It's Just Crazy to Trust Your Sensitive Files to Technology That's 40 Years Old
Considering that a smart phone purchased just two years ago is nearly obsolete, imagine using computer protocols that are 30 to 40 years old for business?
5 November 2015
Considering that a smart phone purchased just two years ago is practically obsolete today, can you imagine using computer protocols that are 30 to 40 years old for your current business practices? Yet that's the case for numerous organizations that still use the File Transfer Protocol (FTP) to send files from one server to another.
A quick check of Wikipedia tells us that the original specification for FTP was developed in 1971. Even the current and most recent specification dates back to 1985. Why, that's practically the Jurassic Age in terms of the lifetime of computers!
As you might expect with a decades-old protocol, it wasn't designed with security in mind. In 1971, and even in 1985, we were more concerned with ease of use and getting our files from Point A to Point B than with someone intercepting or stealing those files. Consequently, FTP is vulnerable to threats such as packet capture (sniffing), brute-force attacks, spoofing attacks and other scenarios. What's more, FTP doesn't encrypt its traffic: usernames, passwords and file contents alike are all transmitted in clear text.
There have been subsequent developments that have improved on the age-old File Transfer Protocol. Over the years, developers have used various techniques to try to improve the security of moving a file from one server to another. FTPS, for example, is an extension to the FTP standard that allows clients to request that FTP sessions be encrypted with TLS.
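To make the clear-text point concrete from a defender's side, here is an added example (not the author's or Intralinks' code) that audits a constructed FTP control-channel transcript, of the kind a proxy or network sensor would log, and flags sessions that sent a password before negotiating FTPS (AUTH TLS), sessions that logged in anonymously, and files that crossed the wire unencrypted. The session ids, usernames and file names are all made up.

```python
"""Flag clear-text FTP logins and transfers in a control-channel transcript.
Added example (not the author's or Intralinks' code). Each constructed line is
"<session> <C|S> <text>": C = client, S = server, as a proxy or sensor logs it.
"""
import re
from collections import defaultdict

# Constructed sample. After the 234 reply in s2 a passive sensor sees only
# ciphertext, so that session's login is (correctly) absent from the log.
SAMPLE = """\
s1 C USER alice
s1 C PASS hunter2
s1 S 230 Login successful.
s1 C RETR payroll-2015.xlsx
s2 C AUTH TLS
s2 S 234 Proceed with negotiation.
s3 C USER anonymous
s3 C PASS guest@example.com
s3 S 230 Login successful.
s3 C RETR medical-records.zip
"""
LINE = re.compile(r"^(\S+) ([CS]) (.*)$")


def audit(transcript):
    """Return per-session findings: tls, anonymous, clear_creds, clear_files."""
    state = defaultdict(lambda: {"tls": False, "anonymous": False,
                                 "clear_creds": False, "clear_files": []})
    for raw in transcript.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not in the expected format
        sid, who, text = m.groups()
        s = state[sid]
        if who == "S":
            # 234 = server accepted AUTH TLS (FTPS); later traffic is encrypted
            if text.startswith("234"):
                s["tls"] = True
            continue
        cmd, _, arg = text.partition(" ")
        cmd, arg = cmd.upper(), arg.strip()
        if cmd == "USER":
            s["anonymous"] = arg.lower() in ("anonymous", "ftp")
        elif cmd == "PASS" and not s["tls"] and not s["anonymous"]:
            s["clear_creds"] = True  # a real password readable by anyone on the path
        elif cmd in ("RETR", "STOR") and not s["tls"]:
            s["clear_files"].append(arg)  # file contents cross the wire unencrypted
    return dict(state)
```

A client that sends AUTH TLS but receives a refusal (any reply other than 234) is treated as clear text, which is the failure mode that matters in practice.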
The advent of email, secure file transfer appliances and collaborative file shares has largely supplanted the use of FTP today. Nevertheless, FTP is still in use, and it's still putting sensitive or confidential information at risk.
The Verizon 2015 Data Breach Investigations Report lists FTP servers among the sources of data breaches. The report cites research from One World Labs (OWL), an enterprise security assessment and consulting firm. OWL maps its clients' digital and online footprints, and the company is finding numerous company and individual FTP sites that require no authentication. That is, anyone can access the information that is sent to those servers. Making matters worse, OWL discovered large volumes of intellectual property and personally identifiable information (PII) on these wide-open servers.
Here are just a few examples of what OWL found on various clients' unprotected FTP servers:
- Company documents labeled "Proprietary" or "Confidential"
- Individual medical records
- Individual tax documents
- Proprietary software files
- Usernames and passwords for various accounts and enterprise hardware
Needless to say, this is information that could put a company at risk in so many ways.
Information exposure via unsecured FTP is often one of those accidental breaches. Since mistakes like these expose protected classes of data, the organizations that own that data may have to send breach notifications to every person potentially affected, in addition to providing identity-theft protection for each person whose data was inadvertently posted.
FTP is an outdated and inherently insecure method for transmitting files today. There are better ways to ensure that the information can't be revealed to anyone other than an authorized recipient. The cost of a breach — even an accidental one — is just too high to take chances with risky methods.
Daren Glenister is the Field CTO for Intralinks. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks’ product road map and the evolving secure collaboration market. Daren brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software having worked with many of the Fortune 1000 companies helping to turn business challenges into real world solutions.