From Paul's Security Weekly
Enterprise Security Weekly #86
Recorded April 4, 2018 at G-Unit Studios in Rhode Island!
- Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- Check out SOURCE Boston 2018 from May 9th - 10th! Go to sourceconference.com and register using the code SW75WMKW to get a $75 discount!
- Visit securityweekly.com/domaintools to register for our next webcast “Detecting Malicious Domains” hosted by myself and Keith Hoodlet. Tim Helming of DomainTools joins us to show you how to interpret each of the many data points related to a domain. @Wednesday, April 4th 3:00-4:00pm ET
Topic: Security Threats from Virtual Machines
Five, no six Security Threats from Virtual Machines
- Circumvention of Privilege -- VMs can ride below the radar of overall l7 controls. If a L7 security controller like Active Directory is regulating group permission, VMs may not be in the domain and as such can be used at L3 and subsequently circumvent all sorts of restrictions.
- Circumvention of Privilege 2 (Electric Boogaloo) -- VMs are harder to see in the environment especially if they are set up with NAT/PAT type situations on local machines. A VM would act with the L3 privilege of the local machine but could subsequently be used in many different ways up to and including SNAT outward facing daemons which would not be seen if the VM was paused or shut down during vulnerability assessments.
- Circumvention of Privilege 3 (Oh, hell no) -- VMs can circumvent L3 restrictions in other ways by allowing local users who are restricted in their own environments to install and execute code on the vm. Even when a local machine has install restrictions in place on the desktop, a VM could be used (and, of course, assuming it can be installed) to install and utilize third party, unlicensed, or other code which would otherwise be detected and disallowed in the regular environment.
- Biggie Smalls, the Revenge of the Cycle -- Cloudsourced VMs which are available to users create a situation where, unless carefully managed, users can utilize blind vms or even controlled vms to generate cycles which are then billed. AWS, Azure, etc. all default allow users of privilege to both spin up and utilize vms of all sorts which can then be left running, overrun for some purpose, or simply spun up out of control and as such result in unexpected billings and overages.
- The Bridge over the River VPN -- creation of VPN outbounds on VMS can allow relayed network traffic or even routed traffic into other VPNs which may compromise security in the local L3 environment.
- Circumvention of Privilege 4 (Rocky Lives) -- shared folders in the VM may be shared as can usbs and other local and virtual devices. These types of shares may be enabled and as such create chained shares into the enterprise network L3 or higher. If these types of shares are not monitored carefully, it may be possible to create shares which are not prevented by the L7 tools.
What to do:
- Develop sound policy and enforce it
- Don't assume that your current L3-7 policies behave in the same way when users are allowed to create VMS and/or spin up VMs in vpn based remotes
- Don't assume that VMs are subject to the same desktop restrictions which have been emplaced on the live desktops
- Don't assume that permission permeate the VM world in the same way
- You need to control VM spin up, desktops, and structure but you need to find more direct methods of detecting VMs (scanning, IDS, etc.) that may be rogue.
- Don't forget to pen test and VS (and develop methods for conducting those audits) as well.
- Prevent the installation of Type 2 hypervisors
- Set careful controls on Type 1 Hypervisors and ensure through audit that permissions are controlling user abilities in the same ways you expect controls to behave at the local desktop level.
- Ensure that audit controls test all these permissions carefully
- SolarWinds Unveils Cloud-First Backup Service for Dedicated Servers and Virtual Servers - Hosting Journalist.com
- VMware acquires E8 Security to boost endpoint management platform
- Media Alert: RiskIQ Expands its Worldwide Threat Hunting Training Workshop Tour for Cybersecurity Analysts
- [primary-term/gfi-software-launches-gfi-unlimited-revolutionary-business-software-subscription-0 GFI Software Launches GFI Unlimited -- A Revolutionary Business Software Subscription]
- NGINX Simplifies the Journey to Microservices
- Qualys Buys 1Mobility Software Assets