The hypervisor performs many of the roles a conventional OS does on a non-virtualized host or server. It provides isolation between the various applications, or processes, running on a server. The hypervisor controls VM access to physical hardware resources and provides isolation among VMs. There are a number of security threats to the hypervisor, and many of them emanate from insiders, such as virtualization, network, cloud and security administrators, in addition to threats from external attackers. The National Institute of Standards and Technology (NIST) recently published important research in Special Publication 800-125-A on the potential security threats to hypervisors and recommendations to mitigate them.
Rogue VMs pose significant threats to hypervisor security. A rogue VM can mount side-channel attacks against target VMs running on the same physical host. It could hijack control of the hypervisor, performing malicious actions such as installing rootkits, and launch attacks on other VMs on the same virtualized host. A rogue VM could also manipulate virtual switch configurations and compromise isolation between VMs in order to snoop on east-west network traffic between them. More often than not, attacks launched from rogue VMs are made possible by incorrectly configured settings and parameters.
Other attacks on the hypervisor include resource starvation leading to denial of service, or exploitation of the privileged access a hypervisor grants to a virtual security tool. A misconfigured VM may consume shared compute and memory, starving other VMs. Hypervisors expose privileged interfaces which can be targeted by rogue VMs: privileged operations such as memory management can be invoked by a rogue VM and executed by the hypervisor.
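The two preceding paragraphs attribute most rogue-VM attacks to misconfiguration: virtual switch settings that break isolation (enabling east-west snooping) and missing resource limits that let one VM starve its neighbours. The following audit script is an added example, not code from the article or from NIST; the inventory schema and field names are hypothetical, and the sample records are constructed.

```python
"""Audit a VM inventory for the misconfigurations that enable rogue-VM
attacks: vswitch port settings that defeat isolation, and missing resource
limits that allow one VM to starve co-located VMs.

The VMConfig schema below is an assumption for illustration, not a real
hypervisor API; a real deployment would export these fields from the
hypervisor's management interface."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VMConfig:
    name: str
    promiscuous_mode: bool          # port receives all traffic on the vswitch
    mac_changes: bool               # guest may change its own MAC address
    forged_transmits: bool          # guest may send frames with a foreign source MAC
    memory_limit_mb: Optional[int]  # None means unlimited
    cpu_limit_mhz: Optional[int]    # None means unlimited


def audit_vm(vm: VMConfig) -> List[str]:
    """Return one finding per isolation- or starvation-relevant weakness."""
    findings = []
    if vm.promiscuous_mode:
        findings.append("promiscuous mode lets the guest snoop east-west traffic")
    if vm.mac_changes:
        findings.append("MAC address changes allow impersonating other VMs")
    if vm.forged_transmits:
        findings.append("forged transmits allow spoofed frames onto the vswitch")
    if vm.memory_limit_mb is None:
        findings.append("no memory limit: guest can starve co-located VMs")
    if vm.cpu_limit_mhz is None:
        findings.append("no CPU limit: guest can starve co-located VMs")
    return findings


def audit_inventory(inventory: List[VMConfig]) -> Dict[str, List[str]]:
    """Map each VM that has at least one finding to its list of findings."""
    return {vm.name: f for vm in inventory if (f := audit_vm(vm))}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    VMConfig("web-01", False, False, False, 4096, 2000),
    VMConfig("ids-sensor", True, False, False, 2048, 1000),  # promiscuous by design; review
    VMConfig("tenant-b-app", False, True, True, None, None),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

A finding is a review item rather than a verdict: a monitoring sensor legitimately needs promiscuous mode, so the output should be reconciled against an approved-exceptions list.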
Traditional approaches to privileged identity management emphasize perimeter-based security controls. Relying solely on firewalls and perimeter-based security strategies still leaves networks exposed to insider threats, a growing risk. Increasingly, external hackers are targeting privileged users with sophisticated phishing attacks. Cyber-attackers commonly use a combination of social engineering and malware, often in the form of an email phishing attack. Specifically, they target an organization using information harvested via social engineering, social media, and open source data, and then lure unsuspecting users into downloading malware onto their computers. The attackers' objective is gaining account credentials or personally identifiable information, contact information and links to other accounts, including those to networks. Attackers typically remain present for long periods of time, moving laterally across systems and organizations. Incident response firm Mandiant has reported that the mean time to detection for network security breaches is 205 days. During this phase, it is likely that the attacker is using legitimate credentials. As a result, service provider network and security operations teams are increasingly the target of phishing attacks. In a recent case, a service provider's network was compromised in this fashion, allowing hackers to modify the configuration of network firewalls in order to create persistent pinholes into the network for snooping.
Fraud is another critical threat facing communication service providers. The Communications Fraud Control Association (CFCA) estimates that telecom fraud costs the industry over $40B USD annually, which equates to almost 2% of revenues. The most common types of fraud include, but are not limited to, subscription identity theft and International Revenue Share Fraud (IRSF). IRSF occurs when hackers obtain Subscriber Identity Management numbers (SIMs) from service providers and use them, in international roaming status, to place outgoing international calls that exploit some countries' high termination rates, or to inflate traffic to other high-value numbers with the intention of sharing the revenues generated. PBX (Private Branch Exchange) hacking is one of the leading types of fraud globally. In this scenario, a company's PBX system is compromised and long-distance/international calling access is provided to third parties. The CFCA estimates that this type of fraud costs close to $5B annually in lost revenue. Often, PBX administrator credentials are used to change call-routing configurations. New hosted and virtual PBX services create new attack vectors. Often, these fraudulent activities are carried out in collaboration with internal employees and other collaborators.
Privileged identity and access management (IAM) is a key challenge for service providers. A typical user has, on average, 35% more access rights than needed. In one example, a service provider had roughly 4,000 employees but over 40,000 privileged user accounts. The boundaries of networks, and between elements within the network themselves, are becoming more blurred. Service providers will distribute virtualized infrastructure and VNFs throughout their networks. New configurations, new