2023: The Year MFT Made the Headlines!

We’re still seeing headlines being written from the MOVEit file transfer exploitations, victims being announced and just generally nasty going ons. This won’t be the first blog to talk about the various CVEs and exploits to Managed File Transfer (MFT) this year and it won’t be the last, therefore the details of each aren’t described in these pages.

Instead, as an organisation who works with MFT applications and understands file transfer, what’s likely to be more helpful is to provide readers with some general guidance on how MFT can be secured for the better.

1. Compare MFT to Email

Email is old. Old technology has the benefit of getting its CVEs over and done with in its infancy. Consider how much scrutiny is placed on your company email systems, then consider how MFT moves files in and out of your business in a similar manner, the number of controls in place will be far fewer I am certain.

2. Patch your software

This really does go without saying, all vendors and products are susceptible to zero days being discovered. How quickly they deliver fixes to their customers for them is the real measure of quality. Interesting fact: 30% of all vulnerabilities reported each week are a vendors first registered CVE.

It’s much easier to patch up to date software if you’re still in the dark ages imagine the horror if you’ve got to migrate operating systems or something to apply a fix. Keep ‘em patched!

3. Disable unused ports/services

If you’re not using something, turn it off. Like your old man did when you left the big light on. Minimise your attack surface by not letting services run and open ports exists that do not need to be enabled. These are just potential ways in for any weaknesses which may exist.

4. RBAC: use it

So much exists around the principle of least privilege. Use that same principle within your software and the accounts within it. Role Based Access Control exists in most MFT platforms to use it to minimise how much disruption a compromised account might cause in the event of the worst happening.

5. Account and Password Hygiene

Opening a known port to the internet is unavoidable for most MFT customers. Everyone knows that port 22 is for SFTP. Everyone including the crims. Once they’ve found that open door, they’ll start knocking. Root, admin, Administrator, backup, support, guest, temp…

Use decent password hygiene; all tools have it. Use an IDP if possible: LDAP sources, SAML SSO. Most MFT tools provide these. Don’t share accounts, disable the root users, and use MFA.

Just because MFT isn’t the sexiest tool you’ve got doesn’t mean it shouldn’t be subject to standard security best practices!

6. Access

In a world of cloud first always on accessible from everywhere it’s much more convenient to allow connectivity from all locations. Convenience and security don’t tend to play nicely together in any facet of life though in my experience.

Thinking back to email, you’re probably not allowing all and sundry admin access to your mail servers? MFT should be no different, the door must be open but lets limit who can knock, use auto blacklisting, make ACLs great again and think about stuff including time based controls to prevent the world trying to come in.

If you’re bothered, and you’re not doing at least some of the above, one of our engineers can reassure you by providing consultancy or health checks for your MFT.

HANDD has a team of MFT specialists who can advise on the best way to unleash the full potential of a MFT solution and deliver more for your business. If you’d like to discuss how you can use MFT to save money, reduce complexity and minimise labour hours, or if you need support finding the right MFT solution for you, call us on +44 (0) 845 643 4063 or request a call back.

Contact Us

MFT Blog

Related Posts

APIs – Give it a REST

Privacy Shield and Managed File Transfer

ABOUT US

CONTACT US

Contact Us

MFT Blog