Logical Security: The Network Layer
FTP Server Characteristics
• File Transfer Protocol (FTP) is a standard network protocol used to transfer files between
computers. Secure FTP (SFTP) encrypts the data in transmission.
• Data that organizations transmit over FTP include automated clearing house (ACH) or bank
transmissions, benefit or 401K data to benefit providers, or data from the organization to the
cloud environment.
• The FTP server application usually runs on a Unix or Windows server and is typically a
feature of the native OS. There are also third-party vendor FTP systems.
• To transmit data to an FTP server, an ID and password are required.
• The ID and password are either maintained within the FTP application or within the
native OS security.
• Default settings for an FTP server allow for anonymous login, where a password is not required.
• Default settings should be disabled, or passwords should be changed.
• FTP servers normally reside within the DMZ where they are isolated from the rest of the
organization’s network.
• The best practice is to have data reside on an FTP server in the DMZ for a minimum time
interval. Data delivered to the FTP server is promptly removed when sent or received,
usually through automated processes.
• The best practice, especially when the FTP server is contained within the DMZ, is to have most
services and functionality removed from the OS. The OS would be security-hardened.
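The anonymous-login default described above can be verified from the server's configuration file. The following Python audit is an added example, not part of the course material; it assumes the server is vsftpd, whose documented default for `anonymous_enable` is YES, so a configuration that merely omits the option still permits anonymous login. The sample configurations are constructed.

```python
# Added example: audit vsftpd.conf text for anonymous-access exposure.
# Assumption: the server is vsftpd; the page names no specific product.

# vsftpd's built-in defaults for the options checked (vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES",   # anonymous login is ON unless disabled
    "no_anon_password": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
}
TRUE_VALUES = {"YES", "TRUE", "1"}

def parse_conf(text):
    """Return {option: value} from option=value lines, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value.strip().upper()  # a repeated option: last one kept
    return opts

def audit(text):
    """Return [(option, finding)] for settings that expose anonymous access."""
    explicit = parse_conf(text)
    effective = {k: explicit.get(k, v) for k, v in DEFAULTS.items()}
    enabled = lambda k: effective[k] in TRUE_VALUES
    findings = []
    if not enabled("anonymous_enable"):
        return findings
    source = "explicitly" if "anonymous_enable" in explicit else "by default (option absent)"
    findings.append(("anonymous_enable", f"anonymous login allowed {source}"))
    if enabled("no_anon_password"):
        findings.append(("no_anon_password", "no password prompt for anonymous"))
    if enabled("write_enable") and enabled("anon_upload_enable"):
        findings.append(("anon_upload_enable", "anonymous users can upload"))
    return findings

# Constructed sample configs (not taken from any real server).
SAMPLE_DEFAULTED = """\
# administrator commented the line out instead of setting it to NO
#anonymous_enable=NO
write_enable=YES
anon_upload_enable=YES
"""
SAMPLE_HARDENED = "anonymous_enable=NO\nlocal_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("defaulted", SAMPLE_DEFAULTED), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(conf))
```

The first sample shows the case an audit most often misses: commenting the option out leaves the default in force, so anonymous login stays enabled.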
Security Risks
• Unauthorized access occurs.
• The OS may not be security-hardened, which increases the risk of intrusion.
Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.