A farmer takes a risk when introducing new sheep into their flock as the new sheep may carry parasites that may spread through the flock, infecting all sheep and causing significant losses to the farmer. Introducing new sheep to the flock is, however, unavoidable and therefore the risk must be accepted – unless it can be mitigated.
The farmer’s solution to this problem is a sheep dip – a trough filled with pesticides in which the new sheep is immersed (dipped) and thoroughly disinfected before being introduced to the flock, preventing the spread of infection and protecting the entire flock.
Parallels Between Agriculture and Enterprise Cyber Security
Enterprise security teams face a similar challenge to the farmer: a new device, such as a thumb drive, may need to be introduced into the business network. Malware present on the drive may spread through the entire organisation and cause significant operational disruption or even closure of business. Before we discuss solutions, let us first examine if this risk is hypothetical or real.
The Risk of Rogue Devices
Threat actors are known to use USB Drop Attacks, leaving a malware-laden thumb drive or other USB storage media in a place accessible by the victim; the victim plugs the drive into a computer to check its contents and the malware launches.
The Stuxnet attack, which destroyed a large number of centrifuges and significantly hampered Iran’s nuclear programme, is the most famous example of an attack launched through an infected USB drive.
An infected USB drive, or other device laced with malware, is not just another cyber attack. It is a type of cyber threat that can be used to compromise air-gapped systems that are used in high security environments, as was the case in the Stuxnet attack.
Risk Mitigation Options
The organisation may consider these options to mitigate the risk presented by potentially infected new devices:
- Avoid Introducing New Devices – While effective, this is not a practical solution for the vast majority of organisations. Business requirements may dictate that data on a thumb drive be accessed from or copied to an enterprise endpoint, or data be copied to the drive. A blanket ban on using thumb drives will only exist on paper and the policy will often be violated in practice, and the organisation will eventually be compromised
- Scan New Devices When Plugged In – Endpoint security solutions, such as K7 Endpoint Security, permit automatic scanning of devices like thumb drives for malware when they are plugged into an endpoint. While this solution can prevent the entry of malware, the organisation still faces the risk of the device being accidentally plugged into an endpoint that is unprotected due to endpoint security not being installed or being temporarily disabled for maintenance
- Sheep Dipping – The most effective and practical solution is digital sheep dipping, where devices are scanned before being introduced into business networks
Sheep Dipping in Enterprise Cyber Security
Sheep Dipping, in enterprise cyber security, refers to scanning a device such as a USB thumb drive on an endpoint dedicated to that purpose, after which the drive is used in the business endpoint where it is required. The computer used for scanning is the equivalent of the trough that farmers use to disinfect sheep.
The scanning endpoint may use endpoint security such as K7 Endpoint Security and other cyber security tools such as sandboxes, virtual machines, and alternative operating systems (Linux/Windows dual boot) to meet the organisation’s security requirements.
Precautions to be Followed for Effective Sheep Dipping
While sheep dipping is highly effective at preventing ingress of malware from infected devices, these precautions should be followed to ensure this digital defence is not defeated.
1. Physical Facility Isolation
Sheep dipping works only if every device is scanned before being introduced into the business network. It can be easily circumvented if employees or contractors are allowed to carry devices into the facility. The enterprise must have a physical security process to prevent devices being carried into the facility past a physical perimeter. A maker-checker authorisation process must be followed to allow device entry, and device entry must be permitted only after the device has been sheep dipped in the dedicated scanning endpoint.
Within the facility, access to USB storage media and other devices should be blocked on all endpoints. Deploying a solution like K7 Cyber Protect 360 XDR will allow temporary USB access to be granted through an OTP that is provided to the end user after appropriate authorisation, and all USB access will be logged for monitoring and analysis.
2. Network Segmentation
Malware may flow from the new device into the sheep dip/scanning endpoint, and from the sheep dip endpoint to business endpoints if all endpoints are on the same network. The sheep dip endpoint must use a different network segment or otherwise be isolated on the network to prevent the spread of malware through the sheep dip endpoint. Such isolation necessitates physically transporting the new device from the sheep dip endpoint to the business endpoint where it is required; the organisation’s digital infrastructure cannot allow direct transfer of device data between the sheep dip endpoint and the business endpoint, to preclude cyber threats piggybacking on legitimate data transfer.
3. Protecting the Sheep Dip Endpoint
Sheep dipping will not be effective if the sheep dip endpoint is itself infected with malware or otherwise compromised. The sheep dip endpoint must be protected by following stringent security measures to prevent the endpoint turning into a point of entry for cyber attacks.
- The security team must maintain physical and logical access control to the sheep dip endpoint. Access, including access credentials, should be available only to authorised members of the security team and should not be shared; access credentials should follow good password hygiene
- The sheep dip endpoint must be used only for sheep dipping and all other use should be avoided
- No unnecessary applications should be installed on the endpoint and any that are present should be removed. Network access, including access to websites that are not related to the sheep dipping function, should be curtailed. Physical and logical ports that are not required for sheep dipping should be disabled
- The sheep dip endpoint should be protected with endpoint security like K7 Endpoint Security that includes a firewall with integrated Host-based Intrusion Detection Systems (HIDS) and Host-based Intrusion Prevention Systems (HIPS), and supports granular device control including blocking of devices by category, Class ID, and Device ID
- Use virtual machines in the sheep dip endpoint and restore to a clean snapshot (or even delete the virtual machine) if a highly dangerous threat is detected on the device
- Where practicable, the sheep dip endpoint can be air-gapped for additional security. As scanning for cyber threats is the purpose of the sheep dip endpoint, it will need to receive malware definition updates; internet-delivered updates will not be received by the endpoint if it is air-gapped. Protecting the endpoint with K7 On-Premises Enterprise Endpoint Security, which supports offline updates, enables the sheep dip endpoint to scan devices for the latest cyber threats without being exposed to the internet
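The device-control and logging behaviour described above (blocking by category, allowing specific vendor/product IDs, granting a unit temporary access only after it has been sheep dipped, and logging every connection attempt) can be expressed as a small default-deny policy. The following is an added illustration, not K7's code or the post's own; the class codes are standard USB interface classes, while the vendor/product IDs, serial numbers and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field

MASS_STORAGE_CLASS = 0x08   # USB interface class code: mass storage
HID_CLASS = 0x03            # USB interface class code: keyboards and mice

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    interface_class: int
    serial: str              # caveat: serials can be spoofed by a hostile device

@dataclass
class DevicePolicy:
    """Default-deny USB policy with class, vendor/product and per-unit rules."""
    allowed_classes: frozenset = frozenset()   # categories usable without approval
    allowed_ids: frozenset = frozenset()       # (vid, pid) pairs, e.g. standard keyboards
    dipped_units: dict = field(default_factory=dict)  # serial -> approval expiry (epoch s)

    def approve_unit(self, serial: str, now: int, ttl_seconds: int) -> None:
        """Record that a unit passed the sheep dip; the grant is time-limited."""
        self.dipped_units[serial] = now + ttl_seconds

    def evaluate(self, dev: UsbDevice, now: int) -> tuple:
        """Return (decision, reason); the most specific matching rule wins."""
        expiry = self.dipped_units.get(dev.serial)
        if expiry is not None and now < expiry:
            return "allow", "unit approved after sheep dip"
        if expiry is not None:
            return "block", "sheep dip approval expired"
        if (dev.vendor_id, dev.product_id) in self.allowed_ids:
            return "allow", "vendor/product on allow-list"
        if dev.interface_class in self.allowed_classes:
            return "allow", f"class 0x{dev.interface_class:02x} permitted"
        return "block", f"class 0x{dev.interface_class:02x} not approved"

def audit_line(host: str, user: str, dev: UsbDevice, policy: DevicePolicy, now: int) -> str:
    """One log line per connection attempt, allowed or blocked, for central monitoring."""
    decision, reason = policy.evaluate(dev, now)
    return (f"ts={now} host={host} user={user} vid={dev.vendor_id:04x} "
            f"pid={dev.product_id:04x} class={dev.interface_class:02x} "
            f"serial={dev.serial} decision={decision} reason=\"{reason}\"")

# Constructed sample policy (hypothetical IDs): keyboards/mice allowed by class, one
# approved vendor/product pair, one unit granted an hour of access after sheep dipping.
POLICY = DevicePolicy(allowed_classes=frozenset({HID_CLASS}),
                      allowed_ids=frozenset({(0x1234, 0x0001)}))
POLICY.approve_unit("SN-DIPPED-0001", now=1_700_000_000, ttl_seconds=3600)
```

The expiry check is what turns the OTP-style temporary grant into something a SOC can reason about: an approved drive that reappears after its window is blocked and logged, rather than silently trusted forever.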
Sheep dipping does not remove the need for endpoint security or other cyber security solutions, and may not be appropriate for all organisations. Sheep dipping is a useful tool in the cyber security team’s toolbox that may be deployed where necessary, such as in high-security environments and facilities that frequently use USB storage media to transfer data.
Deploying solutions like K7 Cyber Protect 360 – XDR along with K7 Endpoint Security can ensure comprehensive and reliable cyber defences for organisations with and without sheep dipping facilities. Contact Us to learn more about how K7 can help you stop cyber threats irrespective of how they attempt to enter your organisation.