Common endpoint baseline controls – removable media management

In this second post on common endpoint security controls, I’ll be taking a look at removable media. Some of the questions I’ll be exploring include: why is removable media such a risk? What is the state of the art in terms of technical controls? Are there alternatives to providing removable media for users within an organisation?

Removable media is a critical endpoint security concern that should be addressed in networks of any size, by implementing technical controls and supporting processes.

Why is removable media such a risk? The short answer is data loss. Data loss prevention (DLP), the name given to the broad class of technologies aimed squarely at preventing it, is of growing importance even in SMEs.

Businesses, from large to small, send and receive vast quantities of information and hold growing repositories of personal data and valuable intellectual property. Data loss continues to be a concern for businesses, and whether the threat comes from external actors such as criminal hackers or from insiders such as employees, the consequences when it does occur can be immense. In the age of GDPR, the loss of personal data is an even greater concern.

The consequences of data loss are typically financial and reputational.

Data loss prevention is not the only benefit from removable media control. Implementing removable media controls can considerably improve the organisational resistance to malware, boost employee productivity, and improve consistency of information exchange.

A variety of solutions are available on the market to control the use of removable media. Most focus on introducing the following capabilities for each class of removable media device, such as CD/DVD, USB drive, external hard drive, tape, or floppy drive (FDD):

  • Deny read access. This can be implemented using third party products or through Group Policy (on Windows Vista and later the settings live under Administrative Templates > System > Removable Storage Access, in both the Computer and User Configuration branches). This helps minimise the introduction of unwanted information, executables and malware.
  • Deny execute access. Implemented the same way, this prevents programs being launched directly from the media, whether via autorun or by a user double-clicking them. It does not stop an attacker with physical access from booting the machine from removable media; that is a firmware and boot problem, addressed with a BIOS/UEFI password, a locked boot order, Secure Boot and full-disk encryption.
  • Deny write access. Along with denying execute access, denying write access is the fundamental control against data loss. It can be implemented using third party products or through GPO, and is set per device class (removable disks, CD/DVD, floppy, tape, and a catch-all "All Removable Storage classes: Deny all access"), so it must be applied to every class in use. A single DVD or USB drive write can move gigabytes of information out of an organisation.
  • Require encryption on write. Commercial solutions offer this capability and it is an excellent way of managing data, including working with business partners.
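As an added example (my own code, not part of the original post), the following PowerShell writes the same registry values that the Removable Storage Access GPO sets, for a standalone or test machine, and then reports the resulting state. The function names are mine; the class GUIDs are the Windows device-interface GUIDs that the policy keys are named after.

```powershell
# Added example (not from the original post): apply the per-class
# "Removable Storage Access" deny settings locally, using the same registry
# values the GPO writes, then report the effective state. Run elevated.
# The class GUIDs are the Windows device-interface class GUIDs the policy uses.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device classes controlled by the "Removable Storage Access" policy
$classes = @{
    'RemovableDisks' = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # USB drives, external HDD/SSD
    'CdDvd'          = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'FloppyDrives'   = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
    'TapeDrives'     = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Set-RemovableStoragePolicy {
    # Function name is mine; it mirrors the three checkboxes of the GPO setting.
    param(
        [Parameter(Mandatory)][ValidateSet('RemovableDisks','CdDvd','FloppyDrives','TapeDrives')]
        [string]$Class,
        [bool]$DenyRead    = $false,
        [bool]$DenyWrite   = $true,
        [bool]$DenyExecute = $true
    )
    $key = Join-Path $base $classes[$Class]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Each value is a DWORD: 1 = deny, 0 = allow (value absent = allow)
    New-ItemProperty -Path $key -Name 'Deny_Read'    -PropertyType DWord -Value ([int]$DenyRead)    -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Deny_Write'   -PropertyType DWord -Value ([int]$DenyWrite)   -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Deny_Execute' -PropertyType DWord -Value ([int]$DenyExecute) -Force | Out-Null
}

function Get-RemovableStoragePolicy {
    # Report what is currently configured for every class, policy present or not
    foreach ($name in $classes.Keys) {
        $key = Join-Path $base $classes[$name]
        $v = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Class       = $name
            DenyRead    = [bool]($v.Deny_Read)
            DenyWrite   = [bool]($v.Deny_Write)
            DenyExecute = [bool]($v.Deny_Execute)
        }
    }
}

# Baseline used here: media stays readable, but nothing can be written to it
# and nothing can be executed from it.
foreach ($c in $classes.Keys) {
    Set-RemovableStoragePolicy -Class $c -DenyRead $false -DenyWrite $true -DenyExecute $true
}
Get-RemovableStoragePolicy | Format-Table -AutoSize
```

On a domain-joined machine a GPO will overwrite these values at the next policy refresh, so this is for standalone hosts, lab testing, or checking what a GPO has actually applied. The same keys under HKCU correspond to the User Configuration branch, and a Deny_All DWORD directly under the RemovableStorageDevices key corresponds to "All Removable Storage classes: Deny all access".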

What is the state of the art in removable media management? Commercial solutions offer a wide range of additional benefits over and above GPO level capabilities, including:

  • Control over the file types that can be transferred to removable media.
  • Time-limited access, granting a user the ability to write to removable media only for a set period. This is an excellent risk mitigation and can be combined with a renewal requirement on a quarterly, six-monthly or annual basis.
  • Restrict the amount of data that can be written by a user on a periodic basis, such as a day.
  • Management of all devices, policies and users from a central location.
  • Reporting, allowing insight into uptake, frequency of use, potential risk areas, and so on.
  • Forced encryption of any removable media written to. Some products additionally embed a self-decrypting executable so that a recipient without the removable media control can read the data. Bear in mind that such an executable is exactly what a deny-execute policy (and many recipients' security teams) will block, and that it trains recipients to run programs from removable media; a format the recipient can open with tools they already trust, such as an encrypted archive or a BitLocker To Go volume, is usually the safer exchange format.
  • Whitelist devices and assign permissions for authorised device types by user and group.
  • Classify devices by type, and apply policies on that basis. For example, permit any HID device such as a keyboard or mouse, but control data storage devices. Be aware that a class-level allow trusts anything that presents itself as a keyboard, which includes keystroke-injecting devices (the "BadUSB" class of attack), so it is best paired with device whitelisting and monitoring rather than used alone.
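As an added example covering the whitelisting and device-classification bullets above (again my own code, not the post's, and not any vendor's product), the following PowerShell enumerates the hardware IDs of the USB storage devices currently attached, then writes the Device Installation Restrictions policy values that allow only those devices plus the input-device classes, blocking installation of anything else. The function names are mine; the registry layout is the one the "Device Installation Restrictions" GPO uses; the HID, keyboard and mouse GUIDs are Windows' well-known device setup-class GUIDs. Get-PnpDevice requires the PnpDevice module (Windows 8.1 / Server 2012 R2 and later).

```powershell
# Added example (not from the original post): whitelist specific USB storage
# devices by hardware ID and allow input devices by class, blocking everything
# else, using the registry values behind the "Device Installation Restrictions"
# GPO. Run elevated on a TEST machine first: DenyUnspecified blocks installation
# of any device not on an allow list (docks, printers, webcams included).

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Device setup classes for input devices (well-known Windows class GUIDs)
$InputClasses = @(
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'   # HIDClass
    '{4d36e96b-e325-11ce-bfc1-08002be10318}'   # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}'   # Mouse
)

function Get-UsbStorageHardwareId {
    # USBSTOR is the enumerator for USB mass-storage devices; the first hardware
    # ID is the most specific one (it combines vendor, product and revision).
    Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object InstanceId -like 'USBSTOR\*' |
        ForEach-Object {
            $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId
                HardwareId   = $ids[0]
            }
        }
}

function Write-PolicyList {
    # List-valued policies are stored as string values named 1, 2, 3 ... in a
    # subkey, with a DWORD of the same name set to 1 in the parent to enable it.
    param([string]$Name, [string[]]$Entries)
    $listKey = Join-Path $Restrictions $Name
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    New-ItemProperty -Path $Restrictions -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    $i = 1
    foreach ($entry in $Entries) {
        New-ItemProperty -Path $listKey -Name ([string]$i) -PropertyType String -Value $entry -Force | Out-Null
        $i++
    }
}

function Set-DeviceAllowList {
    param([Parameter(Mandatory)][string[]]$AllowedHardwareIds)
    if (-not (Test-Path $Restrictions)) { New-Item -Path $Restrictions -Force | Out-Null }

    # "Prevent installation of devices not described by other policy settings".
    # Do NOT also set DenyRemovableDevices: that policy overrides every allow list.
    New-ItemProperty -Path $Restrictions -Name 'DenyUnspecified' -PropertyType DWord -Value 1 -Force | Out-Null

    # "Allow installation of devices that match any of these device IDs"
    Write-PolicyList -Name 'AllowDeviceIDs' -Entries $AllowedHardwareIds

    # "Allow installation of devices using drivers that match these device setup classes".
    # A class-level allow admits anything that claims to be a keyboard (see the
    # BadUSB caveat in the text), so it is a usability concession, not a control.
    Write-PolicyList -Name 'AllowDeviceClasses' -Entries $InputClasses
}

# Usage: enrol whichever approved drives are attached right now, then apply.
$approved = Get-UsbStorageHardwareId
$approved | Format-Table -AutoSize
if ($approved) { Set-DeviceAllowList -AllowedHardwareIds $approved.HardwareId }
```

Devices that were installed before the policy is applied are not removed by DenyUnspecified, so combine it with the Removable Storage Access deny settings or uninstall the existing device instances. In production, collect the approved IDs centrally and push them through a GPO rather than running this on each endpoint.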

Of course, restricting removable media permissions and functionality comes at a cost. There may, for instance, be undocumented business processes that the controls will break. What solutions exist to provide a reasonable level of import and export while removing local access? Potential options include:

  • Restricting access to a particular time window, such as a day or a week. This may be enough to treat the risk identified in most risk assessments.
  • Apply role-based access control so that only specific individuals or hosts have an import or export capability: for instance a system in view of CCTV, or administrators or security personnel.
  • Develop a dedicated import/export (IX) host. This system has device-specific permissions assigned to allow import and export, while every other endpoint denies removable media entirely. It is the architectural equivalent of the drawbridge over a castle moat.

Dedicated systems are useful in medium to large organisations as they provide a single point where AV and malware detection can be managed. They won't work in all situations, but they apply in many. The occasions where data export to removable media is genuinely required are often few, and a dedicated host can offer significant benefits. One advantage of a dedicated IX host is the opportunity to focus security measures on it: host hardening, lockdowns, use of multiple AV products, and so on. Because a dedicated IX host has a very limited purpose, the scope for securing the underlying OS is much greater, as usability and broader application compatibility become less of a concern. In addition, human review of all data exports can confirm suitability for the intended recipient and ensure that data formats are chosen to minimise the risk from hidden data (document metadata, tracked changes, hidden sheets and the like).

Regardless of approach, it is crucial to separate administrative privileges from ordinary user accounts. A local administrator can edit the registry values that a GPO writes, stop an agent service, or install a different driver, so no removable media solution, GPO- or vendor-based, will be fully effective unless users do their day-to-day work without administrative rights.

Vendors that are particularly active in the endpoint security space include Symantec, LogMeIn, Druva, Trend Micro, Check Point Technologies, VIPRE, Carbon Black, Ivanti (formerly LANDESK and Lumension; good for large organisations), Panda Security (good for SMEs), and Comodo.

Full disclosure: I’ve put hyperlinks to the correct vendor sites above at the request of vendors.


There are of course other solutions that can dovetail very well with broader IT initiatives. For example:

  • Thin client solutions, such as Dell Wyse devices. Rather than try to manage removable media devices, side-step the problem by using a device without any.
  • Bespoke hardware configurations that do not provide CD/DVD drives.
  • Disabling USB port access. Some devices allow USB ports to be selectively disabled in firmware (BIOS/UEFI), which may be sufficient for low-risk scenarios provided the firmware setup is password-protected.
  • VDI solutions such as XenDesktop. These limit the ability of users to export information from desktop sessions, reducing risk substantially, but only if USB redirection and client drive mapping are disabled in the VDI policy; otherwise a drive plugged into the thin client appears inside the virtual desktop.