Justin Morehouse and Tony Flick's presentation, "Stealing Guests...the VMware Way," detailed the attack and included an easy-to-use tool that would allow an unauthenticated attacker to download any guest virtual machine from an affected system. Even without the tool, the attack was simple enough to carry out with a Web browser -- throw in a quick search with Shodan, and well, you know what they say about "idle hands."
DarkReading contributor John Sawyer offers some advice for companies looking to stay ahead of virtualization security risks. First, he notes, IT admins need to focus on the same fundamentals that apply to all server security efforts: "Just like physical servers and networks, virtual systems need security controls to protect and monitor sensitive data to make sure it's not being leaked, intentionally or unintentionally."
A growing number of vendors now offer security software and dedicated appliances that integrate with hypervisors. These products, says Sawyer, allow admins "to regain the visibility and control of traffic that is lacking in most virtualized server environments." As a result, they offer improved security yet rely upon the same rule-based implementations employed in physical security tools.
Sawyer also says this is a good time to remind IT admins about the importance of "solid system hardening practices" in both physical and virtual server environments. System hardening guides for many prominent virtualization platforms, including VMware, Xen, and Hyper-V, offer a good place to get acquainted with this process.
Warning IT departments against complacency might seem unnecessary. Real-world experience, however, suggests that too many companies still see virtualization technology as a solution to their server security concerns.
"In the end," Sawyer concludes, "they're all servers -- and someone somewhere is going to want to break into them." The only question is whether your company's IT staff will have the tools and the knowledge required to stop them.