The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

What is USB Control & Encryption?

by Hayley Donaldson on Tuesday July 16, 2019

Contact Us
Free Demo
Chat

Learn about USB control & encryption in Data Protection 101, our series that covers the fundamentals of data security.

The USB port serves as a means of connecting almost anything to a computer. A USB flash drive allows users to easily store and transfer information between devices via USB ports. GPS units, cameras, and cell phones use these same ports to transfer data, receive updates, and charge their batteries. While USB ports make things easy for users, they can be quite a nightmare from a security perspective.

There’s no denying the convenience of USB media, from hard drives and flash drives to other portable media. Virtually everyone uses them; however, their accessible and portable nature makes them prone to data leakage, theft, and loss.

For instance, users who are unacquainted with proper security controls will routinely transfer sensitive data to a USB drive without encryption.

Employees could also bring compromised USB drives from home, plug them into their work systems, and inadvertently, introduce malware into the corporate network. As such, controlling the access of portable devices, removable media, and USB storage to endpoint devices is critical for maintaining a secure network.

Definition of USB Control & Encryption

USB control & encryption refers to the set of mechanisms and techniques used to secure and control the access of devices to USB ports. They are a core part of endpoint security, and they protect data assets and computer systems from security threats. The unauthorized use of USB adapters, devices, and peripherals that can be connected via USB ports pose such threats. These mechanisms protect endpoint systems from a malware attack, prevent corporate networks from being compromised via plugged-in devices, and ensure the security of data being transferred outside the system environment. There are several ways of implementing USB control and encryption.

The most brute-force USB control mechanism involves blocking the use of USB media altogether. This can be done by disabling the USB adapters throughout the operating system or by physically blocking access to the USB port. However, this isn’t a feasible solution, since most printers, mice, keyboards, and other peripherals make use of a system’s USB port.

A more effective approach uses encryption to protect the confidential information stored on portable devices. This ensures that the data in a flash drive or USB device remains safe in the event of theft or accidental loss. This is where USB encryption comes in.

The easiest and most effective (though expensive) way to do this is by purchasing devices with robust encryption algorithms built-in. Also, administrators can provide users with USB devices whose file systems have been manually encrypted. Lastly, users can be required to encrypt individual files before transferring them to a USB device as part of a data loss prevention policy.

How USB Control & Encryption Works

The USB port control, native to most operating systems, is severely limited in terms of options and flexibility. Administrators can either render USB ports read-only or disable them altogether. To ensure finer control over file types and allowed devices, you may have to use robust, third-party applications that provide USB control with varying degrees of granularity.

As part of the connection protocol, USB hardware specification requires each plugged-in device to tell the operating system what kind of device it is. By using this information, some USB control applications allow admins to block specific kinds of devices on specific ports. For instance, admins can instruct the operating system to allow USB mice or keyboards on all ports but not thumb drives. It’s always best to apply the principle of least privilege by specifying what devices should be allowed rather than what devices should be blocked.

Some applications allow for a much finer USB control by letting admins specify that a port can only be used by devices that have been whitelisted based on their serial numbers, which are linked to specific users. Admins can also specify what kinds of files can be written or read through a particular USB port. Thus, they prevent a situation where someone either wants to take out unauthorized data from the system or wants to load rogue programs (such as malware) into the system via the port.

Benefits of USB Control & Encryption

USB control and encryption helps to prevent a system infection by controlling access to USB ports and by encrypting data going out of the system or the portable media it is stored on. Since only authorized devices are recognized and connected to the system, the risk of malware entering an endpoint system and spreading throughout the network infrastructure is minimal.

Although antivirus, signature-based defense solutions are useless against zero-day exploits, a USB control helps to prevent zero-day USB-based exploits from gaining access to the network through an endpoint.

Using portable storage devices exposes sensitive data (your organization’s most valuable asset) on your network to unauthorized use, exploitation by insiders, and outright theft by outsiders. USB control and encryption helps to protect your valuable data by encrypting it (or the portable device it is stored on) before it leaves the corporate network. It does this by enforcing AES 256 encryption on authorized flash drives, while disallowing the use of unauthorized portable devices on protected endpoints.

Best Practices for USB Control & Encryption

To ensure effective USB control and encryption, admins should:

  • Use solutions that offer granularity and ease of management.
  • Prevent data loss and system infection by using robust encryption mechanisms.
  • Maintain real-time control over endpoint computers, as well as, round-the-clock USB monitoring for details of file transfers.
  • Whitelist specific USB removable drives instead of blacklisting unauthorized devices.

Since a typical network may have hundreds (if not thousands) of USB ports, it’s easier to manage all of them from a single location. As such, it’s best to choose a solution that allows you to centrally monitor, manage, and block USB device access to computer ports in your network.

Tags: Data Protection 101

How Mature is Your Data Security Program?

Build a successful data loss prevention program with a proven framework.

Get the Guide

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Guest Contributor

Get unique perspectives on a range of infosec topics from our guest contributors.