Technically speaking, what kind of logs does burning a CD actually leave on a hardened Win/Linux workstation compared to a USB mount? If the DLP is only looking for ‘Mass Storage Devices’, does the burning process even trigger a file-copy event in the logs?

def a rookie move! ^^ thx for the reply, appreciate it! yeah this case raises so many questions & i’m just guessing here. clearly a ton of security issues.

“Why was it a trainee… notifying security?” totally agree. besides the CDs, my main trigger was the trainee reporting it directly to security, skipping any manager or coworker. why? and why did no one else notice anything? makes me wonder if it’s really a single-man job… accomplices in the team maybe?

“Are there protocols in place…?” i d assume protocols exist but were bypassed. plugging in an external burner would def raise eyebrows or trigger dlp/edr. so i bet the workstations had built-in drives. in my dpo class, everyone just laughed bc it’s “old tech” nobody uses anymore… maybe the cybersec team thought the same? blocked usbs & set protocols for ports but underestimated optical? i have gen z students in my opsec classes who don’t even know what a tower’s cd-player is if i show them a photo. or they know it’s a player but don’t realize it’s a burner too.

what’s ur take?

why cd’s? less digital footprint? burnin a disc feels more ‘mechanical’ — maybe it leaves nothing on the host side compared to mounting a usb mass storage? is it off the grid coz its physical legacy tech and modern dlp/edr just ignore it? anyone ever seen optical media used as a stealth exfiltration vector like this?

hey! thx for the reply. your points hit exactly on what i’ve been obsessed with lol.

“Why is the IT guy trusted…?” & “Why does he have access…?” totally agree, huge mistakes. but what if they actually didn’t trust him? maybe they cut his privs to the bare minimum but since he knows the system, he found a loophole to bypass the DLP. in my class, everyone laughed bc CD-ROMs are “obsolete tech”… so did the sec team underestimate this attack surface? maybe they blocked USB ports & set alarms for external drives but forgot the optical burner? or maybe it was just easier to bypass optical media rules without triggering anything.

“Is access to the database monitored?” maybe he knew the exact threshold before a system alarm goes off? that would explain why he only picked “top” clients instead of the whole DB. plus, fitting a full banking DB on a few CDs is technicaly impossible anyway, so he had to cherry-pick.

my intuition is also on the trainee reporting it. why him/her? that’s a break in the incident reporting process. where were the managers? the fact that it’s neither a colleague nor a manager makes me wonder if it was a single-man job. any accomplices? i’ve seen enough teams to know that when ppl feel frustrated or abused, they tend to turn others against the board. keeping someone on notice after firing them is a massive danger for this exact reason.

what do u think?

–