I received an Asset Security report from our insurance company, and unfortunately, they rated the site I manage as "Poor." There are several issues to address, but I want to focus on the top three critical findings:
1. **CRITICAL**: An FTP service was detected, which means we're potentially transmitting sensitive information unencrypted.
2. **HIGH**: A POP3 service was also found, but it sends credentials in plain text, making it a security risk unless encrypted.
3. **HIGH**: There's an IMAP service observed that could allow unauthorized mail access if not secured properly.
I'm looking for advice on how to resolve these issues effectively.
3 Answers
Just switch to SFTP and consider using Microsoft 365 for email—it's a great combo to address these issues. Quick and easy solution!
You definitely want to avoid running FTP as it’s entirely unencrypted, exposing your login credentials in plain text. Instead, switch to something more secure like FTPS or SFTP for file transfers. As for the email concerns, there are definitely steps you can take to secure POP3 and IMAP, but I'll let someone else chime in on that!
This issue is super common with many default web hosting setups. Typically, they scan for any open service ports, and if they find any that are insecure, it raises a big red flag. If you manage the web server, consider closing the ports for any unused services through your firewall. Turning them off alone might not be enough. If that’s not an option, you might want to use a proxy service like CloudFlare to mask your server’s IP address during scans.
Great suggestion! Just a heads-up about FTP: if you’re not actually using it, you should disable it completely in your settings. Not running it at all is the best way to avoid that security flag.
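To check the points raised in the answers above in one place, here is an added POSIX shell audit (not code from the thread) that reads `ss -Hltn` style output and reports any of the three flagged plaintext services (FTP/21, POP3/110, IMAP/143) that are bound to a non-loopback address, pairing each with the disable-or-encrypt advice given above. The sample socket lines are constructed for the example; on a live host you would pipe real `ss -Hltn` output into `audit_listeners`.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a host for the three plaintext
# services the insurer flagged (FTP/21, POP3/110, IMAP/143) using the output of
# `ss -Hltn` (one LISTEN socket per line, local address:port in column 4).

# Map a flagged port to the encrypted replacement or the "disable it" advice.
replacement_for() {
    case "$1" in
        21)  echo "FTP: disable it, or replace with SFTP (22) or FTPS" ;;
        110) echo "POP3: disable it, or allow only POP3S (995) / STARTTLS" ;;
        143) echo "IMAP: disable it, or allow only IMAPS (993) / STARTTLS" ;;
        *)   return 1 ;;
    esac
}

# Read ss lines on stdin; print one finding per flagged port bound to a
# non-loopback address. Exit status 1 when anything exposed was found.
audit_listeners() {
    found=0
    while read -r line; do
        local_addr=$(printf '%s\n' "$line" | awk '{print $4}')
        port=${local_addr##*:}
        host=${local_addr%:*}
        case "$host" in
            127.*|"[::1]") continue ;;   # loopback-only: not reachable by the scanner
        esac
        if advice=$(replacement_for "$port"); then
            echo "EXPOSED $host port $port -> $advice"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample of `ss -Hltn` output (not taken from a real host).
SAMPLE='LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 127.0.0.1:110 0.0.0.0:*
LISTEN 0 128 [::]:143 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Count exposed findings in the sample: FTP on 0.0.0.0 and IMAP on [::] (POP3 is
# loopback-only and SSH is not a flagged protocol), so this returns 2.
count_sample_findings() {
    printf '%s\n' "$SAMPLE" | audit_listeners | grep -c EXPOSED
}

# Live use on the server itself: ss -Hltn | audit_listeners
```

A listener that is bound only to 127.0.0.1 is not what the insurer's scanner sees, so the check skips it; what remains is exactly what a firewall rule or disabling the service must remove.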