6/13/2014
09:00 PM

VDI Under The Security Microscope

Black Hat USA researchers explore security risks with virtual desktop infrastructure with BYOD.

Desktop virtualization is often mentioned as an attractive way to address some of the security challenges around bring-your-own-device (BYOD) approaches.

Yet the promise of security that typically goes along with talk of VDI (virtual desktop infrastructure) is not ironclad. Understanding the security risks that exist with VDI as enterprises embark on BYOD initiatives is the subject Michael Shaulov and Daniel Brodie of Lacoon Mobile Security plan to address during their presentation at the upcoming Black Hat USA conference in Las Vegas.

"Our presentation is not about destroying the myth about VDI but rather a guidance of how to evaluate and quantify different security aspects when moving forward with mobility initiatives," Shaulov tells Dark Reading. "VDIs bring a lot of value in use cases when the device is lost ... it's just that VDI vendors do not have any cybersecurity expertise and therefore do not close the gap in that space."

One of the most touted security benefits of VDI is that data stays in the data center and is not stored locally on the device. Yet that may not matter in the event the device is compromised. The research focused on smartphones infected with screen-scraping, keylogging malware designed to steal data. With such malware in place, an infected phone can cough up user login credentials for VDI sessions, leading to a wider compromise. The malware and surveillance kits the researchers used are in the wild and can be purchased for $50 to $100.

Two-factor authentication cannot fully address the issue, says Shaulov, noting that a text message notification of a login attempt could still be intercepted by malware.

"We quantify the in-the-wild threats using the research we've conducted with [CheckPoint Software Technologies] and provide the statistics on their prevalence on employees' smartphones within enterprise networks," says Shaulov. "We show that many corporate clients are now exposed to targeted malicious activity on their employees' mobile devices."

"While we [are] demoing the attacks with Citrix," he adds, "[these] attacks apply on any VDI solution. Moreover, we are very careful not to destroy the value of VDI solutions, as they do bring a lot."

The solution to the issue is mobile malware detection and scanning, he says. The company is currently working on a partnership with Citrix to provide the functionality.

"We are moving forward with our partnership with Citrix," he says, "and [are] just trying to raise the awareness around the gaps and why enterprises need to make sure that they cover everything when [they] implement a mobility program."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
rowie3103,
User Rank: Apprentice
10/14/2014 | 4:39:03 PM
User Adoption
User adoption has been very low because I think of 2 main reasons - the User Experience is inadequate or the architecture does not scale. Providing Persistent desktops to 100 people on a PoC is easy, then when you go to 300 the projects typically end up having to acquire more hardware (server and Storage) and the ROI goes out the door. User Virtualisation (UV) technologies out there today can now provide that nirvana of a Non-Persistent desktop with a persistent look and feel. Providing a single gold image that is reset at log off and if the user has changed any of their settings then that is backended into the UV system. This must also be bi-directional and seamless from thick client to thin and back again, even OS to OS.

The user experience can be a raft of issues but what I see mostly is poor login/logoff times due to poor execution of Windows login scripts, Windows GPO's being sequentially applied, and applied whether they are needed or not. Again UV technologies can assist here with applying GPO's in a multi threaded way, and also moving from a just in case delivery model to a just in time i.e. Load Outlook policies when I start Outlook etc. And of course the dreaded roaming profile .... these can be fixed as well with a good UV strategy.

The other big gotcha in VDI costing, that is never thought of, is Device Based License Control i.e. MS Visio, MS Project, Adobe etc... If you have 10 licenses of Visio for instance and 1,000 users connecting to the VDI environment you must license Visio for 1,000 users. See:

https://pinpoint.microsoft.com/Applications/4294982790?locale=en-gb

This becomes quite expensive....

My .02 cents worth - a great article and some great comments as well
rowie3103,
User Rank: Apprentice
10/14/2014 | 4:18:51 PM
Re: Virtualized Doesn't Mean Completely Different
Surely by implementing effective controls like Application Whitelisting and zero admins we can make virtual and physical PC's a lot more robust ? Certainly utilising a belts and brace approach to security you would deploy whitelisting on the servers and desktops from vendor A, and AV etc.. from Vendor B.

The key here is to ensure the technology you choose has the ability to implement these controls without affecting the user or his experience.
Marilyn Cohodas,
User Rank: Strategist
6/18/2014 | 12:24:10 PM
Re: VDI myths versus adoption rate
I hear you, Christian. Even for a basic user like me, there will always be that one app that I can only get on my own hard drive.
Christian Bryant,
User Rank: Ninja
6/18/2014 | 12:18:45 PM
Re: VDI myths versus adoption rate
@Marilyn Cohodas

I dreamed the dream of the cloud when I was young, and it was good.  Then the cloud came, and it was alright, but not what I'd hoped for.  I'd argue the point that we do and always will need PCs, for a particular subset of the tech user at least.  Consider this:  I am offline quite a bit, but I have my clunker Acer with Debian on it that holds every application I need to do what I do; at the heart of it, Git, so I can push back to the cloud when I get online.  I can't imagine life without my own personal box and I don't think I should have to; the cloud is nice for some things, but it isn't the end-all.  That's the user end, of course, and VDI and virtual technologies in general are often thought of more in the server space, where the super users and admins live.  But at the end of the day, while I love my 100+ strong VM farm of test systems, I would choose a small datacenter with real steel, iron and silicon over one that could vanish in a puff of bytes.
Robert McDougal,
User Rank: Ninja
6/18/2014 | 11:32:41 AM
Re: Virtualized Doesn't Mean Completely Different
Agreed.  Also, I would like to point out that while I believe VDI is a great technology with great benefits it still suffers from the greatest flaw that traditional computing does, the user.  If a user follows a malicious link on a VDI desktop or Windows PC, the result is the same.

We keep putting up walls but our users keep putting welcome mats down and giving the bad guys milk and cookies.
Randy Naramore,
User Rank: Ninja
6/17/2014 | 2:08:20 PM
Re: VDI myths versus adoption rate
Good point, maybe it has and it may be a while before we see that come to fruition.
Marilyn Cohodas,
User Rank: Strategist
6/17/2014 | 2:02:40 PM
Re: VDI myths versus adoption rate
If the profile resides on the server versus the device, I can see how it simplifies end user device management. As for the end of the PC as we know it, I think that train has left the station. If I can access my files and profiles virtually, who needs a PC?
Randy Naramore,
User Rank: Ninja
6/17/2014 | 11:43:12 AM
Re: VDI myths versus adoption rate
I do think it will have a big upside, you can have a Wyse device or some kind of boot device that connects back to server where the profile resides. The best part of VDI is the support and how it can all be concentrated back at the server instead of the PC. This will not eliminate PC, and not that I want that but in certain areas it will help.
Marilyn Cohodas,
User Rank: Strategist
6/17/2014 | 11:32:36 AM
Re: VDI myths versus adoption rate
Randy, do you think the problem with VDI is that users want to have their data where they can see it on the hard drive, or is it more of a management issue? I would think users are pretty used to working in the cloud and that's less of a factor. What are some other reasons you think VDI won't live up to its promise?
Christian Bryant,
User Rank: Ninja
6/17/2014 | 2:12:11 AM
Virtualized Doesn't Mean Completely Different
Great train of thought from Black Hat USA.  One must remember that a virtual environment, be it network or OS, still has the potential exploitable holes the actual environment has.  VDI brings ease of management to an ecosystem, but can't block every penetration opportunity by virtue of being virtual.  Plus, you've added more layers of penetration opportunities in the form of thin/fat clients (seen the list of Citrix exploits lately?), VDM connection servers now a target, app virtualization services open to attack and use for transport, and so on.  A needed microscopic review. 