Solved

Secure USB Access.

Posted on 2013-11-15
26
558 Views
Last Modified: 2013-12-02
Hello Experts,

We have around 830 computers at our premises and every user has USB access. They can use portable HDDs and USB flash memories at any time.

Since we all know USBs are a big security hole within the organization. We cannot block USBs due to business reasons.

We are using Kaspersky Endpoint Security 8.0 on the workstations.

I am looking for a solution which can guarantee the 100% safe use of USBs.
Question by:cciedreamer
26 Comments
 
LVL 70

Expert Comment

by:garycase
ID: 39651699
Given this comment: "... We cannot block USB's due to business reasons."

... there's no way you can "guarantee 100% safety" with their use. All you could do is install tracking software that would provide a log of what was copied to USB devices ... but this would require audits to identify any unauthorized usage.
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39652001
There are options to mitigate the risks introduced (confidentiality, integrity, availability, etc.) by portable devices, such as Software Restriction Policies, AppLocker Policies, and Data Loss Prevention (DLP). Whitelisting applications via AppLocker would be a good measure. You'll also want to ensure all Windows systems are using the Enhanced Mitigation Experience Toolkit (EMET). You'll also want to consider confidentiality risks associated with mobile data both in transit and at rest (e.g. encryption).

References
Thumb Drive Threats and Countermeasures in a Microsoft Windows Environment
USB Drives, Portable Storage Devices and Physical Security
USB – Ubiquitous Security Backdoor
Security Threats and Mitigating Risk for USB Devices

Here's a product worth reviewing:
http://support.frontrange.com/ProductsSolutions/category.aspx?id=13190
0
 
LVL 25

Expert Comment

by:madunix
ID: 39652318
"... We cannot block USB's due to business reasons ..."
Don't assume that technology will solve all known threats around data loss, because it won't. Technology solutions are only part of the DLP story; IT staff and CTOs/CIOs are required to understand the threats and how they work, so you need to change your policy.

I know some organisations that have physically disabled their USB ports; there is also software that forces data being transferred to USB to be encrypted, so it is protected if the device is not an organization-approved one. In our environment USB drives are disabled by default through group policy enforcement.

In your case you can think of some good commercial DLP options (Fortigate, Sophos, ...); also check out CounterACT (http://www.forescout.com/), a commercial product for monitoring client activity.

More info:
http://www.youtube.com/watch?v=NJu0De3XUJY
http://okt.to/d5mG4E
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39653106
Basically we have allowed USB access so that users can do their homework and bring documents at the office to be copied to their respective.

Since I can see that giving USB access is not the solution.

Is there any enterprise solution for downloading/uploading documents? It could be integrated with Windows Active Directory. Moreover, it should be secure and provide encryption.
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39653506
You may want to consider cloud based storage solutions as well.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39653509
I want to host the files with us.

Thanks
0
 
LVL 47

Expert Comment

by:David
ID: 39664745
Go to gfi.com and look at their endpoint security product. It will monitor and/or constrain any files getting moved to/from USB sticks. Lots of flexibility in configuring what can and cannot be read or written based on source/destination and computer and/or user login privileges.

As you've been told, there is nothing that is 100% effective. But if every system is running the GFI agent then it will be difficult to compromise ... especially if you have the software monitor for systems rebooting or going offline. That is a tell-tale indication that somebody is trying to circumvent the software.
0
 
LVL 64

Expert Comment

by:btan
ID: 39664854
Windows has group policies to allow authorised external portable storage, so check these settings, which also try to prevent malicious drive usage:
http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices#3._Locking_down_Windows_and_Linux_against_Malicious_USB_devices

Likewise, having to encrypt the external storage will maintain confidentiality for data at rest, especially in loss events, which are common.
0
 
LVL 64

Expert Comment

by:btan
ID: 39664863
Understand Kaspersky also has device control with an access list that may be good to leverage for further tightening.

http://support.kaspersky.com/7467

You may even consider temporary access for shared workstations. See

http://support.kaspersky.com/learning/courses/kl_102.98/chapter3.3/section4

Overall, if trusted devices are infected, the other AV and host intrusion prevention controls in Kaspersky should kick in, excluding unknown zero days.
http://support.kaspersky.com/learning/courses/kl_102.98/chapter3.3
0
 
LVL 12

Expert Comment

by:TapeDude
ID: 39665666
Is your main concern people walking off with confidential data... or someone introducing a virus (a la STUXNET) via the OS automatically running any software on a USB storage device when it's inserted?

If it's the latter, you can turn off Autorun. Here's an MS article on the subject:

http://support.microsoft.com/kb/967715
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39665694
Why the need for encryption at all? What is the concern with USB as a security issue? Is it bringing in viruses or transferring viruses from one PC to the other? Is it loss of information by users copying files to their USB sticks?

If there is a reason to encrypt, make sure you understand what encryption is doing, I wrote an article on it: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html

To me it sounds like you want users to upload their documents to one location? I'm not seeing the security angle yet. BitLocker and GPOs can "force" the use of BL encryption on USB or portable HDDs, but it may be a restriction that the users are not happy with. They might not want to use BL encryption because they use Macs with their USB sticks and would not be able to, because BL doesn't work on Mac/Apple.

I don't see a way to require encryption in a campus environment unless you're issuing the USB drives with the encryption on them already. If they don't have the drive, then no USB file transfer.

Forcing USBs to be encrypted isn't something I can see at the school/college level for students, since they can probably access their email via a web browser and just download the files that way too. I need more direction as to why USB is the focus and what the goal is.
-rich
0
 
LVL 64

Expert Comment

by:btan
ID: 39666124
Encryption is to protect data at rest, but true enough, and I also see that staff would not be bothered or even want that unless mandated to comply. If there is a means of transparent on-the-fly decryption it may help, but only in a specific custom device or a specific machine with that agent to decrypt. Some even come with 2FA before you can open the content in the portable storage. Encryption only makes sense to protect data, but that doesn't mean the data is trusted and that we can trust the storage device being used. We can as much enforce authorised devices and restrict such device use to allowed machines or a locality zone. Data leakage and mass infection vectors always link back to portable storage as the culprit. Do have a usage policy and awareness training too.
0
 
LVL 4

Expert Comment

by:FutureTechSysDOTcom
ID: 39666499
100% guaranteed safety is easy with this.

You simply need to get some good two-part epoxy and fill up every USB port on every machine with it.

The tricky part will be using the computers with no mouse or keyboard.
0
 
LVL 12

Expert Comment

by:TapeDude
ID: 39666613
@FutureTechSysDOTcom: just use machines with the old PS2 connectors for keyboard & mouse. Sorted! ;-)
0
 
LVL 47

Expert Comment

by:David
ID: 39666693
There are PS2->USB adapters one could use to defeat this. Face it, the only 100% effective way is to do what they do at some of the places I go to. They first remove the temptation by not having USB ports in the first place.

Secondly, and the most effective means ... 6'8" marines with machine guns, metal detectors, searches, and the imminent threat of prison.
0
 
LVL 47

Expert Comment

by:David
ID: 39666705
Other than that, look at my post on buying the GFI software. It monitors all systems for going offline (red flag), and it monitors all systems for USB insertion or copying files to an external device, USB stick, or even a network location.

Really no way around that as long as all the systems are running GFI.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39666797
Windows has its own less intrusive and native controls for "mass storage" devices, allowing you to effectively ban flash or USB HDDs while still allowing keyboard and mouse.
There is no security threat specified by the author, just a mention of USB as being a potential security concern; we need more info. To disable mass storage:

@ECHO OFF
REM USBSTOR driver start type: 3 = start on demand (the mass storage driver
REM loads when a device is plugged in), 4 = driver disabled. This writes 3.
REG ADD HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\USBSTOR /V Start /T REG_DWORD /D 3 /F

REM Device Installation Restrictions policy: 0 = do not apply device-class
REM denials retroactively to devices that are already installed.
REG ADD HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions /V DenyDeviceClassesRetroactive /T REG_DWORD /D 0 /F
echo ........USB Mass Storage has been enabled........

-rich
0
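The registry settings that Rich's script and TapeDude's Autorun post refer to (USBSTOR start type, the DeviceInstall restriction policy, and the NoDriveTypeAutoRun value from KB967715) as a read-only audit script. This is an added example, not code from the thread; it assumes an elevated PowerShell session and the standard key paths, and the check on DenyRemovableDevices is an assumption not mentioned in the posts.

```powershell
# Added example (not from the thread): read-only audit of the USB lockdown
# settings discussed above. Nothing here writes to the registry.

$UsbStorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$DevInstKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$ExplorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist (policy not set)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-UsbLockdownState {
    # USBSTOR Start: 3 = demand start (mass storage usable), 4 = driver disabled
    $start = Get-RegValue $UsbStorKey 'Start'
    $usbStor = if ($null -eq $start) { 'value absent (defaults to enabled)' }
               elseif ($start -eq 4) { 'disabled (Start=4)' }
               elseif ($start -eq 3) { 'enabled (Start=3, demand start)' }
               else                  { "non-standard Start=$start" }

    # GPO "Prevent installation of removable devices" (1 = deny)
    $denyRemovable = Get-RegValue $DevInstKey 'DenyRemovableDevices'
    $denyText = if ($denyRemovable -eq 1) { 'enforced' } else { 'not set' }

    # GPO "also apply to matching devices that are already installed" (1 = yes)
    $retro = Get-RegValue $DevInstKey 'DenyDeviceClassesRetroactive'
    $retroText = if ($retro -eq 1) { 'yes' } else { 'no' }

    # NoDriveTypeAutoRun (KB967715): bit 0x04 = removable drives, 0xFF = all
    $autorun = Get-RegValue $ExplorerKey 'NoDriveTypeAutoRun'
    $removableAutorunOff = ($null -ne $autorun) -and (($autorun -band 0x04) -ne 0)
    $autorunText = if ($null -ne $autorun) { '0x{0:X2}' -f $autorun } else { 'not set' }

    [pscustomobject]@{
        UsbStorDriver           = $usbStor
        DenyRemovableDevices    = $denyText
        DenyClassesRetroactive  = $retroText
        NoDriveTypeAutoRun      = $autorunText
        RemovableAutorunBlocked = $removableAutorunOff
    }
}

Get-UsbLockdownState | Format-List
```

A host reports "disabled (Start=4)" and RemovableAutorunBlocked = True only when both the driver and Autorun controls are in place; anything else is a gap worth putting in the audit trail garycase mentions.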
 
LVL 40

Expert Comment

by:noci
ID: 39668009
Cloud-based can be, for example, ownCloud; then you run the cloud show and not some other party.
0
 
LVL 17

Accepted Solution

by:
Gerald Connolly earned 500 total points
ID: 39675997
The security-conscious organisation I help support uses this for USB control: https://www.lumension.com/data-protection/usb-security-and-encryption-software.aspx
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39688992
I give up!
-rich
0
 
LVL 47

Expert Comment

by:David
ID: 39689045
Rich - your solution is draconian, and it eliminates all USBs. The author wanted to use USBs with some sort of restrictions. I'm not the author, but I can see how your solution would not have met the author's needs.

But thanks for the tip; it is an elegant solution as long as nobody has credentials to modify the registry.
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39689052
@dlethe -- And what is your assessment of my suggestions?  ID: 39652001
0
 
LVL 47

Expert Comment

by:David
ID: 39689114
The FrontRange product is probably similar to GFI, which I suggested. I have first-hand experience with GFI, but none with FrontRange, so I can't give a fair analysis. As for the rest of the links, encryption is an unworkable solution for these needs. The SANS paper was ancient and held some good info, but was dated, so most of the fixes were obsolete.
0
 
LVL 64

Expert Comment

by:btan
ID: 39689121
Probably would have considered beefing up the existing endpoint software instead of having another device control software. Operationally, patching and policy management need tighter control and a watch for conflicts and misconfiguration. Thanks, experts.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39689511
What I gave up on was what the author was after... Ensuring that the USBs are encrypted is OK, but it only solves the problem of a lost/stolen USB being read by someone unauthorized. USB as a "security concern" is much broader than lost USBs.
You can't throw encryption at everything, people :) It also doesn't sound like the author was looking for encryption at all, based on 39653106.
-rich
0
