I have some plugged USB devices in the computer, and I worry they might be used to "spy" - access the internet\ransomware. For example, a USB camera or a USB stick that will be connected to the computer.
How do I prevent (new or specific existing) USB devices from sending data to the internet or reading/writing to the hard drive?
I am not sure how you are going to prevent individual devices from connecting to the computer other than being physically present when users are using the machine, but there are some settings you can use for the camera in Windows 10.
Windows 10 privacy settings
Windows 10 offers greater control than previous versions over the devices connected to computers and it presents these options in a very simple and intuitive interface. To access them just open the Start menu and select Settings. Click on the Privacy section and head over to Camera options in the left pane
Here you’ll find a list of applications that have access to your webcam alongside controls to enable or disable said access. At the top of the window you also have a master switch that disables access to the camera for all applications listed.
Please note that not all installed applications are listed here. For example I have Skype and Yahoo! Messenger installed, applications with camera access, and they are not listed here. The applications found here are mostly the ones installed from the Windows Store, so please keep this in mind when reviewing your privacy settings.
All devices inside your computer have software/firmware, such the hard disk, the network adapter, the display adapter, the BIOS/UEFI and more. There's nothing special about USB and no way to protect against infected hardware, since you do need to use these devices from time to time.
However, the firmware of devices is usually protected by digital signature, just as UEFI (in non-Legacy mode) protects in the same way against infected operating system components, so that they cannot be maliciously modified.
Spying software can in almost all cases only be incorporated into the device by the manufacturer of the device and/or the firmware. The best protection would be by not buying hardware from dubious sources.
Windows has also much advanced regarding protection, and the days when an external hard disk could infect the computer are long gone. Windows will not launch software from such disks, unless done explicitly by yourself.
I think that you have nothing to worry about, as long as you keep Windows, the router and the anti-virus completely up-to-date, and do not open holes in the firewall of Windows and your router. Windows does a very good job nowadays of keeping you safe, much better than any measure that you can do yourself.
