File Transfer (FTP) may be the single most insecure piece of infrastructure that any corporation has. It's roots date back to the early 70's before encryption and transport security were of great concern.
Many common malware attacks rely on unsecured FTP services within a company to stage and exfiltrate sensitive corporate data to unknown third parties.
There is little excuse for a company to be running vanilla FTP either inside their data center or especially over the Internet. Secure file transfer protocols and standards have been around and fully supported SINCE THE TURN OF THE CENTURY!!!
From the Tibco report: Understanding the Impact an FTP Data Breach Can Have on Your Business
"...what about the threat information contained on an unsecured
FTP server could pose to a business like yours? Consider a few other recent FTP
exposures:
- CardSystems, who processed credit card transactions for nearly 120,000 merchants totaling more than $18 billion annually, were essentially forced out of business after 40 million identities were exposed. Amex and Visa told CardSystems that they would no longer do business with the company.
- 54,000 records were stolen from Newcastle City Council
- An unsecured document was exposed on the New Mexico Administrative Office of the Courts FTP server; it contained names, birth dates, SSNs, home addresses and other personal information of judicial branch employees.
- The Hacker Webzine reports that Fox News had an exposed FTP connection linking out to Ziff Davis.
- The personal information of uniformed service members and their family members were exposed on an FTP server while being processed by major Department of Defense (DoD) contractor SAIC. As many as 867,000 individuals may have been affected."
Lets take a minute to discuss the legacy FTP system, it's derivative FTPS, and the completely different SFTP.
FTP (Do not use this EVER!)
The FTP (File Transfer Protocol) protocol was documented in 1971 as RFC 114 and eventually evolved into RFC 959 , the FTP standard that all systems use today. It has been the workhorse of most corporate file transfer systems in production.
All current Server Operating Systems, whether Windows, Unix, Linux, MAC, or Mainframe come with a variant of an FTP service following RFC 959.
There are VERY many FTP client applications available for each and every Desktop, Laptop, Tablet and smartphone in existence, also complaint with RFC 959.
(Did I mention that there is no reason in this day and age to use vanilla FTP, EVER?)
FTPS
Once companies and security consultants realized the great risk that FTP exhibits by sending corporate data "in the clear" over the network, they proposed RFC 2228 (in 1997) to protect FTP data in transit using SSL encryption. Aside from transport encryption the service is identical to FTP.
FTPS transport encryption comes in two flavors Implicit, and Explicit. Implicit FTPS (Now pretty much obsolete) establishes an SSL or TLS session prior to exchanging data, over TCP ports 989(data)/990(control). Explicit FTPS, the more common of the two, can use a single port for both encrypted and unencrypted data transfer. The client initially establishes an unencrypted session, and if SSL/TLS is required, an AUTH TLS or AUTH SSL
command is issued by the client to secure the control channel before sending credentials.
And then there's....
SFTP
Although regularly confused with FTPS, SFTP is actually an application in the SSH protocol suite. RFC4253 "The Secure Shell (SSH) Transport Layer Protocol" defines the security model of this Secure File Transfer Protocol. Whereas FTPS relies on SSL (X.509) Certificates with their associated PKI requirements to secure the session, SFTP uses Diffie-Hellman Key Exchange to manage an asymmetric pair of keys to secure the session. All UNIX based systems (Including MAC, Linux, and Mainframe) come with SSH preinstalled. There are many variants available for Windows as well.
Both SFTP and FTPS are fully scriptable (ie: support automation). Either one is acceptable, depending on the application, and Operating System at hand.
Up to this point, we've discussed securing the Data Transport, or "Data in Motion", but what about securing the "Data at Rest"? How do we secure the file transfer directory structure?
In simplest terms, strong user/group access controls are required on FTP service directory structure. I'm going to link to some vendor recommendation sites here:
Disable Anonymous FTP! Sorry, but you should know who is connecting to your file server.
In the UNIX world (Including MAC, Linux, Mainframe), a chroot is a virtual filesystem that can be associated with a specific service, in this case SFTP. A new protected replica of the OS folders and files relevant to running that service are created, and all files uploaded/downloaded via this service reside inside the protection of the "jail"
In Windows, the practice is typically called "Sandboxing" or Application Virtualization:
"In a physical environment, every application depends on its OS for a
range of services, including memory allocation, device drivers, and much
more. Incompatibilities between an application and its operating system
can be addressed by either server virtualization or presentation
virtualization; but for incompatibilities between two applications
installed on the same instance of an OS, you need Application
Virtualization. "
And last but CERTAINLY not least: Scan your network for rogue FTP services (Both Data Center as well as Workstation space) regularly (FREQUENTLY), find them physically, and shut them down!
References:
EITF.ORG: RFC913 - Simple File Transfer Protocol
EITF.ORG: RFC914 - A File Transfer Protocol
EITF.ORG: RFC959 - FILE TRANSFER PROTOCOL (FTP)
EITF.ORG: RFC2228 - FTP Security Extensions
IETF.ORG: secsh-filexfer (SFTP)
IETF.ORG: How to Use Anonymous FTP -- DON'T!
IANA.ORG: Service Name and Transport Protocol Port Number Registry
TIBCO: Understanding the Impact an FTP Data Breach Can Have on Your Business
Understanding Key Differences Between FTP, FTPS and SFTP
SFTP versus FTPS – What is the best protocol for secure FTP?
What’s the Difference? FTP, SFTP, and FTP/S
Filezilla: SFTP specifications
http://winscp.net/eng/docs/ftps
Using FTP? Know the Risks
wikipedia.org: Public key infrastructure
SANS: Clear Text Password Risk Assessment Documentation
SFTP chroot
https://wiki.archlinux.org/index.php/Change_Root
http://www.unixwiz.net/techtips/chroot-practices.html
Oracle: Configuring and Using Chroot Jails
Winquota: Winjail
Microsoft: Application Virtualization
