Welcome to the FileSure Defend 2.5 Data Loss Prevention Blog series.
Data Loss Type #2: USB Switchblade Malware and Data Theft
One common method for someone who has physical access to the target computers is a ‘USB Switchblade’ (http://www.hak5.org/w/index.php/USB_Switchblade) attack. This method uses the Windows AutoRun feature to run a program that silently infects the computer and steals data by running as a background task (the same attack works with CD/DVD drives).
Example: Recently the US Department of Defense disclosed that they were attacked by a USB Switchblade attack:
Who is taking data: Since this attack is often designed with certain computers/networks in mind, it can be custom built and will go undetected by virus scanners. This is usually a thief with an inside connection, and is a malicious removal.
What doesn’t (always) work: Some companies turn off the Autorun feature via Group Policy, and some others take a more drastic approach of disabling USB drives altogether. But in both cases, a savvy person with access to the machine can just re-enable them.
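Because both settings can be switched back on locally, it helps to check them for drift. The script below is an added example, not part of FileSure Defend or the original post: it reads the machine-wide AutoRun policy and the USB mass-storage driver start type, and flags either one if it no longer matches an assumed baseline (AutoRun off for removable and CD-ROM drives, USBSTOR `Start` set to 4).

```powershell
# Added example: audit the two mitigations the post says can be quietly re-enabled.
# Assumed baseline (not from the post): AutoRun off for removable and CD-ROM
# drives, and the USB mass-storage driver disabled (Start = 4).

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent
    return $item.$Name
}

function Get-AutoRunGaps {
    param($Mask)   # NoDriveTypeAutoRun bitmask; $null when the policy is not set
    $required = [ordered]@{ 'removable' = 0x04; 'CD-ROM' = 0x20 }
    foreach ($type in $required.Keys) {
        # A cleared bit (or a missing policy) means AutoRun is allowed for that type
        if ($null -eq $Mask -or -not ($Mask -band $required[$type])) { $type }
    }
}

$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbstor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

$mask  = Get-RegDword -Path $explorer -Name 'NoDriveTypeAutoRun'
$start = Get-RegDword -Path $usbstor  -Name 'Start'
$gaps  = @(Get-AutoRunGaps -Mask $mask)

$maskText  = if ($null -eq $mask)  { 'not set' } else { '0x{0:X2}' -f $mask }
$startText = if ($null -eq $start) { 'not set' } else { "$start" }
$autoRun   = if ($gaps.Count -gt 0) { "DRIFT: AutoRun allowed on $($gaps -join ', ')" } else { 'OK' }
$storage   = if ($start -eq 4) { 'OK' } else { 'DRIFT: USB storage driver not disabled' }

@(
    [pscustomobject]@{ Setting = 'NoDriveTypeAutoRun'; Value = $maskText;  Status = $autoRun }
    [pscustomobject]@{ Setting = 'USBSTOR\Start';      Value = $startText; Status = $storage }
) | Format-Table -AutoSize
```

Run on a schedule and compared against the previous result, a change from OK to DRIFT shows that someone has turned a setting back on.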
How we do it: By using FileSure Defend, you just block reading of executable code from removable drives and CD/DVDs and you’re done.
Specifically, how to do it: Here is a rule being defined in FileSure Defend, blocking reading of program files, batch files and script files (anything that could be malicious code) from any removable drive and applying the rule to all users.
Of course, you could choose specific files, things in a certain folder, different users or groups, times of day, or more to pinpoint exactly what you are trying to accomplish with the USB write block.
Whatever security option you choose, FileSure records the activity, can alert on it, reports on it and archives it centrally forever in an encrypted data store.