USB encryption hardware and secRMM

Many organizations either choose or are required to use hardware encryption technology to provide a layer of security for removing sensitive files from their network through removable media.

secRMM works seamlessly with these technologies to generate security events which inform the system administrator:

• the encrypted device has been mounted,
• whether authorization was granted,
• all successful and failed write events,
• when the device goes offline.
• all administrative changes to the removable media security policies

No longer do organizations have to rely on company policies and procedures to limit the use of the USB port.
Instead, they can actively manage, secure, and audit it internally with secRMM.

Squadra Technologies has partnered with the following hardware encryption companies below.
These companies see the synergy between their hardware solutions and the secRMM software.
1. Apricorn
2. DataLocker
3. Imation
4. Kanguru

secRMM Benefits…

• Whitelist specific encrypted devices by the vendor ID (VID) and/or product ID (PID).
• By whitelisting only the preferred encrypted device (company device) secRMM thereby prevents the writing of data onto any other type of removable media device.
• Provides security to prevent the mounting and data transfer to devices beyond the classic USB, including but not limited to; BlackBerry, apple, Windows, and Android.
• Captures the complete path of the source file being copied onto the encrypted device. (i.e.- knowledge of the exact file that has been written and where it came from).
• Logs failed attempts at data transfers through the USB, providing the who, what, where and when of the attempted transfer.

BlackBerry OS 10 USB security

 BlackBerry OS 10 support

secRMM now provides USB security for BlackBerry OS 10 devices with the release of secRMM version 5.9.0.0.  BlackBerry devices are famous for their security coverage.  You can read more about BlackBerry security at http://us.blackberry.com/business/blackberry-advantage.html.  secRMM now extends this security coverage so that all activity pertaining to files copied to the device are recorded into the Windows Security Event log.  In addition to the verbose event logging, secRMM also provides security rules (policies) that you can set for each Windows system or users.  These security rules are simple to configure yet are extremely powerful when it comes to protecting sensitive data files within your domain.  As an example, secRMM lets you define the domain locations where files can be copied from.  Any other locations are blocked.  This feature does not require any modifications to the domain (i.e. Active Directory schema, NTFS, NAP, etc.)

Click image to view larger.

The BlackBerry integration completes the secRMM mobile device coverage.  secRMM now has support for the 4 major mobile device platforms: BlackBerry, Android, Apple and Windows.  secRMM is unique in the fact that it provides the same functions for “classic USB” storage devices (i.e. USB storage devices that get assigned a drive letter by the Windows Operating System) as it does for mobile devices.  This becomes a significant cost savings since competing solutions implement classic USB and mobile security as separate products.

For enterprise customers who want to securely allow BlackBerry device USB connections so workers can effectively copy files to their devices, we highly recommend you consider using secRMM and implementing the following BlackBerry knowledge base article: http://www.blackberry.com/btsc/KB33859.

Click image to view larger.

Securing Cd/Dvds with secRMM

secRMM secures when end-users write files to Cd/Dvds (we will just call it a disc in this article) just the same as when they use a flash drive or mobile device. The Windows operating system offers two different ways to write to discs. You can read a Microsoft description at http://windows.microsoft.com/en-us/windows/which-cd-dvd-format#1TC=windows-7. When you insert a blank disc, Windows will display a dialog asking how you want to use the disc (see screen shot). secRMM will apply security rules to either method chosen. It is up to the security or IT administrator how the security will work on disc.

There are two secRMM properties (rules) that apply to discs. The first one is set to on by default and is called “MonitorCDROMAndDVD”. As its name implies, it tells secRMM whether to monitor the disc while it is inserted into the Windows computer (the property is set to on) or not to monitor the disc while it is inserted into the Windows computer (the property is not set). When “MonitorCDROMAndDVD” is on, secRMM records the ONLINE/OFFLINE events, the WRITE events and any AUTHORIZATION failure events that might occur. This is exactly how secRMM handles any removable storage such as flash drives, external hard drives and all mobile devices.

The second secRMM property related to discs is the “BlockCDROMAndDVDWrites” property. As its name implies, writing to any disc will be blocked (i.e. not allowed). The benefit of using the “BlockCDROMAndDVDWrites” property

as opposed to disallowing discs via Active Directory Group Policy is that secRMM will log the write violation which tells you who the violator was (userid), what file they were trying to copy (the source file), where they were trying to copy it to (the target file which will be somewhere on the disc), what program they were using (explorer in this case), the time they attempted the write, and what computer the user was logged into. All of this information is logged into the security event log and the secRMM event log.

If you are not interested in recording disc write violations but just want to prevent users from mounting writable discs, you can also enable the “Enforce when device is plugged in.” setting. When “Enforce when device is plugged in.” is on, as soon as the end-user inserts the disc into the drive, Windows will eject the disc. secRMM will log an ONLINE error which indicates the disc was forcibly un-mounted (see screen shot).

secRMM is all about enabling productivity by allowing end-users to use removable storage while still protecting and securing the corporations data assets. As you can see, this applies to Cd/Dvds as well.

You can see a YouTube video on this subject at https://www.youtube.com/watch?v=7Ec3MD47-ws.

Using Powershell to copy data from your apple iPad/iPhone

With the recent release of secRMM 5.7, you can use the secRMM SDK/API to copy data to and from mobile devices.  This includes apple mobile devices.  For an overview of the apple functionality provided by secRMM, please read this blog.

secRMM provides an out-of-the-box “Windows explorer like GUI” program called SafeCopy which allows you to do file copies interactively.

Today, though, we will show IT admins how to do this programmatically using Microsoft Powershell.

Here is the code.  Hopefully to the Powershell enthusiast, it is self explanatory.

#To run this batch, from a DOS command window, type:
#powershell “& ‘C:\BlogPost\CopyFromDevice.ps1′”

#Create the secRMM mobile device object
$l_objSecRMM = New-Object -COM secRMMWPDApiCOM;

#Lets set the device, source file and target file
$l_strMobileDevice = “My iPad“
$l_strAppleSource = “com.myCompany.mobileApp1/Documents/TodaysSales.docx“;
$l_strWindowsTarget = “C:\Users\Angela\SalesFor08092014.docx“;

#Lets execute the file copy operation
$l_strReturnCode =
$l_objSecRMM.CopyFileFromDevice($l_strMobileDevice,
$l_strAppleSource,
$l_strWindowsTarget);

if ($l_strReturnCode -eq “1”)
{
Write-Host $l_strAppleSource “copied to” $l_strWindowsTarget;
}
else
{
Write-Host $l_strAppleSource “NOT copied to” $l_strWindowsTarget “:” $l_strReturnCode;
}

For more details, please see https://www.youtube.com/watch?v=EYVn6pfk6lw

Happy scripting!

P.S. Yes, you can do the exact same in VBScript and JScript or in your favorite .Net language.  Native C++ coders, there is a tlb for you to #import as well!

Apple mobile devices in the enterprise

Apple is moving towards better integrating their mobile solutions into the enterprise environment (see https://www.apple.com/ios/ios8/enterprise/). Many businesses use Windows workstations as the primary endpoint computer; meaning, the computer used by the worker.

Squadra Technologies’ new release, version is 5.7 of “Security Removable Media Manager” (secRMM), supports apples direction of moving into the enterprise (see https://www.youtube.com/watch?v=EYVn6pfk6lw).  secRMM provides a security layer for apple mobile devices attached to a Windows computer using a USB cable.

secRMM is a security product that records all files written to any storage device attached to a Windows computer by a USB connection.  It also allows you to specify simple rules to prevent using removable media.  In addition to Android, BlackBerry and Windows mobile devices, secRMM 5.7 includes apple mobile devices.  In general, any device that Windows identifies as a storage object will be protected by secRMM.

Additionally, secRMM provides a mobile device app for Android, apple and BlackBerry that adds an extra layer of security.  Using their Windows credentials, the user must login using the secRMM mobile device app before allowing the device to become mounted to the Windows computer.  A YouTube video about the secRMM mobile device app is at http://www.youtube.com/watch?v=F9tO428gTV4.

For enterprises preferring not to offer iTunes to their end-users, secRMM has an end-user tool called SafeCopy.  SafeCopy is a “Windows explorer” like tool that allows copying files to and from the apple mobile device and the Windows computer.  You still need to install iTunes so secRMM can interact with the mobile device via the “apple mobile device service”, however, you can simply rename or delete the iTunes.exe file to prevent your end-users from accessing it.

secRMM 5.7 also ships a collection of apple command-line utilities that perform many tasks necessary to use the mobile device as a tool within the enterprise.  This includes such tasks as:
1. Listing what apps and their version are installed on the device
2. Install and uninstall apps
3. List, install and backup provisioning profiles
4. Backup the device
5. Copying data to and from the device

While secRMM provides SafeCopy so you can move files to and from the mobile devices, it also ships with a Software Development Kit (SDK) to allow businesses to build their own solutions to integrate the apple device, or any other mobile device, into their environment.  The SDK is comprised of a COM type library (tlb) and .Net COM-Interop dlls for:
1. 32 bit and 64 bit systems
2. .Net pre-40 and .Net 4.0 and greater

The release of secRMM 5.7 is timed perfectly with apples new enterprise direction.

We hope you consider secRMM 5.7 as a necessary tool to keep your sensitive data safe.

For more information, please visit the Squadra Technologies web site.

To see how to copy a file from an apple device using Powershell, please read this blog.

SCCM Endpoint Protection supports Removable Media (DLP)

Abstract overview

Microsoft System Center Configuration Manager (SCCM) contains a component called Endpoint Protection.  Endpoint Protection here means protecting the organization assets.  Assets mean data, software and hardware (Windows workstations and servers) in your environment.  Out of the box, SCCM provides 2 features under Endpoint Protection:

1. Antimalware
2. Firewall

Antimalware is protecting the Endpoint by not allowing programs on the Windows Operating System from performing destructive operations.  The operations I want to call out here is a malware piece of software that takes sensitive data and sends it outside of the network to someone who should not have that data.

Firewall is protecting the Endpoint by not allowing unauthorized data packets from coming into or out of the network.  The Firewall deals with the data coming to/from the network.  For the scenario where data is being taken from the network to outside of the network, Antimalware and Firewall are working together, each covering a different scenario.

There is another security hole that is now covered by SCCM Endpoint Protection: Removable Media devices.  Removable Media devices are hardware devices that connect to the Windows computer with a Universal Serial Bus (USB) cable or a Bluetooth connection.  Removable Media devices contain file-system storage.  With file-system storage, data (files) can be read from and written to Removable Media devices.  Antimalware protects the organization from data being read from Removable Media devices.

What about data being written to Removable Media devices?  SCCM Endpoint Protection needs a feature that will protect sensitive data from leaving the organization.  Squadra Technologies Security Removable Media Manager (secRMM) is Windows security software that focuses on data being written to Removable Media devices (smart phones, tablets, usb drives/sticks, SD-Cards, CD/DVD, etc.).  secRMM lets you define authorization rules to prevent writing and also has the best monitoring (i.e. logging each write event) solution on the market today.  secRMM integrates into SCCM Endpoint Protection and provides this critical functionality.  In addition to protecting the organization from sensitive data leaving (stolen or mistakenly taken), any piece of data that does leave the organization is accounted for by secRMM.  This allows organizations to adhere to strict data regulations that are being required today (i.e. medical, legal, financial, etc.).

Technology overview

Integrating secRMM into SCCM did not require new technology.  SCCM has a feature called “Compliance Settings” (previously named Desired Configuration Management).  “Compliance Settings” allows you to specify values for software running within the organization.  The values you specify are the appropriate values for work to be performed within the organization.  Should the value(s) change, either by a person or programmatically, it will have an adverse impact to the organization.  When a value is set to the wrong value, it is said to be “out of compliance”.  Security settings within the organization typically protect the values from being changed.  For example, the file system (i.e. NTFS) and registry permissions can protect a majority of the values.  However, there are permissions assigned to personnel and programs that give update access to the values.  Given that the values do get changed either intentionally or not, an automated feature that checks the values and reports if they are “out of compliance” is needed to prevent improper values from causing adverse impacts.  This is exactly what SCCM “Compliance Settings” does.  It also includes a feature called remediation.  Remediation will set the value back to the correct value if it is found to be “out of compliance”.

The “Removable Media Policies” under SCCM “Endpoint Protection” makes it very easy to create SCCM “Compliance Settings” specifically for protecting sensitive data being written to Removable Media devices.  Within a large organization, you might want to define more than one “Removable Media Policy”.  SCCM allows you to do this.  Then, for each policy, you assign it to a collection of computers.

Technology specifics

The secRMM integration into SCCM Endpoint Protection is implemented as an SCCM Console Extension.  Each “Removable Media Policy” generates a collection of SCCM “Compliance Settings” “Configuration Items” (CI).  There is always one parent CI and one or more child CIs.  The parent CI performs the secRMM discovery and each child CI is responsible for a specific secRMM property (i.e. AllowedDirectories, AllowedSerialNumbers, AllowedUsers, etc.).  In addition to the CI collection, a single SCCM “Compliance Settings” “Configuration Baseline” (CB) is created and associated with the CI collection.  Both the CIs and CB reside in a console subfolder under the appropriate parent folder (i.e. CI or CB).  This makes the folder structure within the SCCM console very organized and easy to manage.  All management of the CIs and CBs can be performed with the “secRMM SCCM Console Extension” thereby abstracting the “Compliance Setting” user interface that comes with SCCM.  The SCCM Administrator is free to use either user interface though.  The “secRMM SCCM Console Extension” support SCCM “Compliance Settings” remediation.

Combining the powerful features of SCCM “Compliance Settings” (i.e. compliance monitoring, remediation, alerting and reporting) with secRMM is a very powerful solution for protecting an organizations data.  secRMM is deeply integrated into the Microsoft System Center suite and also has:

1. Operations Manager Management Pack (alerts, tasks)
2. Operations Manager Data-warehouse reports
3. Security Audit and Collection Services (ACS) reports
4. Orchestrator extension

Preventing the NSA Security Breach

              

By now everyone has heard the news about the security data breach at the National Security Agency.

So frustrating right?!

If only the NSA were using secRMM’s “Enforceable two man policy”, Snowden would have not been able to copy data without another human involved.

Below is a hyperlink to an article discussing the security breach.  Below the hyperlink, we extracted key excerpts from the article.  Each comment could have been addressed by secRMM.

http://investigations.nbcnews.com/_news/2013/08/26/20197183-how-snowden-did-it?lite&ocid=msnhp&pos=1

As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. “At certain levels, you are the audit,” said an intelligence official.

He was also able to access NSAnet, the agency’s intranet, without leaving any signature, said a person briefed on the postmortem of Snowden’s theft. He was essentially a “ghost user,” said the source, making it difficult to trace when he signed on or what files he accessed.

The “thin client” system and system administrator job description also provided Snowden with a possible cover for using thumb drives.

Finally, Snowden’s physical location worked to his advantage. In a contractor’s office 5,000 miles and six time zones from headquarters, he was free from prying eyes. Much of his workday occurred after the masses at Ft. Meade had already gone home for dinner. Had he been in Maryland, someone who couldn’t audit his activities electronically still might have noticed his use of thumb drives.