10 Crucial Guidelines for Securing FTP and SFTP Servers
Most organizations use FTP or SFTP servers to exchange files and other critical business documents with their trading partners. Unfortunately, these servers have become a primary target for hackers, putting your FTP or SFTP server at risk of a costly data breach.
The Three Tenets of Information Security
Since we’re talking about keeping our servers secure, we should define what that means.
Information security can be discussed in terms of the CIA. No, not that CIA—in this case, the acronym CIA stands for confidentiality, integrity, and availability. Maintaining confidentiality means that information is never disclosed to unauthorized individuals, entities, or processes. Integrity refers to making sure your data remains accurate and unchanged. Finally, availability means that the system is available to authorized entities without disruptions.
Major Compliance Standards and Regulations
Compliance with industry security standards is an issue that puts pressure on organizations of all sizes. Which compliance challenges you’re facing will depend on both your industry and location. In the U.S., the most common regulations include:
- Health Insurance Portability and Accountability Act (HIPAA): Requires the protection of any communications containing PHI (Protected Health Information) which is transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
- Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to implement safeguards to protect the security, integrity, and confidentiality of customer information, no matter how it is stored or transmitted.
- State privacy laws: Most states have notification laws, while others are more specific on how personal data must be protected.
- Federal Information Security Management Act (FISMA): Defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.
- Payment Card Industry Data Security Standard (PCI DSS): Developed for companies that are responsible for processing debit or credit card information in order to protect the privacy of customer account data.
Like the other regulations on the list, non-compliance with PCI DSS can result in fines or even the termination of your ability to conduct business. The penalties levied by the banks and credit card institutions can range up to $500,000. Although PCI DSS was designed for companies processing cardholder data, its detailed security requirements are a useful reference for anyone looking to protect sensitive data. Throughout the webinar, Bob Luebbe and his team reference how each security tip relates to PCI DSS.
The latest version of PCI DSS had a couple of notable changes. You can read more about them and how they affect your business in this free guide.
Related Reading: The 5 Biggest PCI Compliance Breaches
If you’re in the EU or if you process data for EU residents, the most important change in data privacy regulations in 20 years is the General Data Protection Regulation (GDPR), which was adopted in 2016. It’s designed to replace the current Data Protection Directive and consolidate data privacy laws within Europe. Fines for non-compliance with GDPR can be up to 20 million Euros or 4 percent of the company’s revenue in the preceding financial year.
Top Ten Tips for Securing FTP and SFTP Servers
Poor FTP implementation practices are widespread and leave many businesses at risk of a data breach or a hefty non-compliance fine. Want to make sure your servers are both secure and compliant? Here are our top 10 tips:
1. Disable Standard FTP
If standard FTP is running on your server, you should disable it as soon as possible. FTP is over 30 years old and just isn’t designed to withstand the security threats we face today. FTP sends credentials and file contents in cleartext and provides no integrity protection, which makes it fairly easy for an attacker on the network path to capture or modify your data while it’s in transit. We suggest you switch to one of several more secure FTP alternatives.
2. Use Strong Encryption and Hashing
Encryption ciphers are used in both SFTP and FTPS protocols to protect data in transmission. The cipher is a complex algorithm that takes the original data and, along with the key, produces the encrypted data to transmit. The first thing you should do is disable any older, outdated ciphers like Blowfish and DES, and only use stronger ciphers like AES or TDES.
Hash or MAC algorithms are used to verify the integrity of the transmission. Again, you should disable older hash/MAC algorithms like MD5 or SHA-1 and stick with strong algorithms in the SHA-2 family.
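As an added example (not from the webinar), the following script audits the algorithm lists of an OpenSSH sshd_config used for SFTP against the policy above: only AES or TDES ciphers and only SHA-2 MACs. Ciphers and MACs are real sshd_config directives; the sample configuration text is constructed for the demo.

```python
# Added example (not from the webinar): audit the algorithm lists in an
# OpenSSH sshd_config against the policy above (AES/TDES ciphers, SHA-2 MACs).
# Ciphers/MACs are real sshd_config directives; the config text is constructed.
import re

CIPHER_OK = re.compile(r"^(aes|3des)")   # AES or TDES families only
MAC_OK = re.compile(r"sha2")             # hmac-sha2-256, hmac-sha2-512, -etm variants

SAMPLE_SSHD_CONFIG = """\
# constructed sample fragment
Subsystem sftp internal-sftp
Ciphers aes256-gcm@openssh.com,aes128-ctr,blowfish-cbc,3des-cbc
MACs hmac-sha2-512,hmac-sha1,hmac-md5
"""

def parse_algorithm_lists(config_text):
    """Return {directive: [algorithm, ...]} for the Ciphers and MACs lines."""
    lists = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("Ciphers", "MACs"):
            # OpenSSH allows a leading + / - / ^ to edit its default list;
            # strip it so the algorithm names themselves are checked
            names = parts[1].lstrip("+-^").split(",")
            lists[parts[0]] = [n.strip() for n in names if n.strip()]
    return lists

def audit(config_text):
    """Return (directive, algorithm, reason) findings; empty means compliant."""
    findings = []
    lists = parse_algorithm_lists(config_text)
    for directive, ok in (("Ciphers", CIPHER_OK), ("MACs", MAC_OK)):
        if directive not in lists:
            # no explicit list means the server's built-in defaults apply
            findings.append((directive, "(absent)", "server defaults apply"))
            continue
        for alg in lists[directive]:
            if not ok.search(alg):
                findings.append((directive, alg, "outside policy"))
    return findings

def hardened_directives(config_text):
    """Rewrite each directive keeping only the algorithms that pass."""
    lists = parse_algorithm_lists(config_text)
    out = []
    for directive, ok in (("Ciphers", CIPHER_OK), ("MACs", MAC_OK)):
        keep = [a for a in lists.get(directive, []) if ok.search(a)]
        out.append("%s %s" % (directive, ",".join(keep)))
    return out
```

A missing directive is reported as a finding on purpose: an absent Ciphers or MACs line means the server's compiled-in defaults decide, and those should be pinned explicitly.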
3. Place Behind a Gateway
The DMZ (demilitarized zone) is a common segment of the network in which organizations store their FTP servers. The problem with the DMZ is that it faces the public internet, making it the most vulnerable segment to attack. If the FTP server is in the DMZ, trading partners’ data files and user credentials are usually also stored there, which is a big risk even if the files are encrypted.
Other organizations have taken the step of moving files and user credentials into the private network, which is safer. The problem with this method though is that this requires you to open ports into the private network, which creates a path for an attack and may not meet compliance requirements.
Related Reading: DMZ Secure Gateway: Secret Weapons for Data Security
An approach which is growing in popularity is to use a DMZ Secure Gateway, or an enhanced reverse proxy. The Gateway is software that you install on a server in the DMZ. A special control channel is then opened up from the private network into the DMZ at startup. Your trading partners connect to the Gateway, and the Gateway will send the session over the control channel to the FTP server on the private network. Files and user credentials stay in the private network, and no inbound ports are required.
4. Implement IP Blacklists and Whitelists
An IP blacklist denies a range of IP addresses from accessing the system, either temporarily or permanently. For example, you may want to block certain countries from access. You can also have the FTP server perform auto-blacklisting for certain types of attacks, like DoS attacks.
Another method is to whitelist only specified IP addresses to access the system, such as your trading partners. The difficulty is that this only works well if the trading partner uses fixed IPs.
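As an added example (not from the webinar), here is the combination of a CIDR whitelist, a permanent blacklist and auto-blacklisting after repeated login failures, replayed over a few auth log lines. The address ranges and the log format are constructed for the demo.

```python
# Added example (not from the webinar): whitelist/blacklist checks for an SFTP
# front end, plus auto-blacklisting of an address after repeated login failures.
# The CIDR ranges and the auth log lines are constructed for the demo.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_LIMIT = 6                  # failures inside WINDOW before auto-block
WINDOW = timedelta(minutes=10)

class IpPolicy:
    def __init__(self, allow=(), deny=()):
        self.allow = [ipaddress.ip_network(n) for n in allow]  # fixed partner ranges
        self.deny = [ipaddress.ip_network(n) for n in deny]    # permanent blacklist
        self.auto_deny = {}                                     # ip -> time blocked
        self.failures = defaultdict(list)                       # ip -> timestamps

    def record_failure(self, ip, when):
        recent = [t for t in self.failures[ip] if when - t <= WINDOW] + [when]
        self.failures[ip] = recent
        if len(recent) >= FAIL_LIMIT and ip not in self.auto_deny:
            self.auto_deny[ip] = when

    def decision(self, ip):
        # deny lists are checked before the whitelist, so a partner range that
        # starts hammering the login still gets blocked
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.deny):
            return "deny:blacklist"
        if ip in self.auto_deny:
            return "deny:auto"
        if self.allow and not any(addr in net for net in self.allow):
            return "deny:not-whitelisted"
        return "allow"

# constructed auth log: "<ISO time> <FAIL|OK> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-01-05T10:00:01 FAIL user=acme ip=203.0.113.7
2024-01-05T10:00:05 FAIL user=acme ip=203.0.113.7
2024-01-05T10:00:12 FAIL user=acme ip=203.0.113.7
2024-01-05T10:00:20 FAIL user=acme ip=203.0.113.7
2024-01-05T10:00:31 FAIL user=acme ip=203.0.113.7
2024-01-05T10:00:45 FAIL user=acme ip=203.0.113.7
2024-01-05T10:01:02 FAIL user=acme ip=198.51.100.9
2024-01-05T10:01:30 OK user=acme ip=203.0.113.8
"""

def replay(policy, log_text):
    """Feed the FAIL lines of an auth log into the policy and return it."""
    for line in log_text.splitlines():
        stamp, result, _user, ip_field = line.split()
        if result == "FAIL":
            policy.record_failure(ip_field.split("=", 1)[1], datetime.fromisoformat(stamp))
    return policy
```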
5. Harden Your FTPS Server
If you’re using an FTPS server, there are a few measures you should take to keep it secure, including:
- Do not use Explicit FTPS unless you force encryption for the authentication and data channels
- Do not use any version of SSL or TLS 1.0
- Use elliptic-curve Diffie-Hellman (ECDHE) key exchange algorithms
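As an added example (not from the webinar), the following builds a TLS context for an FTPS listener with Python's ssl module and checks it against the two settings above: a TLS 1.2 floor and elliptic-curve DH key exchange only. The certificate path is a placeholder; the checker needs only the context object.

```python
# Added example (not from the webinar): a TLS context for an FTPS listener
# built with Python's ssl module, next to a checker that flags the two
# settings above (protocol floor and key exchange). The certificate path is
# a placeholder; the checks need only the context.
import re
import ssl

def hardened_ftps_context():
    """TLS 1.2+ only, AEAD ciphers, elliptic-curve DH key exchange only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # excludes SSLv3, TLS 1.0/1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")   # no static RSA or finite-field DH
    # ctx.load_cert_chain("/path/to/server.pem")    # placeholder for a real deployment
    return ctx

def library_default_context():
    """Same listener with the library's default cipher list, for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT")   # still offers static-RSA key exchange suites
    return ctx

def tls_policy_findings(ctx):
    """Return policy violations for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum version below TLS 1.2")
    for cipher in ctx.get_ciphers():
        # the OpenSSL description carries "Kx=ECDH", "Kx=RSA", "Kx=DH" or,
        # for TLS 1.3 suites where the protocol itself mandates (EC)DHE, "Kx=any"
        kx = re.search(r"Kx=(\S+)", cipher["description"])
        if kx and kx.group(1) not in ("ECDH", "any"):
            findings.append("non-ECDHE key exchange offered: " + cipher["name"])
    return findings
```

Run the checker against the context your FTPS software actually builds, not just a hand-made one; the default comparison shows why an unpinned cipher list fails the policy.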
6. Utilize Good Account Management
It’s risky to create OS-level user accounts for trading partners because it creates a pathway to gain access to other resources on the server. Also, user credentials should be kept separate from the FTP application. Do not allow anonymous users or shared accounts. Set some rules, like account user names should be at least 7 characters in length and accounts should be automatically disabled after 6 login failures or 90 days of inactivity.
7. Use Strong Passwords
Passwords should be at least 7 characters in length, contain both numeric and alphabetic characters, and include at least one special character. Make sure admin passwords change every 90 days. Don’t allow the last 4 passwords to be reused, and store user passwords using strong hashing algorithms from the SHA-2 family.
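As an added example (not from the webinar), the account rules from tip 6 and the password rules from tip 7 are written out as checks below. Password storage uses PBKDF2-HMAC-SHA256, a salted and iterated SHA-2 construction, rather than a single SHA-2 digest; the usernames and passwords are constructed for the demo.

```python
# Added example (not from the webinar): the account rules from tip 6 and the
# password rules from tip 7 as checks. Storage uses PBKDF2-HMAC-SHA256, a salted
# and iterated SHA-2 construction, instead of a bare SHA-2 digest; all names
# and passwords below are constructed for the demo.
import hashlib, hmac, os, re

MIN_LEN, MAX_FAILURES, INACTIVE_DAYS, HISTORY, ITERATIONS = 7, 6, 90, 4, 100_000

def username_ok(name):
    """At least 7 characters; the anonymous FTP identities are never valid."""
    return len(name) >= MIN_LEN and name.lower() not in ("anonymous", "ftp")

def should_disable(consecutive_failures, days_since_login):
    """Disable after 6 failed logins or 90 days without a successful login."""
    return consecutive_failures >= MAX_FAILURES or days_since_login > INACTIVE_DAYS

def password_policy_violations(pw):
    v = []
    if len(pw) < MIN_LEN:
        v.append("too short")
    if not re.search(r"[0-9]", pw):
        v.append("no digit")
    if not re.search(r"[A-Za-z]", pw):
        v.append("no letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        v.append("no special character")
    return v

def hash_password(pw, salt=None):
    """Stored form is salt-hex$key-hex with a fresh random salt per password."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def verify_password(pw, stored):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison

def change_password(history, new_pw):
    """history holds stored hashes, newest first. Returns (history, problems)."""
    problems = password_policy_violations(new_pw)
    if any(verify_password(new_pw, h) for h in history[:HISTORY]):
        problems.append("reused one of the last %d passwords" % HISTORY)
    if problems:
        return history, problems
    return [hash_password(new_pw)] + history, []
```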
8. Implement File and Folder Security
A trading partner should only have the folder access they absolutely need. For example, just because a partner needs permission to download something from a folder doesn’t mean they need total rights to that folder. Needing to upload files to a folder doesn’t require them to have read access to the folder. Encrypt files at rest, especially if they’re stored in the DMZ, and retain files on the FTP server only as long as needed.
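As an added example (not from the webinar), the folder rights described above are modelled as a per-partner permission map, with an upload-only drop box that grants no read or list access, followed by a retention sweep that removes files older than a policy age. Partner names, folders and file ages are constructed; encryption of the stored files is outside the snippet.

```python
# Added example (not from the webinar): per-partner folder rights and a
# retention sweep for tip 8. Partner names, folders and file ages are
# constructed; encrypting the stored files is outside this snippet.
import os, posixpath, tempfile, time

# Each partner holds only the operations it needs per folder; the inbound
# drop box grants "upload" alone, so the partner cannot list or read it.
RIGHTS = {
    "acme": {
        "/outbound/acme": {"list", "download"},
        "/inbound/acme": {"upload"},
    },
}

def authorize(partner, op, path):
    """True only if partner holds op on the (normalised) folder of path."""
    folder = posixpath.dirname(posixpath.normpath(path))   # resolves ../ segments first
    return op in RIGHTS.get(partner, {}).get(folder, set())

def purge_expired(root, max_age_days, now=None):
    """Delete regular files older than max_age_days; return their names."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed = []
    for entry in os.scandir(root):
        st = entry.stat(follow_symlinks=False)
        if entry.is_file(follow_symlinks=False) and st.st_mtime < cutoff:
            os.remove(entry.path)
            removed.append(entry.name)
    return sorted(removed)

def demo_purge():
    """Drop box with a 1-day-old and a 40-day-old file under a 30-day policy."""
    box = tempfile.mkdtemp()
    now = time.time()
    for name, age_days in (("fresh.csv", 1), ("stale.csv", 40)):
        path = os.path.join(box, name)
        open(path, "w").close()
        os.utime(path, (now - age_days * 86400,) * 2)   # backdate the timestamps
    return purge_expired(box, 30, now), sorted(os.listdir(box))
```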
9. Lock Down Administration
Administration of your server should be tightly controlled. Restrict admin duties to a limited number of users and require them to use multi-factor authentication. Instead of storing passwords on the server, store them in an AD domain or LDAP server. Don’t use common admin user IDs like “root” or “admin” – that’s the first thing a hacker will try.
10. Follow These Best Practices
In the webinar, Bob Luebbe and his team had several recommendations to follow, including:
- Keep the FTPS or SFTP server software up-to-date
- If working with U.S. government data, use only FIPS 140-2 validated encryption ciphers
- Do not show the default SFTP software version banner that clients see when they first connect – it gives hackers a clue as to how to exploit the server
- Keep any backend databases on a different server
- Require re-authentication of inactive sessions
- Implement good key management