All your eggs in one basket, privileged user access, no segregation of duties, little or no monitoring and no preventive controls

The rest of the story can be found here…

Compared to traditional monitoring tools for a physical network, tools for virtual systems may not provide the same level of insight or monitoring within intra-host communications or traffic flowing between VMs on a virtual network.

They then lead on to say:

Similarly, specialized tools for monitoring and logging virtual environments may be needed to capture the level of detail required from the multiple components, including hypervisors, management interfaces, virtual machines, host systems, and virtual appliances.

VMinformer can help organizations rapidly audit and monitor virtual environments that need to meet PCI-DSS compliance regulations. We ship with out of the box policy templates based on a number of industry standards including PCI-DSS. To find out how sign up for a no obligation 14-day trial here.

PCI Security Standards Virtualization Guidelines Reference -PCI-DSS Guidelines for virtualization

Sydney – 15 June 2011 - VMinformer, a pioneer in compliance, security and auditing for virtual environments, has announced a major expansion in its Australian partner channel with the addition of four new specialist security resellers based in NSW, Victoria and the ACT.

These latest additions to VMinformer’s network include IPSec, tru Information Security Management, Shearwater Solutions and CommsNet Group and were specifically appointed for their capacity to successfully embrace new technologies and deploy experienced skills which offer the level of security protection end user organisations have come to expect.

Based in Melbourne, IPSec is a specialist provider of information asset protection solutions and services to both the Australian private and public sectors.

“Today’s security infrastructure requires a comprehensive solution that provides security enforcement from the core to the edge of the network, both in the physical and virtual environments. We’re proud to partner with a technology virtualisation leader like VMinformer to provide our customers with a solution that significantly enhances network security and ensures optimum network uptime,” says David McDonald, Sales Director, IPSec.

Headquartered in Sydney, tru Information Security Management, a specialist provider of information security solutions, partners with leading security vendors to offer comprehensive solutions as well as network and security assessment services, architecture, design and deployment support.

“We are excited to announce our partnership with VMinformer. Virtualisation presents unique security challenges and our customers are increasingly aware that they need to review their security policies to address these issues. VMinformer uniquely delivers on those requirements and is an ideal addition to Tru ISM’s portfolio of virtualised and cloud security solutions,” says Simon Coffey, Managing Director, Tru Information Security Management.

Shearwater Solutions specialises in information security with offices in Sydney and Canberra. The company has a diverse client base across multiple industries including government finance, retail, manufacturing, telecommunications and service providers. Its services include designing, implementing and managing security solutions, vulnerability assessments, education, security reviews, vulnerability and penetration testing, audits, development of policies and procedures, and particularly work relating to AS/NZS ISO/IEC 27001 and PCI DSS certification.

Shearwater Solutions’ Principal Consultant, Mark Hofman, said, “As a security consultant and a PCI Council Qualified Security Assessor we provide compliance, auditing and security assessments. VMinformer provides us and our customers with an easy method to prove they are compliant with best practices. No other product provides that level of visibility into the virtualisation security posture of an organisation at the moment. The only way to do it currently is through a manual audit, which takes time and is prone to human error.”

Shearwater Solutions believes there is a growing need for VMinformer’s technology. The company’s general manager, Raymond Kantor, said, “Infrastructure managers are trying to virtualise anything and everything in the data centre. The problem is the hypervisor isn’t inherently secure and hardening guide standards are difficult to audit and control in such a fluid environment. There is a great opportunity for us as in our market (PCI-DSS security), virtualisation is now being specifically referred to in the latest payment card industry data security standard v2.0 and VMinformer is therefore very relevant to all companies with PCI compliance requirements.”

VMinformer has also appointed CommsNet Group based in the ACT which will assist in bolstering VMinformer’s growth in the Federal and ACT government market by deploying skills in assessment and project management deployment.

“We are thrilled to be extending our reseller network in Australia with security partners that offer depth and breadth of services. These partnerships are indicative of our commitment to continually serving the evolving needs of today’s businesses and we look forward to working with them to optimise the security framework for government and private sector virtualised environments”, said John Reeman, Founder and Chief Technology Officer.

VMinformer, a security, auditing and compliance solution for organisations using virtualisation technologies, provides visibility and assurance of an organisation’s security infrastructure and can be used both across an entire virtual infrastructure or in a more selective approach for clients, whilst maintaining the integrity of the virtual computing platform.

About VMinformer

VMinformer are pioneers in compliance, security and auditing for virtual environments.

Established in 2009 VMinformer have been helping organisations understand how security is an essential part of their virtualisation strategy. Providing both services and solutions VMinformer enables organisations to gain insight, visibility and control of their virtual world.

VMinformer is headquartered in Sydney with a regional office in the UK and sales representation in Europe, Japan and North America. VMinformer sells through partners who either have expertise in virtualisation or IT security.

VMinformer has been designed as an affordable technology for assessing the security posture and compliance of virtualised infrastructure. It has been
deployed in over 80 countries.

VMinformer was recently honoured as the winner of the SC Magazine (Australia) 2011 Innovation Award at the AusCERT 2011 conference on the Gold Coast.

For further information, please contact:

Patricia Gibson /David Bass
Bass Public Relations
patricia@basspr.com.au/
david@basspr.com.au
T: 02 9922 6820

The MOB as it is known is used mainly by developers or for debugging. It has direct access to the VMkernel so as well as allowing view access it allows changes to be made. It can be access over port 443 (HTTPS) and requires authentication using the ROOT account password. The MOB if left accessible is a dangerous interface in the hands of an attacker. Therefore it is recommended you disable it or restrict access to it through access control methods.

Remediation

1. Logon to the ESX/ESXi console using SSH or directly.
2. Change directories to /etc/vmware/hostd
3. Edit the following file proxy.xml but before doing so make a copy
4. Find the line "<pipeName>/var/run/vmware/proxy-mob</pipeName>"
5. Comment out or remove the entire section between "<e id=" and "</e>"
6. Then make sure that all "<e id=" are in sequence by renumbering them accordingly
7. Save the file

IMPORTANT: If you mess the file up then make sure you have a backup as you will effect the authentication process and access to the Host.

This info came to me from Eric Sloof over at NTPRO.NL it is a Mind Map for Troubleshooting vSphere Network Issues, which is really cool!

Go Check it out over at Eric’s site here…

“Air travel is statistically the safest transport type. Of course, there are many factors that make for safe airline travel. Arguably, sound aircraft maintenance is the hallmark of safe carriers. Each airliner has thousands of components. While operating, feedback is continuously sent back to the flight and maintenance crews. Standard practice in a well run airline”

How does this relate to virtualization, and virtualization security specifically?

“Well, the aircraft is the platform, our virtualization system. Everyone on-board it is safe, they have had a health check and we know as best we can that they carry no viruses. They have also been through security at the airport so we are firewalled from ‘the bad guys’. The problem is you are expecting me – as well as flying the plane to run all the maintenance. I have to keep the plane running to schedule – when we land, or even while flying, you expect me to take the plane apart and check all the components are in good order AND I have to do this manually! I can do it, if you can give me more people then I can keep the airliner as save as the people in it. What I would really like is an automated tool to do all the checks – non intrusively”

Interestingly we looked up some statistics, the odds of being on an airline flight which results in at least one fatality on the top 25 airlines is 1 in 5.4 million; whereas on an airline flight with the bottom 25 safety record the odds are 1 in 159,119 – 500 times more likely!

There are some more analogies for cloud computing, puns really – we will spare you those today!

VMinformer’s consultants have spent the last 5 years researching and conducting virtualization audits. In 100% of cases organizations fail our audits because basic security controls have been ignored – time, and time again, the misconfiguration failures boiled down to human performance and behavior.

Of course, system failure due to human oversight is nothing new, so why should we be worried this time? There are several factors at play. Firstly, most people take too much comfort from the fact that the individual elements of their virtual computing infrastructure is protected from malware and firewalled – which indicates that there is a lack of understanding, or ignorance, of their virtualization manufacturer’s security recommendations.

The best firewalls, AV, IDS (no disrespect to those vendors – their products do an important job) provide little protection to virtual and cloud infrastructure.

Next in our experience, systems are unpatched and security updates (which there are many, and diligently communicated by the virtualization manufacturers) are ignored. Is it because the virtualization administrators are too busy? Maybe they don’t have visibility over their virtual computing estate, or lack in-depth expertise across so many of the IT disciplines they now control (network, storage, security). Generally it is a combination of all these factors. Now is the time, if you are responsible for a virtualization platform, to take a step back and do some risk analysis.

“What is the consequence of a loss of, or within, our virtual computing infrastructure and what is the likelihood of that happening?”

Unfortunately, there are more factors at play.

• Where’s the segregation of duties in your virtual computing environment?
• Who’s responsible for looking at the what, where, when and how?
• Who has oversight?
• What audit or assurance are you aware of?

You only have to look at what happened in the financial markets with its over confidence, self regulation and ultimate collapse to know that your overworked system administration team has no chance.

This platform is just too critical to fail….

but fail it will if these factors are not addressed. But this time it could be on a scale that we’ve never experienced before in corporate computing. You can envisage not just the inconvenience of losing a few systems, but the loss of an entire IT infrastructure. Why and how will it happen? The usual reason – humans ignoring the warning signs, and simply not taking precautionary preventitive action.

A classic example is the release of SQL Slammer in 2003 – it effected 75,000 systems in 10 minutes causingan estimated billion dollars worth of damage. How could this have happened? Microsoft had issued a patch 6 months before. A patch that was almost universally ignored!

VMware, Citrix and Microsoft all provide patches and make recommendations on setup and configuration but do people follow them? Generally, they don’t. Worse still people assume that the configuration that they deployed in development three years ago is suitable for production or even DMZ use today! Of course the usual reasons are at the forefront: people either don’t have the time to inquire; or are scared that if they make a change it may break a critical business process.

Human behavior, whether it be oversight, ignorance, a laissez faire attitude, lack of visibility, or lack of responsibility, will be the fundamental cause and systemic failure of security in virtualization and cloud computing infrastructures. Those organizations that choose to be complacent and ignore the warnings will be part of the most catastrophic system failure we have ever seen.

We don’t know how, or on what scale, but the warning signs are clear…it is inevitable.

It’s your choice what are you going to do…?

“What do you reckon, a reality or complete hype.. Yes or No?”

Over the last few years security researchers have been talking about attacks on SCADA systems. Last year there was an attack on a nuclear facility in Iran (stuxnet) it is believed or alleged this was carried out by security services in order to thwart Iran’s nuclear program.

Whatever the truth the fact remains that SCADA systems have for decades relied on the premise of:

• Security through Obscurity
• The SCADA network is not connected to the Internet
• That physical security is good enough to protect the SCADA network
• Weak authentication and control mechanisms were adequate
• No auditing or security monitoring

We all know that “Security through Obscurity” is nonsense, if someone has the will, the time and resources they will succeed. So what does SCADA have to do with virtualization or for that matter cloud computing security?

Well let’s just think for a minute and pose a hypothetical scenario. Let’s suppose that Organization A has a competitor Organization B. They have been in the same market for years but have never managed to dislodge the other from poll position in the market. They have been a thorn in their side for years. What if they could cause a failure in their rivals system on such a scale that it would take them not just days to recover but maybe months. Just enough time for them to either gain a reasonable market share and significant competitive advantage or maybe just maybe to put them out of business for good!

Organizations have or should have disaster recovery processes and strategies in place but to often and not these are never tested until the disaster situation arises. So yes organizations may be able to recover some data but what if the data itself had been corrupted intentionally and this had been going on for months if not years? What if this corruption had been happening at such a low level it was undetectable by the software controllers and third party software used to protect the data?

Virtualization and cloud computing infrastructures ultimately have to store data and typically that data resides on shared storage fabric irrespective of the technology. Those systems have control mechanisms and have management software to configure and control them as well. If these control mechanisms can be subverted or exploited in such away that would remain undetectable, even if for just enough period of time to cause damage then we will without doubt see a system failure on such as scale that has never been witnessed before.

We’re all human and maybe we did see an obscure error in the backup log or other system file, but you know what, we have a million and other one things to do so either forgot about it or we said to ourselves “that can wait until tomorrow.”

Tomorrow unfortunately is too late. If you are serious about protecting your organizations crown jewels you should do something about it now and get some visibility, and look at what is going on in your virtual or cloud computing infrastructures.

Traditional physical security controls such as Firewalls, IPS/IDS, Anti Virus are unfortunately not suited to virtualization at all. Although it is better to have something than nothing if such traditional measures are implemented they will ultimately end up costing organizations more, and undermine the initial cost benefits of virtualization.

The added push towards “Cloud” computing only compounds the situation, so should we bury how heads in the sand, be alarmed or run for the hills and give up? Or are there alternative approaches that can be adopted?

If you’ve got this far you won’t be surprised to hear me say a resounding “YES!” to the question “are there alternative approaches!”

Traditional security solutions have had there day, it’s time to wake up and smell the coffee!

The dynamic nature that is virtualization and for that matter cloud computing means that it is trivial for an administrator inadvertently or otherwise to bypass security controls such as firewall’s simply by adding an additional network card to a virtual machine. This behavior can often go unnoticed due to lack of visibility or controls.

Virtualization and cloud computing have many benefits, the most obvious being cost and ability to scale in a way that has not been possible before. This flexibility however brings with it complexities that unless understood will allow human traits such as complacency, ignorance and it won’t happen to me attitude to reduce the overall effectiveness, security and cost savings of virtualization.

There are no perimeters, endpoints such as the server, desktop and application are becoming blurred. In the future there will be no operating system as we understand it today and therefore we must adapt, those who don’t will be left behind. If you are unable or sceptical about doing anything make sure you do one thing, monitor and provide yourself with some visibility.

As Yoda said, “Do or do not. There is no try”

Those organizations that do approach the security concerns they have often end up deploying traditional security measures like Firewalls, Anti-Virus and IDS. These solutions are typically not built for virtualization frameworks and will start to erode any cost benefits that virtualization has brought to the business. The fact that these solutions have not necessarily been built for virtualization and have simply been virtualized from their physical form means they will impact the underlying virtual infrastructure. What I mean by this is that they will start to compete for the same resources that your critical business applications need and therefore will starve them of the computing power they need.

Virtualization is a dynamic framework and as machines and applications move around this infrastructure it is important that any security measures are maintained. Systems designed to protect these valuable resources often do not adequately maintain the security state of these machines. The end result is that when machines or applications move they may not be protected at all.

Virtualization security solutions are only part of the answer another element to this story is “Human Traits”. History has shown that despite best intentions, processes, responsibility of vendors in supplying patches we are still hearing stories today of systems being compromised and often in the simplest of ways. Despite have token based access control systems people are still using password management systems with weak passwords.

Why? Because it’s easy and convenient, “why bother with all the extra cost I’ll never get hacked”!

People are complacent, even the experts! This isn’t good enough, we should be better at this and some people are but there are a lot of organizations who aren’t.

When was the last time you looked at who was accessing your virtual infrastructure? or what is going on and by whom? Do you keep a good audit trail? What visibility do you have?

Worried? Not bothered? Think this is a load of FUD propaganda! Well maybe it is, but then again perhaps not. When SQL Slammer hit on Jan 25th 2003 it caught everyone by surprise, it spread with extreme ease and speed globally, it effected some 75,000 victims in 10 minutes! A patch had been released some 6 months previously by Microsoft.

History has an uncanny way of repeating itself don’t become complacent, take the time and effort to monitor what is going on in your virtual world.