Hidden Dangers of File Transfer
Threats to a company’s information security do not always come from new technology. While CIOs and chief security officers might worry about the risks carried in iPhones or brought in through social networking sites, some experts warn that a far older tool is rendering businesses vulnerable to data loss and electronic intrusion.
That tool is file transfer protocol, which companies have used since the advent of the mainframe. In some cases, the mainframe is still the principal home for FTP in large companies, because it remains one of the most practical ways to transfer files between large systems.
It is, however, what security professionals term a “dirty” protocol. In-built levels of protection are limited. Usernames, passwords and often the files themselves are sent in the clear.
“FTP does things in a way you would never include in a protocol today,” says John Pescatore, vice-president at research firm Gartner, and a specialist in IT security. “In any security audit, FTP is a hole you have to look for.” That hole will, in all likelihood, have been plugged in any business large enough to run its own mainframe.
In fact, IBM has developed a number of strong security measures for its Z Series mainframe machines, including access control and encryption, as well as restricting FTP traffic to known and trusted IP addresses or ensuring the only way to use FTP on a network is to use the FTP servers on the mainframe itself.
“The [mainframe] platform has security measures for FTP, starting with identification and authentication with a simple user ID and password right through to digital certificates,” explains Linwood Overby, a senior technical staff member at IBM.
Deploying a digital certificate to control FTP alone is unlikely to make commercial sense, however, and even companies with FTP running on mainframes or other enterprise-grade systems need to remain vigilant. The reason is that FTP, like so many arcane areas of technology, is being made more accessible.
A quick internet search reveals dozens of free FTP applications that can turn a standard desktop computer into an FTP system. Increasingly, FTP services with large storage capacities come with paid-for, and sometimes with free, internet accounts.
This makes any company vulnerable to unauthorized FTP traffic, data “leakage” or outright data theft unless networks have been set up specifically to block unauthorized FTP traffic.
And the situation is being made worse by the proliferation of FTP “alternatives” that promise to do away with the technical know-how needed to set up a standard FTP client or server.
The uptake of these services – including web-based file transfer utilities such as YouSendIt and SendThisFile – is being driven as much by consumers as by business.
A growing desire to send files such as digital photos, music or home videos, and the increasing quality of digital media, have created a demand for services that anyone can use, and that overcome the typical 8MB to 10MB file size limits of most corporate and personal e-mail accounts.
But the family guy in the corner looking for a way to send videos of the kids’ party to Grandma might unwittingly open up a serious security hole.
“It is very easy to download an FTP application and call your friend or business associate with the address. But there is no way of verifying these transfers, and nothing in the process that protects your business,” warns Dr. Taher Elgamal, chief technology officer at security vendor Tumbleweed. “And the free services offer no guarantees that a file transfer is done correctly or properly scheduled.”
The most popular file transfer services do provide some basic security, although this is typically restricted to users who sign up for the paid-for business or enterprise services.
SendThisFile uses 128-bit SSL encryption, similar to that on many banks’ websites, for all file transfers.
Its enterprise version uses DES encryption for files stored on its servers, but that is not a feature of the free service. YouSendIt also uses SSL, although it does not offer file encryption on its servers.
Both services provide a higher level of security than a standard open FTP service and should be less vulnerable to attackers looking for back doors into a company network. But at the same time, the measures that make such services less vulnerable make them harder to block than vanilla FTP. YouSendIt, for example, uses a network’s Port 443, which is also used by web browsers.
This raises issues for companies that simply do not want staff transferring files using third-party services, however secure they might be. Allowing the use of consumer-friendly FTP services makes life easier for those who might want to transfer confidential information to people outside the business.
A secure, file transfer service overcomes this, in part, by logging who has transferred data, and when. But for total security, these services need to work in conjunction with data leak prevention technology, suggests Bill Nagel, a specialist in security and risk at Forrester Research.
“As much as 80 percent of all data leaks come from inside a company. Businesses are having to keep more data for longer, and the flipside to that is that there is more data that can get out,” says Mr. Nagel.
The tagging that data leak prevention systems rely on is a huge effort, he points out, and perhaps appropriate only for the most sensitive information.
For the rest, a combination of education and providing secure ways to transfer files may be the most effective way to reduce risky behavior, says Mr. Nagel.
“In a third of data leak cases, the cause was something that people knew they shouldn’t do, but which made their lives easier.”
Source: The Financial Times