BreachExchange mailing list archives

FTP remains a security breach in the making


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 30 Jul 2014 18:49:33 -0600

http://www.techrepublic.com/article/ftp-remains-a-security-breach-in-the-making/

Many IT administrators still rely on FTP to move files around on enterprise
networks, download patches and share data. However, FTP poses some major
security challenges and can leave networks open to intrusion.

Surprisingly, FTP is becoming popular again, especially with administrators
looking to move away from hosted file sharing services that have become the
targets of hackers, crackers and online criminals, as well as a challenge for
those looking to adhere to Sarbanes-Oxley, HIPAA and GLBA requirements.

After all, FTP proves to be a great way to move files between systems,
users and networks and it is fast, simple to deploy, simple to use,
controlled by IT and most importantly - inexpensive. So, what's not to
like? Simply put, FTP can quickly become a security breach in the making;
its benefits prove to be the very Achilles' heel of the aging protocol -
simplicity and abundance have contrived to make FTP a target for incursions.

The shortcomings of FTP stem from both the design of the protocol and
evolving business requirements. Exponential growth in file transfers caused
by increasing business automation, rising awareness of corporate
vulnerability to data leaks, and the need to maintain meticulous audit
trails to fulfill regulatory mandates have come together to expose the
security deficiencies of FTP. Those deficiencies include:

Inadequate Authentication: The Ponemon Institute estimates the average cost
of a data breach at $7.2 million. Something to think about when using FTP,
which lacks built-in strong authentication along with non-repudiation
functionality; this can lead to messages being sent and received by
unauthorized users, and to denials that a message was sent or received.

Policy Enforcement: FTP also lacks the ability to filter content to enforce
corporate information security policies, as well as checkpoint and restart
functions that ensure message delivery.

Delivery Controls: FTP lacks file versioning, auditing and other controls
that can prevent data duplication or data loss, as well as other security
and delivery controls.

Improper Administration: Many organizations deploy multiple FTP servers,
resulting in a patchwork of FTP servers for different operating systems,
applications, company locations, departments or even users. That means
several paths for incursion have been opened in the enterprise, with little
or no administrative control.

Lack of Automation: FTP has no process management framework to automate
operations like scheduling across multiple FTP servers. The need to write
scripts to schedule file transfers, apply event-based routing triggers, or
route files through a workflow adds to the burden and expense of script
maintenance, including changing passwords and IP addresses for each
customer or partner with whom files are exchanged. That lack of automation
means that password changes, authentication requirements and the like can
slip through the cracks and become exposed.

Lack of Scale: FTP suffers from an inability to effectively support high
volumes of concurrent file transfers or simultaneous transfers to multiple
recipients. Without the ability to queue data transfers, users start to
receive error messages that in turn increase help desk calls, which may
lead to FTP sprawl, where a new server is launched and then forgotten rather
than taken down after the need for it expires.

While FTP seems to hold many promises as a replacement for file sharing
services, FTP still carries significant IT administration costs, data
security risks, and transparency limitations that compromise businesses'
ability to operate efficiently, safely, and in conformance with
regulations. So before abandoning a paid service, consider the implications
alternatives have on regulatory requirements and adopt something that
protects data, while enforcing regulations and company policies.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 