Should Organizations Retire FTP for Security?

Should Security Concerns Make You Think Twice About Where FTP is Used Within Your Organization?

Web hosting firm DreamHost made headlines this past weekend when it opted to reset the file transfer protocol (FTP) and shell access passwords of its customers after uncovering a possible data breach. But it wasn’t just the prospect of the company adding its name to the list of organizations affected by data breaches that had some talking.

Instead, the move led Adam Bosnian, executive vice president at password and identity management vendor Cyber-Ark Software, to question whether it is officially time to put FTP on the shelf for good.

“Why should we bury FTP? Because the early engineers who created FTP did not have access to the computer power and software needed for solid encryption, the 40-year-old protocol continues to be a serious weakness for the security of connected machines,” Bosnian said. “Because it is so outdated, organizations that utilize FTP are putting sensitive data in potential jeopardy.”

Talk of security problems with FTP is not new. FTP was not designed to encrypt its traffic, making it possible for attackers to sniff packets on the network. A common answer for this is to use FTPS, an extension for FTP that supports the transport layer security (TLS) and secure sockets layer (SSL) protocols.
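The difference between plain FTP and explicit FTPS is visible on the control channel: with FTPS the client sends AUTH TLS and the server answers 234 before any USER/PASS exchange, and PROT P moves the data channel under TLS as well. The following Python script, an added example rather than code from the article or from any vendor quoted in it, audits a client-side control-channel transcript (the 'C> '/'S> ' lines a client debug log would show) and reports which logins sent credentials unencrypted. The hostnames, usernames and transcripts are constructed for the example; passwords are never stored.

```python
"""Audit an FTP control-channel transcript for credentials sent in the clear.

Added example: not code from the article or any vendor quoted in it.
Transcript lines are 'C> ' (client) or 'S> ' (server), as a client debug log
would show them. Hostnames and usernames below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SessionAudit:
    tls_before_login: bool = False        # server accepted AUTH TLS (234) before USER/PASS
    data_channel_protected: bool = False  # PROT P accepted (200) while TLS was active
    cleartext_users: list = field(default_factory=list)  # usernames whose PASS was unencrypted


def audit_ftp_session(transcript):
    """Walk the transcript in order and record how credentials were protected."""
    audit = SessionAudit()
    tls_active = False
    login_done = False
    awaiting = None       # client command whose server reply decides the next state
    pending_user = None
    for raw in transcript:
        line = raw.strip()
        if len(line) < 3 or line[1:3] != "> ":
            continue      # not a control-channel line
        side, text = line[0], line[3:]
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                awaiting = "AUTH"
            elif verb == "PROT" and arg.upper() == "P":
                awaiting = "PROT"
            elif verb == "USER":
                pending_user = arg
            elif verb == "PASS":
                # The password value is deliberately never stored or printed.
                if not tls_active and pending_user is not None:
                    audit.cleartext_users.append(pending_user)
                login_done = True
        elif side == "S":
            code = text[:3]
            if awaiting == "AUTH" and code == "234":
                tls_active = True
                if not login_done:
                    audit.tls_before_login = True
            elif awaiting == "PROT" and code == "200" and tls_active:
                audit.data_channel_protected = True
            awaiting = None
    return audit


# Constructed transcripts (not captured from any real system).
CLEARTEXT_SESSION = [
    "S> 220 files.example.com FTP server ready",
    "C> USER partner",
    "S> 331 Password required for partner",
    "C> PASS placeholder-not-a-real-password",
    "S> 230 Login successful",
    "C> STOR report.csv",
]

FTPS_SESSION = [
    "S> 220 files.example.com FTP server ready",
    "C> AUTH TLS",
    "S> 234 Proceed with negotiation",
    "C> PBSZ 0",
    "S> 200 PBSZ=0 successful",
    "C> PROT P",
    "S> 200 Protection set to Private",
    "C> USER partner",
    "S> 331 Password required for partner",
    "C> PASS placeholder-not-a-real-password",
    "S> 230 Login successful",
]


if __name__ == "__main__":
    for name, session in (("plain FTP", CLEARTEXT_SESSION), ("explicit FTPS", FTPS_SESSION)):
        result = audit_ftp_session(session)
        print(name, "-> cleartext logins:", result.cleartext_users,
              "| data channel protected:", result.data_channel_protected)
```

One caveat: on the wire, everything after a successful AUTH TLS is encrypted, so a packet capture would only show the USER/PASS commands of the plain-FTP case; the transcript form used here is what a client's own debug log produces, which is the right place to verify that a migration to FTPS actually took effect.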

“A shortcoming with traditional FTP and even encrypted FTP sessions is that after the data is done moving, it sits on the FTP or SFTP server in plain text,” Bosnian said. “As the FTP or SFTP server is commonly connected to the Internet to allow business partners access to it, the data is at risk of being retrieved and shared. FTP passwords can also be susceptible to attack when in clear text as any network sniffer can hijack it. Moreover, FTP technology can slow down business processes, as an organization’s IT team often needs to modify FTP scripts in order to support a new business initiative or bring on a new business partner that needs to exchange sensitive information with the system.”

“Furthermore, having the ability to know if the files were transferred correctly and on time is very difficult to do with transfer methods such as FTP,” he added.

Part of the issue is that people have higher expectations for the FTP protocol than they need to have, said Hugh Garber, senior product marketing manager at Ipswitch.


“The FTP protocol turned 40 years old in 2011 and although still functional as a technology to move files, it was not designed to provide any encryption or guaranteed delivery,” Garber said. “For some organizations that are transferring non-confidential or non-regulated information, basic standards-based FTP works fine in those low-risk situations.”

Unfortunately, many organizations are still relying on outmoded FTP to move and transfer mission-critical or sensitive information and that introduces risk, he said. FTP lacks many of the management and enforcement capabilities that modern Managed File Transfer solutions offer, he added.

“At a minimum, they should be using encrypted file transfer protocols such as FTPS, SFTP or HTTPS to transfer sensitive company files and data,” he said. “Organizations should choose to migrate away from antiquated FTP because it puts company data at risk – unsecured data is obviously an enormous liability.”

In addition, organizations should proactively work to remove all hard-coded clear-text passwords from their FTP scripts and systems, Bosnian said, noting there are commercial products for replacing, securing and managing vulnerable credentials frequently found unsecured within FTP scripts, servers and applications.
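Before credentials can be moved into a vault, they have to be found. The Python scanner below is an added example, not code from the article or from Cyber-Ark, that looks for the usual places hard-coded FTP passwords hide: `user NAME PASSWORD` lines in `ftp -n` here-doc scripts, `quote PASS`, `ftp://user:password@host` URLs, `curl --user name:password`, and `.netrc` entries. Matches are reported with the secret masked so the audit output does not itself become a credential leak. The sample script and `.netrc` text are constructed for the example.

```python
"""Find hard-coded FTP credentials in scripts and config files.

Added example (defender-side audit helper); not code from the article or any
vendor it quotes. Sample inputs are constructed and the hostnames are not real.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str     # file or label the text came from
    line_no: int    # 1-based line number
    kind: str       # which pattern matched
    redacted: str   # the offending line with the secret masked


# Every pattern captures the secret in a group named "secret" so it can be masked.
PATTERNS = {
    "ftp_script_user_line": re.compile(r"^\s*user\s+\S+\s+(?P<secret>\S+)", re.I),
    "quote_pass": re.compile(r"\bquote\s+pass\s+(?P<secret>\S+)", re.I),
    "ftp_url_with_password": re.compile(r"ftps?://[^/\s:@]+:(?P<secret>[^@\s]+)@", re.I),
    "curl_user_flag": re.compile(r"(?:--user|-u)\s+\S+?:(?P<secret>\S+)", re.I),
    "netrc_password": re.compile(r"\blogin\s+\S+\s+password\s+(?P<secret>\S+)", re.I),
}


def redact(line, match):
    """Return the line with the captured secret replaced by '***'."""
    start, end = match.span("secret")
    return line[:start] + "***" + line[end:]


def scan_text(source, text):
    """Scan one file's contents; returns findings in line order, secrets masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not executable credentials
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(source, line_no, kind, redact(line, match).strip()))
    return findings


# Constructed sample: a nightly upload script of the kind the article describes.
SAMPLE_SCRIPT = """\
#!/bin/sh
# Constructed example, not from any real system
ftp -n files.example.com <<EOF
user partner S3cret!
binary
put report.csv
quit
EOF
curl --user partner:S3cret! ftp://files.example.com/upload/report.csv
wget ftp://partner:S3cret!@files.example.com/pub/prices.csv
"""

SAMPLE_NETRC = "machine files.example.com login partner password S3cret!\n"


if __name__ == "__main__":
    for finding in scan_text("upload.sh", SAMPLE_SCRIPT) + scan_text(".netrc", SAMPLE_NETRC):
        print(f"{finding.source}:{finding.line_no} [{finding.kind}] {finding.redacted}")
```

Run it over a script tree (for example by feeding each file's contents to `scan_text`) and treat every hit as a credential to rotate after it has been moved into a managed store; the masked output is safe to attach to a ticket.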

Retiring FTP may make perfect sense from a security perspective, but so does killing reusable passwords, group accounts, hardcoded passwords and so on, opined Gartner analyst John Pescatore.

“Realistically, lots of legacy applications will be using FTP for some time to come and the DreamHost breach was more of a password issue than an FTP issue,” he said. “It really isn’t all that hard to do FTP securely – it is reusable passwords that continue to be the Achilles heel of all this. I think it is encouraging to see Google and a few others start to encourage consumers to use ‘two-step verification’ – i.e., replace reusable passwords with SMS/texting challenge/response.”
