The paper considers the urgent task of ensuring information security by monitoring the connections of USB devices. An analysis of the available solutions was carried out, and technologies were identified that will allow the system to be implemented. The topology of the physical components of the system is developed and described. The subject area model is described by an ER diagram that contains key entities and links them. The description of model attributes is given. The system is implemented in the form of two Windows services, utilities for configuring launch options for services and a web application. The verification plan is given, according to which the system was proved to be operational. The developed system can be recommended for solving the urgent cybersecurity task of monitoring device connectivity.
At the present stage, information is becoming one of the most valuable and sought-after resources, for the preservation and protection of which more and more time and money is allocated. In this regard, a cybersecurity measure to protect information is one of the important processes of any organization. The process of information security management is inextricably linked with the monitoring of events in the system. Availability, small size and increased capacity of USB drives casts great doubt on the information security of companies. Ignoring this threat can lead to significant material losses. By connecting to a USB port, an attacker can snatch important information or install malware. More and more companies are investing in firewalls, using more reliable and modern encryption algorithms, and other means and technologies to protect data from Internet theft. However, the most common attackers are employees of the company, who steal information about investments, project documents, commercial offers, personal information and contact details of customers and much more.
Disconnecting USB ports is a radical security measure that will lead to significant inconvenience and inability to connect peripherals to your computer. Determining the list of allowed devices using a serial number is a good measure to prevent information leakage, but not enough. The serial number of the flash drive can be changed to any, which will allow the infringer to access important data without any obstacles.
An important security measure is to monitor the connection of USB devices to corporate computers. Centralized connection tracking is an effective way to investigate leaks via USB devices, allowing security management or the security administrator to respond in a timely manner and identify the device, date, time, and computer where the incident occurred. Analysis of this data and detection of the fact of connection of the device will help to successfully identify the attacker and take the necessary measures.
The aim of the work is to increase the efficiency of information protection systems by developing a subsystem for monitoring the connection of USB-devices. 2
Related works analysis and problem statement One of the important tasks of modern information and / or cybersecurity systems is to ensure promptness (timeliness) in identifying threats and risks for information objects and processes to be protected. In order to increase efficiency in information and / or cybersecurity management systems, components are used that record changes in the functional state of an object or process automatically. The basis of such components are high-quality agents (hardware or software) to collect data on the current state of individual components of the object or process and effective agents that can analyze the collected data and make decisions about the functional state of the object or process as a whole. Examples of the first type of agents are in [1]. Implementation of agents of the second type requires the involvement of machine learning technologies [2] and pattern recognition similar to those used in intelligent decision support systems for technological, economic, environmental, and social objects or processes.
Large companies and corporations use Security Information and Event
Management (SIEM) technology for cybersecurity [
According to [
- Security information management (SIM) — log management and compliance reporting.
- Security event management (SEM) — real-time monitoring and incident
management for security-related events from networks, security devices, systems, and
applications [
However, small companies do not have the opportunity to invest heavily in ensuring information security on this technology and conducting training of specialists for the quality performance of their functions in the application of the above products. During the analysis of existing solutions, software products were identified that can fully or partially perform the task monitoring of USB device connections: USB Canary, USBDeview, CleverControl, Solarwinds Security Event Manager, and AlienVault.
Determine the main characteristics of the monitoring system USB connections, which meet the needs of a small company, and determine the compliance of existing solutions to these requirements (see Table 1).
Thus, a review of existing solutions has shown that both paid and free products can be used to monitor USB device connections. The disadvantage of free solutions is the lack of functionality that does not meet all the needs for a full-fledged solution. Most free solutions do not have a centralized analysis of events when connecting USB devices to corporate computers. Paid versions contain redundant features that you have to pay for.
Therefore, it is necessary to develop a system that will: - track connection events on corporate computers; - provide centralized collection and storage of events for further analysis; - have an intuitive web interface for easy viewing and analysis of events; - provide the ability to find the right events; - access to view events must be carried out after the authorization procedure; - the ability to manage users of the web application and delete irrelevant information. Access to these functions should be provided only to users with administrator rights.
- ability to recover the password; - ability to deploy the program on the computer to be monitored.
For high-level design of databases ER-chart was developed. This model allows you to describe the subject area, highlight key entities, and identify the relationships that can be established between those entities.
Figure 1 shows a database diagram that meets the requirements of the development system. In order to avoid potential inconsistencies and redundancy of the data, the model was reduced to the third normal form during the design.
Id userpc eventdate eventtime vid pid SN typeevent Id ip userpc mac
Key
FK
To display the topology of physical components of the system and the location of software components of the system, a deployment diagram was developed (Fig. 2). Using this diagram, you can display the location of complex information systems that require different computing platforms and database access technologies. This makes it possible to streamline the placement of components in the corporate network, which determines the overall performance of the system. The need to integrate systems with the Internet requires addressing related security issues and the availability of information for corporate customers. The use of "client-server" technology requires the placement of large databases in different segments of the corporate network, their archiving, backup, and hashing, which in turn will ensure system performance. These aspects also require visual representation to specify the software and technical features of the implementation of distributed architectures.
Hereof it is possible to allocate the basic purposes of development of the deployment diagram: - distribute the components of the system on physical nodes; - show physical connections between nodes during execution; - facilitate the system configuration process.
The main component of the deployment diagram are nodes and their relationships. Representation of nodes occurs by means of rectangular parallelepipeds with the artifacts which are located in them. In turn nodes can contain the subnodes, presented by rectangular parallelepipeds. A node on the deployment duagram can rearrange a computer, a database server, network components, and other. The diagram shows four physical nodes: - server - a node on which the server service is located; - client - a node over which monitoring is carried out, and on which the client service is located. Any corporate computer can be this node;
- web server - a node on which the web application is installed, the main purpose of which is to analyze events; - database server - a node on which the database is installed.
The diagram (Fig. 3) allows you to determine the requirements for the system and describe the functionality. It also helps to identify internal and external factors that affect the system and need further consideration.
Description of the software implementation of the system for monitoring the connections of USB-devices
To develop a system for monitoring USB device connections, the following were selected: C # and Python programming languages, technologies for creating HTML web interest, CSS and JavaScript, and PostgreSQL database.
The part of the system that monitors USB device connection events must be implemented as a Windows service. Services implement the .NET Framework created by Microsoft to implement Windows. This platform allows you to run applications on the Windows operating system written in languages such as C # or VisualBasic.
Any monitoring system [
The system was checked according to the plan (Table 3).
TC_ID TC1 ТС2 TC3 TC4 TC5 TC6 TC7 TC8 ТС9
Table 3 - Verification plan Verification requirements Test the ability to register the client service and server service in the system using the installer Test the ability to track the connection or disconnection of USB drives to a PC, send the received data to a server and store it in a database Test the ability to configure network settings for client service and server service, the ability to run services on separate computers, the ability to view received events using a web application Test the ability of authorized access to the system
Once the USB device is connected, the data is added to the database. This means that the USB device connection event was successfully tracked, transferred to the server, and recorded to the database (Figure 6).
A convenient search allows you to track the connection with the specified parameters (Fig. 7).
Testing the program according to a defined plan proved the efficiency of the developed system.
The developed system allows you to supplement cybersecurity measures with a convenient tool for monitoring events. The software allows you to track connection events on corporate computers; provide centralized collection and storage of events for further analysis; have an intuitive web interface for easy viewing and analysis of events; provide the ability to search for the desired events.
The disadvantages that will be eliminated in the future include the impossibility: ─ work with ActiveDirectory; ─ identify the user account during which the device was connected; ─ automatically determine the type and name of the company-manufacturer of the
USB-device; ─ remote complete blocking of USB-devices connection; ─ creation of "white" lists of devices allowed for use in the corporate network; ─ remotely delete USB device entries from the registry of the remote computer. 6
The following main results were received in this paper: ─ The main tasks of modern information and/or cybersecurity systems and technologies to ensure information protection have been considered; ─ A review of software for monitoring the connection of USB-devices revealed the urgency of developing a system that can be used by small companies to reduce the response time to leaks and increase the chances of establishing the identity of the infringer. ─ The system is implemented in the form of two Windows services, utilities for configuring settings for running services and a web application. ─ The performed efficiency test made it possible to recommend this software tool for monitoring USB-device connections. ─ Further research will be aimed at integrating the developed monitoring system with the information security management system, which will allow to comprehensively solve the cybersecurity problem.