One of the many things I noticed at a plant is that there were no security controls preventing unauthorized devices from being connected to the control system servers and workstations. This had me thinking about the Data Loss Prevention (DLP) term that was coined a few years back. It was a term coined for solutions that help you manage the who, what, when, where, why, and how of accessing your data. One subcategory of this term is the external device control field (e.g. USB drives, Bluetooth devices, etc.), which lets you control which devices are allowed, which users are authorized to use them, and what access they are authorized for (i.e. read, read/write, none).
Back then there were few, if any, mature products out there. Looking at it now, the space seems to have finally matured, with products that have rich feature sets. Some examples of products are:
- GFI Security – EndPointSecurity
- Layton Technology – DeviceShield
- McAfee – Device Control
- Symantec – Endpoint Protection
All of the products listed above have the following features:
- Policy Management by User/Group, File Type, or Device Type/Vendor
- Activity Auditing
- Device Access and/or File Access Reporting
- Automated Network Discovery and Agent Deployment
Some of the products offer a few extras such as device encryption, Active Directory integration, and data mirroring. I have personally deployed DeviceShield and believe that it meets the basic needs of most asset owners (i.e. preventing unauthorized external storage devices). One of the things that I like most about DeviceShield is the minimalist nature of the client agent. It's made up of 3 files (the executable, the config file, and a history file). The install package installs it as a Win32 service and modifies the DACL so that nobody (including administrators) can make changes to the service. I will not mention that you could always manually change the DACL in order to give yourself access to the service temporarily. However, it will automatically check and correct its DACL and startup type when the service starts up.
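To show what "check the DACL" means in practice, here is an added example (my own Python, not DeviceShield's code and not from the original post) that parses a service security descriptor in SDDL form, which is what `sc.exe sdshow <ServiceName>` prints on Windows, and reports every principal holding a right that would let it reconfigure, delete or re-ACL the service. The two SDDL strings are constructed for the example (one resembling a stock service, one locked down); the service name is a placeholder. A monitoring job can run this against the agent's service after each boot to confirm the self-repair described above actually happened.

```python
"""Flag allow-ACEs in a service DACL (SDDL form) that grant modify rights.

Example code: the SDDL strings below are constructed, not captured from a
real DeviceShield install. Feed in the output of
`sc.exe sdshow <ServiceName>` to check a real service.
"""
import re

# Two-letter SDDL right codes that, on a service object, allow changing its
# configuration (DC), deleting it (SD), rewriting its DACL (WD) or owner (WO),
# or generic all/write (GA/GW), which imply the same.
MODIFY_CODES = {"DC", "SD", "WD", "WO", "GA", "GW"}
# Same rights as a hex access mask (SERVICE_CHANGE_CONFIG, DELETE, WRITE_DAC,
# WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE), for ACEs written as "0x...".
MODIFY_MASK = 0x0002 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")


def parse_dacl(sddl):
    """Return (ace_type, rights, sid) triples from the D: section of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE; skip rather than guess
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields[:6]
        aces.append((ace_type, rights, sid))
    return aces


def rights_allow_modify(rights):
    """True if a rights field (two-letter codes or a hex mask) includes a modify right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & MODIFY_MASK)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & MODIFY_CODES)


def find_modify_grants(sddl):
    """SIDs (or SDDL aliases such as BA) whose allow-ACE grants a modify right."""
    return [sid for ace_type, rights, sid in parse_dacl(sddl)
            if ace_type == "A" and rights_allow_modify(rights)]


def dacl_is_locked_down(sddl):
    """True when no principal at all can reconfigure, delete or re-ACL the service."""
    return not find_modify_grants(sddl)


# Constructed sample: a typical stock service lets Builtin Administrators (BA)
# change config (DC), delete (SD) and rewrite the DACL/owner (WD/WO).
STOCK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
# Constructed sample: the same service after the agent strips modify rights
# from everyone, leaving query/start/stop only.
LOCKED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCLCSWLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)")

if __name__ == "__main__":
    for name, sddl in (("stock", STOCK_SDDL), ("locked", LOCKED_SDDL)):
        print(name, "modify grants:", find_modify_grants(sddl))
```

Deny ACEs (type `D`) are ignored on purpose: they can only narrow access, so the interesting question is which allow ACEs remain. Any principal the function lists is a principal that could disable the agent without touching the DACL first.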
Furthermore, the policy engine is simple but configurable by groups or users. Policies can be created from scratch or copied from an existing template and are highly configurable with respect to port types (i.e. Bluetooth, serial, etc.), devices (i.e. peripherals, USB storage, etc.), device models (i.e. maker and model #), or file types. Most of the categories above allow you to select one of three main options: Enabled, Disabled, or Restricted. If Restricted is selected, you have the option to limit the actions taken on the object to read only, read/write, or read/write with forced encryption.
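The policy model described above is small enough to write down as code, so here is an added example (my own Python, not DeviceShield's engine and not from the original post) that evaluates a device access request against policies assigned by user or group, with rules per port type, device class, vendor/model and file type, each in the Enabled / Disabled / Restricted state, and Restricted narrowed to read-only, read/write or read/write with forced encryption. The precedence rules (user policy beats group policy, a model rule beats a device-class rule beats a port rule, no matching rule means deny) and the audit line format are this example's own assumptions; the vendor, model, user and group names are constructed.

```python
"""Toy device-control policy engine (example code; precedence rules and
sample data are assumptions, not DeviceShield's behaviour)."""
import copy
from dataclasses import dataclass, field

ENABLED, DISABLED, RESTRICTED = "enabled", "disabled", "restricted"
READ_ONLY, READ_WRITE, RW_ENCRYPT = "read-only", "read/write", "read/write-encrypted"


@dataclass
class Rule:
    state: str              # ENABLED, DISABLED or RESTRICTED
    mode: str = READ_WRITE  # consulted only when state == RESTRICTED


@dataclass
class Policy:
    name: str
    ports: dict = field(default_factory=dict)       # "usb", "bluetooth", "serial" -> Rule
    devices: dict = field(default_factory=dict)     # "usb-storage", "peripheral" -> Rule
    models: dict = field(default_factory=dict)      # (vendor, model) -> Rule
    file_types: dict = field(default_factory=dict)  # "exe", "pdf" -> Rule


def policy_from_template(template, name, **changes):
    """Copy an existing policy and override chosen categories (the
    'copied from an existing template' workflow)."""
    p = copy.deepcopy(template)
    p.name = name
    for category, rules in changes.items():
        getattr(p, category).update(rules)
    return p


@dataclass
class AccessRequest:
    user: str
    groups: list
    port: str
    device_class: str
    vendor: str
    model: str
    action: str              # "read" or "write"
    filename: str = ""
    encrypted: bool = False  # True when the device is already encrypted


def select_policy(req, user_policies, group_policies, default):
    """Assumption: per-user policy beats group policy beats the default."""
    if req.user in user_policies:
        return user_policies[req.user]
    for g in req.groups:
        if g in group_policies:
            return group_policies[g]
    return default


def evaluate(req, policy):
    """Return (allowed, reason). Assumption: most specific device rule wins
    (model > device class > port); no match means deny; the file-type rule
    is then applied to the file being touched."""
    rule = (policy.models.get((req.vendor, req.model))
            or policy.devices.get(req.device_class)
            or policy.ports.get(req.port)
            or Rule(DISABLED))
    if rule.state == DISABLED:
        return False, "device disabled by policy"
    if rule.state == RESTRICTED and req.action == "write":
        if rule.mode == READ_ONLY:
            return False, "device is read-only"
        if rule.mode == RW_ENCRYPT and not req.encrypted:
            return False, "write requires an encrypted device"
    ext = req.filename.rsplit(".", 1)[-1].lower() if "." in req.filename else ""
    frule = policy.file_types.get(ext)
    if frule is not None:
        if frule.state == DISABLED:
            return False, "file type blocked"
        if frule.state == RESTRICTED and frule.mode == READ_ONLY and req.action == "write":
            return False, "file type is read-only"
    return True, "allowed"


def audit_line(req, policy, allowed, reason):
    """One activity-audit record per decision (format is this example's own)."""
    return "user=%s policy=%s device=%s/%s %s:%s action=%s file=%s result=%s reason=%s" % (
        req.user, policy.name, req.port, req.device_class, req.vendor, req.model,
        req.action, req.filename or "-", "ALLOW" if allowed else "DENY", reason)


# Constructed sample policies: a locked-down baseline, an engineering template
# that opens USB storage read-only, and one user who may write to a single
# approved vendor/model, but only with forced encryption.
BASELINE = Policy("baseline",
                  ports={"usb": Rule(ENABLED), "bluetooth": Rule(DISABLED), "serial": Rule(ENABLED)},
                  devices={"usb-storage": Rule(DISABLED), "peripheral": Rule(ENABLED)},
                  file_types={"exe": Rule(DISABLED)})
ENGINEERING = policy_from_template(BASELINE, "engineering",
                                   devices={"usb-storage": Rule(RESTRICTED, READ_ONLY)})
OPS_LEAD = policy_from_template(ENGINEERING, "ops-lead",
                                models={("ExampleVendor", "Model-X"): Rule(RESTRICTED, RW_ENCRYPT)})
GROUP_POLICIES = {"engineering": ENGINEERING}
USER_POLICIES = {"opslead": OPS_LEAD}


def decide(req):
    """Pick the policy for the requester, evaluate, and produce the audit record."""
    policy = select_policy(req, USER_POLICIES, GROUP_POLICIES, BASELINE)
    allowed, reason = evaluate(req, policy)
    return allowed, reason, audit_line(req, policy, allowed, reason)


if __name__ == "__main__":
    print(decide(AccessRequest("alice", ["engineering"], "usb", "usb-storage",
                               "Generic", "Flash", "write", "export.csv"))[2])
```

The default-deny fallback matters most in plant environments: a new device class that nobody has written a rule for should be blocked until someone decides otherwise, which is the point of the template-copy workflow.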
Either way, you more than likely already have a product from one of the large anti-malware players installed, so you should do your own evaluation of which product fits your environment and Ops personnel best. This is a solution you should be using to its fullest, especially in environments where hardware profiles do not change often.