1
00:00:00,300 --> 00:00:03,500
<v ->While virtualization brings with it a lot of capability</v>

2
00:00:03,500 --> 00:00:06,080
to add separations inside of our servers

3
00:00:06,080 --> 00:00:08,030
and bring in some additional security,

4
00:00:08,030 --> 00:00:09,900
there are some unique vulnerabilities

5
00:00:09,900 --> 00:00:11,540
that can be exploited by attackers

6
00:00:11,540 --> 00:00:13,550
when it comes to virtualization.

7
00:00:13,550 --> 00:00:16,420
These include VM escape, data remnants,

8
00:00:16,420 --> 00:00:20,040
privilege elevation, and live VM migration.

9
00:00:20,040 --> 00:00:23,330
Virtual machines are segmented and separated by default,

10
00:00:23,330 --> 00:00:25,610
so if an attacker is able to exploit the operating system

11
00:00:25,610 --> 00:00:27,730
being run inside one virtual machine,

12
00:00:27,730 --> 00:00:29,960
it doesn't necessarily mean that they can get into

13
00:00:29,960 --> 00:00:32,050
the other virtual machines being hosted

14
00:00:32,050 --> 00:00:34,300
by the same physical server.

15
00:00:34,300 --> 00:00:36,630
Virtual machine escape, or VM escape,

16
00:00:36,630 --> 00:00:38,720
occurs when an attacker is able to break out

17
00:00:38,720 --> 00:00:41,120
of one of these normally isolated virtual machines

18
00:00:41,120 --> 00:00:42,780
and they can begin to interact directly

19
00:00:42,780 --> 00:00:44,790
with the underlying hypervisor.

20
00:00:44,790 --> 00:00:46,810
From this position, the attacker could

21
00:00:46,810 --> 00:00:49,760
migrate themselves out, and into another virtual machine

22
00:00:49,760 --> 00:00:52,520
being hosted on the same physical server.

23
00:00:52,520 --> 00:00:56,040
Now, VM escape techniques are extremely difficult to conduct.

24
00:00:56,040 --> 00:00:58,480
They rely on exploiting the physical resources

25
00:00:58,480 --> 00:01:00,320
that are shared between the VMs.

26
00:01:00,320 --> 00:01:02,080
But it is still a vulnerability

27
00:01:02,080 --> 00:01:03,740
you need to be aware of.

28
00:01:03,740 --> 00:01:05,380
To mitigate this vulnerability,

29
00:01:05,380 --> 00:01:07,850
virtual servers should be hosted on the same

30
00:01:07,850 --> 00:01:10,180
physical server as other virtual machines

31
00:01:10,180 --> 00:01:12,400
in the same network or network segment

32
00:01:12,400 --> 00:01:14,610
based on its classification.

33
00:01:14,610 --> 00:01:17,110
One of the main benefits of using virtualized servers

34
00:01:17,110 --> 00:01:19,580
within a cloud-based environment is their ability

35
00:01:19,580 --> 00:01:22,310
to rapidly scale up and scale down.

36
00:01:22,310 --> 00:01:24,620
This is known as elasticity.

37
00:01:24,620 --> 00:01:27,210
While operationally, this is a wonderful thing,

38
00:01:27,210 --> 00:01:30,080
it does lead to a vulnerability that has to be addressed

39
00:01:30,080 --> 00:01:32,320
and this is called data remnants.

40
00:01:32,320 --> 00:01:35,080
When a server is scaled up, a new virtual instance

41
00:01:35,080 --> 00:01:37,200
is created on a physical server.

42
00:01:37,200 --> 00:01:39,910
This instance takes up some hard drive space

43
00:01:39,910 --> 00:01:41,500
for all those files that represent

44
00:01:41,500 --> 00:01:44,090
the virtual hard disk and the configurations.

45
00:01:44,090 --> 00:01:46,890
When this is no longer needed because the load has decreased,

46
00:01:46,890 --> 00:01:48,860
the virtual machine can be deprovisioned,

47
00:01:48,860 --> 00:01:51,970
which means it's shut down and the files are deleted.

48
00:01:51,970 --> 00:01:54,030
When this occurs, the confidential files from

49
00:01:54,030 --> 00:01:57,000
that virtual machine are left on the physical server.

50
00:01:57,000 --> 00:01:59,550
This is known as a data remnant.

51
00:01:59,550 --> 00:02:02,190
These data remnants could be recovered by an attacker,

52
00:02:02,190 --> 00:02:03,300
and therefore, it could

53
00:02:03,300 --> 00:02:05,910
breach the confidentiality of that data.

54
00:02:05,910 --> 00:02:07,920
For this reason, cloud infrastructures

55
00:02:07,920 --> 00:02:10,280
that rely upon virtualization can introduce

56
00:02:10,280 --> 00:02:12,770
a data remnant vulnerability to your company,

57
00:02:12,770 --> 00:02:15,050
since the physical servers are not controlled

58
00:02:15,050 --> 00:02:16,313
by your organization.

59
00:02:17,160 --> 00:02:19,440
Privilege elevation occurs when a user is able to

60
00:02:19,440 --> 00:02:21,990
grant themselves the ability to run functions as a

61
00:02:21,990 --> 00:02:25,800
higher-level user, such as the root or the administrator.

62
00:02:25,800 --> 00:02:27,940
While this can be bad on a single server,

63
00:02:27,940 --> 00:02:30,402
it can be catastrophic on a physical server

64
00:02:30,402 --> 00:02:32,490
if the attacker is able to perform this

65
00:02:32,490 --> 00:02:34,670
on the hypervisor itself.

66
00:02:34,670 --> 00:02:37,940
A few years ago, VMware had a flaw on their hypervisor

67
00:02:37,940 --> 00:02:40,350
and this allowed a user to escalate privileges

68
00:02:40,350 --> 00:02:42,320
into any of the guest operating systems

69
00:02:42,320 --> 00:02:44,230
hosted by that hypervisor.

70
00:02:44,230 --> 00:02:46,600
To prevent this, it's important to remain current

71
00:02:46,600 --> 00:02:48,780
on your hotfixes and your service packs

72
00:02:48,780 --> 00:02:51,240
for your virtualization software.

73
00:02:51,240 --> 00:02:54,110
Another vulnerability to consider is one associated with

74
00:02:54,110 --> 00:02:56,400
live migration of virtual machines.

75
00:02:56,400 --> 00:02:57,810
When a virtual machine needs to move

76
00:02:57,810 --> 00:02:59,810
from one physical host to another,

77
00:02:59,810 --> 00:03:02,050
this is called a live migration.

78
00:03:02,050 --> 00:03:04,500
If an attacker can gain a foothold into your network

79
00:03:04,500 --> 00:03:07,510
and place themselves between these two physical machines,

80
00:03:07,510 --> 00:03:10,290
they can implement a form of a man-in-the-middle attack

81
00:03:10,290 --> 00:03:11,580
where they can capture the data

82
00:03:11,580 --> 00:03:14,100
being sent between the two physical servers.

83
00:03:14,100 --> 00:03:16,260
If this data has not been encrypted,

84
00:03:16,260 --> 00:03:18,930
this can allow the attacker to breach the confidentiality

85
00:03:18,930 --> 00:03:21,144
of the servers being hosted as virtual machines

86
00:03:21,144 --> 00:03:23,750
when they're transmitted over the network.

87
00:03:23,750 --> 00:03:25,980
Finally, when we're specifically relying upon

88
00:03:25,980 --> 00:03:29,140
application containerization as our virtualization method,

89
00:03:29,140 --> 00:03:31,190
it's important to realize that the containers are

90
00:03:31,190 --> 00:03:34,210
all sharing a single common operating system.

91
00:03:34,210 --> 00:03:36,260
If the attacker's able to exploit that one

92
00:03:36,260 --> 00:03:38,410
operating system through some vulnerability,

93
00:03:38,410 --> 00:03:40,940
this causes all of those applications being hosted

94
00:03:40,940 --> 00:03:43,253
by that operating system to be at risk.