How to conduct a File Transfer Audit
Your organization needs regular File Transfer Audits to ensure all data movements in your enterprise are conducted responsibly.
Why is the threat growing?

Most people expect their account to be locked after entering a number of invalid passwords in a row — whether it is when they log on to a computer or when they insert their debit card into an ATM. Not so with FTP. A number of products to aid in automated FTP password hacking make use of the fact that FTP will allow users to enter invalid passwords literally for days without locking the account or alerting anyone. These tools are widely available on the internet, and the instructions on how to use them are even posted on YouTube and other video sharing sites.
FTP hacking tools typically offer two methods of attack:
Dictionary-based Attacks
While Brute Force Attacks are guaranteed to eventually discover the correct password, the downside is that they may run for a very long time. Attackers therefore often try another, far quicker method first: the Dictionary-based Attack. With that approach, the attacker supplies the tool with a dictionary — a list of words to try as passwords in various combinations. These lists usually consist of human names, pet names, places, TV shows, etc. A sample list might be: ‘adam, Adam, apple, Apple, barbara, Barbara, chicago, Chicago, fido, Fido, house, House,’ etc. Should the Dictionary-based Attack fail to find the correct password, the intruder would resort to the Brute Force Attack instead:
Brute Force Attacks
Brute force attacks let the attacker set a minimum and maximum password length, and the tool will connect to the FTP server and try all possible password combinations matching those criteria in a serial manner, e.g. from aaa to ZZZZZZZZ until it finds the correct password. Some FTP Servers (e.g. on z/OS) do not support case-sensitive passwords, which significantly increases the vulnerability to brute force attacks due to the reduced number of potential password combinations.
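Because the FTP server itself will not lock the account or raise an alarm, the missing safeguard has to come from monitoring. The following detector is an added example, not code from the page or its vendor: it parses log lines modelled loosely on the vsftpd format (the hosts, users and timestamps are constructed) and flags any client/user pair that exceeds a threshold of failed logins inside a sliding time window, which is exactly the pattern a dictionary or brute force run leaves behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd log style; hosts, users and times are made up.
SAMPLE_LOG = """\
Mon Mar  4 09:00:01 2013 [pid 2101] [alice] OK LOGIN: Client "10.1.2.3"
Mon Mar  4 09:00:05 2013 [pid 2102] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 09:00:06 2013 [pid 2103] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 09:00:07 2013 [pid 2104] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 09:00:08 2013 [pid 2105] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 09:00:09 2013 [pid 2106] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 09:30:00 2013 [pid 2107] [carol] FAIL LOGIN: Client "10.1.2.9"
Mon Mar  4 09:31:00 2013 [pid 2108] [carol] OK LOGIN: Client "10.1.2.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"$'
)

def parse(line):
    """Return (timestamp, user, result, client) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the padded day field ("Mar  4") before handing it to strptime.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("client")

def detect_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map (client, user) -> time of first alert for sources whose failed
    logins reach `threshold` within any span of length `window`.
    Assumes the log is in chronological order."""
    recent = defaultdict(deque)   # per (client, user): timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[2] != "FAIL":
            continue
        ts, user, _, client = rec
        key = (client, user)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts
```

Feeding the alert list to a firewall rule or a temporary account lock gives FTP the lockout behaviour the page notes it lacks; a single isolated failure such as carol's never trips the threshold.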
Why can’t my Firewall protect me?
One of the most common mistakes made is to assume that only Internet-facing FTP Servers need to be protected. The opposite is true. While a firewall is very helpful in keeping the vast majority of amateur hackers, college kids etc. out, firewalls have the following shortfalls:
- Firewalls are no match for professional intruders. Email-based phishing scams and other techniques enable professional intruders to take control of computers on the corporate network despite firewalls being in place.
- The advent of telecommuting and work-from-home days makes corporate devices easier to penetrate, especially when these devices are used by the family members of employees.
- The rising practice of BYOD (Bring Your Own Device) — allowing employees to use personal devices for work purposes — reduces a corporation’s ability to install appropriate safeguards on devices attached to the corporate network.
- Firewalls cannot protect against actions by malicious, disgruntled or misguided employees and contractors having legitimate access to the corporate network. In the recently released report “Understand The State Of Data Security And Privacy: 2012 To 2013”, Industry Analyst Forrester Group estimates that about 33% of all cases of malicious data theft are performed by insiders with legitimate access to the network.
Corporations therefore need a second layer of defense – protection against threats from inside the corporate network as well as outside intruders that have penetrated the firewall. Reliable protection can only be achieved by securing each system – especially servers holding sensitive data – as if there were no firewall at all.