Showing posts with label Inventory. Show all posts

Tuesday, July 20, 2010

Malware Attacking SCADA Systems - from USB Device

A really interesting article that I think we should all be aware of, "Microsoft Investigating Windows Zero Day Trojan", brings to light an even bigger threat to our overall ecosystem and economy from cyber terrorism.

For those who may not be aware of the importance of SCADA systems, recall the brownout a few years ago that took out the electrical grid from Ohio to New York. Many do not know that it is believed to have been caused by a virus that was infecting the reporting system. These systems power nuclear plants, electrical grids, oil pipelines, etc.

This article makes very clear that, as a global economy, we have to think about the technologies we put in place and their impact. These types of viruses should be a concern not only for USB devices on SCADA systems but also for those embarking on their journey into client virtualization.

Why worry? Virtualization exponentially increases the security risk to companies and our underlying infrastructure. How? Through VM sprawl and undetected, unregistered virtual applications that have security holes in their virtual operating systems. SCADA systems are pretty locked down; if a USB device can still communicate with a rootkit in the underlying operating system there, what about virtual operating systems that go undetected by traditional inventory programs?

VMs in the wild may not have inventory installed, and they are not accessible on client systems when the VMs are offline (unlike vSphere in the datacenter). Application virtualization poses an even greater threat here.

Typically, inventory tools search the registry for key elements that identify an installed application, and patch management tools apply the patch to the underlying OS. But if the OS is virtual, the traditional tools will not see the virtual OS or be able to patch it unless they are specifically integrated or programmed to do so. If the person using the virtual application has administrative rights to their machine, the virus can continue to exploit the vulnerability within the virtual operating system and pass through to the underlying PC.

What are the ways around this?
  1. Lock down the PC - disallow administrative rights. This is hard to do, of course, for some organizations, as many legacy applications still require administrative rights to function.

  2. Register the virtual application - ensure the virtual application allows you to register it with the underlying operating system (for example, ThinApp uses ThinReg for this). Do not use technology from vendors that do not provide some mechanism for alerting the physical system that the application is there.

  3. Ask your Inventory & Patch Management vendors if they support that application type - some vendors do have integration with traditional tools such as SCCM or BMC. Tools like BMC BladeLogic for Clients (Marimba) can provide inventory for applications deployed through their system, which is useful to at least provide base inventory when there is no clear out-of-the-box integration. I would also recommend asking the systems management patch vendors to provide some type of hook into these solutions so they can be patched quickly without repackaging. This last part is one of the biggest inhibitors to broad-scale adoption of application virtualization beyond just a handful of applications.

  4. Create a process with Service Level Agreements to patch the virtual OS - many companies I have worked with over the years have set SLAs to quickly apply patches to the many computers they have out there. How do they do it across dozens of virtual applications? It depends on the architecture of the virtual application. Make sure you work with your vendors' services teams to create a disaster recovery plan for zero-day viruses such as this, so that the virtual OS receives the same patches on a monthly basis as part of your overall patch process.

  5. Only run virtual applications in user mode - when possible, eliminate administrative rights. Most SCADA systems are pretty locked down, which makes the USB trojan even more worrisome. Companies that are choosing to leverage application virtualization should take their overall imaging and rights management process to the next level. Now that you have technology that can lock down access rights, use it.
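The inventory and patch gaps described above (a registry-based inventory missing a virtual application that was never registered with the OS, and the patch SLA of step 4) can be checked with a short reconciliation script. The following is an added example, not code from the original post or from ThinApp, SCCM, BMC or any other vendor named above. The registry snapshot, the list of virtual packages, the patch baseline and the product names in it are constructed sample data, and the substring match on DisplayName is an assumed convention, not how any particular product registers itself.

```python
"""Reconcile what a registry-based inventory sees with the virtual application
packages actually present on a client.

Added example, not code from the original post or from any vendor named in it.
The registry snapshot, the package list and the patch baseline below are all
constructed sample data.
"""
from dataclasses import dataclass

# Constructed snapshot of the Uninstall subkeys a traditional inventory agent
# reads (on a real box: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall).
REGISTRY_UNINSTALL = {
    "{1111-AAAA}": {"DisplayName": "Adobe Reader", "DisplayVersion": "9.3.0"},
    "FirefoxThinApp": {"DisplayName": "Mozilla Firefox (ThinApp)", "DisplayVersion": "3.6.6"},
}

# Constructed results of a file-system scan for virtual application packages.
# The Firefox package was registered with the OS; the other two were not.
VIRTUAL_PACKAGES = [
    {"path": r"C:\ThinApps\Firefox.exe", "product": "Mozilla Firefox", "version": "3.6.6"},
    {"path": r"C:\ThinApps\Acrobat.exe", "product": "Adobe Acrobat", "version": "8.1.0"},
    {"path": r"\\fileshare\apps\Java.exe", "product": "Java Runtime", "version": "1.6.17"},
]

# Constructed patch baseline: the version each product must be at or above
# once the monthly patch cycle has run (the SLA of step 4).
PATCH_BASELINE = {
    "Mozilla Firefox": "3.6.8",
    "Adobe Acrobat": "8.2.0",
    "Java Runtime": "1.6.17",
}


@dataclass(frozen=True)
class Finding:
    product: str
    version: str
    path: str
    reason: str


def registry_inventory(uninstall_keys):
    """What a registry-only inventory tool reports: (DisplayName, DisplayVersion) pairs."""
    return {(v["DisplayName"], v["DisplayVersion"]) for v in uninstall_keys.values()}


def is_registered(product, uninstall_keys):
    """Assumed convention: a package is registered if some DisplayName names the product."""
    names = [v["DisplayName"].lower() for v in uninstall_keys.values()]
    return any(product.lower() in name for name in names)


def parse_version(text):
    """Turn '3.6.8' into (3, 6, 8) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def unregistered_packages(packages, uninstall_keys):
    """Virtual packages that a registry-based inventory cannot see at all."""
    return [
        Finding(p["product"], p["version"], p["path"], "not registered with the OS")
        for p in packages
        if not is_registered(p["product"], uninstall_keys)
    ]


def patch_gaps(packages, baseline):
    """Packages below the patch baseline, whether or not inventory can see them."""
    gaps = []
    for p in packages:
        required = baseline.get(p["product"])
        if required and parse_version(p["version"]) < parse_version(required):
            gaps.append(Finding(p["product"], p["version"], p["path"], f"below baseline {required}"))
    return gaps


if __name__ == "__main__":
    print("Registry inventory sees:", sorted(registry_inventory(REGISTRY_UNINSTALL)))
    findings = unregistered_packages(VIRTUAL_PACKAGES, REGISTRY_UNINSTALL)
    findings += patch_gaps(VIRTUAL_PACKAGES, PATCH_BASELINE)
    for f in findings:
        print(f"{f.product} {f.version} at {f.path}: {f.reason}")
```

The contrast is the point: `registry_inventory` is everything a traditional tool sees, while `unregistered_packages` and `patch_gaps` only exist because something other than the registry (here, a file-system scan for packages) was consulted, which is what steps 2 and 3 ask the vendor to provide.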

Some virtualization vendors will claim anti-injection, etc., which is great, but you are only as strong as your weakest link. It is important to really think through the security ramifications prior to deploying virtualization technology (virtual machines or applications) on clients. Make sure they fit into your existing SLAs and don't put your company at risk.

Regards,
Jeanne Morain
jmorain@yahoo.com

Thursday, October 29, 2009

Impact of Virtualization & Cloud on License Compliance

The proverbial virtualization train has left the station, yet many software vendors and customers alike are still scrambling to understand the impact on their current technology, licensing models, and processes. Like many major paradigm shifts, customers are moving forward and carving out what they believe to be the right pathway based on limited information and their interpretation of where this market is headed, based on decisions from major technology vendors such as Microsoft, Oracle, and SAP.

Unfortunately for most customers, there are no true best practices across software vendors for supporting virtualization. As consumers you need to be aware of what the pitfalls are, the precautions you can take to avoid them, and the ways you can leverage your existing tools and processes to reduce not only the costs but also the impact of virtualization on your organization.

Considerations to Address
  1. What is delivered - there are many different types of virtualization that can be leveraged, such as server, desktop, or application. What you are delivering will impact how you count and license the product. Is it an open source application, a custom homegrown application, a regulated and restricted-access application, or an expensive off-the-shelf application such as Adobe Photoshop? Whether the application is a desktop application, a server application, or a combination of the two (Web 2.0) makes a difference to cost structures and tracking.

  2. How it is delivered - for example, is it a server application running inside a virtual machine, a virtual application launched from a USB stick or file share, a combination of virtual applications with a virtual desktop from a datacenter, or a virtual application delivered from the cloud or a managed service provider? All can have license impacts depending on the software vendor's support policies. Different software vendors have different rules depending on delivery: concurrent desktops in the datacenter (VDI/HVD), virtual applications from a client device, or streaming from the cloud all typically have different caveats. For example, Microsoft requires an additional Services Provider License Agreement to distribute their applications from a cloud environment to customers. There are many unanswered questions that have come up regarding traditional delivery of virtual applications: if I stage it, does that count as a license? Do virtual applications (not installed) count against an EULA that says the software has to be installed? One rule of thumb: if you use it, you should expect to pay for it. Software usage becomes even more critical in the virtual world.

  3. How to discover & audit - virtualization can have a significant impact on existing tools and processes for audit & control of applications.

    Application
    -If you are using application virtualization, does the provider offer transparency into the virtual bubble? Does the virtual application have digital rights management to prevent copying from one client to the next? How do you detect a virtual application that isn't registered? What hooks are available to ensure there are no invisibility cloaks hiding applications that can call back to ISVs but are undetected by the company?

    Desktop
    -When you check out the type 1 hypervisor, will your traditional tools be able to know that the license on the user endpoint is the same one under the agreement with the hosted virtual desktop?
    If you vary your update schedule for discovery, how do you audit the virtual desktop? What happens if the user never logs in during the appropriate window? What is the impact on the audit trail for tracking who touched which pieces? How will the discovery tool input and discern between licenses on the different virtual machines, particularly the personal VM and the company-approved VM?

    Server - When you dynamically move a virtual machine to another host, will the discovery tool know not to double count the application? Will the software vendor support the flavor of server virtualization being used? What level of support will be provided? How is it licensed compared to traditional licensing when server farms may have a cluster of more powerful boxes with multiple CPUs to support capacity on demand in the cloud (private or off premise)?

  4. What is the impact on performance - Oracle and many other major vendors provide prescriptive guidance on running certain applications in a virtual environment due to performance. There is no one perfect rule of thumb on virtualization and performance, but there are some things to consider. Regardless of the type of virtualization, they all run on hardware of some type and are all affected by the traditional layers in the stack, from network to I/O, CPU, SAN/NAS, etc. Adding more layers to the stack will eliminate some problems, but you are still bound by the underlying hardware. When selecting the right type of virtualization, it is critical to understand what that is, where it will be run from, and the impact on capacity requirements for individual users. There are tools out there from BMC (Capacity Management Essentials) and Novell (the PlateSpin acquisition) that can assist here.

  5. What is the impact on security - if using the type 1 hypervisor approach, who is responsible for patching the personal VM and ensuring there are no distributed denial of service attacks on the company network? What are the implications of regulations on this approach - the Cyber Security Act, personal information acts? For application virtualization, what measures are put in place to prevent viruses from executing from the virtual registry on systems where users have administrative rights, like their home PC, employee-owned machines, or as required to support legacy applications that cannot be virtualized? Is the right transparency there for virtual applications to detect if there is a virus in the virtual registry? Do they employ anti-injection techniques to prevent malware from impacting the virtual environment?
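
To make the server discovery question under "How to discover & audit" concrete (the double count after a VM is moved to another host), here is an added example that is not part of the original post or of any discovery product. The scan records are constructed: two host agents report the same VM because it migrated between their scans, and the VM UUID is assumed to be the stable identity that survives the move. The hostnames, application names and timestamps are made up.

```python
"""De-duplicate server discovery records after a VM has been moved between hosts.

Added example, not from the original post or from any discovery product. The
scan records are constructed; the VM UUID is assumed to survive a migration.
"""
from collections import Counter

# Constructed discovery records. Each host agent reports the VMs it found,
# keyed by the VM's UUID. "db-prod-1" was moved from esx01 to esx02 between
# the two scans, so it appears twice.
SCANS = [
    {"host": "esx01", "vm_uuid": "vm-aaaa", "vm_name": "db-prod-1", "app": "Oracle DB", "seen": "2009-10-28T02:00"},
    {"host": "esx02", "vm_uuid": "vm-aaaa", "vm_name": "db-prod-1", "app": "Oracle DB", "seen": "2009-10-29T02:00"},
    {"host": "esx02", "vm_uuid": "vm-bbbb", "vm_name": "db-prod-2", "app": "Oracle DB", "seen": "2009-10-29T02:00"},
    {"host": "esx01", "vm_uuid": "vm-cccc", "vm_name": "web-1", "app": "Web Server", "seen": "2009-10-29T02:00"},
]


def naive_count(scans):
    """One instance per record: the double count a host-centric tool produces."""
    return Counter(r["app"] for r in scans)


def latest_per_vm(scans):
    """Keep only the most recent record for each VM UUID (ISO timestamps sort lexically)."""
    latest = {}
    for r in scans:
        current = latest.get(r["vm_uuid"])
        if current is None or r["seen"] > current["seen"]:
            latest[r["vm_uuid"]] = r
    return latest


def count_per_vm(scans):
    """Per-instance count after de-duplicating by VM identity."""
    return Counter(r["app"] for r in latest_per_vm(scans).values())


def hosts_running(scans, app):
    """Hosts currently carrying the app, for schemes licensed per physical host or CPU."""
    return {r["host"] for r in latest_per_vm(scans).values() if r["app"] == app}


def stale_records(scans):
    """Records superseded by a later sighting elsewhere: keep them for the audit trail, not the count."""
    latest = latest_per_vm(scans)
    return [r for r in scans if latest[r["vm_uuid"]] is not r]


if __name__ == "__main__":
    print("naive count of Oracle DB:", naive_count(SCANS)["Oracle DB"])        # 3
    print("per-VM count of Oracle DB:", count_per_vm(SCANS)["Oracle DB"])      # 2
    print("hosts now running Oracle DB:", sorted(hosts_running(SCANS, "Oracle DB")))  # ['esx02']
    for r in stale_records(SCANS):
        print("stale:", r["vm_name"], "last seen on", r["host"], "at", r["seen"])
```

The naive count is what a tool keyed on host plus VM name produces; keying on the VM's own identity gives the per-instance count, and `hosts_running` answers the separate question of which physical boxes carry the application right now, which is what matters when the vendor licenses per host or per CPU.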

Like any paradigm shift, the benefits of virtualization and cloud computing far outweigh the risks and effort required to bring nascent markets and technology to the mainstream, but it will take time. The most important thing for customers and vendors alike is to be informed, understand what the implications are and where adjustments need to be made, and make decisions based on assessed impact. Typically I always advise customers to crawl, walk and then run when it comes to adopting new paradigms (this is not just new technology) that will impact the overall ecosystem in place around people, processes, and technology. An ounce of prevention is truly worth 100 pounds of cure when you consider how dependent we have all become on technology.