The FBI issued a Private Industry Notification (PIN) alert last week to healthcare providers concerning the security of their FTP servers. While the alert did not indicate a specific threat, industry experts note that the FBI is not in the habit of issuing alerts unless they have good reason.
Cybercriminals Love Healthcare Providers
Protected Health Information (PHI) is now worth more on the black market than credit card data. This makes healthcare providers more lucrative targets than banks or retail institutions. Credit card data has a shelf life that lasts until the bank discovers a breach and freezes the affected credit cards. Health data, on the other hand, includes a larger wealth of information (insurer, employing company, social security, birth date, etc), making it harder to quickly contain the abuse of using the data improperly. Health data can also be used to commit insurance fraud, buy drugs or medical equipment or steal an identity.
FTP Servers Are Low Hanging Fruit
FTP servers are low hanging fruit for a hacker. They are everywhere. Smaller medical and dental practices likely have them embedded in turnkey software provided by a reseller some 5 years ago. They are in Ricoh and Xerox printers. Our customers tell stories of finding them unattended in some forgotten corner or closet.
A study published in 2015 by the University of Michigan found 13.8 million of them attached to the internet. Worse yet, 1.1 million of them were anonymous (no password needed) and exposed 600 million files/directories to the open internet. A study done in September of 2016 by a security expert who calls himself Minxomat used the same FTP enumerator code and found over 750,000 anonymous FTP servers still exposed.
Even Secure FTP Isn't That Secure
Up until about 4 years ago, enterprise security was almost entirely focused on perimeter and end-point defenses. Often described as 'higher walls and deeper moats' the idea was that, if you could keep cybercriminals outside of the trusted network, you would be safe. Well, cybercriminals proved too smart for that idea.
It turns out perimeter defenses can easily be broken with a wide range of exploits from sophisticated phishing campaigns down to straightforward approaches like dropping a memory stick in the parking lot of your target enterprise.
We now live in a world where the most sage advice from enterprise security experts is 'assume you have already been hacked'. We live in the world of advanced persistent threats (APTs) where high school hackers have given way to cybercriminal enterprises who will patiently spend two years figuring out how to get beyond your defenses .
In the new world, it turns out that even Secure FTP isn't so secure. Sure FTPS (SSL/TLS) and SFTP (SSH) provide encryption for data transmitted over FTP. Sure that means data can't be stolen in transit. But if I am already in your network, it's just a matter of time before I gain access to the FTP server itself.
FTP Servers Are A Goldmine For Cybercriminals
How many times have you shaken your head in wonder at the politicians who didn't realize that emails hang around forever? Well, enterprises have their own parallel in the FTP server. You upload a file to FTP and it stays there until you delete it and, by the way, most likely in plain text.
So, if anyone in your company ever sent valuable data over an FTP server and you don't have an automated process for deleting it, there is probably some pretty valuable data hanging out in your FTP cloud. Chances are also good that your FTP server is easier to hack than the database servers that valuable data came from.
FTP servers are also a great egress vehicle. Does your security routinely scan for FTP connections to IP addresses in China or Eastern Europe? Remember the famous Target breach? Target's internal FTP servers were used as the command and control link back to cybercriminal headquarters to upload the exploits and download the credit cards.
It is all too common for organizations to have many FTP servers on multiple technology platforms operating scripts in multiple languages. Sound familiar? In security terms this means 'multiple attack vectors'. A further complication comes in when the authors of those scripts are no longer with your organization. Then you likely have no clue whether those file transfers are actually secure or not.
What Should You Do?
Make sure you aren't using anonymous FTP. The advice used to be that there might still be valid use cases for anonymous FTP so if you were still using it, make sure you weren't transmitting sensitive data. That argument has pretty much gone away. If your 'valid use case' is that users don't need the inconvenience of passwords it's time to move on. When your cell phone locks every 5 minutes, people get used to passwords quickly. If they can use them for Facebook, they certainly can use them for enterprise file transfers.
Consider replacing scripts with workflow automation. Scripts are fun to write and keep us nimble with our programming skills, but they can be a real pain for our IT buddies when we've moved on. Workflow automation tools replace advanced programming skills with drag and drop UIs. The resulting workflows are easy to edit and maintain. A tool like MOVEit Automation works with any FTP server upon installation.
Consider consolidating FTP servers with MFT. If your organization transmits data externally as part of normal business processes, you should be considering migrating to Managed File Transfer (MFT). It turns out that running core business operations across diverse FTP servers stresses most IT organizations much more than necessary. By moving to MFT, you get the management visibility and control, security, reliability and audit trails you need to meet SLAs and pass the next audit.
FTP is a technology whose time has passed. Continuing to depend on it leaves your business exposed to the very threats the FBI is warning you about.