
An introduction to how smartphones and removable media work on Windows computers

Have you ever attached your smartphone to your Windows computer and then looked at the phone in Windows Explorer?  The phone gets listed in Explorer and you can even copy files to it (Apple being the exception).  What makes the phone different from a regular storage device is that it does not get assigned a drive letter.  Some of the older (1-2 years ago…smile) phones get assigned a drive letter, but the newer phones being sold today do not.

The cool thing about Explorer is that, in general, the end user's experience of working with either a drive-letter device or a storage device such as the phone is pretty much identical.  You can drag (copy) files to these devices, open files, create folders, etc.

So what is happening under the covers that lets Explorer handle non-drive-letter devices like drive-letter devices?  The answer is a Microsoft technology called Windows Portable Devices (WPD).  WPD is implemented as a device driver and is exposed to the non-kernel (i.e. user-mode) layer as COM objects.  Microsoft makes WPD available to the hardware manufacturers who make smartphones or any other type of plug-and-play hardware.  The hardware manufacturers lean towards using WPD because then they do not have to develop their own software to integrate their hardware into Windows.  Having worked with the WPD COM API, I will tell you that Microsoft has done a great job at implementing this technology.  The only thing I could say that would make it even better is if it were exposed in WMI so IT admins could have easy scripting access to the WPD information.  So that is what we did.  The PowerShell line below will show you the WPD devices attached to a Windows computer:

Get-WmiObject Win32ext_WPD

At Squadra Technologies, we have a security product called secRMM that focuses on securing any type of plug-and-play storage device.  That includes the new smartphone devices.  Our goal was to make the WPD devices and the file system devices (i.e. those that get assigned a drive letter) the same within secRMM.    Since secRMM needed to access the WPD information, we decided that we might as well write a WMI provider for the WPD information so that even if you did not use secRMM, you could still get at the WPD data.  The WPD WMI provider gets installed with the secRMM product.  Again, you do not need to buy secRMM to get the functionality of the WPD WMI provider.

If you do not write in PowerShell, here is another example in VBScript:

' Connect to the default WMI namespace on the local computer
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
' Query the WPD WMI provider class installed with secRMM
Set colItems = objWMIService.ExecQuery("Select * from Win32ext_WPD")
For Each objItem in colItems
    Wscript.Echo "WPD device: " & _
        "Friendly Name: " & objItem.strFriendlyName & _
        ", Manufacturer: " & objItem.strManufacturer & _
        ", Description: " & objItem.strDescription & _
        ", Serial Number: " & objItem.strSerialNumber
Next
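The same Win32ext_WPD class can feed a simple attached-device audit.  The script below is an added example, not code from the original post or from secRMM: it lists WPD devices whose serial number is not on an approved list and records each one in the Application event log.  The property names come from the VBScript above; the approved serial numbers and the WpdAudit event source are constructed placeholders.

```powershell
# Added example: flag WPD devices not on an approved serial-number list using the
# Win32ext_WPD class queried in the post. Serial numbers and the event source
# name below are constructed placeholders, not real values.

$ApprovedSerials = @(
    'EXAMPLE-SERIAL-0001',   # constructed placeholder values
    'EXAMPLE-SERIAL-0002'
)

function Get-UnapprovedWpdDevice {
    param(
        [string[]]$Approved     = $ApprovedSerials,
        [string]  $ComputerName = '.'
    )

    # Same class the post queries with: Get-WmiObject Win32ext_WPD
    $devices = Get-WmiObject -Class Win32ext_WPD -ComputerName $ComputerName

    foreach ($d in $devices) {
        $serial = [string]$d.strSerialNumber
        if ($Approved -notcontains $serial) {
            # Plain object so the result can be piped to a report or a SIEM forwarder
            [pscustomobject]@{
                ComputerName = $ComputerName
                FriendlyName = $d.strFriendlyName
                Manufacturer = $d.strManufacturer
                Description  = $d.strDescription
                SerialNumber = $serial
                SeenAt       = Get-Date
            }
        }
    }
}

function Write-UnapprovedWpdEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Device,
        [string]$Source = 'WpdAudit'   # assumed source; register once (elevated) with:
                                       #   New-EventLog -LogName Application -Source WpdAudit
    )
    process {
        $msg = 'Unapproved WPD device attached: {0} ({1}) serial {2}' -f `
               $Device.FriendlyName, $Device.Manufacturer, $Device.SerialNumber
        Write-EventLog -LogName Application -Source $Source -EntryType Warning `
                       -EventId 4001 -Message $msg
    }
}

$found = @(Get-UnapprovedWpdDevice)
$found | Format-Table -AutoSize
if ($found.Count -gt 0) { $found | Write-UnapprovedWpdEvent }
```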

We will continue to work hard to stay on the leading edge of all the device technology coming into the market and share what we discover.  We hope this introduction was informative.  If you have any questions, please contact me at anthony@squadratechnologies.com.


USB security issues in the government

There are two major issues with removable media in today's world. First, information is being stored on removable media devices with little or no security measures implemented, and by security measures I mean both physical and software based, as was recently pointed out in a massive security breach in Ontario, Canada. The second problem is just as bad. It appears that most folks who come across a thumb drive sitting in a public location will pick it up, and what's worse, they'll actually plug it into their trusted computer systems to check it out. This is a hacker's dream come true and the easiest way to infiltrate corporations and government institutions to install malicious code.  Whether it's protecting against data loss or protecting against intrusion, there must be appropriate solutions put in place to protect organizations.

If you read the two articles for the U.S. government and the Canadian government, you can see that removable media (i.e. smart phones, USB flash/thumb drives, external disks, etc.) are still a serious security concern.  Without a piece of software that acts like a firewall between removable media and the operating system, the security breaches involving removable media will continue.  We here at Squadra Technologies have addressed this very issue.  Our flagship product "security Removable Media Manager" (secRMM) is a software firewall between the Windows OS and the removable media devices.  Every file that gets written to the removable media device is logged.  In addition, secRMM tells you the user, the program and, most importantly, the complete path of the file(s) that were written to the removable media device.  We make a strong point of mentioning the complete path of the file because to us here at Squadra Technologies, it is logical that this is the most crucial piece of information you must collect in order to solve the security issues around data leaving the organization's network/domain.  Believe it or not, however, most removable media security solutions on the market today are not collecting this crucial data, including the biggest security companies.  Organizations must implement a solution like secRMM to properly audit the write activity to removable media; otherwise, security breaches like those mentioned in the articles will continue to occur.


Rounding out System Center EndPoint Protection 2012

Microsoft introduced System Center EndPoint Protection 2012 (SCEP) (formerly known as ForeFront EndPoint Protection or FEP :-) ) at the Microsoft Management Summit (MMS) 2012 conference. What is really great about bringing SCEP into System Center is that now customers will get to protect their workstations and servers from malware by owning a System Center Enterprise license.  This is going to let organizations run a pure Microsoft solution set without having to go to an outside vendor to get their malware protection.

I think SCEP is missing one key component that the other security vendors provide with their framework solutions.  That missing component is broadly called Data Leak (or Loss) Prevention (DLP).  Some tell me that Microsoft “BitLocker To Go” addresses that.  This is not entirely true.  DLP and encryption technology must both be present to address removable media (i.e. smart phones, usb/flash drives, external storage, bluetooth storage, SD-Cards, etc.).  So while “BitLocker To Go” is necessary, it does not address DLP.

In the security space, we must take removable media seriously, especially if you need to show compliance with regulations such as HIPAA and/or PCI.  Removable media devices allow ordinary end users (those people who really don't know much about IT) to be as powerful and destructive (from a company perspective) as the greatest hacker in the world!  Why?  Anyone can attach a removable media device to their workstation or server and copy local or network files to the device (given they have at least read access).  The fact that they copied data to the device is not logged anywhere!  I know a lot of organizations simply lock down the USB ports.  However, this is counter-productive for the employees who are just trying to get their jobs done (especially the IT guys).

What would be ideal is if we could allow removable media to be used in the corporation and be guaranteed that whatever files were copied to a removable media device were tracked/audited, something similar to the Windows security events written when a user logs in and logs out.  Squadra Technologies' Security Removable Media Manager (secRMM) does just that…and much more!

If you are the person responsible for security audits, you will want to know that when a file is written to a removable media device, secRMM records the user (and SID), the file (source and destination), the source file size, the source file's last-written time, the removable media device serial number, model, description, logical drive, volume name, the program used to perform the copy and the program PID.  If the program is CMD, Explorer, VBScript, JScript, PowerShell or (especially) the "Windows Explorer like" secRMM GUI named SafeCopy, you get additional details of what exactly the user did to invoke the copy.  Other secRMM events (btw, secRMM logs events to both the Security event log and its own "secRMM" event log) are online and offline removable media events, administration change events and authorization failure events (because secRMM also lets you control how removable media gets used).

secRMM's architecture relies solely on the base Windows Operating System.  It comes with a Microsoft Operations Manager (OpsMgr) Management Pack (MP) and has reports for both the OpsMgr Data Warehouse and the OpsMgr Audit Collection Services (ACS) databases.  The auditing capabilities of secRMM surpass all of the big name solutions in the DLP space.  One other important feature that secRMM provides is the concept, now also found in Configuration Manager, of policy that "follows the user".  secRMM is compatible with hardware and software encryption solutions (including Microsoft "BitLocker To Go") and works with any removable media device.  There are many more benefits to secRMM and I urge you to take 15 minutes to explore this great solution.

Combining Microsoft System Center EndPoint Protection 2012 with Squadra Technologies Security Removable Media Manager is a winning combination!


What is and why secRMM

What:  secRMM is short for “Security Removable Media Manager”.  secRMM is Windows security software built specifically to address removable media security issues.

Why:  secRMM addresses the shortcomings of monitoring and access control for write activity to removable media devices.  Today, people can copy files to removable media without anyone knowing: 1. what they copied, 2. who copied, 3. how they copied, 4. when they copied and 5. from where they copied.  The secRMM monitoring component allows you to answer these questions.  This is important for all the privacy regulations that are prevalent in the business world (medical, financial, credit card, etc.) today.

In addition to solving monitoring of removable media, secRMM lets security and IT administrators control access (for writing) to removable media.  The secRMM access control module is very easy to use yet extremely powerful.  You can perform such tasks as: 1. locking down a computer so no removable media write activity can occur, 2. allowing specific users only, 3. allowing specific removable media serial numbers only, 4. allowing specific programs only, 5. limiting which network or local directories a user can copy files from, 6. limiting what file types (via file extensions) a user can copy.

With secRMM in your environment, security and IT administrators will be able to account for all files written to removable media.  If a WikiLeaks type of security incident does occur involving removable media, you will be able to track it to the exact user, file, date/time, computer, program and removable media device.  Of course, secRMM is designed to help you prevent security incidents from occurring in the first place.

What makes secRMM different from the other removable media solutions?

  1. On-demand software – Unlike other solutions, secRMM is not always running.  It automatically gets loaded by Windows when a removable media device is plugged into the computer.  Most of the other solutions have an agent running all the time.
  2. Capture full path of source file(s) in the forensic data collected – secRMM is the only solution on the market today that can capture the full path of the source file being written to the removable media device.  All of the other solutions on the market today do not capture this information; they ONLY list the name of the file as it resides on the removable media device.  Squadra Technologies believes that the source file is one of the most important pieces of information that should be captured when dealing with removable media.
  3. Capture detailed forensic data on the process/program being used to perform the write – secRMM performs special processing for Windows Explorer, CMD (DOS window) and scripts to collect additional details so that security and IT administrators can completely understand what the end user did to perform the file write to the removable media device.
  4. No framework required – secRMM installs to workstations and servers without the need for a separate server, database, web server or console.  secRMM requires only the features of the base Windows Operating System.  The secRMM monitoring data is written to the Windows Security event log.  secRMM also writes the event data to its own event log named secRMM.  Therefore, secRMM double logs the event data to both the Security and the secRMM event log.  Security and IT administrators configure secRMM via the Microsoft MMC Computer Management program.
  5. Works with all hardware and software encryption solutions – secRMM does not interfere with encryption solutions you may already have in place in your environment.  An example of a software encryption solution is Microsoft BitLocker.  There are many encrypting USB drives on the market today.
  6. Easy integration into systems/enterprise management products and SIEM products – Most IT environments have a framework/program that monitors the health and state of the IT environment.  Some of the most popular frameworks/programs are Microsoft Operations Manager, IBM Tivoli/Director, HP OpenView, CA UniCenter, etc.  All of these programs can read events from the Windows event logs.  Hence, they are capable of reading the secRMM event data (either from the Security or secRMM event log).  In addition, secRMM supports generating SNMP traps (equivalent to the event log data).  secRMM can generate SNMP v1, v2 and v3 traps.
  7. 100% scriptable and 100% .Net integration – Many IT environments rely on automation to perform repetitive tasks to reduce human intervention and to reduce delay.  The backbone of automation is typically done with scripts.  secRMM is 100% scriptable and can therefore be integrated into the automation implementation of the IT environment.
  8. End-User application (GUI) to write to removable media – secRMM ships with a Windows GUI program called SafeCopy.  secRMM can "force" end users to use SafeCopy.  If the user attempts to write to a removable media device using any other program (except SafeCopy), the write operation will fail.  Of course, secRMM will record the write operation failure.  SafeCopy works in conjunction with the base secRMM program to record additional details/events about what the end user is doing regarding the removable media devices.  When you use secRMM with SafeCopy, not only do you get an advanced level of removable media monitoring but you can also implement an "enforceable two man policy" when writing to removable media.
  9. Enforceable two man policy – secRMM SafeCopy can require two individuals (one must be an administrator) to be involved when writing to removable media.  The two man policy is a common practice in high security environments such as the military and government.
  10. Restrict input directories to copy from – Since secRMM can capture the source file, it has a property that restricts the directories that the end user can copy files from.  This is a feature of secRMM but is amplified when the end user uses SafeCopy, since SafeCopy disables ("greys out") the directories that the end user cannot access.
  11. Device tracking – When you use secRMM SafeCopy, you will be able to (given the actual removable media device) tell: 1. who last wrote to the removable media device, 2. what computer they used, 3. the date/time they used the removable media device, 4. if the two man policy is active, which administrator approved the use.  Device tracking is useful for lost or stolen removable media devices.  If you are operating in a high security environment, you can perform audits of the removable media devices at any time.
  12. Simple to deploy – Since secRMM does not require a separate framework (i.e. dedicated server, database, web server or console), deployment of secRMM is very simple.  For large deployments, secRMM can be rolled out using Active Directory Group Policy Objects or any deployment product (such as Microsoft Configuration Manager/SMS).
  13. Very little training required – Since secRMM uses the features of the base Operating System, security and IT administrators will require little additional knowledge to begin using secRMM.
  14. Solves a specific security problem – Most software security solutions provide a Swiss Army knife approach to your security needs.  This is unfortunate since the security issues of removable media are only weakly addressed.  Worse yet, deployment of these large solutions requires separate servers, databases, web servers and consoles.  secRMM is a first class solution addressing the true security requirements of removable media.  secRMM does not require implementing a separate framework.

secRMM version 2.0 released!

To start the New Year off right, we released secRMM version 2.0 this week!  Check out our latest videos to see some of the new features in secRMM version 2.0.
