In this two-part series, the first blog demonstrates how USB devices can be conduits of threats. Read that blog to learn more about USB security threats. In this blog, we’ll look at how you can address these USB security risks. Even in the era of the cloud, USB risks prevail. This is evident from some of the top USB-based searches in Google.
Frequently asked USB-based questions in Google Search
1. How to block USB port in Windows 10
2. Can you get a virus from plugging in a USB?
3. How to enable USB port in Windows 11
We conducted our own analysis using a third-party tool to find questions with high search volumes. From the questions searched, the first and third queries can be answered with a mix of data leak prevention measures, bring your own device (BYOD) policies, and data visibility tools, which we’ll look at a little later in the blog. The second question is important in the context of stakeholder awareness. You’d think most users wouldn’t plug in a random USB found in the parking lot, but so many similar security incidents have taken place; most famously, the Pentagon attack where employees plugged in infected USBs lying in the parking lot, leading to a breach of classified systems. So the answer to question two is a big YES! This brings us to the question: Can we forego employee convenience by blocking USBs, or is there a better way to regulate USB usage?
USB blocking versus USB regulation
Pendrives are a basic utility to employees and other stakeholders. Curtailing the use of pendrives completely may lead to the use of other unauthorized and unsafe channels for data storage and transfer. There are two ways to tackle this, and per usual, there are both benefits and drawbacks:
Banning USB devices completely |
Managing the ways in which USB devices are used |
All USB ports are blocked. There is no risk of employees inserting abandoned flash drives. |
Admins control actions made in USBs, including modifying files within the drives. |
Stakeholders cannot transfer data easily. They might resort to unauthorized file sharing apps. |
Stakeholders are given selective access to read, modify, or execute applications in USB drives. |
All USB-port-dependent devices end up blocked. |
Admins can allow BYOD policies by authorizing organizational devices only. |
Can both of these strategies coexist? Absolutely, but only in the form of a comprehensive strategy for safe USB usage.
A comprehensive strategy for secure USB usage
The best strategy implemented by organizations is one where all stakeholders are active participants. For the sake of this approach, we can break down the strategy into two: sysadmins who oversee USB usage and employees using USB drives. Let’s look at them in detail.
I. How can sysadmins or IT managers ensure secure use of USB drives?
Sysadmins or IT managers are the authorities who enable and monitor flash drive usage. Here are some best practices sysadmins can follow:
-
Create a removable media storage policy outlining the purposes for which USBs can be used and the process through which employees can procure authorized devices.
-
Authorize safe devices with adequate encryption controls by testing and selecting hardware-encrypted drives.
-
Monitor the USB activity of employees to detect any suspicious file transfers using USB port security software.
-
Allow USB usage only when the user’s role demands it by implementing role-based access control. Conduct user awareness training regularly.
-
Safely decommission or reuse devices once the purpose for which the USBs were used is fulfilled. This involves implementing data erasure protocols.
-
Encrypt all data in USB drives. Procure drives with password protection or encryption control to impose another layer of security check.
II. How can employees ensure secure use of USB drives?
-
Use only organization-vetted devices instead of personal USB media drives.
-
Be aware of USB risks, especially loss of drives and plugging in unknown ones.
-
Never plug in alien USB sticks, especially if you find them lying in parking lots or even hallways in your organization.
-
Never store sensitive data within USB sticks. Sensitive data includes any email IDs, payment records, health information, and more.
-
Report loss of USB drives immediately. It is better to know that official data is lost rather than leaving it up to the organization to find it. Prompt reporting helps in mitigating the impact of data lost or stolen via USB drives.
Get a printable version of 10 ways you can ensure secure usage of USB drives. Download now
How can a USB access control tool help you?
A USB monitoring tool gives you the advantage of customizing your response to USB drives that are being plugged in to endpoints across the network. You don’t have to block all media devices entirely, just the ones not authorized by you. This is how you can use it to your advantage:
-
Grant specific access to users who need to use USBs. Do it even more effectively by choosing the type of access the user gets. For example, provide read-only access to users who need to carry official files with them. This way, they’ll be able to read but not tamper with files.
-
Block peripheral devices which support bluetooth and Wi-Fi, as well as CD drives.
-
Maintain a list of authorized devices, and block all unauthorized devices.
-
Monitor USB activity for restricted files, including execution of application files, and get notified by email whenever such an action occurs.
ManageEngine DataSecurity Plus is a unified data visibility and security platform that gives you control over your security posture via a wide array of reports and responsive alerts. USB monitoring is one aspect of the vast control the solution offers to check on data security. Try this feature and others in a fully functional, free trial. Alternatively, you can also schedule a personalized demo with our solution expert.