Is this mitigated by blocking mass storage devices on all devices on the air gapped network? Seems like the minimum you would want to do on a network important enough to air gap.
Depends. If you need updates on the software used in the air gapped network you won’t have lot of options. Burning cd’s doesn’t sound so crazy all of a sudden though…
Having worked in classified areas, both as an admin and an unprivileged user, CDs were normally the method of transferring data up the network. (Transferring down rarely occurred, and even then you’d be limited to plaintext files or printouts.)
I’ve seen more places use data diodes to perform one- or two-way transfers so that requests can be streamlined and there’s no loose media to worry about tracking. It’s not super fast and higher speeds mean more expensive equipment, but it covers 98% of software update needs, and most non-admin file transfers were under 20MB anyways.
Anything that did require a USB drive, like special test equipment (STE) or BIOS updates, had to use a FIPS-140-1 approved drive that offered a ready-only mode via PIN. This drive could only be written to from a specific workstation that was isolated from the rest of the machines (where data was transferred via CDs of course) and required two persons to perform the job to ensure accountability.
Not the most time-efficient way of doing things, and not completely bulletproof, but it works well enough to keep things moving forward.
So far, we haven’t been able to trace back to the initial compromise vector in the campaigns seen in our telemetry.
They hypothesize that attaching a compromised USB drive to an air gapped system is to blame. That seems to be a well known vector at this point. Does it matter much what tool is used to copy data once it’s in?
deleted by creator
People literally just drop usb drives in the parking lot of places they want to compromise hoping some idiot will plug it into a machine inside.
You say that like it’s some common occurrence. Is it? As far as I know the CIA, FBI, or NSA (Can’t remember) did a test where they did that in their own parking lot and lots of people fell for it. But is there any evidence of it being done maliciously?
Even if it isn’t an intentional attack you don’t want people bringing God knows what on USB sticks that may or may not just be infected from the users own home PC. USB storage devices are lovely targets.
But yeah the South Korean military got infected by a soldier plugging in a planted USB stick.
I think the narrative of a targeted attack is easier to sell though. Make it us vs them and people grasp the concept a little better. This is very common in information security training in a lot of fields in my experience.
