
Virtualization and Security

In light of the wave of hacking and malware attacks of 2017, aimed not only at corporations but also at public institutions, including schools and hospitals, and at private users, information security has become a hot topic. Below the cut you will read about current IT security issues and the effect that virtualization tools have on the protection of information systems.



What is special about the present moment


Let's start with the facts. According to Kaspersky Lab, the rate at which new viruses appear has grown from about one per hour in 1994 to 5-6 per second. Bitdefender broadly confirms this, estimating that more than 12 million new malware samples appear every month, that is, more than 400 thousand a day. A Mandiant survey found that organizations take about five months on average to detect a breach, and in half of the cases they need outside help to deal with it.

Over two years the Carbanak campaign (a banking Trojan delivered by spear phishing, not a self-propagating worm) caused about $1 billion in losses in more than 30 countries. Infection came through e-mail attachments that exploited vulnerabilities in Microsoft Office. JPMorgan, HSBC, Halifax, Barclays and, in total, more than a hundred banks were hit. As a result, JPMorgan alone planned to spend more than $0.5 billion on IT security. On average, according to Kaspersky Lab, corporations spend $800,000 a year recovering from cyber attacks. Why is this happening?


Firstly, because modern computer platforms were originally designed in the 1990s, when the security requirements of the late 2010s could not have been foreseen. This is exactly why antivirus systems and firewalls have become an indispensable add-on to any operating environment, and why failing to update the antivirus and the operating system promptly inevitably leaves the system vulnerable.

Secondly, because the number of Internet-connected client devices that are vulnerable to viruses and malware has grown enormously worldwide. The number of end users has grown many times over with it, and the average level of computer literacy, and with it the level of protection of computer systems, has naturally slid to a very low level.

Tellingly, not everyone understands the danger of cybercrime. On average, 73% of users recognise cybercriminals and hackers as the greatest threat to their electronic data; that is not 100% (ask who steals wallets, and 100% will answer: thieves). Interestingly, Americans are much less wary of cybercriminals than residents of the Asia-Pacific region: 61% versus 82%.

Thirdly, because many information system administrators could, let's say, do their job somewhat better. If every corporate structure had at least installed all updates on time, viruses such as Petya and WannaCry would simply have had no chance. Measures such as regular backups, offline storage of backup copies, restriction of administrative privileges and segmentation of the corporate network would greatly reduce the damage, but we have not even got to those yet.

Judge for yourself. The vulnerability in the SMB protocol of Microsoft Windows that WannaCry later exploited (I will say exactly when) was already known to Microsoft in February 2017. On March 14, 2017, not very quickly, but as fast as Microsoft could, it released the MS17-010 series of updates that closed the vulnerability in all supported operating systems.

Mass distribution of WannaCry began on May 12, 2017. In the first four days of the attack about 300 thousand users in 150 countries were hit. They had had two months to install the patches. In this light, Microsoft's unprecedented step of releasing updates the very next day even for unsupported operating systems looked naive at best and drew not just fair but understandable complaints from specialists, who tweeted things like: "Stop releasing patches for Windows XP and Windows 2003, because by doing so they themselves prevent corporations from getting rid of outdated software" and "Oh no. Stop supporting Windows XP. If it cannot die with honor, just let it die..."

Home computers have been and remain the weak link in the information security chain. Users run under an administrator account for everyday work with a clear conscience. The mentality of users who believe that if there is no secret data on their computer then they are of no interest to hackers plays a cruel trick on them. Of course, they do not think about their computers being used for DDoS attacks or, at best, for mining Bitcoin.

Or take a recent attack on restaurants. Restaurant employees received e-mails with attachments named "menu.rtf", "Olive Garden.rtf" or "Chick Fil A Order.rtf". The attached RTF files used OLE objects and ran obfuscated JavaScript code: when the RTF document was opened, the victim saw a large envelope icon and a prompt to open it with a double click, after which, as a rule, by the victim's own hand, the code launched and gave the attackers access to any information on the corporate network, including financial data...
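The RTF trick described above can be caught statically before anyone double-clicks the envelope. The following is an added example written for this article, not code from the original post or from any vendor mentioned here: it decodes the hex-encoded `\objdata` groups of an RTF, reads the OLE 1.0 object header to get the class name, and flags the things that matter in a phishing RTF (an object that is forced to update on open via `\objupdate`, a "Package" or "OLE2Link" class, and script markers in the decoded payload). The sample RTF is constructed inside the block and is not a real phishing document; the class names, hint strings and verdict labels are this example's own choices.

```python
import binascii
import re
import struct
from typing import List, Optional

# Magic of an OLE compound file (CFBF), the container an embedded object usually arrives in.
OLE_COMPOUND_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OLE class names that frequently carry scripts in phishing RTFs: "Package" wraps an
# arbitrary file (e.g. a .js or .vbs) behind an icon, "OLE2Link" is a linked object that
# can fetch and run remote content. Set chosen for this example.
RISKY_CLASSES = {"Package", "OLE2Link"}

# Strings that betray JavaScript/WSH payloads inside the decoded object data (example set).
SCRIPT_HINTS = (b"ActiveXObject", b"WScript.Shell", b"eval(", b"unescape(")


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Decode every \\objdata group. The object is stored as a hex string that RTF
    writers wrap over many lines, so whitespace is stripped before unhexlifying."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:            # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(binascii.unhexlify(hexstr))
    return blobs


def ole1_class_name(blob: bytes) -> Optional[str]:
    """Read the class name from the OLE 1.0 ObjectHeader that starts \\objdata:
    u32 OLEVersion (0x501), u32 FormatID, u32 ClassNameLength, ClassName (NUL-terminated)."""
    if len(blob) < 12:
        return None
    version, _format_id, name_len = struct.unpack_from("<III", blob, 0)
    if version != 0x501 or name_len == 0 or name_len > 256 or len(blob) < 12 + name_len:
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")


def triage_rtf(rtf: bytes) -> dict:
    """Static triage of one RTF: does it embed objects, are they forced to update
    (i.e. run) on open, what classes are they, and does the decoded data smell of script."""
    report = {
        "has_object": b"\\object" in rtf or b"\\objdata" in rtf,
        "auto_update": b"\\objupdate" in rtf,   # object refreshed as soon as the doc opens
        "classes": [],
        "compound_files": 0,
        "script_hints": [],
    }
    for blob in extract_objdata(rtf):
        cls = ole1_class_name(blob)
        if cls:
            report["classes"].append(cls)
        if OLE_COMPOUND_MAGIC in blob:
            report["compound_files"] += 1
        for hint in SCRIPT_HINTS:
            if hint in blob:
                report["script_hints"].append(hint.decode())
    if not report["has_object"]:
        report["verdict"] = "clean"
    elif report["auto_update"] or RISKY_CLASSES & set(report["classes"]) or report["script_hints"]:
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "review"
    return report


def build_sample_rtf(class_name: bytes = b"Package", auto_update: bool = True,
                     payload: bytes = b"eval(unescape('%57%53%63%72%69%70%74'))") -> bytes:
    """Constructed sample, not a real phishing document: a "menu" RTF carrying an embedded
    object whose native data is a stub compound file holding an obfuscated-JS marker."""
    native = OLE_COMPOUND_MAGIC + b"\x00" * 8 + payload
    cls = class_name + b"\x00"
    header = struct.pack("<III", 0x501, 2, len(cls)) + cls   # FormatID 2 = embedded object
    header += struct.pack("<II", 0, 0)                        # empty TopicName and ItemName
    header += struct.pack("<I", len(native))                  # NativeDataSize
    hexdata = binascii.hexlify(header + native)
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    words = b"\\object\\objemb" + (b"\\objupdate" if auto_update else b"")
    return (b"{\\rtf1\\ansi\\par Menu for tomorrow:\\par{" + words +
            b"{\\*\\objclass " + class_name + b"}{\\*\\objdata " + wrapped + b"}}\\par}")


if __name__ == "__main__":
    print(triage_rtf(build_sample_rtf()))
```

The point of decoding `\objdata` rather than grepping the file is that the payload is hex-encoded on disk: a search for "eval(" in the raw RTF finds nothing, while the decoded blob gives both the class name and the script markers. A Word document embedded without `\objupdate` lands in "review", not "suspicious", so the check does not page on every legitimate attachment.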

But there is a simple rule: if nothing was supposed to be sent to you and something arrived anyway, do not open the attached document and do not click the link. This is a hygiene rule no less important than keeping the operating system and antivirus package up to date and, if you have the skills, disabling unused services and so on.

Virtualization will help!




Strictly speaking, "virtualized" does not mean "protected from cyber attacks". The purpose of the hypervisor and the services around it is to help the organization run efficiently everything related to administering the information system, provisioning resources, optimising performance and ensuring information security. The necessary condition for all this to work is, however tedious it sounds, for IT administrators to go back and study their platform once again.

Why, for example, does not everyone yet know that switching off or suspending a virtual machine does not protect it from attackers? On the contrary, such machines become the focus of the attack, the "direction of the main strike", because their protection is not updated: the antivirus cannot refresh its signature database, and the moment the machine is powered on again it joins the network with stale patches and stale signatures. Likewise, "golden" images of workstations are exactly the same point of vulnerability, because as a rule they are updated very irregularly, once every 3-4 months.

Therefore, in the general case, the seemingly simple question of whether a terminal service is more secure than working on a local computer has no clear answer. It all depends on how the system is configured. In theory the terminal service is more secure than the local machine, because nothing is stored on the user's local device: the workload runs on the server, the user sends keystrokes and mouse clicks and receives screen updates in return, and security is entirely in the administrator's hands. But if the administrator does not follow the rules, opens unnecessary ports, does not use the additional services, does not lock the workstation, does not check the connection location and the connecting device, it is absurd to talk about a protected workplace. A competent administrator who follows best security practices when configuring the services will give the virtual environment the best protection.

One of the typical advantages of a virtual environment is the ability to use a "golden" image of a virtual machine, which we have already mentioned today. On the one hand, the "golden" image is protected from changes: if a user breaks the virtual machine, it is very easy to repair it from the "golden" image. But this does not remove the need for antivirus. The "golden" image itself, as we already know, needs to be updated regularly. And what happens if the "golden" image itself gets infected? What happens when virtual machines for a thousand people are restarted from it?
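The two paragraphs above (powered-off virtual machines and "golden" images falling behind on patches and signatures) come down to one audit a practitioner wants to run against the inventory. Below is an added example written for this article, not code from the original post or from any hypervisor vendor: it takes an inventory of guests with the date each last took OS updates and antivirus signatures, compares those dates against a list of required patches keyed by publication date (MS17-010 on 14 March 2017, the patch the WannaCry timeline above turns on), and reports which guests must be brought up on an isolated network and re-sealed rather than patched in place. The inventory, field names and thresholds are constructed for the example and do not follow any vendor's export format.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Guest:
    name: str
    kind: str             # "vm" or "template" (a "golden" image); field names are this example's own
    power_state: str      # "on" or "off"; a template is never running
    last_patched: date    # when the OS inside the guest last took updates
    last_av_update: date  # when the in-guest antivirus last refreshed its signatures


# Patches the policy requires, keyed by the date the vendor published them.
# A guest that last took updates before that date cannot have the patch.
REQUIRED_PATCHES: Dict[str, date] = {"MS17-010": date(2017, 3, 14)}

# The day WannaCry started spreading, used as "today" in the sample run.
WANNACRY_OUTBREAK = date(2017, 5, 12)


def missing_patches(guest: Guest) -> List[str]:
    return [kb for kb, released in REQUIRED_PATCHES.items() if guest.last_patched < released]


def audit(inventory: List[Guest], today: date, max_patch_age: int = 30,
          max_av_age: int = 3) -> List[Tuple[str, str, List[str]]]:
    """Return (name, required action, missing patches) for every guest that is not current.
    Powered-off VMs and templates cannot update themselves, so they get a different action."""
    findings = []
    for g in inventory:
        gaps = missing_patches(g)
        stale_os = (today - g.last_patched).days > max_patch_age
        stale_av = (today - g.last_av_update).days > max_av_age
        if not (gaps or stale_os or stale_av):
            continue
        if g.kind == "template" or g.power_state == "off":
            # It has been sitting still: bring it up on an isolated segment, update, re-seal
            # (for a template), and only then let it back onto the production network.
            action = "start on isolated network, patch and update AV, re-seal"
        else:
            action = "patch in place and repair the update agent"
        findings.append((g.name, action, gaps))
    return findings


def sample_inventory() -> List[Guest]:
    """Constructed inventory for the example; not an export from any real environment."""
    return [
        Guest("fileserver-01", "vm", "on", date(2017, 4, 20), date(2017, 5, 11)),
        Guest("dc-01", "vm", "on", date(2017, 3, 1), date(2017, 5, 11)),
        Guest("test-win7", "vm", "off", date(2017, 2, 1), date(2017, 2, 1)),
        Guest("gold-win10", "template", "off", date(2017, 3, 20), date(2017, 3, 20)),
    ]


if __name__ == "__main__":
    for name, action, gaps in audit(sample_inventory(), WANNACRY_OUTBREAK):
        print(f"{name}: {action}; missing {gaps or 'nothing, just stale'}")
```

Note the asymmetry the check captures: the golden image in the sample does carry MS17-010, yet it is still flagged, because a template that has not been refreshed for 53 days will stamp that age onto every workstation cloned from it; the powered-off test machine is the worse case, since it predates the patch entirely and will come up wormable the moment someone starts it.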



That is why it makes sense to use solutions that protect virtual environments. For example, I have already mentioned our partner Bitdefender: its Hypervisor Memory Introspection inspects the memory of the guests from the hypervisor level, so that no agent needs to be installed inside the virtual machines and they are not loaded with extra network activity and updates. True, if a restaurant administrator receives an e-mail with a malicious attachment disguised as tomorrow's menu and saves that attachment, nothing will help except an up-to-date antivirus solution designed to work in a virtualized environment. A solution such as Kaspersky Security for Virtual Environments uses a special agent which, working inside the virtual infrastructure, checks only those file hashes that look suspicious, and a central component is notified of the hashes coming from these virtual machines. This systematically reduces the load on the disk subsystem and processor resources.

And of course, do not forget about secure remote access. A system such as Citrix NetScaler ADC provides the essential network functions: load balancing of network applications, protection of applications and resources, and remote access to the corporate network, without duplicating the functionality of specialised information security products but working as part of the business continuity plan. For example, protection of web application traffic, of the web applications themselves and of network resources is provided by our NetScaler Web Application Firewall. If an organization requires data encryption, but not with the American standards that Citrix uses and instead with algorithms approved under GOST, we offer specialised solutions from our partners, for example C-Terra, and another interesting product, Gatekeeper from Sovintegra, provides authentication to XenDesktop with GOST certificates. And if the company's main data center goes down, NetScaler switches users to the backup data center using GSLB (global server load balancing between geographically separated sites), while a specialised hardware/software replication solution restores the primary data center.

Is the game worth the candle?


To answer this question you do not have to compute return on investment. Just estimate what your business would lose in the event of data destruction, downtime of the information system and other kinds of damage. Compare this with the cost of buying the product (a virtualization system, antivirus and so on), implementing it and training staff to use it.

Then choose the software or hardware/software complex that solves your tasks and whose cost is small compared to the possible damage, and calmly buy it.

Source: https://habr.com/ru/post/339410/
