FBI's Issued Warning
In 2017, the FBI issued a Private Industry Notification to healthcare providers warning them of the dangers of unsecured FTP servers.
According to the alert, the FBI is aware of criminal actors actively targeting FTP servers operating in “anonymous” mode, meaning a user can authenticate to the FTP server with a common username like “anonymous” or with a generic email address or password. The FBI notification cited a 2015 study from the University of Michigan that indicated over one million FTP servers were configured to allow anonymous access.
While the notification was intended for medical and dental facilities, inadequate FTP security is a concern across all industries. According to the FBI, “Any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cybercriminals.”
Related Reading: Why Healthcare Needs MFT to Help Secure EHR File Transfers
The Problem with FTP
The problems with FTP servers go beyond anonymous mode. For one thing, many organizations are running legacy FTP software that hasn’t been kept up-to-date with modern security concerns. Another widespread issue comes from granting excess permissions to trading partners or internal staff. Anyone given administrative access could change a setting on the server without realizing the potential security implications.
Hopefully it’s clear that you should be using encryption to protect your data. What some businesses fail to realize is that encryption methods vary greatly in strength based on factors like key size and type of encryption ciphers used. Many of the older ciphers and protocols have been broken and are now obsolete. Finally, a major problem with legacy FTP servers is a lack of alerts if anything goes wrong and the lack of detailed logs to help you maintain compliance with industry regulations.
Related Reading: Problems with FTP (And How to Solve Them)
MFT > FTP
These common pitfalls can be addressed with a robust managed file transfer (MFT) solution. Managed file transfer offers a variety of strong, up-to-date protocols and encryption methods, allowing you to replace standard FTP with something more secure like SFTP or FTPS.
Software with role-based security gives you the option to limit any user or user group to just the permissions they absolutely need, and detailed audit logs keep track of exactly which user took what action and when—essential information for your team and for auditors alike.
Watch the Webinar: Replacing FTP Scripts with Managed File Transfer