Question: With some of the new threats going around that use the Autorun feature of CD-ROMs and flash drives, what's the best defense against this type of attack? You can turn the Autorun feature off with a Group Policy, but then you have some CDs (e.g., PACS images) that depend upon the Autorun feature to open the viewer application and display the PACS images.
HIS Pros Answer: This situation exists in every hospital in America. How do you protect the healthcare data while providing necessary desktop functions for the users?
Today there are many worms and viruses that propagate by exploiting the Windows Autorun feature: an autorun.inf file on the inserted disc or flash drive names a program, and Windows launches it. To answer this question we should look at several mitigation steps that protect against these infections and reduce the risk of exposure.
- Education and common sense: The hospital must address USB and CD drives in its HIPAA education process. There should be a policy in place that requires scanning of all external media unless the user can verify the chain of custody of that media. Scanning is always a good idea; in the event of an exposure that leads to compromised data, a reviewer or auditor will ask for this evidence first.
- Prophylactic software: Real-time anti-virus software should be present on every workstation and updated from an online or network signature source. This software should be periodically tested on all workstations and regularly tested on high-risk workstations.
- Locking unnecessary devices: As the question points out, disabling Autorun, or removable-media drives altogether, is easy to manage via Group Policy. This is by far the most secure defense but also creates a fair amount of user dissatisfaction. The hospital should complete a risk assessment focused on external media and disable all unnecessary external media devices.
- Audit: We no longer work in a "fire and forget" environment where a mitigation step can go untested and unmonitored. Hospitals should routinely audit their mitigation efforts to ensure they are functioning properly and that users are complying with policies.
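As an added example that is not part of the column, the script below audits the registry state that the "Turn off Autoplay" Group Policy writes, and with -Enforce applies it directly for machines outside the policy. It also sets the IniFileMapping entry that makes Windows treat every autorun.inf as empty, which gives the same effect as the resident tools the column mentions without an extra process. Assumptions: it runs elevated; WinRM is enabled on any remote name you pass; HonorAutoRunSetting (from KB967715) only matters on XP, 2003, Vista and 2008 systems that received that update and is harmless elsewhere; and the three value names and paths are the documented ones, not something the column itself lists.

```powershell
# Added example, not code from the column or from any vendor tool.
# Audits (and with -Enforce, sets) the registry values behind the
# "Turn off Autoplay" policy plus the IniFileMapping autorun.inf trick.
param(
    [string[]]$ComputerName = @('localhost'),
    [switch]$Enforce
)

$check = {
    param([bool]$Enforce)

    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $iniMap   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

    # Desired state: 0xFF disables Autorun on every drive type, HonorAutoRunSetting=1
    # makes patched legacy systems obey it, and the IniFileMapping default value
    # redirects autorun.inf lookups to a registry key that does not exist.
    $wantedMask    = 0xFF
    $wantedMapping = '@SYS:DoesNotExist'

    function Get-RegValue($path, $name) {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item -eq $null) { return $null }
        return $item.$name
    }

    $mask    = Get-RegValue $explorer 'NoDriveTypeAutoRun'
    $honor   = Get-RegValue $explorer 'HonorAutoRunSetting'
    $mapping = Get-RegValue $iniMap '(default)'

    $compliant = ($mask -eq $wantedMask) -and ($honor -eq 1) -and ($mapping -eq $wantedMapping)

    if ($Enforce -and -not $compliant) {
        New-Item -Path $explorer -Force | Out-Null
        Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun  -Value $wantedMask -Type DWord
        Set-ItemProperty -Path $explorer -Name HonorAutoRunSetting -Value 1           -Type DWord
        New-Item -Path $iniMap -Force | Out-Null
        Set-ItemProperty -Path $iniMap -Name '(default)' -Value $wantedMapping

        # Re-read so the report reflects the post-change state
        $mask      = Get-RegValue $explorer 'NoDriveTypeAutoRun'
        $honor     = Get-RegValue $explorer 'HonorAutoRunSetting'
        $mapping   = Get-RegValue $iniMap '(default)'
        $compliant = ($mask -eq $wantedMask) -and ($honor -eq 1) -and ($mapping -eq $wantedMapping)
    }

    New-Object PSObject -Property @{
        Computer            = $env:COMPUTERNAME
        NoDriveTypeAutoRun  = $mask
        HonorAutoRunSetting = $honor
        AutorunInfMapping   = $mapping
        Compliant           = $compliant
    }
}

foreach ($c in $ComputerName) {
    if ($c -eq 'localhost' -or $c -eq $env:COMPUTERNAME) {
        & $check $Enforce.IsPresent
    } else {
        Invoke-Command -ComputerName $c -ScriptBlock $check -ArgumentList $Enforce.IsPresent
    }
} | Format-Table Computer, Compliant, NoDriveTypeAutoRun, HonorAutoRunSetting, AutorunInfMapping -AutoSize
```

Run it without -Enforce on a list of workstation names to produce the audit evidence the column asks for; a Compliant value of False on a machine that should be covered by Group Policy means the policy is not applying and is worth investigating before anyone edits the registry by hand. Values written by Group Policy will overwrite manual changes at the next refresh, so -Enforce is for standalone or non-domain machines.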
What remains are those few workstations that simply must have unimpeded access to their external media drive. These should be few, and treated as exceptions to the standard workstation build.
There are some tools, such as "Autorun Protector," that disarm the Autorun feature while still allowing access to the media. These small applications stay resident in memory and treat autorun.inf as if it did not exist. This does create an extra step: the user has to open the external drive and view or execute the desired file manually.
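For those exception workstations, the manual step above means someone should know what the disc would have launched before double-clicking anything. The function below is an added example, not part of the column or of any tool it names: it parses a mounted drive's autorun.inf the way Windows reads it and reports the directives that cause execution, without running any of them. It assumes the media is already mounted and that the drive-type codes from Win32_LogicalDisk (2 = removable, 5 = CD-ROM) are the ones to inspect.

```powershell
# Added example, not code from the column. Reads autorun.inf and reports
# what it would run; it never executes anything from the media.
function Get-AutorunInfReport {
    param([Parameter(Mandatory=$true)][string]$Root)

    $path = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $path)) {
        return New-Object PSObject -Property @{
            Root = $Root; Present = $false; WouldLaunch = @(); HijacksShellVerbs = $false; DefaultVerb = $null
        }
    }

    # Minimal INI parse: [section] headers and key=value lines; ';' starts a comment.
    $section    = ''
    $directives = @()
    foreach ($line in Get-Content -LiteralPath $path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($t -match '^([^=]+)=(.*)$') {
            $directives += New-Object PSObject -Property @{
                Section = $section
                Key     = $Matches[1].Trim().ToLower()
                Value   = $Matches[2].Trim()
            }
        }
    }

    # Windows honors the [autorun] section (and [autorun.<platform>] variants).
    $auto = $directives | Where-Object { $_.Section -like 'autorun*' }

    # open= and shellexecute= launch a program on insert; shell\<verb>\command=
    # replaces the drive's context-menu verbs, and shell= picks which verb a
    # double-click runs. A legitimate viewer disc usually has only open=; worms
    # typically add the verb hijack so a manual double-click still runs them.
    $launchers = $auto | Where-Object {
        $_.Key -eq 'open' -or $_.Key -eq 'shellexecute' -or $_.Key -match '^shell\\.+\\command$'
    }
    $verbHijack  = @($auto | Where-Object { $_.Key -match '^shell\\.+\\command$' }).Count -gt 0
    $defaultVerb = ($auto | Where-Object { $_.Key -eq 'shell' } | Select-Object -First 1).Value

    New-Object PSObject -Property @{
        Root              = $Root
        Present           = $true
        WouldLaunch       = @($launchers | ForEach-Object { "$($_.Key) -> $($_.Value)" })
        HijacksShellVerbs = $verbHijack
        DefaultVerb       = $defaultVerb
    }
}

# Usage: inspect every removable (2) or CD-ROM (5) drive currently mounted.
Get-WmiObject Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 5 } |
    ForEach-Object { Get-AutorunInfReport -Root ($_.DeviceID + '\') } |
    Format-List Root, Present, HijacksShellVerbs, DefaultVerb, WouldLaunch
```

A PACS disc will normally show a single open= entry pointing at its viewer, which the user can then start by hand. A HijacksShellVerbs value of True, or an open= target hidden in a folder such as RECYCLER, is the pattern to hand to the help desk rather than open.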
It is possible there is a silver bullet for this one, but I have yet to run across such a solution. I invite readers to respond if they are aware of one.
In the end, there are always going to be careless users that believe they know better than anything they have read or any instructions they have received. So the best offense against these idiots is a good defense against their actions.