FBI Alerts Medical and Dental Facilities on the Anonymous FTP Security Vulnerability
The FBI recently alerted medical and dental facilities about a new cybercrime threat that involves the active targeting of anonymous FTP servers in order to gain access to protected health information (PHI) and personally identifiable information (PII).
The anonymous extension of FTP “allows a user to authenticate to the FTP server with a common username such as ‘anonymous’ or ‘ftp’ without submitting a password or by submitting a generic password or e-mail address.”
As a result, hackers are launching cyberattacks on businesses that use anonymous FTP within the medical and dental industries and attempting to compromise sensitive PHI and PII data with the “purposes of intimidating, harassing, and blackmailing” business owners.
Hackers Love Healthcare Data
More than 3.5 million medical records have been compromised in March 2017, according to a list published by the U.S. Department of Health and Human Services. That’s only for the first three months of the year – we’ve still got 9 more months to go.
Healthcare data is the most coveted data type for hackers and cyber criminals, far more than credit card data. Consider all of the information you share with your healthcare provider. With just one medical record, a hacker would know your name, date of birth, address, and social security number. There’s only so much a hacker can do with stolen credit card data. Healthcare data is money, and for a hacker, this money goes a lot further than credit card data.
Are you comfortable enough with the security of your IT infrastructure and data to ignore the recent warning from the FBI?
Three Steps to Eliminate Your Risk
First and foremost, it’s crucial that you determine whether your networks are running FTP servers that accept anonymous logins. In a recent NetworkWorld article, “FBI Warns of Attacks on Anonymous Servers,” Globalscape Vice President of Product Strategy and Technology Alliances Peter Merkulov explained that replacing anonymous FTP with a more secure alternative, such as SSH File Transfer Protocol (SFTP, also called Secure File Transfer Protocol) or FTP over SSL/TLS (FTPS), would be far more cost efficient than the costs that follow a data breach involving PHI and PII. According to Merkulov, “it’s a really old protocol. Even using it in not-anonymous mode is dangerous.”
So what do you do? Here are three steps to help eliminate your risk:
1. Do a Systems Audit
Performing a systems audit will help you identify any systems that are accepting anonymous FTP logins. When anonymous FTP is enabled, anyone and everyone can log in to your server with a generic username such as "anonymous" and either no password at all or a token value such as their email address or "guest." Even if you aren't allowing anonymous logins, plain FTP sends credentials and file data across the network unencrypted. Therefore, as Merkulov says above, it's dangerous: you're putting at risk not only the server on which you allow FTP but your entire network, including data you thought was safe because it sits inside your firewall. Once an intruder controls that server, they are inside your firewall too.
2. Stop Using Anonymous FTP
It’s an outdated protocol that carries more risks than rewards. The current security landscape requires a proactive and preventative approach to securing your data and IT infrastructure. If you feel that anonymous FTP is worth keeping because passwords are inconvenient, that’s not a good enough reason. Passwords have become routine, and removing one more layer of security isn’t going to do you or your organization any favors.
3. Start Using a Secure Managed File Transfer (MFT) Solution
A quality Managed File Transfer (MFT) solution not only offers a variety of secure protocols, such as FTPS, HTTPS, and SFTP, but also provides other security features, such as multi-factor authentication, resource controls with permission groups, password complexity, expiring inactive accounts, and of course, encryption. Another valuable feature provided by MFT is Denial of Service (DoS) protections, such as disconnecting and banning user accounts and IP addresses that issue an excessive number of invalid commands.
At the same time, you can consolidate disparate FTP clients with MFT and save yourself a great deal of time and energy because data transfer management will be consolidated to one platform instead of many.
Best Practices for Safe File Transfers
If you're using an FTP server with anonymous logins, odds are you are serving customers (external or internal) who simply need to download files from you, such as applications or forms. If you are also allowing these customers to upload files to you, you are opening up your server to malware. Even for what seem like very basic, safe file transfers, it is considered best practice to:
- Disable any services or features that can adversely affect security, such as web services or unused protocols that bad actors could enable and use
- Allow only TLS 1.2, if possible
- Disable Clear Command Channel and unprotected data channel
- Disable site-to-site (FXP) support for FTP and FTPS transfers
- Block client anti-timeout attempts
- Have your SSL certificates signed by a Certificate Authority and keep them up to date
- Use generic banner messages to avoid identifying server details
- Specify a maximum limit for connections and transfers for each user
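A small audit helper for step 1 and for the banner item in the list above, added here as an example and not part of Globalscape's EFT or the original post: it connects to FTP hosts you administer, attempts the "anonymous" and "ftp" usernames the FBI alert describes, and flags 220 greetings that disclose a version number. The host list, the script name and the generic password "guest@example.com" are assumptions.

```python
# Added audit helper (not Globalscape code): probe FTP servers you administer for
# anonymous logins and for 220 greetings that disclose product/version details.
import re
import sys
from ftplib import FTP, Error, error_perm

ANON_USERS = ("anonymous", "ftp")    # usernames the FBI alert describes
ANON_PASSWORD = "guest@example.com"  # constructed generic e-mail style password
# A generic banner should not carry a dotted version number such as "220 (vsFTPd 3.0.3)".
_VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")

def classify_reply(reply: str) -> str:
    """Map an FTP reply line to an audit verdict: any 2xx means the login was accepted."""
    if reply.startswith("2"):
        return "OPEN"
    return "REFUSED" if reply.startswith("530") else "UNKNOWN"

def banner_discloses_details(banner: str) -> bool:
    """True when the greeting leaks a version number instead of a generic message."""
    return _VERSION_RE.search(banner) is not None

def audit_host(host: str, port: int = 21, timeout: float = 5.0) -> dict:
    """Connect once, try each anonymous username, and record what the server did."""
    result = {"host": host, "anonymous": "NO_SERVICE", "banner_leak": False, "detail": ""}
    ftp = FTP()
    try:
        banner = ftp.connect(host, port, timeout=timeout)
    except OSError as exc:  # refused, unreachable or timed out: nothing to audit here
        result["detail"] = f"connect failed: {exc}"
        return result
    result.update(anonymous="REFUSED", banner_leak=banner_discloses_details(banner))
    for user in ANON_USERS:
        try:
            reply = ftp.login(user, ANON_PASSWORD)
        except error_perm as exc:  # 5xx: this username was rejected, try the next one
            result["detail"] = f"{user}: {exc}"
            continue
        except (Error, OSError) as exc:  # protocol or socket failure: stop probing
            result["detail"] = f"{user}: {exc}"
            break
        result["anonymous"], result["detail"] = classify_reply(reply), f"{user}: {reply}"
        break
    try:
        ftp.quit()
    except (Error, OSError):
        ftp.close()
    return result

if __name__ == "__main__":  # usage: python ftp_anon_audit.py host1 host2 ...
    print(*[audit_host(h) for h in sys.argv[1:]], sep="\n")
```

Any host reported as anonymous=OPEN is one the FBI alert applies to directly; banner_leak=True means the greeting should be replaced with a generic message.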
Globalscape’s advanced managed file transfer (MFT) solution Enhanced File Transfer™ (EFT™) secures, manages, and tracks data transferred between people and applications both inside and outside your organization. The EFT platform is a best-in-class solution for organizations with complex and mission-critical file transfer requirements. EFT can reduce the complexity of your file transfer infrastructure, increase operational efficiency, and protect your most important data.
Don’t get left in the dark with anonymous FTP. Call today and ask us how we can help you protect your medical records from hackers.