Q&A


How does FTP expose my company?

FTP is a convenient way to transmit data from one system to another and is an integral aspect of business operations in many organizations. It is not uncommon for large organizations to have thousands, and in some cases, millions of FTP transmissions daily. Furthermore, FTP use eases the way data is sent and received from one system to another. Virtually every operating system has a built-in FTP client that enables FTP server connections. All of the popular Internet browsers also have been supporting FTP connections for some time.

Despite these advantages, the problem with FTP is that the overwhelming majority of file transmission activities are unsecured, which may result in the exposure of login information and unencrypted data traveling in plain text format. This unencrypted data can be captured and viewed by a network or packet sniffer running on any computer on the network between the FTP client and FTP server. It was revealed recently that hackers stole millions of credit card numbers from discount retailer TJX Cos. by intercepting wireless transfers of customer information from two Miami-area Marshalls stores. The data was unsecured (traveling in clear text) so the hacker's job was made much easier.

In addition, FTP use makes it easy to send files to locations outside the company's network. All that is required is read-level access to data and an Internet connection for someone to be able to send the data to an FTP server virtually anywhere in the world, leaving data exposed to a much wider distribution than intended. Once data has been distributed outside the company, all control over the data is lost forever. As a result, new compliance rules are directing IT professionals and internal auditors to take a closer look at their organization's use and management of FTP activities and the controls used to protect individuals from the disclosure of sensitive information. This tougher compliance landscape, combined with the alarming number of recent data breaches, has created a pressing need to take a closer look at data security procedures and identify and address the exposure that FTP use creates.


How can I tell if we are exposed?

There are a few things you can do to assess your company's exposure to an FTP breach. It doesn't take much time and doesn't cost a thing, but you will come away with a better understanding of FTP usage at your company.

  • Download and run the FTP Auditor tool to find out what FTP servers are running
    It will scan your network, looking for active FTP servers. Most people who run it are surprised to find out how many FTP servers are out there, most of which are completely unsecured.
  • Download and read our document telling how to ensure that z/OS FTP activity is being logged
    The document explains how to tell whether you are logging and how to start logging if you aren't already. If you aren't logging (more common than you might expect), you have no audit trail.
  • Participate in DINO's Free FTP Analysis program
    Find out who's using FTP, what they are using it for, what data is traveling in and out of the Enterprise, whether sensitive data is transmitting unsecured and what FTP usage needs to be stopped.

After completing these items, you will be prepared to start making decisions and recommendations about what, if any, steps should be taken to address your company's FTP exposure.


How are logon information and data exposed through FTP?

The overwhelming majority of FTP activity takes place unsecured. That means that the communication stream between the FTP client and the FTP server is unencrypted and, if viewed, would be eye-readable. A typical logon sequence looks like this:

Client: ftp hostname
Server: 220-FTPD1 IBM FTP CS V1R8 at MVSA, 17:25:43 on 2007-09-26.
Server: 220 Connection will close if idle for more than 5 minutes.
Server: User (10.288.148.54:(none)):
Client: sysprog (clear text user ID)
Server: 331 Send password please.
Client: abcdefg (clear text password)
Server: 230 SYSPROG is logged on. Working directory is “SYSPROG.”

If this were a logon to a z/OS server, the user ID and password exposed in clear text would most likely be the same credentials needed to log on to TSO. This is an even larger exposure than simply disclosing a user ID that has access only to an FTP server.

Data is exposed in much the same way. The data travels across the network between the client and the server in eye-readable clear text, just as the logon sequence does. A packet sniffer sitting between the client and the server could easily intercept this information. As noted above, hackers stole millions of credit card numbers from discount retailer TJX Cos. by intercepting wireless transfers of unencrypted customer information from two Miami-area Marshalls stores. If the unsecured data is traveling across the Internet, the exposure is orders of magnitude larger.
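A way to audit a captured logon exchange like the one above for the exposure described here, as an added example that is not part of the original Q&A or of SENTINEL. It assumes a Client:/Server: transcript with the protocol verbs (USER, PASS, AUTH TLS) written out; the sample transcripts and the 234 reply text are constructed.

```python
# Classify an FTP control-channel logon exchange as secured or cleartext. The check keeps
# only whether the password crossed the wire unprotected, never the password itself.

# Constructed sample transcripts in the Client:/Server: form used above, with the protocol
# verbs (USER, PASS, AUTH TLS) written out as the client actually sends them.
CLEARTEXT_LOGON = """\
Server: 220-FTPD1 IBM FTP CS V1R8 at MVSA, 17:25:43 on 2007-09-26.
Client: USER sysprog
Server: 331 Send password please.
Client: PASS abcdefg
Server: 230 SYSPROG is logged on. Working directory is "SYSPROG."
"""

TLS_LOGON = """\
Server: 220-FTPD1 IBM FTP CS V1R8 at MVSA, 17:25:43 on 2007-09-26.
Client: AUTH TLS
Server: 234 Security environment established, ready for TLS negotiation
Client: USER sysprog
Server: 331 Send password please.
Client: PASS abcdefg
Server: 230 SYSPROG is logged on.
"""


def assess_logon(transcript):
    """Walk the exchange and report what was sent before TLS protected the channel."""
    tls_up = False  # becomes True once the server answers AUTH TLS with reply code 234
    result = {"server_zos": False, "user": None, "user_cleartext": False, "password_cleartext": False}
    for line in transcript.splitlines():
        who, _, text = line.partition(": ")
        if who == "Server":
            code = text[:3]
            if code == "220" and "IBM FTP CS" in text:
                result["server_zos"] = True  # banner identifies the z/OS Communications Server FTP
            elif code == "234":
                tls_up = True                # every later command travels inside TLS
        elif who == "Client":
            verb, _, arg = text.partition(" ")
            if verb.upper() == "USER":
                result["user"] = arg
                result["user_cleartext"] = not tls_up
            elif verb.upper() == "PASS":
                result["password_cleartext"] = not tls_up  # record exposure, not the value
    return result


def risk_level(assessment):
    """Cleartext z/OS credentials usually double as TSO credentials, so they rank highest."""
    if not assessment["password_cleartext"]:
        return "secured"
    return "cleartext-tso-credentials" if assessment["server_zos"] else "cleartext-ftp-credentials"
```

Run against the cleartext transcript it reports both the user ID and the password as exposed on a z/OS server; against the AUTH TLS transcript it reports the session as secured.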


How does SENTINEL address the FTP exposure?

SENTINEL provides you with the tools you need to manage FTP usage more effectively and reduce your exposure. It bolsters the security of the z/OS FTP server, monitors for suspicious FTP activity and generates alerts for escalation. It also helps you reach compliance by providing long-term logging of FTP activity and facilitating end-to-end audits of FTP usage. It does all of this by:

  • Adding a security interface to the z/OS FTP server which enables you to write security rules to restrict access to data and FTP facilities in accordance with company policies and industry regulations,
  • Monitoring FTP activity in real time and issuing alerts for exceptional FTP activity,
  • Issuing alerts when suspicious or unauthorized FTP usage is detected,
  • Accumulating Enterprise-wide historical FTP usage data in VSAM for auditing purposes,
  • Providing a tool to assess your Enterprise-wide FTP exposure and enabling you to bring all FTP activity into conformance with company policy,
  • Facilitating comprehensive FTP audits with a minimum of time and effort under ISPF and Windows,
  • Identifying unauthorized FTP usage so you can put the necessary controls in place in the SENTINEL security interface to eliminate it.

With SENTINEL in place, you can start exerting control over FTP usage and eliminate unwanted FTP activity. Sensitive data can be properly protected from FTP exposure threats. Outlying FTP servers can be located.


What do we need to do to reach Compliance in the area of FTP?

Bringing FTP usage into compliance with company policy and industry regulations requires that you more effectively manage and control FTP usage.

  • Block unauthorized FTP usage
    Secure FTP server usage using whatever means the server(s) offer. Consider third-party solutions like SENTINEL to secure z/OS FTP servers, which can access your company's most critical data.
  • Protect Transmissions of Sensitive Data
    Compliance requires that sensitive data transmissions be properly protected, use a secured connection, and travel only to and from authorized locations.
  • Protect transmission of logon sequences
    Unsecured FTP connections expose logon information (transmitted as clear text). This is also a big concern, especially for z/OS FTP server usage, where the logon user ID and password are usually a TSO ID, which poses a bigger threat than just FTP server access.
  • Log FTP usage on all platforms
    Ensure that logging is enabled for all FTP servers and maintain readily-accessible, historical FTP usage logs.
  • Perform regular end-to-end audits of FTP usage
    Analyze all FTP activity and focus on the biggest exposures (sensitive data, anonymous FTP). This can be a big job if you don't have tools that enable you to manage FTP by exception. Audit your network to detect newly added FTP servers and ensure that they are properly configured.
  • Implement secured FTP wherever possible throughout the Enterprise
    Use secured connection options on FTP servers. When that is not feasible, consider using a Managed File Transfer solution for critical data.
  • Maintain the controls necessary to ensure accountability in FTP usage
    Eliminate shared user IDs when possible, track changes to the FTP environment, secure FTP settings and options, and regularly review what data is accessible via FTP (especially on servers that allow anonymous access).

How does SENTINEL fit in with our automation efforts?

SENTINEL monitors FTP activity in real time, both on z/OS and on any distributed system platforms where you've installed the Remote Agent. It can generate alerts when activity of interest takes place. These alerts take the form of WTOs that carry the information about the event that automation tools need to make informed decisions about what, if any, escalation response to take. A few examples of automation opportunities presented by SENTINEL are shown below:

  • Successful completion of an FTP transmission could trigger a job or notification email. File watching techniques currently in use to accomplish this cannot differentiate between an FTP that failed and one that succeeded, resulting in automation steps taking place with partial data. SENTINEL knows when an FTP transaction completes whether it was successful or not and would only trigger follow-on activity for successful transmissions.
  • A failed FTP transmission could trigger a restart or escalation to the responsible person for human intervention.
  • Transmission of sensitive data over an unsecured connection could trigger a security alert.
  • Repeated failed logon attempts might trigger a security alert.
  • Exceptional FTPs can trigger an alert to be escalated to the responsible person.
  • File transmissions of sensitive data to unauthorized locations and/or by unauthorized users could trigger a security alert.
  • Transmission of large files to the z/OS host could trigger a DASD space usage alert.

What does the Free FTP Analysis entail?

DINO's Free FTP Analysis is intended to help companies assess the size and scope of their FTP exposure, while simultaneously demonstrating the benefits that accrue from using SENTINEL to audit FTP usage. The Free Analysis involves a few simple steps:

  • Download and run the FTP Sampler Installer
    1. This will install the FTP Sampler Wizard on your PC. This Wizard is used to create an SMF sample on your host system and email it to DINO Software for analysis.
    2. You will be prompted for job cards, host logon information, dataset allocation specifications and the dataset name of an SMF dataset to use to extract the SMF sample. Once you have provided all of the necessary information, the FTP Sampler Wizard will tailor and submit a batch job to create the SMF extract and convert it to XMIT file format. It will wait for the job to complete, download the job output to verify that the job ran correctly and then download the XMIT file to your PC.
  • Email the sample to DINO Software
    1. Once the FTP Sampler has successfully created the SMF sample, an email to DINO Software should appear with instructions for attaching the zip file containing the SMF sample. Attach the zip file indicated in the email and send it to DINO Software.
    2. Additionally, you can gather one or more distributed system log files and have them included in the analysis. This is a great way to see what kind of FTP activity is taking place on the systems as well as to see how SENTINEL consolidates FTP usage data from disparate platforms into a unified view.
  • Review the FTP activity on-line
    1. Once we have received your sample data, we will load it up into SENTINEL and prepare it for an online review. You will be contacted to schedule a time that is convenient to review the FTP activity reflected in the sample.
    2. The review takes between 30 and 60 minutes, depending on the number and type of questions that come up during the process.

What distributed system platforms does SENTINEL support?

Monitoring of FTP usage on distributed system platforms is performed by SENTINEL's Remote Agent, in conjunction with the Real-Time Monitor running on z/OS. The Remote Agent is a Java program that runs on the distributed system platform (Windows, UNIX, Linux, etc.), monitors FTP usage and feeds it back to the SENTINEL Real-Time Monitor. The Remote Agent currently supports FTP servers that log in IIS, W3C, SFTP and XFERLOG formats. Most third-party FTP servers support one of these log formats.
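The alert ideas from the automation section above, applied to the XFERLOG format named here, as an added example that is not DINO Software's code and not how SENTINEL's Remote Agent is implemented. The sample records, the sensitive-path prefix, the authorized network and the size threshold are all constructed values.

```python
# Alert rules over xferlog transfer records. xferlog is the transfer log format of wu-ftpd,
# vsftpd and ProFTPD; fields are space-separated and spaces in filenames are logged as '_'.
from collections import namedtuple

Xfer = namedtuple("Xfer", "when secs host size path direction mode user status")

# Constructed sample records, not taken from any real server.
SAMPLE_LOG = """\
Wed Sep 26 17:25:43 2007 12 10.0.5.17 52428800 /data/payroll_q3.csv b _ o r sysprog ftp 0 * c
Wed Sep 26 17:26:01 2007 1 198.51.100.23 2048 /pub/readme.txt a _ o a anonymous ftp 0 * c
Wed Sep 26 17:27:12 2007 44 10.0.5.17 734003200 /incoming/backup.dmp b _ i r sysprog ftp 0 * i
Wed Sep 26 17:28:30 2007 3 203.0.113.9 4096 /data/customers.txt a _ o r jdoe ftp 0 * c
"""

# Policy values assumed for the example; a real deployment would load these from configuration.
SENSITIVE_PREFIXES = ("/data/",)         # directories that hold sensitive data
AUTHORIZED_NETS = ("10.0.",)             # hosts allowed to receive sensitive data
LARGE_UPLOAD_BYTES = 500 * 1024 * 1024   # inbound size that warrants a DASD space alert


def parse_xferlog(line):
    """Split one xferlog record into the fields the alert rules need."""
    f = line.split()
    if len(f) != 18:
        raise ValueError("not an xferlog record: %r" % line)
    # f[0:5] timestamp, f[5] seconds, f[6] remote host, f[7] bytes, f[8] path, f[9] a/b type,
    # f[10] special flag, f[11] direction (o=download, i=upload), f[12] access mode (a/g/r),
    # f[13] user, f[14] service, f[15] auth method, f[16] auth id, f[17] c=complete, i=incomplete
    return Xfer(" ".join(f[0:5]), int(f[5]), f[6], int(f[7]), f[8], f[11], f[12], f[13], f[17])


def alerts_for(x):
    """Return the alert names one transfer raises (empty list when it is within policy)."""
    out = []
    if x.status == "i":
        out.append("FAILED_TRANSFER")  # only complete ('c') transfers should trigger follow-on jobs
    sensitive = x.path.startswith(SENSITIVE_PREFIXES)
    if sensitive and x.direction == "o" and not x.host.startswith(AUTHORIZED_NETS):
        out.append("SENSITIVE_TO_UNAUTHORIZED_HOST")
    if sensitive and x.mode == "a":
        out.append("SENSITIVE_VIA_ANONYMOUS")
    if x.direction == "i" and x.size >= LARGE_UPLOAD_BYTES:
        out.append("LARGE_UPLOAD")
    return out


def scan(log_text):
    """Return (user, host, path, alerts) for each record that raised at least one alert."""
    hits = []
    for x in map(parse_xferlog, log_text.splitlines()):
        alerts = alerts_for(x)
        if alerts:
            hits.append((x.user, x.host, x.path, tuple(alerts)))
    return hits
```

On the sample log, the incomplete 700 MB upload raises FAILED_TRANSFER and LARGE_UPLOAD, the download of /data/customers.txt to a host outside the authorized network raises SENSITIVE_TO_UNAUTHORIZED_HOST, and the two in-policy transfers raise nothing.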