Should Security Concerns Make You Think Twice About Where FTP is Used Within Your Organization?
Web hosting firm DreamHost made headlines this past weekend when it opted to reset the file transfer protocol (FTP) and shell access passwords of its customers after uncovering a possible data breach. But it wasn’t just the prospect of the company adding its name to the list of organizations affected by data breaches that had some talking.
Instead, the move led to Adam Bosnian, executive vice president at password and identity management vendor Cyber-Ark Software, to question whether or not it’s officially time to put FTP on the shelf for good.
"Why should we bury FTP? Because the early engineers who created FTP did not have access to the computer power and software needed for solid encryption, the 40 year old protocol continues to be a serious weakness for the security of connected machines,” Bosnian said. “Because it is so outdated, organizations that utilize FTP are putting sensitive data in potential jeopardy.”
Talk of security problems with FTP is not new. FTP was not designed to encrypt its traffic, making it possible for attackers to sniff packets on the network. A common answer for this is to use FTPS, an extension for FTP that supports the transport layer security (TLS) and secure sockets layer (SSL) protocols.
“A shortcoming with traditional FTP and even encrypted FTP sessions is that after the data is done moving, it sits on the FTP or SFTP server in plain text,” Bosnian said. “As the FTP or SFTP server is commonly connected to the Internet to allow business partners access to it, the data is at risk of being retrieved and shared. FTP passwords can also be susceptible to attack when in clear text as any network sniffer can hijack it. Moreover, FTP technology can slow down business processes, as an organization’s IT team often needs to modify FTP scripts in order to support a new business initiative or bring on a new business partner that needs to exchange sensitive information with the system.”
“Furthermore, having the ability to know if the files were transferred correctly and on time is very difficult to do with transfer methods such as FTP,” he added.
Part of the issue is that people have higher expectations for the FTP protocol than they need to have, said Hugh Garber, senior product marketing manager at Ipswitch.
“The FTP protocol turned 40 years old in 2011 and although still functional as a technology to move files, it was not designed to provide any encryption or guaranteed delivery,” Garber said. “For some organizations that are transferring non-confidential or non-regulated information, basic standards-based FTP works fine in those low-risk situations.”
Unfortunately, many organizations are still relying on outmoded FTP to move and transfer mission-critical or sensitive information and that introduces risk, he said. FTP lacks many of the management and enforcement capabilities that modern Managed File Transfer solutions offer, he added.
“At a minimum, they should be using encrypted file transfer protocols such as FTPS, SFTP or HTTPS to transfer sensitive company files and data,” he said. “Organizations should choose to migrate away from antiquated FTP because it puts company data at risk – unsecured data is obviously an enormous liability.”
In addition, organizations should proactively work to remove all hard-coded clear-text passwords from their FTP scripts and systems, Bosnian said, noting there are commercial products for replacing, securing and managing vulnerable credentials frequently found unsecured within FTP scripts, servers and applications.
Retiring FTP may make perfect sense from a security perspective, but so does killing reusable passwords, group accounts, hardcoded passwords and so on, opined Gartner analyst John Pescatore.
“Realistically, lots of legacy applications will be using FTP for some time to come and the DreamHost breach was more of a password issue than an FTP issue,” he said. “It really isn’t all that hard to do FTP securely – it is reusable passwords that continue to be the Achilles heel of all this. I think it is encouraging to see Google and a few others start to encourage consumers to use ‘two-step verification’ - i.e., replace reusable passwords with SMS/texting challenge/response.”