How to block malicious USB devices?

How would I go about blocking malicious USB devices in ITSM (like for example Hak5’s Bash Bunnie)?

I see that I can block USB storage, but I’d like to also be able to block USB-only network adapters (not just network adapters) as this is one of the ways devices like Bash Bunnie steal credentials/hashes.

Is there a way to “baseline” devices and then block anything “new” until it is approved/allowed in ITSM? Like hardware whitelisting I guess?

Hello @indieserve

Is there a way to “baseline” devices and then block anything “new” until it is approved/allowed in ITSM? Like hardware whitelisting I guess?

There is no outright available method to do this. But it is possible in a roundabout way.

  • The observation period will have to be done once the device has been enrolled to the ITSM.
  • In the associated profile, make sure that you enable ‘Log detected devices’ in the External Devices Control section.
  • At the end of the observation period, you proceed to disable the above setting and will now have to review the generated logs.
  • The next part would be to set up a blacklist that covers a wide variety of devices and then exclude the devices that you deem safe or you choose to allow (from the generated logs above) in that endpoint’s setting.

The short of it: you set up an all-encompassing blacklist (like everything) and then exclude a few devices.

But isn’t the point of Comodo’s defence theory “Default Deny”? Could we set it up to instead whitelist devices (after a baseline collection/learning period)? I don’t see how it would be possible/practical to blacklist all known or unknown devices. I guess this is more of a “feature request” then. What if I just wanted to block USB network adapters, is there an easy way to do this? I can’t block keyboard injection attacks I guess, but I can at least block the “fake network adapter/default route” attacks.

Also, at least on the visibility side, can I have CCS send logs of any new USB devices attached to a syslog server (SIEM) that I could then create alerts for any new USB devices plugged/unplugged (and maybe add a high risk score to network adapters so it bubbles up into an alert in the SIEM)?
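The baseline-then-exclude procedure described in the reply above, and the SIEM alert idea in this post (new device after the observation period, network adapters scored highest), as an added example that is not from the original thread or from Comodo. The log line layout, device classes and risk scores are constructed assumptions, not CCS's real log format.

```python
import re

# Constructed sample lines: timestamp host device-class vendor:product action.
# This layout is an assumption for the example, not the CCS log format.
OBSERVATION_LOG = """\
2023-05-01T09:00:01 ws-01 HID 046d:c52b connected
2023-05-01T09:00:05 ws-01 MassStorage 0781:5567 connected
2023-05-02T10:12:00 ws-02 HID 046d:c52b connected
"""
LATER_EVENTS = """\
2023-05-10T11:00:00 ws-01 HID 046d:c52b connected
2023-05-10T11:05:00 ws-01 NetworkAdapter 0b95:1790 connected
2023-05-10T11:06:00 ws-02 MassStorage 0781:5567 disconnected
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<cls>\S+) "
    r"(?P<id>[0-9a-f]{4}:[0-9a-f]{4}) (?P<action>\S+)$"
)
# Hypothetical per-class risk scores: a rogue network adapter can take over the
# default route, so it scores highest; unknown classes get a middle score.
RISK_BY_CLASS = {"NetworkAdapter": 90, "HID": 40, "MassStorage": 30}

def parse_log(text):
    """Parse lines into dicts, skipping blank or malformed ones."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def build_baseline(text):
    """Observation period: every device seen becomes an allowed (class, id) pair."""
    return {(e["cls"], e["id"]) for e in parse_log(text)}

def score_event(event, baseline):
    """0 for a baselined device, otherwise the class risk score."""
    if (event["cls"], event["id"]) in baseline:
        return 0
    return RISK_BY_CLASS.get(event["cls"], 50)

def alerts(text, baseline, threshold=50):
    """New-since-baseline events whose score reaches the alert threshold."""
    out = []
    for e in parse_log(text):
        s = score_event(e, baseline)
        if s >= threshold:
            out.append((e["host"], e["cls"], e["id"], s))
    return out
```

Feeding the observation-period log to `build_baseline` and later events to `alerts` yields only the unseen network adapter on ws-01.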

@indieserve,

We understand the reason behind your concern, which is understandably fair. Working in a safe environment means having the assurance that allowed devices are whitelisted and unapproved ones are not. We have coordinated with our Product Development team to analyze the request for a feature functionality.

Regarding your other query, for CCS logs, blocked or excluded devices only are logged.