Here are 10 serious security threats and some suggestions on what to do about them.
1. Virtual host security
Virtualisation can help make more efficient use of hardware, but it also creates new security problems. In particular, it allows different virtual hosts to reside in the same physical machine where the traffic between them is difficult to monitor and screen.
The problem is compounded if virtual hosts replicate to other physical machines to meet increased demand for the services they provide. Rules for accessing these machines must accompany them, and this is complex, says Rob Whiteley, an analyst with Forrester Research.
"When you deploy virtualisation at scale, it becomes a burden to manage the virtual machines," Whiteley says. Access control is still important in virtual environments, but tools for replicating it are scarce.
This can cause problems in regulated environments such the Payment Card Industry (PCI), which has standards for handling sensitive customer data. PCI standards specify what types of machines are not allowed to talk to each other.
There are three ways to deal with the problem. First, all traffic can be routed out of the physical hardware that contains virtual machines, scanned and then passed back into the hardware to reach another virtual machine. "That is a huge tax on the I/O system," Whiteley says.
Second, businesses can deploy existing software firewalls such as Check Point"'s on each virtual machine, but deploying, licensing and managing them is difficult because they were designed for real-world firewalling, not virtual world firewalling. "It"'s an operational nightmare," Whiteley says.
Third, businesses can turn to purpose-built products that are designed specifically for virtual environments such as those from Altor Networks, Reflex Security and Stonesoft, he says.
Features to look for: whether the products scale well; whether the license structure is affordable; whether policies follow new images of virtual machines.
Another way to address the problem is involving network staff in server virtualisation projects. This insures that traditional security measures that would be considered if physical servers were being added for virtual machines.
2. Protecting the virtual machine monitor (hypervisor)
If the software that keeps track of multiple virtual machines on a single hardware platform is compromised, so are all the virtual machines it tends. "There are no known threats, so there are no known remedies, but it’s only a matter of time before someone hacks a hypervisor," Whiteley says.
Networks need to defend the hardware with firewalls and intrusion-protection systems (IPS) to keep known threats away from the hypervisor if possible. As for specific threats against the hypervisor, it is uncertain what products will work.
As a rule, seek embedded hypervisors that ship with server hardware because they generally occupy a smaller footprint, making them more difficult to break. The less code involved, the fewer places there are to find vulnerabilities.
Botnets -- millions of machines co-opted to do the bidding of a command and control center -- have the potential to take down networks via coordinated attacks. Bot software is becoming more sophisticated, changing its form to be less detectable on zombie systems it takes over and with the potential to morph slave machines into command servers.
When they attack, bots can paralyse networks via denial-of-service (DoS) attacks, but businesses can take steps against the threat through agreements with their ISPs, says Greg Young, an analyst with Gartner. They have a better chance of recognising traffic patterns that indicate botnets in use and of blocking them before they affect customer networks.
Users should also take steps to protect themselves against DoS attacks that botnets can generate within an organisation. Using IPSs for networks and individual machines can help mitigate the impact of zombie machines that generate high volumes of traffic as bot zombies, Young says.
"There"'s no silver bullet," he says, but points to start-ups such as Damballa as focusing solely on bot detection and mitigation as a place to begin.
4. Targeted attacks
Because this is a broad category, it is the most difficult to defend against, Young says. These attacks are custom designed for individual businesses or employees of companies in an effort to gain access to valuable resources.
They may combine a number of techniques such as phishing, exploiting application or Web vulnerabilities and use of bots.
"One common element is they manipulate you to take action yourself [such as clicking on a bogus URL] in order to work," he says.
These attacks are most often launched for economic gain, which can range from stealing personal data for resale, compromising intellectual property or holding a business for ransom by demonstrating the ability to take down the corporate network. In the latter case, businesses may decide to pay ransom because it is less expensive than network failure.
The steps that businesses can take are a collection of best practices such as human resource screening to defend against disgruntled employees, service protection contracts with carriers to fend off DoS assaults, and employee education about social engineering ploys that could get them to compromise the network.
5. Attacks via gaming and virtual reality sites
Attackers have developed exploits in multiplayer games that can take over a player"'s machine when the image of a malicious player crosses the screen, says Ed Skoudis, security consultant with Inteleguardians. This can take the form of bot-like control of the target machine, he says.
The exploit could also be used in virtual reality markets such as Second Life where participants can carry on transactions. "That attack vector is very fruitful," Skoudis says.
6. Browser threats
Public Web sites that are vulnerable to attacks can be seeded with malicious code that in turn attacks or takes over control of machines that connect to the site. This has the potential to undermine the networks that these machines are associated with, Skoudis says.
Besides stealing browser history and scanning other systems on a machine, these attacks have been shown to support Java-based TCP stacks that can set up VPN endpoints in the browser of a compromised machine. A VPN tunnel to such an endpoint would give an attacker access to a machine behind the corporate firewall, where it could connect to other systems inside the firewall, Skoudis says.
Similarly, such infiltrated browsers could infect systems that are then checked via browser by a network administrator, compromising the administrative machine and the entire network, he says.
The best defense is keeping virus software up to date, employing intrusion-protection gear and educating users about the problem.
7. Mobile phone browser exploits
Vulnerabilities found in certain mobile phones can be exploited to surrender control of the devices to attackers.
When users connect to malicious content within Web sites visited by their browsers, the content can take over the machine so it responds to commands from a remote attacker, says Rohit Dhamankar, the chief security analyst at Tipping Point.
8. Lost mobile devices
Proliferation of handhelds and smartphones in corporate environments mean more data will be lost or stolen along with the physical machine that holds it.
Countermeasures include encrypting data on the devices and installing software that can lock or wipe out the hard drive remotely to prevent thieves from accessing the data.
9. Insecure Web applications
Applications whose coding leaves them vulnerable to custom attacks pose a threat not only to the application and the content it can access, but to the network as well, says Nick Selby, an analyst with The 451 Group.
Applications are being developed with secure coding in mind, but many legacy corporate applications were designed for closed networks, Selby says. These include such basic applications as the control software used in manufacturing and utility networks as well as highly customised applications designed for individual businesses.
"We need secure coding in the development stage," Selby says, and that is coming, but it is not here yet.
He suggests that businesses use open platforms when possible because they often receive more scrutiny. "More eyes on the code gets protocols fixed faster," he says.
Quality assurance programs and production testing of applications are key to making sure they cannot be hacked. "Theses protocols need to be fuzzed," he says, referring to the process of barraging an application with random input data to find data a way to break the application.
IBM, White Hat Security, SPI Dynamics and others sell tools to put applications through the wringer before they are exposed to real-world traffic that may include hacking attempts, Selby says.
Web application firewalls, automated source-code analysing and manual testing of applications for vulnerabilities also can help, says Michael Montecillo, an analyst with Enterprise Management Associates.
Oddly, being too diligent in protecting against threats may become a liability if those threats are no longer the most dangerous to the corporate network, Young says. "You may spend money on upgrading an [intrusion-detection system], but that might not have the most value for your organisation," he says.
He calls this phenomenon rust-out because the usefulness of a tool may wear away over time without businesses recognising this and they may blindly upgrade without weighing whether it delivers the most cost-effective protection for the network.
Newer, more potentially damaging threats may warrant new tools, Young says, and because businesses always work within budgets, they must regularly review their entire security architecture to make sure its effectiveness hasn't corroded with time.
This can challenge well-established security thinking such as the value of firewalls, says Babeck Pashdar, a security analyst and founder of consulting firm Bat Blue. "Firewalls are noise-management only," he says. "A firewall has only the ability to say who the source is, the IP address, what the destination is and the conduit [the traffic] uses. It does not have the ability to look within that conduit to tell if it's well- or mal-intended."
The best remedy for rust-out is regular bottom-up review of security architecture in context with the latest threat patterns and spending money on the most effective defenses, Young says. "Issues of balance are least exciting but most effective," he says. "You can"'t have the IT-security budget exceed the IT budget."