A media security station or media security kiosk is the entry point for data and files going into an air-gapped or isolated network. An air gap is an extremely good protection mechanism, which allows you to focus your defenses on that remaining limited attack surface that is the province of the media security kiosk.
The items for consideration for setting up a secure process or what we call a secure data workflow can be extensive, and we wanted to go through some of our recommended best practices on how to use a media security kiosk as part of a secure data workflow to keep threats out of your isolated network.
1) Physical Access to the Kiosk: The most expensive but the most secure method of physically protecting your kiosk against tampering is only allowing facility security personnel access to the kiosk. In this scenario, the user gives the media with the files that she wants to move into the facility and then security personnel scan the media for the user. The security personnel then transfer the media into the facility. The user never physically interacts with the kiosk.
If having security personnel scan media is cost prohibitive, at the minimum the kiosk must be in an area that is difficult to physically access unobserved, secured during off hours, and there should always be video surveillance on the kiosks.
2) Facility-owned Media: Non-facility (personally owned) media should never be allowed into a facility (isolated network). All media should be asset controlled, very clearly marked, and should be wiped using industrial class wiping software after every use. By only allowing the use of facility owned media you eliminate many types of potential attacks, especially those that involve accidental malware infections, or any type of attack that attempts to infect media before it enters a facility.
3) Logging: Logging should be enabled at a very granular level. At the minimum the user, date and time of scan, file names, and hashes of every file scanned should be collected. A kiosk should not allow infected files to be processed and should have the ability of quarantining infected files on the kiosk for later analysis.
4) Multi-factor Authentication: A kiosk should be configured so that multi-factor authentication is required to access it. Typically, this might be a combination of a security or smart card used in conjunction with a password. Even vendors and maintenance personnel should have an account created in advance and be issued a temporary time-limited access card and password if they are to be allowed to use the kiosk. Access cards, accounts, and passwords should never be shared.
5) Role-based Secure Data Workflows: A kiosk should allow for the configuration of many aspects of the workflow to support a secure data workflow. Here is a list of some of the more useful kiosk features: allowing only certain file types to be processed, allowing only certain media types to be used, configuring what a given user is allowed to do using some type of role-based control, USB drive white listing, not allowing files larger than a configured size to be processed, the ability to stop processing if a blocked file is found. As you can see security kiosks can be very configurable. The key to secure data workflow configuration is using role-based method to apply the principle of “least privilege” to the process of using the kiosk.
6) Wipe Media: After it is used in the facility there should be a procedure to wipe the facility-owned media using industrial grade wiping software after each use and a separate system should be used to verify the media was wiped. Some security kiosks also support media wiping – this should be enabled as a complementary safeguard procedure – but should never be the primary method of wiping media.
7) Use an intrusion detection system on the kiosk: The kiosk should have some form of Host Intrusion Detection System (HIDS) or a File Integrity Management (FIM) system in place to detect tampering of the kiosk. If an integrity violation is triggered by the intrusion detection system, the kiosk should be able to immediately disable itself until security personnel can fully investigate the issue.
8) Secure Hardened Image: The operating system image that is used by the kiosk software should be hardened as much as possible. The two recommended standards for OS hardening are either the Center for Internet Security (CIS) or the Defense Information Systems Agency (DISA) Secure Technology Implementation Guide (STIG) standards, which are both excellent. Since the kiosk is a very special purpose device device the system should be hardened as much as feasibly possible.
9) Isolate the Security Kiosks: If you have more than one kiosk, you may want to look at connecting them to each other on an isolated network to make it easier to maintain them. The three primary maintenance tasks are: updating the kiosks with the latest anti-malware definitions, updating the operating system, and collecting log data. The kiosks should be kept isolated from any other networks to prevent them from being used a point of entry into any networks, or on the flip side to prevent a connected network to be used as an access point to attempt to tamper with the kiosk.
There are many issues to consider when setting up your media security stations to protect your isolated networks from portable media threats. The key is to use a solid framework to analyze your secure data workflow process to make sure you don’t have any holes. We are indebted to many of our customers that use our kiosk products for giving us their feedback and best practices so that we can share them with the entire community that uses isolated networks.