Some of the stuff I've seen still RUNNING the power companies is downright scary.
I won't say which companies, however some of them are still running Windows NT 4.0 Servers running core functions at the power plant. Most of these servers are now virtualized to eliminate the problem of hardware failures however they're still not protected properly with multi-layer security (DMZ, Web, App, Core network zones) or multi-factor authentication systems to prevent unauthorized access.
BTW: Just last week I caught several Russian hackers using DNS spoofing through compromised South American, Netherlands and Spain based companies trying to hack into one of our public FTP Servers. They tried brute force SSH password cracking and executed over 59,000 brute force attempts in just over 3 minutes.
They didn't get in because we require matching certificates and dual-factor authentication for Internet exposed services and within their first 10 attempts (which happened in microseconds) I had an alert fired off and tracing programs already running to determine the true locations of the Russian hackers.
My own opinion based on the results I collected is that it was Russian State Sponsored hacking. It had to be due to its sophistication, the sheer volume of brute force password attempts in such a small amount of time, and the fact that the IP's traced back to Russian Government facilities.
Granted, I'm not supposed to say those things outside the bank and the FBI (who we work with on these things -- they're working with ALL the top tier banks directly) certainly wouldn't "approve" of my saying it.
I know it’s SFTP but still, can’t you autoblock an IP after X number of failed attempts? You wouldn’t necessarily slow throughput if you limited the filter to authentication. Once a channel was established, pass through the filter without incident.
Your public FTP is still SFTP, right?
Thanks for the inside baseball on this stuff.
It is fascinating.
The scope and tenacity of hackers is not to be underestimated.
Thanks for the inside view.