August 31, 2021

DVD-R vs DVD+R

At our place of work we have a policy that USB mass storage devices are not used to transfer data to and from the network that contains our IP. The justification for this is the following security control:

“Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured”

However I noticed today that they were using DVD+R disks. I don’t believe that this is read-only material, but DVD-R is.

If data was written to the DVD on the corporate network from a compromised machine, if that DVD was then put into the protected network is it feasible that data from the protected network could be written back onto that same DVD? I’m thinking yes – but I’m not sure so I thought I’d ask here.

TLDR= Is DVD+R a data diode or do you need DVD-R

Comments

ThiefClashRoyale

Dvd +r does support multi session although I believe some workarounds were found to enable miltisession even on dvd-r disks. Its been a long while since I used any dvds now.

I believe you could ensure a dvd+r disk cannot be written to again by finalising it in the burning software so even a dvd +r could adhere to the policy if this is done. Again this is from memory what I remember and i havent had to burn a disk for like 10 years.

Also one thing to note is the +r disks are more reliable so if this is for backup it would make sense to use the newer disks and change the policy because it would be bad if the backups became degraded.

Also I dont remember dvd being used as a medium for many viruses before or malicious payloads but I am sure there are some. It would be pretty inefficient in 2021 though as an attack vector. Most pcs dont even have dvd readers anymore.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.