This tip is part of SearchSecurity.com's Enterprise Security 2008 Learning Guide.
It's that time of year again when we security pundits must climb up on our soapboxes and make sagacious predictions about the year ahead. My 2008 expectations focus on two non-traditional threat vectors: virtualization and voice over IP. Last year, there were early signs of security problems for each of the technologies, including significant vulnerabilities. Despite this, VoIP and virtualization have still managed to experience explosive growth, to the point where it wouldn't be surprising if significant VoIP or virtualization security concerns continued this year.
The virtualization market grew significantly in 2007, thanks to organizations' desires to reduce the physical data center footprint and increase the utilization of hardware resources. Virtualization caught the interest of the bad guys as well.
Today's attackers are rushing to find virtualization vulnerabilities. One of their main goals is to escape the virtual machine: breaking out of the guest operating system to gain access to the underlying host. Pete Lindstrom, senior analyst with the Burton Group research firm, summed up the competitive and pressing atmosphere well when he said "attackers and enterprise architects are neck and neck on the backstretch when it comes to virtualization security."
During 2007, Ed Skoudis and a consulting team at Intelguardians demonstrated the ability to conduct an escape attack against VMware Workstation. Don't be surprised to see similar exploits against enterprise-class virtualization technology in 2008.
How can you protect yourself when deploying virtualization in the enterprise? Here are a few thoughts:
- Separate virtual environments by sensitivity. The degree of separation may depend on your budget and complexity tolerance, but it's a wise idea to keep data of dramatically different sensitivity levels in their own virtual environments. For example, it would not be a great idea to have a virtual instance hosting your public Web server and a second instance hosting your internal database server and living within the same virtual environment.
- Remember the old-fashioned stuff. Everything you've learned about operating system security is still true with virtualized servers. Lock down your systems by eliminating unnecessary services, tightening host firewalls and applying security patches. If you reduce your footprint and deny the bad guys an entry point onto your systems, you'll lower the likelihood of an attack.
- Watch the news and get ready to react quickly. Some unlucky enterprises will be victimized by a zero-day virtualization exploit. Statistically speaking, it probably won't be yours. But when the news hits the wire, the bad guys are going to read it just as quickly as you will. Keep your eyes peeled and take quick action to avoid being part of the second wave of victims.
Love it or hate it, VoIP is here to stay. Juniper Research predicted in 2006 that the VoIP market will grow to $18 billion in annual revenue by 2010. Even if you're not already using VoIP in your enterprise, the chances are good that someone is sitting in a conference room right now talking about a potential migration.
Up until a couple of months ago, VoIP security was mainly theoretical. There was much wailing and gnashing of teeth over the fact that the world was embracing an emerging technology without first putting time and attention into securing it. (If that story sounds vaguely familiar, it's the same one we heard about the Internet a decade or so ago!)
SearchSecurity.com's Senior News Writer Bill Brenner borrowed a phrase from Malcolm Gladwell when he summed up the VoIP discussions at Black Hat 2007. Brenner stated that VoIP security is reaching a tipping point, with many easy-to-attack protocols in wide use. Don't be surprised to see it "tip over" in 2008.
A major VoIP exploit hit the public stage a few months ago when a researcher named Joffrey Czarny gave a presentation demonstrating a successful remote eavesdropping attack against Cisco Unified IP phones. Cisco acknowledged the vulnerability and released a workaround.
Here are a few simple ideas that can protect an organization against VoIP risks:
- Follow best practices for VoIP network security. For example, consider placing all VoIP phones on separate, secured VLANs to protect against rogue devices that may eavesdrop on intranet voice communications. Protect that VLAN against the introduction of unauthorized devices. Once you've isolated your VoIP devices, limit their inbound and outbound traffic so that they can only communicate with their call manager.
- Encrypt calls that travel over public networks. Encryption technology is somewhat spotty at this point and is not available from all vendors for all VoIP systems. Take some time to research available options for your VoIP deployment.
- Watch the news and get ready to react quickly. Does that sound familiar? It's the same advice you just read about virtualization, and it's just as relevant for VoIP or any other emerging technology.
This is by no means a comprehensive primer of the emerging threats to watch for in the year ahead, but there's little question that VoIP and virtualization security issues will affect just about every enterprise information security professional sooner or later. Remember to keep your eyes open throughout 2008 and be prepared to react as the threat landscape evolves.
Enterprise Security 2008 Learning Guide
Malware trends suggest new twists on old tricks
Addressing VoIP and virtualization
Assessing access management
Building trust into the application development process
Security management in 2008: What's in store
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.