Author Archive

OpenPGP, PGP and GPG: What is the difference?

Posted by on Thursday, 18 July, 2013

With privacy capabilities of encryption methods such as PGP (Pretty Good Privacy), data security can be heightened and privacy can be achieved.  There are various approaches, however, and various elements of comparison for each of these acronyms.  This article will explore the differences between PGP, OpenPGP, and GPG (GNU Privacy Guard), offering brief histories of their creations and summaries of their capabilities.

PGP (Pretty Good Privacy)

The company, PGP Inc., owned the rights to the original PGP encryption software.  This software was developed by Phil Zimmermann & Associates, LLC and released in 1991 to ensure the security of files that were posted on pre-internet bulletin boards.  From 1997 until 2010, the software changed hands several times until it was acquired by Symantec Corp., who continues to develop the PGP brand.

PGP encryption uses a combination of encryption methodologies such as hashing, data compression, symmetric-key cryptography and public key cryptography to keep data secure.  This process can be used to encrypt text files, emails, data files, directories and disk partitions.

OpenPGP

Automate OpenPGP EncryptionZimmerman, one of the original PGP developers, soon began work on an open-source version of PGP encryption that employed encryption algorithms that had no licensing issues.

In 1997 he submitted an open-source PGP (OpenPGP) standards proposal to the IETF (Internet Engineering Task Force), to allow PGP standards-compliant encryption vendors to provide solutions that were compatible with other OpenPGP-compliant software vendors.   This strategy created an open and competitive environment for PGP encryption tools to thrive.

Today,  OpenPGP is a standard of PGP that is open-source for public use, and the term can be used to describe any program that supports the OpenPGP system.

GPG (GNU Privacy Guard)

GnuPGP was developed by Werner Koch and released in 1999 as an alternative to what is now Symantec’s software suite of encryption tools.  It is available as a free software download, and is based on the OpenPGP standards established by the IETF so that it would be interoperable with Symantec’s PGP tools as well as OpenPGP standards. Therefore, GPG can open and unencrypt any PGP and OpenPGP standards file.

GPG provides a graphic user interface when integrating into email and program systems such as Linux.  Some software solutions for encryption utilize GPG coding, while others encrypt using command line functions in a menu-based Perl script.

A variety of popular solutions have developed their PGP encryption products following the OpenPGP standards.  Some of these products include GoAnywhere OpenPGP Studio and GoAnywhere Director.

Summary

OpenPGP is the IETF-approved standard that describes encryption technologies that use processes that are interoperable with PGP.  PGP is a proprietary encryption solution, and the rights to its software are owned by Symantec.  GPG is another popular solution that follows the OpenPGP standards to provide an interface for end users to easily encrypt their files.

As the need to encrypt and protect data becomes ever more critical, organizations will continue to develop software based on these three systems.

 

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

Healthcare Data Breaches on the Rise

Posted by on Wednesday, 19 December, 2012

Stories of data breaches across all industries continue to make the news, and nowhere is the pressure greater to keep data safe than on healthcare IT managers.

Healthcare IT News states that health data breaches increased by 97% in 2011. The 2012 Data Breach Investigations Report from Verizon’s RISK team confirmed that over 174 million records were reported as compromised, mostly as the result of hackers accessing the data. According to the Identity Theft Resource Center 2011 Breach Stats Report, 20% of all data breaches in 2011 were in the healthcare industry.

data breach statistics for 2012

What is most startling about this report is that, according to the RISK study, 97% of these cases could have been avoided through simple or intermediate security controls.  The graphic (see right) is one of the many included in Verizon’s study.

Because the most common place where data is compromised is from corporate databases and web servers, hackers who gain access to these vulnerable areas are mining this data for private information such as social security numbers, birthdates and credit card information.

Studies like these underscore the importance of establishing network security perimeters and implementing procedures that protect the privacy of  patients’ information residing on these servers.

IT managers must be vigilant to combat hackers’ ever more sophisticated tools and methods, and that begins with better security procedures at the office.

Security Policy and Procedures Document

The first step in ramping up security is to write and formalize a security policy and procedures document that addresses best practice protocols and that encompasses applicable HIPAA and HITECH regulations.

Next, all employees must be trained and expectations for compliance made clear,  because it takes a concerted effort on everyone’s part to ensure the required protections are implemented consistently.

Secure Data Files In Motion

One of the more popular ways for hackers to capture sensitive data is via the movement of files and documents across the Internet.  In an earlier blog post, we talked about how standard FTP is commonly used to send files.  However, FTP sends the files in unencrypted form, and offers no protection for the server’s login credentials. Once those credentials are captured, hackers can use them to access the FTP server to mine additional data files.

While managing the security of all of the files in the office may seem overwhelming, Managed File Transfer solutions can simplify this task. Used in conjunction with a reverse proxy gateway, a much greater security perimeter is formed around the network, servers and the sensitive data that need protection.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

Hacking and File Transfers: What You Need to Know

Posted by on Tuesday, 4 December, 2012

In the battle to secure information, it helps to know a little bit about how it can be compromised. Using FTP is one way to expose critical vulnerabilities that can allow credentials to be hacked.  However, these holes in security can also be easily closed if you know how.

How Hackers Discover Vulnerabilities

Here’s how hackers could access sensitive data sent via FTP.  With the use of a “sniffing” tool, an attacker could intercept and log any data traveling across the network. This log can then be analyzed to look at the content that was sent across specific TCP ports like FTP (port 21), as well as the user ID and passwords used to log in to the FTP servers that may have been sent as clear text.

managed file transfer, secure file transferStart with Networks, Routers, and Firewalls

To prevent this kind of hacking, the wired network can be secured by first making sure network ports are not available for public access, and then by separating network segments for sensitive servers and workstations.

However, many companies also have wireless networks where hackers just need reasonable proximity to the Wi-Fi signal, such as in an adjacent office or parking lot.  Therefore, it is critical to secure wireless routers with WPA or WPA2 encryption options, rather than WEP encryption, which is no longer considered effective protection against hackers.

Once networks are secured, the next most effective tactic against hackers is to block all FTP traffic at the firewall. Then, for permitted file transfers, allow only secure encryption protocols such as SFTP, FTPS, HTTPS, PGP, or GPG for file exchanges in and out of the network. These security restrictions will deter most hackers.

Security Measures Can Be Challenging

Implementing these security measures is important, but it doesn’t come without some challenges.  The IT staff will have to handle more complicated secure file transfer management processes, and users may be inconvenienced as files are transferred to people and organizations that need them.  As a result, users may look for a workaround for sending and receiving files to avoid being slowed down by the IT staff.  Popular alternatives users may try include email attachments or browser-based cloud services such as Dropbox that present a new vector of vulnerability as these options may not meet necessary security standards.

MFT Minimizes Hassle, Solves Security Vulnerabilities

There is a solution, however, that can provide not only the highest security for file transfers, but also create fewer hassles for both the IT department and the general employee.

Managed File Transfer (MFT) solutions increase data file security implementations and simplify the entire file management process by providing the tools for easily creating and managing all of the unique encryption keys for the company’s various trading partners.  Access controls can be set up for authorizing each employee’s file exchange requirements. MFT also provides a detailed log of all transactions so that any required audits may be easily fulfilled.

Some MFT vendors also provide intuitive and convenient email encryption solutions that can integrate with existing corporate email clients such as Outlook. This reduces the temptation for employees to use workaround tools that may bypass the security restrictions that have been put in place to prevent hacking of sensitive data.

Keeping data secure is an ongoing mandate that will only become more critical as industries move toward paperless environments.  Adopting a managed file transfer solution is one of the best ways to strengthen your file transfer processes and security as the pressure and liability risks continue to grow.

photo credit: kryptyk via photopin cc
 
 

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

Top 4 Email Security Challenges and How to Solve Them

Posted by on Monday, 29 October, 2012

Sending information to others via email has become one of the easiest and most ubiquitous ways of sharing data.  However, there are some important caveats to sharing files this way, as explained by Bob Luebbe, Chief Architect of Linoma Software in a recent webinar entitled, “Ad-Hoc File Transfers Using GoAnywhere Secure Mail.”

Challenges

There are four big challenges that companies need to be aware of when transmitting files using email.

  1. Email is sent “in the clear” meaning that it is not encrypted, therefore can potentially be read by anyone seeing the traffic being sent across an internal network or the Internet.
  2. Large files are most often not permitted by the email provider or the company email server. There is a good reason for this as disk space is very quickly consumed by unlimited use of email attachments and especially when “cc:” is used to send to multiple recipients.
  3. Some file types may not be permitted.  The reason that some file types are restricted, especially on company email servers, is to protect additional attacks from virus and spyware programs that are disguised behind the .zip, .exe, or .dat file types.
  4. There are no good audit trails for the email transaction.  Many companies are required under compliance regulations and other constraints to provide a detailed record of where their information is going, where it changed hands along the way, and whether it arrived at the intended destination. With email systems, this capability is either difficult to use or is non-existent.

Secure Options

Again, the most critical reason for not sending information via email is that it is not secured.  This can be addressed in several ways including these four common encryption methods.

  1. PGP – Using OpenPGP to first encrypt the file before attaching it to an email can be used to send the file securely.  This does not encrypt the body content of the email itself, just the file that is attached.  The recipient needs to create a Public Key and get it to the sender before sending the encrypted file as this key will be needed to decrypt the file. Of course, the recipient must also have the OpenPGP software and the training to create these kinds of electronic keys.  Then the sender would need to install and encrypt the file using this specific recipient’s Public Key. Finally, the recipient would need to decrypt the file with their corresponding Private Key.  This method cannot be used to send files to multiple recipients.  Most users do not have the knowledge to perform this kind of secure file exchange and will usually resort to finding other easier though non-secure methods.
  2. Zip – Compressing the file using some freely available zip software can be used to secure the file as long as it has encryption capabilities such as AES included. After the file is zipped and assigned a password, it can be attached to an email and sent. The password would need to be sent separately perhaps by phone call or another separate email.  The recipient would also need to have software with the same encryption capability to decrypt and unzip the file.  A downside of this method is many corporate email systems block .zip attachments for security reasons.
  3. S/MIME –This encryption method requires that both the sender and the recipient email systems support S/MIME communications. The sender will need to create a certificate and send it to the recipient. The recipient would then need to know how to import the certificate into their email client.  Once the certificate is in place, a secured email can be sent, received and decrypted.
  4. Secure FTP – This method does not use email for sending the file but encrypts the file and sends it directly across a network or the Internet using secure file transfer protocols. The sender needs to have a secure FTP client installed and the recipient needs to have a Secure FTP server setup.  The recipient needs to set up a user ID and password for the sender.  The sender can then log in with their secure FTP client and transmit the file.

While each of these methods certainly allows the sender to assure that the file is secure, it doesn’t address some of the other challenges of file types being blocked and audit trails being easily obtained.  The inconvenience of using these methods prevents their widespread use and make users reliant upon experts to implement, which explains why much of the data flowing in and out of our network is still unsecured.

Solution

There are solutions available that combine the ease of using email together with the option to secure both the file and the text of the email. These solutions are generally referred to as secure mail or secure ad-hoc file transfer.

Secure email uses the common Outlook email client in the form of an add-on utility and/or web client using secure HTTPS protocols.  The sender simply creates the email using the email client with which they are already familiar, while the add-on feature provides a separate “Send” button that’s designated for sending the file using secure methods. Done. It’s a very simple one-button solution.  The recipient gets the email with a link that redirects them to an HTTPS-secured web page with the files available to download.  There are no certificates, electronic keys, or additional software combinations required for the sender or the recipient. Any files remain on the sender’s secured network and there are no file size limitations.  A very detailed and easily accessible audit log is kept for every single secured email transaction. As Bob Luebbe puts it in the webinar, “it’s as easy as pie.”

To listen to the whole webinar on secure mail, click here.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

Do Business with the Government with FIPS 140-2

Posted by on Monday, 8 October, 2012

FIPS 140-2 is a standard with which cryptographic-based (encryption) security systems must comply when protecting sensitive data in U.S. government agencies and departments.  This FIPS 140-2 standard also extends to other entities that may exchange sensitive data with the federal government, including defense contractors, state agencies, county and city government.

Brief history of FIPS 140-2

The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce which establishes the standards for cryptographic modules used to protect and secure sensitive information.  NIST issued FIPS 140-1, the first set of standards developed in conjunction with cryptographic industry vendors and users on January 11, 1994. This group specified four security levels and eleven requirement areas of meeting a cryptographic standard.

On May 25, 2001, NIST issued FIPS 140-2, updating its specifications to address the technology changes since 1994 and is currently working on the draft version of FIPS 140-3 issued in Sept. 2009.

Why FIPS 140-2

FIPS 140-2 data securityThe purpose of the FIPS 140-2 standard is to coordinate the standards to be used by U.S. government and other regulated industries in gathering, storing, transferring, sharing, and disseminating sensitive information.  It also provides an FIPS 140-2 accreditation program for private sector vendors that develop cryptographic modules that can be used in other products.  For instance, our GoAnywhere solution uses an encryption module from RSA® which is FIPS 140-2 certified by an independent lab.

Traditional methods of sending files such as email or FTP do not meet the FIPS 140-2 standards. If you intend to exchange files with the federal government, it is critical that your file transmission is encrypted with a FIPS 140-2 compliant encryption module.

When researching managed file transfer (MFT) solutions, it is important to determine if they have a FIPS 140-2 compliant module available, especially if you are exchanging sensitive data with the federal government. Read more about GoAnywhere’s FIPS 140-2 support.

By utilizing an automated and secure file transfer solution like GoAnywhere along with FIPS 140-2 compliant encryption, doing business with the federal government and other such regulated industries becomes much easier.

 

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube