221 – Disconnect unnecessary input devices

Summary

A virtual essential must not have connected devices that are not necessary for its operation (e.g., Floppy, IDE, CD/DVD, USB, Serial).

Description

This control refers to the restriction of access and permissions to the minimum necessary functions for the operation of the system. In the context of virtual essentials, unnecessary connected devices increase the attack surface, providing potential ways for exploitation. Actions as the use of malicious USB devices, BadUSBs, unauthorized data exfiltration, among others, can be executed against virtual essentials and eventually gaining access to the host system.

Supported In

Advanced: True

References

• CIS-4_1. Establish and maintain a secure configuration process
• CIS-4_2. Establish and maintain a secure configuration process for network infrastructure
• CIS-4_8. Uninstall or disable unnecessary services on enterprise assets and software
• MITRE-M1034. Limit hardware installation
• CMMC-MP_L2-3_8_7. Removable media
• HITRUST-01_h. Clear desk and clear screen policy
• OSSTMM3-11_9_3. Data networks security - Limitations mapping
• C2M2-9_3_d. Implement IT and OT asset security for cybersecurity architecture

Last updated

2024/01/18