S 4.4 Correct handling of drives for removable media and external data storage
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User, Administrator
Commercially available PCs today are normally equipped with a CD/DVD ROM drive and/or CD/DVD writer. In addition, it is possible to connect external storage media via interfaces that are automatically detected and mounted by many operating systems. Examples of such media include USB memory devices, which are plugged into the USB interface, and Firewire hard drives. Card readers for memory cards are also integrated into many IT systems. The following potential security problems result from the use of drives for removable media and external storage devices:
- The IT system could be booted up in an uncontrolled way by such drives.
- Software could be installed in an uncontrolled manner from such drives.
- Data could be copied to removable media without authorisation.
Booting from removable media or installing third-party software might not only allow security settings to be disabled, but could also infect the IT system with computer viruses and other malicious programs.
These threats must be counteracted by suitable organisational or technical security safeguards. A number of approaches can be taken for this purpose, and their specific advantages and disadvantages are described briefly in the following:
- Removing drives
Removing the removable media drives (or avoiding them when purchasing) is the best way to protect against the threats listed above, but it usually involves a lot of time and effort. Removal is often not possible, e.g. in case of memory card readers in notebooks. Furthermore, it must be kept in mind that removing the drives could make administration and maintenance of the IT system more difficult under some circumstances. This solution should be considered if there are special security requirements.
- Locking drives
For some types of drives, it is possible to insert a lockable device to prevent uncontrolled use of the drive. When purchasing such a device, it must be ensured that the drive locks are suitable for use with the existing drives and will not damage them. Note that for some types of drives, such as integrated memory card readers, no locks are available. In addition, it should be ensured that the locks offered by the manufacturer have a sufficiently large number of different keys. The disadvantages of this approach are the costs of purchasing the drive locks and the effort required to administer the keys. For these reasons, this solution should only be considered if there are high protection requirements or special security requirements.
- Deactivation in BIOS or in the operating system
On most PCs, it is possible to specify which drives can be used to boot the PC in the BIOS settings. When combined with password protection for the BIOS settings (see also S 4.84 Use of BIOS security mechanisms), it is possible to prevent a system from booting in an uncontrolled manner from removable media and mobile data media. In addition, in modern operating systems the existing drives and interfaces can be disabled individually.
This makes it more difficult to use them without authorisation, e.g. to install third-party software or copy data to removable media. Disabling the drives in BIOS or in the operating system has the advantage that no hardware changes are required. The corresponding settings in the operating system can even be implemented centrally, if necessary. However, in order for this approach to be effective, it must be ensured that the users do not have the operating system permissions required to re-enable the drives.
- Controlling the use of the interfaces
It is very difficult to prevent the use of external storage devices such as USB memory devices if the corresponding interfaces are also used for other (permitted) additional devices. For example, with some notebooks the mouse can only be connected to a USB interface. This makes it generally impractical to use a USB lock or to disable the interface using some other mechanical safeguard.
The use of interfaces should therefore be controlled by granting the appropriate permissions at the operating system level or with additional utility programs. Some utility programs for securing the USB or Firewire interface also have settings for specifying that external data media are read-only. Alternatively, it is possible to monitor the adding of devices.
When data media are connected to external interfaces, drivers or kernel modules are often loaded by the operating system or entries are created in configuration files (e.g. in the Windows registry) that can be detected. The details depend on the product and operating system used and are described in a separate safeguard (see also S 4.200 Handling of USB storage media).
- Encryption
Products are available that ensure access is only possible to permitted mobile data media. One example of such a solution is to only allow reading and writing data to and from mobile data media that have been encrypted using a certain cryptographic key. This not only protects the IT systems from unauthorised access using manipulated mobile data media, but also protects the data on the mobile data media if the media are lost or stolen.
- Guidelines for use
In many cases, the users are allowed to use drives installed for removable media or storage media connected to external interfaces, but this usage should be regulated by corresponding guidelines. At the technical level, only booting from removable media should be disabled in the BIOS in this case; removing, locking or disabling the drives in the operating system is not an option here.
In this case, the guidelines regarding the use of drives and storage media should be defined as explicitly as possible. For example, a general ban could be declared and only the copying of public text documents would be allowed as an exception. All users must be informed of the guidelines and compliance with the guidelines must be monitored. The installation and operation of programs that have been loaded from removable media should be prohibited and prevented technically to the greatest extent possible (see also S 2.9 Ban on using non-approved software).
This purely organisational solution should only be selected if the users need to access the drives occasionally or regularly. Otherwise, access should be prevented by implementing technical safeguards as described above.
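The approach of monitoring the adding of devices via the traces they leave in configuration files can be illustrated with the Windows registry example mentioned above. The following script is an added example and not part of this safeguard: it parses a constructed `.reg` export of the USBSTOR enumeration key, extracts vendor, product and serial number of every storage device that was ever connected, and reports the devices whose serial number is not on an allowlist. The key layout and the sample serial numbers are assumptions for illustration.

```python
import re

# Constructed sample: a .reg export of the USBSTOR enumeration key. Windows
# creates one such subkey per USB storage device the first time it is connected.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ACME&Prod_Approved&Rev_1.00\SERIAL-APPROVED-001&0]
"FriendlyName"="ACME Approved USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash&Rev_8.07\SERIAL-UNKNOWN-999&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

# Matches the per-device subkey: <type>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    r"(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)\\"
    r"(?P<serial>[^&\]]+)(?:&\d+)?\]$"
)
NAME_RE = re.compile(r'^"FriendlyName"="(?P<name>.*)"$')


def parse_usbstor_export(text):
    """Return one dict per storage device found in the USBSTOR registry export."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            devices.append({**key.groupdict(), "friendly_name": ""})
            continue
        name = NAME_RE.match(line)
        if name and devices:
            # The value belongs to the most recently parsed device subkey.
            devices[-1]["friendly_name"] = name.group("name")
    return devices


def find_unauthorised(devices, allowed_serials):
    """Devices whose serial number is not on the allowlist (assumed policy input)."""
    return [d for d in devices if d["serial"] not in allowed_serials]


if __name__ == "__main__":
    found = parse_usbstor_export(SAMPLE_REG_EXPORT)
    for dev in find_unauthorised(found, {"SERIAL-APPROVED-001"}):
        print(f"unauthorised device: {dev['vendor']} {dev['product']} "
              f"serial={dev['serial']} ({dev['friendly_name']})")
```

Serial numbers reported by a device are not tamper-proof, so such a check supports the organisational guideline and the review of compliance; it does not replace disabling the interfaces or drives where the protection requirements demand it.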
When choosing a suitable approach, all drives for removable media need to be taken into account as well as all routes used to exchange data over networks, especially e-mail and internet connections. If the IT system is connected to the Internet, it is not enough to simply disable or remove all the drives for removable media. Particular attention must be paid to protection against malicious programs, for example computer viruses or Trojan horses (see also S 4.3 Use of virus protection programs).
Independent of the selection of a suitable approach, the contents of removable data media must not be automatically executed when the data media are connected. To prevent this, the respective Autorun and Autoplay functions of the operating system have to be disabled. More detailed information on this can be found in S 4.57 Disabling automatic CD-ROM recognition.
To ensure that the security safeguards are accepted and followed by the users, they must be informed and made aware of the dangers associated with using drives for removable media.
Review questions:
- Is the automatic execution of the contents of inserted removable data media prevented?
- Are any technical measures implemented that prevent booting from sources other than the intended ones?
- Are any technical measures implemented that prevent the unauthorised connection of external devices and data media?
- Is there a guideline that regulates the handling of removable media and external data storage devices?
- Have all users been informed of all rules regarding the handling of drives for removable media and external data storage devices?
- Are any technical measures implemented that prevent the misuse of removable media?