Solved

Secure USB Access.

Posted on 2013-11-15
549 Views
Last Modified: 2013-12-02
Hello Experts,

We have around 830 computers at our premises and every user has USB access. They can use portable HDDs and USB flash memories at any time.

As we all know, USBs are the big security hole within the organization. We cannot block USBs due to business reasons.

We are using Kaspersky Endpoint Security 8.0 on the workstations.

I am looking for a solution which can guarantee 100% safety in the use of USBs.
Question by: cciedreamer

26 Comments

LVL 70
Expert Comment by: garycase
Given this comment: "... We cannot block USB's due to business reasons."

... there's no way you can "guarantee 100% safety" with their use. All you could do is install tracking software that would provide a log of what was copied to USB devices ... but this would require audits to identify any unauthorized usage.

LVL 14
Expert Comment by: Giovanni Heward
There are options to mitigate the risks introduced (confidentiality, integrity, availability, etc.) by portable devices, such as Software Restriction Policies, AppLocker Policies, and Data Loss Prevention (DLP). Whitelisting applications via AppLocker would be a good measure. You'll also want to ensure all Windows systems are using the Enhanced Mitigation Experience Toolkit (EMET). You'll also want to consider confidentiality risks associated with mobile data both in transit and at rest (e.g., encryption).

References
Thumb Drive Threats and Countermeasures in a Microsoft Windows Environment
USB Drives, Portable Storage Devices and Physical Security
USB – Ubiquitous Security Backdoor
Security Threats and Mitigating Risk for USB Devices

Here's a product worth reviewing:
http://support.frontrange.com/ProductsSolutions/category.aspx?id=13190

LVL 25
Expert Comment by: madunix
"... We cannot block USB's due to business reasons ..."
Don't assume that technology will solve all known threats around data loss, because it won't. Technology solutions are only part of the story of DLP; IT staff and CTOs/CIOs are required to understand the threats and how they work, so you need to change your policy.

I know some organisations that have physically disabled their USB ports; there is also software that forces data being transferred to USB to be encrypted, so it protects the data if the device is not an organization-approved device. In our environment USB drives are by default disabled through group policy enforcement.

In your case you can think of some good commercial DLP options (FortiGate, Sophos, ...); also check out CounterACT (http://www.forescout.com/), a commercial product for monitoring client activity.

More info:
http://www.youtube.com/watch?v=NJu0De3XUJY
http://okt.to/d5mG4E

LVL 3
Author Comment by: cciedreamer
Basically we have allowed USB access so that users can do their homework and bring documents to the office to be copied to their respective.

Since I can see that giving USB access is not the solution.

Is there any enterprise solution for downloading/uploading documents? It could be integrated with Windows Active Directory. Moreover, it should be secure and provide encryption.

LVL 14
Expert Comment by: Giovanni Heward
You may want to consider cloud based storage solutions as well.

LVL 3
Author Comment by: cciedreamer
I want to host the files with us.

Thanks

LVL 47
Expert Comment by: dlethe
Go to gfi.com and look at their endpoint security product. It will monitor and/or constrain any files getting moved to/from USB sticks. Lots of flexibility on configuring what can and cannot be read or written based on source/destination and computer and/or user login privileges.

As you've been told, there is nothing that is 100% effective. But if every system is running the GFI agent then it will be difficult to compromise ... especially if you have the software monitor for systems rebooting or going offline. That is a tell-tale indication that somebody is trying to circumvent the software.

LVL 61
Expert Comment by: btan
Windows has group policies to allow authorised external portable storage, so check these settings, which also try to prevent malicious drive usage:
http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices#3._Locking_down_Windows_and_Linux_against_Malicious_USB_devices

Likewise, encrypting the external storage will maintain confidentiality for data at rest, especially in loss events, which are common.

LVL 61
Expert Comment by: btan
Understand Kaspersky also has device control with access lists that may be good to leverage for further tightening.

http://support.kaspersky.com/7467

You may even consider temporary access for shared workstation. See

http://support.kaspersky.com/learning/courses/kl_102.98/chapter3.3/section4

Overall, if trusted devices are infected, the other AV and host intrusion prevention controls in Kaspersky should kick in, excluding unknown zero-days.
http://support.kaspersky.com/learning/courses/kl_102.98/chapter3.3

LVL 12
Expert Comment by: TapeDude
Is your main concern people walking off with confidential data... or someone introducing a virus (a la STUXNET) via the OS automatically running any software on a USB storage device when it's inserted?

If it's the latter, you can turn off Autorun. Here's an MS article on the subject:

http://support.microsoft.com/kb/967715

LVL 38
Expert Comment by: Rich Rumble
Why the need for encryption at all? What is the concern with USB as a security issue? Is it bringing in viruses or transferring viruses from one PC to the other? Is it loss of information by users copying files to their USB sticks?

If there is a reason to encrypt, make sure you understand what encryption is doing, I wrote an article on it: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html

To me it sounds like you want users to upload their documents to one location? I'm not seeing the security angle yet. BitLocker and GPOs can "force" the use of BL encryption on USB or portable HDDs, but it may be a restriction that the users are not happy with. They might not want to use BL encryption because they use Macs with their USB sticks and would not be able to because BL doesn't work on Mac/Apple.

I don't see a way to require encryption in a campus environment unless you're issuing the USB drives with the encryption on them already. If they don't have the drive, then no USB file transfer.

Forcing USBs to be encrypted isn't something I can see at the school/college level for students, since they can probably access their email via a web browser and just download the files that way too. I need more direction as to why USB is the focus and what the goal is.
-rich

LVL 61
Expert Comment by: btan
Encryption is to protect data at rest, but true enough, and I also see that staff would not be bothered or even want that unless mandated to comply. If there is a means of transparent on-the-fly decryption it may help, but only in a specific custom device or a specific machine with that agent to decrypt. Some even come with 2FA before you can open the content in the portable storage. Encryption only makes sense to protect data, but that doesn't mean the data is trusted or that we can trust the storage device being used. We can as much enforce authorised devices and restrict such device use to allowed machines or locality zones. Data leakage and mass infection vectors always link back to portable storage as culprit. Do have usage policy and awareness training too.

LVL 4
Expert Comment by: FutureTechSysDOTcom
100% guaranteed safety is easy with this.

You simply need to get some good 2 part epoxy and fill up every USB port on every machine with it.

The tricky part will be using the computers with no mouse or keyboard.

LVL 12
Expert Comment by: TapeDude
@FutureTechSysDOTcom: just use machines with the old PS2 connectors for keyboard & mouse. Sorted! ;-)

LVL 47
Expert Comment by: dlethe
There are PS2->USB adapters one could use to defeat this. Face it, the only 100% effective way is to do what they do at some of the places I go to. They first remove the temptation by not having USB ports in the first place.

Secondly, and the most effective means ... 6'8" marines with machine guns, metal detectors, searches, and imminent threat of prison.

LVL 47
Expert Comment by: dlethe
Other than that, look at my post on buying the GFI software.   It monitors all systems for going offline (red flag), and it monitors all systems for USB insertion or copying files to an external device, USB stick, or even network location.

Really no way around that as long as all the systems are running GFI.

LVL 38
Expert Comment by: Rich Rumble
Windows has its own less intrusive and native controls for "mass storage" devices, allowing you to effectively ban flash or USB HDDs while still allowing keyboard and mouse.
There is no security threat specified by the author, just a mention of USB as being a potential security concern; we need more info. To disable mass storage:

@ECHO OFF
REM Start=4 disables the USBSTOR driver, so USB mass-storage devices no longer mount (Start=3 is the default manual start that re-enables them)
REG ADD HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\USBSTOR /V Start /T REG_DWORD /D 4 /F
REM Do not apply the device-class deny policy retroactively to devices that are already installed (only relevant if a DenyDeviceClasses list is also set)
REG ADD HKLM\Software\Policies\Microsoft\Windows\deviceInstall\Restrictions /V DenyDeviceClassesRetroactive /T REG_DWORD /D 0 /F
echo ........USB Mass Storage has been disabled........

-rich
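A read-only way to check whether the controls discussed in this thread are actually in force on a host: the USBSTOR Start value and DeviceInstall restriction policy from the script above, the AutoRun values from the KB967715 article TapeDude linked, plus the list of USB storage devices the machine has seen (the audit trail garycase mentioned). This is an added example, not code from any poster; the function name and the FriendlyName handling are my own, and it assumes an elevated PowerShell prompt on the client being audited.

```powershell
# Added example: audit one Windows host's USB mass-storage posture. Reads the
# registry only; nothing is changed. Run from an elevated PowerShell prompt.
function Get-UsbStoragePosture {
    $svc     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $restr   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $autorun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $enum    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

    # Helper: return a DWORD value, or $null when the key or value is absent.
    function Read-Dword($path, $name) {
        try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name } catch { $null }
    }

    $start  = Read-Dword $svc     'Start'                       # 3 = manual (loads on insert), 4 = disabled
    $deny   = Read-Dword $restr   'DenyDeviceClasses'           # 1 = class-based install deny policy on
    $retro  = Read-Dword $restr   'DenyDeviceClassesRetroactive'# 1 = also removes already-installed devices
    $noAuto = Read-Dword $autorun 'NoDriveTypeAutoRun'          # 0xFF = AutoRun off for every drive type
    $honor  = Read-Dword $autorun 'HonorAutorunSetting'         # 1 = KB967715 fix is active

    # Every USB storage device ever installed leaves a vendor/product key with
    # one subkey per serial number; this is what an audit of past usage reads.
    $seen = @()
    if (Test-Path $enum) {
        Get-ChildItem $enum | ForEach-Object {
            Get-ChildItem $_.PSPath | ForEach-Object {
                $props = Get-ItemProperty $_.PSPath
                $seen += [pscustomobject]@{
                    Device   = $_.PSParentPath.Split('\')[-1]   # e.g. Disk&Ven_...&Prod_...&Rev_...
                    Serial   = $_.PSChildName
                    Friendly = $props.FriendlyName              # may be $null on older Windows
                }
            }
        }
    }

    [pscustomobject]@{
        UsbStorDisabled       = ($start  -eq 4)
        DeviceClassDenyActive = ($deny   -eq 1)
        DenyIsRetroactive     = ($retro  -eq 1)
        AutoRunOff            = ($noAuto -eq 0xFF)
        HonorAutorunSetting   = ($honor  -eq 1)
        PreviouslySeenDevices = $seen
    }
}

$posture = Get-UsbStoragePosture
$posture | Select-Object -ExcludeProperty PreviouslySeenDevices | Format-List
$posture.PreviouslySeenDevices | Format-Table -AutoSize
```

A host where UsbStorDisabled is false but PreviouslySeenDevices is long shows exactly the gap the thread is arguing about: the policy either was never applied or has been reverted by someone with registry rights.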

LVL 39
Expert Comment by: noci
Cloud-based can be, for example, ownCloud. Then you run the cloud show and not some other party.

LVL 16
Accepted Solution by: Gerald Connolly (earned 500 total points)
The security-conscious organisation I help support uses this for USB control: https://www.lumension.com/data-protection/usb-security-and-encryption-software.aspx

LVL 38
Expert Comment by: Rich Rumble
I give up!
-rich

LVL 47
Expert Comment by: dlethe
Rich - your solution is draconian, and it eliminates all USBs. The author wanted to use USBs with some sort of restrictions. I'm not the author, but I can see how your solution would not have met the author's needs.

But thanks for the tip; it is an elegant solution as long as nobody has credentials to modify the registry.

LVL 14
Expert Comment by: Giovanni Heward
@dlethe -- And what is your assessment of my suggestions? ID: 39652001

LVL 47
Expert Comment by: dlethe
The FrontRange product is probably similar to GFI, which I suggested. I have first-hand experience with GFI, but none with FrontRange, so I can't give a fair analysis. As for the rest of the links, encryption is an unworkable solution for these needs. The SANS paper was ancient and held some good info, but was dated, so most of the fixes were obsolete.

LVL 61
Expert Comment by: btan
Probably would have considered beefing up the existing endpoint software instead of having another device control software. Operationally, patching and policy management need tighter control and watching over for conflicts and misconfiguration. Thanks, experts.

LVL 38
Expert Comment by: Rich Rumble
What I gave up on was what the author was after... Ensuring that the USBs are encrypted is OK, but it only solves the problem of a lost/stolen USB being read by someone unauthorized. USB as a "security concern" is much broader than lost USBs.
You can't throw encryption at everything, people :) It also doesn't sound like the author was looking for encryption at all, based on 39653106.
-rich