In August 2012, the IT industry read headlines about a malicious Trojan known as Crisis or Morcut, which spread across PCs and Macs with the purpose of intercepting financial data.
But what made this particular piece of malware special was one of the ways it spread – by targeting virtual machines. This was one of the very first pieces of malware to target virtual machines for infection…in the past, malware intentionally avoided virtual environments, since they are frequently used by security researchers to analyze malware. But cybercriminals will always “follow the money,” and as virtualization has surged in popularity, it’s no surprise to see this change in tactics.
Just how popular has virtualization become? According to a Forrester survey in 2012, 85% of companies have either implemented server virtualization, or are planning to do so. According to a global survey of businesses conducted by O+K Research in 2012, 81 percent of US companies run business-critical services in virtual environments.
But, while virtualization has grown in popularity, securing virtual environments has lagged behind. In fact, a Gartner report claims that “… in 2012, 60% of virtualized servers will be less secure than the physical servers they replace”. So what reasons lie behind the apparent paradox of ‘fast to virtualize, slow to secure’ when security threats – particularly from malware – are greater than ever before?
The primary reason behind this lag in virtualization security is a perception that a virtual machine is more secure than a physical one. The truth is that while virtual machines may be less prone to threats such as spyware and ransomware, they are just as vulnerable to malware in the form of malicious email attachments, drive-by-downloads, botnet Trojans and even targeted ‘spear-fishing’ attacks. One major security benefit of virtualization is when a temporary virtual machine is “turned off,” any malware is typically wiped away with it, and a new virtual machine can be created from the base configuration. Now, we’re seeing examples of malware that can survive the decommissioning of non-persistent virtual machines and become active again when the virtual machine is put back into operation.
In fact, the main befit of virtualization is actually the source of its greatest security weakness. According to the National Institute of Standards and Technology:
“Virtualization adds layers of technology, which can increase the security management burden by necessitating additional security controls. Combining many systems onto a single physical computer can cause a larger impact if a security compromise occurs. Further, virtualization systems, which rely on a shared resource infrastructure, create a dangerous attack vector in which a single compromised virtual machine impacts the entire virtual infrastructure.”
Here is a quick overview of the top risks to the virtual environment:
- Infection in one virtual machine has the ability to infect data stores that other virtual machines use, spreading the infection and compromising additional systems and data.
- One virtual machine can be used to ‘eavesdrop’ on another virtual machine’s traffic.
- Malware has historically been created to avoid virtual systems. Now malware creators are writing code that targets both physical and virtual machines. Some malware is designed to survive the ‘tear-down’ of a non-persistent virtual machine allowing it to ‘return’ when the virtual machine is re-commissioned.
But despite these risks, Security has been largely an afterthought in the server virtualization movement. In most IT organizations, it is the network team, the server team, or the Data Center team that handles server virtualization deployment projects, with the security team often joining in at a later time. In most cases, the conventional thinking is to apply existing security practices for physical devices to the virtualized environment, and believe that whatever has worked for physical environments will be good enough in the virtual environment.
Businesses may assume that their virtual infrastructures are already secured via perimeter security. But now that VMs are being deployed for desktop applications and critical server applications, securing the edges of a network isn’t enough. Having “no security” on these critical endpoints isn’t an option anymore.
It’s also important to understand that since virtual systems are different from physical systems, virtual machines should be protected differently than physical endpoints. When evaluating virtualization security solutions, businesses should pay attention to the differences between “agent-based” and “agent-less” offerings. An agent-based offering follows the traditional model used to secure standard workstations – a copy of the software runs on each machine. But with virtual machines, instead of having each individual workstation responsible for protecting itself, businesses can instead off-load security activity onto a single, separate appliance. This agent-less approach offers several advantages for virtual endpoints, including:
- A central scanning engine means each machine isn’t wasting time scanning the same files – they are scanned centrally, which doesn’t drain resources from each endpoint
- Virtual machines are created under the security umbrella of the central scanning engine, eliminating the so-called “Instant-On Gap,” where a new virtual machine is created, but defenseless until security software can be installed.
- Security updates are downloaded, configured, and installed once by the central security appliance, not by each virtual machine. This avoids “AV-Storms” caused by numerous machines downloading updates at the same time, and drastically slowing down the network.
Understanding the realities of virtualization security lets IT managers take the first steps towards securing their network without sacrificing the performance and flexibility that made virtualization so appealing in the first place.
-Mark Bermingham, Director, Global Product Marketing, Kaspersky Lab
 The CISO’s Guide to Virtualization Security, Forrester Research, Inc., January 2012
 Gartner: Virtualization security will take time, SCMagazine.com, March 2012
 Guide to Security for Full Virtualization Technologies, National Institute of Standards & Technology