You probably haven't heard about a similar, but less advanced, worm that infected computers at the U.S. Department of Defense a couple of years ago. Both of these worms share a common thread. Their initial vector was almost certainly contained in a USB memory stick left lying around where the right people would find it. In other words, someone simply left a few dozen USB sticks on shelves in restrooms, on bars, on desks in offices and other places where they would appear, seemingly forgotten.
The worm would initially enter the enterprise when someone would find the stick, and do what seems to be the universal reaction to finding a USB stick: plug it into their computer to see what was on it. The act of plugging the device into a USB port is all that's necessary for these worms to start working-you don't have to look at the contents.
While some computers might have up-to-date security software that prevents the worm from loading, if you leave enough USB drives around, some will find their way into a machine that's less protected. It only takes one. The risk is raised when organizations let people use personal computers to access the enterprise from home.
I spoke with Amit Klein, CTO of Trusteer, who explained that the growth of consumer devices such as USB drives is creating new levels of security risks in the enterprise. Convenience, he said, comes at a price. He said that each of the new technologies that make things easier or more convenient may also come with a new set of risks. He mentioned things like software-as-a-service (SaaS) and cloud-based applications as well.
The problem with USB drives is that they're extremely handy, they are looked upon as valuable pieces of technology, even if they really only cost a couple of dollars each, and few people think of them as the potential dangers they really are. Worse, many enterprises do nothing to control what people plug into their USB ports. Unlike Internet access, which is frequently well-protected by firewalls and malware controls, USB ports are often unprotected.