Which of the following is the BEST example of a cost-effective physical control to enforce a USB removable media restriction policy?
The best example of a cost-effective physical control to enforce a USB removable media restriction policy is putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports. This approach is inexpensive since antitamper tape is generally low-cost and does not require a significant initial investment like locked containers or endpoint agents. Although it requires regular inspections, the overall expense is still lower compared to other high-cost or software-based solutions. Additionally, it meets the requirement of being a physical control, as it physically obstructs access to the USB ports. Implementing a GPO or installing an endpoint agent, while potentially effective, are not physical controls and therefore do not fully meet the criteria of the question.
Answer: Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports
=============================================
Explanation: The question is asking for two specific requirements for the solution:
1. A solution that's cost-effective
2. A solution that's a physical control
The option to implement a GPO (B) and installing an endpoint agent (D) are software-based implementations, while in the case of the GPO being cost-effective, they do not address the physical control requirement for the solution. Option C would address the requirement as a physical control by preventing users from physically accessing the USB port and is likely the best out of all of the given options; however, this option is not the cheapest, so it's not addressing the cost-effectiveness required for the solution. Only option A would address each requirement of the solution being a cost-effective physical control that can be implemented.
Absolutely agree with you. BTW your input on the discussion of the questions is phenomenal, so thank you.
The answer is GPO not A. Cost effective is only A, GPOs are configured in AD and require no additional cost except the network admin to config. A requires purchasing tape, paying techs to go to all systems and cover! Not cost effective at all. What if the organization has 2000 computers, you are going to pay techs to go out with tape! No! Answer is GPO, easy, zero cost, and bulletproof!
100% agree with you. GPO is what the DoD uses.
GPO is undoubtedly a better solution. In the context of the question though, it is absolutely not correct. GPO is a technical control, not a physical control.
GPO is a technical control, not a physical one. A: is dirt cheap (tape, port logging & inspection costs very little).
Option A involves a lot of additional cost for security tape and regular inspection... inspection = time = money. Option B is essentially no cost because it uses existing domain software and infrastructure to enforce. Restricting access is by definition a physical control. Option C also involves money (like option A) and is not cost effective. Option D involves purchasing individual endpoint agent software... again not cost effective. They are all able to control the physical hardware by disallowing removable media or otherwise restricting it, however only one is cost effective - Option B, implementing a Group Policy Object.
Physical control buddy
If Restricting Access is a physical control, then software is a physical control! (makes zero sense)
My issue with B is that a group policy is LOGICAL, not a physical barrier. Having said that, merely putting tape over a USB port is a terrible idea. Surely that is only done in trusted environments?
I agree with A but the context would be great. Can you imagine placing tape over a USB port in a high school environment? The tape will be gone in 1 minute. So is the laptop in a trusted or public environment? Because then, after a malware attack, the price of a metal cage is the cheapest option. (just some food for thought)
It's pretty obviously B, I think y'all are getting too hung up on a physical control being 100% physical. A biometric scanner isn't useful without some kind of software running that compares my signature to a known copy of whatever it's scanning, yet it is still considered a physical control.
The idea behind a "physical control" is that the main control is based on something physical (just like the biometric scan is worthless if we don't have a body part to scan). A GPO is a pure software solution. Also, a GPO does not forbid a user from plugging in a USB removable device during system boot and then loading some sort of malware or even a new OS.
Exactly! GPOs offer NO protection from bootable USBs
A biometric scanner by itself wouldn't be considered any kind of control because the scanner itself doesn't prevent anything. Assuming that it is part of a door system that only opens if your biometric signature is known to the system, then the door would be a physical control that the biometric scanner controls access to. Physical: A physical control is one that prevents specific physical actions from occurring, such as a mantrap prevents tailgating. Physical controls prevent specific human interaction with a system and are primarily designed to prevent accidental operation of something. Whether or not a physical control relies on software is irrelevant. What matters is the fact that the control is physically impeding an action from taking place (actually physically blocking the port with tape or putting the whole computer in a locked container). Using a GPO to block removable media at the OS level is a technical control, it doesn't do anything to prevent the physical action from taking place.
It's obvious that it's not indeed obvious.
B seems to be the most cost-effective if certain infrastructure were already in place. However, B and C are technical/software-dependent controls, NOT physical controls. "A" is a physical control, but if the number of systems to be restricted is in the hundreds, it will require a lot of "man hours" to place the security tape on the ports and regularly monitor the systems. This is a recurring expenditure in "man hours" that does not seem to be cost effective. "C" is a physical control that requires a one-time investment in containers with locks and "man hours". The containers do not necessarily need to be high-grade, they just need to be adequate. Also, from experience, the containers will likely be purchased at discounts if buying in large quantities. This seems to be the most cost effective as it doesn't require recurring expenditure for several years.
This option physically prevents users from accessing the USB ports altogether, thus effectively enforcing the USB removable media restriction policy. It's a straightforward and relatively inexpensive method compared to other options like implementing endpoint agents or using security tape over USB ports, which can be more complex or costly to deploy and maintain.
Someone help me here... I chose C as my answer. Now I know that A would be the most cost effective in this situation, as tamper seals are cheap etc., but why not choose the "set it and forget it" technique of putting it in a key-controlled box instead of using man hours and labor to monitor the ports, as well as potentially having to replace the seal (if broken/altered)?
GPO is cost effective and can control the physical access of a USB
The question asks for two things:
- Physical control
- Cost effective
I picked C because ONCE in a cage locked up, there's no need to pay techs to keep monitoring USB ports and replacing tape (choice A). It's a done deal, zero access and it's also physical. Why would I want to keep paying for tech support to keep monitoring ports after taping them? Who is to say that insider threats can occur easily by removing the tape. Permanent security is the goal here and not band-aid fixes that are going to cost even more in the long run. Put the ports in a cage and lock it up, you're done! Option B is out because this is NOT physical. It may be cost effective, but it's not a physical control. Option D is an expensive technical control.
Only gas stations use "antitamper tape" over the ports. The answer is B.
B. Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced
How could regularly inspecting the ports be cost effective? We are talking of a tape over USB ports, having a person regularly go and inspect that wouldn't make any sense.
I think you over-think
(B) is the real answer.
A: is a terrible solution, however, as the tape can be ripped off. But it is cost-effective.
B: is NOT a physical control, so it's out
C: will definitely work, but it's not as cost-effective as A
D: is NOT a physical control, so it's out
B and D involve effective methods for controlling USB access, but they are not considered "physical" controls. Option C is a physical control but may not be as cost-effective due to the expense of the locked containers.
The only physical controls are A and C. And A is cheaper than C, assuming you don't have the lockers.
A USB removable media restriction policy is a set of guidelines and controls that an organization establishes to manage and control the use of USB and other removable media devices within its computing environment. It can also be supplemented with the physical controls, such as antitamper tapes put on the USB ports and logging the port numbers.
The answer here is "B" GPO. The solution cannot be "A" because it is not cost effective. Buying all that tape to cover ports is not effective, and paying techs to go around periodically checking tapes on each machine to ensure they have not been tampered with is a waste of company time and resources, which ultimately is costing the company a lot of money just to place, check and replace tape. GPO is the only acceptable answer as it counts as physical. Just because you can still plug something in is not relevant. As a security measure, if a port is disabled, it has the same effect as covering the port, as it is equally protected even though you can still plug something in.
The problem with B is that it's NOT a physical security control!