Security Basics mailing list archives
Re: Re[2]: Flash Drive Policy
From: "Lucas Lyon" <lucas.security () gmail com>
Date: Thu, 16 Oct 2008 19:40:08 -0500
Windows operating systems make a clear distinction between USB storage devices and USB input devices. USB storage devices may be disabled completely in the Windows registry, and USB keyboards and mice will still function normally.

On Microsoft Windows systems, the following key controls functionality of USB storage devices:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

The 'Start' value disables/enables USB storage. Switch this value to 4, and USB storage devices are disabled. Switch this value to 3, and USB storage devices are enabled.

Additionally, there are usbscan, usbprint, usb aapl, usb ehci, usbhub, usbscan within the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key. I have not ever had a need to disable any of the others, but I would imagine that something could be done.

I would agree that USB storage devices are unwelcome in the enterprise workplace, my opinion being based on the damage I have seen caused by them firsthand whilst performing audits/assessments. Additionally, there are USB-based toolkits in the wild that can pull nearly every password contained within a Windows system within seconds, and even leave behind a nice backdoor, admin account, or keylogger as well. I have to say that the combination of end-user local administrative rights combined with USB storage devices can be a very destructive thing indeed.

One solution I have seen that works well enough is called USB-Defender™ by a company called TriGeo. This combines what I would define as an administrative rootkit "Agent" with administrative monitoring and control software, and a rack mount hardware device capable of IDS behavior. From what I have seen it is an excellent platform to provide additional end user security/monitoring/control. Here is a link for clarity:

http://www.trigeo.com/products/usbdefender/

Lucas S. Lyon
Information Security Analyst
(225) 253-1716

This Email is covered by the Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2521 and is legally privileged. The information contained in this Email is intended only for the use of the individuals or entities named above. Unauthorized dissemination of this message or its contents is prohibited.

On Thu, Oct 16, 2008 at 3:15 PM, Adam Pal <pal_adam () gmx net> wrote:
Hello Steve,

There is also sanctuary device control which provides the same level of control as you described below.

BUT: I disagree that you don't care what happens to them, see, by the encryption of the USB, you provide the control on the devices and the user but not on the content. If one of the devices can be used to load malicious code on the USB, you have an uncontrolled "virtual" data flow by the USB.

--
Best regards,
Adam Pal

Wednesday, October 15, 2008, 11:59:45 AM, you wrote:

<==============Original message text===============
SA> Jon,
SA>
SA> But now you have expanded the argument as Users should not be operating
SA> CIS equipment as administrators. USB is not at fault here it is the
SA> risk owners not actually getting a grip and reducing the risks they own.
SA> I too have seen systems where users are logging on as Admin (and we were
SA> even asked to undertake penetration testing against the internal LAN!),
SA> but these are not LANs that can be secured.
SA>
SA> However, the software we use (on correctly configured networks) is
SA> http://www.becrypt.com/uk/solutions/connect_protect.php which works
SA> very nicely, and on the Gov systems that we advise on we implement
SA> encryption on the USB sticks too - that way we don't care what happens
SA> to them; if they connect they are encrypted and if the user is not
SA> authorised to use that device or it is not encrypted, then it is not
SA> accessible.
SA>
SA> Steve
SA>
SA> -----Original Message-----
SA> From: listbounce () securityfocus com
SA> [mailto:listbounce () securityfocus com]
SA> On Behalf Of Jon Kibler
SA> Sent: Sunday, October 12, 2008 2:39 PM
SA> To: Steve Armstrong
SA> Cc: Steven Bonici; security-basics () securityfocus com
SA> Subject: Re: Flash Drive Policy
SA>
SA> * PGP Signed by an unknown key
SA>
SA> Steve Armstrong wrote:
SA> I must take issue with your 2nd point as I believe the 'head in the
SA> sand' approach to USB devices is so 1990's. USB is used in most
SA> businesses and it will continue to increase with the demise of open
SA> network shares on Corp lans (aka the swap share) and the introduction
SA> of desktops to the Corp environment without ps/2 interfaces. I agree
SA> that policy and appropriate software can reduce the risk from USB
SA> devices but that is not our call (security advisors) it's the risk
SA> owners - who in my experience are some of those asking for them in
SA> the first place.
SA>
SA> Steve,
SA>
SA> The problem I have is that most risk owners do not understand security
SA> and the regulatory and business policies that drive them. That is why
SA> security develops and deploys security policy. So, I would argue that it
SA> IS the place of security to set policy for USB devices.
SA>
SA> Regarding network shares, a lot of organizations are moving to all
SA> network based storage, and either thin clients or no data stored on
SA> local desktops. In such an environment, sharing data simply becomes a
SA> matter of setting the correct access permissions. Collaboration software
SA> suites (sharepoint, zimbra, etc.) are also being used to accomplish such
SA> sharing.
SA>
SA> Then, at least here in the states, we have regulatory issues that come
SA> into play when you look at removable media issues. When you have to have
SA> full audits of "who did what to this data, how, when, and from where",
SA> the use of USB or other removable media simply makes these types of
SA> audit trails impossible. So, I stick with my original statement that
SA> there is no place for USB or other removable media in the workplace.
SA>
SA> Finally, you indicated that there is 'appropriate software' that can
SA> reduce the risks associated with USB drives. Please give some examples!
SA> I have not seen any type of USB management software that cannot be
SA> easily defeated by the typical desktop user -- especially if they have
SA> local admin rights (which I find over 95% of all corporate desktop users
SA> have!). I have yet to find a USB management package that would prevent
SA> an attack as simple as plugging in a USB hub and using it to share your
SA> rodent and a USB drive.
SA>
SA> So, bottom line... I have to disagree. I stick by my argument that you
SA> should not allow any USB or other removable media in the workplace.
SA>
SA> Jon
SA> --
SA> Jon R. Kibler
SA> Chief Technical Officer
SA> Advanced Systems Engineering Technology, Inc.
SA> Charleston, SC USA
SA> o: 843-849-8214
SA> c: 843-224-2494
SA> s: 843-564-4224
SA> http://www.linkedin.com/in/jonrkibler
SA>
SA> My PGP Fingerprint is:
SA> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
SA>
SA> * Unknown Key
SA> * 0xCF394253(L)
SA>
SA> ==================================================
SA> Filtered by: TRUSTEM.COM's Email Filtering Service
SA> http://www.trustem.com/
SA> No Spam. No Viruses. Just Good Clean Email.
SA>
SA> The information contained in this e-Mail and any subsequent
SA> correspondence is private and is intended solely for the intended
SA> recipient(s). The information in this communication may be
SA> confidential and/or legally privileged. Nothing in this e-mail is
SA> intended to conclude a contract on behalf of Logically Secure Ltd
SA> or make Logically Secure Ltd subject to any other legally binding
SA> commitments, unless the e-mail contains an express statement to
SA> the contrary or incorporates a formal Purchase Order. For persons
SA> other than the intended recipient any disclosure, copying,
SA> distribution, or any action taken or omitted to be taken in
SA> reliance on such information is prohibited and may be unlawful.
SA> Registered in England and Wales No: 05967368. Registered Office: 36 Tudor Road, Lincoln, LN6 3LL.
<===========End of original message text===========
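
The UsbStor 'Start' check described in Lucas Lyon's reply above, as an added PowerShell example that is not part of the original posts. The function names Get-UsbStorState and Set-UsbStorDisabled are hypothetical; the key path and the meanings of 3 and 4 are taken from the post.

```powershell
# Added example: audit, and optionally enforce, the UsbStor 'Start' value.
# Function names are hypothetical; key path and the 3/4 meanings come from the post.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'

function Get-UsbStorState {
    # Report the current state without changing anything.
    if (-not (Test-Path -Path $UsbStorKey)) {
        $start = $null
        $state = 'KeyMissing'
    }
    else {
        $prop  = Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue
        $start = $prop.Start
        if     ($null -eq $start) { $state = 'ValueMissing' }
        elseif ($start -eq 3)     { $state = 'Enabled' }    # USB storage allowed
        elseif ($start -eq 4)     { $state = 'Disabled' }   # USB storage blocked
        else                      { $state = 'Other' }      # some other start type
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Start    = $start
        State    = $state
        Checked  = Get-Date
    }
}

function Set-UsbStorDisabled {
    # Set Start = 4 only when needed; requires an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $before = Get-UsbStorState
    if ($before.State -eq 'Disabled') { return $before }
    if ($before.State -eq 'KeyMissing') {
        throw "UsbStor service key not found at $UsbStorKey"
    }
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 4 (disable USB storage)')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
    Get-UsbStorState   # re-read so the caller sees the resulting state
}

# Audit only; call Set-UsbStorDisabled (add -WhatIf for a dry run) to enforce.
Get-UsbStorState
```

A user with local administrative rights can set the value back to 3, so the audit function is meant to be run repeatedly and its State column compared against policy, not applied once.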