I had an Austin Powers moment today when I opened an email from eSecurityPlanet.com and saw a link to an article called, Feel Vulnerable? Time for Vulnerability Management Tools.  I felt like I had been in suspended animation for years and just woke up. I have not seen an article on vulnerability management in forever and ever. There was nothing earth shattering in this article.  Meat and potatoes VM. That is vulnerability management, not virtual machines.  The fact that VM is more commonly associated with virtualization than vulnerability management in and of itself probably speaks volumes.

Just last week at the Infosec World conference I had remarked to some folks that walking the show floor I did not see one vendor using the term vulnerability management in their signage.  Even some companies that are plainly in the VM space such a nCircle and Qualys, are using risk management and similar terms to describe what they do. So why has vulnerabiity management fallen out of disfavor?  Is it any less important?  In the words of "The Shagadillic One", do they think it ain't sexy? That may be it.  It is not sexy or trendy anymore.  I remember going to RSA a few years ago and every vendor had some strategy around vulnerability management.  I will be looking at this years show and report how many times I see the VM word.

So what is it about the security world.  Do we collectivley have the attention span of a flea. Do security tools go from golden to rust that quickly?  Why are we constantly searching for the next great thing but seemingly at the expense of the last great thing.  Wouldn't it be nice to see something through and make it really work before we rush on to the next one.

I had an Austin Powers moment today when I opened an email from eSecurityPlanet.com and saw a link to an article called, Feel Vulnerable? Time for Vulnerability Management Tools.  I felt like I had been in suspended animation for years and just woke up. I have not seen an article on vulnerability management in forever and ever. There was nothing earth shattering in this article.  Meat and potatoes VM. That is vulnerability management, not virtual machines.  The fact that VM is more commonly associated with virtualization than vulnerability management in and of itself probably speaks volumes.

Just last week at the Infosec World conference I had remarked to some folks that walking the show floor I did not see one vendor using the term vulnerability management in their signage.  Even some companies that are plainly in the VM space such a nCircle and Qualys, are using risk management and similar terms to describe what they do. So why has vulnerabiity management fallen out of disfavor?  Is it any less important?  In the words of "The Shagadillic One", do they think it ain't sexy? That may be it.  It is not sexy or trendy anymore.  I remember going to RSA a few years ago and every vendor had some strategy around vulnerability management.  I will be looking at this years show and report how many times I see the VM word.

So what is it about the security world.  Do we collectivley have the attention span of a flea. Do security tools go from golden to rust that quickly?  Why are we constantly searching for the next great thing but seemingly at the expense of the last great thing.  Wouldn't it be nice to see something through and make it really work before we rush on to the next one.

No, if you're a security administrator. Many people still aren't aware of the security risk that autorun raises. It isn't new anymore, but DarkReading's Social engineering, the USB way is still the best story the make the point. Check it out.

I really can't think of any business reason for keeping this feature enabled. Please shut if off, domainwide, as soon as you can.

In Windows Vista/Server 2008, go here:

Computer Configuration | Administrative Templates | Windows Components | AutoPlay Policies

Enable the "Default behavior for AutoRun" policy and set the default to "Do not execute any autorun commands."

Enable the "Turn off Autoplay" policy and set it to "All drives."

In Windows XP/Server 2003, go here:

Computer Configuration | Administrative Templates | System

Enable the "Turn off Autoplay" policy and set it to "All drives."

While this might be old news for many of my readers, disabling autorun still doesn't seem to be a common security mitigation. At a recent conference I was surprised at the number of folks who haven't considered the risks of leaving it enabled. Surely by now most of you have heard about how certain music CDs can spread rootkits in your network. Yeah, holding down the [Shift] key when inserting a CD-ROM or USB drive will bypass the autorun.inf file -- but do you really want to rely on individual users remembering this? Nope. Group policy is your security friend: put it to good use here and disable autorun right now.

(BTW, Sony is up to their dirty old tricks again.)

Updated, 22 September 2007. Turns out there's a registry key that keeps track of all USB drives your computer has ever seen, and this key will override the Autorun settings if you insert a drive that your computer has seen before. So in addition to changing Autorun, you'll also need to delete this other key. Write a little script and call it from group policy. Here's the key to delete:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

More details here.