FTP Brings Compliance, Security Risks

Wednesday, March 28, 2012 @ 03:03 PM gHale


FTP servers might be a convenient means for users to share information across corporate boundaries, but the way most organizations use the protocol introduces high levels of security and compliance risks.

Despite the risks, a new survey shows more than half of enterprises still depend on insecure and noncompliant FTP connections to collaborate with business partners and customers.


“The FTP protocol is in the drinking water,” said Greg Faubert, vice president of enterprise solutions for Ipswitch File Transfer. “But while it is a ubiquitous protocol, depending on it as a standard architecture for file exchange is a bad strategy.”

According to a poll of 1,000 IT decision makers across the globe conducted by Harris Interactive on behalf of IntraLinks, 51 percent of organizations use FTP sites to send and exchange large files. As a file-exchange method, it may be convenient, but it poses problems on the governance, risk, and compliance (GRC) front.

Not only do insecure FTP deployments make organizations more likely to draw the wary eye of regulatory auditors, but as several high-profile incidents during the past year have shown, they are also very likely to expose sensitive information.

FTP is an easy target for a number of reasons, Faubert said.

“The first and probably the one that is the biggest point of exposure in a typical FTP is you have the issue of files and credentials at rest in an unsecured area of your network,” Faubert said. “[In] a typical FTP model, people connect to your server, they potentially log in, the credentials are validated, they drop a file, and then that file is picked up by another application behind your firewall. So for some period of time that stuff is sitting out in the DMZ, and those credentials are sitting out there.”

While some encryption solutions like PGP can bundle with FTP to encrypt the file, there’s still the matter of protecting the login information, said Sam Morris, product marketing manager for Attachmate.

“That still does not provide for the encryption or protection of user credentials,” said Morris, who added authentication methods, in general, pose problems for security and compliance staff seeking to monitor access to data.

“Good old-fashioned FTP is very constrained in that it’s not uncommon to have scenarios where it’s just a simple thing to do to just implement anonymous authenticating, which really means you have no way of tracking use,” Morris said. “It certainly reduces administrative overhead, but there’s some exposure there.”

Even with anonymous authentication turned off and security teams poring over traditional FTP server logs, the infrastructure does not support the level of monitoring required within a regulated environment to figure out who accessed what information and when they did it.

“While some of that information may be logged in traditional FTP server logging files, with the growth of FTP servers and the ease of implementation, it’s very challenging to aggregate that data across those logs from those various [feeds],” Morris said.
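Answering the audit question the two paragraphs above raise (who accessed what, from where, and when, across several FTP servers, and which of that activity ran under an untraceable anonymous login) is in practice a log-aggregation job. The following added example is not from the article or from either vendor; it parses vsftpd-style log lines (the format and host names are assumptions, and the lines themselves are constructed) from two servers, merges them into one timeline, and flags transfers that no named account can be held to.

```python
import re
from datetime import datetime

# vsftpd-style log line, e.g.
#   Mon Mar 26 09:01:10 2012 [pid 2] [jsmith] OK LOGIN: Client "203.0.113.5"
# Format is an assumption; adjust the pattern for other FTP daemons.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<status>OK|FAIL) (?P<action>\w+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)
ANON_USERS = {"anonymous", "ftp"}   # logins that identify nobody

def parse_line(server, line):
    """Turn one log line into an event dict, or None if it is not an FTP event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["server"] = server
    ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    return ev

def aggregate(logs):
    """Merge per-server logs into one time-ordered list of events."""
    events = []
    for server, lines in logs.items():
        for line in lines:
            ev = parse_line(server, line)
            if ev:
                events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def anonymous_access(events):
    """Successful transfers made under an anonymous login: no accountable user."""
    return [e for e in events if e["user"].lower() in ANON_USERS
            and e["status"] == "OK" and e["action"] in ("UPLOAD", "DOWNLOAD")]

def file_access_report(events):
    """Per file: (time, server, user, client IP, action) for every touch of it."""
    report = {}
    for e in events:
        if e["path"]:
            report.setdefault(e["path"], []).append(
                (e["ts"].isoformat(), e["server"], e["user"], e["client"], e["action"]))
    return report

# Constructed sample logs from two hypothetical FTP servers in a DMZ.
SAMPLE_LOGS = {
    "dmz-ftp1": [
        'Mon Mar 26 09:01:10 2012 [pid 2] [jsmith] OK LOGIN: Client "203.0.113.5"',
        'Mon Mar 26 09:01:32 2012 [pid 3] [jsmith] OK UPLOAD: Client "203.0.113.5", "/in/payroll.csv", 20480 bytes, 50.10Kbyte/sec',
        'Mon Mar 26 09:05:00 2012 [pid 4] [anonymous] OK LOGIN: Client "198.51.100.7"',
        'Mon Mar 26 09:05:18 2012 [pid 5] [anonymous] OK DOWNLOAD: Client "198.51.100.7", "/in/payroll.csv", 20480 bytes, 80.00Kbyte/sec',
    ],
    "dmz-ftp2": [
        'Mon Mar 26 08:58:44 2012 [pid 2] [ftp] FAIL LOGIN: Client "198.51.100.7"',
        'Mon Mar 26 09:03:02 2012 [pid 6] [ftp] OK DOWNLOAD: Client "198.51.100.7", "/pub/pricelist.pdf", 4096 bytes, 40.00Kbyte/sec',
    ],
}

if __name__ == "__main__":
    for e in anonymous_access(aggregate(SAMPLE_LOGS)):
        print(f'{e["ts"]} {e["server"]} anonymous {e["action"]} {e["path"]} from {e["client"]}')
```

Run against the sample, the report shows the payroll file uploaded by a named user and then fetched by an anonymous session from an address that had just failed a login on the other server, which is exactly the cross-server correlation the quoted speakers say per-server log files do not give you.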

According to the experts, auditors are increasingly keeping their eyes peeled for insecure FTP file exchange in their investigations of enterprise IT environments. Morris said it is not uncommon for his team to receive requests for a solution to lock down an FTP environment very quickly in response to failed audits. It happens not only in finance and healthcare environments, but also in retail, Faubert said.
