It's a well-known trick in the security auditing trade that dropping USB thumb drives in the parking lot of a company you want to crack is an easy way to infiltrate a network. Nine times out of 10, the unsuspecting employee will be curious about the contents of the thumb drive. Once plugged in, any viruses, malware, or scripts injected onto the drive are free to spread and compromise network security.
While viruses are right at the top of the list of reasons to disallow the use of USB thumb drives in the enterprise, data leakage is the top cause for concern for most. Fortunately, there are plenty of solutions to the problem out there, both cheap and expensive. If you're running XP, you can apply a registry hack to disable USB plug-and-play devices by brute force. That's certainly not a friendly solution, but it is a solution. Vista gives you a few more options in the way of USB device enforcement, but none rely on user credentials, which is where the more expensive enterprise offerings pickup.
ControlGuard, GuardianEdge, and Sanctuary Device Control from Lumension Security are three examples of enterprise solutions that provide protection from data leakage and malware from removable devices. More important for the security administrator, detailed logging, auditing, and regulatory compliance features are built into many of these offerings. End to end features that protect and report are enough to help CIO's sleep a little more soundly at night. And while these enterprise offerings aren'ot cheap, what's the cost of not having them?
Know of any highly effective, low-cost solutions in this space? Post a comment here and let me know about them.