How to achieve truly secure FTP — 7 essential tips | JSACPE

To really take advantage of those secure FTP protocols like FTPS and SFTP, you must also apply the cybersecurity best practices outlined in this post.
  1. Blog

Although plain File Transfer Protocol (FTP) has been the data transfer solution of choice for several decades, it’s no longer fit for today’s business environments. With so many business processes now involving sensitive data, file transfer workflows are now at risk of various threats. And because plain or standard FTP is inherently plagued with serious vulnerabilities, it’s important to replace it with more secure alternatives. In this post, we’ll talk about how you can take advantage of two secure FTP options and make them even more suitable for transferring sensitive information.

A rundown of FTP server vulnerabilities and other security deficiencies

Before discussing the various strategies for implementing secure FTP, let’s first briefly go over the major vulnerabilities and other security deficiencies afflicting the standard FTP protocol. This will underline the importance of implementing those security strategies.

Lack of encryption

FTP has multiple vulnerabilities, but its biggest security issue is its lack of encryption capabilities. When you transmit data over an unencrypted file transfer protocol like plain FTP, your data will be exposed to man-in-the-middle attacks.

As soon as your data leaves your FTP client or your FTP server, hackers can intercept your connection and steal or even alter your transmitted data. If a hacker manages to steal login credentials, they can take over user accounts on your server.

Lack of strong authentication

Authentication ensures only legitimate users are allowed access to your file transfer server. The problem is that FTP servers normally support only one method of authentication — password-based authentication. This kind of authentication can be compromised through a wide range of cyber-attacks, including:

Once a hacker succeeds in breaking or acquiring a user’s password, that hacker can take over that user’s account. Worse, if that account belongs to a server admin, the hacker can acquire enough permissions and privileges to inflict even greater damage on your organization.

Inability to meet regulatory requirements

In certain countries, regions and industries, companies are subjected to multiple data protection and data privacy laws and regulations. Regulatory and legislative mandates like the Healthcare Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), European Union General Data Protection Regulation (GDPR) and others impose onerous security requirements for various IT systems, including file transfer solutions.

A file transfer server running standard FTP is simply incapable of meeting many of those requirements, and we’re not just talking about encryption requirements. For example, under HIPAA, healthcare providers and business associates must not only use encrypted file transfer protocols to transmit electronic protected health information (ePHI).

Their file transfer systems must also provide effective access control, audit controls, data integrity and other security functions.

A regular FTP server will make it extremely difficult for a healthcare provider to meet these HIPAA requirements.

So, if you're considering a managed file transfer solution like JSCAPE. You can request your risk-free, no-obligation trial:

Free trial

Let’s now discuss some of the strategies to address the security deficiencies of FTP.

1. Disable unencrypted FTP and use SFTP or FTPS instead

There is no place for unencrypted file transfer protocols in today’s business environments, where it’s always imperative to send sensitive data through a secure connection. To minimize your risk of a data breach, it is best to rid your organization of unencrypted protocols like FTP altogether and replace them with more secure file transfer protocols like SFTP and FTPS.

SFTP, or SSH File Transfer Protocol, is the file transfer protocol that’s baked into SSH (Secure Shell), the cryptographic network protocol that IT admins use to securely manage Linux, IBM AIX, mac OS and other UNIX-based server operating systems. That said, many SFTP server applications can run on Windows as well. SFTP comes with built-in encryption, server authentication and 2-factor authentication.

FTPS or FTP-SSL is an extension of plain FTP that’s protected by Secure Sockets Layer/Transport Layer Security (SSL/TLS), the same cryptographic protocol that protects modern websites. FTPS offers almost the same security functions as SFTP.

Both protocols can be considered secure FTP. They can encrypt data during transmission, perform data integrity checks and even enable you to apply advanced cryptographic configurations. For instance, you can choose to use strong encryption, disable obsolete cryptographic protocols or use more secure key exchange algorithms. We’ll elaborate on these functions later.

2. Implement strict password policies

The use of strong passwords and other secure password practices will make your file transfer server less susceptible to password-based cyber attacks. Configure your file transfer solution so that it enforces strict password policies. Users must be required to use passwords that possess the following properties.

  • Must be at least 8 characters long
  • Must include a combination of uppercase and lowercase letters
  • Must include numbers
  • Must include special characters like @, $, &, ! and so on

These properties characterize what’s known as a strong password, which can thwart brute force attacks. To counter other cyber attacks that target passwords, your secure FTP server must also be configured to enforce the following rules:

  • Don’t use the same password on multiple applications and services
  • Limit the use of each password to 90 days
  • Avoid using passwords that were already used in the past

3. Enable 2-factor authentication on your SFTP server

Because password-based authentication is susceptible to numerous cyber attacks, it’s best to augment it with other forms (a.k.a. factors) of authentication. For example, you can pair password authentication with, say, biometric authentication, SMS-based authentication, public key authentication, Time-based One-Time Password (TOTP) authentication or any additional method of authentication to create what’s known as a 2-factor authentication (2FA) system.

You can even combine three or more of these methods of authentication into a multi-factor authentication system. Two-factor or multi-factor authentication ensures that even if all your server passwords are compromised, the other factors of authentication can still prevent hackers from gaining unauthorized access to your server’s user accounts.

If you use SFTP, you’ll instantly have a 2-factor authentication option at your disposal. SFTP comes with public key authentication, a method of authentication wherein users have to submit their personal SFTP key through their SFTP clients in order to authenticate with an SFTP server. You can combine public key authentication with password-based authentication to achieve 2FA. When 2FA is enabled, a client can only establish an SFTP connection with an SFTP server if it passes both authentication checks.

4. Integrate auto-blocking and DoS protection

The internet is teeming with zombified computer systems enslaved into sprawling malicious networks known as botnets. These botnets carry out various cyber attacks, including brute force and Denial-of-Service (DoS) attacks, among many others.

Brute force attacks are designed to defeat password-based authentication systems by submitting a barrage of password combinations in rapid succession. Denial-of-Service (DoS) attacks, on the other hand, are crafted to overwhelm target hosts by submitting a large volume of requests in a short period of time.

Both attacks are actually easy to identify in file transfer server logs. Brute force attacks are typically characterized by successive invalid password attempts coming from the same IP address. DoS attacks are likewise characterized by IP addresses that make to many concurrent connections with your server.

For this reason, modern secure file transfer servers are already equipped with features that automatically block IP addresses exhibiting any of these behaviors. All you have to do is configure your file transfer server to automatically block: 1) IP addresses that exceed a certain number of successive invalid password attempts and 2) IP addresses that make too many concurrent connections.

Logs showing an IP address automatically blocked due to excessive login attempts

Standard FTP servers don’t have these capabilities though, so you must use secure FTP servers like Cerberus FTP by Redwood or managed file transfer servers like JSCAPE MFT Server by Redwood if you want to take advantage of these capabilities.

5. Use strong encryption as much as possible

Not all forms of encryption are secure. Some are easily broken by powerful computer systems. Thus, even if you use an encrypted file transfer protocol like FTPS or SFTP, your file transfer connections can still be compromised if your encryption is weak. An attacker can simply intercept your connection and decrypt your transmitted data.

To prevent your encrypted connections from being compromised, stick to reputable cryptographic algorithms or ciphers. A cryptographic algorithm a.k.a. “cipher” is a specific method of encrypting and decrypting data. Examples of trusted ciphers include AES (Advanced Encryption Standard), RSA (Rivest–Shamir–Adleman), ChaCha20 and Triple DES (3DES).

In addition to choosing a good cipher, you must also use long cryptographic keys. A long key and a good cipher equate to strong encryption. For example, while AES comes in 128, 192 and 256-bit key lengths, AES-256 will give you the strongest level of encryption.

Selecting strong ciphers on JSCAPE MFT Server

Just bear in mind that you’ll need to consider different factors when choosing key lengths. The longest key isn’t always the best for a given scenario. If you want to learn more about this topic, read our blog post about choosing key lengths for encrypted file transfers.

Certain organizations are subject to stringent requirements regarding encryption. For instance, the United States military, US government agencies and the companies working with them are required to use cryptographic algorithms and strengths that comply with FIPS 140-2. FIPS stands for Federal Information Processing Standards. In one of our customer engagements, a North American defense intelligence contractor picked JSCAPE for its file transfer workflows due to JSCAPE’s compliance with FIPS 140-2, among other security features.

6. Disable obsolete cryptographic protocols

Secure file transfer protocols like FTPS and SFTP obtain their security functions from cryptographic protocols like SSL/TLS and SSH. These cryptographic protocols do not stay secure forever. Over time, hackers and security specialists eventually discover weaknesses in older versions of these protocols.

When that happens, the affected versions become vulnerable to certain exploits and will therefore be incapable of providing sufficient data security to your file transfer connections. Once a particular version is found to have exploitable vulnerabilities, you must stop using them. Otherwise, you will only put your file transfer workflows at risk.

In line with this, all versions of SSL should be banned from your FTPS servers, as they are now all considered insecure. TLS v1 and TLS v1.1 should not be used as well. If your file transfer solution still supports these versions, they should be disabled. The only TLS versions you should be using are TLSv1.2 and TLSv1.3

7. Use key exchange algorithms that support perfect forward secrecy

Before a file transfer client can upload files or download files over an encrypted data channel, it must first negotiate a session key with the server in a process known as a key exchange. This session key is used to encrypt data, so key exchanges play an important role in secure data transfers. However, not all key exchange methods are secure.

Some key exchange algorithms are susceptible to certain attacks that take advantage of compromised server private keys. Session keys are derived from server private keys. So, if your server’s private key is compromised, an attacker would be able to obtain your session keys. If the attacker has saved copies of data from your previous sessions, that attacker would be able to decrypt those saved data as well.

This exploit can be avoided if you use key exchange algorithms that support perfect forward secrecy (PFS). In a PFS-enabled key exchange, unique session keys are generated for each session. So, even if a server’s private key is compromised, only the current session will be at risk.

The key exchange algorithms Ephemeral Diffie-Hellman (DHE) and Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) both support PFS. So, it would be best to use ciphers that involve any of these two. That said, TLSv1.3 requires PFS. So, if you use TLSv1.3, you can be sure all your connections will be protected by PFS.

Conclusion

Standard FTP is no longer suitable for today’s file transfer workflows. It suffers from serious vulnerabilities that can put sensitive data and your business at risk. Your best option is to replace standard FTP with secure FTP options like FTPS and SFTP. But that’s not enough. To really take advantage of those secure FTP protocols, you must also apply the cybersecurity best practices outlined in this post.

Downloads

You can now try transferring files via FTPS, SFTP, and other secure file transfer protocols using the free trial of JSCAPE's managed file transfer server.

Click here to fill out a short form and get your trial.