A few days ago, a story hit newspapers in the UK that didn't get a lot of notice in the U.S., mainly because here we're all tied up with November's elections. The news was that a bus driver found a USB memory stick on the floor of his hotel room, and on examining it, found it to contain a wealth of highly sensitive documents on nuclear security. Fortunately for all concerned, the bus driver passed it along to the authorities. In this case, nothing bad happened, except that some executive somewhere has a lot of explaining to do.
This situation, unfortunately, is all too common. Because they're small and highly portable, USB memory sticks also get left in places where they shouldn't be. And because they're highly desirable, people pick them up and, of course, examine the contents. This is bad from two perspectives. First, as was the case with the USB stick that originated with the UK nuclear facility, if you lose the stick, you lose the information. But there's another scenario: USB memory sticks are in some ways the perfect vector for distributing malware.
The current thinking about the Stuxnet worm is that it originally appeared in Iran loaded on USB memory sticks that were left lying around in places where nuclear facility workers were likely to find them. Because the first reaction seems to be to take the memory stick to your computer, insert it and see what's on it, this ensures that any malware also gets loaded onto your computer. In most companies, the malware spreads around the network almost instantly because it's injected from inside the firewall.
So the two downsides, the potential loss of valuable information and the injection of malware, make you wonder why any company would want to use these handy little devices.
The reason, of course, is that they are so handy. And they're still enough of a novelty that people will pick them up and see what's on them, which is what happened to the English bus driver and probably to the nuclear plant workers in Iran. Unfortunately, it could also happen to you and your company.
Fortunately, there is a way to prevent this. Several companies including GFI and Credant have products that give you control over USB memory devices, including memory sticks, PDAs and iPods. You can simply disable USB ports for such devices, you can require that all material saved to them be encrypted, and you can create logs of who used these devices, what they did with them, and when they did it. This way, if someone manages to load a zero-day worm through a USB stick, at least you'll know who did it and when.
Unfortunately, this will annoy your employees, who probably enjoy the ability to use USB drives for their own versions of sneakernet. However, encryption of the data is pretty transparent these days, which is why encrypted USB sticks are high on everybody's security wish list. There's no reason you need to allow outside material onto the computers in your enterprise, at least without some significant precautions. In the meantime, keep the USB ports closed to unencrypted outside data, and teach your employees to avoid plugging USB devices from unknown sources into ANY computer, not just the ones at work.