Welcome to a quick hit edition of the CyberSkinny!
I get questions all the time around locking down USB device access to Windows PC's. These questions are all fair and come from a place of real angst over a tried and true attack vector. Usually the questions are posed in a manner based on how these challenges were dealt with in the past. This is certainly true in the healthcare space where sensitive data can be passed all over creation between many people… all with good intentions and with the best interests of the patient in mind. Historically the only real way to tackle this challenge was to completely lock down USB ports and other external access to devices. This is the hammer method when a multi-tool is really what's needed.
Well, fine readers, the days of hammer-instead-of-multi-tool are quickly becoming lore for your (oddly cybersecurity-interested) grandchildren. USB/external access protection is one of those areas where a platform approach can pay huge dividends.
This topical blog from the Windows Defender ATP team really can't be improved upon (including an excellent allusion to LoTR) so I'll just link it here for your consumption.
Allow me to provide a frame of reference from which to read the blog:
In today's cloud-focused, mobile-empowered, technology-possessing (though not always technology-savvy) world, you don't need to completely lock down your environment. You need to control your data. I know "control" is a big word, but a nuanced, comprehensive approach to data protection goes a long way towards balancing the security vs productivity slider for your business. "Environmental lockdown" (e.g. "nothing works when you connect it to a USB port") slides that scale pretty far one way in almost every case. I'll let you decide which way that is. This is true across verticals and regardless of your business model (B2B, B2C, B2E, etc.).
Check out that excellent blog above from the WDATP team and noodle a bit on what a world would look like where you could lock down specific USB devices only, or protect all external access from running scripts or potential malware, or you could block direct memory access from new-fangled standards/protocols like Thunderbolt that appear in your environment before you're prepared for them. And you're not hamstrung with a simple claw hammer to work with. Not everything is a nail. You can be decisive. Dare I say surgical (Dare! Dare!). You can be both reactive to the threats you are seeing and proactive for those you expect to see going forward. And your people can get stuff done. That does sound nice. Yeah, let's go do that.
On a Holiday note, I absolutely love our latest ad focusing on adaptive gaming. Check it out here. "Give Wonder" is an amazing way to approach the holiday season.
May you have a wonderful Holiday season with those you hold dear, filled with Wonder both given and received!
wdsii
