Security and USB Ports: Yet another access to control
Dave Piscitello Core Competence, Inc.
The insight, Those who forget the lessons of history are doomed to repeat them, is attributed to George Santayana, a mostly 20th century philosopher whose works were paradoxically described as both materialistic and Platonistic. The insight seems particularly apropos to security.
|
How many years have we dealt with removable media? In the 1970s, mainframes and minis had pizza-sized hard drive catridges and PCs had floppy disks the size of frisbees. By the 1980s, these had been replaced by smaller form factors, and the 21st century advances now allow us to carry up to a gigabyte in credit card, microdrive, key fob, secure digital and compact flash card form factors. Floppies were convenient, and not very secure. Floppies were among earliest carriers of viruses and malicious code. In their time, they were convenient media for information theft, and convenient as well for their ability to boot enough of an OS to crack systems (notably, the Micro OS and NTRawrite utilities from SourceForge). What lessons did we learn here? How quickly did we forget. |
 
|
USB removable media are now bearing the torch of their floppy ancestors, and they, too, are bootable[1]. Already making headlines for injecting malicious code into unprotected systems, USB media are all the more worrisome because they combine enormous storage and easily hidden form factors. Imagine all the sensitive information someone can copy onto a Gigabyte Compact flash card or USB removable drive: as easy to conceal as USB devices are, how difficult is it to "plug-and-steal"? Now imagine losing a similar drive you frequently use to "sneaker-net" files between your home and office PC. A bootable USB drive with a full-blown operating system can bypass PCs protected only with basic logon mechanisms? Imagine all the misuse that might follow.
Security problems with removable drives and media attract most of the attention, but here's more sobering news: your worries extend beyond media, since USB Ports accommodate cameras, modems, network interfaces, printers, and more. In fact, your worries extend beyond USB, to Firewire, BlueTooth and iRDA.
Ultimately, USB is yet another port to control, as are Firewire, BlueTooth, and iRDA.
You can take measures to reduce the use of unapproved USB (in fact, any removable) devices, prevent infections from malicious executables, and deter data theft, by applying port access controls. In concept, this is similar to using a personal firewall for your modem, WiFi, or Ethernet NICs. From shareware like SecureFolder, that password protects removable media and restricts access to floppies, CD-ROMs, and USB mass storage to business grade device access control software, like SecureNT and DisknetPro, you can impose corporate-wide security policies on USB and other removable media and device ports.
Reflex Disknet Pro 4, for example, provides a number of security features enterprises might find desirable for many forms of USB removable media as well as CD/CDRW/DVD and diskette. Client software provides boot-level access control (through a password). Port access controls dictate which types of devices can be connected via USB. Media authorization, based on digital signatures, may be used to distinguish approved media/devices from unauthorized media. As part of an informal testing of Reflex Disknet Pro 4, I confirmed that I can define and enforce a policies that authorize Secure Digital media drives but restricts the use to individually signed (authorized) SD cards. I can also enforce antivirus scanning of a medium before any files are accessed; restrict file types that may be read from or written to media; and encrypt data that are recorded to authorized media. I can also restrict the use of network adapter cards. The Enterprise version of administrators can restrict types of data (e.g., file types) that can be read from and written to media. Central administration is provided through a client-server application. Administrators can define policies and push these to clients. Clients can also pull policies, and administrators can concede varying levels of trust (local policy definition) to individual clients.[2]
SecureNT (not tested) is very ACL-centric (access control list, or user/group permissions), and offers device whitelists, scheduled access, CD/DVD shadow-and-audit (to detect unauthorized copying of sensitive information, for example), and iRDA access controls.
File encryption can play an important role in preventing unauthorized disclosure. Encrypting USB removable media helps protect sensitive information if it's lost. Encrypting sensitive information on your PC's file system in general will protect data that's copied onto a removable drive without authorization. Microsoft's Encrypted File Sytem and a selection of stored file encryption products (including AES-based encryption offered in the aforementioned Disknet Pro 4) will help here.
It's a shame Windows 2000 and XP SP1 don't provide adequate local security policies for USB specifically, and Plug and Play devices in general. As I continue to investigate Windows XP SP2, I will report any improvements in this area, here. Until such policies are added in future operating systems, you may want to look into a 3rd party solution.
[1] Dealing with the bootable problem falls under the category, "previously unsolved". While you can reduce this threat by limiting boot devices and password protecting BIOS on your PC, you can't eliminate it: methods for bypassing BIOS passwords abound (see How to Bypass BIOS Passwords. In fact, a simple Google of the phrase, "how to bypass BIOS passwords" illustrates this hack is essentially common knowledge.) But if your PC or laptop has fallen into the hands of someone with motivation, talent, and time to bypass your BIOS password, your worries extend beyond USB, don't they?
[2] Reflex Magnetics provided licensed software for testing purposes, but I did not request or receive compenssation for testing and reviewing the product.