Recently I was tasked with writing an analysis on the risks of using FTP in an organization.
My first thought was what company still uses FTP when it’s known to be a very unsecured protocol. Turns out there are many companies that still use FTP despite its vulnerabilities because of its ease in moving files rather than using an email application like Outlook because of the potential to lock up due to file size.
So with that said what are the risks to a company that maybe still using FTP rather than using a secure protocol like SFTP or FTPS. For starters, an FTP session is not encrypted so if sensitive information is being passed it can be intercepted. FTP has no way to validate that the data sent went to the intended recipient so anyone could have received the files that were sent.
With its many known vulnerabilities what can a company do to mitigate the risks of using FTP on its networks?
One thing that can be done is to segregate FTP traffic on your network by creating a VLAN for that particular traffic. Another thing is to turn off FTP on any workstation. One of the most important steps is to move to a secure protocol like SFTP that uses SSH and has a form of encryption to keep sensitive data safe also make sure that you are loging all traffic to and from the FTP servers.
The continued use of FTP can put a company at serious risk for a breach of sensitive information as well as fines and the risk of being non compliant with government regulations if you are a health or financial business. You don’t have to look hard to find an example of a company who was breached because their FTP server wasn’t hardened. In 2011 Yale University had a data exposure of 43,000 records as did the computer company Acer (Dark Reading).
If you know your company is using FTP then take some of my recommendations but also do some research to find out what will work best for your company and you can close the door on this risk.
FTP Ubiquitous And Dangerously Non-compliant | Dark Reading
Retrieved from: http://www.darkreading.com/compliance/167901112/security/security-management/232700273/ftp-ubiquitous-and-dangerously-noncompliant.html