Securing the Virtual Environment: How to Defend the Enterprise Against Attack

About the Book

Table of Contents:
Introduction

Chapter 1 Virtualized Environment Attacks
A Brief Introduction to the Cloud · Flavors of "Cloud" · Powering the Cloud · Why the Cloud Is Here to Stay · Managing Cloud Security · Principles of Information Security · Information Assets · Potential Threats · Potential Vulnerabilities · Potential Consequences · Incremental Risk Mitigation · Deny by Default · Never Trust Input; Assume the Worst · Confidentiality, Integrity, and Availability · The Human Factor · Managing Cloud Risks · Asset Management · Vulnerability Assessment · Communication · Authentication and Authorization · Software · Managing Cloud Compliance · Defining Compliance and Security · Making Use of Warnings · Cloud and the PKI · Summary

Chapter 2 Attacking from the Outside
Who Is an Outsider? · HR Policies and Procedures · Contracting and Outsourcing Talent · Friends and Family Discount · Configuring Cloud Audit Logs · Keeping Tabs on Accounts · Extending and Trusting Communication · Delegating and Spreading Roles in Order to Scale · Novice Users Empowered by Cloud Environments · Outsourced and Offshored Resources · SaaS Software Development at "Cloud Speed" · The Needs of Bespoke Solutions · Ensuring Continuity · Underspecialization · How to Piggyback on Fixes · Sudo and Shell Logging · Spoofing a Certificate · Summary

Chapter 3 Making the Complex Simple
Looking Around Without Getting Caught · Checking to See If Anyone Is Watching · Checking for Gaps in Awareness · Checking for Responsiveness · Complexity and the Cloud · Choosing a Spot with a View · The Hypervisor · The Director/Orchestrator/Manager · Assessing the Risk from Assessors · Slicing and Dicing Data · Detecting Layers of Virtualization Technology · Identifying and Targeting Assets · Versions · Supporting Infrastructure · Mail Servers · Web Servers · Domain Name Service · Databases and Directory Services · Timing an Attack · Long- versus Short-Term Objectives · How Long before You Are Ready to Attack? · How Long before You Can Attack Again? · Summary

Chapter 4 Denial of Service
Finding Signal in Noise · Improving Denial · Distributing Denial · Defining Success · Finding Service Vulnerabilities · Scanning and Validating Service Levels · Abstracting and Overcommitting · Validating Complexity · Limits of Penetration Testing · Denial of Testing · Testing for Denial · Abusing Proximity of Services: Step Attacks and Speed Attacks · Exploiting Service Vulnerabilities · Breaking Connections Between Services · Exhausting Resources · CPU · Memory · Disk Space and IOPS · The Dangers of Overcommitment · Locking Out Others · Summary

Chapter 5 Abusing the Hypervisor
Replacing Hardware Layers with Software · Relating Physical to Virtual · Displays · Memory · Disk · Network · Compromising the Kernel · Low-Level Interception · Real-World Example: Duqu · Classification and Defense · Breaking Out of KVM · Attacking Virtual CPU and Memory · The Cup Is Half Secure · Taking Plato's Shadow Pill · Demonstrating the Risks · Qualifying Fear and Uncertainty · Measuring Failure Rates · Focusing on the Shortcomings of New Technology · Finding the Different Yet Old Attack Surfaces · Network · Systems · Databases · Escaping Jails, Sandboxes, and Buffers · What Is the Purpose of Root, Anyway? · Breaking Away from Identifiers · Every Door Is the Front Door · Summary

Chapter 6 Finding Leaks and Obtaining a Side Channel
Peeping Toms · Working Around Layer 2 and Layer 3 Controls · Becoming a Regular Man in the Middle · VMware vmKernel, vMotion, and Management Traffic · Xen and Live Migration · Mayhem with Certificates · Eliciting a Response by Manipulating State · Noisy Neighbors · Working on Shared Paths · Risk of Co-Tenancy · Detecting Co-Tenancy · IP-Based Detection · Timestamp Fingerprinting · Latency Testing · Cache-Based Detection · Conclusion · Forcing Co-Tenancy · Avoiding Co-Tenancy · Summary

Chapter 7 Logging and Orchestration
Logging Events · Virtualization and Cloud Logs · Multitenancy · Collating, Archiving, and Protecting · What to Look for in a SIEM Solution · Safety and Reliability · Sampling, or Getting Ready for the Auditors · Testing Incident Responsiveness · Tampering with Infrastructure · Adding, Duplicating, Deleting, and Modifying VMs · Modifying Logs: Hiding from SIEM · Orchestration: Good and Evil · Solving Business Challenges · Why Orchestrate? · The Power of Elasticity and Agility · Devops and the Cloud · Risks Resulting from Orchestration · Outdated Images or Templates · Archived Exploits · Runaway Infrastructure Intelligence · Exploiting Orchestration Directly · Tarnishing Gold Images · Exploiting Image Customization to Modify VMs · Attacks Against Backups and Snapshots · P2V · Summary

Chapter 8 Forcing an Interception
Mapping the Infrastructure · Finding and Exploiting the Middle Ground · Abuse of Management Interfaces · APIs and System Communication · Getting around API Blockades · Playing Games with Management Tools · Elastic Nightmares: Moving Data in the Clear · Finding Secure Boundaries · Summary

Chapter 9 Abusing Software as a Service
When All You Are Is a Nail, Everything Wants to Be a Hammer · Managing Identities · Centralizing and Federating · Finding Integrity Bugs · Finding Confidentiality Bugs · Trusting Authorities · Secure Development · Data Entropy · The Ubiquity of the Browser · Average Users and the Pain of Software Evolution · Stuck on JavaScript · The Risks of SaaS · The Attackers Have Your Environment · Homogeneity and the Rate of Infection · Summary

Chapter 10 Building Compliance into Virtual and Cloud Environments
Compliance versus Security · Virtualization Security · Brokering · Proxies · Federation · Virtualization Compliance · Working with Auditors and Assessors · Using Checklists and a Master Matrix · Should Do versus How To · ISO 27001, SAS 70, and SOC 2 · Managing Expectations · Service Organization Controls · Automating Scope Assessments · Managing Change · HIPAA · FISMA, NIST, and FedRAMP · Summary

Appendix A Building a Virtual Attack Test Lab
Components of the Virtual Penetration Testing Lab · Physical versus Virtual · Hungry for RAM · Installation Order · Bill of Materials · Building the Gateway · Building the ESXi Hypervisor System · Configuring Shared Client Networking · Adding a Secondary IP Address to Windows 7 · Adding a Secondary IP Address to a Mac · Adding a Secondary IP Address to a Linux System · Building Xen · Building KVM · Using Your Virtual Environments: Virtual Attacks · Adding Vulnerable Virtual Machines · Setting Up Backtrack · Where to Go from Here · Build the Cloud Stack · Eucalyptus · VMware vCloud · OpenStack · Amazon AWS · Start Building an Archive

Appendix B About the Media

Index

About the Author:
Davi Ottenheimer is president of flyingpenguin and a security/compliance consultant to VMware. He was previously responsible for security at Barclays Global Investors and at Yahoo! He also has helped secure Cisco, U.S. DoD, IBM, Intel, State Farm, and the University of California. Matthew Wallace is a solutions architect at VMware and was the founding engineer of Exodus Communications' Managed Security Services.




Product Details
  • ISBN-13: 9781118239261
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: John Wiley & Sons Inc
  • Language: English
  • Sub Title: How to Defend the Enterprise Against Attack
  • ISBN-10: 1118239261
  • Publisher Date: 23 Apr 2012
  • Binding: Digital (delivered electronically)
  • No of Pages: 408

