InfoSec events London
I’ve been looking for a place that lists Information Security events in London/UK for a while now and didn’t come across anything I particularly liked, so I decided to start my own event overview. Obviously it consists mainly of events I’m aware of and/or participating in, but I’m happy to add relevant events if someone lets me know about them.
The calendar can be accessed via the top menu or this direct link – InfoSec Events London
Cloud Security Alliance announces certification
With all the news and information coming out of BlackHat 2010, DefCon 18, BSides Las Vegas and, not to forget, WikiLeaks these past days, the announcement of the first user certification for cloud security didn’t get much of the attention it probably deserved.
The Cloud Security Alliance, in cooperation with the European Network and Information Security Agency (ENISA), created the “Certificate of Cloud Security Knowledge” or CCSK to “…ensure that a broad range of professionals with a responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.” I think it was just a matter of time until a specialized certification would become available for cloud professionals, but I didn’t expect it to happen this soon, nor to come out of the CSA. The CSA is a great initiative and seems to have the clout and knowledge to initiate a trustworthy certification program, but at this point the Common Body of Knowledge, which is derived primarily from -
- Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1
- ENISA Cloud Computing Risk Assessment
seems a bit light. That said, the FAQ already accounts for upcoming revisions of the certification, so I would expect an evolving CBK similar to e.g. EC Council’s CEH. I’m interested to see what the adoption rate in the first year will be and whether established certification bodies like ISC2, EC Council, Microsoft, etc. fully acknowledge it or start their own cloud certifications.
In slightly related news – Microsoft’s research labs released a paper titled “Cloudward Bound: Planning for Beneficial Migration of Enterprise Applications to the Cloud”. It takes a fairly scientific approach, looking at hybrid cloud hosting for enterprise applications. From the abstract -
“In this paper, we tackle challenges in migrating enterprise services into hybrid cloud-based deployments, where enterprise operations are partly hosted on-premise and partly in the cloud. Such hybrid architectures enable enterprises to benefit from cloud-based architectures, while honoring application performance requirements, and privacy restrictions on what services may be migrated to the cloud.”
NIST Guide to Security for Full Virtualization Technologies
The National Institute of Standards and Technology is currently working on a new Special Publication (800-125) that deals with security concerns around virtualization technology. The paper is currently released as a draft for comment, and public feedback is requested until August 13th 2010 as described below.
“NIST requests comments on draft SP 800-125 by August 13, 2010. Please submit comments to 800-125comments@nist.gov with “Comments SP 800-125″ in the subject line.”
I quickly read through the draft and it turns out to be a fairly general overview of virtualization types and the common issues to consider regarding the technology, as well as the overall life-cycle. It is a good primer for the topic but it lacks some depth; most readers are probably already familiar with the content, as it is covered in more depth in guides like -
- CPNI Security considerations for server virtualisation
- vSphere 4.0 Security Hardening Guide
- DISA Security Technical Implementation Guides
- Microsoft Hyper-V security guide
Overall the draft paper is a worthwhile read, especially since it is only 35 pages long at this point, but some sections leave me wishing for more. In section 4.1 “Hypervisor Security” I’m missing a better discussion of the hardware that supports/enables the VMM and the inherent trust the hypervisor puts in this part of the underlying system. While the paper mentions hypervisor integrity and physical system security, this point deserves better coverage in my view.
Link to the draft – SP800-125 Guide to Security for Full Virtualization Technologies
Security, compliance and the World Cup 2010
I couldn’t really say that the whole conversation around security and compliance ever calmed down much, but I seem to hear people talking about it a lot recently. On the one side there are the security vendors who see it as an opportunity to justify budget requests for whatever solution they are trying to sell; and why wouldn’t they? Regulations were put in place to force organizations to implement a basic level of controls, and if the vendor’s solution covers a certain control area (however far-fetched the link is) the case might be just that little bit more appealing to the CFO to close the sale. On the other hand there are the security professionals whose responsibility it is to secure the organization and minimize the overall risk as a whole, not just the piece of the infrastructure the auditor shines his torch on. These guys typically struggle to find funding to implement essential security controls which are not necessarily related to any compliance requirement but would considerably raise the overall security posture. Being the smart people they are, security professionals have realized that complaining about the situation does not help as much as trying to make the best out of it.
The first step obviously is to understand which external and internal compliance requirements apply to your organization. Not an easy task, but once it is understood, the relevant regulations, policies, guidelines, etc. can be layered on top of each other and control requirements can be mapped to see where you can realize consolidation benefits. Services like the Unified Compliance Framework should help with this.
For the sake of this little write up I’m picking some random control requirements as an example.
Once the control requirements have been identified they can be addressed. You can approach this by looking at the requirements and working on them one by one until all the boxes on the audit sheet are ticked; you’ll likely pass your audit, but the cost/benefit ratio from an overall security posture point of view might be less than desirable – a bit like fire fighting with a watering can. In the end you might find yourself without any budget left for other security projects, as you’ve used it up fulfilling your compliance requirements. Not an ideal situation, and I would assume rather annoying if you find yourself in this position. It might seem like security controls are randomly sprinkled over your infrastructure without much value added.
But you could also try to see compliance requirements as a chance to increase the security posture of your organization for real. This might not always be possible, it will be harder to accomplish, and it requires some creativity and time, but it will probably pay off and make your job more satisfying. So, step back, look at what you can work with and connect the dots. If you find the correct links, group the right controls and align your assets cleverly, you might be on your way to winning the game.
What I’m trying to say is that compliance requirements have the same goal as your security strategy – to keep your organization ahead in the game without risking any foul play, offside or penalties. The players nominated may not be your first choice and maybe you don’t like the condition of the playing field, but you are the coach and can bring this home with the right game plan. Just like a real coach, you would probably not put together a team of players who can do only one thing really well, but rather look for players who have their core talent but cover other areas of the game too. To snap out of the soccer analogy – if you look for solutions to cover your compliance requirements which provide additional value that is beneficial to your overall security strategy, your budget might go further and your CFO might like you better. (no promises)
Agent-based antivirus in virtualized environments
Someone recently approached me asking for advice on how to configure antivirus on virtualized endpoints, as they had received complaints about poor performance on their infrastructure. After I got very briefly excited that the request would give me a chance to discuss hypervisor-based malware protection, it turned out that the only option at this point is plain old (thick) antivirus agents in each guest VM. To my surprise it seemed that few of the – seemingly obvious – configuration options to lessen the pain were set. After looking around online I found very thin coverage of this topic, so I decided to write up my take on it. Please feel free to let me know your opinion, criticism or suggestions.
As the technology matures, new options to protect data processed in virtualized environments become available. At this point, however, the malware protection strategy for virtual infrastructure (VI) in many organizations is still focused on agent-based technology. Unfortunately conventional antivirus solutions have the potential to cause considerable stress on shared VI resources. However, many antivirus solutions do provide configuration options to mitigate the performance hit on these shared environments. The following sections provide thoughts on what to implement.
Coordinated maintenance windows
As mentioned above, the key point is to minimize concurrent load on the hardware resources. This requires planning inside and outside of the antivirus solution to avoid bottlenecks.
Identify service hours and maintenance tasks required for the virtual infrastructure
This might seem obvious, but an effort should be made to correctly identify the core service hours of the virtual workloads. A capacity management team or similar personnel should be consulted in multi-tenant environments to identify periods with low workload pressure which would be suitable maintenance windows. Careful planning is required to ensure that maintenance tasks do not affect the other tenants during their core service hours, when resources are scarce. Capacity management should collate the relevant maintenance tasks for the environment to ensure that capacity reserves are adequate for seamless service.
Schedule maintenance tasks in a coordinated way
Once preferred/potential maintenance periods are known and the necessary activities are understood, the individual activities should be scheduled in non-conflicting timeslots where possible. Poor planning, with multiple support teams trying to run service tasks on multiple assets at once, might result in resource exhaustion for the whole infrastructure, as illustrated below.
Ideally this can be avoided by assigning appropriately timed timeslots to the support teams, spreading out the overall load on the virtual environment across the maintenance periods.
Typical maintenance tasks to consider with regard to resource contention are conventional backup and restore jobs, snapshot creation and clean-up, software deployments to guests or host systems, antivirus scans, vulnerability assessments and inventory scans, etc. Once it is clear what time and timeframe is available for antivirus-related tasks, further planning can take place.
Methodical endpoint configuration
There are several configuration settings to optimize resource utilization within and outside the maintenance window. Often these settings are applied to logical groups (e.g. ‘Domains’ in Trend Micro, ePO sites/groups for McAfee ePO-managed endpoints, etc.), which requires the endpoints to be grouped according to their configuration requirements. This should be done as a first step where it does not conflict with existing categorization methodologies.
Set scan exclusions
Usually there are no special scan exclusion recommendations when it comes to guest OSes in virtual machines, but general advice on exclusions is provided by Microsoft, antivirus vendors and often application vendors. From a performance point of view it might be beneficial to limit the scope of the full scan to known-risk file extensions like .exe, .com, .vbs, etc. (e.g. the IntelliScan setting in Trend Micro).
For further details please refer to:
What Anti-Virus scanning exclusions should be considered for system and servers?
VMware http://www.vmware.com/files/pdf/VMware-View-AntiVirusDeployment-WP-en.pdf (pg. 8)
Limit agent resource consumption
Many antivirus solutions provide the option to either tune or limit their resource consumption on the protected endpoint during selected scanning tasks. These settings can be used to reduce the load on the endpoints during resource-intensive tasks, but it is important to understand that
- this is an estimate of the consumed resources and not a 100% reliable measure
- limiting the available resources might result in an extended runtime of the maintenance task
If it is decided to use these configuration options, it should be verified that all necessary maintenance tasks are completed within the allocated time window on all agents.
Aligning tasks and timings
Once the general maintenance windows are defined, the antivirus-specific tasks and timings can be reviewed. The key points to take into consideration are the update tasks (policies and virus signatures) and the on demand scan timings.
Optimizing update tasks
Updates of agent components can consume considerable resources on shared infrastructure, especially if the workload is scheduled to execute at the same time for all agents across the cluster. This is easily illustrated by the simple equation below.
Update Volume = (Update size per AV component × Number of out-dated components) × Number of endpoints
Assuming there is a respectable number of live endpoints on a cluster, the update distribution of a single antivirus component (e.g. a pattern file) can be quite a strain on the vswitch(es). This pain point can be reduced by regular incremental updates, phased update windows and pull randomization within the update window. The options you have to implement mitigation measures depend on the capabilities of your antivirus product.
On Demand scan schedule
It is debatable whether on demand scans (ODS) are necessary if all endpoints are protected by on access scan (OAS). Some vendors recommend turning ODS off in virtual infrastructures, but ultimately this is a risk decision your business will have to make. Points to consider –
- Is OAS enabled all the time, or might there be protection gaps introduced by automated processes or human error/deliberate acts?
- Does OAS reliably identify and stop relevant malicious code?
- Is OAS an appropriate risk mitigation for the environment, or should it be turned off?
- The cost of other clean-up processes if malicious code got past OAS (out-dated AV component, disabled service, etc.)
There are probably other reasons you might think of, and every situation will lead to a different decision outcome. If you decide ODS is not for you, just skip ahead.
Taking the timings of the update tasks into account, the support groups should then go on to consider the time settings for the scheduled scan task. It makes good sense to run the ODS at a point after the updates have been applied to the endpoints. This ensures that the latest available virus signatures are used during the scan.
As mentioned in the previous sections, care must be taken to ensure that the on demand scan runs at a time that does not conflict or overlap with other system-related tasks. Usually an on demand scan can be configured with a maximum scan period, after which the ODS is forcefully ended. Keep in mind, however, that the scan might then be stopped before it has inspected all data, potentially leaving malicious code undiscovered.
The picture below illustrates the effect of a default – unmethodical – antivirus configuration. The tasks scheduled to be carried out during the allocated maintenance window all start as soon as the window opens. While this might not have a negative impact on the overall service (as it is happening during the maintenance period), it is certainly far from ideal.
The result of this setup would be random consumption spikes as agents on the shared infrastructure start their ODS task. This might trigger monitoring thresholds and raise (debatably false) alarms, incurring unnecessary investigation work for support teams and/or dulling awareness of real alerts. Due to the overlap between the pattern update and the ODS, some agents might scan with out-dated pattern files, also reducing the effectiveness of the scan.
The setup illustrated below is preferable, as it ensures the shared resources are utilized in a more controlled pattern, avoiding spikes in consumption as much as possible.
While there might be some overlap of ODS start/end times between the groups, the overall resource consumption will be more evenly spread out. The asset owner will have to review and decide how their assets can be set up in logical groups and define the scan times of all groups.
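To make the planning in the update-volume and scan-scheduling sections above concrete, here is a small Python model I added for this write-up; it is not code from the original post or from any antivirus vendor. It evaluates the update-volume equation, compares a fixed-time update pull against a phased window with pull randomization, and compares the default layout (every group starts its ODS the moment the window opens and updates are done) against staggered group start times, reporting the peak number of agents active in the same minute and any group whose scan would overrun the window or be cut off by a maximum scan period. The group names, endpoint counts, scan runtimes and the six-hour window are constructed sample values, not measurements from any real environment.

```python
"""Maintenance-window planning for agent-based antivirus on shared virtual
infrastructure. Added example, not code from the original post or any AV
vendor. All group sizes, scan runtimes and window lengths are constructed
sample values."""
from dataclasses import dataclass
import random


@dataclass
class EndpointGroup:
    name: str           # logical group, e.g. an ePO group or a Trend Micro domain
    endpoints: int      # guest VMs in the group
    scan_minutes: int   # typical full ODS runtime for one guest in this group


def update_volume_mb(component_mb, outdated_components, endpoints):
    """Update volume = (update size per AV component * out-dated components) * endpoints."""
    return component_mb * outdated_components * endpoints


def peak_concurrent_pulls(groups, phase_minutes, randomize, seed=1):
    """Peak number of agents pulling an update in the same minute.

    Each group gets its own phase of the update window. Without randomization
    every agent pulls at the start of its phase; with randomization each agent
    picks a random minute inside its phase. Returns (peak, minute_of_peak).
    """
    rng = random.Random(seed)  # fixed seed so the sample run is reproducible
    pulls = {}
    for phase, group in enumerate(groups):
        phase_start = phase * phase_minutes
        for _ in range(group.endpoints):
            offset = rng.randrange(phase_minutes) if randomize else 0
            minute = phase_start + offset
            pulls[minute] = pulls.get(minute, 0) + 1
    peak_minute = max(pulls, key=pulls.get)
    return pulls[peak_minute], peak_minute


def ods_schedule(groups, update_minutes, stagger_minutes):
    """Give each group an ODS start offset (minutes after the window opens).

    Scans start only after all update phases are over so they use the latest
    signatures. stagger_minutes=0 reproduces the default layout where every
    group starts at once; a positive value spreads the groups out.
    """
    return [(g, update_minutes + i * stagger_minutes) for i, g in enumerate(groups)]


def peak_concurrent_scans(schedule):
    """Peak number of guests scanning in the same minute across all groups."""
    load = {}
    for group, start in schedule:
        for minute in range(start, start + group.scan_minutes):
            load[minute] = load.get(minute, 0) + group.endpoints
    return max(load.values())


def window_violations(schedule, window_minutes, max_scan_minutes=None):
    """Groups whose ODS would overrun the maintenance window, or would be cut
    short by the product's maximum scan period (leaving data uninspected)."""
    problems = []
    for group, start in schedule:
        end = start + group.scan_minutes
        if end > window_minutes:
            problems.append((group.name, "overruns window by %d min" % (end - window_minutes)))
        elif max_scan_minutes is not None and group.scan_minutes > max_scan_minutes:
            problems.append((group.name, "cut off by max scan period"))
    return problems


# Constructed sample inventory: four logical groups, 200 guests in total.
GROUPS = [
    EndpointGroup("web-tier", 40, 60),
    EndpointGroup("app-tier", 30, 90),
    EndpointGroup("db-tier", 10, 120),
    EndpointGroup("vdi-pool", 120, 45),
]
WINDOW_MINUTES = 6 * 60     # e.g. a 00:00-06:00 low-load period
PHASE_MINUTES = 30          # one update phase per group
UPDATE_MINUTES = PHASE_MINUTES * len(GROUPS)   # updates finished after 120 min


if __name__ == "__main__":
    total = sum(g.endpoints for g in GROUPS)
    # 30 MB pattern file, two out-dated components per agent (constructed values)
    print("pattern update volume: %.0f MB" % update_volume_mb(30, 2, total))
    for label, rnd in (("fixed pull times", False), ("randomized pulls", True)):
        peak, minute = peak_concurrent_pulls(GROUPS, PHASE_MINUTES, rnd)
        print("%s: peak %d agents pulling at minute %d" % (label, peak, minute))
    for label, stagger in (("default (all groups at once)", 0), ("staggered by 45 min", 45)):
        sched = ods_schedule(GROUPS, UPDATE_MINUTES, stagger)
        print("%s: peak %d guests scanning, violations %s"
              % (label, peak_concurrent_scans(sched), window_violations(sched, WINDOW_MINUTES)))
```

With the sample inventory the default layout has all 200 guests scanning at once, while a 45-minute stagger brings the peak down to the largest single group plus whatever overlaps it; pushing the stagger too far (try 90 minutes) makes the last groups overrun the window, which is exactly the check the "verify all tasks complete within the allocated window" point above asks for.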
