The recent revelation of a cache of FTP credentials stolen by hackers from big name companies like Symantec Corp. and McAfee Inc. drive home the importance of the “soft side” of securing data during file transfer, according to one analyst.
On June 26, 2009, U.K.-based security vendor Prevx Ltd. reported approximately 88,000 FTP credentials stolen by a Trojan. The credentials belonged to companies that also included Bank of America, Amazon, and Cisco Systems Inc.
Many enterprises believe that they have done their part upon securing data to be transferred, but the reality is, security is not the only requirement when it comes to FTP, said L. Frank Kenney, research director with Stamford, Conn.-based research firm Gartner Inc.
“I don’t think we spend enough time on the soft side of file transfer,” said Kenney. By that, he refers to governing in a centralized manner things like user provisioning, and monitoring of not just file transmission but the systems used to facilitate that. “Most companies are not thinking at that level. Most companies are still saying, ‘Hey, it’s good enough that we are
securing them,’” said Kenney.
Innovation in IT may allow companies like Amazon, for instance, to offer services like real-time access to inf
ormation on products, shipping and payment transactions, but Kenney said, that all boils down to transferring large files of data on a daily basis. “At the end of the day, we are moving big sets of files to and from our partners internally and externally, and the level of security being used is not quite what it needs to be,” he said.
Basically, the attack is perpetrated when hackers first infect popular Web sites that in turn infect unsuspecting visitors whose PCs download the Trojan. Those infected PCs could belong to a Web developer that works with a large enterprise and regularly accesses the secure FTP server, said Brian O’Higgins, a Toronto-based independent security consultant. O’Higgins explained that the developer’s infected machine will harvest login credentials for the FTP server, whereupon “the bad guys log onto the server and use those credentials to put another malware entry point.”
“It’s just another way of infecting more Web sites and capturing a larger population of people,” said O’Higgins.
Secure Sockets Layer (SSL) encryption is not adequate for securing file transfers, said O’Higgins. “SSL does virtually zero for you in this case. That might be a little surprising for people,” he said.
The security companies, Symantec and McAfee, whose FTP credentials were stolen likely work with many partners and resellers who access their FTP servers, said O’Higgins.
While the risk to enterprises depends on the kind of data stored on FTP servers, it could nonetheless be a very likely scenario, said Jacques Erasmus, director of research with Prevx.
“The basic infection vector is to infect people no matter who they are and then harvest any stored FTP credentials that are on their machines,” said Erasmus.
Further compounding the issue is the fact that hackers are constantly moving their operation to avoid law enforcement who are attempting to take down the servers, said Erasmus. “And it’s just like a cycle that keeps on going,” he said.
Erasmus suggests enterprises use different types of clients and move to a secure FTP structure that uses much stronger encryption.
As for those who should be involved in securing FTP servers, Kenney said it’s no longer just the security professionals. Quite often when FTP servers have been secured, things like guaranteed delivery and ensuring service level agreements are met become additional requirements, making it a risk and compliance issue, he said. “The more you start to think about having visibility and control into the file transfers that are happening … you start to work up the trail eventually until you get to the CIO,” said Kenney.
But the fact that infected PCs accessing the FTP servers of enterprises are owned by those with whom the company does business complicates the situation somewhat. “You just have to get used to this as a current kind of attack vector,” said O’Higgins. “Your friends and your partners may be attacking you inadvertently.”
