UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance to help meet the malware defenses requirement.
Requirement
Resource Custodians must configure covered systems to not auto-run content from removable or remotely-mounted media.
Description of Risk
Malicious software gives attackers direct access to covered data and provides them with the means to access covered data.
Recommendations
Autorun configuration was intended to give users the convenience of an automatic software response to known media devices such as CDs, external hard disks, etc. However, malicious software has been known to exploit this convenience feature to install malware and conduct unauthorized activities on misconfigured devices.
To mitigate the risk of running malware that exploits the autorun configuration, follow the instructions from the operating system vendor (Microsoft Windows) to disable autorun on both removable and remotely-mounted media. This requirement does not apply to Mac or Linux devices.
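One way to verify the result on a Windows host, as an added example that is not part of the original guidance or of Microsoft's instructions: it assumes the `NoDriveTypeAutoRun` policy value covered in the Microsoft article listed under Additional Resources is the control in use, and it treats a missing value as not enforced. The function names are hypothetical.

```powershell
# Added example: audit the Autorun policy bitmask on a Windows host.
# NoDriveTypeAutoRun is a bitmask; a set bit disables Autorun for that drive type.
$DriveTypeBits = [ordered]@{
    'Removable (USB, external disk)' = 0x04
    'Network (remotely mounted)'     = 0x10
    'CD-ROM'                         = 0x20
}

# The machine-wide (HKLM) value is checked first because it overrides the per-user value.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutorunPolicy {
    # Returns the first policy value found, or $null when none is configured.
    foreach ($key in $PolicyKeys) {
        $prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            return [pscustomobject]@{ Source = $key; Mask = [int]$prop.NoDriveTypeAutoRun }
        }
    }
    return $null
}

function Test-AutorunDisabled {
    # Emits one row per drive type named in the requirement, with its status.
    $policy = Get-AutorunPolicy
    foreach ($name in $DriveTypeBits.Keys) {
        $bit = $DriveTypeBits[$name]
        [pscustomobject]@{
            DriveType = $name
            Disabled  = ($null -ne $policy) -and (($policy.Mask -band $bit) -eq $bit)
            Mask      = if ($policy) { '0x{0:X2}' -f $policy.Mask } else { 'not set' }
            Source    = if ($policy) { $policy.Source } else { 'no policy value found' }
        }
    }
}

$results = Test-AutorunDisabled
$results | Format-Table -AutoSize
if ($results.Disabled -contains $false) {
    Write-Warning 'Autorun is not disabled by policy for every drive type listed above.'
}
```

A mask of `0xFF` disables Autorun for all drive types, so every row reports `Disabled = True`.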
Additional Resources
- Microsoft Windows instructions to disable autorun: http://support.microsoft.com/kb/967715