Nearly a million servers around the world still run the insecure legacy FTP protocol and are actually configured for ‘anonymous’ access. Not good.
The file transfer protocol (FTP) utilized by your end users could be the biggest threat to your company’s proprietary information. A recent phishing campaign that delivered malware to steal banking data and other private information is a prime example.
The attackers disguised their messages sent to various businesses as invoices issued by an accounting software firm. Users who clicked on the email links were directed to an FTP server with a modular version of the DanaBot malware. If the components were activated, the cybercriminals could then send encrypted data—such as screenshots of victim machines—back to a command-and-control server, where it could be distributed covertly using channels like Tor.
FTP connection hacking like this has become quite popular within the cybercriminal community—numerous tutorials on how to hack an FTP client account can be found online. Even large brand-name companies can be susceptible, especially when they work with contractors and third-party business partners across the globe. In one case, multiple FTP user accounts owned by the U.S. government were accessed by a teen hacker. FTP servers turn out to be a favorite command-and-control resource for cybercriminals.
But external cybersecurity threats shouldn’t be your only focus. Unfortunately, roughly one-third of all data breach incidents originate with end users doing something they shouldn’t. Consider an employee in North America who needs a file from a colleague in Europe. The quickest way to share it is an FTP exchange, since one of them has easy access to an FTP server. If that file contains sensitive or regulated data, and the FTP server is not properly configured for security and/or compliance, the company is exposed to huge risk.
And while the vast majority of current FTP servers actually run a secure variant such as SFTP or FTPS, recent research has found nearly a million servers around the world that still run the insecure legacy FTP protocol and are configured for ‘anonymous’ access (read: insufficient password protection).
Attacks like those described above present a particularly challenging problem because data sharing has become an essential process for almost every business. Whether the concern is the “secret sauce” behind your products and services, the processes and methods used to produce them, marketing plans, customer lists, contracts or details about your IT infrastructure, protecting proprietary information should be a key concern of any business.
When there is a high likelihood that the data being shared is personal, financial, credit card or health information, even properly configured SFTP and FTPS servers can pose security and compliance risks. Most regulations, such as PCI, HIPAA, GDPR, the UK’s DPA and a long list of others, require ‘sufficient security measures to protect’ regulated data. Failure to do so results in public embarrassment, career disruption for IT and security executives, and fines that can have a material impact on the business.
In taking on the FTP security challenge, IT must contend with the fact that management and front-line employees need sensitive information to make critical decisions and to do their jobs. An important factor in the value of sensitive information is the ability to establish online connections with other end users through a simple click or two—and reliably share information quickly and securely among authorized users. Business partners and customers also need access to sensitive information at times, so finding ways to share information externally is just as important.
A traditional and still often-used method of data transfer is the legacy file transfer protocol (FTP). While it makes file transfers easy, FTP lacks many of the security and compliance attributes needed to keep proprietary information safe. For example, FTP user login credentials are sent unencrypted. Often no password is required at all, making FTP accounts an inviting target for hackers. And data served by a hosted anonymous FTP server is also usually left unprotected.
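As an added illustration (not code from the original post or from Ipswitch), here is a small Python audit that walks a captured and reassembled FTP control channel and reports which logins, anonymous ones included, sent their credentials in the clear, and whether the session ever upgraded to TLS. The server name and transcript lines are constructed sample data.

```python
import re

# Constructed sample: an FTP control channel (TCP/21) reassembled from a
# capture, one command or server reply per line, as a defender would see it.
SAMPLE_CONTROL_CHANNEL = """\
220 ftp.example.internal FTP server ready
USER anonymous
PASS guest@example.com
230 Login successful.
USER alice
PASS Summer2019!
230 Login successful.
USER bob
PASS wrongpass
530 Login incorrect.
AUTH TLS
234 Proceed with negotiation.
"""

ANONYMOUS_USERS = {"anonymous", "ftp"}
CMD = re.compile(r"^(USER|PASS|AUTH)\s+(\S+)", re.IGNORECASE)


def audit_ftp_control_log(text):
    """Flag credential exposure on a cleartext FTP control channel.
    Reports user names only, never the observed passwords, so the
    result can be pasted into a ticket without re-exposing them."""
    f = {"cleartext_logins": [], "anonymous_logins": [],
         "failed_logins": [], "tls_upgraded": False}
    user, auth_pending = None, False
    for line in text.splitlines():
        m = CMD.match(line)
        if m:
            verb, arg = m.group(1).upper(), m.group(2)
            if verb == "USER":
                user = arg
            elif verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                auth_pending = True
            continue
        code = line[:3]
        if code == "230" and user:            # server accepted USER/PASS sent in clear
            f["cleartext_logins"].append(user)
            if user.lower() in ANONYMOUS_USERS:
                f["anonymous_logins"].append(user)
        elif code == "530" and user:          # rejected, but the password still leaked
            f["failed_logins"].append(user)
        elif code == "234" and auth_pending:  # channel is encrypted from here on
            f["tls_upgraded"] = True
            break
        if code in ("230", "530"):
            user = None
    return f
```

Any non-empty `cleartext_logins` list is a finding on its own: it means the server still accepts plain FTP authentication and those passwords have already crossed the network unprotected.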
Because of this lack of security, hackers can use cross-site scripting to send a malicious script to an FTP user’s web browser, which has no way to know that the script should not be trusted. The malicious script can then access cookies, session tokens and other sensitive information retained by the browser, opening the door to proprietary information.
The answer to the challenge of sharing proprietary information lies in your choice of FTP client. It’s critical to give end users one that securely enables them to move files before, during and after every web transfer. Here are some of the key security attributes to look for among advanced FTP client solutions:
These protocols and security tools give end users the ability to authenticate and connect to servers that require SSH clients to respond to server-defined prompts for authentication—in addition to the standard username and password prompts. Another attribute to look for in a solution to transfer files is the ability to integrate with your other file transfer tools such as your FTP servers and your cloud environments.
These capabilities will help you meet internal security SLAs by giving you more control over business processes. You can also assure regulatory compliance with features like tamper-evident audit trails and documented delivery to the intended recipient (non-repudiation).
As you focus on evaluating the security capabilities of potential FTP client solutions, don’t forget the needs of your end users and your IT admins. Otherwise, the company won’t generate sufficient file-sharing benefits, and IT will get bogged down with maintenance and technical support.
Usability features to look for are customizable displays and drag-and-drop functionality that make it possible to instantly connect to multiple remote servers and move any size and type of file. The FTP client should also make it easy to locate files and folders using integrated search engines by parameters such as file/folder type, size and date.
Your IT team will want an FTP client that is easy to manage and lets them schedule automated post-transfer actions—such as delete, rename and file downloads. It’s also important to give your IT team the ability to safely back up and archive important folders and files, schedule recurring transfers, and sync to any location, device, drive, or server. Other key capabilities include email notifications of transfers and data compression to reduce storage needs.
Many businesses have found the answer to their FTP security challenges by turning to Ipswitch WS_FTP Professional. The client software provides best-in-class security with the highest levels of encryption, is easy to customize, and reduces administrative burden. Here are some of the benefits you can count on:
You also get built-in automatic end-to-end file non-repudiation and compression between WS_FTP Pro and our other file transfer solutions—MOVEit® Transfer and MOVEit® Cloud Servers. You can get started today by downloading a free trial.
Also be sure to check out our ecosystem of FTP support. You can connect to our FTP community to learn all the best practices when it comes to file transfers and learn about the difference between active and passive FTP.