Removable Media Controls
Another recent endpoint security product to find its way into large suites assists with removable media control. The need for better control of removable media has been felt on two fronts in particular. First, malware-infected removable media inserted into an organization’s computers has been a method for compromising otherwise reasonably secure organizations. Second, the volume of storage that can be contained in something the size of a fingernail is astoundingly large, and has been used to surreptitiously exfiltrate sensitive data.
A common vector for malware propagation is the Autorun feature of many recent Microsoft operating systems. If a properly formatted removable drive is inserted into a Microsoft Windows operating system that supports Autorun, any program referenced by the “Autorun.inf” file in the root directory of the media will execute automatically. Many forms of malware will write a malicious Autorun.inf file to the root directory of all drives, attempting to spread virally if and when the drive is removed and connected to another system.
It is best practice to disable Autorun on Microsoft operating systems. See the Microsoft article “How to disable the Autorun functionality in Windows” (https://support.microsoft.com/kb/967715) for information on disabling Autorun.
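The KB article above controls Autorun through the NoDriveTypeAutoRun registry value, a bitmask of drive types on which Autorun is suppressed (0xFF suppresses it everywhere). The following audit script is an added example, not from the text or from Microsoft; it reads that value from the machine and user policy keys and reports which drive types still have Autorun allowed. The bit-to-drive-type mapping follows the Win32 drive-type constants.

```powershell
# Added example: audit whether Autorun is disabled as KB967715 recommends.
# NoDriveTypeAutoRun bits correspond to Win32 drive types; a set bit
# suppresses Autorun for that type, so 0xFF disables it for all of them.
$driveTypeBits = [ordered]@{
    0x01 = 'DRIVE_UNKNOWN'
    0x04 = 'DRIVE_REMOVABLE (USB sticks, floppies)'
    0x08 = 'DRIVE_FIXED (internal disks)'
    0x10 = 'DRIVE_REMOTE (network shares)'
    0x20 = 'DRIVE_CDROM'
    0x40 = 'DRIVE_RAMDISK'
    0x80 = 'reserved/unspecified'
}

# The machine policy (HKLM) value takes precedence over the per-user (HKCU) value.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($key in $keys) {
    $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit value means the OS default applies, which leaves Autorun on for some types.
        Write-Output "$key : NoDriveTypeAutoRun not set (OS default applies; not fully disabled)"
        continue
    }
    $mask = [int]$item.NoDriveTypeAutoRun
    # Every drive type whose bit is clear still permits Autorun.
    $stillAllowed = $driveTypeBits.Keys |
        Where-Object { -not ($mask -band $_) } |
        ForEach-Object { $driveTypeBits[$_] }
    if (($mask -band 0xFF) -eq 0xFF) {
        Write-Output ("{0} : 0x{1:X2} - Autorun disabled for all drive types" -f $key, $mask)
    } else {
        Write-Output ("{0} : 0x{1:X2} - Autorun still allowed on: {2}" -f $key, $mask, ($stillAllowed -join ', '))
    }
}
```

Run it in an elevated PowerShell session so the HKLM policy key is readable; a clean result shows 0xFF under HKLM, which is also what the "Turn off Autoplay" Group Policy setting writes.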
Primarily due to these issues, organizations have been compelled to exert stricter control over what type of removable media may be connected to devices. Removable media control products are the technical control that matches administrative controls such as policy mandates against unauthorized use of removable media.
Disk Encryption
Another endpoint security product found with increasing regularity is disk encryption software. Organizations have increasingly mandated the use of whole disk encryption products, which help prevent the compromise of sensitive data on hard disks that fall into unauthorized hands, especially on mobile devices, which are at greater risk of being stolen.
Full Disk Encryption (FDE), also called Whole Disk Encryption, encrypts an entire disk. This is superior to partially encrypted solutions, such as encrypted volumes, directories, folders, or files. The problem with the latter approach is the risk of leaving sensitive data on an unencrypted area of the disk. Dragging and dropping a file from an unencrypted to an encrypted directory, for example, may leave unencrypted remnants of the file in unallocated space.
Continuous Monitoring
The threat, vulnerability, and asset landscapes change constantly. Organizations historically have been most attuned to security during quarterly scans, annual audits, or even ad hoc reviews. While routine checkups are worthwhile, the 24 × 7 nature of the adversaries remains. One goal of continuous monitoring is to migrate to thinking about assessing and reassessing an organization’s security posture as an ongoing process.
Beyond the general concept of continuous monitoring, there are also specific manifestations of continuous monitoring that should be called out individually. The most notable references to continuous monitoring come from the United States government. Under this purview, continuous monitoring is specifically offered as a modern improvement upon the legacy Certification and Accreditation approach associated with documenting, approving, and reevaluating a system’s configuration every 3 years.