This tip is part of SearchSecurity.com's Enterprise Security 2008 Learning Guide.
It's that time of year again when we security pundits must climb up on our soapboxes and make sagacious
More information on virtualization
Expert Ed Skoudis sets the record straight and explains what virtualization technology can and can't do.
Lenny Zeltser explains how VMware can be used for malware analysis.
The virtualization market grew significantly in 2007, thanks to organizations' desires to reduce the physical data center footprint and increase the utilization of hardware resources. Virtualization caught the interest of the bad guys as well.
More information on virtualization
Today's attackers are rushing to find virtualization vulnerabilities. One of their main goals is to escape the virtual machine: breaking out of the guest operating system to gain access to the underlying host. Pete Lindstrom, senior analyst with the Burton Group research firm, summed up the competitive and pressing atmosphere well when he said "attackers and enterprise architects are neck and neck on the backstretch when it comes to virtualization security."
During 2007, Ed Skoudis and a consulting team at Intelguardians demonstrated the ability to conduct an escape attack against VMware Workstation. Don't be surprised to see similar exploits against enterprise-class virtualization technology in 2008.
How can you protect yourself when deploying virtualization in the enterprise? Here are a few thoughts:
- Separate virtual environments by sensitivity.
Love it or hate it, VoIP is here to stay. Juniper Research predicted in 2006 that the VoIP market will grow to $18 billion in annual revenue by 2010. Even if you're not already using VoIP in your enterprise, the chances are good that someone is sitting in a conference room right now talking about a potential migration.
Up until a couple of months ago, VoIP security was mainly theoretical. There was much wailing and gnashing of teeth over the fact that the world was embracing an emerging technology without first putting time and attention into securing it. (If that story sounds vaguely familiar, it's the same one we heard about the Internet a decade or so ago!)
SearchSecurity.com's Senior News Writer Bill Brenner borrowed a phrase from Malcolm Gladwell when he summed up the VoIP discussions at Black Hat 2007. Brenner stated that VoIP security is reaching a tipping point, with many easy-to-attack protocols in wide use. Don't be surprised to see it "tip over" in 2008.
A major VoIP exploit hit the public stage a few months ago when a researcher named Joffrey Czarny gave a presentation demonstrating a successful remote eavesdropping attack against Cisco Unified IP phones. Cisco acknowledged the vulnerability and released a workaround.
Here are a few simple ideas that can protect an organization against VoIP risks:
- Follow best practices for VoIP network security.
This is by no means a comprehensive primer of the emerging threats to watch for in the year ahead, but there's little question that VoIP and virtualization security issues will affect just about every enterprise information security professional sooner or later. Remember to keep your eyes open throughout 2008 and be prepared to react as the threat landscape evolves.
Enterprise Security 2008 Learning Guide
Malware trends suggest new twists on old tricks
Addressing VoIP and virtualization
Assessing access management
Building trust into the application development process
Security management in 2008: What's in store
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
This was first published in January 2008