On a project I had to use unsecured FTP to connect to the hosting provider - not SFTP, not FTPS. The hosting provider proudly claims it's ISO 27001 certified. Somehow this all seemed quite wrong to me.

Is it possible that a company gets ISO 27001 certification while still heavily making use of insecure protocols like FTP?

I'm not on this project anymore, I didn't get a proper answer when I asked in the past and I will definitely not get an answer if I ask the service provider about this now.

I'm mainly interested in knowing how this works out in relation to ISO 27001 - and consequently how much value I can place in this certification.

Is whoever gives out these certifications indifferent to an organization using FTP? Or is it more likely that the service provider kept this information away from the certifier?

Personally I don't trust any internet service provider that still uses FTP for anything. Let alone providing it as the primary option to their clients.

(I know the difference between FTP, SFTP and FTPS - well the difference between the latter 2 a bit less but that's beyond this question.)

Related but not duplicate:


UPDATE: Unsecured data WAS transmitted over an insecure channel. With a man-in-the-middle attack, skilled attackers would have easily been able to gain access to the internal network of the institution (I won't provide details here, but wow... I could've probably done it myself - and I'm not a pentest pro by any means). The service provider must have been aware of this.

the
  • This is often an issue of terms. When people talk about FTP they often mean FTPS or even SFTP. Both protocols are encrypted and as such not insecure in the way I think you meant it. Please ask them if they support SSL or SFTP. – davidb Oct 29 '15 at 11:46
  • I'm not an ISO27001 guy but I can at least explain the difference between FTPS and SFTP. FTPS is the FTP protocol with SSL added. SFTP is another protocol which is mostly implemented as a subsystem of SSH and as such allows certificate-based authentication and not only password-based auth. – davidb Oct 29 '15 at 11:57
  • 27001 isn't a list of "you can/can't do this", it's about risk assessment and good practice. Sending unencrypted data over a secure connection may be OK, sending encrypted data over an insecure connection may also be OK. Equally they may not, depending on what/how you're doing it. The real question is "Is your data safe, and have you taken every sensible precaution to ensure it is?" – Jon Story Oct 29 '15 at 16:19
  • @JonStory ISO27001 (and similar standards for non-IT areas) explicitly does *not* require "have you taken every sensible precaution to ensure it is"; it is sufficient to have a policy that acknowledges that you haven't taken a bunch of very sensible precautions and that you simply accept the risks caused by that. – Peteris Oct 29 '15 at 19:06

1 Answer

ISO 27001 does not specify which protocols should be used or how they should be used; it specifies how an organization should structure its information security apparatus. An ISO 27001 certified organization must have policies in place and procedures to make sure the policies are adhered to.

ISO 27001 also has a scope, defined by the organization, which can make an enormous difference to the impact of the certification. A certification which covers the network-enabled coffee machine is a bit different from one which covers the entire business. The ISO 27001 certification in the case of your question may not have the FTP server in scope.

FTP is perfectly acceptable to use in cases where the data transferred is public, or there are other controls in place to protect the data. If the data is encrypted before transit and there is a good verification system to ensure the data is not tampered with, then sending it over a non-encrypted channel is OK. From an ISO 27001 perspective, if the organization has performed a risk assessment and gone through a process to mitigate the risk, then it's done what it is supposed to do.

GdD
  • Any management certification just means that the organization has a **management** system for that part. So basically it means they have given some thought to it and written down some rules. They also know how to handle violations of their own rules. But if your basic premise is "fuck the customers and their data, I don't care about them" you can build a perfectly fine ISMS on that. – Josef Oct 29 '15 at 14:29
  • Data was not public, no other controls were in place. And the data also included code. But overall I guess it's fair to conclude ISO 27001 doesn't mean much at all - and @josef's basic premise seemed to have definitely been applied by the company I dealt with. – the Oct 29 '15 at 17:24
  • It means that the company has a form of IT security management in place, but it isn't a clean bill of health. – GdD Oct 29 '15 at 21:26
  • @KasperSouren ISO 27001 **does** mean much! Just not what you think it means. It means the **management** has given thought to information security and put in place processes to make sure the information security of the company is at a certain level and there are ways to detect and respond to incidents. But it doesn't force any specific level of security or specific protection etc. But think about this: if a company with a proper ISMS only accepts file uploads with insecure FTP, it means they **thought about this** and decided either it's not their problem or they don't care. – Josef Oct 30 '15 at 08:16
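The compensating control GdD's answer describes (encrypt and integrity-protect the file before it ever reaches the plaintext FTP channel), as an added example that is not part of the original answer or the provider's setup: AES-256-GCM in Go, with the file name bound as associated data; it assumes the key is exchanged out of band and that only the sealed blob is uploaded.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)
func newGCM(key []byte) (cipher.AEAD, error) { // AES-256-GCM for a 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates file bytes; only nonce || ciphertext || tag crosses the
// plain FTP channel. Key is shared out of band (assumption); the file name is bound as
// associated data so a swapped or renamed blob fails verification on the receiving side.
func Seal(key, plaintext, filename []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, filename), nil
}

// Open checks the tag before releasing any plaintext: an altered byte or wrong name is rejected.
func Open(key, sealed, filename []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return nil, errors.New("sealed blob too short to hold nonce and tag")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], filename)
}
func main() {
	key := make([]byte, 32) // constructed all-zero demo key; generate randomly in practice
	sealed, _ := Seal(key, []byte("constructed sample contents"), []byte("backup.tar"))
	sealed[len(sealed)-1] ^= 1 // one byte altered in transit
	_, err := Open(key, sealed, []byte("backup.tar"))
	fmt.Println("tampered download rejected:", err)
}
```

Anyone on the path sees only ciphertext, and any modification, truncation or file swap fails at Open before a byte of plaintext is released.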