In mid-November, Sharetru launched a new session lockout feature that will create a more secure FTP hosting experience for our users. This new feature slows down and defeats cyber-attacks, and it’s also a key component to complying with certain cybersecurity regulations and standards.
Session lockouts are available on two of Sharetru's pricing plans: Performance and Enterprise. To start taking advantage of this new feature, sign into your administrator dashboard and click on the Account Lockout Policy tab on the left. Visiting this tab will give you the opportunity to configure session lockout settings by IP address and username. You can enable or disable the feature, set the number of login failures that will trigger a lockout, adjust the tracking window minutes, and change the number of lockout minutes.
See below for more details on the benefits of session lockouts, as well as more information on taking advantage of and customizing session lockouts for your organization. As always, our team is here to help if you have any questions or would like to further discuss session lockouts.
How Session Lockouts Work
In the digital age, it’s not uncommon for cyber criminals to run scripts or otherwise automate password attacks. In most cases, these attacks include random password guesses tied to known or easily guessable usernames. For example, if there’s a user with a known email address as the username, hackers need only guess that user’s password to gain entry into a system.
Our session lockouts snuff out password-guessing attacks in two ways. First, users only get a certain number of attempts to enter the password correctly. If the user makes a typo when entering the password initially, he or she will have additional opportunities to enter the password correctly. Second, if the user incorrectly enters the password a certain number of times, the system will lock the user out for a preset number of minutes. Administrators can configure the number of login failures that will trigger a lockout, as well as the number of minutes a user will be locked out.
If the user is legitimate, the lockout gives them time to retrieve the correct password or to contact a system administrator for support. But, if the user is not legitimate, the lockout will likely prompt the attacker to move on to a different hacking opportunity. In short, it’s nearly impossible to guess a password when you’re only given three opportunities before a lockout that lasts several minutes.
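To make the mechanism concrete, here is an added example (not Sharetru's code, and not a description of how their service is implemented internally) of a lockout tracker built around the three settings the post names: the number of failures that trigger a lockout, the tracking window in minutes, and the lockout length in minutes. It keeps a sliding window of recent failures per IP address and per username, locks either key when the threshold is reached inside the window, and releases the lock once the lockout period has elapsed. The class names, the `simulate` function and the login events it replays are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LockoutPolicy:
    """Hypothetical policy mirroring the admin-dashboard settings described above."""
    enabled: bool = True
    max_failures: int = 3           # failures that trigger a lockout
    tracking_window_minutes: int = 15  # only failures inside this window count
    lockout_minutes: int = 30        # how long the IP or username stays locked


@dataclass
class LockoutTracker:
    """Tracks failed logins per ("ip", address) and per ("user", username) key."""
    policy: LockoutPolicy
    _failures: dict = field(default_factory=lambda: defaultdict(deque))  # key -> failure timestamps
    _locked_until: dict = field(default_factory=dict)                   # key -> lockout expiry

    def _prune(self, key, now):
        """Drop failures that fell outside the tracking window."""
        window = timedelta(minutes=self.policy.tracking_window_minutes)
        q = self._failures[key]
        while q and now - q[0] > window:
            q.popleft()

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear the key so the next attempts start from zero.
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def check_attempt(self, ip, username, now):
        """True if the attempt may proceed to password verification at all."""
        if not self.policy.enabled:
            return True
        return not (self.is_locked(("ip", ip), now) or self.is_locked(("user", username), now))

    def record_failure(self, ip, username, now):
        """Record a failed login; return the keys that just became locked (empty if none)."""
        if not self.policy.enabled:
            return []
        newly_locked = []
        for key in (("ip", ip), ("user", username)):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.policy.max_failures and key not in self._locked_until:
                self._locked_until[key] = now + timedelta(minutes=self.policy.lockout_minutes)
                newly_locked.append(key)
        return newly_locked

    def record_success(self, ip, username):
        """A correct password resets the failure counters for both keys."""
        for key in (("ip", ip), ("user", username)):
            self._failures[key].clear()


def simulate(policy=None):
    """Replay a constructed (not real) sequence of login events and return one outcome per event."""
    tracker = LockoutTracker(policy or LockoutPolicy())
    t0 = datetime(2023, 11, 15, 9, 0, 0)
    # (seconds after t0, client IP, username, whether the supplied password was correct)
    events = [
        (0, "203.0.113.5", "alice", False),
        (10, "203.0.113.5", "alice", False),
        (20, "203.0.113.5", "alice", False),          # third failure: IP and username lock
        (30, "203.0.113.5", "alice", True),           # right password, but still locked
        (40, "198.51.100.7", "alice", True),          # new IP, username lock still applies
        (40 + 31 * 60, "198.51.100.7", "alice", True),  # lockout expired: login succeeds
    ]
    outcomes = []
    for offset, ip, user, password_ok in events:
        now = t0 + timedelta(seconds=offset)
        if not tracker.check_attempt(ip, user, now):
            outcomes.append("locked")
            continue
        if password_ok:
            tracker.record_success(ip, user)
            outcomes.append("ok")
        else:
            outcomes.append("locked-now" if tracker.record_failure(ip, user, now) else "fail")
    return outcomes


if __name__ == "__main__":
    print(simulate())  # ['fail', 'fail', 'locked-now', 'locked', 'locked', 'ok']
```

Two design points worth noting for anyone implementing something similar: locking on the username as well as the IP is what defeats a guesser who rotates source addresses, and pruning by the tracking window means three stray typos spread across a working day do not add up to a lockout, while three in quick succession do.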
The Benefits of Session Lockouts for Secure FTP
Organizations choose Sharetru because we provide the most secure method for safely transferring sensitive files and information. Session lockouts give FTP administrators a series of actions they can take if and when a brute force attack is detected. System administrators can implement several responses to a session lockout, including:
- Blocking IP addresses: Administrators may choose to blacklist the IP address related to the session lockout.
- IP address login limitations: When a cyber-attack is suspected, administrators can limit access to only specific IP addresses.
- Relegation from admin to normal user: If an admin account is locked out, administrators can automatically relegate the admin to a normal user until an investigation is completed.
- Further investigation: A session lockout can trigger a predetermined, step-by-step investigation into the root cause.
Of course, any of the four tactics listed above can be used in tandem with another (or with a tactic not listed here that your organization finds beneficial). For example, an organization can automate relegation of an admin to a normal user alongside a predetermined process for further investigation. These tools are simply opportunities for administrators to maintain the most secure FTP experience — both for the sake of security and also for the sake of maintaining compliance and limiting breach-related liability.
The Compliance Benefits of Session Lockouts
Organizations that regularly handle sensitive files likely need to stay compliant with key regulations and standards. For example, a private contractor doing business with a government agency will need to comply with a series of regulations and standards — or risk losing a contract. Here’s a look at just some of the most prevalent regulations and standards that address session lockouts:
- NIST 800-171 (3.1.8): The National Institute of Standards and Technology (NIST) addressed session lockouts in its Special Publication 800-171A, stating that compliant organizations define and implement systems for “limiting unsuccessful login attempts.”
- CMMC 2.0 Level 2: The Cybersecurity Maturity Model Certification (CMMC) calls for the monitoring of remote access sessions as part of Level 2 within CMMC 2.0.
- DFARS 252.204-7012 and DFARS 252.204-7020: The Defense Federal Acquisition Regulation Supplement includes language that encourages session lockouts in both 252.204-7012 and 252.204-7020.
- SOC 2: SOC 2 is a report on an organization's controls over sensitive information, as outlined by the American Institute of Certified Public Accountants (AICPA). Session lockouts are an important control for protecting sensitive information, and the presence of session lockouts would be reportable via SOC 2.
When you’re looking to grow your business by working with government agencies, or when you’re trying to maintain existing contracts with the U.S. government, session lockouts can help you achieve a level of compliance that unlocks new opportunities.
Enable Session Lockouts With Sharetru
At Sharetru, we provide the most secure way to share sensitive files and information with other organizations and government agencies. We’re constantly adding new features and capabilities so that we provide an industry-leading platform — the most secure FTP cloud service on the market. Not only do new features like session lockouts help keep your files more secure, they also help you comply with regulations and standards that can lead to new opportunities.
If you’re looking to share sensitive files and information as securely as possible, our team is here to help. Get in touch to schedule a demo of our FTP cloud services and the new session lockout feature.