Simply Security - News, Views, and Opinions from Trend Micro

Into the Abyss of Virtualization-related Threats

Posted on August 7th, 2012 in Cybercrime, Trend Labs by TrendLabs | Be the first to comment |

The security holes in virtual environments open up enterprises to threats that may result in business disruption, data theft, and financial loss. Cybercriminals leverage web server and web applications’ vulnerabilities to access parts of a company’s servers that they should not be able to. These vulnerabilities can be used to access company assets ranging from customer databases to trade secrets. The stolen information can be sold in underground forums or used to launch a far more damaging attack.

However, despite the obvious risk to the company’s data and the cost of data breaches, system administrators either prefer or are forced to keep their servers unpatched. System administrators sometimes delay patch deployment since restarts are necessary for updates to take effect. For systems requiring 100% uptime, this could mean significant business loss. Vendors may also take time (ranging from days to weeks, even years) in developing patches for vulnerabilities, so administrators have no choice. Just recently, Microsoft announced about zero-day attacks on the vulnerability in Microsoft XML Core Services. Once exploited, it could control an infected system via web-based browser attack. At the time of announcement, there’s no patch available yet. In 2011 alone, 1822 critical ‘software flaw’ vulnerabilities were reported, which more or less put organizations at risk. As such, administrators make a difficult call that may expose their networks to threats, putting company data at risk.

The infographic “Into the Abyss” shows virtualization-specific issues that can introduce threats to the corporate network such as legacy exploits, PoCs (proof-of-concept) and zero-day attacks. Once enterprises slip through security holes, these may potentially damage a brand name/image or worse lead to the loss of company “crown jewels.”