In any given organization, chances are that a diverse array of peripheral devices is in use: ubiquitous equipment such as keyboard and mouse combos, convenience tools such as USB flash drives, and niche equipment for specialized tasks. However, as the scope and popularity of these devices continue to increase, so do the frequency and sophistication of the cyberattacks targeting them.
Within a diverse network, many devices can be active at any given time, which makes them difficult to track continuously. If any one of these devices is compromised by a malicious actor, it can potentially be leveraged to infiltrate an endpoint and conduct illicit activities on the attacker's behalf, such as executing unauthorized commands, injecting ransomware and exfiltrating critical data. These incidents can lead to significant financial loss, loss of business continuity and damage to company reputation.
A crucial step in preventing these attacks is understanding how they are instigated in the first place.
Malicious actors can reconfigure the hardware of peripheral devices and exploit inherent firmware vulnerabilities in order to gain control over them. Because these changes occur only internally, the devices still appear ordinary and non-threatening on the outside. In organizations that support a Bring-Your-Own-Device (BYOD) policy, employees are permitted to use their own personal accessories on company premises. In these instances, a user may knowingly or unknowingly bring an altered device into the network, thereby bypassing conventional security defenses such as a firewall or antivirus software.
Since endpoints offer peripheral devices a high degree of integration, a manipulated device connected to an unprotected computer will most likely be registered as a normal one. One example is the BadUSB device called the Rubber Ducky, a keyboard-emulation tool disguised as an ordinary USB flash drive. When plugged in, the endpoint detects it as a keyboard and begins accepting its payload at 1000 words per minute; some payloads are dangerous, such as opening command prompts and injecting keystrokes to illegally gain admin privileges.
Even though the hardware of this USB device has been intricately reverse-engineered by reprogramming its microcontroller, the device itself is readily available on the market for anyone to buy. It was originally invented by a sysadmin named Darren Kitchen, who wanted a tool that would type the common commands used to fix printers or perform other repairs for him instead of entering them manually. And because the device was created for a utilitarian purpose, it is relatively simple to use, even for launching attacks.
Moreover, other variations of the Rubber Ducky are constantly emerging, one being the PHUKD attack platform, which allows an attacker to configure a time sequence for their harmful keystroke injections. Alongside the availability of tampered devices for purchase and the easy accessibility of endpoints, the slight modification of existing threats to create new ones is another reason for the increasing use of devices in network breaches.
Even as products are created to pinpoint threat vectors pertaining to devices, cyberattacks continue to evolve and evade detection.
In response to devices carrying out keyboard-impersonation attacks, several software solutions were created that analyze the behavioral patterns of keyboard input in order to verify user identities, using machine learning and AI-based algorithms.
To test the efficacy of these products, in 2019 researchers from the Ben-Gurion University of the Negev (BGU) Malware Lab created a penetration-test attack called Malboard. The attack was developed by gathering behavioral data from three keystroke tests performed by 30 different users. This information was consolidated in Malboard's underlying AI data reservoir and used to formulate algorithms that successfully mimicked the keystroke characteristics of actual users. In the published report, it was found that when these algorithms were fed into keystroke-detection solutions such as KeyTrac, TypingDNA and DuckHunt, the products failed to recognize the deception in 83 to 100 percent of the tests.
Another type of attack is the keylogger, spyware that directly affects keyboards by discreetly logging every input the user types. It is typically used to steal usernames and passwords, financial details such as credit card numbers and PIN codes, and personally identifiable information that can be used to commit identity theft and financial fraud. In these instances, because only espionage takes place and there are no payload or script injections, rudimentary risk-based behavioral authentication products may be ineffective at detecting these violations as well.
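As an added illustration of the two preceding paragraphs (this is not code from the original post, nor from any of the products named), here is a minimal keystroke-rate check of the kind a keyboard-injection detector starts from, applied to constructed timing samples. The threshold, window size and sample intervals are assumptions. Input arriving at the Rubber Ducky's roughly 1000 words per minute is unmistakably non-human, but input paced at human speed, which is exactly the property a Malboard-style mimic reproduces, passes a rate check unchanged; only the richer behavioral models have a chance there, and the BGU tests showed those can be fooled too.

```python
"""Added example (not from the original post or the products it names): a
keystroke-rate check of the kind a keyboard-injection detector starts from,
applied to constructed timing samples.  Threshold and intervals are assumed."""
import random

CHARS_PER_WORD = 5       # conventional definition used for words-per-minute
HUMAN_MAX_WPM = 300.0    # assumed generous ceiling for a fast human typist
WINDOW = 20              # keystrokes per sliding window


def wpm(timestamps_ms):
    """Words per minute over a sequence of keystroke timestamps in milliseconds."""
    if len(timestamps_ms) < 2:
        return 0.0
    span_min = (timestamps_ms[-1] - timestamps_ms[0]) / 60_000.0
    if span_min <= 0:
        return float("inf")       # several keys in the same instant
    return (len(timestamps_ms) / CHARS_PER_WORD) / span_min


def flag_bursts(timestamps_ms, window=WINDOW, limit=HUMAN_MAX_WPM):
    """Indexes of sliding windows whose rate exceeds the human ceiling."""
    return [i for i in range(len(timestamps_ms) - window + 1)
            if wpm(timestamps_ms[i:i + window]) > limit]


def classify(timestamps_ms):
    """Verdict of a pure rate check: 'injection' or 'human-paced'."""
    return "injection" if flag_bursts(timestamps_ms) else "human-paced"


def sample_stream(n, interval_ms, jitter_ms, seed=0):
    """Constructed keystroke timestamps: n keys with gaussian-jittered spacing."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        out.append(t)
        t += max(1.0, rng.gauss(interval_ms, jitter_ms))
    return out


if __name__ == "__main__":
    # ~12 ms between keys is the ~1000 wpm of a Rubber Ducky payload.
    ducky = sample_stream(200, interval_ms=12, jitter_ms=2)
    # ~150 ms between keys is an ordinary ~80 wpm typist.
    human = sample_stream(200, interval_ms=150, jitter_ms=50)
    # Human pacing with a different timing profile: what a mimic looks like to a
    # rate check.  It passes; only behavioral models can distinguish it.
    mimic = sample_stream(200, interval_ms=150, jitter_ms=50, seed=7)
    for name, stream in ("ducky", ducky), ("human", human), ("mimic", mimic):
        print(f"{name:6s} ~{wpm(stream):6.0f} wpm -> {classify(stream)}")
```

The rate check is the only cheap, unambiguous signal in this space: a 20-key window typed 12 ms apart works out to just over 1000 wpm, far above any typist, while anything at human pace looks identical to real typing no matter who or what produced it.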
Finding the Right Solution for Your Organization
Although attempting to avert specific types of malware is one approach to protecting endpoints, it can take immense effort and considerable resources to predict the evolutionary direction of threats in the wild, let alone to outpace them by creating specific preventative software such as signature-based antivirus scanners. Instead, enacting a versatile cybersecurity solution that focuses on asset management and permission authorization can help proactively mitigate insider and external threats while preserving business integrity.
Adopting a Multi-faceted Approach to Combating Device-related Threats
Role-based Access Control (RBAC) is a cybersecurity strategy that is effective in managing the four main components involved in device-related attacks: devices, users, computers and the confidential data contained within those computers.
How does Role-based Access Control for Devices Work?
- Endpoint computers are categorized into custom groups based on functionality, department, project, and so forth to form their own digital ecosystem. Smaller groups make it easier to gain insight into user behavior and device requirements.
- For each group, based on the tasks or user roles, admins can create lists of trusted devices for each individual endpoint or custom group of endpoints. Following the zero-trust approach, all devices are blocked by default unless approved by the admin.
- For the permitted devices, further file access and transfer restrictions can be placed so that devices are only allowed to access mission-critical data. Furthermore, file tracing can be enabled to stay aware of all device actions. If anything suspicious occurs, admins can spot the signs quickly and take action.
Advantages of Implementing RBAC
IT asset accountability – All devices are promptly detected and only the essential ones are allowed to connect to endpoints, thus reducing the chance of infiltration.
Proactive threat mitigation – Since device actions are scrutinized and logged, IT admins receive immediate alerts on any policy discrepancies so that they can take quick steps to mitigate risks and maintain performance.
Maintaining productivity and collaboration – Trusted users will be allowed to use their necessary devices to access relevant data without being inconvenienced, while all other integral endpoint information remains secure.
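To make the three steps of device RBAC and the logging and alerting described under the advantages concrete, here is an added example in Python of a toy policy engine. It is not Device Control Plus code and does not reflect its API; endpoint names, group names, device identities and file paths are constructed for the illustration, where a real product would take the device identity from the USB descriptors. It groups endpoints, keeps a per-group trusted-device list that blocks everything else by default, confines permitted storage devices to approved paths, traces every decision, and reports the non-allow decisions as alerts.

```python
"""Added example (not Device Control Plus code): a toy role-based device-control
policy engine.  Endpoint names, groups, device identities and paths below are
constructed for the illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Device:
    # Identity a real product would read from the USB descriptors.
    vendor_id: str
    product_id: str
    serial: str
    device_class: str  # "storage", "keyboard", ...


@dataclass(frozen=True)
class TrustEntry:
    device: Device
    allowed_prefixes: tuple[str, ...] = ()  # empty: may connect but not touch files
    read_only: bool = False


class DeviceControl:
    def __init__(self) -> None:
        self.endpoint_group: dict[str, str] = {}                # endpoint -> group
        self.trusted: dict[str, dict[Device, TrustEntry]] = {}  # group -> allowlist
        self.audit: list[dict] = []                             # every decision, traced

    # Step 1: endpoints are placed in custom groups (department, project, ...).
    def assign(self, endpoint: str, group: str) -> None:
        self.endpoint_group[endpoint] = group
        self.trusted.setdefault(group, {})

    # Step 2: per-group trusted-device list; anything not on it is blocked.
    def trust(self, group: str, device: Device,
              prefixes: tuple[str, ...] = (), read_only: bool = False) -> None:
        self.trusted.setdefault(group, {})[device] = TrustEntry(device, prefixes, read_only)

    def _entry(self, endpoint: str, device: Device) -> Optional[TrustEntry]:
        group = self.endpoint_group.get(endpoint)
        if group is None:              # ungrouped endpoint: zero trust, nothing allowed
            return None
        return self.trusted[group].get(device)   # identity includes the serial number

    def _log(self, **event) -> str:
        self.audit.append(event)
        return event["decision"]

    def connect(self, endpoint: str, device: Device) -> str:
        decision = "allow" if self._entry(endpoint, device) else "block"
        return self._log(endpoint=endpoint, device=device.serial,
                         action="connect", decision=decision)

    # Step 3: permitted devices are confined to mission-critical paths.
    def file_op(self, endpoint: str, device: Device, op: str, path: str) -> str:
        entry = self._entry(endpoint, device)
        if entry is None or entry.device.device_class != "storage":
            decision = "deny"
        elif op == "write" and entry.read_only:
            decision = "deny"
        elif not any(path.startswith(p) for p in entry.allowed_prefixes):
            decision = "deny"
        else:
            decision = "allow"
        return self._log(endpoint=endpoint, device=device.serial,
                         action=op, path=path, decision=decision)

    # Policy discrepancies an admin should be alerted on.
    def alerts(self) -> list[dict]:
        return [e for e in self.audit if e["decision"] != "allow"]


def demo() -> DeviceControl:
    """Constructed scenario: a finance PC, one enrolled flash drive, one stray one."""
    approved = Device("VID-1234", "PID-5678", "SN-APPROVED-001", "storage")
    stray = Device("VID-1234", "PID-5678", "SN-UNKNOWN-999", "storage")  # same model, not enrolled
    dc = DeviceControl()
    dc.assign("FIN-PC-01", "finance")
    dc.trust("finance", approved, prefixes=("/finance/reports/",), read_only=True)
    dc.connect("FIN-PC-01", approved)                                       # allow
    dc.connect("FIN-PC-01", stray)                                          # block
    dc.file_op("FIN-PC-01", approved, "read", "/finance/reports/q1.xlsx")   # allow
    dc.file_op("FIN-PC-01", approved, "write", "/finance/reports/q1.xlsx")  # deny: read-only
    dc.file_op("FIN-PC-01", approved, "read", "/hr/payroll.csv")            # deny: out of scope
    dc.connect("LAB-PC-07", approved)                                       # block: ungrouped
    return dc


if __name__ == "__main__":
    for alert in demo().alerts():
        print("ALERT", alert)
```

Two design points carry the security value: the allowlist keys on the full identity including the serial number, so a second unit of the same model is still blocked, and an endpoint that was never assigned to a group gets no allowlist at all, so the default is deny rather than "whatever the last policy said".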
How Can Device Control Plus help?
Device Control Plus is a robust, cross-platform solution for Windows and Mac endpoints that automatically detects, monitors and controls 18+ types of built-in and external peripheral devices. It is equipped with numerous settings that IT admins can use to create precise file access and transfer policies in order to implement effective Role-based Access Control.