Virtualization.com

News and insights from the vibrant world of virtualization and cloud computing

security

Payment Card Industry Lacks Virtualization-Specific Requirements For Security Audits

April 30, 2008 by Robin Wauters

Good catch by Eric Siebert over at the Server Virtualization Blog: the Payment Card Industry’s data security standards (PCI DSS), the requirements set forth by the major credit card players (Visa, Mastercard, American Express and Discover) to protect credit card data, apparently don’t have any virtualization-specific requirements in place so far.

“Having just survived another annual PCI compliance audit, I was again surprised that the strict standards for securing servers that must be followed contain nothing specific concerning virtual hosts and networks. Our auditor focused on guest virtual machines (VMs), ensuring they had up-to-date patches, locked-down security settings and current anti-virus definitions. But ironically, the host server that the virtual machines were running on went completely ignored. If the host server was compromised, it wouldn’t matter how secure the VMs were because they could be easily accessed. Host servers should always be securely locked down to protect the VMs which are running on them.”

Read the rest of the blog post here.

Is Virtualization The Biggest Security Vulnerability In IT Today?

April 9, 2008 by Robin Wauters

The question is asked by Forbes Senior Reporter Andy Greenberg, who attended the security industry’s big annual confab, the RSA Conference, and wrote up an article aptly titled ‘Virtualization’s Dark Side’. He writes:

“In the past few months, security researchers have revealed bugs in practically every piece of virtualization software, including products from virtualization heavyweights VMware and Microsoft.

Exploiting those bugs, attackers can use what researchers call “virtual machine escape,” or “hyperjacking.” By taking control of the hypervisor, the piece of software that controls all the virtual computers within a machine, an attacker can “escape” from any single virtual computer hosted on the machine and quickly multiply his or her access to a company’s data.”

Virtualization security researchers and experts were quick to point out the weaknesses of virtualization and several techniques for breaching its security.

Joanna Rutkowska, the founder of security research firm Invisible Things Lab, reportedly described a new type of virtualization-based malware that could be used to take control of a machine running virtualization software. Because virtualization allows companies to store many virtualized software “images” of computers on a single physical machine, an attack like the one Rutkowska envisions would allow a hacker “not only to control a single machine but to siphon data from any virtual machine it contains”.

Rutkowska also described how an intruder could install what she calls a “blue pill,” a second, malicious hypervisor that controls the original hypervisor and all of the virtual machines beneath it.

Fortunately, she also said that the attacks she discussed are likely too new to have ever been used by real-world cybercriminals, and are unlikely to become common.

What do you think?

Third Brigade Wants In On The Virtualization Security Conversation

April 7, 2008 by Robin Wauters

There’s lots of conversation going on about virtualization and security (e.g. InformationWeek’s take), and now Third Brigade is anxious to be included in the conversation. The company issued a press release today with a presentation of their new approach to virtualized security.

Third Brigade announced a new licensing model designed to address the accelerated adoption of virtual environments and help customers achieve the lowest total cost of ownership for virtualization security. Third Brigade licensing now allows for an unlimited number of virtual machines to be protected per physical server. The company also introduced a new, coordinated approach to intrusion defense for virtualized environments that will deliver better data protection than can be achieved by virtual security appliances.

When asked why Third Brigade’s approach to virtualization security is better, Wael Mohamed, President and CEO of Third Brigade, said:

“The biggest threat left exposed by omitting virtual machine-based security, or relying solely on virtual security appliances, is the potential for one compromised virtual machine to be used to launch an attack against another virtual machine. An appliance or gateway model can’t see, and prevent, the malicious traffic between the VMs; Third Brigade can.” Mr. Mohamed continued, “We also believe sophisticated security coordination will be required between a security agent on a virtual machine and a security agent leveraging the VMsafe APIs, when they are available. We have created an attractive licensing model that will enable customers to take advantage of these advanced features.”

The new licensing model helps accelerate mission critical virtual deployments and removes any barriers to delivering best-of-breed security capabilities to every VM by allowing an unlimited number of VMs to be protected per physical server. For customers that are moving to, or have mixed physical and virtual environments, Third Brigade licenses are portable as a server is transitioned from the physical to virtual world. Pricing is also available for individual virtual machine instances for enterprises that have unique security requirements.

[Source: press release]

McAfee Wants To Secure Virtualization

March 17, 2008 by Robin Wauters

McAfee, one of the world’s leading security companies, today unveiled what it refers to as the industry’s first service designed to help organizations securely deploy virtualization technologies.

As part of its strategy to provide the most complete solution for secure virtualization, McAfee Foundstone Professional Services also outlined a set of security guidelines covering people, processes and technology to educate enterprises adopting virtualization technologies.

“With the popularity of virtualization and the rush to reap its benefits, companies may not always follow the best security best practices,” said Patrick Hayati, Regional Director McAfee, Middle East. “Many of the security practices that work in physical computing environments also work in the virtual world, yet there are some unique requirements. Our new service will help customers meet the security requirements of these new virtual environments.”

McAfee offers additional insight into securing virtual environments in “Virtualization and Risk – Key Security Considerations for your Enterprise Architecture,” a new paper available at http://www.mcafee.com/virtualization. For more information about the Foundstone Virtual Infrastructure Security Assessment service visit www.foundstone.com/virtualization.

[Source: Al Bawaba]

Video: Interview Greg Ness, VP Marketing with Blue Lane Technologies (VMworld Europe 2008)

March 5, 2008 by Robin Wauters

The interview below is part of our Virtualization Video Series, a recurring theme we want to implement on Virtualization.com featuring interviews with key players from the industry, event reports, etc.

This interview was recorded at VMWorld Europe 2008 in Cannes, France, and features Greg Ness, VP Marketing with Blue Lane Technologies.

Interviewer: Tarry Singh
Video blogger: Charbax
