Friday, February 22, 2013

NCUA Releases Distributed Denial-of-Service Mitigation Guidelines

I had the opportunity the other day to help put together a blog piece on our firm's blog. If you are involved in the Credit Union industry at all, I'd advise you to check it out!

Thursday, February 21, 2013

Virtualization Deployment Planning and Security

Virtualization is a huge hot-button issue right now, and everyone is jumping in feet first, but just because it is new doesn't mean you should install it in your data centers tomorrow. Yes, virtualization could save the federal government up to $30 billion by 2015 (as reported by MeriTalk), and yes, VMWare-sponsored research shows significant decreases in operational expenses for those that adopt virtualization technologies. Virtualization could save you a lot of money, which is always nice for strained IT department budgets.

But, without a plan, without identifying risks, and without the proper knowledge at your disposal, none of those savings will ever materialize.

Planning and Identifying Risks

By planning, I don't just mean deciding between Microsoft Hyper-V technology and VMWare ESXi. Virtualization brings a whole new set of risks and security concerns that need to be worked through. If you don't consider these risks and plan for them, your virtualization implementation will fail or, worse, appear to succeed until it is hacked to pieces by a passing script kiddie.

By far the most significant risk to a virtual environment is the consolidation of hosts onto one physical layer, where a single point of failure may become the new linchpin of your operation. Imagine, for a moment, that an attacker managed to socially engineer one of your admins' passwords or used one of those exploits you've been meaning to patch. Then imagine the attacker taking a nice stroll through your hypervisor. What will he or she find? Well, now that he has access to the host layer, he can easily dig into the guest operating systems' files, take the guests over, or copy them for offline analysis.

Secondary to the security risk is the operational risk of consolidated servers. What if that shiny new server you just purchased craps out on you due to a faulty install or faulty manufacturing? What happens to all the virtual servers you just lit up? They all die, along with all the business applications on them. Sure, you'll be able to get them back up pretty quickly on a different server (that's the power of virtualization, right?), but the business owners will not be pleased with the loss of availability and the possibility of missed SLAs.

Solutions

Virtual machines require the same sort of security as physical machines, including separation when required. It's important to note that you don't want to over-virtualize, which is when new virtual environments are created even though current servers could easily handle any additional functionality needed. Just because it is easy to clone a new machine doesn't mean you should always do it: the more operating systems in a network environment, the more chances for one to be configured incorrectly or become out of date.

As you can see, controls over virtualization are similar to traditional security controls, just with a little twist:

  • Control change - only designated virtual machine administrators should be adding, creating or modifying virtual machines (even test machines should be controlled appropriately).
  • Put standards in place (such as policies and procedures) - all virtual machines should be created equally based on baselines, and they should be maintained to the same standards throughout their business life.
  • Physical separation - virtual machines may be able to communicate within the physical host even when configured properly; i.e., putting your DMZ and your back-end database on the same host isn't a good idea (check out some research describing attacks through vSphere 5.0 to reach the host - Aidan Finn has a nice summary here).
  • Segregation of duties - determine how to handle segregation of duties between system administrators, security administrators, developers and users. Virtual environments, if configured improperly, can allow any one of these groups to gain access to data they shouldn't have.
  • Monitor, monitor, monitor - I can't stress this enough. Make sure the right tools are in place to ensure all communication is monitored. Virtual infrastructures allow for the creation of virtual networks that never leave the host. These networks still require firewalls, sniffers, intrusion detection, etc. Virtual monitoring tools need to be installed in every host to ensure you know what is going on between your servers.
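As an added illustration of the first three controls above (change control, baselines, and physical separation), here is a small inventory audit. It is example code written for this post, not a tool from the original article or from any hypervisor vendor; the VM inventory, host names, admin accounts, forbidden zone pairing and golden baseline are all constructed assumptions.

```python
"""Audit a VM inventory against the controls above (constructed example).
The inventory, host names and policy values are assumptions for illustration."""
from collections import defaultdict

# Constructed inventory: one record per VM on hypothetical hosts esx-a/esx-b.
INVENTORY = [
    {"vm": "web01", "host": "esx-a", "zone": "dmz", "created_by": "vmadmin1",
     "baseline": {"os": "win2008r2", "patch_level": "2013-02", "av": True}},
    {"vm": "db01", "host": "esx-a", "zone": "internal-db", "created_by": "vmadmin2",
     "baseline": {"os": "win2008r2", "patch_level": "2013-02", "av": True}},
    {"vm": "app01", "host": "esx-b", "zone": "internal-app", "created_by": "dev3",
     "baseline": {"os": "win2008r2", "patch_level": "2012-11", "av": False}},
]
# Assumed policy: zone pairs that must never share one physical host.
FORBIDDEN_COTENANCY = {frozenset({"dmz", "internal-db"})}
# Assumed: only designated VM administrators may create machines.
VM_ADMINS = {"vmadmin1", "vmadmin2"}
# Assumed golden baseline that every VM is expected to match.
GOLD_BASELINE = {"os": "win2008r2", "patch_level": "2013-02", "av": True}


def cotenancy_violations(inventory):
    """Return sorted (host, zone_a, zone_b) for forbidden zone pairs on one host."""
    zones_by_host = defaultdict(set)
    for rec in inventory:
        zones_by_host[rec["host"]].add(rec["zone"])
    findings = []
    for host, zones in zones_by_host.items():
        for pair in FORBIDDEN_COTENANCY:
            if pair <= zones:  # both zones of the pair are present on this host
                findings.append((host,) + tuple(sorted(pair)))
    return sorted(findings)


def unauthorized_creators(inventory):
    """Return VMs created by accounts outside the designated admin set."""
    return [r["vm"] for r in inventory if r["created_by"] not in VM_ADMINS]


def baseline_drift(inventory, gold=GOLD_BASELINE):
    """Return {vm: {field: (expected, actual)}} for every field off baseline."""
    drift = {}
    for rec in inventory:
        diffs = {k: (v, rec["baseline"].get(k))
                 for k, v in gold.items() if rec["baseline"].get(k) != v}
        if diffs:
            drift[rec["vm"]] = diffs
    return drift
```

Run each of the three functions over `INVENTORY` to see the findings: the DMZ web server and the internal database sharing esx-a, a VM created by a developer account, and one machine behind on patch level with no antivirus.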

Conclusions

Virtual infrastructure needs to be understood by everyone (security admins, system admins, developers, and management) so that everyone understands the risks that are different from physical servers. Once everyone understands the risks, the proper preventive and detective controls need to be put in place to provide the same level of security as with physical servers.

This post was inspired by an ebook article at SCMagazine.com called Virtualization, posted January 24, 2013 (find the original posting here).

Hello World!

Well, I've officially set up a blog...

And, I figured I'd start it off with a little introduction. My name is Blake R. Waud, and I am a Certified Public Accountant working through my third year in the field. About a year ago, I began to move into the IT Audit group of my firm (specifically the IT Assurance and Security group). I am so far extremely happy with this move; IT auditing is so much more rewarding to me than financial statement auditing (where you basically tick and tie the numbers out).

Don't get me wrong, financial statement audits are important and serve a very specific public function that needs to be fulfilled; I just don't like doing it that much. I am not sure what it is, but I always get exhausted when I perform financial statement audit work.

Now, IT Audit, that's where things get interesting. This field is changing non-stop; I've been in it almost 2 years now and it's already radically different than when I first started. I love the challenge all the information poses, and I further love the people. Maybe they are just the kind of people I've always gotten along with best, but IT professionals just click with me.

I love to go into their areas, see how they work, see where I can help, and see where I can learn from them (yes, I learn something from every client I visit; it is imperative to me, actually, that I do).

But, now that I've been doing this a while, it is time to dig into my real passion: IT Security. I love security, and I am even more passionate about the white hat side of it all. My goal is to become a respected ethical hacker/penetration tester in the field with a strong business background so that I can bring a unique perspective.

To that end, I have begun to develop my personal brand, and this blog is part of that effort.

This blog will be a collection of information that I have learned and synthesized. I will post helpful recommendations and basic info that I have picked up along the way. Not only will this be available to everyone who reads this blog (and I do hope it helps some people), but it will help me know where I have come from and help me remember and find things I have researched.

So, without further ado...