Enterprise security in 2008: Addressing emerging threats like VoIP and virtualization

It's that time of year again when we security pundits must climb up on our soapboxes and make sagacious predictions about the year ahead. My 2008 expectations focus on two non-traditional threat vectors: virtualization and voice over IP. Last year, there were early signs of security problems for each of the technologies, including significant vulnerabilities. Despite this, VoIP and virtualization have still managed to experience explosive growth, to the point where it wouldn't be surprising if significant VoIP or virtualization security concerns continued this year.

More information on virtualization Expert Ed Skoudis sets the record straight and explains what virtualization technology can and can't do. Lenny Zeltser explains how VMware can be used for malware analysis.

Virtualization becomes a target
The virtualization market grew significantly in 2007, thanks to organizations' desires to reduce the physical data center footprint and increase the utilization of hardware resources. Virtualization caught the interest of the bad guys as well.

Today's attackers are rushing to find virtualization vulnerabilities. One of their main goals is to escape the virtual machine: breaking out of the guest operating system to gain access to the underlying host. Pete Lindstrom, senior analyst with the Burton Group research firm, summed up the competitive and pressing atmosphere well when he said "attackers and enterprise architects are neck and neck on the backstretch when it comes to virtualization security."

During 2007, Ed Skoudis and a consulting team at Intelguardians demonstrated the ability to conduct an escape attack against VMware Workstation. Don't be surprised to see similar exploits against enterprise-class virtualization technology in 2008.

How can you protect yourself when deploying virtualization in the enterprise? Here are a few thoughts:

• Separate virtual environments by sensitivity. The degree of separation may depend on your budget and complexity tolerance, but it's a wise idea to keep data of dramatically different sensitivity levels in their own virtual environments. For example, it would not be a great idea to have a virtual instance hosting your public Web server and a second instance hosting your internal database server and living within the same virtual environment.
• Remember the old-fashioned stuff. Everything you've learned about operating system security is still true with virtualized servers. Lock down your systems by eliminating unnecessary services, tightening host firewalls and applying security patches. If you reduce your footprint and deny the bad guys an entry point onto your systems, you'll lower the likelihood of an attack.
• Watch the news and get ready to react quickly. Some unlucky enterprises will be victimized by a zero-day virtualization exploit. Statistically speaking, it probably won't be yours. But when the news hits the wire, the bad guys are going to read it just as quickly as you will. Keep your eyes peeled and take quick action to avoid being part of the second wave of victims.

More information on VoIP A reader asks network security expert Mike Chapple, "Will deploying VoIP on an 802.1x network create security problems?" Nemertes research analyst John Burke explains the threats to a unified communications infrastructure.

VoIP threats materialize
Love it or hate it, VoIP is here to stay. Juniper Research predicted in 2006 that the VoIP market will grow to $18 billion in annual revenue by 2010. Even if you're not already using VoIP in your enterprise, the chances are good that someone is sitting in a conference room right now talking about a potential migration.

Up until a couple of months ago, VoIP security was mainly theoretical. There was much wailing and gnashing of teeth over the fact that the world was embracing an emerging technology without first putting time and attention into securing it. (If that story sounds vaguely familiar, it's the same one we heard about the Internet a decade or so ago!)

SearchSecurity.com's Senior News Writer Bill Brenner borrowed a phrase from Malcolm Gladwell when he summed up the VoIP discussions at Black Hat 2007. Brenner stated that VoIP security is reaching a tipping point, with many easy-to-attack protocols in wide use. Don't be surprised to see it "tip over" in 2008.

A major VoIP exploit hit the public stage a few months ago when a researcher named Joffrey Czarny gave a presentation demonstrating a successful remote eavesdropping attack against Cisco Unified IP phones. Cisco acknowledged the vulnerability and released a workaround.

Here are a few simple ideas that can protect an organization against VoIP risks:

• Follow best practices for VoIP network security. For example, consider placing all VoIP phones on separate, secured VLANs to protect against rogue devices that may eavesdrop on intranet voice communications. Protect that VLAN against the introduction of unauthorized devices. Once you've isolated your VoIP devices, limit their inbound and outbound traffic so that they can only communicate with their call manager.
• Encrypt calls that travel over public networks. Encryption technology is somewhat spotty at this point and is not available from all vendors for all VoIP systems. Take some time to research available options for your VoIP deployment.
• Watch the news and get ready to react quickly. Does that sound familiar? It's the same advice you just read about virtualization, and it's just as relevant for VoIP or any other emerging technology.

This is by no means a comprehensive primer of the emerging threats to watch for in the year ahead, but there's little question that VoIP and virtualization security issues will affect just about every enterprise information security professional sooner or later. Remember to keep your eyes open throughout 2008 and be prepared to react as the threat landscape evolves.

Enterprise Security 2008 Learning Guide
  Malware trends suggest new twists on old tricks
  Addressing VoIP and virtualization
  Assessing access management
  Building trust into the application development process
  Security management in 2008: What's in store

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   Application and Platform Security,   Virtualization Security Issues and Threats,   Network Protocols and Security,   Enterprise Network Security,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics How to prepare for a secure network hardware upgrade Preventing SQL injection attacks: A network admin's perspective Screencast: How to launch an OpenVAS scan Wireless network guidelines for PCI DSS compliance Aligning network security with business priorities Scanning with N-Stalker offers basic Web application security assessment Lifecycle of a network security vulnerability Screencast: BackTrack 4 offers an arsenal of penetration testing tools Network access control technology: Over-hyped or underused? Screencast: Smoothwall offers firewall defense in lean times Virtualization Security Issues and Threats Cloud computing data security starts with internal strategy, experts say PCI virtualization SIG closer to proposing changes to standard Security challenges with cloud computing services Secure virtual desktop software enables remote client security Security threats to virtual environments less theoretical, more practical At VMworld 2009, companies focus on virtual desktops for security Security fundamentals remain focus of virtualization deployments How to implement virtual firewalls in a complex network infrastructure How to find virtual machines for greater virtualization compliance Quiz: Virtualization and compliance Network Protocols and Security Expert calls SSL protocol vulnerability a non issue How to prevent phishing attacks with social engineering tests How SSL-encrypted Web connections are intercepted DNSSEC deployment challenges can be overcome Microsoft issues SMB vulnerability advisory, patch pending Microsoft repairs Windows media, TCP/IP vulnerabilities How to test IPv6 infrastructures DNSSEC deployments gain momentum since Kaminsky DNS bug Kaminsky interview: DNSSEC addresses cross-organizational trust and security How to create secure Windows FTP automation RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary 5 terms you need to know before you employ VoIP  (SearchSecurity.com) digest authentication  (SearchSecurity.com) IGP  (SearchSecurity.com) IP spoofing  (SearchSecurity.com) Secure Sockets Layer  (SearchSecurity.com) smurfing  (SearchSecurity.com) Transport Layer Security  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.