Device Control is the branch of endpoint security that governs which devices may access computers. Endpoint device control is critical to protecting an organization's data assets from the risks associated with the use of removable devices. Removable media may transfer malware to computers and can also be used to extract sensitive information from computers into unauthorized hands, hence the importance of removable media management.
Removable media and devices may carry malware and infect computers. Because endpoint computers act as both device host and network host, malware could spread and affect not only the compromised system but also the network infrastructure.
External storage such as USB drives can be used to transfer data assets off computers; this could result in sensitive data being stolen, lost or exposed. Preventing confidential data loss is a major concern for organizations.
The Universal Serial Bus (USB) is today the most widely used, but not the only, interface allowing communication between devices and computers.
Most vulnerable USB-host protocols:
- USB Mass Storage Device Class (UMS).
- Media Transfer Protocol (USB-MTP).
- USB Attached SCSI Protocol (UASP).
- USB Human Interface Device Class (HID).
Most dangerous sources/devices:
- USB flash drives.
- Card readers.
- USB adapters.
- Wireless Transceivers.
- BadUSB (a.k.a. USB Rubber Ducky).
- External drives (USB, eSATA, FireWire).
- Compact discs.
Common active Countermeasures:
- Driver restriction.
- USB Lockdown.
- Drive Dismount.
- Disc Ejection.
- Device Disable.
- Centralized USB Management.
- Block USB Devices (System-wide).
- Specific Authorization (Whitelist).
- USB Monitoring.
- USB Encryption.
- Event Logging.
Most vulnerable USB Host/Network Host:
Most vulnerable organization sectors:
- Energy production.
- Defense/law enforcement.
Risks to the enterprise:
- Operating system malware infection.
- Confidential/Sensitive data loss.
- Keystroke/payload injection Attacks.
- Malicious command/code execution.
- Endpoint availability loss leading to personnel/environment endangerment.
- Sensitive data disclosure/exploitation.
- Asset loss.
- Endpoint Security (Parent).
- Data Loss Prevention (DLP).
- USB Device Control (a.k.a. USB Lockdown, USB Control, USB Access Control).
Effective Device Control solutions should act to deny the presence of unauthorized devices in the system. Blocking is the most effective way to prevent malware arriving from devices such as USB flash drives.
Enforcing a removable media policy requires that detection and blocking measures be active and locally enforced. Such policies should be able to adjust or escalate depending on device status and media type.
Removable media and device connection events should be monitored and sent to the Central Control in real time; event logs and alerts should include:
- Device VID (Vendor ID), PID (Product ID) and Serial Number.
- Source IP, machine name and logged-on user.
Protection scope should be system-wide (not user-wide). Devices such as USB drives are hosted at operating system level, not at user level. User-level restrictions have diminished security value in preventing virus/malware infection or code injection compared to system-wide restrictions.
Unauthorized devices should be blocked, and blocking measures should remain in force until the device is physically or remotely removed from the system.
Whitelisting/authorization of specific USB devices should have auto-detection capability.
A monitoring function should be available to allow visibility over data transfers from endpoints to authorized USB drives.
An encryption function should be available to secure data transferred to authorized USB drives.
All device identifiers should be stored encrypted to prevent spoofing.
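The policy requirements above (system-wide scope, default-deny with a device whitelist, blocking that persists until the device is removed, identifiers not stored in the clear) can be shown as a small policy engine. The following is an added illustration written for this page, not code from any Device Control product: the UsbDevice fields, the class labels, the sample VID/PID/serial values and the use of HMAC-SHA256 as the non-reversible form in which identifiers are stored are all this example's own choices.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbDevice:
    """Identity as the USB stack reports it on enumeration (field names are this example's)."""
    vid: int            # Vendor ID (16-bit)
    pid: int            # Product ID (16-bit)
    serial: str         # iSerialNumber string; empty when the device has none
    device_class: str   # constructed label, e.g. "mass_storage" or "hid"


def device_fingerprint(dev: UsbDevice, key: bytes) -> str:
    """Keyed, non-reversible fingerprint of VID:PID:serial:class.

    The allow list stores these fingerprints instead of raw identifiers, so a copy
    of the policy store does not disclose authorized VID/PID/serial values that could
    be cloned onto another device. HMAC-SHA256 is this example's choice (assumption);
    the key lives with the Central Control, not on the endpoint store."""
    canonical = f"{dev.vid:04x}:{dev.pid:04x}:{dev.serial}:{dev.device_class}".encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class DevicePolicy:
    """System-wide default-deny policy: a device is usable only if its fingerprint is allowed."""

    def __init__(self, key: bytes):
        self.key = key
        self.allowed: set[str] = set()
        self.blocked_now: dict[str, str] = {}   # fingerprint -> reason, cleared on removal

    def authorize(self, dev: UsbDevice) -> str:
        """Auto-detection flow: an administrator approves a currently connected device."""
        fp = device_fingerprint(dev, self.key)
        self.allowed.add(fp)
        return fp

    def on_connect(self, dev: UsbDevice) -> tuple[str, str]:
        """Decision taken on enumeration. The logged-on user is deliberately not an
        input: the scope is system-wide, not per user."""
        fp = device_fingerprint(dev, self.key)
        if fp in self.blocked_now:
            # A blocked device stays blocked until it is removed, even if it was
            # authorized in the meantime; it must be re-plugged to be re-evaluated.
            return "block", self.blocked_now[fp]
        if not dev.serial:
            reason = "no serial number: device cannot be uniquely authorized"
        elif fp in self.allowed:
            return "allow", "authorized device"
        else:
            reason = "not on allow list"
        self.blocked_now[fp] = reason
        return "block", reason

    def on_remove(self, dev: UsbDevice) -> None:
        """Physical or remote removal lifts the standing block for that device."""
        self.blocked_now.pop(device_fingerprint(dev, self.key), None)


# Constructed sample data for this example (not from the page).
EXAMPLE_KEY = b"constructed-demo-key-not-for-production"
FLASH = UsbDevice(0x0781, 0x5567, "4C530001234567890123", "mass_storage")
# Same VID/PID/serial as FLASH but enumerating as a keyboard: because the class is
# part of the fingerprint, the authorization of the flash drive does not carry over.
SAME_IDS_AS_HID = UsbDevice(0x0781, 0x5567, "4C530001234567890123", "hid")
NO_SERIAL = UsbDevice(0x1234, 0x0001, "", "mass_storage")
UNKNOWN = UsbDevice(0x0951, 0x1666, "0123456789ABCDEF", "mass_storage")


def build_example_policy() -> DevicePolicy:
    """Policy with only the sample flash drive authorized."""
    policy = DevicePolicy(EXAMPLE_KEY)
    policy.authorize(FLASH)
    return policy


if __name__ == "__main__":
    policy = build_example_policy()
    for dev in (FLASH, SAME_IDS_AS_HID, NO_SERIAL, UNKNOWN):
        print(f"{dev.vid:04x}:{dev.pid:04x} {dev.device_class:13} ->", policy.on_connect(dev))
```

Binding the device class into the fingerprint is what makes the "adjust/escalate depending on device status and media type" requirement concrete: an authorized storage device that later presents itself with a different interface class is treated as a new, unauthorized device rather than inheriting the earlier approval.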
Managing devices and media requires that security settings be applied from a Centralized Control located on a server within the enterprise/organization's network/domain, and that authorized personnel's ability to access the Central Control should not depend on internet access, external services or entities.
Security policies are to be deployed, applied and enforced on client machines in real time, without delay or need to reboot.
The Central Control interface should show clients' updated security status and receive events/alerts from managed endpoints; it should work with encrypted data, readable only within the administrative control interface.
Device connection events should be sent via secure email to an inbox within the organization's domain and/or be standardized to Syslog or CEF (Common Event Format) to be relayed to SIEM solutions.
Note: When readable reports outside the Control interface are required, access to reports should be managed/secured to prevent disclosure of device identifiers.
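To make the event requirements concrete (VID, PID and serial number; source IP, machine name and logged-on user; relayed as CEF to a SIEM), here is an added example, written for this page and not taken from any product, that renders a device-connection event as a CEF line, parses it back, and reports which required fields are missing. The event dictionary layout, the vendor/product strings and the sample values are this example's assumptions; the CEF header layout, its escaping rules and the extension keys used (rt, act, src, dvchost, suser, cs1..cs3 with their labels) follow the published CEF format.

```python
import re
from datetime import datetime, timezone

# Extension keys a device-connection event must carry before it is relayed
# (VID, PID, serial number, source IP, machine name, logged-on user).
# cs1..cs3 are CEF custom-string slots; the cs*Label fields name their contents.
REQUIRED_KEYS = ("cs1", "cs2", "cs3", "src", "dvchost", "suser")


def _escape_header(value: str) -> str:
    # In CEF header fields only backslash and pipe are escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value: str) -> str:
    # In the extension, backslash and '=' are escaped and line breaks are encoded.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def device_event_to_cef(event: dict, vendor: str = "ExampleVendor",
                        product: str = "DeviceControl", version: str = "1.0") -> str:
    """Render one device-connection event as a CEF:0 line.

    `event` uses this example's own dict layout (assumed, not a product format):
    vid/pid as ints, serial, source_ip, machine, user, action, time (aware datetime)."""
    header = "|".join(_escape_header(f) for f in (
        vendor, product, version, event["event_id"], event["name"], str(event["severity"])))
    ext = {
        "rt": str(int(event["time"].timestamp() * 1000)),  # receipt time, ms since epoch
        "act": event["action"],
        "src": event["source_ip"],
        "dvchost": event["machine"],
        "suser": event["user"],
        "cs1Label": "VID", "cs1": f"{event['vid']:04x}",
        "cs2Label": "PID", "cs2": f"{event['pid']:04x}",
        "cs3Label": "SerialNumber", "cs3": event["serial"],
    }
    extension = " ".join(f"{k}={_escape_extension(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


_HEADER_FIELD = re.compile(r"(?:\\.|[^|\\])*")          # runs up to the next unescaped pipe
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")  # key=value, value may hold spaces


def parse_cef(line: str) -> dict:
    """Split a CEF line back into its seven header fields and extension key/values.
    Raises ValueError on a short header so malformed lines are not silently relayed."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    names = ("version", "vendor", "product", "device_version", "event_id", "name", "severity")
    parsed, pos = {}, len("CEF:")
    for name in names:
        m = _HEADER_FIELD.match(line, pos)
        if m.end() >= len(line):
            raise ValueError(f"header field missing or unterminated: {name}")
        parsed[name] = _unescape(m.group(0))
        pos = m.end() + 1  # skip the unescaped pipe
    parsed["extension"] = {k: _unescape(v) for k, v in _EXT_PAIR.findall(line[pos:])}
    return parsed


def missing_required_fields(parsed: dict) -> list:
    """Keys from REQUIRED_KEYS that are absent or empty in a parsed event."""
    ext = parsed["extension"]
    return [k for k in REQUIRED_KEYS if not ext.get(k)]


# Constructed sample event for this example (not from the page).
SAMPLE_EVENT = {
    "event_id": "usb.blocked", "name": "Unauthorized USB device blocked", "severity": 7,
    "action": "blocked", "time": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "source_ip": "10.0.0.5", "machine": "WS-0412", "user": "CORP\\jdoe",
    "vid": 0x0781, "pid": 0x5567, "serial": "4C530001234567890123",
}

if __name__ == "__main__":
    line = device_event_to_cef(SAMPLE_EVENT)
    print(line)
    print("missing:", missing_required_fields(parse_cef(line)))
```

The round trip matters on the receiving side: a domain user name such as CORP\jdoe carries a backslash, so a collector that splits on "=" or "|" without honouring CEF escaping will corrupt exactly the fields the page says an alert must contain. A device without a serial number yields an empty cs3, which missing_required_fields flags so the alert can be escalated rather than relayed as complete.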
Today, it’s well understood that:
- Industrial networks in the manufacturing, processing and energy production sectors MUST implement device control to safeguard:
- Both Industrial and Enterprise IT Networks should implement device control to prevent:
- Malware infection.
- Confidential or sensitive data loss.
- Arbitrary commands/code execution (ACE).
Cyber-attacks grow in frequency, stealth and complexity. It is important that IT security personnel select the adequate solution to fulfil the requirement. Decisive control requires a tool that can be fully tested within its intended operating environment.
If you have been experiencing trouble with malware and other related issues, or you know that illicit or sensitive files are being shared on your network, it might be time to consider upgrading your Endpoint Security by implementing device control.