

How to handle a virtual attack

Make sure your comprehensive security design also includes an incident policy to help react to an online security breach.

If you have worked in IT long enough, you have experienced the dreaded phone call when something unusual is happening in the data center. Your first thought is to recollect what has changed in your environment that could be causing the issue. If it wasn't you, then maybe it was another admin? Or an approved change control task that introduced these odd symptoms? What could it possibly be? 

Once you go through the list of possible reasons and rule out the most likely candidates, then you may be faced with the unwelcome conclusion that you could be experiencing a virtual attack.

It's important to remember to stay calm and don't panic. This isn't the end of the world. You have already been preparing for just such an event, whether knowingly or unknowingly. As a virtualization expert, you have been implementing industry best practices to make your environment safe, secure and manageable. By undertaking due diligence each step of the way, you have minimized the potential impact of a virtual attack. Let's review some of these steps that help keep virtualized environments secure.

Build layers of defense

You and your team have built a multilayered defense into your VMware environment rather than just a single big padlock. You have designed your defenses from the outside looking in, realizing that each layer needs unique safeguards. Every layer, starting with external access and then moving to internal networks, storage, virtualization hosts, guest virtual machines and data, needs its own protection. Assigning access using the principle of least privilege is second nature to you. Sure, despite all your precautions someone may get through a layer -- or even two -- but defense in depth will protect the most critical data. This also buys you time to analyze the intrusion and take additional steps to prevent further penetration.

Use complex passwords

In the classic Mel Brooks movie Spaceballs, the big password is revealed to be 12345. Dark Helmet then shouts, "That is the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!"


It is easy to laugh at it now -- you would never allow such a password to be used on any system or access point, right? Password policies require complex passwords at each level, and password change intervals are enforced by means of monitoring policies and are reported for tracking. Closely guard privileged accounts such as root, and disable or disguise them whenever possible. Furthermore, do not permit the sharing of passwords; shared credentials create auditing headaches and make tracking of internal access nearly impossible. Your diligence each day with enforcing your password policies and authentication processes has just made it immensely more difficult for an intruder to get to your most valuable data assets.

Don't delay those patches

You are already subscribed to security and vulnerability alerts from VMware, so you know when to patch your systems to keep them secure. In addition, you realize the importance of patching at every level, including hosts, virtual machines, applications and hardware. Can patching be time consuming and tedious? You bet. However, you realize that it is an important, nay necessary, aspect of keeping your data safe.

Check event logs

The virtual environment has a pulse. You not only keep up with changes to your environment, but you also have a sense of when things are "as they should be." Reviewing event logs, either through automated tools or manually, keeps you in tune with how everything is running and provides clues when something seems out of place. Network security devices such as intrusion prevention systems and intrusion detection systems keep the network secure; you depend on them to identify potential invasions. Ensure that auditing is also being done regularly, realizing that it may turn up something you have missed.
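The kind of automated log review described above, as an added example that is not part of the original article: a small Python scanner that reads SSH authentication messages from a virtualization host and flags the clues a reviewer would want surfaced, such as a burst of failed logins for a privileged account, a success that follows that burst, a direct root login, or a login from an address outside the management network. The log line format, the management allowlist, the failure threshold and the sample lines are all constructed assumptions, modelled loosely on syslog-style sshd messages rather than copied from any real host.

```python
"""Added example (not from the article): flag suspicious authentication
events in constructed host log lines. Line format, allowlist, threshold
and sample data are assumptions made for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real captures. Addresses come from
# documentation ranges (203.0.113.0/24) and a private management subnet.
SAMPLE_LOG = """\
2023-05-01T02:14:07Z esx01 sshd[1203]: Failed password for root from 203.0.113.45 port 51022 ssh2
2023-05-01T02:14:09Z esx01 sshd[1203]: Failed password for root from 203.0.113.45 port 51023 ssh2
2023-05-01T02:14:12Z esx01 sshd[1203]: Failed password for root from 203.0.113.45 port 51024 ssh2
2023-05-01T02:14:15Z esx01 sshd[1203]: Failed password for root from 203.0.113.45 port 51025 ssh2
2023-05-01T02:14:18Z esx01 sshd[1203]: Failed password for root from 203.0.113.45 port 51026 ssh2
2023-05-01T02:14:21Z esx01 sshd[1203]: Accepted password for root from 203.0.113.45 port 51027 ssh2
2023-05-01T09:00:02Z esx01 sshd[1310]: Accepted publickey for vmadmin from 10.0.5.20 port 40010 ssh2
2023-05-01T09:30:44Z esx01 sshd[1322]: Failed password for vmadmin from 10.0.5.21 port 40020 ssh2
"""

# Assumed line layout: "<ISO timestamp> <host> sshd[pid]: Accepted|Failed <method> for <user> from <src> port <n> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Assumptions: addresses that are allowed to reach the hosts' management
# interface, and how many failures in one window count as password guessing.
MGMT_ALLOWLIST = {"10.0.5.20", "10.0.5.21"}
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse(line):
    """Parse one line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(log_text, allowlist=MGMT_ALLOWLIST, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (severity, message) findings, in log order."""
    findings = []
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    minutes = int(window.total_seconds() // 60)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        user, src = ev["user"], ev["src"]
        # Keep only failures that fall inside the sliding window.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            # Fire once, when the count first reaches the threshold.
            if len(recent) == threshold:
                findings.append(("high", f"{len(recent)} failed logins for {user} from {src} within {minutes} minutes"))
        else:  # Accepted
            if recent:
                findings.append(("high", f"accepted login for {user} from {src} after {len(recent)} recent failures"))
            elif src not in allowlist:
                findings.append(("high", f"accepted login for {user} from non-management address {src}"))
            if user == "root":
                findings.append(("medium", f"direct root login from {src}; root should be disabled or closely guarded"))
        failures[key] = recent
    return findings


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run as-is, the script reports three findings for the constructed sample: the burst of five failures against root, the root login that immediately follows it, and the direct root login itself; the vmadmin events from the management subnet produce nothing. The same structure works for any other event source once `LINE_RE` is adapted to its format, and the allowlist and threshold are the two knobs to tune to your own environment.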

Fall back on your plan

However, despite all your preparations, someone with too much free time, and no doubt of dubious character, is attacking or intruding on your systems. What do you do? Just as with your day-to-day preparations, you have a plan, which greatly reduces the stress of the moment and allows you to focus on the task at hand.

This is when your incident policy needs to be close at hand, preferably in hard copy in case the system that stores it is unreachable. This is the guidebook your colleagues have put together outlining what to do in just such a situation.

Incident policy

When a security incident occurs, an incident policy that includes the following elements can help your organization respond and minimize the damage from the breach.

  • Contact information for outside agencies that need to be notified, particularly if you are handling sensitive or non-public information that could be compromised.
  • Lists of resources to help you deal with the incident, including outside experts. Many of these may be crossovers from business continuity planning.
  • Processes and tools that will help you gather evidence of the intrusion, as well as a means to keep the evidence secure.
  • Guidelines on how to handle the incident, including how to provide accurate and meaningful communication to those who may be affected, such as clients. We have all seen examples of how communications during a breach should not be handled, thus isolating clients or making them feel responsible or at fault. Don't do that. Take ownership of what is happening, work hard to resolve it and communicate quickly to those that need to know.

Intrusions and hacks are costly in time, money and reputation. Through careful planning, you can substantially reduce all those costs. Moreover, you will greatly reduce the stress on yourself, as well as those around you.
