How to Secure USB Ports

Threats to our computers are coming at us from all directions. Years ago to be that we only had to worry about floppy disks and software bulletin boards in regards to things like computer viruses. Today we have too many sources, everything from the home/work network to the Internet to smart phone and USB drives. Other than email, one of the other top contenders for spreading viruses is the USB drive. Most people have a thumb drive or two, and because USB drives self install and have the capacity to carry large files it is easy for viruses and malware to tag along for the ride.

The way that corporate America dealt with the spread of viruses via floppy disks was to have the floppy drive removed from the computer or to have the device disabled so that only Administrators could use the device after logging onto the computer with a special account. Are there viable options for reducing the risk when dealing with a USB port? I do think that there are a few options. First, we can disable the ports, second we can educate the user, and third we can install additional software that will monitor activity.

Disabling the device seems like the easy way out, but I wonder if it really is a good solution? If we could remove them, I am sure that the System Administrator would have done so already, however since USB ports are built into every computer (usually on the main board) and there are a number of them (4 or more on average) it seems unlikely that removal will be the answer. Disabling only causes more issues, as people try to find a way around the security. Since most people are resilient, we do find a way to get around the security obstacles.

The next option is education of the user (especially on a corporate network) that they could potentially harm other systems if they do not run virus software against these devices. Fortunately, anti-virus software has caught up with the new technology to be on the look out for issues resulting from infected file. However, with that said usually the software is only looking for a virus and might not detect a spyware or malware application. Therefore, we (system administrators) are back to a complete education of the end user to ensure that they know how to check their USB media for potential risks.

This leaves a final option of ensuring that one installed software onto the computer that will monitor for both viruses and malware/spyware issues resulting from USB media. As a Systems Administrator, security software should also include monitoring the files when they are accessed from the company's network. Fortunately, with laptops some great software utilities exist that will encrypt the hard drive in the event that a laptop is stolen or lost. Information is a little more vulnerable than with hard drives. Microsoft Windows 7 Professional and Ultimate come with Bit locker, which is a file and directory security system.

From a corporate or business side, something needs to happen to protect your data and other resources. The best solution is usually multiple items rolled into a network security policy. If it were my network, I would look into software that does its best to lower your risks by scanning files and folders from all media types before use. I would also look into educating the end users. This will help them feel like they are part of the solution, engaged in the process, and not just locked out of using system resources. Disabling the hardware would be the last solution that I would implement, but that also depends on where the computer is located. Perhaps the laptop is in an area where you only want authorized people to use the USB ports, and then disabling for all others might be a good idea. I see this more in a situation where the computer is in a high traffic area where the public might be near; say for example a retail store.

Whichever way you want to go, burying one's head in the sand is not a proper solution. Developing a plan that works for your environment is always the best solution.