Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.
Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.
Our consulting portfolio includes technology, business processes, management and business cooperations, investments and mergers.
19.05.2008
Expanding Security Services and Virtualization Security Issues
The United States Department of Transportation (DOT) recently announced a new center for CyberSecurity Management. In other news, researchers have found more problems with virtualization security, while new security vulnerabilities have been found with the Linux operating system.
Focal Points:
- The United States DOT recently established its CyberSecurity Management Center. The intent of this office is to perform information security services for the department's 13 operating agencies. If all goes well, it plans on offering these services to other federal agencies outside DOT. Officials from DOT have stated that various other agencies are already considering using these services. This center has expanded from the FAA's original Cyber Security Incident Response Center. The FAA then agreed to let this group handle all IT security for the DOT, increasing the scope of its responsibilities over the last four years. Some of the services the group provides include detecting and responding to information security incidents, and analysis of sensor data and trends, with corrective action capability.
- Security researchers have found that along with virtualization's capabilities come some potential security issues. The agility and flexibility that are its key advantages bring with them a loss of visibility into network traffic, which can be critical in identifying malicious activity. The abstraction of the hypervisor can alter the way that some security products work, so that they no longer function as they were designed. Another new vulnerability, "hyperjacking", is when the hypervisor itself is compromised, which gives attackers access to all of the virtual machines sitting on top of the hypervisor. In addition, the hypervisor changes the fundamental application architecture, which changes the way in which existing security products work.
- Security researchers have recently found a major cryptography bug that exists in several versions of Linux. Affected packages include Software in the Public Interest, Inc.'s Debian Linux and its derivatives, such as Ubuntu. A patch was made to the operating systems in September 2006 to fix a problem, but the fix decreased the strength of the Open Secure Sockets Layer (OpenSSL) distribution. SSL is used for authentication and encryption of web traffic. The bug reduces the size of keys from over 1000 to only 16 bits, making them much easier to break.
Experton Group believes security services will continue to increase in popularity, but will largely be relegated to routine, non-mission-critical security tasks. Companies will continue to rely on internal security expertise for building and protecting most assets. In addition, new security skills will need to be groomed, especially as virtualization expands and is used to run increasingly critical business applications.
IT executives should consider outsourcing routine security tasks, such as email screening, and increase security education and skills in emerging virtualization technology.
Press
Kirsten van Laak
Phone: +49 89 923331-0
Fax: +49 89 923331-11
press @experton-group.com