Thanks to all who came out at 8:30 AM on the third day of the con. It was a good group and I’m very happy to say that the panel was all user questions by about halfway through. Good to see the interaction and people engaged.
A question got posed about virtualization hacks/0day/academic research targeting the hypervisor and whether that should prevent companies from adopting virtualized tech. While I love a good conversation on security research, the vast majority of organizations don’t have the risk profile where those attacks are likely. They require targeted attackers with the skills, expertise, and desire to burn extremely valuable exploit dev to access your network. Those things cost a great deal of time and money, and attackers aren’t going to expend the effort when the attacks we already know about work all too well. Far more likely is that those overwhelmingly successful and well-known techniques will be used. Hacks like SE’ing users into visiting malicious sites that exploit client-side bugs, phishing campaigns that exploit known vulnerabilities in unpatched third-party apps (Java/Flash/Reader), or poor secure-coding practices that enable SQLi or XSS vulns are far more common. Why would an attacker stop using what’s already working?
What’s important about this question is that these concerns typically throw delay or confusion into the works of an IT shop or a security program over ‘how secure is it’ and ‘is this compliant’. This is a big deal; I consistently see people struggling with these questions and causing all sorts of chaos.
The good news is that we already have techniques and methods to help understand this stuff, and the controls we already know are still relevant. Worried about hypervisor attacks? This isn’t anything new. We’ve seen the same stuff against every platform and technology. If you’re worried about vulns in your applications or systems, assess them and, more importantly, patch regularly. You don’t know what 0day exists in your MS Office products, your Oracle DBs, your iOS gear, etc. You won’t find out much reading the release notes beyond things like ‘remote code exec’ or ‘auth bypass’, so assume the worst and patch your gear. More later on good strategies for doing that at scale and consistently, but for now I’ll stick with stomping my foot at a practice that bites so many people and is so often done poorly.
I’ll leave with a quick note about the work we presented and say I’m proud of the direction we’re taking: actually looking at products (hands-on), validating the compliance controls in them, and providing guides to VMWare customers. Having been an infosec guy at a big enterprise, this kind of material didn’t exist for anyone’s products. Most importantly, this isn’t the garbage ‘gold star of compliance certification’ that exists all too often in our industry. It’s a good jumpstart to helping people manage a complex and diverse network and making people’s lives easier.
Looking forward to more good work to come in this space.