Accellion blog has moved!

You should be automatically redirected in 6 seconds. If not, visit
and update your bookmarks.

Wednesday, September 27, 2006

FTP (Failure To Protect) and an early Halloween ghost story

Summary: According to Microsoft TechNet, FTP fails to protect the data and file that it transfers. And, find out if your FTP/SFTP servers are haunted too.


When I talk with perspective customers about their current file transfer solutions, FTP (file transfer protocol) is a common one, but the insecurity of the service scares them.

As it should.

You don’t need to be an information technology guru to understand the business implications of the shortcomings of FTP as the following passage from Microsoft TechNet describes:

FTP is commonly misunderstood as a secure means for transferring data, because the FTP server can be configured to require a valid user name and password combination prior to granting access. Be aware that neither the credentials specified at logon nor the data itself is encrypted or encoded in any way. All credentials are sent across the network in plain text. In other words, all FTP data can be easily intercepted and analyzed by any station on any network between the FTP client and FTP server. The risk of plain text credentials is that someone other than the intended users could log on to FTP and download the files you have placed there.

In other words, don’t put anything on your FTP server that you wouldn’t feel comfortable publishing in a press release – that’s how wide open your data can be. This is especially true today when everything imaginable and unimaginable are being indexed by search engines and as I have noted in FTP (In) Security in the Google Age.

Of course, there are ways to add security to FTP. It generally involves some kind of additional wrapper around the FTP server. It can be an encrypted channel such as a VPN (Virtual Private Network) through IPSec (Secure Internet Protocol). Alternatively, you can utilize some flavor of encryption such as SSL (Secure Sockets Layer) to scramble the traffic.

The problem is that now you’re talking about adding significant complexity and cost, just to be able to transfer files. This level of overhead may have made sense in the old days when a majority of the file transfer were done via scripts and schedulers with minimum human input required. But, given the increasing importance of secure file transfer in the day-to-day business processes by non-IT users for things like multimedia presentations and legal electronic discovery, FTP and SFTP bring unpleasant memories to IT and end-users alike.


I recently heard this FTP ghost story about a haunted server.

A contract employee was given access to an FTP server where files pertaining to his project were stored. (As a standard IT procedure, the FTP administrator would provision access for any user who showed a valid need, and this contractor proved his need.)

But then the contractor finished the project and left. (Naturally) the FTP administrator didn’t know this and thus didn't de-provision the user. In other words, the contractor still had the ability to view everything on the FTP server. Unbeknownst to everyone within the organization, this contractor paid a few more visits to the FTP server to download files - after all, no one canceled his access to the FTP server.

And, since this is a process issue, even if the server had been running secure FTP (SFTP) instead, the same haunted scenario could still be played out. So, have you ever wondered what kind of unauthorized FTP/SFTP access is happening in your organization? It is more common than you think! A major vendor is selling a tool that claims to catch exactly this type of detection as noted in my posting Much Ado About Tumbleweed and FTP Security.

So, this could be a fun thing to do to your security officer.

First, tell him about the importance of securing file transfer processes as part of SOX/HIPAA/GLBA compliance - feel free to use my posting Security and Auditability Legislative Mandates: Do Your File Transfer Processes Comply? as a cheat sheet.

Then, tell him this FTP/SFTP ghost story.


And, before the security officer faints, tell him to pay Accellion a visit because Secure File Transfer Appliance SFTA can solve all of these problems and headaches.


1 comment:

Michael said...

Hi Y.F.,

Excellent point about haunted servers. I've experienced this problem many times both as a direct employee and consultant (Both at small and large companies).

I’ve seen it stem from unintentional process gaps/break-downs as well as from intentionally circumnavigating processes that are (or perceived to be) too cumbersome or inefficient. As a result, I've seen quick account access granted by bypassing channels and, therefore, that account is never integrated into the formal auditing processes.

The result is that often I've had account access well past the length of the formal work engagement. Obviously there are consulting scenarious where it's sensible to have account access maintained but, all to often, I've seen this problem persist in many single engagement cases.

Accounts Director