BreachExchange mailing list archives
FTP remains a security breach in the making
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 30 Jul 2014 18:49:33 -0600
http://www.techrepublic.com/article/ftp-remains-a-security-breach-in-the-making/

Many IT administrators still rely on FTP to move files around on enterprise networks, download patches and share data. However, FTP poses some major security challenges and can leave networks open to intrusion.

Surprisingly, FTP is becoming popular again, especially with administrators looking to move away from hosted file sharing services, which have become targets for hackers, crackers and online criminals, as well as a challenge for those looking to adhere to Sarbanes-Oxley, HIPAA and GLBA requirements. After all, FTP is a great way to move files between systems, users and networks: it is fast, simple to deploy, simple to use, controlled by IT and, most importantly, inexpensive. So, what's not to like?

Simply put, FTP can quickly become a security breach in the making. Its benefits are the very Achilles' heel of the aging protocol: simplicity and abundance have combined to make FTP a target for incursions. The shortcomings of FTP stem from both the design of the protocol and evolving business requirements. Exponential growth in file transfers caused by increasing business automation, rising awareness of corporate vulnerability to data leaks, and the need to maintain meticulous audit trails to fulfill regulatory mandates have come together to expose the security deficiencies of FTP. Those deficiencies include:

Inadequate Authentication: The Ponemon Institute estimates the average cost of a data breach at $7.2 million. That is something to think about when using FTP, which lacks built-in strong authentication and non-repudiation functionality; as a result, messages can be sent and received by unauthorized users, and a party can deny that a message was ever sent or received.

Policy Enforcement: FTP also lacks the ability to filter content to enforce corporate information security policies, as well as checkpoint and restart functions that ensure message delivery.

Delivery Controls: FTP lacks file versioning, auditing and other controls that can prevent data duplication or data loss, as well as other security and delivery controls.

Improper Administration: Many organizations deploy multiple FTP servers, resulting in a patchwork of FTP servers for different operating systems, applications, company locations, departments or even users. That means several paths for incursion have been opened in the enterprise, with little or no administrative control.

Lack of Automation: FTP has no process management framework to automate operations like scheduling across multiple FTP servers. The need to write scripts to schedule file transfers, apply event-based routing triggers, or route files through a workflow adds to the burden and expense of script maintenance, including changing passwords and IP addresses for each customer or partner with whom files are exchanged. That lack of automation means that password changes, authentication requirements and the like can slip through the cracks and leave data exposed.

Lack of Scale: FTP suffers from an inability to effectively support high volumes of concurrent file transfers or simultaneous transfers to multiple recipients. Without the ability to queue data transfers, users start to receive error messages that in turn increase help desk calls, which may lead to FTP sprawl, where a new server is launched and never taken down after the need for it expires.

While FTP seems to hold many promises as a replacement for file sharing services, FTP still carries significant IT administration costs, data security risks, and transparency limitations that compromise businesses' ability to operate efficiently, safely, and in conformance with regulations. So before abandoning a paid service, consider the implications alternatives have on regulatory requirements, and adopt something that protects data while enforcing regulations and company policies.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!