Virtualization Pitfalls

By Sean Martin  |  Posted 08-10-2010

Black Hat 2010: 10 Security Hotspots for CIOs

The annual Black Hat Technical Security Conference is known for its colorful audience, many of which are self-described hackers. Some have even been known to hack the hotel TV billing systems and ATM machines in the hotel lobby. The training sessions and security briefings held throughout this year's event, July 24-27 in Las Vegas, NV, offered deeply technical information of interest to security pros and hackers alike. These sessions likewise offer crucial insights for the security-minded CIO. We highlight the 10 hottest security topics, and provide actions every CIO can take to minimize enterprise risks. 

Cloud Security Challenges

As you probably know, the Cloud is the mass-market, low-cost, commodity abstraction of hyper-scalable computer, network and storage capabilities. These are delivered as a managed service, replacing and/or augmenting what was once an in-house collection of physical IT infrastructure, platforms, and software. This dramatic change in how information is stored, accessed, and transferred certainly opens up cloud computing to many security concerns. Primary among these is that, with cloud solutions, the traditional boundaries of an information system - for example, a firewall that surrounds the perimeter of an organization's physical IT infrastructure -- either disappear and/or continuously move based on the business needs for the system. Additionally, trust and security for the service is typically transferred to the cloud provider's physical and virtual infrastructure, while the legal liability remains with the enterprise using the cloud service.As you consider the cloud for any off-site hosted infrastructure, platform, or software services, your organization should only look to outsource routine processes and systems. Once the decision has been made to outsource, it is critical that you have a clear view into the steps the cloud provider has taken to continuously protect your data, the operating systems and the applications accessing and storing that data, including the virtual and physical systems tasked with hosting your environments. These are the top three things to look for:

  1. Data Confidentiality: Who has access to the system and its data, from which locations/systems/applications, and for which activities. Are there other Cloud instances residing physically next to yours, such as that of your biggest competitor?
  2. Data Integrity: How are the providers controlling and monitoring how the data has been accessed or manipulated; are they employing any identity management and/or timestamping technologies to authorize access and prove data integrity?
  3. Data Availability: How are they ensuring operational continuity of the systems and consumption of the data - what are the redundancy, failover, archiving, and recovery technologies and processes?

    Virtualization Pitfalls

Virtual machines and hypervisors deliver flexible, elastic computing capabilities that allow organizations to stand up new environments in a matter of minutes, while gaining more operating function from each individual physical system. As with cloud computing solutions, virtualization constantly redraws the traditional boundaries that we're accustomed to with our physical systems.

For example, a company might physically house its web-services-based customer portal right beside the operating environment, the applications, and the data for its highly sensitive financial database. These two data sources may be separated only by a virtual operating system boundary. If the customer portal is compromised, it's not much of a leap for the attacker to gain access to the financial data residing on the same machine.Many of the same concerns and due diligence that apply to cloud solutions also apply to virtualization. However, in the case of virtualization, the ownership and related actions remain completely in the hands of your organization.

Therefore, all of the standard information security measures must be employed, including protecting the operating system and its applications from attack and compromise as accomplished through the use of anti-malware, intrusion prevention, and firewall technologies. Similarly, protecting the data on the system remains a key aspect of virtualization security, employing the likes of access control, application control, device control, encryption, and other DLP-oriented technologies. The challenge for the CSO/CIO will be to find vendors that have purpose-built their solutions to work within the virtual environment. They are out there - consult the industry analysts and look at some startup events in the security space to see what innovations might help you secure your virtual business.

Risk Management: Depth or Breadth?

Years ago, as viruses began to use email in lieu of infecting computers though floppy disks, organizations had to find additional layers of protection to combat the threat; in came the use of email anti-virus (AV) technologies. As viruses morphed into well-designed Trojans, worms and other stealthy system-compromising and network-infecting pests, intrusion prevention technologies were added to the stack. Commonly referred to as 'defense in depth', this strategy uses multiple layers of defense in a coordinated fashion throughout an information technology system at both logical and physical tiers to protect the integrity of information. Turns out, this remains a relatively decent method for protecting the organization. With multiple layers of protection, ranging from the network perimeter down to the kernel of the computer system, the likelihood of an attack is minimized.

However, there is growing movement toward a 'defense in breadth' strategy as an optimal way to protect the organization. This way, once any single layer of depth is penetrated and compromised, it becomes very easy to move up and/or down the stack to bypass the other layers of defense. There are numerous vulnerabilities from which to choose to make that initial connection into the stack; hackers typically avoid the hardened areas anyway. According to the Verizon Business 2010 Data Breach Report, the most common entry point for most attacks is initiated through stolen or weak credentials. How well are we controlling the user accounts? How well are they educated to protect themselves? Are our users over-privileged? There is plenty to think about here.

CSOs/CIOs should look outside the big firms to find new technologies to help them ensure the most effective 'defense in depth' measures possible; cloud-based patch management, network/device/application control, token-free two-factor authentication, and data integrity via hash-based timestamps are just a few options. CIOs also need to look for protection across the layers to build out a true 'defense in breadth' strategy. Here are a few steps to take:

  • Don't just focus on multiple layers of protection to block an attack. Look at processes and tools for handling a successful attack. Place additional attention here to mitigate risk associated with the payload, such as preventing unauthorized network traffic and confidential data from leaving the organization. You already have a lot of the technology required here, such as perimeter and desktop web filters and firewalls. Consider gaining additional breadth by looking at application control, device control, and network access control technologies.
  • Identify the weak areas by performing regular vulnerability assessments, patch/policy/configuration assessments, and penetration tests. These are areas hackers will find and exploit. Available tools available come in various forms, including software, appliance and cloud-based options. Most vendors providing these packages and services can help to perform the tests and prioritize the actions based on their results.
  • Logs...logs...logs. While the security event and information management (SIEM) market has gained some traction in recent years, this is a relatively untapped space. We have the depth of protection providing us with most (if not all) of the information we need to better arm ourselves, we just don't do a good job at analyzing and using the information. Use this information and toolset to provide a layer of protection across the defense in depth protections.

    Collaboration Carries Exploit Potential

Information sharing and collaboration will always bring with it defects that lead to vulnerabilities, which lead to exploits, and, ultimately, to successful attacks. The real question is whether more can be done from a vendor perspective to reduce the risk exposure of these exploits, including minimizing the sale of exploits on the black market.

The CIO or CSO needs establish strong relationships with security researchers and vendors. A relationship with the research community can help a CIO understand risks within a specific environment. A relationship with the vendor community helps keep the vendors grounded in the business realities of building secure solutions. A great way for the CIO/CSO to stay connected with the security community is to participate in some of the leading security groups. Here are two worth considering:

  1. OWASP - The Open Web Application Security Project (OWASP) is a worldwide not-for-profit organization focused on improving the security of application software with a mission to make application security visible so that people and organizations can make informed decisions about true application security risks.
  2. CSA - The Cloud Security Alliance is a global non-profit organization formed to promote the use of best practices for providing security assurance within Cloud Computing, providing education on the uses of Cloud Computing to help secure all other forms of computing.

In addition to becoming part of the community, it is important to have regular conversations with the providers of your information technology solutions to ensure that they know how important security is to your business. Demand security as a must-have feature when you negotiate your licensing agreements with them.

Enterprise Mobility Has Inherent Risks

App stores allow mobile applications to be published for the top mobile operating systems, including BlackBerry, iPhone, Windows Mobile, and Android. Each platform provides a robust SDK that could allow nearly any developer to build an app that could compromise the mobile device and use it as a gateway into the organization. Some mobile OS providers do a better job at securing the OS and restricting access to the hardware and memory; therefore, due diligence is necessary if your organization intends to utilize mobile devices for business purposes.

If you're not controlling which mobile devices have access to your network and data, it's certainly time to do so. If you're not monitoring or controlling which applications are installed on your employees' company-approved mobile devices, you should consider defining processes and leveraging tools to help with this too. Finally, if your organization is planning to build custom mobile applications, be sure to do so by using a secure application development lifecycle, with your applications validated through analysis tools and/or outside testing sources in order to ensure proper security has been built into the application. OWASP is a great source of information.

Open-Source Tools Carry Dangers

There appears to be a never-ending line of open-source tools and commercial debuggers that allow the common computer user to explore the inner workings of nearly every aspect of a computer network system - including hardware, I/O ports, operating system, drivers, and applications. With the introduction of hypervisors, even more tools have become available, opening up the virtual environments to deep inspection and analysis.

A hardware-based attack method, for example, leverages many of the pre-defined functions that exist in the USB Human Interface Device (USB-HID) standard in order to perform cross-platform attacks. With an abundance of USB-HID-enabled devices available in the market, the attacks become extremely easy to carry out.

Hacking the Java client is also a common way to bypass client-side security controls. A Java client-server application can be compromised using an entirely open-source toolset. By injecting an interactive console into the running Java application, one could call any method desired on the client side, thereby bypassing client-side security controls.

There are also myriad ways to exploit vulnerabilities in the device, protocol, application, host, and network components of the SCADA Systems and Smart Meters. These systems and meters control the generation, transmission, and distribution of power throughout neighborhoods across the US. Successful attacks against these vulnerabilities could allow one to steal power from their neighbor. Brings new meaning to 'love thy neighbor,' doesn't it?

The public use of these open source tools cannot be controlled by your business. Therefore, your organization is left with managing the protection against the potential attacks that could come from the use of these tools. The best options for the CIO to combat this risk is to employ a comprehensive information security program that includes regular vulnerability assessments to identify the weaknesses before they are compromised, coupled with security configuration validation through the regular use of penetration testing solutions. Controlling and managing devices will help reduce the risk of physical system compromise. Overall system hardening is a good method with which to prevent vulnerabilities from being exposed, and therefore, exploited.

System Hardening: Its Time Has Come

The main point of an operating system is to provide lots of useful functionality to applications and the users of the system. There are many features that can leave the system open for attack. But, there are also a number of features that can be used to enhance the security of the system.

Depending on the business role that a system plays within the organization, leaving it unhardened could lead to serious trouble for an organization. For example, an on-stage remote attack of two ATMs during one Black Hat session caused the machines to spit out all of their cash, proving that hardening the Microsoft Windows CE platform would have been a good idea for those ATM manufacturers.

Clearly the hardening and protection of the security systems themselves is of concern. Are vendors doing enough to help here? Are appliances as a replacement to open systems really the solution to this problem? Will the cloud help or hinder the hardening and protection of security systems?

The bottom line for the CSO/CIO is to ensure that only the necessary systems, applications, and users are able to interact with each other within the approved business context. To help monitor and control this, organizations should look to policy compliance solutions that allow them to define the approved business rules and enforce them based on the following factors:

  • who is logged in
  • where they are logged in
  • when they are logged in
  • what they are trying to do
  • where they are trying to do it
  • what will the outcome be when the action is performed

Some technologies to help with this include network access control, identity management, device control, application control, and data loss prevention.

SSL and HTTPS: Not So Strong?

The research community at large is calling for serious changes to the SSL and HTTPS protocols that securely connect our systems and transmit our sensitive data. In particular, most of us fall into a false sense of security when using HTTPS/SSL. For example, did you know that the US government has a technique that allows it to read SSL-encrypted traffic? Another example of insecure protocols involves hackers exploiting certificate-warning mechanisms to trick a user into accepting a bad certificate, which then causes his or her credentials to be stolen. Can we really rely on HTTP/SSL as failsafe and completely secure protocol set?

"Security experts might be able to avoid these situations, but normal consumers have to live with it," said Robert Hansen, CEO/Founder of security consulting firm secTheory, during a session he led at Black Hat. "We're really stuck with what we've got. I'm not sure there's a simple way to fix this." So, until the networking and security communities come together to address this risk at the root level, organizations will have to continue to rely on the security companies to combat the attacks coming from these protocols - primarily through traditional security measures and other network/application/device control protections.

Web-Based Attacks Gain Power

Web-based attacks remain a hot topic. The Google Web Toolkit (GWT), for example, allows for some of the quickest, slickest web-based applications to be built today. But the framework, built entirely in JavaScript, provides significant support for remote procedure calls (RPC). While the engineer has the option to securely implement the RPC, it turns out that insecure remote functionality is very common via the GWT. And, you guessed it, these insecure implementations result in vulnerabilities that can be exploited to compromise these pretty, slick web applications.

Even with the PCI requirement to store cardholder data in an encrypted fashion, hackers have found ways to bypass database encryption methods by using SQL injections through web applications in order to gain an escalation of privilege. With these newly acquired SYS-level privileges, hackers can obtain clear text data from an Oracle database backend - regardless of whether or not the data is stored as encrypted content in the database.

The standard response to these types of risks include employing web filtering, application control, and vulnerability assessment technologies, coupled with selecting securely built applications from your business solution vendors. If your organization is building custom web applications, these applications should be built using secure coding best practices while leveraging tools and services to validate that what has been built was done securely.

Social Networking Hides Hazards

The most obvious risk in the widespread use of social networks is the amount of publicly available and seemingly unimportant data that can be joined together in order to create extremely valuable information. For example, your company's sales representative might tweet that he is "heading to North Carolina to close a deal with a large bank." Imagine how valuable this seemingly innocuous information could be to your competitor.

Additionally, since social networks are a great way to connect people with like-minded objectives, they have also become a place for hackers to communicate, collaborate and share information. It's become even easier for exploit samples to make their way around the hacker community thanks to the ubiquity of social networks.

Social networks are also a great environment for social engineering. False, yet realistic-looking identities can be created in order to establish connections and friendships with strategically selected individuals, which can then be used to gain access to sensitive information. Who does your CEO have as friends on Facebook?

A lot of the risk here comes from activities outside of the organization, and therefore, mostly out of the control of the CSO/CIO. To manage the risk on the inside, organizations can leverage well-defined policies and related application control technologies to prevent the use of social networks within the workplace. There is no technical control over the personal use of these technologies outside the workplace, and therefore written HR policy will need to be the primary control in these situations. The policy will need to guide the employees to keep company-related information out of the social space, unless, of course, their job specifically calls for it. As for the act of social engineering, organizations should consider monitoring the top social networks (Facebook, Twitter, LinkedIn, MySpace, and others relevant to your industry) to see who is saying what about your company; you may just find identities, both real and fake, (mis-)representing the company in ways you don't want.

Sean Martin, CISSP, is founder of imsmartin consulting. He can be reached at sean@imsmartinc.com