Force user to remove USB token
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.
I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?
One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.
Is there a solution or standard approach for this that can actually force the removal of the device?
multi-factor usb bitlocker
|
show 11 more comments
I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.
I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?
One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.
Is there a solution or standard approach for this that can actually force the removal of the device?
multi-factor usb bitlocker
32
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
Mar 12 at 7:12
41
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
Mar 12 at 7:27
40
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
Mar 12 at 13:05
7
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
Mar 12 at 14:20
13
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
Mar 12 at 14:41
|
show 11 more comments
I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.
I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?
One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.
Is there a solution or standard approach for this that can actually force the removal of the device?
multi-factor usb bitlocker
I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.
I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?
One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.
Is there a solution or standard approach for this that can actually force the removal of the device?
multi-factor usb bitlocker
multi-factor usb bitlocker
edited Mar 12 at 14:38
schroeder♦
78.8k30175211
78.8k30175211
asked Mar 12 at 6:59
IamNaNIamNaN
4801513
4801513
32
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
Mar 12 at 7:12
41
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
Mar 12 at 7:27
40
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
Mar 12 at 13:05
7
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
Mar 12 at 14:20
13
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
Mar 12 at 14:41
|
show 11 more comments
32
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
Mar 12 at 7:12
41
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
Mar 12 at 7:27
40
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
Mar 12 at 13:05
7
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
Mar 12 at 14:20
13
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
Mar 12 at 14:41
32
32
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
Mar 12 at 7:12
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
Mar 12 at 7:12
41
41
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
Mar 12 at 7:27
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
Mar 12 at 7:27
40
40
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
Mar 12 at 13:05
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
Mar 12 at 13:05
7
7
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
Mar 12 at 14:20
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
Mar 12 at 14:20
13
13
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
Mar 12 at 14:41
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
Mar 12 at 14:41
|
show 11 more comments
8 Answers
8
active
oldest
votes
You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.
Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.
The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...
7
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
Mar 12 at 13:39
4
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
Mar 12 at 21:47
It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.
– corsiKa
Mar 13 at 19:15
@corsiKa, in fact, they encourage it.
– prl
Mar 14 at 4:45
@IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.
– jwenting
Mar 15 at 7:07
add a comment |
It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.
A simple polling function could check for new USBs connected.
All this is possible in Powershell.
This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
Mar 12 at 14:52
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
Mar 12 at 14:55
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
Mar 12 at 14:56
schtasks
hasONSTART
to exec the script on startup. Could useONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.
– user2320464
Mar 12 at 19:45
add a comment |
This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:
You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.
If enforced, you can be sure this policy will be very unpopular, but effective.
Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.
1
This should do indeed as a last resort.
– Overmind
Mar 12 at 13:38
10
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
Mar 12 at 14:13
13
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.
– Flater
Mar 12 at 15:14
11
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
Mar 12 at 16:27
It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.
– Vi.
Mar 13 at 18:12
|
show 1 more comment
I'm not that technical, but this seems possible:
The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:
If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.
If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.
If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.
add a comment |
Why do you think this USB token alone is securing the laptop?
This is a two-factor authorisation situation. For those who've not met the concept before, 2FA is described as "something you know, and something you have". The USB dongle is the "something you have", but the laptop is still protected by the "something you know", i.e. a password. 2FA is intended to add a layer which allows one factor to be redundant, so it doesn't make the system insecure if the attacker gets the security token, so long as the user doesn't also have the password written down. Of course it's better that they don't break one arm of the security, but the laptop should still be secure if they do.
For forcing the user to remove the key, that also has a major issue. Securing the laptop is an afterthought, to protect any local files the user might have hanging around, which is a small subset of your company data. The critically important part is securing the user's access to your network. Networks, especially VPNs, are only as good as their login security. So if you're concerned about security, your VPN should be checking that the Bitlocker token is present when the user logs into the VPN and that it never leaves the machine during that login session. Otherwise the user could have accidentally left themselves logged in when they closed the lid and thought the computer was shut down, or various similar scenarios. You can't make the assumption "they logged in OK at some point in the past, therefore that is still them using the machine".
In short, I think you're over-thinking one area and not considering the bigger picture of how it helps company data security.
The simplest answer for USB dongles of course is to insist that they live on the user's keyring with their house or car keys. More than one keyring? No problem - they can have as many dongles as they need. But this ensures the dongle is always removed from the laptop when the user leaves it, because they need the keyring to get home.
3
Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.
– IamNaN
Mar 13 at 8:49
@graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.
– schroeder♦
Mar 13 at 16:26
add a comment |
I come from Manufacturing technology world and using little jigs to enforce a certain manual behavior for both quality and safety is a standard accepted method. I disagree with the perspective that one cannot engineer human behavior by placing certain impediments, this is done for human safety and is taken as seriously as network security. One common approach is to use a Poka-yoke, but one also sees interlocks, and dead man's switch when lives are on the line.
The challenge is how to adapt these concepts to security. While I agree it would be difficult to code your way out of this in a reliable way, if you broaden your perspective to include hardware development it is certainly achievable.
If it is important to you or your employer, a custom dongle can be designed that would force this behavior, spit-balling one approach would be a timed cutoff where the dongle disables itself after a certain amount of time under power. Requiring re-plugging.
If you have a degree of control over the laptop users and policy, but you do not wish to play police, any number of other impediments can be employed to encourage compliance with your security policy.
Of course, to an enterprising user this is by-passable, so if you are designing a security product sold to customers it would not be enough.
But I believe the analogy to poka-yoke is appropriate as bypassing the engineering control by a co-worker would go against policy/procedure and subject to reprimand or warning.
add a comment |
You can make the USB multipurpose making it impossible to leave it on the PC. For example, they need to plug it in another device in order to begin their workday. You can say you want to know when they come to work and the start of their workday is marked by the USB connecting to this second device.
This is not applicable to every case, but I'm writing it with the hope that it might give a good idea to someone.
add a comment |
OK, so now you've ensured somehow that the owner of the laptop does not leave their token plugged in.
However they now take that laptop and token with them when going home, and get mugged by an industrial spy on the parking lot. Result is both token and laptop are how in the hands of an unauthorised person and worse, the same unauthorised person.
Result of course is exactly the same as it would be were the token plugged into the laptop, as the bad guy can just plug in the token.
Congratulations, you've just shifted the security boundary a little bit for no real gain whatsoever.
What you could do is install some software on the laptops that blocks the screen or even shuts them down if the token is found installed on the laptop after the operating system is done booting. Say something that's started as part of the OS startup and checks for the token every few minutes.
Would ensure that the token is removed after booting the machine, but wouldn't prevent both token and machine being stolen.
The only way to ensure that is a 4-eye principle, where the machine cannot be booted up without at least 2 people being present, one with the token and another with the password.
And that is a major PITA and, especially for remote workers, often impossible (as remote workers tend to be alone at a site).
This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.
– schroeder♦
Mar 15 at 10:03
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205200%2fforce-user-to-remove-usb-token%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
8 Answers
8
active
oldest
votes
8 Answers
8
active
oldest
votes
active
oldest
votes
active
oldest
votes
You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.
Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.
The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...
7
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
Mar 12 at 13:39
4
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
Mar 12 at 21:47
It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.
– corsiKa
Mar 13 at 19:15
@corsiKa, in fact, they encourage it.
– prl
Mar 14 at 4:45
@IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.
– jwenting
Mar 15 at 7:07
add a comment |
You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.
Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.
The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...
7
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
Mar 12 at 13:39
4
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
Mar 12 at 21:47
It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.
– corsiKa
Mar 13 at 19:15
@corsiKa, in fact, they encourage it.
– prl
Mar 14 at 4:45
@IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.
– jwenting
Mar 15 at 7:07
add a comment |
You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.
Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.
The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...
You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.
Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.
The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...
edited Mar 12 at 18:37
Community♦
1
1
answered Mar 12 at 11:32
Serge BallestaSerge Ballesta
17.6k33062
17.6k33062
7
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
Mar 12 at 13:39
4
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
Mar 12 at 21:47
It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.
– corsiKa
Mar 13 at 19:15
@corsiKa, in fact, they encourage it.
– prl
Mar 14 at 4:45
@IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.
– jwenting
Mar 15 at 7:07
add a comment |
7
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
Mar 12 at 13:39
4
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
Mar 12 at 21:47
It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.
– corsiKa
Mar 13 at 19:15
@corsiKa, in fact, they encourage it.
– prl
Mar 14 at 4:45
@IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.
– jwenting
Mar 15 at 7:07
7
7
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
Mar 12 at 13:39
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
Mar 12 at 13:39
4
4
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
Mar 12 at 21:47
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
Mar 12 at 21:47
It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.
– corsiKa
Mar 13 at 19:15
It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.
– corsiKa
Mar 13 at 19:15
@corsiKa, in fact, they encourage it.
– prl
Mar 14 at 4:45
@corsiKa, in fact, they encourage it.
– prl
Mar 14 at 4:45
@IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.
– jwenting
Mar 15 at 7:07
@IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.
– jwenting
Mar 15 at 7:07
add a comment |
It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.
A simple polling function could check for new USBs connected.
All this is possible in Powershell.
This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
Mar 12 at 14:52
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
Mar 12 at 14:55
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
Mar 12 at 14:56
schtasks
hasONSTART
to exec the script on startup. Could useONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.
– user2320464
Mar 12 at 19:45
add a comment |
It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.
A simple polling function could check for new USBs connected.
All this is possible in Powershell.
This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
Mar 12 at 14:52
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
Mar 12 at 14:55
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
Mar 12 at 14:56
schtasks
hasONSTART
to exec the script on startup. Could useONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.
– user2320464
Mar 12 at 19:45
add a comment |
It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.
A simple polling function could check for new USBs connected.
All this is possible in Powershell.
This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.
It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.
A simple polling function could check for new USBs connected.
All this is possible in Powershell.
This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.
edited Mar 12 at 14:57
answered Mar 12 at 14:47
schroeder♦schroeder
78.8k30175211
78.8k30175211
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
Mar 12 at 14:52
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
Mar 12 at 14:55
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
Mar 12 at 14:56
schtasks
hasONSTART
to exec the script on startup. Could useONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.
– user2320464
Mar 12 at 19:45
add a comment |
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
Mar 12 at 14:52
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
Mar 12 at 14:55
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
Mar 12 at 14:56
schtasks
hasONSTART
to exec the script on startup. Could useONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.
– user2320464
Mar 12 at 19:45
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
Mar 12 at 14:52
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
Mar 12 at 14:52
1
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
Mar 12 at 14:55
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
Mar 12 at 14:55
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
Mar 12 at 14:56
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
Mar 12 at 14:56
schtasks
has ONSTART
to exec the script on startup. Could use ONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.– user2320464
Mar 12 at 19:45
schtasks
has ONSTART
to exec the script on startup. Could use ONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.– user2320464
Mar 12 at 19:45
add a comment |
This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:
You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.
If enforced, you can be sure this policy will be very unpopular, but effective.
Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.
1
This should do indeed as a last resort.
– Overmind
Mar 12 at 13:38
10
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
Mar 12 at 14:13
13
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.
– Flater
Mar 12 at 15:14
11
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
Mar 12 at 16:27
It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.
– Vi.
Mar 13 at 18:12
|
show 1 more comment
This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:
You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.
If enforced, you can be sure this policy will be very unpopular, but effective.
Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.
1
This should do indeed as a last resort.
– Overmind
Mar 12 at 13:38
10
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
Mar 12 at 14:13
13
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.
– Flater
Mar 12 at 15:14
11
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
Mar 12 at 16:27
It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.
– Vi.
Mar 13 at 18:12
|
show 1 more comment
This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:
You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.
If enforced, you can be sure this policy will be very unpopular, but effective.
Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.
This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:
You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.
If enforced, you can be sure this policy will be very unpopular, but effective.
Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.
edited Mar 12 at 14:14
answered Mar 12 at 12:49
A. HerseanA. Hersean
4,84931022
4,84931022
1
This should do indeed as a last resort.
– Overmind
Mar 12 at 13:38
10
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
Mar 12 at 14:13
13
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.
– Flater
Mar 12 at 15:14
11
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
Mar 12 at 16:27
It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.
– Vi.
Mar 13 at 18:12
|
show 1 more comment
1
This should do indeed as a last resort.
– Overmind
Mar 12 at 13:38
10
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
Mar 12 at 14:13
13
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.
– Flater
Mar 12 at 15:14
11
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
Mar 12 at 16:27
It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.
– Vi.
Mar 13 at 18:12
1
1
This should do indeed as a last resort.
– Overmind
Mar 12 at 13:38
This should do indeed as a last resort.
– Overmind
Mar 12 at 13:38
10
10
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
Mar 12 at 14:13
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
Mar 12 at 14:13
13
13
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.– Flater
Mar 12 at 15:14
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.– Flater
Mar 12 at 15:14
11
11
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
Mar 12 at 16:27
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
Mar 12 at 16:27
It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.
– Vi.
Mar 13 at 18:12
It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.
– Vi.
Mar 13 at 18:12
|
show 1 more comment
I'm not that technical, but this seems possible:
The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:
If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.
If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.
If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.
add a comment |
I'm not that technical, but this seems possible:
The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:
If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.
If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.
If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.
add a comment |
I'm not that technical, but this seems possible:
The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:
If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.
If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.
If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.
I'm not that technical, but this seems possible:
The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:
If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.
If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.
If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.
answered Mar 12 at 19:26
StilezStilez
1,056410
1,056410
add a comment |
add a comment |
Why do you think this USB token alone is securing the laptop?
This is a two-factor authorisation situation. For those who've not met the concept before, 2FA is described as "something you know, and something you have". The USB dongle is the "something you have", but the laptop is still protected by the "something you know", i.e. a password. 2FA is intended to add a layer which allows one factor to be redundant, so it doesn't make the system insecure if the attacker gets the security token, so long as the user doesn't also have the password written down. Of course it's better that they don't break one arm of the security, but the laptop should still be secure if they do.
For forcing the user to remove the key, that also has a major issue. Securing the laptop is an afterthought, to protect any local files the user might have hanging around, which is a small subset of your company data. The critically important part is securing the user's access to your network. Networks, especially VPNs, are only as good as their login security. So if you're concerned about security, your VPN should be checking that the Bitlocker token is present when the user logs into the VPN and that it never leaves the machine during that login session. Otherwise the user could have accidentally left themselves logged in when they closed the lid and thought the computer was shut down, or various similar scenarios. You can't make the assumption "they logged in OK at some point in the past, therefore that is still them using the machine".
In short, I think you're over-thinking one area and not considering the bigger picture of how it helps company data security.
The simplest answer for USB dongles of course is to insist that they live on the user's keyring with their house or car keys. More than one keyring? No problem - they can have as many dongles as they need. But this ensures the dongle is always removed from the laptop when the user leaves it, because they need the keyring to get home.
3
Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.
– IamNaN
Mar 13 at 8:49
@graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.
– schroeder♦
Mar 13 at 16:26
add a comment |
Why do you think this USB token alone is securing the laptop?
This is a two-factor authorisation situation. For those who've not met the concept before, 2FA is described as "something you know, and something you have". The USB dongle is the "something you have", but the laptop is still protected by the "something you know", i.e. a password. 2FA is intended to add a layer which allows one factor to be redundant, so it doesn't make the system insecure if the attacker gets the security token, so long as the user doesn't also have the password written down. Of course it's better that they don't break one arm of the security, but the laptop should still be secure if they do.
For forcing the user to remove the key, that also has a major issue. Securing the laptop is an afterthought, to protect any local files the user might have hanging around, which is a small subset of your company data. The critically important part is securing the user's access to your network. Networks, especially VPNs, are only as good as their login security. So if you're concerned about security, your VPN should be checking that the Bitlocker token is present when the user logs into the VPN and that it never leaves the machine during that login session. Otherwise the user could have accidentally left themselves logged in when they closed the lid and thought the computer was shut down, or various similar scenarios. You can't make the assumption "they logged in OK at some point in the past, therefore that is still them using the machine".
In short, I think you're over-thinking one area and not considering the bigger picture of how it helps company data security.
The simplest answer for USB dongles of course is to insist that they live on the user's keyring with their house or car keys. More than one keyring? No problem - they can have as many dongles as they need. But this ensures the dongle is always removed from the laptop when the user leaves it, because they need the keyring to get home.
3
Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.
– IamNaN
Mar 13 at 8:49
@graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.
– schroeder♦
Mar 13 at 16:26
add a comment |
Why do you think this USB token alone is securing the laptop?
This is a two-factor authorisation situation. For those who've not met the concept before, 2FA is described as "something you know, and something you have". The USB dongle is the "something you have", but the laptop is still protected by the "something you know", i.e. a password. 2FA is intended to add a layer which allows one factor to be redundant, so it doesn't make the system insecure if the attacker gets the security token, so long as the user doesn't also have the password written down. Of course it's better that they don't break one arm of the security, but the laptop should still be secure if they do.
For forcing the user to remove the key, that also has a major issue. Securing the laptop is an afterthought, to protect any local files the user might have hanging around, which is a small subset of your company data. The critically important part is securing the user's access to your network. Networks, especially VPNs, are only as good as their login security. So if you're concerned about security, your VPN should be checking that the Bitlocker token is present when the user logs into the VPN and that it never leaves the machine during that login session. Otherwise the user could have accidentally left themselves logged in when they closed the lid and thought the computer was shut down, or various similar scenarios. You can't make the assumption "they logged in OK at some point in the past, therefore that is still them using the machine".
In short, I think you're over-thinking one area and not considering the bigger picture of how it helps company data security.
The simplest answer for USB dongles of course is to insist that they live on the user's keyring with their house or car keys. More than one keyring? No problem - they can have as many dongles as they need. But this ensures the dongle is always removed from the laptop when the user leaves it, because they need the keyring to get home.
Why do you think this USB token alone is securing the laptop?
This is a two-factor authorisation situation. For those who've not met the concept before, 2FA is described as "something you know, and something you have". The USB dongle is the "something you have", but the laptop is still protected by the "something you know", i.e. a password. 2FA is intended to add a layer which allows one factor to be redundant, so it doesn't make the system insecure if the attacker gets the security token, so long as the user doesn't also have the password written down. Of course it's better that they don't break one arm of the security, but the laptop should still be secure if they do.
For forcing the user to remove the key, that also has a major issue. Securing the laptop is an afterthought, to protect any local files the user might have hanging around, which is a small subset of your company data. The critically important part is securing the user's access to your network. Networks, especially VPNs, are only as good as their login security. So if you're concerned about security, your VPN should be checking that the Bitlocker token is present when the user logs into the VPN and that it never leaves the machine during that login session. Otherwise the user could have accidentally left themselves logged in when they closed the lid and thought the computer was shut down, or various similar scenarios. You can't make the assumption "they logged in OK at some point in the past, therefore that is still them using the machine".
In short, I think you're over-thinking one area and not considering the bigger picture of how it helps company data security.
The simplest answer for USB dongles of course is to insist that they live on the user's keyring with their house or car keys. More than one keyring? No problem - they can have as many dongles as they need. But this ensures the dongle is always removed from the laptop when the user leaves it, because they need the keyring to get home.
answered Mar 13 at 8:07
GrahamGraham
35925
35925
3
Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.
– IamNaN
Mar 13 at 8:49
@graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.
– schroeder♦
Mar 13 at 16:26
add a comment |
3
Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.
– IamNaN
Mar 13 at 8:49
@graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.
– schroeder♦
Mar 13 at 16:26
3
3
Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.
– IamNaN
Mar 13 at 8:49
Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.
– IamNaN
Mar 13 at 8:49
@graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.
– schroeder♦
Mar 13 at 16:26
@graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.
– schroeder♦
Mar 13 at 16:26
add a comment |
I come from Manufacturing technology world and using little jigs to enforce a certain manual behavior for both quality and safety is a standard accepted method. I disagree with the perspective that one cannot engineer human behavior by placing certain impediments, this is done for human safety and is taken as seriously as network security. One common approach is to use a Poka-yoke, but one also sees interlocks, and dead man's switch when lives are on the line.
The challenge is how to adapt these concepts to security. While I agree it would be difficult to code your way out of this in a reliable way, if you broaden your perspective to include hardware development it is certainly achievable.
If it is important to you or your employer, a custom dongle can be designed that would force this behavior, spit-balling one approach would be a timed cutoff where the dongle disables itself after a certain amount of time under power. Requiring re-plugging.
If you have a degree of control over the laptop users and policy, but you do not wish to play police, any number of other impediments can be employed to encourage compliance with your security policy.
Of course, to an enterprising user this is by-passable, so if you are designing a security product sold to customers it would not be enough.
But I believe the analogy to poka-yoke is appropriate as bypassing the engineering control by a co-worker would go against policy/procedure and subject to reprimand or warning.
add a comment |
I come from Manufacturing technology world and using little jigs to enforce a certain manual behavior for both quality and safety is a standard accepted method. I disagree with the perspective that one cannot engineer human behavior by placing certain impediments, this is done for human safety and is taken as seriously as network security. One common approach is to use a Poka-yoke, but one also sees interlocks, and dead man's switch when lives are on the line.
The challenge is how to adapt these concepts to security. While I agree it would be difficult to code your way out of this in a reliable way, if you broaden your perspective to include hardware development it is certainly achievable.
If it is important to you or your employer, a custom dongle can be designed that would force this behavior, spit-balling one approach would be a timed cutoff where the dongle disables itself after a certain amount of time under power. Requiring re-plugging.
If you have a degree of control over the laptop users and policy, but you do not wish to play police, any number of other impediments can be employed to encourage compliance with your security policy.
Of course, to an enterprising user this is by-passable, so if you are designing a security product sold to customers it would not be enough.
But I believe the analogy to poka-yoke is appropriate as bypassing the engineering control by a co-worker would go against policy/procedure and subject to reprimand or warning.
add a comment |
I come from Manufacturing technology world and using little jigs to enforce a certain manual behavior for both quality and safety is a standard accepted method. I disagree with the perspective that one cannot engineer human behavior by placing certain impediments, this is done for human safety and is taken as seriously as network security. One common approach is to use a Poka-yoke, but one also sees interlocks, and dead man's switch when lives are on the line.
The challenge is how to adapt these concepts to security. While I agree it would be difficult to code your way out of this in a reliable way, if you broaden your perspective to include hardware development it is certainly achievable.
If it is important to you or your employer, a custom dongle can be designed that would force this behavior, spit-balling one approach would be a timed cutoff where the dongle disables itself after a certain amount of time under power. Requiring re-plugging.
If you have a degree of control over the laptop users and policy, but you do not wish to play police, any number of other impediments can be employed to encourage compliance with your security policy.
Of course, to an enterprising user this is by-passable, so if you are designing a security product sold to customers it would not be enough.
But I believe the analogy to poka-yoke is appropriate as bypassing the engineering control by a co-worker would go against policy/procedure and subject to reprimand or warning.
I come from Manufacturing technology world and using little jigs to enforce a certain manual behavior for both quality and safety is a standard accepted method. I disagree with the perspective that one cannot engineer human behavior by placing certain impediments, this is done for human safety and is taken as seriously as network security. One common approach is to use a Poka-yoke, but one also sees interlocks, and dead man's switch when lives are on the line.
The challenge is how to adapt these concepts to security. While I agree it would be difficult to code your way out of this in a reliable way, if you broaden your perspective to include hardware development it is certainly achievable.
If it is important to you or your employer, a custom dongle can be designed that would force this behavior, spit-balling one approach would be a timed cutoff where the dongle disables itself after a certain amount of time under power. Requiring re-plugging.
If you have a degree of control over the laptop users and policy, but you do not wish to play police, any number of other impediments can be employed to encourage compliance with your security policy.
Of course, to an enterprising user this is by-passable, so if you are designing a security product sold to customers it would not be enough.
But I believe the analogy to poka-yoke is appropriate as bypassing the engineering control by a co-worker would go against policy/procedure and subject to reprimand or warning.
edited Mar 15 at 7:01
answered Mar 15 at 6:42
crasiccrasic
1413
1413
add a comment |
add a comment |
You can make the USB multipurpose making it impossible to leave it on the PC. For example, they need to plug it in another device in order to begin their workday. You can say you want to know when they come to work and the start of their workday is marked by the USB connecting to this second device.
This is not applicable to every case, but I'm writing it with the hope that it might give a good idea to someone.
add a comment |
You can make the USB multipurpose making it impossible to leave it on the PC. For example, they need to plug it in another device in order to begin their workday. You can say you want to know when they come to work and the start of their workday is marked by the USB connecting to this second device.
This is not applicable to every case, but I'm writing it with the hope that it might give a good idea to someone.
add a comment |
You can make the USB multipurpose making it impossible to leave it on the PC. For example, they need to plug it in another device in order to begin their workday. You can say you want to know when they come to work and the start of their workday is marked by the USB connecting to this second device.
This is not applicable to every case, but I'm writing it with the hope that it might give a good idea to someone.
You can make the USB multipurpose making it impossible to leave it on the PC. For example, they need to plug it in another device in order to begin their workday. You can say you want to know when they come to work and the start of their workday is marked by the USB connecting to this second device.
This is not applicable to every case, but I'm writing it with the hope that it might give a good idea to someone.
answered Mar 15 at 13:17
Bojidar StanchevBojidar Stanchev
11
11
add a comment |
add a comment |
OK, so now you've ensured somehow that the owner of the laptop does not leave their token plugged in.
However they now take that laptop and token with them when going home, and get mugged by an industrial spy on the parking lot. Result is both token and laptop are how in the hands of an unauthorised person and worse, the same unauthorised person.
Result of course is exactly the same as it would be were the token plugged into the laptop, as the bad guy can just plug in the token.
Congratulations, you've just shifted the security boundary a little bit for no real gain whatsoever.
What you could do is install some software on the laptops that blocks the screen or even shuts them down if the token is found installed on the laptop after the operating system is done booting. Say something that's started as part of the OS startup and checks for the token every few minutes.
Would ensure that the token is removed after booting the machine, but wouldn't prevent both token and machine being stolen.
The only way to ensure that is a 4-eye principle, where the machine cannot be booted up without at least 2 people being present, one with the token and another with the password.
And that is a major PITA and, especially for remote workers, often impossible (as remote workers tend to be alone at a site).
This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.
– schroeder♦
Mar 15 at 10:03
add a comment |
OK, so now you've ensured somehow that the owner of the laptop does not leave their token plugged in.
However they now take that laptop and token with them when going home, and get mugged by an industrial spy on the parking lot. Result is both token and laptop are how in the hands of an unauthorised person and worse, the same unauthorised person.
Result of course is exactly the same as it would be were the token plugged into the laptop, as the bad guy can just plug in the token.
Congratulations, you've just shifted the security boundary a little bit for no real gain whatsoever.
What you could do is install some software on the laptops that blocks the screen or even shuts them down if the token is found installed on the laptop after the operating system is done booting. Say something that's started as part of the OS startup and checks for the token every few minutes.
Would ensure that the token is removed after booting the machine, but wouldn't prevent both token and machine being stolen.
The only way to ensure that is a 4-eye principle, where the machine cannot be booted up without at least 2 people being present, one with the token and another with the password.
And that is a major PITA and, especially for remote workers, often impossible (as remote workers tend to be alone at a site).
This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.
– schroeder♦
Mar 15 at 10:03
add a comment |
OK, so now you've ensured somehow that the owner of the laptop does not leave their token plugged in.
However they now take that laptop and token with them when going home, and get mugged by an industrial spy on the parking lot. Result is both token and laptop are how in the hands of an unauthorised person and worse, the same unauthorised person.
Result of course is exactly the same as it would be were the token plugged into the laptop, as the bad guy can just plug in the token.
Congratulations, you've just shifted the security boundary a little bit for no real gain whatsoever.
What you could do is install some software on the laptops that blocks the screen or even shuts them down if the token is found installed on the laptop after the operating system is done booting. Say something that's started as part of the OS startup and checks for the token every few minutes.
Would ensure that the token is removed after booting the machine, but wouldn't prevent both token and machine being stolen.
The only way to ensure that is a 4-eye principle, where the machine cannot be booted up without at least 2 people being present, one with the token and another with the password.
And that is a major PITA and, especially for remote workers, often impossible (as remote workers tend to be alone at a site).
OK, so now you've ensured somehow that the owner of the laptop does not leave their token plugged in.
However they now take that laptop and token with them when going home, and get mugged by an industrial spy on the parking lot. Result is both token and laptop are how in the hands of an unauthorised person and worse, the same unauthorised person.
Result of course is exactly the same as it would be were the token plugged into the laptop, as the bad guy can just plug in the token.
Congratulations, you've just shifted the security boundary a little bit for no real gain whatsoever.
What you could do is install some software on the laptops that blocks the screen or even shuts them down if the token is found installed on the laptop after the operating system is done booting. Say something that's started as part of the OS startup and checks for the token every few minutes.
Would ensure that the token is removed after booting the machine, but wouldn't prevent both token and machine being stolen.
The only way to ensure that is a 4-eye principle, where the machine cannot be booted up without at least 2 people being present, one with the token and another with the password.
And that is a major PITA and, especially for remote workers, often impossible (as remote workers tend to be alone at a site).
answered Mar 15 at 7:14
jwentingjwenting
1572
1572
This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.
– schroeder♦
Mar 15 at 10:03
add a comment |
This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.
– schroeder♦
Mar 15 at 10:03
This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.
– schroeder♦
Mar 15 at 10:03
This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.
– schroeder♦
Mar 15 at 10:03
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205200%2fforce-user-to-remove-usb-token%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
32
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
Mar 12 at 7:12
41
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
Mar 12 at 7:27
40
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
Mar 12 at 13:05
7
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
Mar 12 at 14:20
13
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
Mar 12 at 14:41