Tactical Advice

Away from Prying Eyes

FTP, a tool that came of age during the disco era, is still in heavy rotation in offices worldwide. So how can it be paired with encryption to meet the protection demands of today's users?
This story appears in the November 2005 issue of BizTech Magazine.

Companies still using File Transfer Protocol to send files among offices, clients and business partners, beware. Anyone snooping on a network connection can clearly see everything in an FTP file—including its contents, user names, passwords and the directory into which it's going.

 

FTP is a notoriously insecure technology. It was built in the 1970s when the Internet was a far more open and trusting environment, and hacking was more of an academic pursuit than an illegal business.

 

So how can a company protect its files if the underlying technology was never intended to ensure privacy or security?

 

Either encrypt the files or use a safer alternative, say experts such as Stefan Dietrich, software architect and former chief operating officer of e-Vantage Solutions, an electronic-transactions service provider in New York.

 

 

There are a number of third-party tools that can embed encryption algorithms into files. The difference between the algorithms is the length of the cipher key. For instance, the Secure Sockets Layer encryption used by standard electronic-commerce sites, such as Amazon and eBay, uses a 128-bit key. Free and unpatented algorithms such as Blowfish use keys that vary in length from 32 to 448 bits. Twofish, another license-free algorithm, uses variable key lengths up to 256 bits. The RSA algorithm, the nearly de facto standard from RSA Security of Bedford, Mass., that's included in a number of popular Web browsers and commercial software products, uses a maximum of 512 bits.

 

If a company's data are extremely sensitive and confidential, it might opt for an algorithm like PGP, which stands for Pretty Good Privacy and lets users create key lengths up to 4,096 bits. There are freeware versions of the algorithmic code available, and a product as well from PGP of Palo Alto, Calif.

 

In the Extreme

 

"If you're really paranoid, you can even use two algorithms together," suggests Gary Morse, professional white-hat hacker and president of Razorpoint Security Technologies in New York.

 

Morse cautions, however, that there are tradeoffs. The longer the cipher used to encrypt a file, the more CPU cycles are required to encrypt—and decrypt—the file. That may be insignificant when transferring only one or two files at a time. But it could strain the server during a larger task such as a bulk FTP.

 

Small businesses often find that their large partners dictate the level of encryption. For instance, Tawil Associates, a New York children's clothing manufacturer with 100 employees, works with Disney to produce a branded line of apparel. "When you deal with a company like Disney, they want to keep their copyrighted designs secure," says Jonathan Gleich, Tawil's management information systems director. "So they set up a private network of transferring data using their own encryption."

 

Disney gave Tawil a plug-in for its Web browser so authorized employees can log on to Disney's private network and pass encrypted files back and forth, securely cloaked from prying eyes.

 

Experts also recommend using file-transfer technologies that are more secure than FTP. One alternative is the Secure File Transfer Protocol. SFTP is a standard feature of Unix and Mac OS programs and available for free on Microsoft Windows. Other options include the Secure Shell Interface and Protocol (SSH) and the use of a secure copy utility (SCP).

 

Be a Smart User

 

If FTP is the tool that makes the most sense for a company's needs, then it just needs to take some necessary precautions and to stay away from anonymous FTP servers that require no passwords or user identity verification, security experts say. Instead, a company should configure its FTP server to compartmentalize users and prevent them from straying into files they have no authority to access.

 

Morse, whose clients hire him to hack into their systems and disclose vulnerabilities, finds that companies often leave themselves open to FTP directory traversal attacks, where hackers moving freely from one directory to another can download, steal and tamper with files. Most FTP servers have what Morse calls a "jail-mode option" that systems administrators can adjust to control FTP access levels. "When the user logs in, he's put into his own compartmentalized directory," Morse explains. "He can download and upload files but only within his own little world."
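The following is an added illustration of the advice in the last two paragraphs (no anonymous logins, per-user jailing, encryption in transit); it is not from the article, and it assumes vsftpd as the server, which the article does not name. The first block is a weak vsftpd.conf, the second the hardened equivalent; certificate paths are placeholders.

```ini
# --- Weak: anonymous access allowed, every user can roam the whole
#     filesystem, and credentials plus file data cross the wire in cleartext
anonymous_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
ssl_enable=NO

# --- Hardened: password logins only, each user confined to their own home
#     directory (the "jail mode" described above), TLS required for both the
#     login and the data connection, and logging turned on for review
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
# vsftpd 3.x refuses logins when the jail root itself is writable unless
# allow_writeable_chroot=YES is set; a non-writable root with writable
# subdirectories avoids the need for it
# allow_writeable_chroot=YES
# Optional exception list: users named in this file are NOT jailed
# chroot_list_enable=YES
# chroot_list_file=/etc/vsftpd.chroot_list
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
# placeholder paths; point these at the server's real certificate and key
rsa_cert_file=/etc/ssl/certs/ftp-server-PLACEHOLDER.pem
rsa_private_key_file=/etc/ssl/private/ftp-server-PLACEHOLDER.key
xferlog_enable=YES
log_ftp_protocol=YES
```

With chroot_local_user=YES the server itself enforces the compartment, so a traversal attempt such as changing directory above the user's home simply fails at the FTP layer.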

 

 

CEO takeaway
Choose the level of encryption that matches the sensitivity of the data you're transmitting. If regulatory compliance is a concern, let your level of liability dictate the security level.
Consider your business partners' data as well as your own. If you're safeguarding the exchange of intellectual property—such as patents, strategic business plans and the like—you should apply stringent security measures.
Be smart about the ciphers you use. Your cipher needs to be strong, but also be aware that the use of an extremely complex one might draw the attention of hackers looking for a challenge.
Always monitor your FTP server for suspicious activity, such as known users logging on at odd hours.
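As an added example of the monitoring advice in the takeaway above (not part of the article), this script scans FTP server login records for the kinds of activity mentioned: known users logging on at odd hours, anonymous logins, and repeated failed logins from one client. The log lines are constructed samples in a vsftpd-style format, and the business-hours window and failure threshold are assumptions to be tuned per site.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the vsftpd log style; the article names no
# particular server or log format, so this layout is an assumption.
SAMPLE_LOG = """\
Mon Nov 14 09:15:02 2005 [pid 2101] [alice] OK LOGIN: Client "192.0.2.10"
Mon Nov 14 03:12:45 2005 [pid 2188] [bob] OK LOGIN: Client "198.51.100.7"
Mon Nov 14 10:02:11 2005 [pid 2190] [ftp] OK LOGIN: Client "203.0.113.5"
Mon Nov 14 10:05:00 2005 [pid 2201] [carol] FAIL LOGIN: Client "203.0.113.9"
Mon Nov 14 10:05:03 2005 [pid 2202] [carol] FAIL LOGIN: Client "203.0.113.9"
Mon Nov 14 10:05:07 2005 [pid 2203] [carol] FAIL LOGIN: Client "203.0.113.9"
Mon Nov 14 10:05:12 2005 [pid 2204] [carol] FAIL LOGIN: Client "203.0.113.9"
Mon Nov 14 14:30:00 2005 [pid 2300] [alice] OK LOGIN: Client "192.0.2.10"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)
BUSINESS_HOURS = range(8, 19)     # assumed office hours: 08:00 to 18:59
FAIL_THRESHOLD = 3                # failures from one client before alerting
ANONYMOUS_USERS = {"ftp", "anonymous"}


def parse_line(line):
    """Return a dict for a LOGIN line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the space-padded day so strptime accepts it.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return {"time": ts, "user": m["user"], "result": m["result"], "client": m["client"]}


def find_suspicious(log_text):
    """Return (reason, client, user) tuples in the order they are detected."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "FAIL":
            failures[ev["client"]] += 1
            if failures[ev["client"]] == FAIL_THRESHOLD:  # alert once per client
                alerts.append(("repeated-failures", ev["client"], ev["user"]))
        elif ev["user"] in ANONYMOUS_USERS:
            alerts.append(("anonymous-login", ev["client"], ev["user"]))
        elif ev["time"].hour not in BUSINESS_HOURS:
            alerts.append(("off-hours-login", ev["client"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for reason, client, user in find_suspicious(SAMPLE_LOG):
        print(f"{reason:18} user={user:8} client={client}")
```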