Few technology administrators enjoy imposing strict restrictions on end users, especially when the restrictions appear excessive or draconian. Policy implementation is typically reserved for readily evident issues (Internet and e-mail usage, data retention and security, etc.) known to require enforcement.
Thus, it should come as no surprise that few organizations prohibited CD or DVD playback on company PCs, at least before November 2005. Numerous employees took laptops on the road; what harm could come from playing back a CD or DVD after hours in a hotel? Further, network administrators or support staff pulling all-nighters really couldn't be blamed if they chose to cue a Dexter Gordon CD while they worked, could they?
Yes, it turns out.
The Sony fiasco
What happened in November 2005 to change all that? Millions of Sony BMG Music CDs were found to be installing clandestine rootkit programs. Rootkits are possibly the most feared type of malware, because they compromise security while evading detection, and these were being installed as part of a copy-protection effort.
Sony outsourced development of its digital rights management technology to First 4 Internet. First 4 Internet subsequently created a program that required users to accept a licensing agreement before playing back the CD on a PC. When users accepted the licensing agreement, a seemingly benign act, the rootkit was installed.
Windows systems everywhere quickly became infected. Sony was forced to recall the offending CDs. Confusion reigned while rumors flew regarding which CD titles installed the rootkit. Soon calls grew for class action lawsuits and settlement agreements. In the interim, technology administrators were caught in the middle. How could they identify systems that had been infected? How serious a threat did the rootkits pose? No one knew for sure.
Soon exploits began appearing on the Internet. Hackers created attacks that leveraged the vulnerabilities the rootkit posed. Trojan horse exploits appeared that aimed to give hackers complete remote control over infected systems. Ultimately the issue became so widespread that Microsoft was forced to issue a fix through a monthly update to its Windows Malicious Software Removal Tool.
Once the dust cleared, organizations everywhere realized that previously secure proprietary and confidential data had been placed at risk simply because some well-meaning employees had listened to seemingly innocuous audio CDs at the office or on organization systems. Even information protected by federal legislation (including HIPAA and Sarbanes-Oxley) had been jeopardized.
CD and DVD policies
To prevent such security vulnerabilities in the future, organizations must now consider implementing CD and DVD policies that prohibit the installation and playback of any prerecorded CD and DVD using organization-owned equipment. In some cases, depending upon the industry in which an organization operates, it may also be necessary to require that no audio CDs or DVDs are installed or played back on any system that connects to the organization's network, either through a remote desktop connection or VPN.
Once a CD and DVD policy is implemented, organizations must also take the appropriate steps to ensure the policy is enforced. Without enforcement the policy will prove useless. Then, the next time a similar fiasco ensues, the organization will lose time and money attempting to determine its level of exposure and the manner in which the new vulnerability will be eliminated.
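One way to turn such a policy into an enforceable, auditable control on Windows endpoints, as an added example that is not part of the original TechRepublic article or its policy template: the script below denies read and execute access to optical drives through the Removable Storage Access policy keys and disables AutoRun for every drive type, then reports whether a machine is compliant. It assumes Windows Vista or later (the Removable Storage Access policy did not exist on the Windows XP systems affected in 2005), an elevated PowerShell session, and that the registry-based settings are not being overridden by a conflicting domain Group Policy.

```powershell
# Added example (not from the article): enforce and audit a "no CD/DVD" policy on a
# Windows endpoint. Assumes Windows Vista or later and an elevated session.
$ErrorActionPreference = 'Stop'

# Device-class GUID the Removable Storage Access policy uses for CD/DVD drives.
$CdDvdClass     = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
$RsaKey         = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$CdDvdClass"
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-CdDvdPolicy {
    # Deny read and execute on optical drives, so neither playback nor a
    # disc-supplied installer (the vector in the Sony case) can start.
    New-Item -Path $RsaKey -Force | Out-Null
    Set-ItemProperty -Path $RsaKey -Name 'Deny_Read'    -Value 1 -Type DWord
    Set-ItemProperty -Path $RsaKey -Name 'Deny_Execute' -Value 1 -Type DWord

    # Defence in depth: 0xFF disables AutoRun on every drive type, so a disc that
    # somehow is mounted still cannot launch its own setup program.
    New-Item -Path $ExplorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-CdDvdPolicy {
    # Returns one report object per machine; collect these centrally for the policy audit.
    $rsa = Get-ItemProperty -Path $RsaKey         -ErrorAction SilentlyContinue
    $exp = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue

    $denyRead    = [bool]($rsa.Deny_Read           -eq 1)
    $denyExecute = [bool]($rsa.Deny_Execute        -eq 1)
    $autoRunOff  = [bool]($exp.NoDriveTypeAutoRun  -eq 0xFF)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        DenyRead      = $denyRead
        DenyExecute   = $denyExecute
        AutoRunOff    = $autoRunOff
        # Optical drives physically present; a machine with none is trivially compliant
        # but still worth recording so the audit can distinguish "no drive" from "policy set".
        OpticalDrives = @(Get-CimInstance -ClassName Win32_CDROMDrive |
                          Select-Object -ExpandProperty Drive)
        Compliant     = ($denyRead -and $denyExecute -and $autoRunOff)
    }
}

# Usage: apply the policy, then verify it took effect on this host.
Set-CdDvdPolicy
Test-CdDvdPolicy | Format-List
```

In a domain, the same two registry locations are what the "Removable Storage Access" and "Turn off Autoplay" Group Policy settings write, so the `Test-CdDvdPolicy` report can be run by a scheduled task or remoting job across the fleet to prove the policy is actually enforced rather than merely published, which is the gap the paragraph above warns about.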
The time and effort required to identify and eliminate the security vulnerabilities that arise from such an incident should not be underestimated. When news of such an event first breaks, weeks can pass in which vendors deny the issue's breadth, consult with third parties to determine the source of the issue, and debate a solution. It can even take weeks just to determine which titles, in fact, include the offending software.
All the while, hackers work overtime during these delays to design new hacks and exploits--some fueled by automated Internet bots--in their efforts to attack infected systems. And when a stealth rootkit is to blame, as it was in the Sony case, there's no simple way to determine whether your network or systems are even compromised once it has been installed.
Thus, policies offer the best defense against recurrence. Implemented and enforced properly, a CD and DVD policy essentially eliminates these issues from concern. While such policies might not prove popular, the organization can point to the confusion, vulnerabilities, attacks and lost time that occurred in the past to warrant the action.
For help determining your organization's CD/DVD risks, and for assistance drafting a proper CD/DVD policy, check out TechRepublic's CD/DVD Vulnerability Assessment and CD/DVD Policy template.
For more information on implementing effective policies, review the TechRepublic articles "Use a policy audit to ensure that your policies are followed," "Learn how to win support for your new IT policy," and "Creating an IT policy that works."
You can quickly implement a CD and DVD policy in your organization by downloading TechRepublic's CD And DVD Policy. Included you'll find a risk assessment spreadsheet that will help you determine the importance of such a policy to your organization's security along with a basic policy that you can use and modify. You can purchase it from the TechRepublic Catalog or download it for free as part of your TechRepublic Pro membership.