This tip is part of SearchSecurity.com's Enterprise Security 2008 Learning Guide.
It's that time of year again when we security pundits must climb up on our soapboxes and make sagacious predictions about the year ahead. My 2008 expectations focus on two non-traditional threat vectors: virtualization and voice over IP. Last year, there were early signs of security problems for each of the technologies, including significant vulnerabilities. Despite this, VoIP and virtualization have still managed to experience explosive growth, to the point where it wouldn't be surprising if significant VoIP or virtualization security concerns continued this year.
Virtualization becomes a target
The virtualization market grew significantly in 2007, thanks to organizations' desires to reduce the physical data center footprint and increase the utilization of hardware resources. Virtualization caught the interest of the bad guys as well.
Today's attackers are rushing to find virtualization vulnerabilities. One of their main goals is to escape the virtual machine: breaking out of the guest operating system to gain access to the underlying host. Pete Lindstrom, senior analyst with the Burton Group research firm, summed up the competitive and pressing atmosphere well when he said "attackers and enterprise architects are neck and neck on the backstretch when it comes to virtualization security."
During 2007, Ed Skoudis and a consulting team at Intelguardians demonstrated the ability to conduct an escape attack against VMware Workstation. Don't be surprised to see similar exploits against enterprise-class virtualization technology in 2008.
How can you protect yourself when deploying virtualization in the enterprise? Here are a few thoughts:
VoIP threats materialize
Love it or hate it, VoIP is here to stay. Juniper Research predicted in 2006 that the VoIP market will grow to $18 billion in annual revenue by 2010. E
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
ven if you're not already using VoIP in your enterprise, the chances are good that someone is sitting in a conference room right now talking about a potential migration.
Up until a couple of months ago, VoIP security was mainly theoretical. There was much wailing and gnashing of teeth over the fact that the world was embracing an emerging technology without first putting time and attention into securing it. (If that story sounds vaguely familiar, it's the same one we heard about the Internet a decade or so ago!)
SearchSecurity.com's Senior News Writer Bill Brenner borrowed a phrase from Malcolm Gladwell when he summed up the VoIP discussions at Black Hat 2007. Brenner stated that VoIP security is reaching a tipping point, with many easy-to-attack protocols in wide use. Don't be surprised to see it "tip over" in 2008.
A major VoIP exploit hit the public stage a few months ago when a researcher named Joffrey Czarny gave a presentation demonstrating a successful remote eavesdropping attack against Cisco Unified IP phones. Cisco acknowledged the vulnerability and released a workaround.
Here are a few simple ideas that can protect an organization against VoIP risks:
This is by no means a comprehensive primer of the emerging threats to watch for in the year ahead, but there's little question that VoIP and virtualization security issues will affect just about every enterprise information security professional sooner or later. Remember to keep your eyes open throughout 2008 and be prepared to react as the threat landscape evolves.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
