Don’t Overlook Lifecycle and Data Management Details
By Gregory Hoffer, CEO, Coviant Software
Threat actors are a relentless bunch. They continue to evolve their tools and practices to try and stay one step ahead of the influx of sophisticated countermeasures designed to detect and fend off their attacks; and they have a great incentive to be good at what they do. By some estimates, cybercrime as an industry grosses more than $600 billion annually. That’s a lot of money, and a lot of motivation.
But for all the attention paid to high-skill threat actors and the technologies built to thwart them, there are a lot of hackers that are content with looking for targets of opportunity and who would prefer taking advantage of more common weaknesses in plying their trade. They know that, even the largest organizations with the biggest cybersecurity budgets can overlook simple things that make it possible for them to breach the wall, get inside, and do their thing.
A Common Weakness
One area that is a common weakness in enterprise security is lack of attention to technology lifecycle management. The practice of keeping a meticulous inventory of what hardware, software, and applications an organization is running, and then making sure everything is up-to-date, patched, and then properly retired when obsolete or no longer needed is not one of the more glamorous aspects of cybersecurity, but it is a vital component to a successful security strategy.
The results of poor tech lifecycle management were illustrated when the financial services firm Morgan Stanley was hit with a $60 million fine by the U.S. Comptroller of the Currency in October of 2020 for improper disposal of servers from a data center the company had decommissioned. Some of the equipment was sold to a third-party and found to still contain unsecured customer data for as many as 15 million customers. That led to a class action lawsuit in which the courts found in favor of the plaintiffs for an additional $60 million announced on January 3, 2022.
While it is unclear whether the personally identifiable information (PII) of those customers was unsecured, or if the security status of the data was simply unverifiable, authorities require evidence of encryption, and so the assumption is that the data was compromised. A thorough lifecycle management process would have prompted the data on those systems to be rendered unrecoverable, and with proper data management processes in place, actions like encryption and documentation would have provided an auditable record to satisfy regulators that security and privacy laws were followed.
That is why it’s important to meticulously manage data—and the systems that store and move it—in order to avoid these kinds of incidents. When older technologies become obsolete, and their makers decide to end support, those systems become vulnerable to cybercriminals who target organizations known to use them. The dangers of using old, unsupported tech were illustrated when, in early 2020, an unsupported version of a file transfer appliance sold by Accellion was the focus of attacks by ransomware gangs. Organizations around the world were affected, including retail, industrial, healthcare, academic, government, and financial services. (Coincidentally, Morgan Stanley was one of the organizations breached by attacks on the vulnerable appliance.)
Of course, technology lifecycle management is the responsibility of both the vendor and the user and information from a vendor is critical to preparing for and responding to issues like patching, end of support, and upgrades. While reports suggest that Accellion may have been less than forthcoming with the status of their technology, another vendor in the data management space demonstrated a more responsible posture when it decided to discontinue one of its products.
Plan for End-of-Life
In August of 2020, Qlik announced that its RepliWeb file transfer software product would reach its end-of-life on January 31, 2021, and support for the product would cease at that time. Qlik was open with its customers about the implications of the decision, giving them ample time to prepare for that date and find a replacement for the file transfer function many organizations rely on.
Mozilla is another example of a company that discontinued support for a popular technology when it announced last year that it would no longer support file transfer protocol (FTP) in version 90 of the popular Firefox browser. That move followed the same decision by Google in December 2020 when it ended FTP support for Chrome version 88. For organizations not paying attention, the lack of support for FTP in those browsers could have serious security consequences. According to a ZDNet article, while FTP remains a popular option for moving files between computers, the protocol is “burdened by enough security issues that browser makers are dropping support for the protocol.”
Among the issues, files transferred via FTP are sent unencrypted, and FTP has also been used as an attack vector in malware campaigns according to a statement by Mozilla’s security team, which read, “The biggest security risk is that FTP transfers data in cleartext, allowing attackers to steal, spoof and even modify the data transmitted. To date, many malware distribution campaigns launch their attacks by compromising FTP servers and downloading malware on an end user’s device using the FTP protocol.”
Don’t Risk DIY
These issues highlight the importance of managing technology’s use and lifecycle. It also means making sure the right tool is being used for important business processes, rather than trying to make do with “close enough” products, or engineering do-it-yourself solutions. After all, FTP is still used for many legitimate business transactions, and for someone with the right skills FTP can be secured and automated. But even if can write the scripts necessary to tackle those functions, knowledge of the nuances that need to be addressed for compliance is vital.
The shortcomings of the DIY approach may not be evident until there’s a breakdown in the process, such as a transfer that fails, an alert that is missed, a security issue occurs, or there is call for a feature that wasn’t considered when the custom scripts were written. That’s when risks increase—along with costs.
When it comes to file transfers, the approach an organization chooses can have implications on data lifecycle management. Through process automation, a secure, managed file transfer (MFT) platform can be used to ensure files are encrypted before being moved, and also upon receipt. And the ability to automatically document all the steps in the send, receive, store, and retrieve process goes a long way toward affirming compliance with regulations like Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Europe’s General Data Privacy Regulation (GDPR), and other state, federal, and international laws.
Secure MFT is not a remedy to all of an organization’s security and data management issues, but it can play an important role in maintaining a strong data security and data management program. It can also help mitigate the risks of relying on human intervention, which often leads to mistakes and oversights that can result in a costly data breach or a finding of non-compliance.
The good news is, these are not tools or processes that are beyond the reach of organizations operating on smaller or constrained budgets, or that are understaffed. Nor do they require a “forklift upgrade” technology refresh to achieve. In fact, a simple tech refresh may be all that is needed to address a specific need and achieve gains in productivity and security. A recent column in the tech trade journal Computerworld identified five reasons for a simple tech refresh, including:
- Lack of Vendor Support for Older Systems;
- Support Employee Remote Access;
- Security Vulnerability Mitigation;
- Enable Regulatory Compliance; and,
- Improve Ease-of-Use.
Making changes necessary to address common-sense issues, like fixing or updating hardware, software, or applications to keep pace with change is a necessary aspect of managing any organization’s IT estate and to keeping data and systems secure. In fact, those changes are to be expected, and may only be a minor nuisance. If you are responsible for managing your organization’s IT, it is not a good idea to put off updates, additions, or replacements of technologies.
For Want of a Nail
There’s an old poem called For Want of a Nail that describes the catastrophic potential when a seemingly simple detail is overlooked.
For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.
Don’t let a seemingly minor detail in your technology lifecycle management or data management program be the missing nail that cascades into a major event like a data breach. Pay attention to the small things and your organization’s security posture will improve.
About the Author
Gregory Hoffer is CEO of Coviant Software, maker of the secure, managed file transfer platform Diplomat MFT. Greg’s career spans two decades of successful organizational leadership and award-winning product development. He was instrumental in establishing ground-breaking technology partnerships that helped accomplish Federal Information Processing Standards (FIPS), the DMZ Gateway, OpenPGP, and other features essential for protecting large files and data in transit.