What do the U.S. Army Corps of Engineers and video-game giant Sega have in common? The answer is that both exposed sensitive
via their File Transfer Protocol (FTP) sites. While the impact on Sega was only to force the company to release information on a new game earlier than it wanted to, in the former case it could have cost the lives of soldiers in Iraq.
FTP may be a dinosaur these days, but it's being used -- or, perhaps, misused -- regularly by employees who are simply trying to do their jobs, but who lack the adequate tools, according to John Thielens, vice president of technology for Tumbleweed, a vendor of content-security solutions.
Employees Must Fend for Themselves
"When, for whatever reason, employees can't use e-mail -- the typical problem we have today is multimedia attachments where e-mail's not going to work -- they're looking for another solution," Thielens told us. Finding a solution, however, is often left to the user. Thielens noted that one survey showed 42 percent of companies don't tell employees what to do when that situation occurs. What happens then? "People make things up," he said.
FTP is often the solution employees come up with. It's ubiquitous, built into Web browsers so that users don't always even realize they're working with it. But Thielens noted that FTP is often left unsecured, with anonymous access allowed. That's not only a problem that can result in leaking important information to a competitor (or, as in the case of the Army Corps of Engineers situation, to the press). It means there's no audit trail, which can be particularly serious if the company is subject to disclosure laws.
All that's known, Thielens said, is that somebody accessed the site and took the information -- but there's no way to tell who.
Freeware Analysis Tool
Tumbleweed is debuting a freeware program at the upcoming RSA Conference called FTP Analyzer. "What we're trying to do with FTP Analyzer is raise awareness of the use of FTP because it's so ubiquitous," Thielens said. "It's not impossible to use FTP securely, but typically it isn't used safely."
FTP Analyzer is a simple-to-use tool that watches network traffic, looking specifically for FTP traffic. When it sees that traffic, it performs some analysis and provides a brief PDF summary of what it's seen. The product will note user names and passwords that passed by in the clear, as well as filenames.
The tool doesn't go beyond highlighting the extent of FTP usage on a network, Thielens said, but later this year Tumbleweed will roll out more sophisticated tools that will allow users to engage in managed file transfers from within the e-mail environment, with all necessary controls and filters.
In the meantime, good practices and common sense can help prevent problems. "This would include making sure that you're not using anonymous access or some other kind of public access," as well as staying away from shared accounts where credentials can be swapped, Thielens said. He also recommends implementing "file-purging procedures on FTP and other file servers, so even if data is sitting there, it's there for a day or a week, but not forever."
Finally, Thielens advises, "Implement some sort of user ID scrubbing, so that accounts that are disused or eliminated no longer have access."