+ Reply to Thread
Results 1 to 9 of 9
  1. Senior Member teancum144's Avatar
    Join Date
    Jun 2012
    Location
    Pacific Northwest, USA
    Posts
    227

    Certifications
    CISSP, CISA, CPA (inactive), Network+, Security+
    #1

    Default USB Thumb Drive Security

    Users are utilizing thumb drives to connect to USB ports on company workstations. A technician is concerned that sensitive files can be copied to the USB drives. Which of the following mitigation techniques would address this concern?

    A. Disable USB within the workstations BIOS.
    B. Install anti-virus software on the USB drives.
    C. Apply the concept of least privilege to USB drives.
    D. Run spyware detection against all workstations.
    E. Disable the USB root hub within the OS.

    The answer is A, but I'm not sure why it couldn't also be E. I realize that A might be more secure if you also password protect BIOS access. However, given a large number of workstations, wouldn't E be more efficient to implement via group policy? Would E be less secure? Do you agree that A is the best answer?
    Reply With Quote Quote  

  2. SS -->
  3. Senior Member Ivanjam's Avatar
    Join Date
    Feb 2012
    Location
    NYC
    Posts
    967

    Certifications
    CCNA, CCENT, Project+, Security+, Network+, A+
    #2
    Both A and E seem like viable alternatives to me too.
    Reply With Quote Quote  

  4. Junior Starcraft Engineer
    Join Date
    Mar 2007
    Location
    Twin Cities, Minnesota
    Posts
    2,777

    Certifications
    A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    #3
    If you don't do A, I can boot to media other than the hard drive and get files that way. A would of course necessitate password protecting the BIOS for efficacy.

    It really depends on the true goal. If the idea is to prevent regular end-users from copying files to USB, E will work.

    The better option is to encrypt the hard drives and disable or control removable media through policy. This prevents booting to other media as a vector to place data on removable drives as well as negates the need for a more drastic action like disabling USB entirely.

    I don't remember any Sec+ questions providing a selection of answers quite as poor as this, so this might be more reflective of your preparation material's quality than something you're likely to face on the exam.
    Reply With Quote Quote  

  5. Senior Member teancum144's Avatar
    Join Date
    Jun 2012
    Location
    Pacific Northwest, USA
    Posts
    227

    Certifications
    CISSP, CISA, CPA (inactive), Network+, Security+
    #4
    Quote Originally Posted by ptilsen View Post
    If you don't do A, I can boot to media other than the hard drive and get files that way. A would of course necessitate password protecting the BIOS for efficacy. It really depends on the true goal. If the idea is to prevent regular end-users from copying files to USB, E will work.
    So E would not prevent booting from USB drive? I'm not sure I understand why?
    Quote Originally Posted by ptilsen View Post
    The better option is to encrypt the hard drives and disable or control removable media through policy.
    Do you mean group policy (technical control)?
    Quote Originally Posted by ptilsen View Post
    This prevents booting to other media as a vector to place data on removable drives as well as negates the need for a more drastic action like disabling USB entirely.
    Please help me understand how this would be accomplished if E were in place.
    Quote Originally Posted by ptilsen View Post
    I don't remember any Sec+ questions providing a selection of answers quite as poor as this, so this might be more reflective of your preparation material's quality than something you're likely to face on the exam.
    Good to know. Sometimes poor questions (like this one) motivate me to dig in and understand the issue better. I realize that I don't fully understand the limitations of "disabling the USB root hub within the OS".
    Reply With Quote Quote  

  6. Junior Starcraft Engineer
    Join Date
    Mar 2007
    Location
    Twin Cities, Minnesota
    Posts
    2,777

    Certifications
    A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    #5
    Quote Originally Posted by teancum144 View Post
    So E would not prevent booting from USB drive? I'm not sure I understand why?
    E disables USB in the OS. This doesn't prevent a user from booting to other media or accessing the BIOS. It only affects access within the OS.

    Quote Originally Posted by teancum144 View Post
    Do you mean group policy (technical control)?
    Yes, I mean Group Policy or a similar technical control (not written policy).

    Quote Originally Posted by teancum144 View Post
    Please help me understand how this would be accomplished if E were in place.
    This method is an alternative to E, not something that would be implemented at the same time. Hard drive encryption negates the need for A, since the drive is inaccessible outside of the BIOS to those who don't know the encryption key and have significant technical ability. Technical control over the ability to write to USB media in the OS negates the need to disable USB entirely in the OS (which is not an option you'll see seriously considered in many environments, even military).

    Quote Originally Posted by teancum144 View Post
    I realize that I don't fully understand the limitations of "disabling the USB root hub within the OS".
    The key is that this only disables USB access within the operating system, not outside of it. My aside, which is important to understand in real life, is that it is a drastic measure which greatly impacts productivity (no use of other USB peripherals, such as mice, keyboards, and cameras) and as such is a poor alternative to other, more effective measures (ie, the combination of hard disk encryption and technical controls limited writing to removable media in-OS).
    Reply With Quote Quote  

  7. Junior Member
    Join Date
    Oct 2012
    Posts
    14

    Certifications
    Security+
    #6
    I've seen this question as well and thought the same; that both would work. I agree that in a larger domain using GP would definitely be the way to go rather than to visit each workstation and screw with the BIOS. On the other hand, potentially a user (regular or nefarious) could re-enable the hub on the OS via privilege escalation while cracking the BIOS password would be much more difficult IMO. Poorly worded question regardless.
    Reply With Quote Quote  

  8. Senior Member teancum144's Avatar
    Join Date
    Jun 2012
    Location
    Pacific Northwest, USA
    Posts
    227

    Certifications
    CISSP, CISA, CPA (inactive), Network+, Security+
    #7
    Quote Originally Posted by ptilsen View Post
    E disables USB in the OS. This doesn't prevent a user from booting to other media or accessing the BIOS. It only affects access within the OS. ... The key is that this only disables USB access within the operating system, not outside of it.
    Ah, I see (seems obvious now, but I was missing this key point). Thank you.
    Quote Originally Posted by ptilsen View Post
    Hard drive encryption negates the need for A, since the drive is inaccessible outside of the BIOS to those who don't know the encryption key and have significant technical ability.
    I see. While this doesn't prevent someone from booting using alternate media, it protects the data on the hard drive.
    Quote Originally Posted by ptilsen View Post
    Technical control over the ability to write to USB media in the OS negates the need to disable USB entirely in the OS (which is not an option you'll see seriously considered in many environments, even military).
    Just to restate what I think you're saying: This type of technical control doesn't prevent USB mice, keyboards, etc. because USB read is allowed, but not write. Therefore, in the case of a USB camera, you could read pictures, but couldn't copy a picture onto your camera's memory (via USB). Again, this doesn't prevent a hacker from booting (outside the OS) via USB, but that is not the purpose of this control. The purpose is to prevent users from writing sensitive data to USB devices for transport. Is my understanding correct?
    Quote Originally Posted by ptilsen View Post
    My aside, which is important to understand in real life, is that it is a drastic measure which greatly impacts productivity (no use of other USB peripherals, such as mice, keyboards, and cameras) and as such is a poor alternative to other, more effective measures (ie, the combination of hard disk encryption and technical controls limited writing to removable media in-OS).
    Make sense. Thanks for all this information. It has helped me to see how all these pieces fit together.
    Reply With Quote Quote  

  9. Junior Starcraft Engineer
    Join Date
    Mar 2007
    Location
    Twin Cities, Minnesota
    Posts
    2,777

    Certifications
    A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    #8
    Quote Originally Posted by pgriffin7 View Post
    On the other hand, potentially a user (regular or nefarious) could re-enable the hub on the OS via privilege escalation while cracking the BIOS password would be much more difficult IMO. Poorly worded question regardless.
    I disagree. Coding a privilege escalation exploit would require advanced programming skills. Privilege escalation exploits in general are few, far between, and quickly patched. Breaking a BIOS password is trivial, and the solution is there for non-techies on a cursory Google search:
    https://www.google.com/search?q=forgot+BIOS+password

    E, however, is easily circumvented by booting to another OS, rather than by privilege escalation. Both answers are flawed, but I find E to be more flawed since the circumvention method is easier (no advanced skills required to boot to a USB flash device) and the drawbacks are greater (no USB devices can be used at all).

    Quote Originally Posted by teancum144 View Post
    Just to restate what I think you're saying: This type of technical control doesn't prevent USB mice, keyboards, etc. because USB read is allowed, but not write. Therefore, in the case of a USB camera, you could read pictures, but couldn't copy a picture onto your camera's memory (via USB). Again, this doesn't prevent a hacker from booting (outside the OS) via USB, but that is not the purpose of this control. The purpose is to prevent users from writing sensitive data to USB devices for transport. Is my understanding correct?
    Yep, you got it!
    Last edited by ptilsen; 11-13-2012 at 12:05 AM.
    Reply With Quote Quote  

  10. Junior Member
    Join Date
    Oct 2012
    Posts
    14

    Certifications
    Security+
    #9
    Thanks - I understand and you are correct.
    Last edited by pgriffin7; 11-13-2012 at 12:55 AM.
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks