Solved

Secure USB Access.

Posted on 2013-11-15
552 Views
Last Modified: 2013-12-02
Hello Experts,

We have around 830 computers at our premises and every user has USB access. They can use portable HDDs and USB flash memories at any time.

As we all know, USBs are a big security hole within the organization. We cannot block USBs due to business reasons.

We are using Kaspersky Endpoint Security 8.0 on the workstations.

I am looking for a solution which can guarantee 100% safety in the use of USBs.
0
Question by:cciedreamer
26 Comments
 
LVL 70

Expert Comment

by:garycase
ID: 39651699
Given this comment: "... We cannot block USB's due to business reasons."

... there's no way you can "guarantee 100% safety" with their use. All you could do is install tracking software that would provide a lot of what was copied to USB devices ... but this would require audits to identify any unauthorized usage.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39652001
There are options to mitigate risks introduced (confidentiality, integrity, availability, etc.) by portable devices, such as Software Restriction Policies, AppLocker Policies, and Data Loss Prevention (DLP). Whitelisting applications via AppLocker would be a good measure. You'll also want to ensure all Windows systems are using the Enhanced Mitigation Experience Toolkit (EMET). You'll also want to consider confidentiality risks associated with mobile data both in transit and at rest (e.g. encryption).

References
Thumb Drive Threats and Countermeasures in a Microsoft Windows Environment
USB Drives, Portable Storage Devices and Physical Security
USB – Ubiquitous Security Backdoor
Security Threats and Mitigating Risk for USB Devices

Here's a product worth reviewing:
http://support.frontrange.com/ProductsSolutions/category.aspx?id=13190
0
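Before enforcing the AppLocker whitelisting suggested in the comment above, it is worth knowing what the policy currently in force would decide for code sitting on a removable drive. The following PowerShell is an added example written for this thread, not code from any of the participants or from Microsoft's documentation; it assumes the removable device is mounted as E:\ (a placeholder), that the AppLocker module is available (Windows 7 Enterprise/Ultimate or later), PowerShell 3 or newer, and an elevated console.

```powershell
# Added example (not from the thread): evaluate the effective AppLocker policy against
# every executable, DLL, script and installer found on a removable drive, so a gap
# ("code from USB would still run") is visible before the policy is rolled out.
# Assumptions: E:\ is the mounted USB device (placeholder), AppLocker module present,
# PowerShell 3+, run from an elevated console.

Import-Module AppLocker

$removableRoot = 'E:\'                                          # placeholder drive letter
$policyXml     = Join-Path $env:TEMP 'effective-applocker.xml'

# 1. Export the policy actually in force (local policy merged with domain GPOs) as XML.
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $policyXml -Encoding unicode

# 2. Gather the file types AppLocker governs: executables, DLLs, scripts, installers.
$candidates = Get-ChildItem -Path $removableRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.(exe|com|dll|ocx|ps1|bat|cmd|vbs|js|msi|msp)$' }

if (-not $candidates) {
    Write-Host "No AppLocker-governed files found under $removableRoot"
    return
}

# 3. Ask AppLocker for a verdict per file, evaluated as a standard user.
#    Decisions: Allowed, Denied, AllowedByDefault (collection not enforced), DeniedByDefault.
$verdicts = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidates.FullName -User 'Everyone'

$verdicts | Sort-Object PolicyDecision |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Anything that would execute from removable media is a gap if the intent is
#    "no code runs from USB".
$wouldRun = $verdicts | Where-Object { $_.PolicyDecision -in 'Allowed', 'AllowedByDefault' }
Write-Host ("{0} of {1} files under {2} would be allowed to execute" -f
    @($wouldRun).Count, @($verdicts).Count, $removableRoot)

# 5. For files that legitimately must stay allowed (a signed corporate tool, say), pull the
#    publisher/hash details that New-AppLockerPolicy needs, so the rule can be built on the
#    publisher or hash rather than on a path that any USB stick could imitate.
$wouldRun | ForEach-Object { Get-AppLockerFileInformation -Path $_.FilePath } |
    Select-Object Path, Publisher, Hash | Format-List
```

Run it with the drive mounted; if no AppLocker rule collections are enforced at all, every file comes back as AllowedByDefault, which is itself the finding.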
 
LVL 25

Expert Comment

by:madunix
ID: 39652318
"......... We cannot block USB's due to business reasons ................."
Don't assume that technology will solve all known threats around data loss, because it won't. Technology solutions are only part of the story of DLP; IT staff and CTOs/CIOs need to understand the threats and how they work, so you need to change your policy.

I know some organisations that have physically disabled their USB ports; also there is software that forces data being transferred to USB to be encrypted, so it protects if it is not an organization-approved device. In our environment USB drives are by default disabled through group policy enforcement.

In your case you can think of some good commercial DLP options (Fortigate, Sophos, ...); also check out CounterACT (http://www.forescout.com/), a commercial product for monitoring client activity.

More info:
http://www.youtube.com/watch?v=NJu0De3XUJY
http://okt.to/d5mG4E
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39653106
Basically we have allowed USB access so that users can do their homework and bring documents to the office to be copied to their respective.

Since I can see that giving USB access is not the solution.

Is there any enterprise solution for downloading/uploading documents? It could be integrated with Windows Active Directory. Moreover, it should be secure and provide encryption.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39653506
You may want to consider cloud based storage solutions as well.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39653509
I want to host the files with us.

Thanks
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39664745
Go to gfi.com and look at their endpoint security product. It will monitor and/or constrain any files getting moved to/from USB sticks. Lots of flexibility on configuring what can and cannot be read or written based on source/destination and computer and/or user login privileges.

As you've been told, there is nothing that is 100% effective. But if every system is running the GFI agent then it will be difficult to compromise ... especially if you have the software monitor for systems rebooting or going offline. That is a tell-tale indication that somebody is trying to circumvent the software.
0
 
LVL 62

Expert Comment

by:btan
ID: 39664854
Windows has group policies to allow authorised external portable storage, and so catch these settings, which also try to prevent malicious drive usage:
http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices#3._Locking_down_Windows_and_Linux_against_Malicious_USB_devices

Likewise, having to encrypt the external storage will maintain confidentiality for data at rest, especially in loss events, which are common.
0
 
LVL 62

Expert Comment

by:btan
ID: 39664863
Understand Kaspersky also has device control with access lists that may be good to leverage for further tightening.

http://support.kaspersky.com/7467

You may even consider temporary access for shared workstations. See

http://support.kaspersky.com/learning/courses/kl_102.98/chapter3.3/section4

Overall, if trusted devices are infected, the other AV and host intrusion prevention controls in Kaspersky should kick in. Excluding unknown zero days.
http://support.kaspersky.com/learning/courses/kl_102.98/chapter3.3
0
 
LVL 12

Expert Comment

by:TapeDude
ID: 39665666
Is your main concern people walking off with confidential data... or someone introducing a virus (a la STUXNET) via the OS automatically running any software on a USB storage device when it's inserted?

If it's the latter, you can turn off Autorun. Here's an MS article on the subject:

http://support.microsoft.com/kb/967715
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39665694
Why the need for encryption at all? What is the concern with USB as a security issue? Is it bringing in viruses or transferring viruses from one PC to the other? Is it loss of information by users copying files to their USB sticks?

If there is a reason to encrypt, make sure you understand what encryption is doing; I wrote an article on it: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html

To me it sounds like you want users to upload their documents to one location? I'm not seeing the security angle yet. BitLocker and GPOs can "force" the use of BL encryption on USB or portable HDDs, but it may be a restriction that the users are not happy with. They might not want to use BL encryption because they use Macs with their USB sticks and would not be able to, because BL doesn't work on Mac/Apple.

I don't see a way to require encryption in a campus environment unless you're issuing the USB drives with the encryption on them already. If they don't have the drive, then no USB file transfer.

Forcing USBs to be encrypted isn't something I can see at the school/college level for students, since they can probably access their email via a web browser and just download the files that way too. I need more direction as to why USB is the focus and what the goal is.
-rich
0
 
LVL 62

Expert Comment

by:btan
ID: 39666124
Encryption is to protect data at rest, but true enough, and I also see that staff would not be bothered or even want that unless mandated to comply. If there is a means of transparent on-the-fly decryption it may help, but only in a specific custom device or a specific machine with that agent to decrypt. Some even come with 2FA before you can open the content in the portable storage. Encryption only makes sense to protect data, but that doesn't mean the data is trusted or that we can trust the storage device used. We can as much enforce authorised devices and restrict such device use to allowed machines or locality zones. Data leakage and mass infection vectors always link back to portable storage as the culprit. Do have a usage policy and awareness training too.
0
 
LVL 4

Expert Comment

by:FutureTechSysDOTcom
ID: 39666499
100% guaranteed safety is easy with this.

You simply need to get some good 2 part epoxy and fill up every USB port on every machine with it.

The tricky part will be using the computers with no mouse or keyboard.
0
 
LVL 12

Expert Comment

by:TapeDude
ID: 39666613
@FutureTechSysDOTcom: just use machines with the old PS2 connectors for keyboard & mouse. Sorted! ;-)
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39666693
There are PS2->USB adapters one could use to defeat this. Face it, the only 100% effective way is to do what they do at some of the places I go to. They first remove the temptation by not having USB ports in the first place.

Secondly, and the most effective means ... 6'8" marines with machine guns, metal detectors, searches, and imminent threat of prison.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39666705
Other than that, look at my post on buying the GFI software.   It monitors all systems for going offline (red flag), and it monitors all systems for USB insertion or copying files to an external device, USB stick, or even network location.

Really no way around that as long as all the systems are running GFI.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39666797
Windows has its own less intrusive and native controls for "mass storage" devices, allowing you to effectively ban flash or USB HDDs, and still allowing keyboard and mouse.
There is no security threat specified by the author, just a mention of USB as being a potential security concern; we need more info. To disable mass storage:
@ECHO OFF
REM USBSTOR Start type: 3 = manual (driver loads on demand, mass storage usable), 4 = disabled
REG ADD HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\USBSTOR /V Start /T REG_DWORD /D 3 /F
REM DenyDeviceClassesRetroactive=0 means devices already installed in a denied class stay usable
REG ADD HKLM\Software\Policies\Microsoft\Windows\deviceInstall\Restrictions /V DenydeviceClassesRetroactive /T REG_DWORD /D 0 /F
echo ........USB Mass Storage has been enabled........

-rich
0
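Several of the comments above (the group-policy restrictions, the Autorun fix from KB967715, the USBSTOR registry settings, and the audit trail garycase mentioned) all come down to a handful of registry locations on each workstation. The PowerShell below is an added example written for this thread, not code from any participant or vendor; it reads those locations and reports the state of removable-storage controls on one machine, plus every USB storage device Windows has ever enumerated there. It assumes the documented registry paths shown in the code, Windows 7 or later, and an elevated console; it changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the Windows removable-storage
# controls discussed in this question. Reports:
#   1. USBSTOR driver start type (3 = manual/on demand, mass storage usable; 4 = disabled)
#   2. DeviceInstall restriction policies (deny removable devices / denied device classes)
#   3. Autorun policy value from KB967715 (0xFF = Autorun off for every drive type)
#   4. USB storage devices Windows has enumerated on this host (vendor/product/serial)
# Assumptions: documented registry paths below, Windows 7+, run from an elevated console.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-UsbStorageAudit {
    $usbstorStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    if     ($usbstorStart -eq 3) { $state = 'allowed (manual start)' }
    elseif ($usbstorStart -eq 4) { $state = 'disabled' }
    else                         { $state = 'unknown / not set' }

    $restrict  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $denyRemov = Get-RegValue $restrict 'DenyRemovableDevices'
    $denyRetro = Get-RegValue $restrict 'DenyDeviceClassesRetroactive'
    $deniedClasses = @()
    if (Test-Path "$restrict\DenyDeviceClasses") {
        # Denied device-setup-class GUIDs are stored as values named "1", "2", ...
        $deniedClasses = (Get-ItemProperty "$restrict\DenyDeviceClasses").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }

    $autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    $autorunHex = if ($null -ne $autorun) { '0x{0:X2}' -f $autorun } else { $null }

    # Every USB mass-storage device ever installed leaves a subkey here; the audit trail
    # garycase mentioned starts with this list even without third-party tracking software.
    $seen = @()
    $enum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (Test-Path $enum) {
        $seen = Get-ChildItem $enum | ForEach-Object {
            $dev = $_.PSChildName
            Get-ChildItem $_.PSPath | ForEach-Object {
                [pscustomobject]@{
                    Device       = $dev
                    Instance     = $_.PSChildName
                    FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName
                }
            }
        }
    }

    [pscustomobject]@{
        UsbStorStart                 = $usbstorStart
        UsbMassStorageState          = $state
        DenyRemovableDevices         = $denyRemov
        DenyDeviceClassesRetroactive = $denyRetro
        DeniedDeviceClassGuids       = $deniedClasses
        NoDriveTypeAutoRun           = $autorunHex
        AutorunFullyDisabled         = ($autorun -eq 0xFF)
        UsbStorageDevicesSeen        = $seen
    }
}

$audit = Get-UsbStorageAudit
$audit | Select-Object -Property * -ExcludeProperty UsbStorageDevicesSeen | Format-List
$audit.UsbStorageDevicesSeen | Format-Table -AutoSize
```

Run it on a sample of the 830 workstations (remotely via Invoke-Command if WinRM is enabled) and compare the output against the intended policy: a machine where USBSTOR is at 3 and NoDriveTypeAutoRun is unset has neither control applied, and a device list that keeps growing on a machine that should be locked down is the same "somebody is working around the control" signal dlethe describes.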
 
LVL 40

Expert Comment

by:noci
ID: 39668009
Cloud-based can be, e.g., ownCloud. Then you run the cloud show and not some other party.
0
 
LVL 16

Accepted Solution

by:Gerald Connolly (earned 500 total points)
ID: 39675997
The security-conscious organisation I help support uses this for USB control: https://www.lumension.com/data-protection/usb-security-and-encryption-software.aspx
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39688992
I give up!
-rich
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39689045
Rich - your solution is draconian, and it eliminates all USBs. The author wanted to use USBs with some sort of restrictions. I'm not the author, but I can see how your solution would not have met the author's needs.

But thanks for the tip; it is an elegant solution as long as nobody has credentials to modify the registry.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39689052
@dlethe -- And what is your assessment of my suggestions?  ID: 39652001
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39689114
The FrontRange product is probably similar to GFI, which I suggested. I have first-hand experience with GFI, but none with FrontRange, so I can't give a fair analysis. As for the rest of the links, encryption is an unworkable solution for these needs. The SANS paper was ancient and held some good info, but was dated, so most of the fixes were obsolete.
0
 
LVL 62

Expert Comment

by:btan
ID: 39689121
Probably would have considered beefing up the existing endpoint software instead of having another device control software. Operationally, patching and policy management need tighter control and a watch over for conflict and misconfiguration. Thanks, experts.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39689511
What I gave up on was what the author was after... Ensuring that the USBs are encrypted is OK, but it only solves the problem of a lost/stolen USB being read by someone unauthorized. USB as a "security concern" is much broader than lost USBs.
You can't throw encryption at everything, people :) It also doesn't sound like the author was looking for encryption at all, based on 39653106.
-rich
0
