FTP: The Overlooked Achilles Heel

March 1, 2008

“FTP is an unreliable way to conduct critical business communications,” warned Arne Johnson.

Would you drive in a car without seatbelts? Many enterprises are taking their corporate well being into dangerous territories every day by using File Transfer Protocol (FTP) as a data transfer method. FTP is like a car without seatbelts, offering nothing beyond the basic transportation of the data.

If an organization uses FTP to transfer data from one computer to another, it is at real risk of a data breach and losing critical customer and company information. Why does FTP have the potential to be so dangerous? FTP is used extensively in business but often with little oversight. As a result, it can be taken for granted and become subject to carelessness. For example, one of your business partners can routinely be downloading some of your critical business information over FTP in the normal course of business, making it vulnerable to data breach. Someone in another department in your organization could bring up an FTP server and gain access to information not intended for their use.

The worse part of these scenarios is that you may not even be aware that an intrusion has occurred!

How real is the risk when transporting or storing electronic data via FTP? The Associated Press recently obtained detailed schematics of a military holding facility in southern Iraq, geographical surveys and aerial photographs of two military airfields outside Baghdad, and plans for a new fuel farm at Bagram Air Base in Afghanistan. The AP was able download this information, which could have posed a direct threat to U.S. troops, because it was carelessly posted to FTP file servers by government agencies and contractors.

Consider some other recent FTP data breaches:

CardSystems was essentially forced out of business after 40 million identities were exposed. Amex and Visa stated that they would no longer do business with the company.
The personal information of uniformed service members and their family members were exposed on an FTP server while being processed by major Department of Defense contractor SAIC. As many as 867,000 individuals may have been affected.

INHERENTLY INSECURE PROTOCOL

Businesses are very conscious of risks to their security--at the perimeter, inside their networks and within their applications. While corporate networks, security measures and industry regulations have evolved to address security risks, and attacker methods continue to grow in sophistication, most companies still leave themselves vulnerable by relying on FTP as their primary file transfer method.

FTP contains a number of mechanisms that can be exploited to compromise security. For example, FTP allows a client to instruct a server to send files to a third computer. Known as proxy FTP, this feature can instruct a server to send data to a port of a third computer never intended to receive the transfer. There is also no provision for encrypting data during transfer. Passwords and files are transferred in clear text and can be easily accessed. The specification also permits an unlimited number of attempts to enter a password, facilitating password guessing attacks on the system.

Most computer platforms support the FTP protocol. This means any computer connected to a TCP/IP based network can manipulate files on another computer that permits FTP access on that network regardless of the operating system used. It can also manipulate files on the server by renaming them or even deleting them. FTP is not a good method to transfer files when authentication is required or when the data is sensitive in nature. If a file transfer is interrupted, the receiver of the transfer has no way to determine if they have received the entire file.

FTP is an unreliable way to conduct critical business communications. Its ease of operation comes with huge risk and cost from data breaches, attacks by hackers and disgruntled employees, and lack of security compliance. Companies utilizing FTP protocol for data transfer aren’t always aware of the amount of unsecured activity that is going on.

There are ways to encrypt FTP transfers, such as FTP over SSH protocol, which is sometimes called Secure FTP. FTP over SSH tunnels an FTP session over an SSH connection. While these solutions provide protection of data as it traverses the Internet, they don’t provide the audit trails and controls needed today to monitor and analyze all file transfer traffic.

A managed file transfer (MFT) solution provides companies with total control and visibility of information-based business processes, with all transfers secure, documented, auditable, and accountable. An integrated MFT solution enables an organization to impose security and control over all the enterprise’s information-based processes.

In addition, MFT technologies deliver enterprise integration capabilities enabling the automation of all transferred data.

Arne Johnson is senior vice president of Proginet Corporation. Previously, he served as vice president of corporate systems at Chase Manhattan Bank.

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.

Security measures today tend to focus on controlling access, albeit with limitations. Many organizations, for example, know how many people have entered a secure location, but not how many have left.

FTP: The Overlooked Achilles Heel

INHERENTLY INSECURE PROTOCOL

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.