
3/26/2012 07:30 PM

FTP Ubiquitous And Dangerously Noncompliant

Its ease of use and prevalence notwithstanding, old-fashioned FTP introduces compliance and security risks

FTP servers might be easy to provision and a convenient means for users to share information across corporate boundaries, but the way most organizations use the protocol introduces unnecessarily high levels of security and compliance risks to organizations.

Despite the risks, a new survey shows that more than half of enterprises still depend on insecure and noncompliant FTP connections to collaborate with business partners and customers.

"The FTP protocol is in the drinking water," says Greg Faubert, vice president of enterprise solutions for Ipswitch File Transfer. "But while it is a ubiquitous protocol, depending on it as a standard architecture for file exchange is a bad strategy."

And yet many enterprises do just that. According to a poll of 1,000 IT decision makers across the globe conducted by Harris Interactive on behalf of IntraLinks, 51 percent of organizations use FTP sites to send and exchange large files. As a file-exchange method, it may be convenient, but it poses problems on the governance, risk, and compliance (GRC) front.

Not only do insecure FTP deployments make organizations more prone to catch the wary eye of regulatory auditors, but as several high-profile incidents during the past year have shown, they're very likely to expose sensitive information stores to the world at large.

For example, last year Yale University exposed data of 43,000 people simply by failing to lock down a database server stored on an FTP server that was eventually crawled by Google’s search spiders. Similarly, 40,000 Acer customers had their details stolen in 2011 when a hacker broke into information stored on a company FTP. Last year also saw an attack against FTP servers at the European Space Agency (ESA) that exposed usernames, passwords, and email addresses for more than 200 users at the agency.

According to Faubert, FTP is an easy target for a number of reasons.

"The first and probably the one that is the biggest point of exposure in a typical FTP is you have the issue of files and credentials at rest in an unsecured area of your network," Faubert says. "[In] a typical FTP model, people connect to your server, they potentially log in, the credentials are validated, they drop a file, and then that file is picked up by another application behind your firewall. So for some period of time that stuff is sitting out in the DMZ, and those credentials are sitting out there."

While some encryption solutions like PGP can be bundled with FTP to encrypt the file, there's still the matter of protecting the login information, says Sam Morris, product marketing manager for Attachmate.

"That still does not provide for the encryption or protection of user credentials," says Morris, who adds that authentication methods, in general, pose problems for security and compliance staff seeking to monitor access to data.

"Good old-fashioned FTP is very constrained in that it's not uncommon to have scenarios where it's just a simple thing to do to just implement anonymous authenticating, which really means you have no way of tracking use," Morris says. "It certainly reduces administrative overhead, but there's some exposure there."

Even with anonymous authentication turned off and security teams poring over traditional FTP server logs, the infrastructure does not support the level of monitoring a regulated environment requires to establish who accessed what information and when they did it.

"While some of that information may be logged in traditional FTP server logging files, with the growth of FTP servers and the ease of implementation, it's very challenging to aggregate that data across those logs from those various [feeds]," Morris says.
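To make the monitoring gap concrete, here is an added example (not code from the article or from any vendor quoted in it) that merges logs from two DMZ FTP servers into one timeline and pulls out the three things the experts above say auditors ask for: anonymous sessions that cannot be tied to a person, uploaded files that were never picked up and so are still sitting in the DMZ, and a who-accessed-what-when trail. The log lines are constructed and the format is an assumption modelled on vsftpd's default log style.

```python
import re
from datetime import datetime
# Constructed sample log lines from two DMZ FTP servers; the format follows
# vsftpd's default log style (an assumption), not logs from the article.
LOGS = {
    "dmz-ftp1": [
        'Mon Mar 26 19:30:01 2012 [pid 4101] [ftp] OK LOGIN: Client "203.0.113.7", anon password "mozilla@"',
        'Mon Mar 26 19:31:12 2012 [pid 4102] [ftp] OK DOWNLOAD: Client "203.0.113.7", "/pub/pricelist.pdf", 8812 bytes, 45.10Kbyte/sec',
        'Mon Mar 26 19:40:45 2012 [pid 4110] [partner_acme] OK LOGIN: Client "198.51.100.20"',
        'Mon Mar 26 19:41:03 2012 [pid 4110] [partner_acme] OK UPLOAD: Client "198.51.100.20", "/inbound/acme/orders-0326.csv", 20481 bytes, 120.00Kbyte/sec',
    ],
    "dmz-ftp2": [
        'Mon Mar 26 20:02:17 2012 [pid 7711] [partner_beta] OK LOGIN: Client "198.51.100.44"',
        'Mon Mar 26 20:02:59 2012 [pid 7711] [partner_beta] OK UPLOAD: Client "198.51.100.44", "/inbound/beta/claims-0326.xml", 99120 bytes, 80.20Kbyte/sec',
        'Mon Mar 26 20:30:00 2012 [pid 7790] [erp_pickup] OK LOGIN: Client "10.0.5.12"',
        'Mon Mar 26 20:30:04 2012 [pid 7790] [erp_pickup] OK DOWNLOAD: Client "10.0.5.12", "/inbound/beta/claims-0326.xml", 99120 bytes, 900.00Kbyte/sec',
    ],
}
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<status>OK|FAIL) (?P<action>LOGIN|UPLOAD|DOWNLOAD): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?')

def parse(server, line):
    """Return one event dict, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
    e["server"] = server
    return e

def audit(logs):
    """Merge per-server logs into one timeline and flag the risks the article names."""
    events = sorted((e for s, ls in logs.items() for l in ls if (e := parse(s, l))),
                    key=lambda e: e["ts"])
    ok = [e for e in events if e["status"] == "OK"]
    uploaded = {(e["server"], e["path"]): e for e in ok if e["action"] == "UPLOAD"}
    picked_up = {(e["server"], e["path"]) for e in ok if e["action"] == "DOWNLOAD"}
    return {
        # anonymous sessions: activity that cannot be tied to a person
        "anonymous_logins": [e for e in ok if e["action"] == "LOGIN" and e["user"] in ("ftp", "anonymous")],
        # uploads with no later download: files still at rest in the DMZ
        "unretrieved_uploads": [e for k, e in uploaded.items() if k not in picked_up],
        # who accessed what and when, across all servers
        "access_trail": [e for e in ok if e["action"] in ("UPLOAD", "DOWNLOAD")],
    }
```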

According to the experts, auditors are increasingly keeping their eyes peeled for insecure FTP file exchange in their investigations of enterprise IT environments. Morris says it is not uncommon for his team to receive requests for a solution to lock down an FTP environment very quickly in response to failed audits. It happens not only in finance and healthcare environments, but also in retail, Faubert says.

"The PCI standards look specifically at your FTP environment and the security surrounding your FTP environment," Faubert says. "It is a significant area of focus for auditors, and they will fail companies in their PCI audits for a lack of adequate controls around their FTP."

According to Morris, FTP continues to be overlooked because it has been "pervasive and around forever" and is so easy to set up. More critically, says Fahim Siddiqui, chief product officer for IntraLinks, IT has not provided the means to safely share information across the corporate firewall. That failure does not support today's reality of what he calls the "extended enterprise," which calls for much closer collaboration between business partners and third-party vendors.

"The value chains are more and more disaggregated now. Instead of just going and hiring another 20 people within the organization, they're looking at business partners who can be more agile, move flexibly, and be more responsive to their needs," he says. "In doing that, what happens is you're not just sending orders back and forth and receiving a widget, you actually end up sharing critical business information across the firewall, and it is not needed to produce products and co-invent and co-innovate."

This is where the managed file transfer industry is trying to fill the gaps. According to Forrester, the managed file transfer (MFT) industry measured up to $1.4 billion. As more organizations face the compliance realities of sticking with the old FTP model, that number looks to grow in the coming years, says Ken Vollmer, an analyst with Forrester.

"Our discussions with clients indicate that the primary push for MFT is coming from the business side and is related to the increasing number of compliance regulations that organizations must deal with," he wrote in November. "For example, information security provisions are extensively covered under HIPAA regulations in the US healthcare sector and Sarbanes-Oxley and Basel II laws covering financial reporting. Similar regulations have come up in other sectors as well."


Comments
Managed File Transfer Software, User Rank: Apprentice, 4/20/2012 | 8:49:19 AM
re: FTP Ubiquitous And Dangerously Noncompliant
SFTP/FTPS are both equally capable delivery protocols; it depends upon the technology around them. You can achieve compliance to all standards with a variety of solutions, although it's imperative that your data doesn't exist in an unencrypted format sitting in the DMZ. Speak to Pro2col (http://www.pro2col.com) for independent advice about compliant file transfer; we have provided solutions to banks, retail, government and more.
dsf74, User Rank: Apprentice, 4/1/2012 | 9:00:19 PM
re: FTP Ubiquitous And Dangerously Noncompliant
Have you looked at Binfer? It is a great replacement for FTP. The cool thing is you don't need a central FTP server and all the complex management. Files transfer directly from computer to computer, along with all the good things like auto resume, 128-bit AES encryption, chat, etc.
HANDD Business Solutions for F, User Rank: Apprentice, 3/28/2012 | 10:56:13 AM
re: FTP Ubiquitous And Dangerously Noncompliant
I don't think we've yet come across a situation where one of our products can't help with automation or streamlining of workflow or secure file transfer. We provide managed file transfer solutions on behalf of GlobalSCAPE, Ipswitch, SSH, SRT, Attachmate and Linoma throughout Europe and Asia. Fortunately, a good range of products is able to take file transfer into the modern era, leaving the failings of outdated FTP behind.
gshumway570, User Rank: Apprentice, 3/28/2012 | 1:48:08 AM
re: FTP Ubiquitous And Dangerously Noncompliant
I agree that FTP should be retired, but unfortunately, nobody has come up with a reasonable and close to equivalent alternative.

FTP - well known ports, proxy support and stupid simple configuration.

FTPS - needs to be configured properly or you can still send and even authenticate in the clear. Plus the use of random ports makes it a poor choice when security people want to lock down outbound activities to a minimum set.

SFTP/SCP - really an SSH server, without proper controls, you give away shell access.

HTTP/HTTPS - can be used for upload, but requires you build and maintain a web site.
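The FTPS caveats in the comment above (TLS offered but not enforced, so logins can still go in the clear; passive data connections on arbitrary ports) are configuration problems, and they can be checked mechanically. The following is an added example, not code from the article or any commenter: it audits a constructed vsftpd-style configuration, showing a weak fragment beside a hardened one. The directive names and the upstream defaults in DEFAULTS are assumptions about vsftpd; check them against the manual for your version.

```python
# Constructed vsftpd.conf fragments (assumption: vsftpd directive names and
# upstream defaults; these are not configs from the article or its commenters).
WEAK_CONF = """
anonymous_enable=YES
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
"""

HARDENED_CONF = """
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
pasv_min_port=50000
pasv_max_port=50100
xferlog_enable=YES
"""

# Upstream vsftpd defaults for the directives inspected below (assumption).
DEFAULTS = {"anonymous_enable": "YES", "ssl_enable": "NO",
            "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
            "pasv_min_port": "0", "pasv_max_port": "0", "xferlog_enable": "NO"}

def parse_conf(text):
    """Parse key=value lines over the defaults; '#' lines and blanks are skipped."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_conf(text):
    """Return the findings a compliance reviewer would raise for this config."""
    c = parse_conf(text)
    on = lambda k: c[k].upper() == "YES"
    findings = []
    if on("anonymous_enable"):
        findings.append("anonymous logins allowed: transfers cannot be tied to a user")
    if not on("ssl_enable"):
        findings.append("no TLS: credentials and files cross the network in the clear")
    else:
        # TLS that is merely offered lets a client still log in or move data in the clear
        if not on("force_local_logins_ssl"):
            findings.append("TLS offered but not required for logins: clients may still authenticate in the clear")
        if not on("force_local_data_ssl"):
            findings.append("TLS not required on the data channel: file contents may travel in the clear")
    if int(c["pasv_min_port"]) == 0 or int(c["pasv_max_port"]) == 0:
        findings.append("passive data ports unrestricted: firewall cannot pin FTPS to a fixed port range")
    if not on("xferlog_enable"):
        findings.append("transfer logging off: no record of who moved which file")
    return findings
```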