If you remember back to the early days of personal PCs, it was a real chore to connect a new device. It was often necessary to set jumpers, add extra serial or parallel ports, install device drivers and reboot, probably several times. Now thanks to USB, a single standardized interface socket, those days are gone. USB devices can be connected and disconnected without rebooting the computer or turning off the device. It has, of course, been widely adopted as the connection interface of choice, and according to the USB Implementers Forum, as of 2008, there are about 2 billion wired USB devices in the world.
USB, however, is only a standard to interface devices to a host computer. It doesn't provide any security features to filter the data that passes through the connection. In this respect, it is exactly the same as an Ethernet or printer cable; any device connected to a PC via a USB connection can be accessed by an application running on the host PC. Therefore, if the PC has been infected by malware, for example, the malware could access data on a portable hard drive that is connected to the PC via a USB cable. The danger could occur in reverse as well, should a U3-enabled USB drive with auto-launching applications (including malware) connect to a PC could and then access data on the host PC or logs all characters typed on the computer keyboard.
To mitigate these risks, you can disable all USB ports on a PC, but this is rarely practical because the ports may be required for devices such as keyboards and mice. If your organization runs a Windows-based network, then you can control USB drives using Active Directory. Individuals and groups that do not need to use a USB drive can be denied access to the ubstor.pnf and ubstor.inf files through an Active Directory group policy. New to Windows Vista, an administrator can now allow users to install only devices that are on an approved list or deny read or write access to devices that are removable or that use removable media. There are also third-party programs that provide a range of access controls for USB drives.
Hopefully, you can see that USB is merely a means to connect a device to a PC, not to control what the device does. In order to protect the USB device, you will need to provide security measures, which should, of course, be supported by policies that cover and clearly communicate the appropriate use of USB devices.
This was first published in January 2009