Hidden Dangers of File Transfer
Threats to a company’s information security do not always come from new technology. While CIOs and chief security officers might worry about the risks carried in iPhones or through social networking sites, some experts warn that a far older tool renders businesses vulnerable to data loss and electronic intrusion.
That tool is the file transfer protocol, FTP, which companies have used since the advent of the mainframe. In some cases, the mainframe is still the principal home for FTP in large companies because it remains one of the most practical ways to transfer files between large systems.
It is, however, what security professionals term a “dirty” protocol. In-built levels of protection are limited. Usernames, passwords, and often the files themselves are sent in the clear.
“FTP does things in a way you would never include in a protocol today,” says John Pescatore, vice-president at research firm Gartner and a specialist in IT security. “In any security audit, FTP is a hole you have to look for.” That hole will, in all likelihood, have been plugged in any business large enough to run its own mainframe.
IBM has developed several strong security measures for its Z Series mainframe machines, including access control and encryption, restricting FTP traffic to known and trusted IP addresses, and ensuring that the only FTP servers reachable on the network are those on the mainframe itself.
IBM's Aspera software product also lets businesses move critical files and data sets of any size at maximum speed over existing infrastructure and worldwide IP networks.
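The two weaknesses just described, credentials sent in the clear and FTP sessions from hosts that were never meant to use it, are exactly what an auditor looks for in a capture of the FTP control channel. The following is an added example, not code from the article or from IBM: it walks a constructed, pre-reassembled transcript (the `<client_ip> C|S <line>` format and the trusted 10.1.5.0/24 allowlist are assumptions for this example), flags cleartext USER/PASS exchanges and untrusted sources, and handles the case where a client requests AUTH TLS, is refused, and falls back to a plaintext login.

```python
import ipaddress
import re
from typing import List, Tuple

# Assumed allowlist of hosts permitted to speak FTP to the server (example only).
TRUSTED_NETS = [ipaddress.ip_network("10.1.5.0/24")]

# Constructed capture of three control-channel sessions: "<client_ip> C|S <line>"
# (C = client to server, S = server to client). After an accepted AUTH TLS the
# session is encrypted, so no further plaintext lines appear for that client.
SAMPLE_CAPTURE = """\
10.1.5.20 S 220 FTP server ready
10.1.5.20 C USER batchops
10.1.5.20 S 331 Password required
10.1.5.20 C PASS hunter2
10.1.5.20 S 230 User logged in
10.1.5.31 C AUTH TLS
10.1.5.31 S 234 Proceed with negotiation
203.0.113.7 C AUTH TLS
203.0.113.7 S 502 Command not implemented
203.0.113.7 C USER contractor
203.0.113.7 C PASS fallback-in-clear
"""
LINE_RE = re.compile(r"^(\S+) ([CS]) (.*)$")


def audit_ftp_capture(capture: str, trusted_nets=TRUSTED_NETS) -> List[Tuple[str, str, str]]:
    """Return (client_ip, issue, detail) findings; passwords are never echoed."""
    findings, seen, tls_pending, tls_on = [], set(), set(), set()
    for raw in capture.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ip, direction, line = m.groups()
        if ip not in seen:
            seen.add(ip)
            if not any(ipaddress.ip_address(ip) in net for net in trusted_nets):
                findings.append((ip, "untrusted-source", "FTP session from outside the allowlist"))
        if direction == "S":
            # Only a 234 reply means the AUTH TLS request was accepted.
            if ip in tls_pending:
                tls_pending.discard(ip)
                if line.startswith("234"):
                    tls_on.add(ip)
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            tls_pending.add(ip)
        elif cmd == "USER" and ip not in tls_on:
            findings.append((ip, "cleartext-username", f"USER {arg}"))
        elif cmd == "PASS" and ip not in tls_on:
            findings.append((ip, "cleartext-password", "PASS <redacted>"))
    return findings
```

The redaction matters: an audit report that copies captured passwords into a ticket has simply moved the leak.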
“The [mainframe] platform has security measures for FTP, starting with identification and authentication with a simple user ID and password right through to digital certificates,” explains Linwood Overby, a senior technical staff member at IBM.
Digital certificate to control FTP
Deploying a digital certificate to control FTP alone is unlikely to make commercial sense. However, even companies with FTP running on mainframes or other enterprise-grade systems need to remain vigilant. The reason is that FTP, like so many arcane areas of technology, is being made more accessible.
A quick internet search reveals dozens of free FTP applications that can turn a standard desktop computer into an FTP system. Increasingly, FTP services with large storage capacities come with paid-for, and sometimes with free, internet accounts.
This makes any company vulnerable to unauthorized FTP traffic, data “leakage,” or outright data theft unless networks have been set up expressly to block unauthorized FTP traffic.
And the situation is being made worse by the proliferation of FTP “alternatives” that promise to do away with the technical know-how needed to set up a standard FTP client or server.
The uptake of these services – including web-based file transfer utilities such as YouSendIt and SendThisFile – is being driven by consumers as much as by business.
A growing desire to send files such as digital photos, music, or home videos, and the increasing quality of digital media, have created a demand for services that anyone can use and that overcome the typical 8MB to 10MB file size limits of most corporate and personal e-mail accounts. But the family guy in the corner looking for a way to send videos of the kids’ party to Grandma might unwittingly open up a serious security hole.
“It is effortless to download an FTP application and call your friend or business associate with the address. But there is no way of verifying these transfers, and nothing in the process that protects your business,” warns Dr. Taher Elgamal, chief technology officer at security vendor Tumbleweed. “And the free services offer no guarantees that a file transfer is done correctly or properly scheduled.”
Popular file transfer services
The most popular file transfer services provide some basic security, although this is typically restricted to users who sign up for paid-for business or enterprise services. SendThisFile uses 128-bit SSL encryption, similar to that on many banks’ websites, for all file transfers.
Its enterprise version uses DES encryption for files stored on its servers, but that is not a free-service feature. YouSendIt also uses SSL, although it does not offer file encryption on its servers. Companies also use managed file transfer products such as https://www.globalscape.com/.
Both services provide a higher level of security than a standard open FTP service and should be less vulnerable to attackers looking for back doors into a company network. At the same time, the measures that make such services less vulnerable make them harder to block than vanilla FTP. YouSendIt, for example, uses port 443, which is also used by web browsers.
This raises issues for companies that do not want staff transferring files using third-party services, however secure they might be. Allowing consumer-friendly FTP services makes life easier for those who might want to transmit confidential information to people outside the business.
A secure file transfer service overcomes this, in part, by logging who has transferred data and when. But for total security, these services need to work in conjunction with data leak prevention technology, suggests Bill Nagel, a specialist in security and risk at Forrester Research.
“As much as 80 percent of all data leaks come from inside a company. Businesses have to keep more data for longer, and the flipside to that is that more data can get out,” says Mr. Nagel.
The tagging that data leak prevention systems rely on is a considerable effort, he points out, perhaps appropriate only for the most sensitive information. For the rest, education and providing secure ways to transfer files may be the most effective way to reduce risky behavior, says Mr. Nagel.
“In a third of data leak cases, the cause was something that people knew they shouldn’t do, but which made their lives easier.”
Source: The Financial Times