Security threats have existed for almost as long as computers have been around. Few interactive systems can claim to be immune – even venerable systems like the IBM mainframe, UNIVAC and VAX have had their share of malware. Then, the PC brought computing to the masses, but also brought a new environment for malware to bloom. …
It's very unfortunate...
...that most people are too technically illiterate to even care about PC security. Then they wonder why their PC gets a virus or their personal info is hacked.
So who exactly said that the different virtual machines on the host are to share the same network and can talk to each other or VMs from a different class over said network?
So what is the exact problem to deploy an 802.1q trunk to each desk, run a thin hypervisor and assign the different VMs to the different VLANs?
You then can run a development VM, business VM and even a "SC cleared" VM on the same machine and they never ever cross their dataflows on the machine. They talk to each other only across a dedicated firewall which polices which VLAN talks to which and about what.
You can bolt down each to a different level. Additionally you can remove all Internet access off the development VMs along with most of the security layer. Ditto for high security stuff just with the security layer jacked up to "overkill" setting.
Voila, problem solved. However that means no more money for expensive research junkets and no more snake oil peddling as it all can be solved via the _CURRENT_ tech. All enterprise switches support q-marks, ditto for network cards, ditto for hypervisors and the OS can (and should) have the .q mark stripped for it by the virtual switch in the supervisor so it actually does not play.
Anyone know of a LAN-spreading virus that has VLAN-jumping capability? I know there's MANY tools that can do so. Don't believe me? Look into a VoIP snooping program. They can jump VLANs as well as intercept and record/decrypt VoIP calls. Shouldn't be too hard to make a virus that has the same capability. Fortunately for us, keyloggers are usually spread by scareware tactics nowadays. Training end users to call the helpdesk if/when they get a virus warning on their computer will prevent 90% of virii from actually getting installed on the system. Sure, it puts a bit of burden on the helpdesk by having to spend 5 minutes remoting to the desktop and safely closing the IE/FF window, but saves 2hrs+ repairing/reimaging the machine.
Also, VMs aren't the end-all-be-all solution, but having a "dumb windows" client setup (that would be a non-persistent disk for those in the know) can solve many problems. Granted, they can't save anything locally, but they shouldn't be doing that in a corporate environment anyway.
Type 1 hypervisor protection is here....
It is with VMware anyway and Trend Micro, they have a solution for agentless AV, granted it is new but it shows the potential here where you could have the security services sitting on the Type 1 hypervisor doing the necessary IDS, IPS, AV, Malware, Firewall etc etc.....then users don't have to care or worry about protection as they will be by default.
"Type 1 hypervisor protection is here"
if (the Type 1 HYPErvisor can see everything in the guest (which it has to be able to do in order to protect the guest OS))
who is protecting the HYPErvisor ? who is ensuring the HYPErvisor is trusted?
Back in the day, you'd just have run it on the mainframe, on the VMS box (not just VAX, btw), or on a decent UNIX box. Xwindows over a decent network could be quite quick these days, and Linux is already showing that X-based apps can be quite acceptable for non-gaming stuff.
But as Anton already said, there's a lot of snake oil around these days, and a lot of young 'uns can't tell when they're being sold snake oil, or actually enjoy the snake oil sales commissions.
And as the article fails to state, for obvious reasons: the problem is not PCs per se, the problem is Windows PCs. But there's big money at stake, so better not say that.
"the problem is Windows PCs"
Only because, as of now, most users are on Windows.
Once you get a good share of users on Mac OS, Linux, whatever, or something else, the laws of statistics will ensure that you'll get your share of morons there too.
At that point, you'll see them do all the crazy, moronic things they possibly can, and you might even find out that non-admin accounts can wreak a lot more havoc than you ever thought possible.
Windows security (ahem) has been tested, and found lacking. That is a fact. That fact does not mean that the alternatives are any better. They have not been tested yet.
The problem is not PCs. The problem is users.
And that problem is not going away because of a platform.
There are no laws against human stupidity
except for a few which are unenforceable anyway.
The same applies for users of the PC or any other system for that matter.
How do "threats spread rapaciously"?
Seems like more training is needed...
Sneaker net is still here
I work with a network that can have up to 100 USB sticks a day inserted into select PCs. These sticks usually belong to students and more often than not are infected. The AV usually deletes most of the junk and it's not the users' fault if they get an infection as they have to get the data off the sticks to do the work.
Does anyone else have to put up with this sort of crap and is there anything better than Sophos Endpoint Security and Control?
Beer as I usually need a few after an outbreak :(
"Does anyone else have to put up with this sort of crap and is there anything better than Sophos Endpoint Security and Control?"
Well you could give the USB stick a security label which prevents data on the stick being used in unauthorised ways (such as being executed or copied outside of user directories). Oh, that's on that "Linux" toy operating system. Looks like you'll just have to suck it up until Microsoft catches up.
Not sure if this helps....
Inside the door of the lab\ library\whatever have a standalone unit off the lan with AV on it. Get the students in the habit of plugging their USB into this unit before using the lan machines.
Failing that build a huge electro magnet into the door frame.
Here's a real idea, really, really, needs thinking through though. Give the students USB sticks when they join. The USB sticks have access codes in them that open the doors to the labs. The doors only open when the USB stick has been AV scanned. If they have malware, door remains locked, they come to you, you....retrain them.
Basically, with that many mobile viral transfer possibilities, you're stuffed.
Especially when you have about a billion students all with keygens, pirate software and crap on their USBs.
SSDD - no change of approach at all..
Same sh*t, different day.
Just adding layers of protection (in whatever shape) just continues the arms race with some new toys. Why not get a bit more creative? Tarpits, deception toolkits with false data - there is so much more than can be done to mess with a hacker's mind.
But hey, that would require talent..
Malware on Univac, Vax & IBM???
Somehow I doubt that. During 35 years with the company (under its various names) the only malware I heard of on Univac machines was some of the officially supported software we delivered to the 1100-series machines during the 1970s.
I did once write an ASM program which put a phony Exec 8 login sequence on Uniscope 100 screens and left it running. In those days interactive terminals were a common resource we all had to share. But it didn't do anything with the supplied passwords, just wrote rude messages back to the user, specially tailored to his userid.
VLANs and security
Essentially it boils down to having access to the tagged frames or not. If you set the port to only have access to one VLAN it's secure, otherwise it's just a very small hurdle for malware.
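Added example, not code from either commenter: a byte-level model of the host-side virtual switch and dedicated firewall described in the 802.1q comment earlier in the thread, which also shows this comment's point that a port restricted to one VLAN neither sees nor can emit other tags. The VLAN numbers, the pseudo-VLAN for the Internet and the single permitted flow are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vid=None):
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left at zero
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(raw):
    """Return (dst, src, vid or None, ethertype, payload) for a tagged or untagged frame."""
    dst, src = raw[:6], raw[6:12]
    (tpid,) = struct.unpack("!H", raw[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        return dst, src, tci & 0x0FFF, ethertype, raw[18:]
    return dst, src, None, tpid, raw[14:]

def to_guest(raw, port_vid):
    """Trunk -> guest access port: deliver only the port's VLAN, with the tag
    stripped, so the guest OS never sees a VID ("does not play")."""
    dst, src, vid, ethertype, payload = parse_frame(raw)
    if vid != port_vid:
        return None
    return build_frame(dst, src, ethertype, payload)

def from_guest(raw, port_vid):
    """Guest access port -> trunk: untagged guest frames get the port's VID;
    a guest frame that already carries a tag is dropped, not forwarded."""
    dst, src, vid, ethertype, payload = parse_frame(raw)
    if vid is not None:
        return None
    return build_frame(dst, src, ethertype, payload, vid=port_vid)

# Constructed policy for the dedicated firewall between the VLANs; the VIDs
# and the single permitted flow are assumptions, not taken from the thread.
DEV, BUSINESS, CLEARED = 10, 20, 30
INTERNET = 0  # pseudo-VLAN standing in for the outside world
POLICY = {(BUSINESS, INTERNET)}  # dev and cleared VMs get no Internet path

def firewall_permits(src_vid, dst_vid):
    """Same-VLAN traffic never reaches the firewall; cross-VLAN needs a rule."""
    return src_vid == dst_vid or (src_vid, dst_vid) in POLICY
```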
Ever heard of 'doors'
We use this composite fibre-reinforced thing called a 'door'. The people who are allowed into the lab are also allowed to do what they need in order to get the job done. Oscilloscopes etc have generic accounts 'lab' that anyone with physical access can use.
Oh, and very frequent backups...
IT tried to enforce stricter rules on passwords etc, but productivity ground to a halt. Now we instead try to limit the amount of people with physical access, and give them more responsibility, not less.
"that problem is not going away because of a platform."
It's not going away completely when Windows is replaced by a platform built on a secure foundation, but it is going to get several orders of magnitude smaller, especially as Windows will remain defective by design, and therefore an easy target. I know how difficult it is to break into a decent OS. Getting unauthorised access is tricky enough, let alone elevating that to unauthorised privileged access. It may not be impossible, but it's a lot trickier than it is with Windows, whatever stories to the contrary may be put about by clueless certified-Windows-dependent stooges. Far easier in most cases to try an alternative tactic.
"a phony ... login sequence on ... screens and left it running."
VMS (as used on VAXes etc) prevents that with a "secure login" sequence and has done for a decade or two: if you do the right magick key sequence, any user application running on the terminal is killed, and the OS puts up a guaranteed-genuine "Username" prompt, so password-grabbing apps aren't possible. Can Windows do something like that (I thought at one time it could, but I never see it in use, why might that be?)
its here - McAfee Management for Optimized Virtual Environments (MOVE)
The methods described in the summary fit exactly with the way that Clam AntiVirus works. clamd could be run on a VMware hypervisor (after all it's Linux). clamdscan could be run on the clients and communicate with the hypervisor via TCP/IP. There's even a Windows version. I think it's very doable. clamd (at least on my mail servers) runs at about 205MB of RAM.
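Added example, not from the commenter or from the ClamAV project: what the clamdscan-to-clamd exchange over TCP looks like on the wire, framing a file as clamd's INSTREAM command and parsing the verdict. The hypervisor host name is an assumption; 3310 is clamd's conventional TCPSocket port, and the stream must stay under the StreamMaxLength configured in clamd.conf.

```python
import socket
import struct

CHUNK = 8192  # chunk size chosen for this example; any size below StreamMaxLength works

def instream_request(data: bytes) -> bytes:
    """Frame data as clamd's INSTREAM command: a 'z' prefix asks for NUL-terminated
    replies; then length-prefixed chunks (4-byte big-endian), ended by a zero length."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), CHUNK):
        part = data[off:off + CHUNK]
        out += struct.pack("!I", len(part)) + part
    out += struct.pack("!I", 0)
    return bytes(out)

def parse_reply(reply: bytes):
    """Turn a NUL-terminated clamd reply into (status, detail)."""
    text = reply.rstrip(b"\0").decode("ascii", "replace")
    if text.endswith(" FOUND"):            # e.g. "stream: Some.Signature FOUND"
        return "infected", text[:-len(" FOUND")].rpartition(": ")[2]
    if text.endswith(" OK"):               # "stream: OK"
        return "clean", None
    if text.endswith(" ERROR"):            # e.g. "INSTREAM size limit exceeded. ERROR"
        return "error", text[:-len(" ERROR")]
    return "unknown", text

def scan_bytes(data: bytes, host="hypervisor.example", port=3310, timeout=30):
    """Send data to the clamd on the hypervisor (assumed host name) and return the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):   # reply is NUL-terminated because of the 'z' prefix
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_reply(reply)
```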
"The ‘sneaker net’ at first kept the rate of spread at a relatively low level." Really?
When I started work way back in the dark ages of Novell 2.x and everybody was still using the new 1.2M high density 5 1/4" floppy disks (720K 3.5" disks were just coming out and still cost too much) we could not get rid of the Stoned virus because it was impossible to have all of the floppy disks in the building at the same time to scan them. So at least one PC on the network was always infected, and from it, more floppy disks would inevitably become infected.
In some sense my career in IT started there. As the DTP Specialist, I couldn't afford to lose clock cycles to Stoned and therefore was one of the few people constantly scanning my local and floppy disks to make sure they were uninfected. Well, that and the fact that my printing activities could crush the network so I had to become best buds with the Network Admin and carefully manage my work so I didn't down the network.
"Few people would sticky-tape their keys to their car after all...."
1) You always use the same key. You don't have to work out which of the 30 or so identical keys in your pocket open your car every time you want to use it, nor do you have to swap all the keys and locks every month.
2) Nobody forces you to swap your key for one that's four feet long and weighs 20 kilos as a result of a security initiative.
3) If you lose your car key, you can get out the spare and have a copy cut rather than having to jump through hoops with some 'tard on the Helldesk to get your car opened sometime next Tuesday.
4) If you do need to get a replacement key, it doesn't both get changed and sent to a safe deposit box which may only be opened with the current key, the sole copy of which is now inside it. Yes, I have seen the "reset your own pwd and get the new one mailed to you" idea floated for a corp environment using single signon.....