Securing the Virtual Environment, Included DVD: How to Defend the Enterprise Against Attack [Paperback]

Davi Ottenheimer (Author), Matthew Wallace (Author)

Book Description

Publication Date: May 8, 2012 | ISBN-10: 1118155483 | ISBN-13: 978-1118155486 | Edition: 1

A step-by-step guide to identifying and defending against attacks on the virtual environment

As more and more data is moved into virtual environments the need to secure them becomes increasingly important. Useful for service providers as well as enterprise and small business IT professionals the book offers a broad look across virtualization used in various industries as well as a narrow view of vulnerabilities unique to virtual environments. A companion DVD is included with recipes and testing scripts.

• Examines the difference in a virtual model versus traditional computing models and the appropriate technology and procedures to defend it from attack
• Dissects and exposes attacks targeted at the virtual environment and the steps necessary for defense
• Covers information security in virtual environments: building a virtual attack lab, finding leaks, getting a side-channel, denying or compromising services, abusing the hypervisor, forcing an interception, and spreading infestations
• Accompanying DVD includes hands-on examples and code

This how-to guide arms IT managers, vendors, and architects of virtual environments with the tools they need to protect against common threats.

Editorial Reviews

Review

'Anyone who is serious about virtualization security should certainly make sure that Securing the Virtual Environment: How to Defend the Enterprise Against Attack is on their reading list, and that of every security administrator in their company.' (RSA Conference, 7th May)

From the Back Cover

Defend your virtual environment from attacks

Your virtual environment might be a prime target for hackers and attackers who want to steal data or exploit your resources. This book arms you with the knowledge and tools to safeguard your virtual and cloud environments against external and internal threats. You'll gain insight into how to avoid denial of service, log and audit activity, protect virtual networks from eavesdroppers, and harden virtual servers. If your job involves protecting assets in virtual and cloud environments, this book will be invaluable to you.

• Perform vulnerability assessments of your virtual environment to uncover security weaknesses

• Learn how attacks in a virtual model differ from traditional computing models and how to best use technology and processes to defend yourself

• Learn how attackers use and abuse APIs to manipulate and gain entry to virtual environments

• Understand the risks of Software as a Service and how to get the protection you must have

• Be ready for audits by ensuring that your virtual and cloud environments comply with standards and regulations such as PCI DSS and ISO 27001

• Build your own low-budget virtualized test lab for hands-on evaluation of attacks and to practice prevention and response

ON THE DVD

Use the files on the DVD to follow along with the hands-on examples, or use them as the basis for your own code. Using the code and the book, you can

• Conduct a "hypervisor escape", breaking out of a virtual machine into the host system

• Load the included, ready-made penetration testing virtual machine—which is preloaded with tools such as nmap, ettercap, the Open VAS vulnerability scanner, and more—directly into your virtual environment

• Test the security posture of your Xen or VMware environment using automated scripts that peek at virtual disks and copy or modify virtual machines

• See the code used for hands-on exercises in the book that audit or attack virtual environments

See all Editorial Reviews

Product Details

• Paperback: 456 pages
• Publisher: Wiley; 1 edition (May 8, 2012)
• Language: English
• ISBN-10: 1118155483
• ISBN-13: 978-1118155486
• Product Dimensions: 7.3 x 1 x 9.2 inches
• Shipping Weight: 1.6 pounds (View shipping rates and policies)
• Average Customer Review: 4.5 out of 5 stars  See all reviews (2 customer reviews)
• Amazon Best Sellers Rank: #712,182 in Books (See Top 100 in Books)

Most Helpful Customer Reviews

5 of 5 people found the following review helpful

4.0 out of 5 stars Excellent guide to virtualization security May 7, 2012

By Ben Rothke

Format:Paperback

One of the selling points around virtualization is about its perceived added level of security. But virtualization, like any other piece of software can be implemented incorrectly, and itself have flaws.

Last year, NIST came out with SP 800-125, Guide to Security for Full Virtualization Technologies. The guide is intended for system administrators, security program managers, security engineers and anyone else involved in designing, deploying or maintaining full virtualization technologies.

NIST SP 800-125 recommends organizations do the following:
* secure all elements of a full virtualization solution and maintain their security
* restrict and protect administrator access to the virtualization solution
* ensure that the hypervisor, the central program that runs the virtual environment, is properly secured
* carefully plan the security for a full virtualization solution before installing, configuring and deploying it

All good items to do; but at 25 pages, SP 800-125 is clearly inadequate to cover all of the details around how to securely use virtualization. With that, Securing the Virtual Environment: How to Defend the Enterprise Against Attack, by Davi Ottenheimer and Matthew Wallace is a great new book that that provides a comprehensive overview on how to secure systems and defend against attacks on virtualized environments.

The book takes a very strong approach that in order to secure virtualization effectively, one needs to understand how adversaries will attack a virtualized environment. The authors provide numerous details on how to precisely do that.

The book is a highly technical guide meant for those designing, deploying and administering virtualized systems.... At 400 pages, the books 10 chapters provide a wealth of information to secure virtualized systems.

Chapter 5 on Abusing the Hypervisor is perhaps the best chapter in the book and the most important topic regarding virtualization security. The hypervisor is the software, also called the virtual machine manager (VMM) that manages the entire virtualization environment. Malware will often attack the hypervisor in order to gain control.

The book also contains an appendix on how to build a virtual attack test lab. It details the components of the virtual penetration testing lab, including how to build the gateway, Xen hypervisor and KVM, and how to build the cloud stack.

The accompanying DVD contains code and scripts from the book and also contains a Ubuntu 6 virtual machine, pre-loaded with various network security tools.

Chapter 1 on virtualized environment attacks is freely available here. After reading that, most readers will likely want to read the entire book, and they should.

Anyone who is serious about virtualization security should certainly make sure that Securing the Virtual Environment: How to Defend the Enterprise Against Attack is on their reading list, and that of every security administrator in their company. Read more ›

3 of 3 people found the following review helpful

5.0 out of 5 stars Excellent and Detailed Work on VirtSec July 1, 2012

By David Shackleford

Format:Paperback

I have been meaning to get to this review for a while, as I have had the book since it came out. In a nutshell, Davi and Matthew have done a fantastic job outlining general premises of virtsec, as well as detailed attack methods and examples for all aspects of a typical virtual environment. My general notes on each chapter are as follows:

1. "Virtualized Environment Attacks" - this chapter lays out a lot of terminology and general theory on virtualization and why it's vulnerable technology. This book is really geared towards a security audience, so I found a lot of the infosec basics in this chapter unnecessary, but I see why they're there.

2. "Attacking from the Outside" - this chapter breaks down the differences between outside and internal attacks, and show why and how roles and privileges play a big role in the security ecosystem, especially around virtualization. Great discussion and examples on some basic technology issues, like reliance on certificates and automated patching.

3. "Making the Complex Simple" - Really cool chapter on enumeration of virt and cloud systems and applications. How to time attacks, how to "read between the lines" on scanner output when looking at cloud infrastructure, etc.

4. "Denial of Service" - Those of us in the virtsec space know how DoS attacks can be executed differently in virtual environments, but the authors do a nice job of breaking these attacks down. Covers all manner of DoS attacks, including authentication DoS, remote packet-based DoS, resource over-consumption DoS, and more.

5. "Abusing the Hypervisor" - One of my two favorite chapters in the book. The authors explain how hypervisors are constructed, and how kernel attacks are possible and subtly different when done in virtual environments.... Great coverage of "sandboxes" and "jails", which are core tenets of multitenant cloud environments, too.

6. "Finding Leaks and Obtaining a Side Channel" - my second favorite chapter in the book, really focusing on data leaks (both passive and forced), and I have to admit there were a few examples I had not really even considered. A very thorough and detailed chapter on a topic that doesn't get enough attention.

7. "Logging and Orchestration" - more focused on defense than the other chapters, but also covers exploitation of orchestration workflows and process steps.

8. "Forcing an Interception" - Mostly about API shenanigans, but also some good discussion on management interface attacks.

9. "Abusing Software as a Service" - this chapter was interesting conceptually, and had a lot of good examples. Since the authors couldn't really attack SaaS providers, a bit tough to show "real world" attacks, but they do give examples for pen testing providers, etc.

10. "Building Compliance into Virtual and Cloud Environments" - a good general discussion of compliance and controls strategy for virtualization security. A little more dry than some of the other chapters, but compliance usually is.

Anyone who needs to understand virtualization security theory and attack strategy should pick up this book, without a doubt. Geared a bit more toward security people, not operations, and pen testers in particular will enjoy this. Read more ›