In many aspects of life there are several ways to accomplish the same goal, and some tactics are better than others in the long term, depending on the end objective. One low-hanging fruit that offers a concrete, understandable risk reduction (and one consistently noted in cybersecurity best-practice guides) is disabling USB sticks and other USB mass storage devices as an attack vector.
To answer the question of why one might disable USB access, let’s look at a few of my observations:
- USB ports are commonly exposed to passersby within a site control room with minimal observation. You may say that physical access controls prevent unauthorized users, and this may be true, but more often than not, site supervisors and operators are busy fulfilling their duties, and oversight of "guests" is unlikely to be 100%.
- Legacy systems such as Windows XP and Server 2003 still exist. They are very vulnerable to USB autoplay vectors and cannot be replaced quickly or feasibly. Anti-malware technology such as antivirus software may require more resources than these hosts can spare. Network protections (or disconnection) are one way to protect them, but removable USB devices remain another vector for infecting legacy systems.
- In environments where compliance and data-related controls (e.g., DFARS) are required, USB device control is a simple task that can be achieved and marked as "done". Sensitive information can be confined to the local file share, email can be locked down or denied, and information can therefore be kept within the organization at the network level with reasonable confidence (side note: not much will prevent me from taking a picture with my phone).
- No amount of security awareness training will 100% prevent site employees from picking up rogue USB devices in the parking lot. Training and awareness campaigns are an essential part of a security program, but additional layers of protection are absolutely required.
After researching the topic and conferring with my colleagues, we all share the opinion that USB stick-related cybersecurity controls are rather trivial to implement, so:
- Why aren’t all asset owners disabling or limiting USB access today?
- Are other technologies specifically required to tackle this threat?
To answer the first question, there are a few related components:
- Systems are often self-managed, heterogeneous, and have never been "authoritatively" managed to date.
- The number of self-managed (or unmanaged) systems is therefore among the many challenges an organization faces, but once they are brought under the control of a robust asset management solution (e.g., native Windows with Active Directory, or another solution such as Verve Asset Management and BigFix) you can start achieving real progress. It is a question of effort, but this is the first and most critical step.
- Other than the management aspect, users may commonly voice questions such as: What if connectivity is lost? What if the fileserver goes down? How do we transport files over an “airgap”? These are all valid considerations against an outright disabling of USB media devices, but frankly, a carefully engineered solution can accommodate nearly all of those factors in a way that is appropriate to budget and risk appetite.
Depending on your organization's needs, USB media devices may be required in some instances. However, knowing where systems have USB media exposure improves the accuracy of risk management activities, creates the opportunity to control system and information access, and reduces cybersecurity risk exposure via USB.
To answer the second question without explicitly calling out the technologies that perform application or device whitelisting (now a part of Carbon Black, a VMware company): you can essentially "live off the land" with Verve Asset Management (VAM) and BigFix to manage patching and policy, fetch logs, and gather detailed asset information. By combining these solutions, you accomplish a similar effect efficiently, using native Microsoft Windows functionality and BigFix "fixlets" to compound value from a small set of tools.
So let’s explore the question of USB device visibility from the perspective of a technology administrator or a C-level executive in a facility with minimal cybersecurity maturity:
“Hi <site admin>, coming down the pipe will be some compliance requirements about minimizing USB access to critical OT infrastructure, can you tell me what we are doing today? And on what systems USB access is enabled?”
“Well boss, most of those systems are self-managed, and we use USB sticks to transfer files from the corporate-network designated machine to the other systems in the facility.”
“OK, that was not the answer I was hoping for, but we can aim to improve by starting with getting visibility on those self-managed assets and assessing the risks to them. In the meantime, can you get me a list of the systems, their OS, and controls by next week – I have a meeting with the Risk Management team? Thanks <site admin>”.
This conversation between the <site admin> and the executive is not as contrived as you may think. There have been many arguments over whether to manage, leave unmanaged, or prevent USB device access, but the critical steps noted here are:
- Do we have visibility on those assets, their configurations, and what is happening on them?
- Are we in a position to secure them, starting somewhere with adequate information (again, only obtainable with a solution that answers question one)?
One of the differentiating factors of the Verve Asset Management solution is its ability to easily onboard both commodity (e.g., Windows-based) and non-commodity (e.g., embedded) systems and make effective change. Assuming a standard Verve deployment, beginning with BigFix agents distributed and installed on Windows systems, this solution can:
- Create a BigFix fixlet to determine USB applicability and include the result in VAM and its reporting
- Leverage reporting to quickly answer our “executives’” questions about USB device support
To understand what this looks like, the image created for this article displays a BigFix fixlet that analyzes relevant hosts and determines whether USB storage is disabled and whether autorun is disabled (particularly important for legacy Windows XP systems). This step won't matter to executives, but for your awareness, BigFix fixlets enable a vast amount of powerful functionality that can be used to secure your organization: the USB device control discussed in this article, investigation of remote desktop service configurations, and patch validation and remediation, to name a few.
Eliminating the need for site administrators to resort to the common method of manually checking systems and reporting the results in an Excel document, BigFix feeds the resulting information into VAM, where it is reflected in tabular or visualized reporting.
Verve reporting allows us to see which systems do or do not have USB mass storage or autorun disabled. Simply put, Verve arms the site administrator and organization executives with a quick way to leverage accurate information on their assets and make informed decisions on next steps regarding USB device controls. By extension, the same BigFix fixlets can be used to push policy to all OT systems, or to specific designated systems when granularity is required.
USB devices can be controlled with minimal effort on hosts running most Windows operating systems. Verve can be used not only to obtain detailed asset information, but also to enable accurate decision making and enforcement.
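As an added example (not Verve's or BigFix's own code), the PowerShell below performs the two checks the fixlet described above makes, USB mass storage disabled and autorun disabled, and, for the enforcement step just mentioned, optionally applies the same settings. It assumes a Windows host and an elevated session. The registry locations are documented Microsoft settings; the function and property names are this example's own.

```powershell
# Added example, not code from Verve or BigFix. Assumes Windows, run elevated.
# Registry keys are Microsoft-documented; function/property names are ours.

$UsbStorKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$RemovableKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$ExplorerPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means "not configured", which is the insecure default.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-UsbExposure {
    # Audit: returns one object per host, ready to be fed into an inventory report.
    $usbStorStart = Get-RegValue $UsbStorKey 'Start'
    $denyAll      = Get-RegValue $RemovableKey 'Deny_All'
    $autorunMask  = Get-RegValue $ExplorerPolicyKey 'NoDriveTypeAutoRun'
    $honor        = Get-RegValue $ExplorerPolicyKey 'HonorAutoRunSetting'

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSVersion           = [Environment]::OSVersion.Version.ToString()
        UsbStorStart        = $usbStorStart            # 3 = load on demand (enabled), 4 = disabled
        UsbStorDisabled     = ($usbStorStart -eq 4)
        RemovableDenyAll    = ($denyAll -eq 1)         # GPO "All Removable Storage classes: Deny all access"
        AutorunMask         = $autorunMask
        AutorunDisabled     = (([int]$autorunMask -band 0xFF) -eq 0xFF)  # 0xFF = no autorun on any drive type
        HonorAutoRunSetting = ($honor -eq 1)           # XP/2003 need this (KB967715) for the mask to be honored
    }
}

function Set-UsbLockdown {
    # Enforce: disable the USBSTOR driver, deny removable storage by policy, turn autorun off.
    # Supports -WhatIf so the change can be dry-run on one host before rollout.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($key in @($RemovableKey, $ExplorerPolicyKey)) {
        if (-not (Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Create policy key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }
    $settings = @(
        @{ Path = $UsbStorKey;        Name = 'Start';               Value = 4    },
        @{ Path = $RemovableKey;      Name = 'Deny_All';            Value = 1    },
        @{ Path = $ExplorerPolicyKey; Name = 'NoDriveTypeAutoRun';  Value = 0xFF },
        @{ Path = $ExplorerPolicyKey; Name = 'HonorAutoRunSetting'; Value = 1    }
    )
    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set DWORD to $($s.Value)")) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        }
    }
}

# Usage: audit first, then dry-run the lockdown on hosts that fail the check.
$report = Get-UsbExposure
$report | Format-List
if (-not ($report.UsbStorDisabled -and $report.AutorunDisabled)) {
    Set-UsbLockdown -WhatIf   # drop -WhatIf to enforce
}
```

Two caveats a practitioner should keep in mind. First, disabling USBSTOR blocks the mass storage class only; a device that presents itself as a keyboard is unaffected, and a disk already mounted keeps working until it is unplugged. Second, if a domain GPO manages these keys, a local edit is overwritten at the next policy refresh, so the enforcement should be pushed through the same management channel (GPO, or the fixlet) that owns the setting. The same registry values can be read from the fixlet's relevance expression, which is what drives the VAM reporting described above.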