Adding controls won’t give you more security. I came across advice from another cybersecurity practitioner that is overkill. Indeed, the insecure WiFi is part of this.
The whole story is that a critical system (simply the Target) is isolated from the Internet. To update the Target with security patches and new anti-malware definitions, removable media (simply USB hereafter) is used to transfer the required files obtained from the OEM into the Target environment. No doubt there is risk in using USB. A dedicated kiosk scanning station (simply Kiosk hereafter) is established to check the USB for malware before it is plugged into the Target. So far, everything looks good and sensible.
Because the Target using the USB is far away from the Kiosk, the cybersecurity practitioner had an innovative idea to ENSURE that the USB inserted is the one that has just been scanned by the Kiosk, and not a different one inserted by human mistake. In other words, the USB must be validated before loading to the Target. The Kiosk OEM has a validation agent. Therefore a single standalone workstation (Workstation hereafter) is set up for this specific business function, with the OEM validation agent installed. This Workstation also acts as a file server from which the Target retrieves the files.
A mini-infrastructure is set up to connect the Target and this Workstation, with a lockbox, a network firewall and a network selector in between. The stateful network firewall allows only Target-initiated TCP connections to the Workstation over limited ports and protocols. The sequence of steps is:
- Insert the USB into this Workstation
- Check USB for correct version
- Use network selector to choose the Target (because there are multiple Targets)
- Defeat the lockbox
- The Target initiates a file transfer to pull the required files, clean of known malware, into its own environment and then distributes them; the web browser on the Target acts as the FTP client because it does not require installing extra modules, which would raise warranty and support issues for the Target
Because the Workstation also needs its own protection, such as applying security patches and updating the anti-malware definitions, but the corporate WiFi is positioned as insecure, a complex procedure to accept another USB stick is required to update this Workstation itself and run a full scan afterward, before each use.
FTP is used to simplify the solution because the source files are all from the public domain. However, here comes another “advice”: by company policy, an insecure protocol like FTP must not be used and must be changed to SFTP.
OMG! Assuming SFTP is feasible, it will require account management (staff movement), regular password changes and regular patching or version upgrades of the SFTP server as well. Indeed, simple anonymous FTP will do the job. If the company policy is written so rigidly, then it’s about time to review and revise the policy, or even to replace the practitioner with a more competent one too.
We, as cybersecurity practitioners, must look at the entire picture, assess what controls are necessary and exercise our professional judgment to help business users stay secure. Here, a simple manual procedure to ENSURE the right USB is used in the Target will suffice. The entire validation infrastructure and the controls in the firewall, lockbox and SFTP are excessive and unnecessary. These won’t make it more secure but will consume more effort to maintain the security of this “infrastructure”. More steps to maintain the security of the controls mean more human error too. The magnitude and likelihood of human error in this respect probably outweigh those of a wrong USB insertion in the first place.