It may be obvious to some that FTP (File Transfer Protocol) is an insecure protocol; and that its continued use for transferring sensitive or personal is inappropriate. Yet, its use for that very purpose still continues according to Rapid7, creating an unnecessary risk.
The well-known IT security vendors third annual National Exposure Index report has found via an automated scan of the internet that there are roughly 21 million FTP servers still in operation. Tod Beardsley, the principle security research manager at Rapid7 said "I'm worried about all of the personally identifying information that's going to be lurking in all of these FTP servers that are easy to comprise".
The Trouble with FTP
The File Transfer Protocol has been around for longer than most of us have been working in IT or IT security. In its earlier days, it was simply a way to move files from one computer or server to another. With hindsight, it is clear that its creators never envisioned today's security threats and data protection regulation environment.
As a result, FTP has been enhanced with added SSH and SSL capabilities along the way. Yet, there remains a large portion of organisations who remain on legacy and insecure FTP servers. For those that routinely transfer sensitive documents containing proprietary or regulated data and find themselves in his situation, FTP servers have become a compliance liability and a heightened risk.
There are a number of security issues with FTP:
- Lack of encryption for both files at rest and in motion.
- FTP bounce attacks take place when an FTP proxy is being used to move files between two FTP servers. An attacker can pose as the proxy and gain access to both servers and the files being transferred between them. Remember that there is no encryption in use by FTP, files are sent in the clear.
- FTP servers are susceptible to brute force attacks as they generally have weak passwords and no automated account lock-out features. Hackers have bots which scour the internet for ports open on TCP 21 routinely.
- Because FTP transfers take place in clear text, transfers are vulnerable to packet capture and sniffing attacks, whereby files can be stolen by snooping on the transfer.
- Connection between a FTP client and server is based simply on username, password and connecting IP address. As there is no client verification outside of this, such as a certificate or fingerprint, it is possible to spoof an address and pretend to be an internal client.
- When an operating system opens a dynamic port number during a transfer, attackers cas easily decipher the next port number to be used and gain access to it (port stealing). Giving them access to the transferred files.
Managed File Transfer
As opposed to FTP being a server model, a Managed File Transfer system can be thought of as a fully featured and centralised file transfer system. It supports more secure transfer protocols such as SFTP (SSH/Secure File Transfer Protocol) and FTPS (FTP Secure). Tt provides better visibility, reporting, logging and tracking capabilities; as well as failover or high availability options to ensure the availability of systems and guaranteed delivery/receipt of files.
Managed file transfer solutions are enterprise-class solutions upon which core processes, like invoicing and payment systems, can be built. For instance, a single implementation may include multiple transfer servers, workflow automation and cloud integrations, all from one centralised interface.
These systems are also designed to assure data security, especially for those who require data transfer systems for sensitive files or personal data. This could be in accordance with ISO 27001, PCI-DSS, HIPAA or GDPR (General Data Protection Regulation).
Some of the more valuable features of MFT, in this case, are integration with pre-existing security infrastructure such as anti-virus, DLP and access control systems. Another key feature of many MFT systems in centralised logging and compliance reporting.
Ipswitch MOVEit Managed File Transfer
Ipswitch have been helping organisations with secure and managed file transfer transfer requirements for over fifteen years. Recognised as an industry leader in this space and with one of the most impressive list of existing customer, containing household names and national governments, Ipswitch MOVEit can achieve everything in the blog and more.
Advanced Cyber Solutions are specialists in Ipswitch solutions and managed file transfer. We are the Ipswitch Partner of the Year for Northern Europe; hold accreditations for professional services and training; and have managed file transfer customers in seven countries.
Take a look at our Ipswitch MOVEit Transfer page for more information.