What is an FTP Sprawl?

July 05, 2020 Security and Compliance, MOVEit

To this day, FTP (file transfer protocol) and the more secure SFTP (secure file transfer protocol) are still the most widely used standards for moving files over the Web. They are cost effective, quick and easy to deploy, and, if used correctly in a regulated industry, they keep users from turning to non-compliant data transfer tools like Google Drive and Dropbox. However, do those benefits outweigh the risks?

It’s true that FTP came about as an easy way to move data securely across an organization or externally to business partners. Unfortunately, FTP is now showing its age. FTP is a standard that arose out of the 1990s during a different time and IT landscape. Password-protected FTP servers were secure enough back then. Nowadays, brute force attacks are commonplace and automated in the form of bot attacks.

Is FTP Secure?

FTP by itself transfers usernames and passwords in plain text, so it is insecure by design. Man-in-the-middle attacks are a common problem. An anonymous FTP server that is not properly segregated provides easy access to critical assets on the network. The FTP protocol, without the added security of SSH or SSL, conveys data unencrypted. These servers are also often relatively unmanaged, and they may hold a large volume of easily accessed information that is valuable in itself or that might aid in a cyber attack. Additionally, automation scripts and activity logs are often not protected. Hackers exploit this limitation to modify log files to cover their tracks.

Understanding FTP Sprawl

Another inherent problem with FTP and SFTP is that they often lead to a cyber security and IT maintenance nightmare called FTP sprawl. This really is just the FTP server version of server sprawl, which you can compare to an unmanaged data center. FTP sprawl is the duplication of FTP servers across an information technology infrastructure that is used to transfer data securely internally and externally.

Many of these are clear text FTP servers, which are among the first targets cybercriminals look for. IT often finds itself with dozens of FTP servers deployed across the network. Many of these may be configured in anonymous mode, send and store files in clear text, or depend on scripts.

FTP Sprawl Leads to Real Problems

Last year, the FBI issued an alert (FBI PIN 170322-001) that hackers were targeting clear text FTP servers configured with anonymous mode to launch attacks on business networks. Many enterprise security, risk management, compliance and IT teams are now actively removing clear text and anonymous FTP servers from their environments.
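One way to find the anonymous and clear text servers described above, as an added example that is not part of the original article or of any product it mentions: the script audits server configuration text for anonymous login, missing or optional TLS, and disabled transfer logging. It assumes the servers run vsftpd, which the article does not name; the option names and defaults are vsftpd's, and the hostnames and config contents are constructed samples.

```python
# Upstream vsftpd defaults per vsftpd.conf(5); distro config files often override them.
DEFAULTS = {"anonymous_enable": True, "ssl_enable": False,
            "force_local_logins_ssl": True, "force_local_data_ssl": True,
            "xferlog_enable": False}

def parse_conf(text):
    """Effective boolean settings: defaults overridden by option=value lines."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in DEFAULTS:
            settings[key] = value.upper() in ("YES", "TRUE", "1")
    return settings

def audit(text):
    """Return the list of findings for one server's config text."""
    s, findings = parse_conf(text), []
    if s["anonymous_enable"]:
        findings.append("anonymous login enabled")
    if not s["ssl_enable"]:
        findings.append("no TLS: credentials and files cross the wire in clear text")
    elif not (s["force_local_logins_ssl"] and s["force_local_data_ssl"]):
        findings.append("TLS optional: clients can still log in or transfer in clear text")
    if not s["xferlog_enable"]:
        findings.append("transfer logging disabled")
    return findings

# Constructed sample inventory; hostnames and config contents are hypothetical.
INVENTORY = {
    "ftp-legacy-01": "",  # empty file, so the upstream defaults apply
    "ftp-finance": "anonymous_enable=NO\nssl_enable=NO\nxferlog_enable=YES\n",
    "ftp-partners": "anonymous_enable=NO\nssl_enable=YES\n"
                    "force_local_logins_ssl=NO\nxferlog_enable=YES\n",
    "ftp-hardened": "# reviewed\nanonymous_enable=NO\nssl_enable=YES\nxferlog_enable=YES\n",
}

def audit_inventory(inventory):
    """Audit every server and return (host, findings) pairs, worst first."""
    report = [(host, audit(conf)) for host, conf in inventory.items()]
    return sorted(report, key=lambda item: -len(item[1]))

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY):
        print(host, "-", "; ".join(findings) or "OK")
```

Servers with the most findings sort to the top, which gives a first ordering for consolidation or removal.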

Simply put, there is nothing efficient or secure about FTP sprawl. In healthcare and finance, it has become an unfortunate status quo. Whenever there is a new business requirement or project, IT falls into the habit of adding another FTP server to the array. When IT teams are continuously being crunched for time, energy, and resources, it’s only natural for IT admins to not find the time to make necessary changes to protocols and technology. However, the physical servers are hard to maintain without server consolidation. There is also the risk of backlash from end users who are used to the way things have always been done.

Dealing with an FTP Sprawl 

So you are dealing with the consequences of years of poor information management and have been tasked with taking control of the unruly FTP sprawl on your network. How can you fix this without having users opt for shadow IT? You will of course need to get the new solution up and running as quickly as possible to avoid backlash. You don't necessarily have to hire more people, since that doesn't fix the fundamental problems with FTP sprawl or with server sprawl in general.

There are quite a few solutions, but if you work in a regulated industry and need to be compliant with regulations such as HIPAA or SOX, or need to be compliant with the upcoming GDPR (General Data Protection Regulation) you will need a solution that is not only secure, but compliant as well.

With regard to the healthcare industry, the unique circumstances that hospitals deal with every day could be likened to a hotel that also placed a computer with each patron's billing information in every room.

This presents a unique opportunity for social engineering since access points are spread throughout a facility. The sheer number of legitimate users and the distinct units they belong to only complicate this issue and make it difficult for users to truly know if a person is who they say they are.

Solution for FTP Sprawls

The best replacement for FTP and SFTP server sprawl is managed file transfer (MFT). MFT is a purpose-specific class of middleware focused on the reliable transfer of files between business parties, using simple, secure protocols and easy-to-understand models of exchange. But it’s fortified with secure encryption, manageability, scalability, file processing, integration, and business-reporting options that allow IT to deliver more sophisticated, controlled file-transfer solutions without slipping into the custom-code abyss.

Our managed file transfer solution, Ipswitch MOVEit, lets you manage, view, secure, and control all file transfer activity through a single system. MOVEit reduces the need for IT hands-on involvement and allows for user self-service as needed. It provides the perfect solution for secure file transfer to meet security and compliance needs in any industry and company size while reducing administration time and costs.

Greg Mooney

Greg is a technologist and data geek with over 10 years in tech. He has worked in a variety of industries as an IT manager and software tester. Greg is an avid writer on everything IT related, from cyber security to troubleshooting.
