Re: Reactive broken model?
Why should plugging in a USB stick mean that your OS is compromised? Firewire, I'd give you, because that allows arbitrary memory location DMA as part of the protocol (which is why Firewire should die a death and is disabled on every machine I manage).
But a USB stick is just a mass storage device. Autorun should not run. Your systems should be configured to refuse to run executables from external devices (if you have any care about the security of your system, that is). Users who manually execute a program from a USB stick via whatever method (e.g. copying it to the machine and authorising it) should be disciplined accordingly.
People just assume that there's nothing you can do about this because, on most people's home PCs, they don't BOTHER to do anything about it. It's nonsense. Arbitrary code execution is NOT required for any in-place system. And the bigger you are and the more customers and data you have, the more reason you have to STOP arbitrary code execution occurring.
It's not an AV issue (which is nothing more than a miner's canary for when you DO have something infect your machine), it's a security issue - spurred on by the use of general purpose machines and operating systems for EVERY LITTLE THING. You should NOT be running code. Why does the person who operates a till in a shop require anything more than till controls? Why does the person handling the legal stuff at your solicitors need more than a menu of options and a word-processor to run? They don't. We just think they do nowadays, because we're used to having that control. So rather than a list of options where it's not physically possible to choose the "Format my hard drive" option because it doesn't exist, we hand them a general purpose OS where they can literally do anything and then try, half-heartedly, to pare it back to stop them breaking it too quickly.
If your staff can run anything they like, can play about in browsers, can go on the Internet, can play Minesweeper and Solitaire, it means you DIDN'T lock down their computers for work-only use. Thus, anything that happens is your own fault. Your antivirus costs are ENTIRELY due to your own laziness in failing to secure the system.
With SELinux and even things like Windows Software Restriction Policies, there's no excuse for anyone larger than a small business to have virus infections on their systems. It's just laziness and the convenience of being able to do non-work things traded off against your system security. If you wouldn't play Flash games on your network servers, why would you allow it on the clients that handle your customers' banking details (no matter how indirectly)? And a verbal ban, we all know if we have kids, is about as secure as a Ford Fiesta parked in a dodgy area. Don't tell your staff not to do X or assume they won't (e.g. don't use Internet Explorer, don't run games, don't install software, etc.). Make it 100% impossible for them to do so, if you care about your security.
The tools are there. Nobody uses them because they obviously *don't* want to stop people going on Facebook in their lunch hour on the same machine that they're typing customers' details into during the day. If they cared, it wouldn't be possible. And neither would a virus infection.
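The post says external storage should be mounted so that nothing on it can be executed. As an added example (not the poster's code), this script audits /proc/mounts-format lines and reports removable mounts that lack noexec, nosuid or nodev; the mount-point prefixes are an assumption (udisks defaults) and the sample mount table is constructed.

```python
"""Audit mounted filesystems for removable media that still allow execution.
Parses /proc/mounts-format lines; SAMPLE_MOUNTS below is constructed for
illustration, not a capture from a real system."""

# Options every externally attached storage mount should carry
REQUIRED_OPTS = ("noexec", "nosuid", "nodev")

# Mount points conventionally used for removable media (assumption: adjust to
# your distribution; /media and /run/media are the usual udisks locations)
REMOVABLE_PREFIXES = ("/media/", "/run/media/", "/mnt/usb")


def parse_mounts(text):
    """Yield (device, mountpoint, fstype, set_of_options) for each mounts line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        dev, mnt, fstype, opts = fields[:4]
        # /proc/mounts escapes a space in a path as the octal sequence \040
        mnt = mnt.replace("\\040", " ")
        yield dev, mnt, fstype, set(opts.split(","))


def is_removable(mountpoint):
    return mountpoint.startswith(REMOVABLE_PREFIXES)


def audit(text):
    """Return {mountpoint: [missing options]} for removable mounts that would
    still let a user run a binary straight off the stick."""
    findings = {}
    for _dev, mnt, _fstype, opts in parse_mounts(text):
        if not is_removable(mnt):
            continue
        missing = [o for o in REQUIRED_OPTS if o not in opts]
        if missing:
            findings[mnt] = missing
    return findings


# Constructed sample: root fs, a stick with a space in its label, a hardened
# backup drive, and an unhardened stick under /mnt
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /media/alice/USB\\040STICK vfat rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /run/media/bob/backup ext4 rw,noexec,nosuid,nodev,relatime 0 0
/dev/sdd1 /mnt/usb0 vfat rw,relatime 0 0
"""

if __name__ == "__main__":
    for mnt, missing in audit(SAMPLE_MOUNTS).items():
        print(f"{mnt}: missing {','.join(missing)}")
```

Run it against the real table with `audit(open("/proc/mounts").read())`. noexec stops direct execution of files on the stick but not a script handed to an interpreter already on the host, so it complements an application allow-list such as the SRP the post names rather than replacing one.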