USB Security—How to Protect Data Against Portable Storage Devices

Need a USB blocker to protect sensitive files against theft to portable storage devices? In this article you will learn why you need to block USB devices and the USB control methods that are available to you.

What Are the Risks of Removable Media Devices?

Data Leaks & Insider Data Theft 

“CurrentWare saved us a lot of time and money. If we didn’t have them we would have never known what was going on.” - Vincent Pecoreno Network Administrator, Viking Yachts
Case Study: See How CurrentWare’s USB Control Software Stopped a Data Thief in the Act

The theft of sensitive and confidential files is by far the greatest risk presented by unmanaged USB devices. Companies with databases full of sensitive data such as customer information, intellectual property, and trade secrets are especially vulnerable to insider data theft.

If USB drives and other external devices are not restricted from accessing computers, a data security incident is as simple as a user sneaking in an unauthorized USB flash drive, initiating a download of sensitive data from the network to the device, then walking away.

Data Loss & Integrity Risks

USB devices are portable, which makes them convenient for mobile data storage. It also makes them incredibly easy for a user to misplace. 

If a proper data backup system is not in place, there is a risk that the most up-to-date version of a file exists only on a USB removable storage device. Should one of these devices go missing, the integrity of the data will be compromised, not to mention the potential data breach if the data wasn’t encrypted.

USB Malware & Viruses

Since USB flash drives are capable of storing and transmitting data, they are potential vectors for malware. The infamous Stuxnet computer worm, for example, was able to infect air-gapped computers in an Iranian uranium enrichment plant through infected USB flash drives.

Examples of Removable Media Devices

Removable media devices—also known as portable storage devices—consist of a variety of compact devices that can connect to another device to transmit data from one system to another. 

  • USB storage devices (“Jump Drive”, “Data Stick”, “Thumb Drive”, “Flash Drives”, etc)
  • SDHC, SDXC & SD cards
  • External hard drives and solid-state drives
  • R/W Compact Disc or DVD media
  • Mobile devices such as tablets, smart devices, cameras, and portable media that support a data storage function such as player-type devices with internal flash or hard drive-based memory.
  • eSATA devices
  • Floppy disks

USB Control Methods

To protect sensitive data against removable media devices you need more than a single tool. A layered cybersecurity strategy that combines physical, technical, and administrative controls is the most effective approach to preventing viruses and data loss.

This section gives an overview of a few USB control methods that you can use to mitigate this threat.

USB Blocker Software

The best USB blocker software (device control software) is a centrally managed solution that allows you to selectively enable and disable which types of removable media devices can be used and which endpoints/users are permitted to use them.

For example, you can use USB blocker software to enforce a USB block for any user or computer with access to sensitive data while leaving the USB block turned off for users that pose less risk. 

You can also enforce the exclusive use of authorized USB devices by restricting USB ports to peripheral devices that have been added to an allow list.

Pros:

  • Scalable USB security. Solutions that allow for remote central policy management make managing the USB security policies of an entire business scalable.
  • Greater visibility. The best USB control software solutions will include a feature to monitor USB activities. Timestamped reports of what devices are being used, which computer it was used on, and which user was logged in are incredibly valuable when investigating suspected data leaks.
  • Granular control. Rather than completely blocking a USB port you can selectively choose what devices are allowed and who is allowed to use them. The best USB control software will allow you to selectively assign read-only, read/write, and no access to each device type.

Cons:

  • The solution is not free. While there may be some freeware solutions with limited functionality available, the best features for business use are found in paid software solutions.
  • Requires a software agent. To control USB ports with blocker software you need to install a software client on each machine you’d like to control. This limits your ability to control USB ports on equipment that is owned by the user.
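
The allow list and device reporting described above can be illustrated on a single Windows machine with built-in tools. This added example (not from the original article and not AccessPatrol code) parses USBSTOR device instance IDs and flags devices whose serial is not on an allow list; the serials and sample IDs are constructed, and the function names are hypothetical.

```powershell
# Allow list of authorized device serial numbers (constructed values).
$AllowedSerials = @('4C530001234567890123', 'AA00000000001234')

function ConvertFrom-UsbStorInstanceId {
    param([Parameter(Mandatory)][string]$InstanceId)
    # Shape: USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<n>
    $parts = $InstanceId -split '\\'
    if ($parts.Count -ne 3 -or $parts[0] -ne 'USBSTOR') { return $null }
    $hw = @{}
    foreach ($field in ($parts[1] -split '&')) {
        $k, $v = $field -split '_', 2      # "Prod_Flash_Disk" -> Prod, Flash_Disk
        if ($v) { $hw[$k] = $v }
    }
    $id = $parts[2]
    # '&' as the second character means the device reported no serial and
    # Windows generated an ID, so the value cannot identify the device.
    $generated = ($id.Length -gt 1 -and $id[1] -eq '&')
    $serial = if ($generated) { $id } else { $id -replace '&\d+$', '' }
    [pscustomobject]@{
        Vendor = $hw['Ven']; Product = $hw['Prod']
        Serial = $serial;    SerialIsGenerated = $generated
    }
}

function Test-UsbDeviceAllowed {
    param([Parameter(Mandatory)][string]$InstanceId)
    $d = ConvertFrom-UsbStorInstanceId -InstanceId $InstanceId
    if (-not $d) { return $false }
    # A generated ID is never trusted, even if it were on the list.
    (-not $d.SerialIsGenerated) -and ($AllowedSerials -contains $d.Serial)
}

# Constructed sample instance IDs: one allowed, one without a real serial,
# one with a serial that is not on the allow list.
$samples = @(
    'USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001234567890123&0',
    'USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2b1f7a3c&0',
    'USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\60A44C413A2FE0B0&0'
)
foreach ($s in $samples) {
    $d = ConvertFrom-UsbStorInstanceId -InstanceId $s
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Vendor = $d.Vendor; Product = $d.Product
        Serial = $d.Serial; Allowed = (Test-UsbDeviceAllowed -InstanceId $s)
    }
}
```

On a live machine, the same IDs correspond to the subkey paths under HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR.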

Ready to start blocking USB devices? Get started today with a free trial of AccessPatrol, CurrentWare’s USB control software.

Removable Media Policy

Removable Media Policy Template

  • Set data security standards for portable storage
  • Define the acceptable use of removable media
  • Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

A removable media policy is a type of information security policy that dictates the acceptable use of portable storage devices such as USB flash drives, external hard drives, and tape drives. 

These policies serve as a critical administrative security control for managing the risks of removable media. They establish the security responsibilities of users, explain the importance of following security standards, and provide guidelines for protecting sensitive data when using removable media.

Block USB Ports With Epoxy, Super Glue, etc

As extreme as this USB port blocker is, it’s a surprisingly commonly suggested tool. After all, it technically works in preventing the use of USB ports on a computer.

If you desperately need a USB blocker while on a shoestring budget, it technically gets the job done. As they say, “sometimes it’s best to just take control of the physical layer and call it a day.”

While using epoxy as a literal USB port blocker will certainly prevent the use of removable storage devices, there are several downsides…

Pros:

  • It’s a semi-permanent USB blocker. The ports are truly blocked, ensuring that no devices can be used.
  • It’s cheap and easy! No need to purchase USB blocking software or spend time in the BIOS on each computer. Applying epoxy is as simple as pressing a plunger.

Cons:

  • You can’t unblock the USB port. With no option to block and unblock USB access, the computer is permanently unable to accept any devices for the rest of its lifespan.
  • It harms productivity. Modern day keyboards, mice, and other peripherals need a USB port to function. Permanent USB blocking prevents the use of legitimate devices.
  • It’s unnecessarily destructive. The device immediately loses any value for resale/refurbishment. Reliably getting epoxy out of the ports simply isn’t worth the risk and labour.
  • It’s not scalable. While this might not take too much time for a few devices, it quickly becomes too much of a hassle for an entire fleet.
  • It lacks flexibility. Physical USB blocking can only block or unblock the USB port. It lacks granular device control such as only blocking unauthorized storage devices.

USB Port Blocker Hardware

Sticking with the physical layer, you could try a USB port blocker. A hardware USB blocker works similarly to the epoxy method, but uses a reversible lock-and-key system.

While it will require a greater initial investment than epoxy, the ability to protect your ports from permanent damage is more than worth it. Since the USB ports are completely blocked, physical port locking with USB blocker hardware offers protection against all USB devices.

Pros:

  • It’s a functional USB blocker. The USB ports are truly blocked, ensuring that no devices can be used.
  • It’s cheap and easy! No need to purchase USB blocking software or spend time in the BIOS on each computer.
  • Layered security. A physical USB blocker serves as an added layer of device control. When combined with USB blocker software a company will have full device control.
  • Platform agnostic. A physical USB lock works regardless of the operating system of the computer.

Cons:

  • It’s not scalable. While this might not take too much time for a few computers, it quickly becomes too much of a hassle for an entire fleet.
  • It’s inconvenient. Any time a USB device needs to be allowed an authorized user needs to physically come up to the computer and remove the USB lock to unblock the port.
  • It lacks flexibility. Physical USB blocking can only block or unblock the USB port. It lacks granular device control such as only blocking unauthorized USB storage devices.

USB Security Hardware

With so many security risks, it can be risky to allow even trusted users to use their USB ports. USB security hardware such as a USB data blocker (“USB condom”) can allow charging via USB without enabling data transfer.

A USB firewall such as the USG can further protect against rogue USB devices by acting as an interface between a USB device and the user’s computer, limiting the USB device’s capabilities to only a few safe commands.

Pros:

  • Layered security. USB security hardware serves as an added layer of device control. When combined with blocker software a company will have full device control.
  • It’s great for third-party USB drives. For edge-cases where unauthorized devices may need to interface with the network, a USB firewall offers excellent protection against malware.

Cons:

  • It’s not reliable. These devices are great for providing another layer of security, but it’s not a reliable standalone tool. All it would take is a user neglecting to use the provided protection to introduce malware.
  • It’s inconvenient. With this tool the user needs to remember to bring a physical USB block with them. Should they lose the tool they’ll simply be tempted to use their USB port anyway.

Disable USB Ports on Each Computer

If you do not need a USB blocker solution that allows you to easily unblock USB ports as needed, you could completely disable USB ports. On Windows devices this can be accomplished using the BIOS, by modifying Registry keys, disabling USB root hubs in Device Manager, or physically removing the USB ports altogether.

While this may be feasible in environments that genuinely have no use for USB ports, when you block USB ports in this way you also prevent the use of modern day keyboards and mice. 

If you choose to leave any USB ports enabled, it completely defeats the purpose of using a USB blocker in the first place. A user only needs one port to use unauthorized hardware to transfer files. With a USB hub they can easily connect multiple devices to any enabled ports.

Pros:

  • It’s inexpensive. There’s no need to purchase software, all you need is time.

Cons:

  • It harms productivity. Modern day keyboards, mice, and other peripherals need a USB port to function. Completely disabling the ports prevents the use of legitimate devices.
  • It lacks flexibility. Fully disabling ports blocks access to all devices, including those related to the business’ legitimate needs.
  • No visibility. If any ports are left enabled there is no way to monitor their use to ensure that unauthorized devices aren’t being used.
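
The article does not name the Registry keys it has in mind. This added example (not from the original article) assumes two well-known ones: the Start value of the USBSTOR driver service, and the Deny_All value written by the Group Policy setting "All Removable Storage classes: Deny all access". The function names are hypothetical.

```powershell
# Run from an elevated PowerShell session on the Windows machine being checked.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-UsbStorageControlState {
    # Start = 3 loads the USB mass storage driver on demand; Start = 4 disables it.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start `
              -ErrorAction SilentlyContinue).Start
    # Deny_All = 1 denies read and write access to all removable storage classes.
    $deny  = (Get-ItemProperty -Path $PolicyKey -Name Deny_All `
              -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        UsbStorStart         = $start
        UsbStorDriverBlocked = ($start -eq 4)
        DenyAllPolicySet     = ($deny -eq 1)
    }
}

function Disable-UsbMassStorage {
    # SupportsShouldProcess lets the change be previewed with -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 4')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
}

# Report the current state; both "blocked" columns False means neither
# registry control is in effect on this machine.
Get-UsbStorageControlState

# Preview the change without writing to the registry:
# Disable-UsbMassStorage -WhatIf
```

Both settings block storage only, so USB keyboards and mice keep working. Devices that do not use the USBSTOR driver, such as phones that connect over MTP, are not covered by the Start value, and a local administrator can change either value back.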

Looking for even more protection? Your cybersecurity risk management program needs to extend far beyond a USB block. Download the full CurrentWare Suite for enhanced control and visibility over your endpoints: Block dangerous websites, monitor employee computer activity, and restrict peripheral devices—all from the same central console. 

Get Started With USB Blocking Software

Ready to take control over removable media devices? Get started today with a free trial of AccessPatrol, CurrentWare’s USB blocker software. 

  • Block USB: Prevent the use of unauthorized USB devices on your Windows computers. The restrictions remain enforced on the device even without an internet connection
  • Granular Controls: Selectively block and unblock specific peripherals such as flash drives, external hard drives, SD/MM cards, Bluetooth, and WiFi. Assign unique security policies to each group of endpoints and users.
  • Monitor USB Activity: Get reports and alerts of removable storage device use. Find out what devices are being used, get auditable reports of file activity to portable storage, and get alerted when unauthorized devices are used.
  • Block File Transfers: Prevent authorized devices from stealing sensitive data by selectively restricting file transfers based on file name and extension.
  • Central Console: Access the password-protected web console from the convenience of a web browser to manage the solution and configure policies for your entire workforce.
Dale Strickland
Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.