FTP No Option, Even For Small Media Companies

Megan Cater

For decades, FTP (file transfer protocol) has been used in the media and entertainment industry to move files between servers and for distributing them around the world. And for just as long, cybersecurity experts have been warning of its potential threat to network security, intellectual property and privacy. Nevertheless, FTP has persisted.

A 2016 study called FTP: The Forgotten Cloud conducted by the University of Michigan revealed more than 13 million FTP servers in use, with 1 million configured to allow anonymous access, potentially exposing sensitive files and network access. And that number has likely only grown over the last few years.

In a recent research report examining the most common file sharing services across the Internet, Digital Shadows found over 3 petabytes of data exposed through FTP servers. Considering the proliferation of FTP throughout the media content supply chain, especially among small post houses, a substantial portion of that data could be valuable media assets.

The Increasing Ban On FTP

In fact, just last year HBO, Netflix and Disney dealt with security breaches that, according to Alex Heid, chief research officer at Security Scorecard, can likely be traced to hackers exploiting FTP used by third-party post-production companies.

“A lot of the time the people doing the editing have access to confidential, highly secure information just so they can access files they need quickly,” said Heid in an interview with Polygon. “The hacker underground has figured out how these transfers are being done and how to get into a company’s main database through that.”

“Using an FTP goes back to the beginning of the Internet,” Heid continued. “It’s not a very secure method…. There may not be any password in place. But, once an attacker has that, they can essentially log in to the entire network.”

In response to all of this, most major media enterprises have banned FTP, requiring that all partners use secure accelerated file transfer solutions like Signiant’s. And they are not alone in the understanding of the interconnected nature of the media industry’s digital content supply chains, or the need for more advanced technology (both in terms of speed-of-delivery and security).

Pushing for higher security standards across the industry in Europe, the Digital Production Partnership is one example of a trade group that is taking on the problem. Companies that have banned FTP are doing so in favor of technology that meets guidelines like the DPP’s Committed to Security Programme (CTS).

“As concern about cybersecurity grows there have been repeated calls for more consistent practice regarding security measures,” said DPP Managing Director Mark Harrison when the program was launched last year. “But, without a common frame of reference, this has been difficult for suppliers. The DPP’s Committed to Security Programme establishes such a best practice framework.”

“No scheme can ever guarantee the removal of all cybersecurity breaches,” added Harrison. “By displaying the DPP Committed to Security logo, companies are indicating to their customers that they are addressing cybersecurity in a structured fashion. This is particularly important in multi-vendor environments where continuous change also requires continuous vigilance.”

To develop their guidelines, the DPP worked with a group of DPP Member security experts and quality assurance expert Eurofins Digital Testing on two self-assessment CTS checklists for broadcast and production.

The production checklist includes 50 line items under categories: policy and procedures, physical security, incident management and recovery planning, IT security, commercial and legal considerations, training and awareness, long-term preservation, business continuity and resilience. For broadcast, the list is slightly shorter at 30 lines with detailed requirements around product security documentation and testing, authentication and controls.

The guidelines provide a common framework for addressing cybersecurity to help suppliers demonstrate their commitment to security best practices. Signiant was one of the first 20 companies to receive a DPP ‘Committed to Security’ Mark in both production and broadcast.

Other standards such as World Broadcasting Union’s cyber security recommendations for media vendors’ systems, software and services are likewise asking vendors to discontinue using FTP.

While encrypted protocols like SFTP and FTPS are allowed with WBU’s recommendations, they do not address latency and bandwidth issues that make using even secure versions of FTP impractical for modern global media workflows.

A New Era Of File Transfer

FTP was once the best way to move large files over the Internet. Given enough time and tolerant network conditions, the protocol still works, and many businesses have legacy systems that rely on it. In truth, companies that do not partner with the big players or do not handle high-value content are probably not yet concerned with FTP-related security breaches. They may even welcome some hacking-related attention to their content.

However, the media industry ecosystem is vastly interconnected and most companies take part in it at some level (or at least want to). Any given file for any given film or episodic series moves across the world multiple times and visits multiple servers along the way.

In order to stop what Alex Heid called an ongoing series of “repeatable attack scenarios,” security needs to be everyone’s concern, and that very well may hinge on replacing outdated FTP systems across the industry.

Megan Cater is senior manager of digital content at Signiant. She specializes in technical copywriting, content strategy and user experience design and is currently a graduate student in Bentley University’s MS Human Factors in Information Design program. Connect with her on LinkedIn.