Few technology administrators enjoy imposing strict
restrictions on end users, especially when the restrictions appear excessive or
draconian. Policy implementation is typically reserved for readily evident issues
(Internet and e-mail usage, data retention and security, etc.) known to require
Thus, it should come as no surprise that few organizations
prohibited CD or DVD playback on company PCs, at least before November 2005.
Numerous employees took laptops on the road; what harm could come from playing
back a CD or DVD after-hours in a hotel? Further, network administrators or
support staff pulling all nighters really couldn’t be blamed if they chose to
cue a Dexter Gordon CD while they worked, could they?
Yes, it turns out.
The Sony fiasco
What happened in November 2005 to change all that? Millions
of Sony BMG Music CDs were found to be installing clandestine rootkit programs.
Possibly the most feared type of vulnerability, due to rootkits’ ability to
compromise security while evading detection, the rootkits were being installed
as part of a copy-protection effort.
Sony outsourced development of its digital rights management
technology to First 4 Internet. First 4 Internet subsequently created a program
that required users to accept a licensing agreement before playing back the CD
on a PC. When users accepted the licensing agreement, a seemingly benign act,
the rootkit was installed.
Windows systems everywhere quickly became infected. Sony was
forced to recall the offending CDs. Confusion reigned while rumors flew
regarding which CD titles installed the rootkit. Soon calls grew for class
action lawsuits and settlement agreements. In the interim, technology
administrators were caught in the middle. How could they identify systems that
had been infected? How serious a threat did the rootkits pose? No one knew for
Soon exploits began appearing on the Internet. Hackers
created attacks that leveraged the vulnerabilities the rootkit’s posed. Trojan
horse exploits appeared that aimed to give hackers complete remote control over
infected systems. Ultimately the issue became so widespread Microsoft was
forced to issue a fix through a monthly update to its Windows Malicious
Software Removal Tool.
Once the dust cleared organizations everywhere realized that
previously secure proprietary and confidential data had been placed at risk
simply because some well meaning employees listened to seemingly innocuous
audio CDs at the office or using organization systems. Information protected by
federal legislation (including HIPAA, and Sarbanes-Oxley), even, had been
CD and DVD policies
To prevent such security vulnerabilities in the future,
organizations must now consider implementing CD and DVD policies that prohibit
the installation and playback of any prerecorded CD and DVD using
organization-owned equipment. In some cases, depending upon the industry in
which an organization operates, it may also be necessary to require that no
audio CDs or DVDs are installed or played back on any system that connects to
the organization’s network, either through a remote desktop connection or VPN.
Once a CD and DVD policy is implemented, organizations must
also take the appropriate steps to ensure the policy is enforced. Without
enforcement the policy will prove useless. Then, the next time a similar fiasco
ensues, the organization will lose time and money attempting to determine its
level of exposure and the manner in which the new vulnerability will be
The time and effort required to identify and eliminate the
security vulnerabilities that arise from such an incident should not be
underestimated. When news of such an event firsts breaks, weeks can pass in
which vendors deny the issues’ breadth, consult with third parties to determine
the source of the issue and debate a solution. It can even take weeks just to
determine which titles, in fact, include the offending software.
All the while, hackers work overtime during these delays to
design new hacks and exploits–some fueled by automated Internet bots–in
their efforts to attack infected systems. Once installed, as a stealth rootkit
was to blame with the Sony vulnerability, there’s no simple way to determine
whether your network or systems are even compromised.
Thus, policies offer the best defense against recurrence.
Implemented and enforced properly, a CD and DVD policy essentially eliminates
these issues from concern. While such policies might not prove popular, the
organization can point to the confusion, vulnerabilities, attacks and lost time
that occurred in the past to warrant the action.
For help determining your organization’s CD/DVD risks, and
for assistance drafting a proper CD/DVD policy, check out TechRepublic’s CD/DVD
Vulnerability Assessment and CD/DVD Policy template.
For more information on implementing effective policies,
review the TechRepublic articles “Use
a policy audit to ensure that your policies are followed,” “Learn
how to win support for your new IT policy,” and “Creating
an IT policy that works.”
You can quickly implement a CD and DVD policy in your organization by
downloading TechRepublic’s CD And DVD Policy. Included you’ll
find a risk assessment spreadsheet that will help you determine the
importance of such a policy to your organization’s security along with a
basic policy that you can use and modify. You can purchase it from the
TechRepublic Catalog or download it for free as part of your
TechRepublic Pro membership.