Is USB blocking misguided security?

Last Updated on October 11, 2019 by Dave Farquhar

Blocking USB ports on corporate computers certainly is an inconvenience. But it’s something many companies do in the name of security. The question is, is USB blocking misguided security? Does it solve a problem, or just create others?

There are serious security concerns with USB devices, besides the danger of people copying huge troves of corporate data onto a USB stick and taking that information with them. That’s why many companies, and the government, limit what you can use USB for, or sometimes block it completely.

Blocking USB to protect corporate data

Blocking USB ports is a growing security practice. It’s aggressive, but I wouldn’t call it misguided.

My current employer prevents USB thumb drives from working in its computers. This keeps us from copying data onto them and keeping it if we ever leave the company. A previous employer allowed USB drives, but put software in place to limit what you were copying onto them. The problem was, it’s not exactly difficult to get around that software. The CISO handed us two files, told us to steal them, then tell him how we did it, and he’d pay us. It took me about 35 minutes to steal the files. I found that if I embedded the files two levels deep in other filetypes, the DLP software didn’t dig deeply enough to find them. All the DLP software saw was a grocery list. It paid no mind to those two 1×1-pixel PNG files in the corner of the document that were acting as a wrapper for the files he told me to steal.

It’s not something an average user would have the patience to do. But given the difficulty of keeping a power user from driving truckloads of data through the hole I found, the expense of DLP, and the difficulty of keeping DLP working right, I don’t blame companies for just blocking USB storage entirely. It’s far more effective and economical.
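The inspection-depth gap described above can be shown from the defender's side. This is an added example, not code from the original post or from any DLP product: it assumes ZIP containers as a stand-in for the nested file types, a hypothetical `CONFIDENTIAL` marker as the content rule, and made-up function names. It compares a fail-open verdict with a fail-closed one that blocks whatever the scanner could not open.

```python
import io
import zipfile

MARKER = b"CONFIDENTIAL"  # assumed stand-in for a DLP content rule


def inspect(data, max_depth, depth=0):
    """Return (hits, unopened): marker hits in leaf files, and containers
    left unopened because the inspection depth limit was reached."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return (1 if MARKER in data else 0), 0
    if depth >= max_depth:
        return 0, 1  # a container we saw but did not look inside
    hits = unopened = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            h, u = inspect(zf.read(name), max_depth, depth + 1)
            hits, unopened = hits + h, unopened + u
    return hits, unopened


def naive_verdict(data, max_depth):
    """Fail-open: anything not positively matched is allowed."""
    hits, _ = inspect(data, max_depth)
    return "block" if hits else "allow"


def strict_verdict(data, max_depth):
    """Fail-closed: content that could not be inspected is also blocked."""
    hits, unopened = inspect(data, max_depth)
    return "block" if hits or unopened else "allow"


def make_zip(members):
    """Build an in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample: a harmless-looking list plus a container nested two deep.
inner = make_zip({"payroll.csv": b"CONFIDENTIAL,salary\n"})
middle = make_zip({"attachment.bin": inner})
SAMPLE = make_zip({"grocery_list.txt": b"eggs, milk", "logo.bin": middle})
BENIGN = make_zip({"grocery_list.txt": b"eggs, milk"})

if __name__ == "__main__":
    for limit in (1, 2, 3):
        print(limit, naive_verdict(SAMPLE, limit), strict_verdict(SAMPLE, limit))
```

At depth limits 1 and 2 the fail-open verdict allows the sample while the fail-closed one blocks it; only at limit 3 does the scanner actually reach the marker.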

But what about backup copies, Mr. Security? That’s what network drives are for.

Other dangers of USB

There are no fewer than 29 different ways to embed malware on a USB device to infect a computer when you plug it in. Most of them operate at a level too low for antivirus to catch. There have been too many stories of people leaving malicious USB drives in parking lots, and of curious people picking them up, plugging them in, and infecting their computers.

For this reason, on highly sensitive computers, some organizations will fill USB ports with epoxy to completely disable them. If the system doesn’t have PS/2 ports, they’ll leave two USB ports open to plug in a keyboard and a mouse.

Actively blocking USB ports to one degree or another may not be a mainstream practice yet. But it’s a practice I see growing. I wouldn’t be surprised if it’s a common practice in another couple of years. But is USB blocking misguided security? No.
