What to Do When You Gotta Have FTP

FTP has been around for a long time. While it has grown long in the tooth, it continues to be an essential protocol for many business processes – especially in the financial industry. Clearly, it is a functional and useful tool, but it certainly also comes with significant security risk.

First of all, in its bare form, it is a plain-text protocol and open to capture and observation by anyone in the communications path. Firewall rules pertaining to its different modes of operation are also often confusing for novice network techs and admins, sometimes leading to inadvertent security issues in its deployment. Worse yet, it is a commonly scanned, brute forced and exploited attack surface as well.

But, if you are any of the industry firms where FTP is still a mainstay (banking, wealth management, title management, loan processing, imaging, etc.) how can you do your work and still try and keep security as tight as possible?

Let’s start with identification. You need to know if you have FTP exposed to the Internet, partner networks or on any segments where trust is low. For each instance, you need to understand the data that is being moved, the sources and destinations of that data, the authentication mechanism and model in play (you’re using strong passwords and MFA, right?) and you need to carefully consider the trusts that exist within the system and network environment where the server lives.

Then, you can address prevention. Do you have an alternative to replace it with SFTP or another encrypted protocol? Does it have to be exposed to the world, or can you use access controls or restrict the source IPs allowed to connect to it with either host configurations or firewall rules? How is the server component kept updated to ensure that patching is taking place?

Let’s talk detection. Are logs being generated, stored and reviewed? How would you know if a brute force attack had exposed your data or credentials? How would you identify malicious behavior against the FTP service? Many companies we talk to (especially smaller ones), don’t have good plans for monitoring these systems, even though they may be mission critical.

If something bad happened, you should also have a response process in place for managing FTP data. What would you do if the data were compromised? What would you need to do if the FTP server were not available or the network was down for an extended period? Running table top exercises is usually a good way to develop and refine the policies and processes needed around FTP data exchanges.

Lastly, your organization should have a plan for recovering from problems with the FTP server. Is the data backed up within an appropriate window and how would/could that data be restored? What would be the business and financial challenges to recovery? How would you handle notification of partners or customers that were impacted?

These are pretty basic questions for infosec teams, but for many organizations with more ad-hoc IT staff or for smaller organizations with only contractors they can be daunting. 

Hopefully our advice above gets you thinking about FTP. As always, if you have questions or need assistance executing any of the above – MSI is here to help. But, if your team takes this list and executes against it – you should be much better off than before the project began.

As always, thanks for reading, and until next time, stay safe out there!