Ericka Chickowski did a nice job in her Dark Reading article on how old-fashioned FTP introduces unnecessary levels of compliance and security risk to organizations.  And here’s an alarming data point from Harris Interactive – approximately 50% of organizations are currently using the FTP protocol to send and exchange files and data.

Talk of security concerns with FTP is certainly not new.  FTP was never designed to provide any type of encryption, making it possible for data to be compromised while in-transit.  A common answer for this is to use encrypted standards-based protocols such as SSL/FTPS and SSH/SFTP.

Luckily, modern managed file transfer solutions deliver not only the security you know your business requires, but also the visibility and control that IT needs to properly govern company information.

Ipswitch’s Greg Faubert offers his thoughts in the Dark Reading article:

“While FTP is a ubiquitous protocol, depending on it as a standard architecture for file exchange is a bad strategy…. The PCI standards look specifically at the security surrounding your FTP environment. It is a significant area of focus for auditors, and they will fail companies in their PCI audits for a lack of adequate controls.”

And yet, somehow, many organizations continue to rely on unencrypted FTP to transport mission-critical or sensitive information.  For those guilty, here are a few steps to help you get started in migrating away from antiquated FTP.  And don’t worry, it won’t be painful.

Word has quickly spread that a serious weakness has been discovered in the Secure Sockets Layer (SSL) protocol that allows attackers to silently decrypt data that’s passing between a web server and an end-user browser.

All reports indicate that this vulnerability affects the SSL protocol itself and is not specific to any operating system, browser or software/hardware product.  This is an information disclosure vulnerability that allows the decryption of encrypted SSL 3.0 and TLS 1.0 traffic.  It primarily impacts HTTPS web traffic, since the browser is the primary attack vector.

SSL and TLS are two of the industry standard technologies that Ipswitch File Transfer solutions use to encrypt data while in-transit.  Additional technologies such as AES transport encryption, PGP file encryption, and the encrypted FTPS and SFTP protocols are also used to secure data.  As always, we recommend a defense-in-depth approach for protecting sensitive data.

At this point the vulnerability is not considered a high risk.  Ipswitch is closely monitoring the situation and will implement recommendations and provide updates if this turns into a serious threat.  We agree with Microsoft’s recommendation to prioritize the RC4 cipher suite and to enable TLS 1.1 on both client and server.  And given the choice, use the unaffected FTPS and SFTP protocols (and not HTTPS) until this vulnerability investigation is complete.  Microsoft has also issued a fix that enables support for TLS 1.1 in Internet Explorer on Windows 7 and Windows 2008.
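To make the scope of the weakness described above concrete for anyone auditing their own servers, here is an added Python example (not code from the original post or from Ipswitch) that parses a TLS ServerHello record and reports the negotiated protocol version and cipher suite, flagging the combination the post identifies as affected: SSL 3.0 or TLS 1.0 negotiated together with a CBC-mode suite. The ServerHello bytes are constructed inline for the example, and the cipher-suite table is a small subset of real IANA code points chosen only to illustrate the check.

```python
import os
import struct

# Wire encodings of the protocol versions relevant to the post (major, minor).
VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

# Small subset of real IANA cipher-suite code points, enough for the example.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}

# Versions the post names as affected when used with a CBC-mode suite.
AFFECTED_VERSIONS = {(3, 0), (3, 1)}


def build_server_hello(version, suite, session_id=b""):
    """Construct a minimal TLS record carrying a ServerHello (sample input only)."""
    major, minor = version
    body = (
        bytes([major, minor])            # server_version
        + os.urandom(32)                 # random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", suite)       # cipher_suite chosen by the server
        + b"\x00"                        # compression_method: null
    )
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return the negotiated version and suite, and whether they fall in the affected set."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) < 35:                       # version(2) + random(32) + session_id length(1)
        raise ValueError("truncated ServerHello")
    version = (body[0], body[1])
    sid_len = body[34]
    offset = 35 + sid_len
    if len(body) < offset + 3:               # cipher_suite(2) + compression_method(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", body[offset:offset + 2])[0]
    suite_name = CIPHER_SUITES.get(suite, "unknown(0x%04X)" % suite)
    return {
        "version": VERSIONS.get(version, "unknown(%d.%d)" % version),
        "cipher_suite": suite_name,
        "cbc_on_affected_version": version in AFFECTED_VERSIONS and "_CBC_" in suite_name,
    }


def audit(records):
    """Run the check over several captured ServerHellos and list the exposed ones."""
    findings = []
    for label, record in records:
        result = parse_server_hello(record)
        if result["cbc_on_affected_version"]:
            findings.append((label, result["version"], result["cipher_suite"]))
    return findings


if __name__ == "__main__":
    # Constructed sample handshakes standing in for three servers under review.
    samples = [
        ("web-01", build_server_hello((3, 1), 0x002F)),   # TLS 1.0 + AES-CBC: exposed
        ("web-02", build_server_hello((3, 2), 0x002F)),   # TLS 1.1 + AES-CBC: not in scope
        ("web-03", build_server_hello((3, 1), 0x0005)),   # TLS 1.0 + RC4: not CBC
    ]
    for label, version, suite in audit(samples):
        print("%s negotiated %s with %s" % (label, version, suite))
```

Feed the parser ServerHello records captured from your own servers (for example from a packet capture of a client handshake) to see which endpoints still settle on TLS 1.0 with a CBC suite; those are the ones the TLS 1.1 and cipher-ordering changes mentioned above are meant to address.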