As anyone could have predicted, virtualization is gradually being adopted by more and more organizations. And why not? It saves space, uses less electricity, and ultimately saves a company money on its IT infrastructure. What could possibly go wrong?
As it turns out, there are an alarming number of insecure virtual servers out there. A Gartner study from a few years ago suggested that virtual servers already outnumbered physical ones (that gap has narrowed in recent years, and I'd say the split is about 50/50 now).
Why Are We Ignoring Virtualization Security?
Insecure virtual servers have nothing to do with the inherent concept of virtualization; they come from how operations teams naively implement it.
The same Gartner survey found that 40 percent of virtualization deployment projects did not involve the information security team in the initial architecture and planning stages. Operations teams feel that nothing is really changing: the same workload is just moving from a physical server to a virtual one. Or sometimes people simply assume that virtualization is inherently secure.
Meet the Hypervisor, Your Target for Cyber Attacks
That assumption ignores the new layer of software, the hypervisor (also called the virtual machine monitor, or VMM), which brings security issues of its own. The hypervisor enters the security picture as soon as workloads are virtualized, and it changes the basic operation of the server, opening up new vulnerabilities.
The hypervisor has privileged access to every guest on the host, which makes it a juicy target for cyber-attacks. Take control of the hypervisor and you control just about everything running on it, including guests whose own hardening is flawless. Many virtualization deployments are still not paying attention to this. Access to the hypervisor, and to its management interfaces, must be tightly controlled.
How Can you Make Sure your Virtual Servers are Secure?
To correct this common oversight, an organization's security team needs to be part of the virtualization discussion from the very beginning. They need to make clear that virtualized systems are not inherently secure and require the same monitoring as physical systems. Finally, administrative access to the hypervisor must be tightly controlled, logged, and monitored.

You may not know this but right now a war is being waged between your end users and your IT department. One side wants to do their jobs more effectively in the way they know how, and the other side wants to keep the company secure.
It’s an internal combative relationship found within most organizations. Users attempt to sneak in instant messaging software, use BitTorrent and P2P file sharing, access company data with their unauthorized mobile devices, and store data on USB flash drives.
Why are end users trying to destroy your IT security? Well, despite what it may seem to the security engineers who have to corral end users into the IT safe zone at all times, the end users are just trying to do their job in the easiest and most efficient way they know how. That doesn’t sound so bad does it?
Ease of Use Trumps Security for End Users
Instant messaging, typically a big no-no for IT security, is a fast and convenient way of exchanging information, information end users need to do their jobs. USB flash drives are another quick and easy way to move data from one place to another. And smartphones let end users reach vital data while on the go.
The point is that end users break security policy because they want to do their jobs better and not for any heinous reason. And instead of spending all our energy fighting against this and keeping them in line, we should be working with them to accommodate their needs.
In a way, it's our fault that end users violate security policy: we haven't given them tools, or shown them ways, to work just as effectively within the security guidelines. Instead, we hand them strict rules that they inevitably circumvent, creating more security problems than we solve.
Ending the War and Finding Common Ground
End users are going to keep bringing in outside hardware and software if they are more comfortable using it. IT security can't fight this forever. What we can do is treat it as an opportunity to learn what end users actually need, and then find new, secure solutions that meet those needs.
Working with end users as opposed to against them also allows the IT department to be more aware of what’s going on. And end users will be more inclined to follow IT policy if they feel the department is working to help them achieve their ends. But the more quarrelsome the relationship between end users and IT becomes, the more end users will fight against policy and subvert it – to the detriment of the entire organization.

Unless you are an extraterrestrial, you probably don’t want planet Earth to be reduced to an inhospitable wasteland. And you’ve probably heard that “going green” can greatly reduce the negative impact your business has on the environment. But times are tough. If your business is struggling to just stay afloat during a recession, how can you be expected to worry about the whole planet too?
There’s good news. Saving money and going green do not have to be mutually exclusive. Some green IT solutions actually help save you money while saving the earth at the same time.
Start with the easy stuff. Turning off PCs and monitors after business hours can save 40 percent on your electricity bill. That’s an obvious one. But did you also know you can set timer switches on your printers to automatically turn off when they aren’t in use? That’s less drain on the planet’s resources, and more money in your pocket.
If you drop your desktop printer altogether and switch to a multi-function device, you can have fewer electronic devices running in the office. If the printer is duplex, now you’re saving on paper too.
Data centers are a big area where green IT can create an impact. Server consolidation through virtualization can save on the cost to buy, maintain, administrate, and power multiple servers. At the same time, you’re using less energy and fewer physical resources to accomplish the same thing.
A Salesforce.com study found that processing data in the cloud was 95 percent more carbon efficient than doing so on-premises, because a shared cloud does not need the same hardware and resources as dedicated physical servers. Cloud computing saves money too, of course, with some estimates as high as 50 percent on hardware and 90 percent on management. A report by the Carbon Disclosure Project estimated that cloud computing could save businesses $12.3 billion annually by 2020.
An unnecessary hardware upgrade is also a wasteful and expensive practice. Instead of buying new hardware each year, you should question the business case of the upgrades. Avoidable hardware refreshes not only cost you more, but they waste time in staff retraining and other overheads involved.
If you do need new hardware, there are many affordable, energy efficient devices that will lower your overall consumption of electricity. As green initiatives increase in momentum, new energy-saving technologies are emerging every day.

I’ve noticed that there is often a communication breakdown when a security expert talks to upper management regarding exactly what is “risk.” While we may define risk as the probability of a threat overcoming security controls to exploit a vulnerability resulting in loss, the confusion lies in these assumed “security controls.” What security controls, if any, are we factoring in before gauging risk? For this reason, we need to clarify the difference between inherent risk and residual risk.
Inherent Risk – We can define inherent risk as the risk to a company in the absence of any security controls or actions that might alter, mitigate, or reduce either the likelihood or the impact of a data loss. In other words, the inherent risk of a system is the risk it poses "out of the box," before any processes, technologies, or people are put in place.
Residual Risk – The probability of loss that remains to systems that store, process, or transmit information after security measures or controls have been implemented. Implemented controls may include best practice control frameworks such as ISO 27002, and regulatory compliance requirements such as HIPAA or PCI.
Risk management is something that every one of us does every waking minute. Not a second goes by that we do not evaluate risk and make a decision based on our assessment. It becomes so automatic, that we are not entirely aware we are doing it.
A great example I like to use to illustrate the difference between inherent risk and residual risk is walking across the street. If you cross the street, there are a nearly infinite number of inherent risks. One of the inherent risks with a high probability and large impact would be getting hit by a car. So to mitigate this risk we implement the control of “looking left and right to check for oncoming traffic before crossing.” But this will not eliminate every possible risk and residual risks remain. For example, you could still be hit by a meteor because you did not look up.
Despite the devastating impact of such an event, we don't look up for meteors when crossing the street because the probability of one hitting us is so low. As security experts, our job is to determine when the cost of reducing a risk exceeds the expected cost of that risk occurring, and to stop spending at that point.
The purpose of defining inherent risk is so we can assess the residual risk and arrive at that optimal cost point:
Inherent Risk = Threats x Vulnerability
Residual Risk = Inherent Risk x Control Risk
Here Control Risk is the share of the inherent risk that the controls fail to remove, a factor between 0 and 1: a control that cuts the likelihood of loss by 95 percent leaves a Control Risk of 0.05.
The goal in the end is to link risk to budget.
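To show how the two formulas above turn into a budget decision, here is an added worked example; it is not code from the original post. It implements Inherent Risk = Threats x Vulnerability and Residual Risk = Inherent Risk x Control Risk over a small risk register, then asks for each entry whether the control removes more expected loss than it costs. The register entries are constructed, and the cost model (expected loss = probability x impact, in the same currency as the control cost) is an assumption added here so that risk can be linked to budget.

```python
"""Inherent vs residual risk, carried through to a budget decision.

Added illustration, not part of the original post. The register entries
are constructed and the cost model (expected loss = probability x impact)
is an assumption layered on top of the post's two formulas.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    threat: float         # likelihood, per year, that the threat acts (0..1)
    vulnerability: float  # likelihood it succeeds with no controls in place (0..1)
    impact: float         # loss if it does, in currency units
    control_risk: float   # share of inherent risk the proposed controls leave behind (0..1)
    control_cost: float   # annual cost of running those controls


def inherent_risk(r: Risk) -> float:
    """Inherent Risk = Threats x Vulnerability: probability of loss 'out of the box'."""
    return r.threat * r.vulnerability


def residual_risk(r: Risk) -> float:
    """Residual Risk = Inherent Risk x Control Risk: what is left after the controls."""
    return inherent_risk(r) * r.control_risk


def loss_avoided(r: Risk) -> float:
    """Expected loss, per year, that the controls remove (assumed cost model)."""
    return (inherent_risk(r) - residual_risk(r)) * r.impact


def control_is_worth_it(r: Risk) -> bool:
    """Fund the control only while it removes more loss than it costs."""
    return loss_avoided(r) > r.control_cost


def recommended_controls(register: List[Risk]) -> List[str]:
    """Names of the risks whose controls belong in the budget, biggest net benefit first."""
    funded = [r for r in register if control_is_worth_it(r)]
    funded.sort(key=lambda r: loss_avoided(r) - r.control_cost, reverse=True)
    return [r.name for r in funded]


# Constructed register: the post's street-crossing examples plus two IT risks.
REGISTER = [
    Risk("hit by a car while crossing", 0.9, 0.5, 100_000, 0.05, 0),             # looking both ways is free
    Risk("hit by a meteor while crossing", 1e-9, 1.0, 10_000_000, 0.5, 1_000),    # looking up is not
    Risk("unpatched internet-facing web server", 0.8, 0.6, 500_000, 0.2, 40_000),
    Risk("DDoS against the marketing site", 0.5, 0.8, 20_000, 0.1, 25_000),       # scrubbing costs more than the outage
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:40s} inherent={inherent_risk(r):.4f} residual={residual_risk(r):.4f} "
              f"avoided={loss_avoided(r):>10.2f} fund={control_is_worth_it(r)}")
    print("budget priority:", recommended_controls(REGISTER))
```

The meteor entry is the point of the exercise: its residual risk is tiny even with no control at all, so the control is not funded, while the web server control is funded ahead of everything else because it removes the most expected loss per unit of budget.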


ISO 27001 implementation and certification is a difficult sell for security analysts. When it comes to convincing upper management to take steps towards any information security goal, we have to keep in mind that they think in terms of investment versus benefit, or ROI.
This means that we have to clearly understand the benefits of ISO 27001 certification in order to make it palatable to decision-makers. There are several approaches to take here:
Compliance Readiness – ISO 27001 makes sense for organizations where information security compliance is already mandated by client, regulatory, or legal requirements. For financial, health, or government organizations that must comply with various regulations on data protection, privacy, and IT governance anyway, ISO 27001 provides a single management system whose controls can be mapped onto specific regimes such as SOX or HIPAA. In the language of upper management, "ISO 27001 implementation saves money on conforming to mandatory compliance regulations."
Customer Confidence – The key objective of ISO 27001 is to ensure that the confidentiality, integrity, and availability of critical data assets are assured. This can actually be a strong selling point and differentiator where not all competitors can make the same claim. ISO 27001 certification can give your organization a marketing edge, especially if it handles sensitive customer information.
Better Performance – While security is typically about the doom and gloom of loss prevention, we have to remind ourselves that better performance can be a welcome side effect of security measures such as ISO 27001 implementation. Fewer interruptions in service, less data leakage, and happier employees increase productivity and efficiency – and this means more money for the organization.
More Organization – By establishing a formal information security framework for implementing security controls and objectives, your organization will have practices in place that it can rely on as it grows in size and scope. Rather than scrambling to determine who has to decide what, who is responsible for certain information assets, or who has to authorize access to information systems, these roles are already defined by your ISO 27001 implementation. Your internal organization is strengthened by forcing you to define very precisely the responsibilities and duties regarding your security practices.


Most people still think that the security concerns of using work-related mobile devices are limited to leaving your iPhone in an airport bathroom. But the proliferation of mobile devices is presenting a new set of security challenges to businesses that encompass the same wireless and application security issues we’ve been dealing with for the last few decades.
If your employees use mobile devices to access sensitive company data wirelessly while outside the office, here are three areas of concern for your security department.
Lost Mobile Devices
The most obvious area of concern for security is the inherent mobility of mobile devices. Unlike the desktop computers of the past, employees use mobile devices to access their work on the go, outside the office. So if a device is lost or stolen, it is the security equivalent of a five-alarm fire. A skilled attacker can bypass the basic protection features and look for unencrypted credentials and cached sensitive data. Such unauthorized access is very hard to detect on your network because it originates from an approved device with valid credentials. The simplest preventative measure is the ability to remotely wipe a mobile device as soon as it is reported lost; since the wipe only lands once the device checks in, it needs to be backed by a screen lock and device encryption so the data is protected in the meantime.
Malware
We all knew it was just a matter of time before the same kinds of malware that have plagued PC users for the last decade began targeting mobile devices. Poison text messages grew 300% in 2010 and 400% in 2011. Right now, about 1 in every 100 texts you receive is a scam to get you to sign up for some worthless service with a monthly fee, or to download an app that will try to access your email, steal credentials from mobile banking applications, or read your passwords. App installation is the most common infection method, and Android's open platform is the most frequent target; however, BlackBerry and iOS users are not immune. Users should be advised to install apps only from reputable sources and to be extra suspicious of free apps, particularly ones that ask for permissions they have no reason to need.
Server Vulnerabilities
Sometimes security vulnerabilities originate not on the device but in the outside services it relies on. Mobile applications often have a server component the client talks to, such as an HTTP API or web service, and that server has its own set of security issues beyond the user's control: command injection, business and application logic flaws, and cross-site scripting among them. Attacks on a weak server can harvest the access credentials of every unwitting user of the mobile application, so the back end needs the same application security testing as any other web application.
Despite these serious concerns, it does not mean that businesses should discontinue utilizing mobility in favor of security. There are steps that can be taken to address these potential security issues that any business can follow. This video can walk you through managing your mobile devices by creating a secure environment.


You'd be surprised how many security vulnerabilities in major web applications are pointed out by grey hats. These noble hackers don't work for the company, and they don't intend to profit from the bug. They simply wish to notify the developers of the vulnerability so it can be corrected before it is exploited.
If only all hackers were so thoughtful and kindhearted. But, ultimately, the black hats are driven by money. So, if they can use their talent to discover vulnerabilities, why not pay them for it?
That's what the big dogs like Facebook and Google are doing. Users who discover bugs or vulnerabilities in their applications are being rewarded with cold hard cash. Grey hats can earn $500 or more per bug from Google, or up to $3,133.70 for "severe or unusually clever" vulnerabilities found in Chromium, the open-source project behind the Chrome web browser.
Such bounty programs are increasingly becoming the norm. Companies that have tried the practice say they get more bug reports, so they can fix the bugs and deliver a better experience for their users. At the same time, they can patch any vulnerabilities for a small fee given to the bounty hunter rather than risk the staggering costs of a major security breach.
But are companies that adopt bounty programs turning black hats into grey hats or are they simply paying off the bad guys? That’s how Microsoft sees this practice. They believe that instead of putting bounties on bugs, we should be putting them on the hackers who exploit them. After all, if they didn’t exist, then security vulnerabilities wouldn’t matter. That’s one way to look at it.
Some are also worried about the possibility of "double-dipping": a hacker could reveal the exploit, collect the bounty, then profit from the exploit anyway. "Hey, thanks for breaking into my house and taking my stuff. Here, have some more cash for your trouble."
For businesses, the debate here will inevitably boil down to the bottom line: Does it cost more to pay hackers for catching bugs than to have security vulnerabilities? The costs of the former are at least somewhat more predictable. The costs of poor security can range from nothing to everything. Just ask any company that ever had their clients’ credit card numbers stolen and shared on BitTorrent.
However, the truth is that companies should be taking responsibility to find and correct security vulnerabilities and bugs themselves rather than releasing them into the wild and waiting to hear about them from grey or black hats. Some of the most common vulnerabilities can be found on this checklist. Making sure none are affecting your company’s software can save you from costly security exploits and costly bounty hunting rewards.
Folks, we’re running out of IP addresses. With more people getting online, using more devices, from more parts of the world, we soon won’t be able to allocate enough IPv4 addresses for everyone. That’s the biggest reason we’ll all be moving soon to IPv6.
A few weeks ago, the Internet Society announced “World IPv6 Launch Day” for June 6, 2012. This is about one year after the “IPv6 Day” which test drove IPv6 for many prominent Internet businesses for a 24-hour period. The day was seemingly successful. The major providers reported users could access their sites fine and things were running smoothly.
That may be fine for Google and Facebook. But how will June 6 affect you, the SMB? Should you be worried about the switch to IPv6?
The answer is “maybe,” or, perhaps, “yes, if you’re not prepared.” In this case, some knowledge and awareness is the key to preparation. There are definitely a few things you should know before the big day.
Don't Rely on NAT for Obscurity – We've been using Network Address Translation to get around the limited address space. With the flood of addresses available in IPv6, NAT won't be needed anymore. But obscurity has been a side benefit of NAT: you may be relying on it to keep your internal servers unreachable from the Internet. That protection really comes from the stateful firewall sitting behind the NAT, not from the translation itself, so before you toss NAT in the dumpster make sure your firewall applies the same default-deny inbound policy to IPv6, or budget for equipment that can.
Don't Expect Automatic Encryption with IPv6 – IT professionals have been promoting a misconception that IPv6 is inherently more secure than IPv4 because it includes authentication and encryption. Don't overestimate this. IPsec is part of the IPv6 specification, but nothing turns it on for you: it still has to be configured, keyed, and deployed, and it carries the same operational problems it has under IPv4. So if you didn't encrypt with IPv4, you will have just as much trouble with IPv6.
Don't Believe Endless Addresses Drastically Improve Security – Another common misperception is that with IPv6 administrators can safely assign public IPs to every system. But if everyone has a public address, doesn't that make it easier for black hats to reach them and exploit any vulnerability? In theory an attacker would have to scan billions of addresses in each /64; in practice administrators assign predictable ones: prefix::1, ::2, ::3 for servers, the service port written into the address (::80 for the web server), the old IPv4 address embedded in the low bits, or auto-configured addresses built from a vendor's MAC prefix. A scan can be optimized around these patterns, and once one address is known, like the corporate web server, the rest come easy.
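To make the point concrete, here is an added example (not code from the original post) that starts from one known host on a /64 and enumerates the addresses that careless allocation makes guessable, then classifies addresses the way a defender might when reviewing an address plan. The prefix 2001:db8:1::/64, the IPv4 range 10.1.2.0/30 and the vendor OUI 00:50:56 are constructed for illustration; everything uses only the Python standard library.

```python
"""Enumerating predictable IPv6 addresses on a /64.

Added example, not code from the original post. Prefix, IPv4 range and
OUI below are constructed; only the standard library is used.
"""
import ipaddress
from typing import Iterable, Iterator

IPv6 = ipaddress.IPv6Address


def subnet_of(known_host: str, prefixlen: int = 64) -> ipaddress.IPv6Network:
    """One leaked address (DNS, a mail header, a log line) gives away the whole /64."""
    return ipaddress.ip_interface(f"{known_host}/{prefixlen}").network


def low_order_candidates(net: ipaddress.IPv6Network, count: int = 256) -> Iterator[IPv6]:
    """prefix::1, ::2, ... : hand-assigned servers and router addresses."""
    for i in range(1, count + 1):
        yield net[i]


def service_port_candidates(net: ipaddress.IPv6Network,
                            ports: Iterable[int] = (22, 25, 53, 80, 443, 8080)) -> Iterator[IPv6]:
    """Admins type the service port into the address literally, so the web
    server becomes prefix::80, which is hex 0x80 (128), not decimal 80."""
    for port in ports:
        yield net[int(str(port), 16)]


def ipv4_embedded_candidates(net: ipaddress.IPv6Network, v4_net: str) -> Iterator[IPv6]:
    """Dual-stack hosts often carry their IPv4 address in the IPv6 one, either
    packed (10.1.2.3 -> ::a01:203) or typed out group by group (::10:1:2:3)."""
    base = net.network_address.exploded[:19]          # "2001:0db8:0001:0000"
    for v4 in ipaddress.ip_network(v4_net).hosts():
        yield net[int(v4)]                            # packed 32-bit form
        a, b, c, d = str(v4).split(".")
        yield IPv6(f"{base}:{a}:{b}:{c}:{d}")         # decimal octets as hex groups


def eui64_address(net: ipaddress.IPv6Network, mac: str) -> IPv6:
    """Modified EUI-64: flip the U/L bit of the OUI and splice ff:fe into the middle."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return net[int.from_bytes(iid, "big")]


def eui64_candidates(net: ipaddress.IPv6Network, oui: str, serials: Iterable[int]) -> Iterator[IPv6]:
    """A known vendor OUI (VM hosts, one laptop model) shrinks the search from 2**64 IIDs to 2**24."""
    for serial in serials:
        mac = f"{oui}:{(serial >> 16) & 0xff:02x}:{(serial >> 8) & 0xff:02x}:{serial & 0xff:02x}"
        yield eui64_address(net, mac)


def classify(addr: str) -> str:
    """Defender's view: label interface identifiers an attacker could guess."""
    iid = IPv6(addr).packed[8:]
    if iid[3:5] == b"\xff\xfe" and iid[0] & 0x02:
        return "eui64"
    if int.from_bytes(iid, "big") < 0x10000:
        return "low-order"
    if iid[:4] == b"\x00\x00\x00\x00":
        return "ipv4-embedded"          # only the low 32 bits are populated
    return "unclassified"               # e.g. RFC 4941 privacy addresses


if __name__ == "__main__":
    net = subnet_of("2001:db8:1::80")                 # the corporate web server leaks the prefix
    print("scanning", net)
    sample = list(low_order_candidates(net, 3)) + list(service_port_candidates(net, (80, 443)))
    sample += list(ipv4_embedded_candidates(net, "10.1.2.0/30"))
    sample += list(eui64_candidates(net, "00:50:56", range(0xabcdef, 0xabcdf2)))
    for cand in sample:
        print(f"{str(cand):40s} {classify(str(cand))}")
```

The defensive use is the `classify` function: run it over your own address inventory, and every address that does not come back "unclassified" is one an attacker can reach without a brute-force scan. Randomised interface identifiers (RFC 4941 privacy extensions, or stable-but-opaque ones per RFC 7217) are the fix for the auto-configured case; for hand-assigned servers there is no substitute for filtering at the firewall.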
Don't Ignore Your Configuration – Making IPv6 easy to configure may turn out to be a mistake. Since IPv6 is enabled and functioning by default on modern operating systems, most admins who have no IPv6 rollout planned never bother to disable it. That means an attacker who gets onto the network can use IPv6 to communicate between machines and evade firewalls, network or host-based, that only filter IPv4. They can also tunnel IPv6 over IPv4 (6to4, Teredo, and ISATAP all do this automatically) to reach your IPv6-enabled hosts through a single IPv4 path. Scary stuff, I know.
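A quick way to catch the "IPv4 firewall, unfiltered IPv6" gap on a host is to compare its two rule sets. The following is an added example, not code from the original post: it parses the `-S` output format shared by `iptables` and `ip6tables`, strips the address arguments (which can never match between the two families), and reports chains whose default policy differs and IPv4 rules with no IPv6 counterpart. The two rule dumps are constructed; on a real host you would feed it the output of `iptables -S` and `ip6tables -S`.

```python
"""Checking that the IPv6 stack is filtered as tightly as the IPv4 one.

Added example, not from the original post. The rule dumps are constructed
in the `-S` format that iptables and ip6tables print.
"""
from typing import Dict, List, Set, Tuple

# Constructed dumps: IPv4 is locked down, IPv6 was left at the defaults.
IPTABLES_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

IP6TABLES_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

# Flags whose argument is an address: dropped before comparison, since the
# v4 and v6 versions of the same rule can never share one.
ADDRESS_FLAGS = {"-s", "-d", "--src-range", "--dst-range"}


def parse_dump(dump: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return ({chain: policy}, {normalised rule}) for one `-S` dump."""
    policies: Dict[str, str] = {}
    rules: Set[str] = set()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "-P":                    # -P CHAIN POLICY
            policies[tokens[1]] = tokens[2]
        elif tokens[0] == "-A":                  # -A CHAIN <match...> -j TARGET
            kept: List[str] = []
            skip_next = False
            for tok in tokens:
                if skip_next:
                    skip_next = False
                    continue
                if tok in ADDRESS_FLAGS:
                    skip_next = True             # drop the flag and its address argument
                    continue
                kept.append(tok)
            rules.add(" ".join(kept))
    return policies, rules


def ipv6_gaps(v4_dump: str, v6_dump: str) -> List[str]:
    """Findings a reviewer would raise about the IPv6 rule set, as plain strings."""
    v4_pol, v4_rules = parse_dump(v4_dump)
    v6_pol, v6_rules = parse_dump(v6_dump)
    findings: List[str] = []
    for chain, policy in v4_pol.items():
        v6_policy = v6_pol.get(chain, "missing")
        if v6_policy != policy:
            findings.append(f"policy mismatch: {chain} is {policy} for IPv4 but {v6_policy} for IPv6")
    for rule in sorted(v4_rules - v6_rules):
        findings.append(f"no IPv6 counterpart for: {rule}")
    return findings


if __name__ == "__main__":
    for finding in ipv6_gaps(IPTABLES_DUMP, IP6TABLES_DUMP):
        print(finding)
```

One caveat when you close the gaps this reports: an IPv6 INPUT chain with a DROP policy must still admit ICMPv6 neighbour discovery (types 133 to 137) and the other essential ICMPv6 messages described in RFC 4890, or the host will lose its IPv6 connectivity entirely. Copying the IPv4 rules across verbatim is not enough.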
So even though the big providers are optimistic, I’m sure we can expect some growing pains as we transition to IPv6. If you want to avoid these potential security problems, check out this report of all the issues you want to be aware of with the switch to IPv6. June 6 is still a ways away, but you don’t want to be among the SMBs caught on that day with their pants down.
Cyber-attacks can come from a variety of sources: foreign criminals, nation-states, script kiddies, hacktivists. But many still originate from the corporate sector; competing industries hacking into each others’ systems to steal company secrets. This shadiness in the business world is nothing new. But what you might not know is that even small and medium-sized businesses are increasingly becoming the target of this cyber-espionage.
According to a new report from PricewaterhouseCoopers, cyber-espionage is no longer restricted to governments and large international companies; small and medium-sized businesses are at risk too. PwC's report cites a confidential letter that MI5, the UK's security service, sent to 300 U.K. businesses warning them of a coordinated, web-based cyber-espionage campaign.
Unlike opportunistic attacks, industrial cyber-espionage is aimed at specific organizations. These attacks are usually classed as "advanced persistent threats" because the attackers have both the capability and the intent to target one entity over a long period of time. Ultimately, industrial cyber-espionage aims to gain an advantage, by theft, by damage, or both.
So what are your chances of being the target of industrial cyber-espionage? The answer depends on what your business does and what kind of competition you have. Charitable organizations are probably in the clear, but defense contractors are at a high risk of attack. If your company has any proprietary information that could benefit a competitor, or if a competitor has something to gain by causing harm to your business, then there is a risk.
But even if you take information security seriously to protect against outside attacks, what about attacks that originate inside your organization? It's rare, but disgruntled employees, bribed staff, or planted corporate spies may already be working within your company. They have intimate knowledge of your organization and of how your data is accessed, and armed with that knowledge, malicious insiders can be far more dangerous to your business than any outside threat.
In order to detect and stop these malicious insiders, check out this whitepaper How To Detect And Stop Malicious Insiders In Your Organization. It looks at what motivates them, how they might harm or steal your data, and what steps you can take to stop them.