
Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.

Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.

Our consulting portfolio includes technology, business processes, management and business cooperations, investments and mergers.

18.08.2008

Virtualization and Web2.0 Emerging as New Security Concerns


A poll conducted at a recent Black Hat Security Conference found that virtualization was a key emerging security concern. In other news, Microsoft Corp. issued a large security patch for 26 application flaws, while researchers found that a single laptop was responsible for massive identity theft at Countrywide Financial Corp.

Focal Points:

  • A poll of attendees at a recent Black Hat security conference found that Web services and virtualization are the top security considerations in enterprises today. Another key security issue is the process of "whitelisting" trusted sites and applications. 46 percent of attendees stated that Web 2.0 was their biggest security concern. Next on the list were virtualization issues, at 35 percent. The participants in Black Hat's survey included IT managers, security personnel, and IT executives. Other issues of concern include loss of personal data, stolen laptops, data sent to third parties, and the improper posting of information to the Internet.
  • Microsoft released its most recent "Patch Tuesday" set of patches. The update addressed 26 different application flaws. The patches included fixes for a zero-day bug in Microsoft Office Access, which hackers are known to be exploiting. Other products targeted by Microsoft's patches included Excel, PowerPoint, and Windows. Six of the fixes are listed as "critical". The critical flaws, if exploited, allow the hacker to execute code remotely on the target machine. The patches fix six bugs in Internet Explorer, five for Microsoft Office, four for Excel, three for PowerPoint, and one for Access and the Windows Image Color Management System. Almost all of these patches affect client-side systems.
  • A recent public report showed that a security breach at Countrywide Home Loans occurred when a single employee was able to steal 20,000 customer records a week over two years. He then sold this information to a third party. An affidavit from an FBI agent who was working on the case stated that Countrywide had physically sealed USB ports on employee machines to prevent internal data theft. However, the employee found one machine in the company where this had not been done, and used a memory stick to steal information every Sunday for almost two years. Countrywide IT managers did not have any software deployed to check for downloads to portable storage, since they thought that was not a problem given their physical disablement of all of these ports.

Experton Group believes IT security threats will continue to accelerate in Web 2.0 and virtualization environments. While these architectures offer new levels of flexibility, the disconnection between services and physical assets makes it more difficult to consider every potential security attack, making them more vulnerable to exploits. IT executives and security managers should evaluate the current corporate Web 2.0 and virtualization elements for potential security vulnerabilities, and make sure security considerations are taken into account for all virtualization and Web services initiatives.

Press

Contact

Suzette Heydenreich

Tel.: +971 4 360 8699
Fax: +971 4 361 5699

suzette.heydenreich @experton-group.com