Removable Media and Content Audits

by Josef Weiss
August 19, 2014

Data loss can occur through several methods; this dashboard focuses on tracking usage of USB devices, CD-ROMs, DVD-ROMs, and other removable media auditable events.  Security analysts should also be concerned about the classification of data stored on local computers. In conjunction with scans using Nessus content audit files, systems containing classified data are easily identified.

This collection focuses on auditing the use of removable media and storage of sensitive documents on local storage devices. The first step in monitoring sensitive data is to have an operational data classification policy and detailed set of storage guidelines. The next step is to create an auditing program for all storage mediums. Tenable provides a series of audit files called Sensitive Content Audit Policies for Nessus and SecurityCenter Continuous View (SC CV). These audit policies look for credit cards, Social Security numbers, and many other types of sensitive data. Many of the other audit files contain audit controls for CD-ROMs, USB devices, and other storage types.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting category Compliance & Configuration Assessment, and then selecting tags compliance and confidentiality. The dashboard requirements are:

  • SecurityCenter 4.8.1
  • Nessus 5.2.7
  • Content Audit Files
  • Audit Files with Checks for USB, CDROM, and other types of media

To audit for the storage of classified data, the organization should download the appropriate content audit files and modify the files accordingly. There are two modifications that may be required: the file_extension and max_size values. The file_extention [file_extension: "pdf" | "doc"] value contains the extension of the files that will be searched. The max_size value is the amount of data in the file that will be searched. For example, if the max-size is set to 20k, then the first 20k of the file will be searched. Other fields that might need adjusting are the regex and expect fields. However, these changes require extensive testing. Listed below are samples of the audit files:

  •  Government Classified Documents: This file searches documents for keywords indicating classification level such as "TOP SECRET", "NOFORN", and "NATO CONFIDENTIAL". (Last updated November 30, 2007.)
  • HIPAA EDI Claim Information: Searches a variety of file extensions that are used in medical insurance and claims Electronic Data Interchange documents. (Last updated November 30, 2007.)
  • PCI Credit Card Number: Searches for valid Visa, AMEX, Discover, and MasterCard numbers. (Last updated May 2, 2012.)

The checks for removable media can be performed with several audit files.  Listed below are some examples of files supporting CD-ROM and USB checks. The organization should review the audit files and create a specific audit file that applies directly its policies.

  • financial_microsoft_windows_os_audit_guideline_v2.audit
  • USGCB_Win7_Desktops_v2_official.audit
  • NSA_MacOSX_10_6_hardening_tips.audit

SecurityCenter Continuous View (SC CV) supports auditing of more devices than any other vendor.  Device and content auditing is accomplished using Nessus with audit files (located in the Customer Support Portal). The audit scans can be run against workstations, servers, and other devices (routers, firewalls, switches). The content audit checks are supported on Windows and *nix operating systems. Through continuous scanning strategies, the organization can be more aware of the location of sensitive content and storage device usage.

Components

Removable Media and Content Audits - USB Storage Audit Checks: This component focuses on compliance data, filtering on several strings containing “USB” in the plugin name. When an audit file is imported into SecurityCenter, the “description” line for the check becomes the plugin name.  The description for each check provides a descriptive statement of the audit check.  There are several audit files that contain checks for USB storage devices; the most common strings were compiled and used in this component. 

Removable Media and Content Audits - Confidential or Personal Identifiable Documents: This component provides indicators for confidential or personal sensitive data stored on systems identified by the Sensitive Content Audit Policies. 

Removable Media and Content Audits - Government Classified Documents: This component provides indicators for government classified sensitive data stored on systems identified by the Sensitive Content Audit Policies. 

Removable Media and Content Audits – CDROM, Floppy, Other Storage Audit Checks: This component focuses on compliance data, filtering on strings containing CDROM, floppy, and other removable storage devices in the plugin name.  When an audit file is imported into SecurityCenter the “description” line for the check becomes the plugin name.  The description for each check provides a descriptive statement of the audit check.  There are several audit files that contain checks for CDROM, floppy, and other removable storage devices; the most common strings were compiled and used in this component. 

Removable Media and Content Audits - Credit Card Number Audits: This component provides indicators for credit card number sensitive data stored on systems identified by the Sensitive Content Audit Policies. 

Removable Media and Content Audits - Financial Content Audits: This component provides indicators for financial content sensitive data stored on systems identified by the Sensitive Content Audit Policies.