Suspended virtual images can reintroduce old threats

Organizations have been utilizing virtualization at deeper levels than ever in the past few years, but one expert from Trend Micro has warned that there may be virtualization security vulnerabilities left unaccounted for by organizations. CSO.com spoke with Trend technical consultant Michael Gioia, who said while these services are able to easily allow organizations to deploy server and desktop images, the process means that these images will only be able to have security protections that were in place when it was posted. Attendees at the VMware Series 2013 conference in Melbourne, Australia, were warned by him that these images were vulnerable to exploits that have been since been patched, thereby creating something of a security hole in these virtualized environments.

“When you turn on the machine it needs to come up to spec,” Gioia said, explaining the problem of ‘instant-o gaps’. “You have tools to cater for that updating, but there’s always going to be that delta. … I have clients today that have Conficker running around their networks. It’s fine, and we will catch it – but it means that it’s on your network somewhere. It’s often because of that instant-on gap, from something that has been turned off for a long period of time and reactivated with out-of-date security.”

Using these old images can lead to even more clones and an awful security posture, Gioia told the crowd, saying that the threats out in the wild are now more sophisticated and targeted. These leaves these security holes looking even more wide open than they otherwise would have, so organizations need to update virtual machines to help quell these attacks and their negative effects.

Most likely, the easiest solution for organizations would be to regularly update the malware scanners these virtual machines are using to make sure protection is happening throughout the entire network. However, Gioia told the Melbourne crowd that this will create spikes in demand that organization need to anticipate and address.

Best practices for securing virtualized environments
TechTarget’s Thomas Ptacek wrote on the website about some best practices for keeping virtualization security in tact, saying enterprises cannot silo virtualization security out on its own. He spoke with Christofer Hoff, chief security architect at Unisys and an expert on virtualization security, who said the organizational impact of the virtualized environment can be “profound” when it is done correctly, but said many organizations are getting caught “flat-footed” and network teams are throwing out roadblocks for deployments. This causes silos and a lot of fragmented architectures.

Properly pushing virtualization out gives organizations that may have previously failed a second chance to get their IT security playbook done correctly, Ptacek said. Administrators deploying this solution need to have a plan for staging and patching the virtual machines in place and security teams must have policies in place for deployment and configuring the environment.

Another best practice for virtualization security from Ptacek is to never ignore the inherent risks, such as silos and holes, that may be in place within a company’s environment.

“Don’t overlook backup, either,” he wrote. “Checkpointing and snapshoting capabilities in virtualization software are giving rise to a cottage industry of special-purpose products that promise to streamline backup storage for systems like VMware ESX. There is no more sensitive function in IT than backup and disaster recovery, which handle vast quantities of protected information. Be sure your backup vendor understands that.”

Enterprises must also carefully parse their options for virtualization security, as IT professional Marty Roesch told Ptacek that each company needs to find the option that fits best for them, as policies for how security will be enforced is likely the most important issue at hand.

Virtualization Security News from SimplySecurity.com by Trend Micro.

CATEGORIES

Cloud Security , Cybercrime, Data Privacy

TAGS

Opinions & Education