When it comes to virtual systems, reality shows us threats are constantly evolving.
Virtualization enables companies to pool their operating systems, storage and data centers. Those virtual environments allow businesses to scale more efficiently and to roll out new services faster. According to Forrester Research, 75 percent of organizations are using server virtualization or will move to it by the end of 2014. But that switch can also bring a false sense of security.
“Companies think virtual systems do not need any special care for security,” says Symantec analyst Candid Wueest. “And therefore neglect to include them in a special security group. In addition to this, a small number of customers still think that malware does not run on virtual systems, which is of course a wrong assumption.”
Virtual systems are just as susceptible to malware as physical servers. “Once malware executes its payload there is not much difference between virtual or physical systems,” says Wueest. “The impact depends more on the content and services provided by each system.”
Additionally, malware is being designed specifically to evade detection inside virtual systems. A virtual machine is, at bottom, a set of files (disk images, configuration, snapshots) on the host server's storage. Anyone with access to that storage can mount or modify those files outside the running guest, and an image tampered with in that way is spread wherever the image is subsequently deployed.
Attacks that can spread
Attacks on a virtual system can spread to other virtual machines on the same virtual network. Network intrusion detection and data loss prevention sensors that sit on the physical network will not see those attacks, because traffic between two guests on the same host passes through the hypervisor's virtual switch and never reaches a physical network interface.
It is also possible for an attacker who has breached a host server to create a new virtual machine whose purpose is to execute an attack. The Crisis malware, for example, targets multiple operating systems: it arrives as a Java file, steals information, and then attempts to spread to the connected virtual machines.
By checking for specific files, registry keys or MAC addresses (the vendor prefixes of a virtual network adapter, for instance), malware can detect whether it is running on a virtual machine. Symantec security analysts have studied 200,000 malware samples since 2012; 82 percent of those samples run successfully on virtual systems and infect the users.
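The checks described above, as an added example that is not code from the article or from Symantec: a sample decides whether it is inside a virtual machine by matching the guest's MAC addresses, driver files and registry keys against known hypervisor artefacts. The artefact lists (VMware, VirtualBox, Hyper-V, Xen, QEMU/KVM and Parallels MAC prefixes, guest-tools files and keys) are the commonly cited ones and are chosen here for illustration; a real sample may test others. The host snapshots are constructed inputs so the logic runs offline. The same function, pointed at your own analysis sandbox, tells you which of these artefacts the sandbox image leaks.

```python
"""VM fingerprinting of the kind malware uses to decide whether to run.

Added example; not Symantec's code. Artefact lists and snapshots are assumptions.
"""
import re

# IEEE OUI prefixes (first three octets) registered to hypervisor vendors.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
    "00:1c:42": "Parallels",
}

# Guest-tools drivers and registry keys that exist only inside a guest (lower-cased).
VM_FILES = {
    r"c:\windows\system32\drivers\vmmouse.sys": "VMware",
    r"c:\windows\system32\drivers\vmhgfs.sys": "VMware",
    r"c:\windows\system32\drivers\vboxmouse.sys": "VirtualBox",
    r"c:\windows\system32\drivers\vboxguest.sys": "VirtualBox",
    "/usr/bin/vmware-toolbox-cmd": "VMware",
}
VM_REGISTRY_KEYS = {
    r"hklm\software\vmware, inc.\vmware tools": "VMware",
    r"hklm\software\oracle\virtualbox guest additions": "VirtualBox",
    r"hklm\software\microsoft\virtual machine\guest\parameters": "Hyper-V",
}

_MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})")


def mac_vendor(mac):
    """Return the hypervisor vendor for a MAC address, or None if its OUI is not a known VM one."""
    m = _MAC_RE.match(mac.strip().lower())
    if not m:
        return None
    return VM_MAC_OUIS.get(":".join(m.groups()))


def fingerprint(macs, files_present, registry_keys_present):
    """Collect VM indicators from a host snapshot given as three lists of strings.

    Returns a sorted list of (indicator_type, value, vendor) tuples; an empty
    list means none of the known artefacts were found.
    """
    hits = []
    for mac in macs:
        vendor = mac_vendor(mac)
        if vendor:
            hits.append(("mac", mac.lower(), vendor))
    for path in files_present:
        vendor = VM_FILES.get(path.lower())
        if vendor:
            hits.append(("file", path.lower(), vendor))
    for key in registry_keys_present:
        vendor = VM_REGISTRY_KEYS.get(key.lower())
        if vendor:
            hits.append(("registry", key.lower(), vendor))
    return sorted(hits)


def looks_virtual(macs, files_present, registry_keys_present):
    """The decision a sample makes: stay dormant (True) if any indicator matches."""
    return bool(fingerprint(macs, files_present, registry_keys_present))


# Constructed snapshot of a VMware guest with VMware Tools installed (not real data).
GUEST_SNAPSHOT = {
    "macs": ["00:0C:29:4F:1A:B2", "02:42:ac:11:00:02"],
    "files_present": [r"C:\Windows\System32\drivers\vmmouse.sys", r"C:\Windows\notepad.exe"],
    "registry_keys_present": [r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"],
}

# Constructed snapshot of a physical workstation (not real data).
PHYSICAL_SNAPSHOT = {
    "macs": ["3c:97:0e:12:34:56"],
    "files_present": [r"C:\Windows\notepad.exe"],
    "registry_keys_present": [],
}

if __name__ == "__main__":
    for name, snap in (("guest", GUEST_SNAPSHOT), ("physical", PHYSICAL_SNAPSHOT)):
        print(name, "virtual" if looks_virtual(**snap) else "physical", fingerprint(**snap))
```

A defender's use of the function is the inverse of the attacker's: if the sandbox you screen samples in trips any of these checks, the 82 percent that run anyway are not the problem; the remainder will look clean in your sandbox and detonate on a production guest that has the same tools installed.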
Malware is also written, and rewritten, to outlast analysis. Automated screening of a suspicious sample typically runs for 5 to 10 minutes, so a sample that holds back its payload until a timer expires, a certain number of user clicks has occurred, or the system has been rebooted looks harmless for the whole screening window.
Protecting virtual systems
According to Wueest, inclusion is the best protection. “Companies should ensure that they include virtual systems in the security process (like backups, patching, monitoring, etc.) and verify that they account for special requirements of those virtual systems. Specifically updating the snapshots and monitoring the virtual networks is essential.”
Wueest offers the following advice for companies working to secure their virtual systems. Additional best practices can be found in a webcast on the implementation of virtualized systems.
- Hardening: The host server needs to be well protected, because compromising it gives access to every virtual machine it runs. Administrators can use policies and application whitelisting so that only trusted system applications run on it.
- Advanced malware protection: Protection with proactive components that go beyond the classic antivirus scanner needs to be in place. Depending on the setup, threat protection can be deployed on each virtual machine separately or agentless from the hosting server, which keeps the performance overhead low.
- Access control: Administrators need to apply proper access control to the virtual machine hosting servers so that only authorized users can make changes.
- Disaster recovery: Virtual machines need to be integrated into the disaster recovery and business continuity plan. Administrators should apply high availability and backup strategies for the data.
- Virtual network protection: Administrators should ensure that network security tools have access to the traffic on the virtual network between virtual machines on the same host server, for example by mirroring the virtual switch's traffic to a sensor, since that traffic never reaches the physical network.
- Updating: Snapshots and images of virtual machines need to be included in the patch and upgrade cycle, so that they are up to date when deployed.
- Logging: Virtual machines need to be integrated into the security logging and SIEM visualization systems just like any other IT device. Since virtual machines can be provisioned dynamically and moved around the network, those provisioning and migration events need to be logged consistently as well.
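One reason the last item matters, as an added example that is not code from the article or from Symantec: if the hypervisor's lifecycle events (create, power on, migrate, delete) are replayed against what the SIEM has actually received, the running guests the SIEM has never heard from, or has stopped hearing from, fall out directly. The log line format, the event names, the host and VM names and the sample lines are all constructed for illustration; a real deployment would map its own hypervisor audit log onto the parser.

```python
"""Reconcile hypervisor lifecycle events with SIEM coverage to find logging blind spots.

Added example; not the article's or Symantec's code. Format and data are constructed.
"""
import re
from datetime import datetime, timedelta

# Assumed hypervisor audit log format: "<ISO time> host=<h> event=<e> vm=<name> [k=v ...]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\S+)\s+vm=(?P<vm>\S+)(?P<rest>.*)$"
)


def parse_event(line):
    """Parse one audit line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("host", "event", "vm")}
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    for kv in m.group("rest").split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


def vm_inventory(lines):
    """Replay lifecycle events (in order) into the current host and power state of every VM."""
    inv = {}
    for line in lines:
        rec = parse_event(line)
        if rec is None:
            continue
        vm = inv.setdefault(rec["vm"], {"host": None, "state": "absent", "last_event": None})
        ev = rec["event"]
        if ev == "vm.created":
            vm.update(host=rec["host"], state="off")
        elif ev == "vm.powered_on":
            vm.update(host=rec["host"], state="on")
        elif ev == "vm.powered_off":
            vm["state"] = "off"
        elif ev == "vm.migrated":
            vm["host"] = rec.get("dst", rec["host"])  # guest keeps running on the new host
        elif ev == "vm.deleted":
            vm["state"] = "absent"
        vm["last_event"] = rec["ts"]
    return inv


def blind_spots(lines, siem_last_seen, now, max_silence=timedelta(minutes=15)):
    """Running VMs the SIEM has never heard from, or not within max_silence.

    siem_last_seen maps VM name -> datetime of the last log the SIEM received from it.
    Returns a list of (vm, host, reason) tuples sorted by VM name.
    """
    findings = []
    for name, vm in sorted(vm_inventory(lines).items()):
        if vm["state"] != "on":
            continue  # powered-off or deleted guests are not expected to log
        seen = siem_last_seen.get(name)
        if seen is None:
            findings.append((name, vm["host"], "never reported to SIEM"))
        elif now - seen > max_silence:
            findings.append((name, vm["host"], "silent for %d min" % ((now - seen).seconds // 60)))
    return findings


# Constructed hypervisor audit lines (not real data).
HYPERVISOR_LOG = [
    "2014-03-02T08:00:00Z host=esx01 event=vm.powered_on vm=db-02 user=ops",
    "2014-03-02T09:00:00Z host=esx01 event=vm.created vm=web-07 user=jsmith template=win2008-gold",
    "2014-03-02T09:01:10Z host=esx01 event=vm.powered_on vm=web-07 user=jsmith",
    "2014-03-02T09:30:00Z host=esx02 event=vm.powered_on vm=app-03 user=ops",
    "2014-03-02T09:45:00Z host=esx02 event=vm.powered_off vm=app-03 user=ops",
    "2014-03-02T10:20:00Z host=esx01 event=vm.created vm=tmp-scan user=svc-backup template=none",
    "2014-03-02T10:21:00Z host=esx01 event=vm.powered_on vm=tmp-scan user=svc-backup",
    "2014-03-02T10:30:00Z host=esx01 event=vm.migrated vm=web-07 src=esx01 dst=esx02",
    "this line is not an audit event and is skipped",
]

# Constructed view of what the SIEM has received, per VM (not real data).
SIEM_LAST_SEEN = {
    "db-02": datetime(2014, 3, 2, 10, 0, 0),
    "web-07": datetime(2014, 3, 2, 10, 45, 0),
}
NOW = datetime(2014, 3, 2, 10, 50, 0)

if __name__ == "__main__":
    for vm, host, reason in blind_spots(HYPERVISOR_LOG, SIEM_LAST_SEEN, NOW):
        print("%-10s on %-6s %s" % (vm, host, reason))
```

The guest created by a service account and powered on without ever logging (tmp-scan above) is exactly the case the article describes: a new virtual machine brought up on a breached host that no monitoring knows about. The migration event is handled so that web-07 is attributed to its current host, which is what an incident responder needs when they go looking for it.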
Danie D. Taylor is an Emmy Award-winning journalist, content producer and blogger based in San Francisco.