The risks of USB sticks are top of many IT security professionals' worry list
While the risks of USB sticks are top of many IT security professionals' worry list, a recent case in the US highlights that any computer media can potentially be used to subvert security systems. A 20-year-old US Army private recently smuggled a huge collection of sensitive data, including over 150,000 diplomatic messages, on a recordable CD tucked into a Lady Gaga CD sleeve. The incident happened at an intelligence center in eastern Iraq. Ironically, the US DOD had banned the use of USB devices following several high-profile incidents in 2008, but had failed to extend the ban to other media such as CDs.

This incident underlines the need for "least privilege" in sensitive security facilities; you have to wonder what the legitimate purpose is for music CDs in such a facility (and I wonder if anyone has mentioned it to the Performing Rights Organization, who may want royalty payments :)

More important is the need to accurately assess all possible methods by which data can be extracted, and to properly address the risks. Most data leak prevention products do support control of writable CDs, but using them in environments where there are legitimate requirements for writing CDs can require careful management. Once again, this shows the need to focus on the proper control of information flow, regardless of the medium.