
9/6/2011
09:56 PM
Charles Babcock
Commentary

Virtualization Security: Your Biggest Risk Is Disgruntled Insider

Could 88 of your virtual servers be deleted by an angry insider during one McDonald's visit? Learn from Shionogi's experience.

Virtual environments can be made more secure than physical ones--there are more logical boundaries that can be defended than physical ones. The fault for leaving virtual environments exposed to attack lies not in our stars, nor even in our hypervisors, but in ourselves.

It's now clear that virtualized environments not only offer the opportunity to manage the data center more flexibly; they also offer a renegade administrator a more powerful avenue of attack. With virtualized environments, we can establish defenses in depth that far surpass what could be done in the physical world. But we are just getting used to this adaptable, shape-shifting world of virtual machines, and in some cases, we're creating greater exposures instead of mutually reinforcing protections in depth.

Take Shionogi, a North American subsidiary of a Japanese pharmaceutical firm. In July 2010, Jason Cornish, an IT staff member at Shionogi's operations in Atlanta, had a difference with his manager and resigned. A friend of 15 years at the company, who was not named in the court papers, advocated that he continue working for Shionogi as a contractor, due to his familiarity with its network, according to the case filed by the U.S. district attorney Paul Fishman in Newark, N.J.

Work channeled to Cornish stopped in September 2010, and later that month, Shionogi announced layoffs that affected Cornish's friend. On Oct. 1, the friend refused to turn over network passwords to the remaining Shionogi administrators, prompting his dismissal.

On Feb. 3, Cornish used a Shionogi user account, CVAULT, and a password accepted by the system to access a server where he had secretly installed a VMware vSphere client several weeks earlier. Shionogi operated a heavily virtualized infrastructure, and Cornish, working from a laptop that he had taken to a Wi-Fi-equipped McDonald's restaurant, proceeded to delete Shionogi's email, BlackBerry, order tracking, and financial management servers.

All in all, using the vSphere client to access vSphere's virtualization management console, Cornish with a single click systematically eliminated each virtual server on Shionogi's 15 virtualized hosts. While munching down the equivalent of a Big Mac and fries, Cornish eliminated the 88 virtual servers Shionogi depended on for its day-to-day business.

The fact that he was caught might lead you to think that Shionogi's defenses won out in the end, but it shows nothing of the sort.

His apprehension had more to do with the quick involvement of FBI Cyber Crimes teams, which existed in both Newark, where the attack took place, and Atlanta. The scene of the crime was the nearby Smyrna, Ga., McDonald's, and the attack could be traced as coming from that site by tracing the attacker's IP address. Cornish was placed at the site a few minutes before the attack by his use of a credit card to make his $4.96 purchase. He must have been short of cash. Otherwise, his plan might have worked--and he might still be on the loose with no direct tie to $800,000 in damages to Shionogi.

It also helped that Shionogi discovered he had accessed its systems 20 times between the September layoffs and the Feb. 3 attack. They found the offending vSphere client and proceeded to build a case that led to Cornish's Aug. 16 guilty plea. On Nov. 10, he will face a sentencing judge and be subject to up to 10 years in jail and a $250,000 fine.

But there's little comfort in justice being done in this case. Shionogi's procedures seem lax, and yet I know several instances where well-managed firms lost track of contractors who were periodically doing work for the company. Even in cases where former employees are swiftly expunged and contractors strictly monitored, every company struggles to protect itself against an inside job. The case against Cornish doesn't make clear where he obtained his working password. It's possible under the circumstances of this case that Shionogi took the correct action to protect itself from one disgruntled employee, then fell prey to another against whom no case could be made.

At a moment when IT staffs are being reduced, companies are particularly susceptible to inside jobs and much about this case smacks of an inside job.

Shionogi, however, might have followed the best practice of placing restrictions on IT administrators' privileges, restricting each to a set of defined servers. But Shionogi is not alone in assigning general privileges to trusted IT staff; doing otherwise sometimes means the people with the right skills can't access the right trouble spot. Shionogi might have set a software watchdog on who logged into which servers and who deleted servers, but many shops have no such protection in place capable of tracing a software event to a single individual.
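The two controls above, scoped administrator privileges and a watchdog on deletions, can be checked against the management console's own event trail. The following is an added example, not code from the article or from VMware: it runs over constructed vSphere-style audit records (the field names and the per-host scope table are assumptions for this example) and flags VM removals outside an account's assigned hosts, plus bursts of removals by one account from one address.

```python
"""Added example (not from the article): watchdog logic over constructed
vSphere-style audit events, flagging VM deletions that fall outside an
administrator's assigned scope and burst deletions by one account."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The field layout is an assumption; the type
# names echo vSphere's VmRemovedEvent / UserLoginSessionEvent, but every
# record, user, host and address below is invented for this example.
EVENTS = [
    {"time": "2011-02-03T12:04:00", "type": "UserLoginSessionEvent", "user": "CVAULT", "ip": "203.0.113.7", "vm": None, "host": None},
    {"time": "2011-02-03T12:05:10", "type": "VmRemovedEvent", "user": "CVAULT", "ip": "203.0.113.7", "vm": "mail-01", "host": "esx-01"},
    {"time": "2011-02-03T12:05:25", "type": "VmRemovedEvent", "user": "CVAULT", "ip": "203.0.113.7", "vm": "bes-01", "host": "esx-01"},
    {"time": "2011-02-03T12:05:40", "type": "VmRemovedEvent", "user": "CVAULT", "ip": "203.0.113.7", "vm": "orders-01", "host": "esx-02"},
    {"time": "2011-02-03T12:06:05", "type": "VmRemovedEvent", "user": "CVAULT", "ip": "203.0.113.7", "vm": "fin-01", "host": "esx-03"},
    {"time": "2011-02-03T09:00:00", "type": "VmRemovedEvent", "user": "jdoe", "ip": "10.0.0.5", "vm": "test-07", "host": "esx-05"},
]

# Least-privilege scope (assumed): the hosts each account may act on.
# A shared vault/service account gets no delete rights anywhere.
ADMIN_SCOPE = {"jdoe": {"esx-05", "esx-06"}, "CVAULT": set()}

BURST_COUNT = 3                     # removals ...
BURST_WINDOW = timedelta(minutes=5) # ... within this window trip the alarm


def out_of_scope_deletions(events, scope=ADMIN_SCOPE):
    """Return VM removals performed on a host the acting account is not assigned to."""
    return [e for e in events
            if e["type"] == "VmRemovedEvent"
            and e["host"] not in scope.get(e["user"], set())]


def burst_deletions(events, count=BURST_COUNT, window=BURST_WINDOW):
    """Map (user, ip) -> total removals for actors that removed `count`
    or more VMs inside any `window`-long span."""
    by_actor = defaultdict(list)
    for e in events:
        if e["type"] == "VmRemovedEvent":
            by_actor[(e["user"], e["ip"])].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times) - count + 1):      # sliding window of `count` events
            if times[i + count - 1] - times[i] <= window:
                hits[actor] = len(times)
                break
    return hits
```

In production the same checks would read the management server's event export rather than an inline list, and the scope table would come from the role assignments themselves.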

What's truly interesting about the Shionogi case is not how quickly justice was done but how swiftly major damage was done--thanks to the management interface to the virtual environment. Shionogi was put out of business for several days until the virtual servers could be reconstructed and known, valid data reestablished.

I often get positive feedback on the amazing capabilities of IT managers in these emerging, virtualized data centers. But it would be wise to remember that with virtualization, it's not only the good guys who get "god-like" powers.

To see how VMware is extending its reach into data center operations, see VMware's Next Act: Operations Expert.
