Anonymous FTP: Crippling Healthcare Organizations

If you’ve ever had to share a large number of files with people working remotely, odds are you’ve used a File Transfer Protocol (FTP) server to do it. It’s an easy way for you and others to download and upload files with a username and password, without consuming your own internal storage.

Unfortunately, many of these FTP servers are hosted by a handful of providers and sit directly on the internet. I say unfortunately because that makes them large, easily found targets for attackers.

A recent bulletin released by the FBI details how FTP servers used by healthcare organizations have seen a sharp jump in attacks by cyber criminals. Here’s what we know so far.

Anonymous FTP

These attacks, the FBI noted, are carried out to steal protected health information and other personally identifiable information, which attackers can later use to harass the business owners it was taken from. Specifically, the FBI warned healthcare organizations using FTP servers to check their networks for any server running in “anonymous” mode.

An anonymous FTP server is one that, as the name implies, lets a user log in without an individual account. The client sends the generic username “anonymous” (or “ftp”), and the server either asks for no password at all or accepts whatever is offered, conventionally an e-mail address. There is no credential to crack: anyone who can reach the port can log in and read, and sometimes upload, whatever the server exposes. The FBI explains how cyber criminals take advantage of this:

“Research conducted by the University of Michigan in 2015 titled ‘FTP: The Forgotten Cloud’ indicated over 1 million FTP servers were configured to allow anonymous access, potentially exposing sensitive data stored on the servers. The anonymous extension of FTP allows a user to authenticate to the FTP server with a common username such as ‘anonymous’ or ‘ftp’ without submitting a password or by submitting a generic password or e-mail address.”

While the FBI expressly warns about this threat to the healthcare sector, HIPAA has for some time required that protected health information be transmitted over secure channels. Plain FTP does not meet that bar even when accounts are configured, because it sends usernames, passwords and file contents in cleartext; only the encrypted variants (FTPS, or SFTP over SSH) do. It’s not much of a stretch, therefore, to see attackers moving on to other industries, like the financial sector, that may still be running anonymous FTP servers.

Reach Out

The first step in closing this hole is to check whether your FTP server accepts anonymous logins at all: connect to it with the username “anonymous” and see whether the server lets you in. Then work with your IT department or hosting provider to confirm that anonymous access is disabled, or to switch it off (on vsftpd, for example, the setting is anonymous_enable, which should be NO).

Moving forward, with FTP attacks still an active threat, you should take several precautionary steps to protect your organization. These include running regular vulnerability scans so that anonymous access is not quietly re-enabled without you knowing, encrypting sensitive data stored on the server, and running anti-malware software on it.
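The check described above, and the USER/PASS exchange the FBI quote refers to, can be automated with nothing more than Python’s standard library. The block below is an added example and is not code from the article or the FBI bulletin: check_anonymous_ftp() attempts the same anonymous login the bulletin describes and reports whether it succeeded, and a deliberately minimal stub FTP responder (constructed for this example; it models only the anonymous-login decision, not a real server) is included so the whole thing runs offline against loopback. In practice you would point check_anonymous_ftp() at your own server’s host and port, ideally from a scheduled scan.

```python
"""Probe an FTP server for anonymous login, with an offline stub to run against."""
import ftplib
import socket
import threading


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Return True if host:port accepts an anonymous login, False if it rejects it.

    ftplib's login() with no arguments sends USER anonymous / PASS anonymous@,
    which is exactly the probe the FBI bulletin describes.  Connection-level
    failures (refused, timed out) propagate as OSError so the caller can tell
    "unreachable" apart from "locked down".
    """
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)  # expects a 220 banner
    try:
        ftp.login()  # USER anonymous -> 331 -> PASS anonymous@ -> 230 on success
        return True
    except ftplib.error_perm:  # 5xx reply: server refused the anonymous user
        return False
    finally:
        try:
            ftp.quit()  # QUIT -> 221, then close the socket
        except ftplib.all_errors:
            ftp.close()


class StubFtpServer(threading.Thread):
    """Constructed stand-in for a real FTP server, serving one connection on loopback.

    allow_anonymous=True mimics a misconfigured server (331 then 230);
    allow_anonymous=False mimics a locked-down one (530 at USER).
    """

    def __init__(self, allow_anonymous):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self._listener = socket.socket()
        self._listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self._listener.listen(1)
        self.port = self._listener.getsockname()[1]

    def run(self):
        conn, _ = self._listener.accept()
        with conn, conn.makefile("rb") as commands:
            def reply(line):
                conn.sendall((line + "\r\n").encode())

            reply("220 stub FTP service ready")
            for raw in commands:
                verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    if arg.lower() in ("anonymous", "ftp") and not self.allow_anonymous:
                        reply("530 Anonymous access denied")
                    else:
                        reply("331 Please specify the password")
                elif verb == "PASS":
                    reply("230 Login successful")  # stub accepts any password once USER passed
                elif verb == "QUIT":
                    reply("221 Goodbye")
                    break
                else:
                    reply("502 Command not implemented")
        self._listener.close()


def run_demo():
    """Probe one open and one locked-down stub; returns {name: anonymous_allowed}."""
    results = {}
    for name, allow in (("open", True), ("locked_down", False)):
        server = StubFtpServer(allow_anonymous=allow)
        server.start()
        results[name] = check_anonymous_ftp("127.0.0.1", server.port)
        server.join(timeout=5)
    return results


if __name__ == "__main__":
    print(run_demo())  # {'open': True, 'locked_down': False}
```

A True result from check_anonymous_ftp() against one of your own servers is the finding the FBI bulletin is warning about. Note that the probe only tells you whether anonymous login is accepted; it says nothing about what files that login can reach, so a positive result should be followed by a review of what the server actually exposes.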

The bottom line is that you need to treat your FTP server like you would your internal networks. Just because it’s off in the distance, run by an outside company, doesn’t mean your information is as protected as it should be. No matter who hosts it, ensuring the security of your FTP servers should be a crucial part of your IT security.