
Tenable Blog


USB Device History Auditing with Nessus

Nessus plugin #35730 can audit Windows computers to obtain a list of all USB devices that may have been connected to them at some point in time. This plugin complements plugin #24274, which uses a WMI query to list all currently installed USB devices.

Why is this important?

The media is full of news stories about how USB drives are contributing to the data loss problem. Searching for “usb data loss” at Google returned 744,000 hits. Similar stories are located at the DataLossDB project.

Knowing that a computer has had one or more USB devices attached to it and what they were is an excellent piece of information. If you can audit this information ahead of time, your organization can recognize trends and product usage on mobile devices and “thumb drives” that could be damaging. For example, you may allow the use of iPhone or MP3 devices in your offices, but connecting them to a corporate laptop via USB may be against policy.

If there is a form of data loss, knowing the exact types of devices that were attached to a server or desktop may also be important. Knowing the specific manufacturer information can help an investigation understand what sort of physical device was involved in any potential data loss, and may help pinpoint who it belonged to.

Performing the Scan with Nessus

Plugin #35730 (Windows USB Device Usage Report) is located in the “Windows” plugin family. It is shown selected in a Nessus Client scan policy below:

[Screenshot: plugin selection]

By default the plugin only reports the 'First used' times for USB devices found in the initial section of the log file (setupapi.log). If you would like to report on all USB devices that have been added to the system, you should enable the “Thorough Tests” option under the advanced tab as shown below:
[Screenshot: "Thorough Tests" option]


Lastly, to perform this audit, your scan policy must include an administrator account and password for the remote Windows operating system. If you are only performing a credentialed USB audit, you should also disable all forms of port scanning to speed up your scan.

Below is a report of a Windows XP Pro system that has had several USB devices used on it recently:

[Screenshot: scan results]
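To make the 'First used' idea concrete, here is an added example (not Tenable's plugin code) that pulls the earliest install time per USB device out of setupapi.log text. It assumes the Windows XP log layout of bracketed timestamp headers followed by `#I121 Device install of "..."` lines; the sample log and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the assumed Windows XP setupapi.log layout (not from a real host).
SAMPLE_LOG = r'''[2009/02/18 09:14:02 1032.7 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disksandisk_cruzer_micro____8.02
#I121 Device install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_8.02\0000161511737EFB&0" finished successfully.
[2009/02/18 09:20:45 1032.9 Driver Install]
#I121 Device install of "PCI\VEN_8086&DEV_27D8\3&B1BFB68&0&D8" finished successfully.
[2009/02/19 16:40:11 1032.12 Driver Install]
#I121 Device install of "USB\VID_05AC&PID_1209\6&2A9E3C1&0&2" finished successfully.
[2009/02/21 08:01:30 1040.3 Driver Install]
#I121 Device install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_8.02\0000161511737EFB&0" finished successfully.
'''

HEADER = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \d+\.\d+ [^\]]*\]')
INSTALL = re.compile(
    r'^#I121 Device install of "((?:USBSTOR|USB)\\[^"]+)" finished successfully', re.I)

def usb_first_seen(log_text):
    """Return {device instance ID: earliest install datetime} for USB devices only."""
    first, stamp = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # section header carries the timestamp for the lines that follow
            stamp = datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S')
            continue
        m = INSTALL.match(line)
        if m and stamp is not None:
            dev = m.group(1).upper()
            if dev not in first or stamp < first[dev]:
                first[dev] = stamp  # keep the earliest sighting, ignore re-installs
    return first

def describe(instance_id):
    """Split an instance ID into enumerator, device ID and instance part."""
    enumerator, device_id, instance = instance_id.split('\\', 2)
    # Heuristic: '&' as the second character means Windows generated the
    # instance part, so the device reported no unique serial number.
    has_serial = len(instance) > 1 and instance[1] != '&'
    return {'bus': enumerator, 'device': device_id,
            'instance': instance, 'has_serial': has_serial}

if __name__ == '__main__':
    for dev, when in sorted(usb_first_seen(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(when.isoformat(sep=' '), describe(dev))
```

Entries without a device-reported serial number identify a model and port rather than one physical device, which limits how far they can tie a device to an owner.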


Real-time Enterprise Monitoring

For large networks, Tenable offers the ability to report on this information with the Security Center and to also monitor USB device usage in real-time with the Log Correlation Engine.

Security Center customers can leverage plugin #35730 on larger networks by deploying multiple Nessus scanners and performing their USB audits in a rapid, agent-less manner. The results of the scan can be easily searched (as shown below) and also used to create dynamic asset lists that group computers by the technologies connected to them, such as BlackBerry devices and iPods.

[Screenshot: Security Center audit search]

Log Correlation Engine customers can also monitor USB usage in real time. Using the Log Correlation Engine client for Windows platforms, USB usage on local systems as well as on remote Windows servers can be monitored for device inserts and removals, as shown below:

[Screenshot: USB insert event]

For More Information

Previously, we’ve blogged several times about using Nessus to perform some sort of USB technology audit. The following blog entries will likely be of interest:
