[unisog] Pen testers after my own heart...
Jim.Dillon at cusys.edu
Tue Jun 13 01:43:45 GMT 2006
Disabling USB in the Bios won't work for a lot of applications - no
other ports for mouse, or keyboard, or printer or ... on many modern
machines. I'm experiencing the side effects of this with our last order
of PCs as we now have copious spare mice and keyboards and no computers
that could use them, and no printers we can connect directly! (Yes, they
are old, but working, printers.) We also have a data interrogation tool
(ACL) that uses USB security keys and are testing an encryption
mechanism that requires a USB security key, an external HD that requires
a USB port, and even a floppy drive for some of our archived records
that requires a USB port, since machines no longer come with floppy
drives. Disabling the port is not an option for us, although I
understand it may work in certain environments.
Second potential problem: Disabling the USB storage mechanism through
group policy response as suggested by Jordan Wiens - Does anyone know
whether the mechanisms in USB specs are smart enough to distinguish a
pure storage element from a USB security device? I use one now, and I
often wonder if it isn't anything more than an encrypted key on a low
storage device, but of course it is smart enough to conceal itself once
loaded so I am unable to test my theories. It doesn't show up as a
drive letter so maybe? Anyone have a slightly educated guess?
The reason this concerns me a little is that I think we will all be
forced to something two-factor in the next few years due to our
inability to prevent spyware from infiltrating our systems. Recent
scans we've done with the assistance of Webroot left me with the
distinct conclusion that I couldn't trust 6% of the boxes tested to not
be fully compromised, including password, as they showed either
key-loggers, rootkits, or active Trojans. Another 80% are suspect but
not proven to be compromised. How high will that percentage have to go
before two factor authN is a necessity? I'm using a Kensington system
already that depends on USB, largely because it was the most affordable
thing I could find ($56) that encrypted (AES) and provided two-factor
access control. If monkeying around with BIOS rules interferes with
this device it could greatly compromise the trade-off picture on
individual security controls. Is it better to prevent someone from
attaching an unwanted device to the PC, or to protect the contents of
the drive from unwanted logical access? I don't know of many solutions
that will support the second without higher costs. Tough trade-off in
some situations I'd think.
Still seeking some semi-panacea for our end-user workstation security
woes. I think it will ultimately be a hard-drive with an encrypting H/W
front end that stores its key on a security device (probably USB) so
that you have true two-factor control, real-time full device encryption,
and little risk of the device itself being compromised w/o the key and
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon at cusys.edu
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Joel Esler
Sent: Monday, June 12, 2006 4:03 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Pen testers after my own heart...
Maybe I didn't see anyone suggest this...
Disable USB in the bios?
There are tools out there that will prevent USB drives being plugged
in, through registry monitoring.
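On the question raised above, whether USB itself can tell a pure storage element from a security key: every USB interface descriptor carries a class code, and a policy that disables the USBSTOR driver affects only interfaces of the mass-storage class (0x08), so a HID or smart-card-class key keeps working while a key that also exposes a storage interface does not. The following Python is an added example, not code from the list post; the descriptor byte strings are constructed for illustration, and the class names come from the USB-IF class code table.

```python
import struct

# USB-IF base class codes relevant to the devices discussed in the thread
CLASS_NAMES = {0x03: "HID", 0x07: "Printer", 0x08: "Mass Storage", 0x0B: "Smart Card (CCID)"}
MASS_STORAGE = 0x08


def parse_interface_classes(config_descriptor: bytes) -> list:
    """Walk a configuration descriptor blob (config, interface and endpoint
    descriptors back to back) and return bInterfaceClass of every interface."""
    classes, offset = [], 0
    while offset + 2 <= len(config_descriptor):
        length, dtype = config_descriptor[offset], config_descriptor[offset + 1]
        if length < 2 or offset + length > len(config_descriptor):
            raise ValueError("malformed descriptor at offset %d" % offset)
        if dtype == 0x04 and length >= 9:          # interface descriptor
            classes.append(config_descriptor[offset + 5])  # bInterfaceClass field
        offset += length
    return classes


def usbstor_policy_effect(config_descriptor: bytes) -> dict:
    """Report what a policy that only disables mass-storage interfaces does
    to this device: its interface classes, and whether any interface is
    blocked (storage) or survives (e.g. a HID or CCID security key)."""
    classes = parse_interface_classes(config_descriptor)
    return {
        "classes": [CLASS_NAMES.get(c, hex(c)) for c in classes],
        "storage_blocked": MASS_STORAGE in classes,
        "key_still_usable": any(c != MASS_STORAGE for c in classes),
    }


# --- constructed sample descriptors (not captured from real hardware) ---
def _iface(num: int, cls: int, n_endpoints: int) -> bytes:
    iface = bytes([9, 0x04, num, 0, n_endpoints, cls, 0, 0, 0])
    endpoint = bytes([7, 0x05, 0x81, 0x02, 0x40, 0x00, 0])   # bulk IN, 64 bytes
    return iface + endpoint * n_endpoints


def _config(*ifaces: bytes) -> bytes:
    body = b"".join(ifaces)
    header = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), len(ifaces), 1, 0, 0x80, 50)
    return header + body


FLASH_DRIVE = _config(_iface(0, 0x08, 2))                   # plain USB stick
HID_KEY = _config(_iface(0, 0x03, 1))                       # HID-class security key
COMPOSITE_KEY = _config(_iface(0, 0x0B, 2), _iface(1, 0x08, 2))  # CCID key with a storage partition
```

A key that reports only a HID or CCID interface is untouched by a storage-only policy; one that also exposes a mass-storage interface loses that part, which is the case a pilot of such a policy should check before rollout.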