Saturday, February 9, 2008

Virtual Security

I teach a Securing Windows class once a week, and I make my students prepare presentations on subjects that I chose to make them think about security implementations and tools. In our last meeting, one of my students took on VMware and the applications of using virtual machines. She did a great job of pointing out the strengths of using virtual environments, even citing the use of a customer she works with.

I write this not just to give my student kudos, but also to make security people think about using virtual environments. We all know that a Windows box is pwned if there is physical access. Physical access for only a couple of minutes makes any Windows machine's security pointless. Even if we disable CD-ROM access and USB so that it can't be booted into a live disc environment, and password-protect the BIOS, it really only requires a little more time to break. What if, however, all the sensitive data is contained inside a virtual machine on the Windows box? Now physical access isn't the pwnage it used to be. Even if you get on the Windows box, you still have to crack the login to the virtual machine, which, as far as I know, can't be cracked with a live disc. If it can, I'd like to know about it.

Virtual machines also help with redundancy, eliminating single points of failure. Not only can we have a mirror image on the same box, but we can back up the virtual machine to a second box rather easily, which we can do with a non-virtual machine, but the beauty of it is that we can run multiple machines on one box (assuming none of the virtual machines require 100% of the hardware resources). For smaller companies, we could run the file server and the web server from the same hardware, in different virtual machines. We can even run a firewall off the same box so the web server is in the DMZ. With clustering, we could, potentially, run this configuration for some moderate-size businesses. This cuts the hardware costs while still having a fully fail-over capable system.

With 8-core processors coming out, and new server operating systems able to handle huge amounts of RAM, using virtual machine technology in your network can be a cost-effective AND secure way to go.

Friday, February 1, 2008

My security outlook

As a n00b in the security world, I have still to prove myself as a true security professional. Until then, and perhaps building up to that, I'm going to go ahead and post my thoughts and hope that the day comes when people point at this blog and say "He said it there months/years ago!". Here's hoping!

There are many facets to information security, as we all know, and no one blog post can touch on them all. I want to touch on the consumer side of things in the area of malware and online identity protection. As much as security experts focus on malware scanning and detection, you'd think we could be in a safer state on the Internet. We aren't, and I think I know why. If you arrest a meth addict and throw him/her in jail, what have you accomplished? Virtually nothing. The addict will be in jail for a while, able to obtain meth in jail, and will emerge still addicted. Even if they can't obtain drugs while in jail, they will still emerge addicted or go back to the same group of friends and get back into it. With malware we see the same trend. If a computer user spends his time browsing a particular kind of site, he gets infected. Maybe he cleans his computer, but he continues to visit the same sites, and will continue to become infected. So by identifying malware on your computer and cleaning it, you've managed to arrest the meth addict, accomplishing very little.

Drug addicts have a better chance of going clean if they change their surroundings and who they talk with. If they stop hanging around the same friends that use, they aren't tempted to use again (as much, anyway). Also, if the drugs are harder to come by, that helps. That's why many attorneys general are focusing on finding the drug labs/sources. Finding the labs/sources of malware is significantly more difficult, but not impossible. Changing the environment is another story.

My point is, to boil things down, that we have malware detection (telltale signs of the meth addict), and we have people searching for the labs/authors (attorneys general initiatives), but we have done almost nothing to change the environment that general users are operating in. Sure we release security patches for software, and come out with new versions of operating systems, but how many actual users have patched systems, or upgraded to the new operating systems? Pathetically few. That's because we haven't brought security to the masses. It's time to educate the users. Fewer vulnerable computers on the net mean fewer places for malware to spread to. This means smaller botnets, and fewer losses of personal info. Any AUP author can tell you the key to enforcing it is educating the users. Now we need a public AUP or, as I like to call it, SUP (Suggested Use Policy, or Smart User's Policy, Smart Use Policy, Stupid User's Policy, Safe Use Policy; it's that versatile of an acronym) :) I understand that we can't reach everyone, and that some people just won't listen, but if we can teach people to drive a car, we can teach them to drive a computer.

So how do we do it? Well, I call upon ISPs to start educating their users: less malware traffic on the ISP's network means less bandwidth wasted, so there is monetary incentive for it. I also call upon security people with an affinity for words to write "For Dummies" books, or other info security books written in straight English/German/etc. (i.e. not in geek language). I also call upon security professionals to write blogs that educate general users. And lastly, if you advertise security, provide it! (Hint hint ScanAlert, Microsoft, Apple).