Domain 2 · 2.2 Threat Vectors & Attack Surfaces

2.2.3 Removable Devices & Vulnerable Software

17 min

The physical and logical security of an environment depends on managing hardware entry points and maintaining the integrity of the software life cycle.

Removable Media and Physical Vectors Removable devices represent a significant attack vector because they bypass network-based security controls through physical access. - USB Thumb Drives: The primary vector for delivering malware or exfiltrating data in "air-gapped" or highly secure environments. - Hardware Tokens: Physical USB security keys provide a secure One-Time Password (OTP) or cryptographic challenge/response to act as a second factor in authentication. - Malicious Flash Drives: Threat actors may drop infected drives in parking lots (Social Engineering) to bait employees into plugging them into internal workstations. - Data Exfiltration: Small, high-capacity removable media allow for the rapid, unauthorized movement of sensitive organizational data.

Mobile and Personally Owned Devices The blurring line between personal and professional equipment introduces significant risk to data privacy and organizational secrets. - BYOD (Bring Your Own Device): Policies where employees use personal devices for work. This increases the risk of data loss if the device is stolen or compromised by a "rogue or buggy" app. - MDM (Mobile Device Management): Critical software used to centrally manage mobile devices. MDM allows administrators to enforce encryption, remote lock, and remote wipe capabilities. - Implicit Trust Risks: Personally owned devices often lack the rigorous security patching and monitoring found on corporate-owned assets.

Vulnerable Software and Supply Chain The security of an application is tied to its support life cycle and the reliability of the vendors providing it. - EOL (End of Life): The point at which a vendor stops selling or marketing a product, though they may still offer technical support or limited patches. - EOSL (End of Service Life): A critical risk state where a vendor ceases all support, including security updates. Running EOSL software makes a system highly vulnerable to "forever day" exploits. - Supply Chain Assessment: The process of verifying the security of third-party vendors, online services, and hardware components to prevent "upstream" compromises. - Software Tokens: Applications (e.g., Google Authenticator) that generate time-based OTPs, serving as a more manageable alternative to physical hardware tokens.

Quick recall - Direct Access: An attack vector involving physical proximity or manual connection to a system. - Air Gap: A security measure that isolates a computer or network from the internet; removable media is the primary way to bridge this gap. - OTP Tools: Can be hardware-based (physical key) or software-based (Auth app). - Remote Wipe: An MDM feature used to delete sensitive data from a lost or stolen BYOD device. - Patching: The primary defense against software vulnerabilities, which is impossible on EOSL systems.