Is FTP a Breach Just Waiting to Happen?

In July of 2007, the Pentagon contractor SAIC announced a potential breach of sensitive information including names, addresses, birth dates, Social Security numbers and health information of 580,000 US military personnel and their relatives. A file containing unencrypted sensitive information was transmitted via FTP using an unsecured connection, exposing the data to interception during the transmission. After government auditors discovered this potential breach, SAIC, due to strict breach notification laws in many US states, had no option but to publicize its potentially disastrous miscue.

This announcement was just one of hundreds of such breach announcements in 2007, affecting over 160 million consumers worldwide, more than three times the number of consumers impacted by breaches in 2006.

What Does a Breach Cost?

The actual financial cost to a company experiencing a security breach can be staggering.  The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research.  "After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number," writes Forrester Senior Analyst Khalid Kark. "Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization's bottom line, especially if it is ill-equipped, and it's important to be able to make an educated estimate of its cost."

A recent study by the Ponemon Institute revealed the average cost of a sensitive information leak to be $6.3 million in 2007, up from $4.8 million in 2006. Companies who experienced a breach in 2007 reported that the cost of lost customers after a data leak accounted for 65% of that cost, up from 54% in both 2006 and 2005.

Currently, 35 US states have enacted breach notification laws, the requirements of which vary from state to state. Congress is working on a Federal breach notification law and there is even talk of tying criminal penalties to the most egregious data breaches where reasonable and proper security procedures were not put in place.

Why Worry about FTP Specifically?

FTP (File Transfer Protocol) is a widely used method for transferring files between computers, even different types of computers. In most large Enterprise environments, FTP is heavily used every day to facilitate communication between disparate computer systems, both inside and outside the corporate firewall. It is not uncommon to find FTP activity numbering in the tens of thousands, if not hundreds of thousands per day. That’s a lot of data traveling in and out of the Enterprise on a daily basis. FTP servers are included as part of virtually every operating system from Windows to UNIX. Given FTP’s well-publicized exposures and FTP’s limited security implementation, the opportunity for breaching sensitive data is just too large to ignore.

Read access to a file is all a user needs to FTP that data anywhere in the world. This potential may not have been taken into consideration when access rules for sensitive data were developed. Once a file containing sensitive data is transmitted outside the corporate firewall, all control over the data and its subsequent dissemination and exposure is permanently lost.

Although most FTP servers have the ability to support secured connections, very few FTP transactions are actually secured. Unsecured FTP activity travels in eye-readable “clear text” exposing not only the data being transmitted but also the logon information (user ID and password). Compounding the problem is the fact that most users use the same password for many different applications. If hackers glean an FTP password, they may be getting a password that is also used to access online checking accounts or other confidential data.

Who’s Responsible for FTP: Network Management or Security?

FTP is a network application and, as such, often falls under the auspices of the network management organization. However, the accessibility to the corporation’s data that FTP provides its users should also make it a primary concern for the security department. Identifying FTP’s exposures and ensuring that adequate procedures and controls are in place to close these exposures requires the participation and coordination of both departments. Identifying all of the FTP servers in the network, controlling network access to the servers and ensuring that all FTP activity is properly logged and archived is generally considered the responsibility of the network organization. Policing who can access the FTP servers and what data they can access and distribute with them falls more in the area of security. A coordinated effort involving both organizations is required to adequately secure and audit FTP usage.

Relying on Employees to Secure Sensitive Data is Ineffective

In many organizations, FTP usage is not adequately managed and secured to ensure that employees and contractors do not inadvertently (or intentionally) expose sensitive data outside the organization. In these organizations, companies are implicitly relying on their employees to police the access to and dissemination of sensitive corporate and customer data. While this strategy may work most of the time, all it takes is for it to fail one time for the corporation to be faced with the embarrassment and cost of publicly announcing a breach of sensitive, private information.

FTP Usage is not always Tracked

Although most FTP servers have the ability to log FTP activity (and there are hundreds of different servers available across the various computing platforms), logging often isn’t turned on by default. In most cases, an administrator needs to enable logging on FTP servers. Ensuring that all FTP usage is being logged and archived is a critical part of proper FTP management. In the event of an FTP-based breach of sensitive data, knowing what data was breached, when it was breached, who breached it and where it was transmitted will be an important part of the discovery process your organization will be required to perform. More importantly, if FTP activity logs are proactively monitored and audited, your organization may be able to identify FTP security issues before they result in a breach.

What Can You Do About It?

There are a number of steps your organization can take now to reduce the exposure your company faces from FTP usage.

  1. Harden FTP security
  2. Move to Secured FTP usage
  3. Ensure FTP usage is being logged throughout the Enterprise
  4. Perform regular FTP usage audits
  5. Eliminate anonymous FTP
  6. Consider real-time monitoring of FTP usage
  7. Consider Managed File Transfer solutions for critical data
  8. Consider an FTP Management solution

1.      Harden FTP security

Hardening security for FTP servers requires some effort on the part of Network Management and Security personnel. Auditors should review all FTP server settings to ensure that access to sensitive data is controlled properly through the user access settings. Generally, it is best to grant FTP server users the minimum access they need to get the job done. Because FTP servers are popular targets for password cracker programs, IT departments need to restrict access by Internet Protocol (IP) address whenever possible and disable hacked accounts as soon as possible to ensure unauthorized users don't get logged in.

Auditors also need to verify that strong passwords are required where supported by the FTP server and that FTP sessions time out automatically if they remain idle for a period of time. If possible, auditors should confirm that account lockouts are enabled so accounts will be disabled automatically after experiencing an excessive number of login failures.

2.      Move to Secured FTP

Most organizations have yet to take advantage of the secured connection capabilities provided by most FTP servers. FTP server options exist on virtually every computing platform to support secured FTP usage. Using secured FTP requires that the FTP user uses software capable of establishing a secured connection to the FTP server.

3.      Ensure FTP usage is being logged throughout the Enterprise

It is important to ensure that all FTP server activity in the Enterprise is properly logged and archived for long-term auditing and discovery requirements. All of the FTP servers (Linux, UNIX, Windows, etc.) on the network need to be identified and audited to ensure that logging is taking place properly. There are a number of different FTP server log formats in existence, some eye-readable, some not. The more FTP servers you have, the bigger the job will be to effectively review and audit FTP usage. Consolidating FTP usage from all of the FTP servers into a single view can make that job a lot more achievable. Most third-party FTP Management solutions can help with this consolidation; some are more all-encompassing than others.

4.      Perform regular FTP usage audits

FTP usage should be tracked and audited regularly to ensure that no unauthorized FTP activity is taking place. Audits should focus on who is using FTP, what they are doing with it, when and where sensitive data is involved and where it is going. Much of the day-to-day FTP usage is repetitious, so having the ability to identify exceptional activity helps make the auditing job more manageable. Every organization will have its own standards for what is considered normal and exceptional activity.

In addition to auditing FTP usage, organizations should perform regular network audits to locate FTP servers and ensure that they are authorized and properly configured. FTP servers are easy to start and are sometimes set up by individual business units to solve a data sharing need without the knowledge of the IT staff. In many cases, these servers are not properly secured and can expose sensitive data to breach.
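The usage audit described in steps 3 and 4 can be sketched as follows; this is an added example, not code from the original article or any vendor. It assumes the servers write the wu-ftpd style "xferlog" format, and the trusted network, sensitive path prefix and sample log lines are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Field order of the wu-ftpd style "xferlog" line (one line per transfer).
Xfer = namedtuple("Xfer", "when secs host size path ttype flag direction "
                          "access user service auth_method auth_id status")

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    "Thu Mar  6 10:15:22 2008 3 10.1.4.20 52400 /pub/readme.txt a _ o r jsmith ftp 0 * c",
    "Thu Mar  6 10:17:41 2008 12 203.0.113.7 1048576 /data/hr/payroll.csv b _ o r jsmith ftp 0 * c",
    "Thu Mar  6 10:21:03 2008 1 198.51.100.9 2048 /pub/notes.txt a _ o a guest@example.com ftp 0 * c",
    "Thu Mar  6 10:30:55 2008 40 10.1.4.31 7340032 /data/hr/benefits.zip b _ i r mlee ftp 0 * i",
]

def parse_xferlog(line):
    """Parse one xferlog line; return None if it does not fit the format."""
    p = line.split()
    if len(p) < 18:  # 5 timestamp tokens + 3 fields + filename + 9 trailing fields
        return None
    try:
        # The filename may contain spaces, so it is everything between the
        # size field and the nine fixed trailing fields.
        return Xfer(" ".join(p[:5]), int(p[5]), p[6], int(p[7]),
                    " ".join(p[8:-9]), *p[-9:])
    except ValueError:
        return None

def audit(lines, trusted_nets, sensitive_prefixes):
    """Return (record, reasons) for each transfer a reviewer should look at."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for rec in filter(None, map(parse_xferlog, lines)):
        reasons = []
        if rec.access == "a":                     # a=anonymous, g=guest, r=real user
            reasons.append("anonymous login")
        try:
            trusted = any(ipaddress.ip_address(rec.host) in n for n in nets)
        except ValueError:                        # logged as a hostname: unverified
            trusted = False
        if (rec.direction == "o" and not trusted  # o=outgoing (sent by the server)
                and rec.path.startswith(tuple(sensitive_prefixes))):
            reasons.append("sensitive file sent to untrusted host")
        if rec.status != "c":                     # c=complete, i=incomplete
            reasons.append("incomplete transfer")
        if reasons:
            findings.append((rec, reasons))
    return findings

if __name__ == "__main__":
    for rec, reasons in audit(SAMPLE_LOG, ["10.0.0.0/8"], ["/data/hr/"]):
        print(rec.when, rec.user, rec.host, rec.path, "; ".join(reasons))
```

Routine internal transfers produce no finding, so the reviewer sees only the exceptions: who, when, which file and where it went.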

5.      Eliminate anonymous FTP

Most FTP servers offer the option of supporting anonymous logon, where users can access the server’s files without having to provide proper logon information. This option is often enabled as a time-saver to the FTP server administrator because it eliminates the need to maintain user ID access tables. In general, the use of anonymous FTP is discouraged because it provides access to server data to anyone with network connectivity, without providing the logon information needed to maintain a good audit trail. In situations where sensitive data resides on an FTP server that supports anonymous logon, all control over the dissemination of the sensitive data would be lost.
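Several of the settings named in steps 1, 2, 3 and 5 can be checked mechanically against a server's configuration file. The following is an added example, not part of the original article; it assumes vsftpd as the server (the article names no specific product), and the 600-second idle threshold and both sample configurations are constructed.

```python
# vsftpd's built-in defaults for the options checked; used when a key is absent.
DEFAULTS = {"anonymous_enable": "YES", "ssl_enable": "NO",
            "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
            "xferlog_enable": "NO", "idle_session_timeout": "300"}

# Constructed sample configurations.
WEAK = "anonymous_enable=YES\nlocal_enable=YES\nidle_session_timeout=3600\n"
HARDENED = ("anonymous_enable=NO\nlocal_enable=YES\nssl_enable=YES\n"
            "force_local_logins_ssl=YES\nforce_local_data_ssl=YES\n"
            "xferlog_enable=YES\nidle_session_timeout=300\n")

def parse_conf(text):
    """Overlay key=value lines on the defaults (vsftpd allows no spaces around '=')."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def enabled(conf, key):
    """True when a boolean option is switched on."""
    return conf[key].upper() in ("YES", "TRUE", "1")

def audit_conf(text, max_idle=600):
    """Return findings keyed to the numbered steps of the article."""
    conf, findings = parse_conf(text), []
    if enabled(conf, "anonymous_enable"):
        findings.append("step 5: anonymous logon is enabled")
    if not enabled(conf, "ssl_enable"):
        findings.append("step 2: TLS is off, logons and data travel in clear text")
    elif not (enabled(conf, "force_local_logins_ssl")
              and enabled(conf, "force_local_data_ssl")):
        findings.append("step 2: TLS is optional, sessions can still run in clear text")
    if not enabled(conf, "xferlog_enable"):
        findings.append("step 3: transfer logging is off")
    try:
        idle = int(conf["idle_session_timeout"])
    except ValueError:
        idle = -1
    if not 0 < idle <= max_idle:  # max_idle is an assumed policy threshold
        findings.append("step 1: idle session timeout missing or too long")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_conf(text))
```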

6.      Consider real-time monitoring of FTP usage

In cases where FTP usage is integral to a company’s day-to-day operations, real-time monitoring of FTP usage can not only help secure corporate data but can improve operations. Real-time monitoring can alert on exceptional FTP usage, integrate FTP usage into data center automation efforts and ensure that FTP usage logging and archival requirements are being met. Failed FTP transmissions can be alerted on and restarted automatically, helping ensure that service levels are met.

7.      Consider a Managed File Transfer solution for critical data

FTP servers, when used securely, are a great, cost-effective solution for sharing data across platforms. Unfortunately, most FTP is not properly secured and can expose a company’s sensitive data to breach. A number of third-party vendors offer Managed File Transfer (MFT) solutions which provide an alternate, more secure way to transfer data. These solutions require that the MFT software be running on all platforms involved in the file transmissions, making it a more expensive and complex file transfer solution than FTP. Sensitive data transmissions and large file transmissions are good candidates for MFT solutions because the entire file transmission process is secured and the data is compressed, thereby reducing transmission time and network load.

8.      Consider a third-party FTP Management Solution

FTP Management solutions help you address FTP threats and meet compliance requirements. FTP security enhancements enable your organization to quickly and easily address exposures created by unmanaged FTP usage. Comprehensive FTP Management solutions also enable you to monitor and consolidate FTP usage throughout the Enterprise, giving your organization a single place to go to answer FTP questions and audit FTP usage. Real-time alerting and interfaces to data center automation tools enable you to incorporate Enterprise-wide FTP usage into your organization’s automation efforts.

©2008, Software Assist Corporation. All rights Reserved