Time to Put Restrictions on USB Use

By Wayne Rash  |  Posted 2011-02-16 Print this article Print


While the major anti-malware makers say they're ready, most of those are assuming that the new Stuxnet-like malware will be delivered over the Internet. But suppose some infected USB sticks are mixed in with the info kits delivered at a trade show?  

You know how those work: Companies hand out logo-imprinted USB memory devices like they were candy and people take them back to the office and try to use them. Frequently the goal is to erase the brochure and use the memory. But in the case of USB drives, they'd be infected before you could look at the first file. You could bring down an entire industry if you chose your target well. 

And that's the problem with this sort of removable mass storage. It's all too common for people to get USB memory or CD-ROMs that they want to put into their computers and either look at the information or use the memory. But it's very easy to infect these devices and use them as a vector for a massive infection. 

To prevent this, you have a couple of choices. The first is to buy computers without USB ports, but that move has its own set of problems. The second choice is to manage your removable storage so that it can only do certain things. For example, set a USB port so it can only run a keyboard or mouse, but not use mass storage. Or you can set a CD drive so it can't execute programs. 

Either choice will likely cause complaints in the user community, but that may not matter. It's very likely that most users won't have a business-related reason for looking at these devices or using the media, and you can always enable access on a case by case basis if they do. 

But that's only part of the solution. You have to also educate users to not do what I did. By that I mean they have to really believe that they shouldn't just put a USB stick or CD of unknown origin into their computers. All I got for my lapse in judgment was a brief look at a new Range Rover. But it could have been much worse. I was lucky, but next time I need to be smart enough to follow my own advice.  

You're invited to laugh at me or even point fingers and make gestures. I deserve it. Just don't make the same mistake. 

Wayne Rash Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazineÔÇÖs Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel