This article brings to mind an interesting trend we see going on among our financial and highly regulated clients – using a virtual machine for all Internet browsing. Several of our clients have begun using this technique in testing and small production groups. Often they are using ChromeOS images with VirtualBox or some other dedicated browser appliance and a light VM manager.
Have you or your organization considered, tried or implemented this yet? Give us a shout on Twitter (@lbhuston, @microsolved) and let us know your thoughts. Thanks for reading!
Virtual environments are becoming more popular, providing advantages such as enabling multiple OS environments to co-exist and providing disaster recovery solutions.
Virtual machines easily tests scenarios, consolidate servers, and can move disk files and some configuration files between physical machines.
Safeguarding your virtual server environment is vital, even though it doesn’t have the same issues as a physical environment. Here are a few tips to keep things running smoothly:
- Install only what you need on the host machine. Keep your OS and applications current for both virtual and host machines.
- Isolate each virtual machine you have by installing a firewall. Only allow approved protocols to be deployed.
- Ensure that antivirus programs are installed on the virtual machines and kept current with updates. Virtual machines, like physical machines are at risk for viruses and worms.
- Utilize strong encryption between the host and virtual machines.
- Avoid internet surfing from the host computer. Spyware and malware could easily infiltrate through the the host computer and spread to the virtual machines.
- Prevent unauthorized access by securing accounts on the host machine.
- Only use what you need. If you’re not utilizing a virtual machine, shut it down.
- If a virtual machine does not need to connect with each other, isolate it. Use a separate network card on a different network range.
- Monitor the event log and security events on both the host machine and on the virtual machine. These logs need to be stored in your log vault for security and for auditing purposes at a later date.
- Ensure that any hardware you use is designed for VM usage.
- Strictly manage remote access to virtual machines and especially to the host machine, this will make exposure less likely.
- Remember, the host machine represents a single point of failure. Technologies like replication and continuity help with reducing this risk.
- Avoid sharing IP addresses. Again this is typical of sharing a resource and will attract problems and vulnerabilities.
Using these tips will help you make the most of your physical and virtual environments so if anything interrupts your business, you are prepared.
I have been following a number of attacker trends and I see a potential point of convergence just over the horizon.
Most especially, I think that an intersection is likely to occur between bot development/virtual machines/rootkits and man-in-the-browser. My guess is that a hybrid juggernaut of these technologies is likely to emerge as an eventual all-in-one attack platform.
The use of these technologies alone are already present in many attack platforms. There are already a ton of examples of bot/rootkit integration. We know that man-in-the-browser has already been combined with rootkit technologies to make it more insidious and more powerful. If we add things like installation of illicit virtual machines, evil hypervisors and other emerging threats to the mix, the outcome is a pretty interesting crime/cyber-war tool.
If all of these problems would come together and get united into a super tool, many organizations would quickly learn that their existing defenses and detection mechanisms are not up to the challenge. Rootkit detection, egress traffic analysis, honeypot deployments and a high level of awareness are just beginning to be adopted in many organizations whose infosec teams lack the budgets, maturity and technical skills needed to get beyond the reactive patch/scan/patch cycle.
Vendors are already picking up on these new hybrid threats, much like they did with worms – by offering their products wrapped with new marketing buzzwords and hype. We have heard everything from IPS to NAC and hardened browsers (that mysteriously resemble Lynx) to special network crypto widgets that provide mysterious checksums of web transactions with other users of the special widgets… I don’t think any of these thigs are going to really solve the problems that are coming, though some might be interesting as point solutions or defense in depth components. My guess is that more than a few of the currently hyped vendor solutions are likely to be practically useless in the near future.
The real problem is this – security team maturity needs to be quickly addressed. Attackers are nearing another evolutionary leap in their capabilities (just as worms were a leap, bots were a leap, etc…) and we are still having issues dealing with the current levels of threats. It is becoming increasingly clear that we need to have infosec folks start to think differently about the problems, learn more about their adversaries and embrace a new pragmatic approach to defending data, systems and networks.
Maybe we need less whiz bang technology and more Sun Tzu?