Need a USB blocker to protect sensitive files against theft to portable storage? In this article you will learn why you need to block USB devices and the best USB device management tools to prevent data loss to removable media.
Ready to prevent data loss to USB storage devices? Get started immediately with a free trial of AccessPatrol, CurrentWare’s USB blocking software.
The theft of sensitive data via USB ports is by far the greatest risk presented by unmanaged USB devices. Companies with databases full of sensitive data such as customer information, intellectual property, and trade secrets are especially vulnerable to insider data theft as this data can be used for personal or professional gain.
A USB blocker is an essential part of any data theft prevention strategy. Without restrictions on USB drives and other external devices, a data security incident is as simple as a user sneaking in an unauthorized USB flash drive, plugging it into an available port, initiating a download of sensitive data from the network to the device, then walking away.
USB devices are portable, which makes them convenient for mobile data storage. It also makes them incredibly easy for a user to misplace.
If a proper data backup system is not in place for crucial data there is a risk that the most up-to-date version of a file is located on a USB removable storage device. Should one of the removable devices go missing the integrity of the data will be compromised, not to mention the potential data breach if the data wasn’t encrypted.
With a USB blocker you can improve data security by limiting what files are allowed to be transferred to a USB device.
Since USB flash drives are capable of storing and transmitting data, they are potential vectors for malware. The infamous Stuxnet computer worm, for example, was able to infect air-gapped computers in an Iranian uranium enrichment plant when infected USB flash drives were plugged into their USB ports.
Even if USB drives aren’t intentionally infected with malware, personal USB devices are at a greater risk of inadvertent infections. A USB blocker protects against rogue USB devices by blocking USB ports and allowing you to authorize trusted USB drives.
Removable devices consist of a variety of compact devices that can connect to another device to transmit data from one system to another.
Last Updated: July 2022
AccessPatrol is a USB device control software solution that protects sensitive data against theft to portable storage devices.
AccessPatrol keeps data secure by…
AccessPatrol’s central console allows you to centrally manage devices and run reports on your users’ USB activities from the convenience of a web browser.
The security policies are enforced by a software agent that is installed on your users’ computers. This keeps devices restricted and monitored even when the computers are taken off of the network.
AccessPatrol operates from the same central console as the other modules in the CurrentWare Suite. It can be purchased individually for the greatest flexibility or bundled with the CurrentWare Suite for the best value.
The CurrentWare Suite includes multiple solutions for protecting data:
AccessPatrol is exclusively available on Windows. It supports Active Directory import and sync that allows you to manage your users with your existing organizational units alongside non-AD users.
AccessPatrol uses a software client to enforce data loss prevention policies on devices no matter which network they are connected to, making it the ideal solution for protecting remote workers.
AccessPatrol has been verified as Citrix Ready. The device control software can be installed on premises or to the cloud on a self-managed cloud virtual machine.
AccessPatrol is a module within the CurrentWare Suite. When purchased as a standalone module its pricing starts at $3.99 per license per month, paid annually.
The full CurrentWare Suite starts at $8.99 and provides additional modules for internet use monitoring, web filtering, and remote PC power management.
Discounts are available for prepayment and bulk licensing, managed service providers, and nonprofit/educational organizations.
A free trial of AccessPatrol is available for 14 days and 10 computers.
Hey everyone, this is Dale here. I am the Digital Marketing Manager for CurrentWare.
In today’s video, I’d like to show off the new USB activity dashboards introduced to AccessPatrol in version 7.0.
These dashboards provide a convenient overview of the peripheral device usage of your entire workforce as well as specific groups or users—all from the convenience of a web browser.
They work in tandem with AccessPatrol’s device control features and USB activity reports to protect sensitive data against the security risks of portable storage devices.
Today’s video is just a sneak peek of what AccessPatrol is capable of; as time goes on you can expect to see further enhancements and data points added to these dashboards.
At this time, AccessPatrol can track activities from the following peripherals:
This device usage data is used to populate various graphs across AccessPatrol’s dashboards. You can further refine how granular this data is by limiting the time frame, selecting only specific groups, and even investigating individual users.
Having these metrics available at a glance makes detecting potential insider threats far more efficient as your organization scales.
Any groups or users that need to be reviewed further can be investigated using the more granular dashboards and AccessPatrol’s device activity reports.
For a more proactive approach to insider threat management you can set up targeted alerts that will notify designated staff members when these high-risk activities occur.
For the most up-to-date information on AccessPatrol’s activity tracking and data loss prevention capabilities, visit our knowledge base at CurrentWare.com/Support or visit the AccessPatrol product page at CurrentWare.com/AccessPatrol
In the overview dashboard you can review the following metrics:
Moving on to the Files Dashboard you will see…
Finally, we have the Devices Dashboard.
In this dashboard, we have…
As you can see, we have specific users that are repeatedly trying to use devices that have not been approved for use by the organization.
While this could just be an accidental oversight on the user’s part, there’s a risk that it’s something much more serious.
For example, what if this is actually a disgruntled employee trying to steal trade secrets or sensitive customer data so they can bring it to a competitor, or worse, sell it to cybercriminals on the dark web?
Between the costs associated with a damaged reputation, fines, loss of competitive advantage, and remediation, a data breach like this could completely ruin a company.
Before we confront this employee or send them for retraining, let’s investigate this incident further so we can make an informed decision.
Clicking on this user, we’ll be taken to a dashboard that focuses exclusively on their activity.
Looking at the Devices graph we can see that they have made multiple attempts to use blocked devices.
Scrolling down, we can see that they’ve been trying to use unauthorized portable storage devices.
Since AccessPatrol is currently blocking any devices that are not explicitly allowed, I know that the only way sensitive data is leaving through a USB drive is if it’s a device that we’ve allowed before. So, let’s take a closer look at how they’ve been using their approved devices.
As you can see here, the types of files that they are transferring are more than capable of containing sensitive data; let’s take a look at the file names for more details.
With the Activity Log we can use the filters, sorting, and column options to isolate our view to the entries we’re the most interested in.
Once we find something that looks off, we have more than enough information to confront this employee and take any necessary corrective actions.
Ready to protect your sensitive data against theft to USB portable storage devices? Block and monitor peripheral device usage today with a free trial of AccessPatrol, CurrentWare’s USB control software.
Simply visit CurrentWare.com/Download to get started instantly, or get in touch with us at CurrentWare.com/Contact to book a demo with one of our team members. See you next time!
AccessPatrol has a variety of device control capabilities. Beyond the ability to block removable storage devices it can permit temporary or scheduled access to USB devices, selectively restrict data transfers based on file name and extension, and more.
Here are AccessPatrol’s key device control features:
AccessPatrol is a magical weapon with cutting-edge capabilities that protects your computer from untrusted USB devices. If an unauthorized device is attached it will warn the company immediately.
Md Jahan M, Digital Marketing & Full Stack Specialist (2022) Internet Industry, 10,001+ employees
[AccessPatrol] has been a great benefit to secure USB devices and access to company computers. We now have the ability to secure machines that otherwise would have been exposed to threats.
Jordan F., Senior IT Specialist (2022) Machinery Industry, 1001-5000 employees
Data leaks have been thwarted by AccessPatrol. When an unauthorized device is detected, an email alert is sent immediately. It enables real-time audit reports on accessed and blocked devices.
Karen M., Senior Director of Marketing (2022) Construction Industry, 10,001+ employees
We have experienced data leaks by dishonest employees in the past and AccessPatrol has helped us avoid them and work with greater security and peace of mind for us and our customers.
Julio V., Head of Information Technology (2022) Financial Services Industry, 10,001+ employees
Product support for AccessPatrol is available from a variety of channels. Their support team is active 8:00 AM – 7:00 PM EST, Monday to Friday.
Last Updated: July 2022
ManageEngine Device Control Plus is a device control software solution created by Zoho Corp. It is available for both Windows and macOS. It is free for up to 25 devices in LAN; the free version contains all of the features except for the ability to have multiple administrator accounts.
ManageEngine Device Control Plus is compatible with both Windows and macOS.
Supported Windows OS:
Supported macOS:
While ManageEngine has an extensive product portfolio with many users, reviews for ManageEngine Device Control Plus specifically are difficult to come by.
Based on reviews, ManageEngine Device Control Plus works great as a basic device control software for restricting removable devices, but their customer support is lacking and their feature set does not compete with more advanced device control products.
This software delivers on the essential tasks required for security monitoring files by running real-time and audit reports of who, what, where, and when.
Verified Reviewer of ManageEngine DataSecurity Plus on Capterra (2019)
Manage Engine products seem to be about 80% complete. The UI is unnecessarily unintuitive. They are clearly written by developers who don’t actually know what the end users need.
/u/SysWorkAcct (2022)
I have been in the IT field 20+ years and this is BY FAR the worst technical support I have ever encountered.
/u/newsomek (2022)
I have been in constant “chat sessions” with support. They always end with “can you please upload the log files and we will get back with you.” So I upload the files. 3-5 days later they finally reply with some “canned” fixes or links that do not resolve the issue, then once again ask you to upload the log files. Rinse and repeat.
I would highly recommend using one of their local resellers instead if you want/need quality local support.
/u/elasticweed (2022)
While ManageEngine Device Control Plus provides a variety of methods to contact their support team, critical reviews online have recommended users to purchase from a local reseller to get quality support.
4 hours of web-based product training is available from ManageEngine for US$495.
ManageEngine provides email support (during the business hours) for signing-up, usage assistance, problem diagnosis and resolution, clarification in documentation, and technical guidance.
Customers can use telephone support for the following:
Unfortunately, while they do have a self-serve knowledge base it lacks a basic search function.
Last Updated: July 2022
As a company, Ivanti was born out of a series of mergers and acquisitions. In 2015, Lumension and FrontRange merged to create HEAT Software, driven by private equity firm Clearlake Capital. In January 2017, as part of the transaction by Clearlake to acquire LANDESK, Clearlake contributed HEAT Software to the new platform investment in LANDESK. As a result, a new company was established under the name Ivanti.
Ivanti Device Control provides a variety of advanced device control features including forced data encryption, off-network compatibility, and full auditing of all Administrator actions.
Ivanti Device Control supports both Windows and macOS. While it is not a verified Citrix Ready partner the vendor does note that the Ivanti Device Control software clients are compatible with Citrix XenApp and XenDesktop.
Pricing is not publicly available; you must contact their sales team for a custom quote.
The team at what was Lumension are excellent. They provided KB articles regularly, they were brilliant at customer service and support. Overall just a pleasure to work with. During my time working with Lumension I came across a few issues, on a couple of occasions these required release updates so did take a while, but most of the time the team at Lumension provided a way to resolve the issue in the version I was using or input on what could be done to fix the issue.
Anonymous, IT Services Industry (2010)
It worked exactly how it was supposed to. Device control and reporting on devices was exceptional often even down to the make/model and serial number of the device being attached.
Anonymous, IT Services Industry (2010)
I am impressed with Lumension, it is great for that in depth level of control – able to go down to a device/user/computer level and set permissions.
Liam Windsor Brown, Finance Industry 101-250 Employees (2015)
What do you like best?
This application does an amazing job of controlling all of your Endpoints. You can use this product to manage USB devices, dvd drives, and to shadow copy violations of policy. This is very useful when you need to maintain peak productivity and keep data safe.
What do you dislike?
With the aggressive mergers and expansion Ivanti – formerly Landesk – has experienced in the last few years, some of the message, roadmaps and support channels have degraded in value while cost continues to rise at around 5% per year.
Anonymous Administrator in Information Technology and Services (2018)
Three levels of support are available: Standard, Premium, and Enterprise.
All support levels entitle you to receive software updates and upgrades, including patches, fixes, and security updates. Technical support is provided via the Ivanti Support Portal or over the phone.
Access to the Ivanti Community is also available with each of three plans, giving you an opportunity to meet other Ivanti customers using the same product(s) so you can share ideas, request ideas or help, or just get to know others with similar job responsibilities.
Last Updated: December 2022
Endpoint Protector By CoSoSys is a data loss prevention and endpoint security solution that includes robust data loss prevention features including deep packet inspection and data scanning.
While the initial setup of Endpoint Protector By CoSoSys is complex, the ability to create custom rules to detect and block transfer of data you consider sensitive allows for greater protection of confidential data than a traditional device control software solution.
The clients for Endpoint Protector device control can be installed on the following operating systems:
Endpoint Protector By CoSoSys is one of the few device control solutions that support Linux, making it an excellent choice for preventing data theft in Linux environments. It supports various Linux distros including Ubuntu, OpenSUSE, RedHat and CentOS.
Unlike other multi-OS device control software vendors that have limited features on non-Windows OSs, Endpoint Protector provides feature parity between Linux, Windows and macOS computers.
Endpoint Protector’s endpoint security solution can be deployed as a virtual appliance, as a self-managed cloud service, or directly from CoSoSys as a software-as-a-service (SaaS) solution.
Virtual appliance
Available in VMX, PVA, OVF, OVA, XVA and VHD formats, being compatible with the most popular virtualization tools.
Cloud services
Available for deployment in the following cloud services: Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP).
SaaS
Reduce deployment complexity & cost. Focus more resources on identifying and mitigating risks to your sensitive data and less on maintaining the infrastructure.
Pricing for Endpoint Protector is not publicly available. The trial license allows access to all Endpoint Protector’s features for a period of 30 days.
To gain access to all of Endpoint Protector’s endpoint protection and data loss prevention features you must purchase additional modules.
Overall: We needed to unify our data loss prevention solution and Endpoint Protector checked all our key requirements and more. Support is very responsive and the rollout was super easy.
Pros: Endpoint Protector has compatibility with all major operating systems. Endpoint Protector’s granularity on who or which computer gets what policies makes it easy to apply Endpoint Protector to many use cases.
Cons: The flow of the user interface could use some work and unification. It takes a bit to get used to and there’s a few breaks in the flow that I find a bit annoying at times.
Verified Anonymous Reviewer, IT Technology Company (2021)
If you are looking for a product that protects source code, this is not for you. Lots and lots of false positives when trying to check for code leaks, so many in fact, that it makes it unusable for this purpose.
Gustavo P., Cloud Systems Administrator (2021)
The product is robust, intuitive & designed by a very dedicated company that carefully listens to its customers both when it comes to implementing requested product features and support.
Chad P., Dispatch Coordinator (2017)
The learning curve is pretty steep to get the policies set up correctly. Make sure your team has someone to set this up and have the machine to host the software. That was the only piece we were missing is we had to scramble to find a machine powerful enough to host the solution.
Ray G., Interactive Developer (2020)
What do you like best?
I liked how responsive their support was and how they bundled all the products in one console. The console was pretty simple to work with. I like use agents and this product involves installing an agent on the device that will then report in.
What do you dislike?
I would recommend exploring other products on the market. This product has potential but it’s similar in cost to other products has some difficulty in configuring due to outdated labelling in the console, and doesn’t cover as much as other products.
Anonymous Administrator in Health, Wellness and Fitness (2022)
Paid consultations are available for assistance with solution planning, design and deployment. As the creation of custom rules is complex and unique to each organization this added training can be of great benefit.
Last Updated: July 2022
While Gilisoft USB Lock is not the best device control solution for businesses, its affordable pricing, variety of features, and simple interface make it an ideal choice for home users that want to prevent data theft, restrict internet use, and stop unwanted apps from launching.
USB Lock is available for Windows 2000/2003/XP/7/8/10/11.
Gilisoft USB Lock has a simple-to-use interface but it offers advanced features. The application allows you to set a list of trusted devices, so you won’t have to worry about data loss.
Windows Report
The graphical interface of GiliSoft USB Lock is very modern, glossy, and intuitive. Its layout is well designed which makes it unchallenging for all kinds of users to work on this software, irrespective of their technical background.
Phohen
While the USB lock does what it intends to do, it gives your computer many lag spikes while you use it. In my opinion, it’s really worthless and you shouldn’t download it unless you have an incredibly good computer or if you enjoy lag spikes.
aznkidkevin7, Download.Cnet.com
Last Updated: July 2022
Note: Microsoft Intune is not a dedicated USB lockdown software. This review will focus largely on its USB lockdown features, though it has far more utility as a mobile device management (MDM) and mobile application management (MAM) solution that is not covered in this review.
Intune is available as part of various Microsoft multi-solution licenses:
If you are already an active customer who has a dedicated IT team and you simply need basic USB lockdown features without USB activity reports you may want to consider using Intune to block USB devices.
If you need device control solutions that make it easy to allow and block specific USB devices you may want to consider a Microsoft Intune alternative for USB lockdown.
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). With Intune you have control over how your business’s laptops, tablets, and cell phones are used.
Additionally, Intune enables employees in your company to use their personal devices for work. On personal devices, Intune can separate organizational data from personal data to ensure that it remains safe.
Intune provides mobile device and application management across popular platforms: Windows, Mac OS X, Windows Phone, iOS, and Android. When Intune is connected with Microsoft Endpoint Configuration Manager in a hybrid configuration, you can also manage Macs, Unix and Linux servers, and Windows Server machines from a single management console.
Intune supports devices running the following operating systems (OS):
Intune is available as part of a variety of Microsoft multi-solution licensed products, such as Microsoft’s Enterprise Mobility + Security (EMS) suite. This suite is a bundle that combines Intune with various Microsoft Azure security and identity management products.
The EMS suite is available in two tiers:
Enterprise Mobility + Security E3 includes Azure Active Directory Premium P1, Microsoft Intune, Azure Information Protection P1, Microsoft Advanced Threat Analytics, Azure Rights Management (part of Azure Information Protection) and the Windows Server CAL rights.
Enterprise Mobility + Security E5 includes all the capabilities of Enterprise Mobility + Security E3 plus Azure Active Directory Premium (AADP) P2, Azure Information Protection P2, Microsoft Cloud App Security, Azure Active Directory [AD] Identity Protection (as a feature of AADP P2), Azure Advanced Threat Protection, Azure AD Privileged Identity Management (as a feature of AADP P2).
Note: Microsoft Intune is a dedicated mobile device management (MDM) and mobile application management (MAM) solution. This section will focus on its USB control features.
Note: As Intune is more than USB control software, many of these reviews reflect the user’s experience when using Intune as a mobile device management (MDM) and mobile application management (MAM) platform.
We ended up going with a mix of Intune and a 3rd party because Intune doesn’t have a policy that says “block all USBs except this one type of encrypted drive”. Doing it via regular GPO causes a whole host of other problems because the GPO blocks removable devices not just storage.
We struggle with the Tattoo issue as we have shared computer situations where someone who is in the block policy logs in and then someone on the allow list logs in….until the Intune policy syncs (which can take awhile sometimes) the person who should be allowed removable media is blocked.
/u/MiamiFinsFan13
Microsoft Intune still represents one of the best device management options for folks running Microsoft-centric environments. The bundle options with Azure-based identity and security tools have matured and represent a powerful growth path. However, the price will be substantial and, for those running non-Microsoft platforms, there are some overlooked features, too.
PCMag (2017)
Pros: Its security is most valuable. It gives us a way to secure devices, not only those that are steady. We do have a few tablets and other devices, and it is a way for us to secure these devices and manage them. We know they’re out there and what’s their status. We can manage their life cycle and verify that they’re updated properly.
reviewer1141062, Enterprise Computing Services Manager at a government with 10,001+ employees
Cons: It doesn’t economize when you scale up. We have over 14,000 employees, and we have between 7,500 and 8,000 city-owned or personal devices being used to conduct city business. Its price can be improved. It is not a cheap solution.
We already use a lot of Microsoft products in our company, and therefore, it made sense to also use this product.
Peter Augustin, Global Messaging & Mobility Specialist at a pharma/biotech company with 10,001+ employees
Microsoft provides global technical, pre-sales, billing, and subscription support for device management cloud-based services, including Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
Customers with a Premier or Unified support contract have additional options for support. As a customer with a Premier or Unified support contract, you can specify a severity for your issue, and schedule a support callback for a specific time and day. These options are available when you open or submit a new issue and when you edit an active support case.
Get started today—Download the FREE template and customize it to fit the needs of your organization.
To protect sensitive data against removable media devices you need more than a single tool. A layered cybersecurity strategy that combines physical, technical, and administrative controls is the most effective approach to preventing viruses and data loss.
This section will overview a few USB control methods that you can use to mitigate this threat.
The best USB blocker software (device control software) are centrally-managed device control tools that allow you to selectively enable and disable what types of peripheral devices can be used and which endpoints/users are permitted to use them.
For example, you can use USB blocker software for blocking USB ports for any user or computer with access to sensitive data while leaving the USB blocker turned off for users that pose less risk.
You can also enforce the exclusive use of authorized USB devices by blocking USB ports to peripheral devices that have not been added to an allow list.
CurrentWare’s USB blocker software AccessPatrol allows you to block or unblock USB ports in just a few clicks, making USB security simple and scalable.
AccessPatrol includes key features to prevent data leakage to portable drives:
Pros of a USB Blocker Software | Cons of a USB Blocker Software |
Scalable USB security. Solutions that allow for remote central policy management make managing the USB security policies of an entire business scalable. | The solution is not free. While there may be some freeware solutions with limited functionality available, the best features for business use are found in paid USB lockdown software |
Greater visibility. The best USB lockdown software tools will include a feature to monitor USB activities. Timestamped reports of what devices are being used, which computer it was used on, and which user was logged in are incredibly valuable when investigating suspected data leaks. | Requires a software agent. To control all the USB ports with usb lockdown software tools you need to install a software client on each machine you’d like to control. This limits your ability to control USB ports on equipment that is owned by the user. |
Granular control. Rather than completely blocking peripheral ports you can selectively choose what devices are allowed and who is allowed to use them. The best USB control software will allow you to selectively assign read-only, read/write, and no access to each device type. |
Ready to start blocking USB devices? Get started today with a free trial of AccessPatrol, CurrentWare’s USB control software.
A removable media policy is a type of information security policy that dictates the acceptable use of portable storage devices such as USB flash drives, external hard drives, and tape drives.
These policies serve as a critical administrative security control for managing the risks of removable media. They establish the security responsibilities of users, explain the importance of following security standards, and provide guidelines for protecting sensitive data when transmitting confidential data to portable storage.
A USB blocker works in tandem with these administrative security controls to ensure your users avoid high-risk behavior such as using personal USB devices or stealing data for personal or professional gain.
While this is an extreme form of removable device protection, it’s a surprisingly commonly suggested tool. After all, it does prevent the use of peripheral ports on a computer; albeit permanently.
If you desperately need a USB blocker while on a shoestring budget, it technically gets the job done. As they say, “sometimes it’s best to just take control of the physical layer and call it a day.”
While using epoxy as a literal port blocker will certainly prevent the use of removable storage devices, there are several downsides…
Pros of this USB Blocker | Cons of this USB Blocker |
It’s a permanent USB blocker. The ports are truly blocked, ensuring that no devices can be used. | You can’t unblock peripheral ports. With no option to block and unblock USB access, the computer is permanently unable to accept any devices for the rest of its lifespan. |
It’s cheap and easy! No need to purchase USB blocking software or spend time in the BIOS on each computer. Applying epoxy is as simple as pressing a plunger. | It harms employee productivity. Modern day keyboards, mice, and other peripherals need a USB port to function. A permanent USB blocker prevents the use of legitimate devices. |
 | It’s unnecessarily destructive. The device immediately loses any value for resale/refurbishment. Reliably getting epoxy out of the ports simply isn’t worth the risk and labour. |
 | It’s not scalable. While this might not take too much time for a few devices, it quickly becomes too much of a hassle for an entire fleet. |
 | It lacks flexibility. Physical USB blocking can only block or unblock the USB port. It lacks granular device control such as only blocking unauthorized storage devices. |
Sticking with the physical layer, you could try a USB port blocker. A hardware USB blocker works similarly to the epoxy method, but using a reversible lock-and-key system.
While it will require a greater initial investment than epoxy, the ability to protect your ports from permanent damage is more than worth it. Since the USB ports are completely blocked, physical port locking with USB blocker hardware offers protection against all USB devices.
Pros of this USB Blocker | Cons of this USB Blocker |
---|---|
It’s a functional USB blocker. The USB ports are truly blocked, ensuring that no devices can be used. | It’s not scalable. While this might not take too much time for a few computers, it quickly becomes too much of a hassle for an entire fleet. With a dedicated USB blocker software you can block or unblock unlimited USB ports in just a few clicks. |
It’s cheap and easy! No need to purchase USB blocking software or spend time in the BIOS on each computer. | It’s inconvenient. Any time a USB device needs to be allowed an authorized user needs to physically come up to the computer and remove the USB lock to unblock the port. |
Layered security. A physical USB blocker serves as an added layer of device control. When combined with USB blocker software a company will have full device control. | It lacks flexibility. Physical USB blocking can only block or unblock the individual port. It lacks granular device control such as only blocking unauthorized USB storage devices. |
Platform agnostic. A physical USB lock works regardless of the operating system of the computer, though you’ll need to have unique USB blockers for each USB connection type. | |
With so many security risks, allowing even trusted users to use their USB ports can be risky. USB security hardware such as a USB data blocker (“USB condom”) can allow charging via USB without enabling data transfer.
A USB firewall such as the USG can further protect against rogue USB devices by acting as an interface between a USB device and the user’s computer, limiting the USB device’s capabilities to only a few safe commands.
Pros of this USB Blocker | Cons of this USB Blocker |
---|---|
Layered security. USB security hardware serves as an added layer of device control. When combined with USB blocker software a company will have full device control. | It’s not reliable. These devices are great for providing another layer of security, but it’s not a reliable standalone tool. All it would take is a user neglecting to use the provided protection to introduce malware. |
It’s great for third-party USB drives. For edge-cases where unauthorized devices may need to interface with the network, a USB firewall offers excellent protection against malware. | It’s inconvenient. With this tool the user needs to remember to bring a physical USB block with them. Should they lose the tool they’ll simply be tempted to use their port anyway. |
If you do not need a USB blocker solution that lets you easily unblock USB ports as needed, you could completely disable USB ports. On Windows devices this can be accomplished using the BIOS, by modifying Registry keys, by disabling USB root hubs in Device Manager, or by physically removing the USB ports altogether.
While this may be feasible in environments that genuinely have no use for USB ports, when you block USB ports in this way you also prevent the use of modern day keyboards and mice, among other USB devices that are essential for business use.
If you choose to leave any USB ports enabled it completely defeats the purpose of using a USB blocker in the first place. A user only needs one port to use unauthorized hardware to transfer files. With a USB hub they can easily connect multiple devices to any enabled ports.
Pros of this USB Blocker | Cons of this USB Blocker |
---|---|
It’s inexpensive. There’s no need to purchase software, all you need is time. | It harms employee productivity. Modern day keyboards, mice, and other peripherals need a USB port to function. Completely disabling the ports prevents the use of legitimate devices. |
 | It lacks flexibility. Fully disabling ports blocks access to all devices, including those related to the business’ legitimate needs. |
 | No visibility. If any ports are left enabled there is no way to monitor their use to ensure that unauthorized devices aren’t being used. |
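To see which of the Windows methods above is actually in effect on a given machine, the following read-only PowerShell audit reports the USBSTOR driver's Start value, the USB root hubs that are still enabled, and any USB storage attached right now. It is an added example, not part of the original article or of AccessPatrol; the function name is hypothetical, and the "Root Hub" name match assumes English-language driver names.

```powershell
# Added example, not from the original article. Read-only: it changes nothing.
# Reports the state of the Registry and Device Manager lockdowns described above.

function Get-UsbLockdownState {
    # USBSTOR is the USB mass-storage class driver service.
    # Start = 4 means the driver is disabled; Start = 3 means it loads on demand.
    # Disabling it blocks USB storage only, not keyboards, mice or other classes.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start  = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start

    # Present devices in the USB class; a disabled hub does not report Status 'OK'.
    # Assumption: matching on "Root Hub" relies on English driver names.
    $hubs = @(Get-PnpDevice -Class USB -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like '*Root Hub*' })
    $liveHubs = @($hubs | Where-Object { $_.Status -eq 'OK' })

    # Storage devices enumerated through USBSTOR that are attached right now.
    $storage = @(Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UsbStorStart       = $start
        UsbStorDisabled    = ($start -eq 4)
        RootHubsTotal      = $hubs.Count
        RootHubsEnabled    = $liveHubs.Count
        EnabledHubNames    = ($liveHubs.FriendlyName -join '; ')
        AttachedUsbStorage = ($storage.FriendlyName -join '; ')
    }
}

$state = Get-UsbLockdownState
$state | Format-List

# Flag the gap the article warns about: a single enabled port is enough
# if the storage driver is still allowed to load.
if ($state.RootHubsEnabled -gt 0 -and -not $state.UsbStorDisabled) {
    Write-Warning ("{0} root hub(s) enabled and USBSTOR is not disabled: removable storage will mount." -f $state.RootHubsEnabled)
}
```

Run it from an elevated prompt on each endpoint, or collect the returned object centrally, to confirm that no machine has been left with both an enabled hub and a loadable storage driver.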
Looking for even more protection? Your cybersecurity risk management program needs to extend far beyond a USB block. Download the full CurrentWare Suite for enhanced control and visibility over your endpoints: Block dangerous websites, monitor employee computer activity, and restrict peripheral devices—all from the same central console.
Hey everyone, this is Dale here. I am the Digital Marketing Manager for CurrentWare.
In today’s video, I’d like to show off the new USB activity dashboards introduced to AccessPatrol in version 7.0.
These dashboards provide a convenient overview of the peripheral device usage of your entire workforce as well as specific groups or users—all from the convenience of a web browser.
They work in tandem with AccessPatrol’s device control features and USB activity reports to protect sensitive data against the security risks of portable storage devices.
Today’s video is just a sneak peek of what AccessPatrol is capable of; as time goes on you can expect to see further enhancements and data points added to these dashboards.
At this time, AccessPatrol can track activities from the following peripherals:
This device usage data is used to populate various graphs across AccessPatrol’s dashboards. You can further refine how granular this data is by limiting the time frame, selecting only specific groups, and even investigating individual users.
Having these metrics available at a glance makes detecting potential insider threats far more efficient as your organization scales.
Any groups or users that need to be reviewed further can be investigated using the more granular dashboards and AccessPatrol’s device activity reports.
For a more proactive approach to insider threat management you can set up targeted alerts that will notify designated staff members when these high-risk activities occur.
For the most up-to-date information on AccessPatrol’s activity tracking and data loss prevention capabilities, visit our knowledge base at CurrentWare.com/Support or visit the AccessPatrol product page at CurrentWare.com/AccessPatrol
In the overview dashboard you can review the following metrics:
Moving on to the Files Dashboard you will see…
Finally, we have the Devices Dashboard.
In this dashboard, we have…
As you can see, we have specific users that are repeatedly trying to use devices that have not been approved for use by the organization.
While this could just be an accidental oversight on the user’s part, there’s a risk that it’s something much more serious.
For example, what if this is actually a disgruntled employee trying to steal trade secrets or sensitive customer data so they can bring it to a competitor, or worse, sell it to cybercriminals on the dark web?
Between the costs associated with a damaged reputation, fines, loss of competitive advantage, and remediation, a data breach like this could completely ruin a company.
Before we confront this employee or send them for retraining, let’s investigate this incident further so we can make an informed decision.
Clicking on this user, we’ll be taken to a dashboard that focuses exclusively on their activity.
Looking at the Devices graph we can see that they have made multiple attempts to use blocked devices.
Scrolling down, we can see that they’ve been trying to use unauthorized portable storage devices.
Since AccessPatrol is currently blocking any devices that are not explicitly allowed, I know that the only way sensitive data is leaving through a USB drive is if it’s a device that we’ve allowed before. So, let’s take a closer look at how they’ve been using their approved devices.
As you can see here, the types of files that they are transferring are more than capable of containing sensitive data; let’s take a look at the file names for more details.
With the Activity Log we can use the filters, sorting, and column options to isolate our view to the entries we’re the most interested in.
Once we find something that looks off, we have more than enough information to confront this employee and take any necessary corrective actions.
Ready to protect your sensitive data against theft to USB portable storage devices? Block and monitor peripheral device usage today with a free trial of AccessPatrol, CurrentWare’s USB control software.
Simply visit CurrentWare.com/Download to get started instantly, or get in touch with us at CurrentWare.com/Contact to book a demo with one of our team members. See you next time!
Ready to stop data theft to USB devices? Get started today with a free trial of AccessPatrol, CurrentWare’s USB blocking software. Use AccessPatrol on a Windows PC or in a Citrix VDI deployment for free to test its USB blocking capabilities in your environment.