By Greg Hoffer
Of late, Shadow IT has been associated with the end-user introduction of cloud and mobile platforms into the work environment, but a couple of recent events serve as a reminder that the term has more insidious implications. It might also apply to legacy technology lurking—often in the literal shadows—in a forgotten office or a forgotten corner of a server room for some long-forgotten purpose. Like a Prohibition-era speakeasy, the otherwise unremarkable door will swing wide open for anyone who is aware of what’s on the other side and knows the secret knock.
Two recent events, as reported by Network World, illustrate that point in dramatic fashion. In both cases the hackers’ back door was unsecured FTP servers.
In the first, a security researcher scanned IPv4 addresses and found nearly 800,000 FTP servers that required no authentication for access, posting the information on the open source community site GitHub.
Shortly after the researcher’s disclosure (perhaps coincidental, perhaps related) a teenager claimed to have gained access to an FTP server that listed access to all the FTP servers on .us domains as well as some .gov domains. The teen boasted that, as a result of the vulnerability, they were able to make off with a lot of highly sensitive personal information, found unencrypted, including Social Security numbers, online banking transaction data, contact information and even credit card numbers.
How does this kind of thing happen? In our experience, it usually develops over time, masked by years of network evolution, mergers and acquisitions, or simple neglect. It’s homegrown IT, implemented to save money or perform a specific task at a point in time.
With FTP servers these scenarios come about because someone once—in a time before online collaboration tools like Google Drive, Dropbox, OneDrive and Box—needed to send files to close a business deal ASAP and so an IT guy, tasked with figuring it out, cobbled together a fix. Problem solved, the server was called on to perform the task now and again. Then, as more convenient means of sending large files became available, that FTP server became less and less useful but was never disabled.
Consider the implications for your business when hackers are working overtime to access a business’s valuable intellectual property. Whether it’s financial resources, business plans, personnel records, trade secrets or customer lists and sales projections, your business relies on data. When hackers access your data they can have a direct effect on your bottom line and reputation. The Ponemon Institute says the average data breach last year cost companies an estimated $4 million.
Leaving an FTP server unsecured is like parking your car on the street, leaving the doors unlocked and the keys in the ignition. Sure, you’ll probably get away with it for a while, but all it takes is for one curious individual to walk by.
Today there are still a number of FTP servers sprinkled among corporate networks of every stripe (and we know because we encounter them all the time). In most cases these servers are almost completely forgotten. They are well known to the hacking community, which is always looking for back doors into the network. Hackers know there are unsecured FTP servers out there; they know how to knock so that the doors open wide for them.
This scenario is most prevalent in cases where the network has grown over time and where consolidation has been the norm. The financial services industry is one such example, where a small chain of community banks merged to create a regional chain that was acquired by a national brand. With each step technology was layered in, but legacy systems may have remained in place.
In 2016, there aren’t many good reasons for an enterprise to be running 1990s tech, and yet it’s more common than you’d think, which is why it’s important to make sure you know what’s lurking in the shadows.
About Greg Hoffer
Greg Hoffer is Vice President of Engineering at Globalscape, where he leads the product development teams responsible for the design and engineering of all of Globalscape's products.