USB Devices: “Analyzing security”: “what is happening in my environment” using Excel Charts

02/08/2019 – secRMM is Windows security software that records all the events related to USB storage devices.  This includes thumb/flash drives, external hard drives, SD-Cards and mobile devices.  With secRMM, you see the who, what, when, where and how about all the USB storage in your computer environment.

secRMM comes with a utility to help you analyze the data in an easy way.  The utility is called the secRMM Excel Add-In.  As the name implies, it extends Excel.  Microsoft offers Office Add-Ins for most of the programs in the Office suite.

secRMM Excel Add-In Ribbon Bar (click to enlarge screenshot)

As you can see in the screenshot above, Excel has a tab in the ribbon bar named secRMM.  The secRMM section contains various methods for you to pull the secRMM data into the Excel Worksheets.  Once you have loaded the secRMM security data, you can use all the native Excel features (filtering, finds, macros, etc.).

We have added a new feature into the secRMM Add-In.  This is the “Charts” feature.  While you can manipulate the data in any way you want to make your own Charts, we made an automated way for you to see the most common scenarios with just a couple of mouse clicks.

secRMM Charts button (click to enlarge screenshot)

Once you have some secRMM data loaded and you click the Charts button, you will be presented with a dialog (see below) that will let you specify the start/end times and the chart(s) you want to generate.  You can also specify what type of Excel chart to create for each chart.  Microsoft offers many Excel chart types.  The Excel chart type is totally up to you.

secRMM Charts input form (click to enlarge screenshot)

Once you specify your time range, which charts and chart type, you will see the charts on the “Charts” worksheet (see below).

Currently, the automated charts are for:

1. secRMM events
2. Users
3. Computers
4. USB Devices

As you can see in the screenshots below (btw, the data at the axis has intentionally been chopped), you can easily see the: who (users), what (events), when (via time range), where (computer) and how (devices) of USB security activity occurring in your environment.

We hope the secRMM charts help you easily analyze your USB security data.  Please let us know if you have any questions.  You can reach us at support@squadratechnologies.com.

secRMM Events Chart (click to enlarge screenshot)

secRMM Users Chart (click to enlarge screenshot)

secRMM Computers Chart (click to enlarge screenshot)

secRMM Devices Chart (click to enlarge screenshot)

Advertisements

Combine “Mobile Device Management” (MDM) with USB Plug/Play “Data Loss Prevention” (DLP) using SCCM and/or Intune

01/29/2018 – secRMM has a security property that applies specifically to mobile devices. secRMM can verify when a mobile device is connected to a Windows computer over a USB cable if that device is enrolled in your organizations MDM. If it is not, secRMM can either unmount the device or prevent files from being copied to it. secRMM gets the list of mobile devices from either Microsoft Intune (Microsoft’s MDM) or from Microsoft System Center Configuration Manager (a complete enterprise configuration management and security tool) (SCCM). Below, are some of the relevant screenshots of how the components get tied together and just what they look like if you have not seen them.

SCCM and Intune exchange mobile device information thru a data connector. You define the data connector in the SCCM console (screen shot below).  Microsoft calls this a “Microsoft Intune Subscription”.  This terminology matches up with how you buy Intune (as a service subscription).

SCCM/Intune data connector

The next screen shot below is of the Intune console within Azure. It is a list of the mobile devices that are defined in our organizations cloud instance. This instance is used for our development purposes only.

Microsoft Azure Intune portal

When the Intune/SCCM data connector is active, then you can see the mobile devices in Intune show (and are managed) by SCCM (see screenshot below).

SCCM console for mobile devices

From the SCCM console (with the secRMM SCCM Console Extension installed), you can use SCCM to configure secRMM so that when the mobile device is connected to a Windows computer over USB, secRMM will see if it is enrolled in either Intune or SCCM.

The screenshot below shows how to tell secRMM whether to use Intune or SCCM data to verify if the mobile device is enrolled.

SCCM console to configure ‘RequreMDMEnrollment’

One important configuration item is the secRMM MDM Cache. Using the secRMM MDM Cache improves runtime performance and minimizes the number of times it will call into Intune or SCCM.

The last configuration step is associating the mobile device as it is defined in Intune or SCCM with the mobile device firmware serial number that secRMM uses when it is connected to a Windows computer over a USB cable. To make this association, there is a secRMM “link mobile device” utility (see screen shot below).

secRMM link mobile devices utility

secRMM link mobile devices utility

You get the firmware serial number that secRMM uses to identify the mobile device from the secRMM event data (screen shot below).

secRMM ONLINE event for a mobile device

If the mobile device is not enrolled, the end user will get a pop-up error (screenshot below).

mobile device is not MDM enrolled user pop-up error message

As the system or security administrator, you will see an error generated by secRMM as shown in the secRMM Excel AddIn utility (screenshot below).

secRMM error ONLINE event for mobile device not MDM enrolled

We understand there are many pieces to line up. Feel free to contact Squadra Technologies support to help in getting this powerful security feature up and running in your environment. Visit http://www.squadratechnologies.com for more information about secRMM.

GDPR – COMPLIANCE WILL REQUIRE ADDRESSING USB DATA LOSS – PART 2

Two weeks ago we wrote about GDPR and the requirement to address USB Data Loss.  This week we will be diving deeper into the specifics of GDPR, our interpretation and how secRMM can help.

As a recap, GDPR is the new regulation to protect EU citizens’ personal data, replacing the current directive from 1995 and establishing a single set of rules across the European Union.

GDPR outlines a set of obligations organizations have with respect to data encryption and storage, handling personal data as well as record keeping and breach notification.  Failure to meet those obligations can be costly, with fines ranging up to €20 million, or 4% of a company’s total worldwide sales, whichever is greater. Non-European companies don’t escape the reach of GDPR either.  By having even a single European customer a non-EU based company is required to meet the GDPR requirements.

Below we will highlight the specific GDPR articles that relate to USB Data Loss, our interpretations of the requirements and how we can help.

Article 30 – Records of Processing Activities

GDPR specifies: 1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information. g) a general description of the technical and organizational security measures referred to in Article 32(1).”

 

“2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing d) where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

 

Out interpretation: Records are fundamentally audit logs.  When it comes to copying data on and off USB devices it is critical that very detailed audit records are created and stored.

How secRMM can help:  secRMM has unrivaled audit capability.  All data being copied to USB devices is fully audited and stored to the windows event log.  From the source perspective, this includes full path information, including network path as well as machine and user identifiers.  From the USB destination perspective this captures device identifier and manufacturer.

 

Article 32 – “Security of processing” – Part 1 a,b

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

=> Article: 4

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

 

Our interpretation:  As it applies to USB devices, this part of article 32 fundamentally means encryption.  Confidentiality is about protecting the information from disclosure to unauthorized parties.  When it comes to USB, the best mechanism to do that is to block copying of data to removable devices or to ensure that any data copied to those devices is encrypted.

How secRMM can help.  secRMM has robust controls to manage access to USB and attached removable devices.  secRMM has the capability to deny write access to non-encrypted storage.  You have the ability to block or allow devices by vendor ID and device ID.  With smartphones replacing thumb-drives as an easily accessible removable media, you can even require on-device authentication using the secRMM app to be sure that only authorized users are able to copy files to only authorized removable devices.  Additionally this allows you to continue to support USB and not completely block use of it so that you do not hamper employee productivity with unnecessary roadblocks.

 

Article 32 – “Security of processing” – Part 2

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

Our interpretation:  This part is about preventing data leakage. From a USB perspective this is a requirement to prevent the “USB device found in parking lot with customer data” from happening in the future.

How secRMM can help – secRMM is a Data Loss Prevention solution for USB and Removable Media.  Similar to above with confidentiality which is ultimately about preventing unauthorized disclosure.  Using secRMM’s capabilities to require encryption, specific supported secure devices and on-device authentication via our smartphone app will allow you to meet this requirement when it comes to USB and removable media.  Additionally, secRMM has controls to prevent writing of data to USB devices by file type or name, providing an additional level of control to prevent unauthorized copying of personal data to removable devices.

Article 32 – “Security of processing” – Part 4

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

 

Our interpretation: From a USB and policy point of view, this requires that actions taken to move personal data to USB removable storage are done so on instruction from the controller.  From a technology implementation perspective this is addressed by deploying policy around how information may be accessed and copied to USB, and modifications to those policies are logged into audit log.

How secRMM can help: secRMM provides the facility to not only audit and control the capabilities to access and write to USB removable media, it also audits the modification of the policies.  This ensures that any action taken by the administrator – in this case you could interpret as the controller or under the authority of the controller.  In this case you can be sure that all changes to policy  are logged and recorded to support your adherence to this requirement.

GDPR is coming quickly and will be enforced May, 2018.  Take the time now to ensure that USB and removable media are part of your data protection plan.

What to do next?

Contact us to see a demonstration of our solution.

Or watch an overview of the secRMM integration with Microsoft Systems Center.

Or if you’re really impatient, jump right to downloading the trial.

My Apple Mobile Device stopped charging over USB on W10!

secRMM has always been able to offer a feature that blocks mobile devices (well, any removable storage for that matter) from mounting their file system to Windows when attached over USB but still lets it pull power from the USB port.  This is the best of both worlds for the end-user and the security administrator because the end-user can still charge their mobile device and/or listen to their music while the security administrator can be assured that the end-user cannot copy files to the device.  Regardless of secRMM, Apple has made it pretty difficult to transfer files to the Apple device.  However, secRMM comes with GUI programs that exposes more of the Apple mobile devices file system, allowing the end-user to copy files to and from the device into their app data directory(s).  That is contradictory to secRMMs security features but some organizations require file transfer functionality to Apple devices, especially if they have large amounts of data to transfer.  The secRMM GUI still adheres to the secRMM security policies (of course).  That is not the subject of this blog however.

We received a support incident from one of our customers.  He said that when they upgraded to Windows 10, their users were complaining that their Apple devices stopped pulling power when connected to the USB port.  Searching the Internet took us to https://discussions.apple.com/thread/6773753?start=0&tstart=0.  If you do a text search in your browser (once you are on the URL) for “Fix 2:”, you will see how to fix the issue.  There were lots of responses to the suggested fix, from SCCM Administrators.  So, we knew we had to pursue this approach.  

We did end up making a SCCM script application since the fix had to be implemented on all the W10 machines in the environment.  Below is the CMD script that we deployed via SCCM.  You need to make sure that the two Apple MSI files (appleapplicationsupport64.msi and applemobiledevicesupport6464.msi) are in the same directory as the script.  I am sure someone out there will be able to offer improvements to the script…so we are anxious to hear from you!

In summary, secRMM continues to help IT organizations and security professionals manage the events around removable storage, especially mobile technology but sometimes, you have to tweak the environment!  Please let us know what you think.

 

 

@ECHO OFF
REM **************************************************************************
REM
REM Module: AppleDriverFix.cmd version 3
REM
REM Purpose: Fix registry so that apple device drivers can be upgraded
REM
REM Reason: On W10, if the apple drivers are not loaded and the apple
REM mobile device is not mounted to the W10 OS but physically
REM connected with a USB cable, the apple mobile device does not
REM charge (i.e. pull power thru the USB cable). This will happen
REM if you use the “Enforce when device is plugged in” on one of
REM the secRMM policy(s).
REM
REM Copyright (c) 2017 Squadra Technologies
REM
REM **************************************************************************

setlocal EnableExtensions EnableDelayedExpansion
set regkeyroot=HKEY_CLASSES_ROOT\Installer\Products
set regvalue=ProductName
set regvalue2=Version
set regvaluevaluetofind=Apple Application Support (64-bit)
set secRMMVersionFix=3
set AppleInstall1=”%~dp0%appleapplicationsupport64.msi”
set AppleInstall2=”%~dp0%applemobiledevicesupport6464.msi”

REM set logToNetworkShare=
set logToNetworkShare=\\Server1\Apps\SysUtils\SecRMM\AppleDriverFixLogs\

if “%logToNetworkShare%” == “” (
set log=”%~dp0%COMPUTERNAME%_%~n0.log”
) else (
set log=”%logToNetworkShare%%COMPUTERNAME%_%~n0.log”
)

set regfile=”%~dp0%~n0.reg”
if exist %log% del %log%
if exist %regfile% del %regfile%

@echo %COMPUTERNAME% > %log%
call :GetAppleApplicationSupportProduct
if defined regkey (
@echo Found registry key !regkey! as !regvaluevalue! >> %log%
call :GetAppleApplicationSupportVersion
if defined regvalueVersion (
@echo Found registry value %regvalue2% value as !regvalueVersion! >> %log%
IF EXIST %AppleInstall1% (
IF EXIST %AppleInstall2% (
if NOT “!regvalueVersion!” == “0x0” (
CALL :UpdateRegistry 0
if !UpdatedRegistry! EQU 0 (
call :CallMsiexecForAppleDrivers
) else (
@echo Registry fix for %regkey% failed >> %log%
)
) else (
echo regkey Version is already 0 !regvalueVersion! >> %log%
CALL :UpdateRegistry 1
if !UpdatedRegistry! EQU 0 (
call :CallMsiexecForAppleDrivers
) else (
@echo Registry fix for %regkey% failed >> %log%
)
)
) ELSE (
@echo %AppleInstall2% NOT FOUND. >> %log%
)
) ELSE (
@echo %AppleInstall1% NOT FOUND. >> %log%
)
) else (
echo regkey Version is not found >> %log%
)
) else (
echo regkey is not found >> %log%
)

exit /b 0

REM ==========================================================================
:GetAppleApplicationSupportProduct
FOR /F “usebackq tokens=1-2,*” %%A IN (`REG QUERY %regkeyroot% /F %regvalue% /s`) DO (
IF “%%B” == “” (
SET regkey=%%A
) ELSE (
SET regvalue1=%%A
SET regdatatype=%%B
SET regvaluevalue=%%C

IF “!regvaluevalue!” == “!regvaluevaluetofind!” (
goto :FoundRegKey
)
)
)
:FoundRegKey
exit /b 0

REM ==========================================================================
:GetAppleApplicationSupportVersion
FOR /F “usebackq skip=2 tokens=1-2,*” %%A IN (`REG QUERY %regkey% /F %regvalue2%`) DO (
set regvalueVersion=%%C
goto :FoundVersion
)
:FoundVersion
exit /b 0

REM ==========================================================================
:UpdateRegistry
echo Windows Registry Editor Version 5.00 > %regfile%
echo( >> %regfile%
echo ^; ProductName=Apple Application Support ^(64-bit^) fix 5010000 >> %regfile%
echo [%regkey%] >> %regfile%
if “%1″==”0” (echo “Version”=dword:0 >> %regfile%)
echo “secRMMVersionFix”=dword:%secRMMVersionFix% >> %regfile%
@echo Calling reg import. >> %log%
REG.exe IMPORT %regfile% > nul 2>&1
if %ERRORLEVEL% EQU 0 (
@echo Registry fix for %regkey% succeeded >> %log%
set UpdatedRegistry=0
) else (
set UpdatedRegistry=1
)

exit /b !UpdatedRegistry!

REM ==========================================================================
:CallMsiexecForAppleDrivers
IF EXIST %AppleInstall1% (
IF EXIST %AppleInstall2% (
set MsiexecAppleInstall1=msiexec /i %AppleInstall1% /quiet
set MsiexecAppleInstall2=msiexec /i %AppleInstall2% /quiet

@echo %MsiexecAppleInstall1% >> %log%
%MsiexecAppleInstall1%

@echo %MsiexecAppleInstall2% >> %log%
%MsiexecAppleInstall2%
) ELSE (
@echo %AppleInstall2% NOT FOUND. >> %log%
)
) ELSE (
@echo %AppleInstall1% NOT FOUND. >> %log%
)

exit /b 0

REM ==========================================================================
:EOF
endlocal

GDPR – Compliance will require addressing USB Data Loss

What is GDPR in Europe and how can it impact non-EU businesses?

General Data Protection Regulation (GDPR) is rapidly approaching, organizations need to get their compliance practices in place or face some pretty steep fines.  GDPR is the new regulation to protect EU citizens’ personal data, replacing the current directive from 1995 and establishing a single set of rules across the European Union. GDPR outlines a set of obligations organizations have with respect to data encryption and storage, handling personal data as well as record keeping and breach notification.  Failure to meet those obligations can be costly, with fines ranging up to €20 million, or 4% of a company’s total worldwide sales, whichever is greater.

Non-European companies don’t escape the reach of GDPR.  By having even a single European customer a non-EU based company is required to meet the GDPR requirements.

USB Data Loss Risk

One area that has potential to be overlooked in the technical implementation of GDPR requirements is USB and removable media.  Removable media accessed through USB is an extremely convenient and reliable way to easily transfer data.  However, as was recently highlighted with the Heathrow Airport USB leak, a single lost USB drive can have serious consequences for your organization.  Fold GDPR into the mix and that thumbdrive containing customer data accidentally dropped in a parking lot or left in a taxi can have extreme financial consequences.

How can secRMM Help?

Implementing a DLP solution such as secRMM can be a key piece of technology to address the GDPR requirements that impact USB and removable media.  First, secRMM provides the ability to restrict the copying of specific files or folders to USB mounted devices. This can be a mechanism to ensure the only specific data is permitted to be copied to removable storage.  The second is encryption. Using secRMM you can ensure that the only connected USB devices are corporate approved encrypted thumbdrives.  Lastly, secRMM has extensive auditing capabilities.  GDPR has stringent record keeping requirements, using secRMM you will have extremely detailed audit logs capturing details of files transferred to storage, the type of device transferred to as well as which user and computer facilitated the transfer.  

GDPR is coming quickly and will be enforced May, 2018.  Take the time now to ensure that USB and removable media are part of your data protection plan.

What to do next?

Contact us to see a demonstration of our solution.

Or watch an overview of the secRMM integration with Microsoft Systems Center.

Or if you’re really impatient, jump right to downloading the trial.

 

Heathrow Lost USB Underscores Importance of DLP

This past week a USB stick was found on the ground in the Queen’s Park area of London UK.  It turns out the USB drive contained confidential details of the security practice for Heathrow Airport.  The man who found the drive provided it to a British newspaper – The Sunday Mirror who then provided it to the authorities.  Contained on the drive was 2.5 GB of data across 76 folders, many files being marked as “Confidential” or “Restricted”.  The contents outlined sensitive details on tunnels linking the airport to the Heathrow Express Line, as well as airport screening procedures for VIP’s and Cabinet Ministers.

Risk (or challenge) Removable Media Poses

This example highlights the risk that removable media can pose to an organization.  While there are a multitude of enterprise and cloud file sharing solutions in the market today, none are simpler than plugging removable media into a USB port.  Ease of file sharing and transportation make removable media an often used tool inside many organizations.  However, as this example with Heathrow shows us, that tool can also be a risk to your organization.  Sensitive data can be easily copied to USB devices.  Once outside the control of your organization, the lifecycle of the data is no longer managed and under your control.  Removable devices (including smartphones) being small can be lost or stolen, exposing your organization to negative PR, legal issues and even lost revenue if they contained sensitive data.

How a DLP Solution can Help

DLP stands for Data Loss Prevention (or Data Leak Prevention if you prefer).  The purpose of a DLP solution is to prevent incidents such as the Heathrow Lost USB.  Outright disabling the USB ports on a computer is an extreme tactic to preventing data from being copied to unmanaged removable devices, however that can be a significant barrier to productivity. DLP solutions can allow you to manage the data and removable devices instead.  Every business is unique in DLP requirements.  Some may require authenticated removable devices (such as managed smartphones) where only known and authenticated devices can be mounted and files transferred.  Others may allow only encrypted USB sticks, while others still may block specific files from being written to removable storage and allowing others.  Implementing a DLP solution can help provide your organization with the control necessary to prevent data from leaking outside the boundaries of your company.

What to do next?

Contact us to see a demonstration of our solution.

Or watch an overview of the secRMM integration with Microsoft Systems Center.

Or if you’re really impatient, jump right to downloading the trial.

Tech Forecast: Cryptocurrencies Have DLP Implications

Cryptocurrencies such as BitCoin and Ethereum are getting a lot of attention these days. Bitcoin, created in 2009, is arguably the largest and most well known cryptocurrency with a market cap of over $99 billion. With explosive growth and popularity it’s no wonder that organizations are beginning to embrace cryptocurrencies, whether for payment transactions with customers and employee’s or as a more multi-purpose ledger leveraging bleeding edge technology such as smart-contracts.

While there is a lot of opportunity in a shift to digital currency, there is also the typical security pitfalls that come with new technologies. In this forecast we’ll take a closer look at the mechanics of storing cryptocurrencies and the downstream DLP implications that exist.

Primer: What is a Cryptocurrency?

A cryptocurrency is a type of digital asset protected with cryptography and stored in a public decentralized blockchain ledger. Anytime people want to transfer money around there are transactions describing digital asset movement from one account to another account, and these transactions are stored in a digital and publicly viewable ledger. Cryptography is used to secure the transactions and be sure that only valid account holders can actually spend the currency.

Bitcoin and Ether are the two most well known examples of a cryptocurrency based on blockchain technology, though tens of new currencies are being created monthly. The underlying details of how a cryptocurrency works is deeper than we’ll go today, but there are great resources online for more information. Cryptocurrencies, however, do have implications when it comes to Data Leak Prevention – that implication comes in the form of the Wallet.

What is a Wallet?

A ‘cryptocurrency wallet’ is the place where you store your cryptocurrency.  To be accurate; the actual currency is not stored in the wallet, but cryptographic information about the currency you hold is.  The wallet is a software program that stores the account identity information and cryptographic private keys used to “spend” the cryptocurrency.  Wallets can be local software to your phone or computer, or hosted by wallet providers.

Implications on DLP.

Much like a physical wallet, if someone has access to your cryptocurrency wallet they could potentially steal all of your cash.  Wallets can be protected by encrypting the contents with passphrases; however this assumes that users implement a strong password (which we know isn’t always the case).

Unlike a physical wallet, if your crypto-wallet is stolen you may have no idea until you attempt to use your money. This is where the DLP concern comes in. How can you detect if somebody tries to exfiltrate your wallet? There’s obviously a lot of different ways that an attacker could steal your wallet, but we’re specifically concerned with somebody that has physical access to your machine.

For the geeks out there, here’s where you’ll find the Bitcoin wallet on Windows & Mac:

• Windows: C:\Users\YourUserName\Appdata\Roaming\Bitcoin\wallet.dat
• Mac: ~/Library/Application Support/Bitcoin/wallet.dat

Given the decentralized nature of cryptocurrencies; there is no company that will protect you from the liability of stolen currency.  If the wallet is lost or stolen that currency is gone forever.

Without proper monitoring and controls, if your crypto-wallet is leaked outside your organization on a USB drive, you may never be aware that the account is at risk and the funds could disappear at any time in the future.

As organizations looking to embrace the use of cryptocurrencies, it is critical to protect crypto-wallets and have appropriate monitoring and data leak prevention controls to ensure your corporate or employee funds are not at risk. Squadra’s secRMM can easily track wallet.dat files, reporting any occurrence of wallet.dat being copied or moved to removable media.

 

What do do next?

Contact us to see a demonstration of our solution.

Or watch an overview of the secRMM integration with Microsoft Systems Center.

Or if you’re really impatient, jump right to downloading the trial.