Secure file transfer experts are commonly asked if FTP is secure. The definitive answer is no. FTP can be convenient and seems safe. But appearances aren’t everything. FTP is about as safe as a door with a papier-mâché padlock.
That is why smart shops don’t use FTP for sensitive files, but instead deploy far more secure file transfer solutions.
Where FTP Came From
Fire up the way back when machine to see where FTP (short for File Transfer Protocol) came from. FTP emerged in 1971, right in the middle of the mainframe and minicomputer days (remember them?), a decade or so before Internet Protocol (IP) networks based on TCP (Transmission Control Protocol) made the scene in the early 1980’s.
File transfer, as the name indicates, was the name of FTP’s game, which was built to ship files from one computer to another
Later, FTP emerged to transfer files too large for email systems to handle, a use case that drives many FTP implementations today.
FTP Better Than Email Attachments, but Not Nearly Good Enough
FTP file transfer solutions beat the pants off email, but has limits no security-conscious organization should put up with.
The main problem is the lack of a method for encryption during file transport, meaning your sensitive data could be intercepted during transport. FTP solutions, which rely on manual processes with no native means for automation and integration with business processes, are not scalable. If you want to automate and integrate, you go back to your in-house script jockeys to write customized scripts.
Meanwhile, files stored on an FTP server stay there until someone takes them off. This is a big burden for account administrators that must take action for single-time setup, deletion or change of management processes. Finally, FTP solutions lack all the great stuff Managed File Transfer features including connectivity, administration, automation and reporting.
FTP and the Dire Lack of Encryption
FTP, unless enhanced with the security of SSH or SSL (each of which has security limits), transfers and shares files unencrypted. Meanwhile, often unmanaged FTP servers contain vast troves of enterprise data that can be cracked, as can the FTP activity logs.
FTP Servers Turned into Command and Control Systems
Once an FTP server is compromised, it can become an attack center. “File Transfer servers, if not sufficiently secured, can be easy targets for experienced attackers. Those configured for anonymous access, where the login is often an email and the password may be “password,” are the first and easiest target. An anonymous FTP server that is not properly segregated provides easy access to critical assets on the network,” argued the MOVEit eBook Ransomware Vulnerabilities in File Transfer. “The FTP protocol, without the added security of SSH or SSL, conveys data unencrypted. These servers are also often relatively unmanaged and there could be a large volume of information that is easily accessed and consumed that may be valuable or might aid the attack. Automation scripts and activity logs are often not protected. Hackers exploit this limitation to modify log files to cover their tracks.”
FTP Attack Types
There are many FTP attack types, and even the older ones are still a major worry. It can take a long time for a cyberattack type to fall out of favor. Instead, hackers take legacy attacks and tweak them to appear new and bypass established defenses. Here are four attacks FTP users need to fret about.
1. Anonymous Authentication Attacks
Passwords (and two or multi-factor authentication) are a step towards file transfer security. But hackers use anonymous authentication, where users log in either with a simple user name (often taking advantage of the fact that many use their email address as a user name) or log into an FTP server completely anonymously. This can often allow access to all or most all the data on the FTP system.
This stems from lax set up, weak passwords such as the word ‘password’ and a lack of segregation between the FTP server and the rest of the network.
2. Cross-Site Scripting
Cross-site scripting (XSS) attacks target an array of systems including FTP. Here, the hacker sends malicious code to an end user via a web app, usually a browser-side script to an end user.
The browser of an end user executes the script believing it is from a trusted source, and browser data including session token is compromised.
3. Directory Traversal Attacks
Directory traversal attacks are HTTPs that let criminals access restricted directories and then execute malicious commands outside of the web server root directory. Hackers can overwrite or create unauthorized files that are stored apart from the web root folder.
4. Ransomware
Once hackers turn an FTP server into a command and control server, they can launch an array of attacks including the ever nasty ransomware. They can encrypt files on the FTP server rendering them not only useless but destroying the only version of the data that exists.
FTP Sprawl Multiplies Risk
Once an organization gets a taste of FTP, its use explodes. “IT often finds itself with dozens of FTP servers deployed across the network. We call this “FTP Sprawl”. Many of these may be configured in anonymous mode, send and store files in clear text FTP servers or depend on scripts. These are often the first targets cybercriminals look for. The FBI issued an alert (FBI PIN 170322-001) that hackers were targeting clear text FTP servers configured with anonymous mode to launch attacks on the network,” the Ransomware Vulnerabilities in File Transfer eBook argued.
Smart shops have removed all clear text and anonymous FTP servers from their IT infrastructure.
FTP Shortcomings
There are other grave FTP shortcomings. When you need to move a lot of files, IT often relies upon scripts to automate the process. Scripts come with their own complications. First, someone must write the scripts which takes time, and someone should test the script to make sure it works as intended. But scripts are complicated to manage and often only understood by the person who wrote them, and what happens if they leave your company?
And while scripts offer a low level of automation, it really is not up to the volume of files your enterprise needs to send or the different types of transfers you likely require. In short, FTP is difficult to secure, tricky to automate and cannot properly track and audit your file transfers.
The worst situation is to have a wide array of methods of transferring files. Here, copies of files are kept all over the place with no central oversight or security. It is a disaster waiting to happen.
FTP and Compliance
“When unmanaged or insecure FTP servers exist in an organization that routinely deals with data that is protected under HIPAA, PCI, FINRA, FDA, SOX or other industry regulations there is also a risk of significant fines. Some 65% of all data breaches originate with a user,” the MOVEit Why You Shouldn't Use FTP to Transfer Cloud Files blog argued. “The majority of those cases are due to inadvertent errors or poor judgement where sensitive data is mishandled or stored in an unauthorized location - like the file directory of an FTP server or a consumer-grade file sharing service.”
The Answer: Managed File Transfer
FTP was built in 1971 using the client/server model. Managed File Transfer (MFT) systems are centralized and come equipped with “all the visibility, reporting, logging, security, tracking, integrations with your security architecture, failover and assured delivery features already built-in by design (as opposed to add-ons),” the MOVEit cloud blog explained. “These are enterprise-class solutions upon which core processes, like the medical billing and payment systems of a hospital, can be built. For instance, a single implementation may include multiple transfer servers, workflow automation systems and cloud-based transfer services all under management from a centralized console.”
Managed File Transfer vs. FTP
You can learn more about MFT with the MOVEit eBook for IT professionals trying to decide between FTP and MFT called Why IT Teams Migrate to MFT.
As the eBook explains, MFT solutions include:
- Visibility
- Reporting
- Logging
- Security
- Tracking
- Integrations with your security architecture
- Failover and delivery assurance
Critical Integrations
MOVEit MFT can be made even safer by integrating with your security such as data loss prevention (DLP), access control systems and anti-virus/antimalware.
Doug Barney
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.