bit more investigation on what exactly is going on. Just to show you in the product that FIPS 140-2 module. That's right here and again if you click on yes, what it's basically going to do, if I go to some of my service listeners, it will basically take a lot of these certain algorithms and key exchange algorithms and not make them available for me to even select. It's only going to select the NIST approved algorithms to be within the product.

All right, we'll go on to number five and that one says protect all systems against malware and regularly updated antivirus software and programs. Now within GoAnywhere, we don't have anything native as far as that is concerned. What we do have and I would like to point out as a resource, we can add ICAP servers, so if you do have the availability of an ICAP server, we can take files before loading up to your system or before going out and do some AV scanning or maybe some DLP scanning, leveraging an ICAP resource within a project.

All right, having said that, let's move on to section six. This one says develop and maintain secure systems and applications. Here we talk about the product update has been in the last six months and the appropriate Java runtime edition. From here we can always go to our check for updates and it'll let us know what installed version we're on and if we are on the latest version as well as going to help about system info. We can always see the level of Java, but like I mentioned, the latest versions are going to make it a requirement to be on those latest JRE versions, anyway for you.

Let's get back over here. One of the other ones on section six is going to talk about some brute force denial of service and IP filtering. We did pass on this one here and that is going to be located within our automatic IP blacklists feature. Within here you can configure as far as very low to very high depending on the settings that you want and whether the band that you want on that being permanent or on a temporary basis. You can definitely put in this certain usernames. Choose what you want in here. If you ever have questions, as you guys have probably heard me say it before or someone may be in support have heard before, if you do have questions on what some of those very high end settings mean, you can always hit the question mark to get a little bit more in depth on exactly what those mean.

All right, let's keep going here. Let's go to number seven. Restrict access to cardholder data by business need to know. On this one, we failed. We have more than two sec offer roles, but here what I would like to point out is within the GoAnywhere, what's more important I think from a auditor standpoint is having that job separation of duties and you can provide lease privilege with your administrative users, with our 16 different, very detailed role based access control, administrative user types. So depending upon what your administrators need to do, you can give them their certain roles and also certain things within the product. Say, people need to have access to certain databases. You can always on an individual basis give certain permissions to a lot of the resources within the product as well.

All right, let's move on to number eight, eight mentions identify and authenticate access to system components and here we've got the inactivity. We should be making these users inactive or deleting. We'll kind of look at a couple of here and then go into the product here in just a second. Some of the service listeners are not set to or set too high of a timeout session and then some password policies that we're passing. Here, let's look at the one that we failed the HTTP admin server, what I'm actually on right now, needs to be 900 seconds or lower, so if we actually went to and go to our admin security settings, this is where we would change that down to 900 seconds or lower.

Some of the more, I think important settings. Looking at the web user side, the folks that are logging into your system to leverage those services are going to be the settings on disabled web user accounts after how many involved login attempts as well as the password policies. If you're an active directory user, these will look very similar to your windows directory services, ADM or group policy type password policy settings.

All right, number nine, restrict physical access to cardholder data. Again, another one that GoAnywhere is not explicitly really responsible for, but I do like to point out that you can provide, although we can't provide that physical security, we are flexible enough to install in virtually any platform so you could choose where actually physically reside, I guess is my one answer to that one.

And then 10, will say track and monitor all access to network resources and cardholder data. This one we definitely do within the system we have a lot of different options through our log settings. Depending on which log you can definitely set the retention period within the database that it has access to as well as when you purge it, where those actual files are going. Not to mention if you already have a centralized SIS log server that you like to use and would like to push these to, you can definitely do that as well. From a individual log standpoint, it's also nice to know and auditors are definitely going to want to know what your admin users are doing to your system, at what time, who's making those changes and what those changes actually are. So we do have an administrative log to do that exact requirement, as well as any of the service logs when people are logging in, if they're submitting packages, downloading files of what they're actually doing. We separate that out by those service logs.

The last two regulations, again, going where it doesn't have a lot of explicit applicability to, 11, regularly test security systems and processes and, 12, is maintaining a policy that addresses information security for all personnel. So again, this is kind of a quick overview of some of the settings that we have, what the report will give you from a GoAnywhere perspective. And again, I think the most important part is those mitigation steps and although this is mapped and geared toward PCI DSS, most of these controls if maintained in a past status will definitely ensure protection and prove due diligence on your part to hopefully pass that audit. With that, I'm going to go ahead and pass the mic back to Andrew. Andrew.

Q&A

Andrew: Great. Thanks, Dan. That was a great overview. It looks like. We did have a couple of questions come in while you were speaking, so I'll throw those your way. The first one's around FIPS, “how does FIPS come into this encryption and cipher suites?”

Dan: Well, the Federal Information Processing Standards, those are going to be determined by the NIST standards and those algorithms that we have. So basically that FIPS module is going to take away anything that is not NIST approved as far as like for the example of the SSL and TLS protocols, if you had that FIPS processing or 140-2 module selected, nothing SSL 3.0 or TLS version one would even be available for you to choose in the application. So it literally just takes it away from you to even, I guess it's kind of like an option to protect yourself from yourself, I guess.

Andrew: Okay, and then it looks like “is there a way to link up the security check setting with the location of where you make the corrections?”

Dan: That is a good question. I might have to get back on that one. Actually, mentioned that one again real quick. I'm just trying to think of that one.

Andrew: Yep, “a way to link up the security check settings with the location of where you make the corrections.”

Dan: Well, yeah, those are going to be if they failed, you're definitely going to know where it is just by the recommendations settings or instructions, but as far as if they've passed. Yeah, that's, that's a good question but definitely if they fail, that's the whole point of the recommendation. It's going to tell you exactly where in the product you can go to fix that. Yeah, I'd have to get back on the other part though if we actually have a mapping.

Andrew: Sure, and we have someone to follow up on that one. Last one. I can see at least, “what is the relationship, if any, between open PGP key manager, and encrypted folders?”

Dan: Oh, within the product. Yeah, those are definitely completely separate. The open PGP key manager is going to be that full fledged PGP key manager for your file level encryption. This is where we can add things or add those PGP keys with your trading partners to leverage as a resource. And then do automatic encryption decryption as well as digital signatures and verifications from your trading partners back and forth. Encrypted folders are going to be AES 256-bit encrypted target locations and those keys are actually built into the product. So the only way that you're going to do any encryption and decryption on the fly is through an authorized GoAnywhere user or GoAnywhere process like a project, so they're separate.

Andrew: Perfect. I think that's it or at least, I can see, it looks like for the time we have. Brian has answered a few of these as well, so if you have additional questions, again, there's a survey at the end you can fill out, put them in there. The ones that we asked here that weren't addressed, we can have someone follow up too. In addition here, I do show this PCI DSS and GoAnywhere MFT data sheet. We'll send that as a followup in the followup email and it gives you a lot more detail based on what Dan has covered today.

Also for the rest of the year here. We do have two more in our series, so I believe this is our third of five we're doing this year and it seems they've been going over pretty well, so we'll continue to do this. We will cover secure forms on November 1st and then we'll do a web services piece on December 6th and that will round out our year and then we will look into 2018 for some other opportunities.

These are posted on our website. We will continue to send out communication and there's a link here at the top that you can go to if you have yet to register for the upcoming events. With that, I think that's all we have today.

So Dan, thanks again for taking the time to go over this report with everyone and thank you to everyone else for attending.

Dan: Thank you.

Andrew: We'll catch you on the next one. Yep. Have a great day.