Virtual infrastructures protection

Started by mishraviplav7877, Aug 15, 2022, 09:55 AM

Previous topic - Next topic

mishraviplav7877Topic starter

Four wrong approaches to cloud security

There are opinions that are quite common among business owners and managers (we will highlight them in bold) that ensuring the cybersecurity of cloud services is either a priori not necessary, since clouds are secure (1), or this is the task of a cloud provider: paid for VPS means everything must be configured, secure and work without problems (2). There is also a third opinion, which is inherent in both information security specialists and businessmen: clouds are dangerous!

No known security tools can provide the necessary defence for virtual environments (3) - business leaders with this approach refuse cloud technologies due to mistrust or misunderstanding of the difference between traditional and specialized security tools (more on them below). The fourth category of citizens believes that yes, it is necessary to protect your cloud framework, because there are standard antiviruses (4).

All these four approaches are wrong - they can cause losses (except perhaps, in addition to the approach, do not use virtual servers at all, but here you should not neglect the business postulate "lost profit is also a loss").

"About half of [large] companies do not use any defence for virtual machines, and the second half believe that any standard antivirus will suffice. All these companies [each] spend on average almost a million dollars [per year] on incident recovery: investigation, system recovery, cost recovery, loss compensation from a single hаck...
What would their spending be if they themselves compromise? Direct losses for restoration, replacement of equipment, software ... Indirect losses - reputation ... Losses for compensation for their clients, including reputation ... And also investigation of incidents, partial replacement of framework, because it has already compromised itself, these are dialogues with governments, these are dialogues with insurance companies, dialogues with customers who have to pay compensation."

Why These Approaches Don't Work

Approach 1: Clouds are safe, they don't need to be protected. About 260,000 pieces of malware that appear every day "live" perfectly inside the clouds: from simple code written by a schoolboy and posted on the Internet (which means it can potentially damage data) to complex targeted attacks developed specifically for specific organizations, cases and situations that are very good at not only breaking and stealing data, but also "hiding" themselves.
Virtual infrastructure is also interesting for hаckers: it is much easier to hаck it and gain access to all your virtual machines and data at once, rather than trying to hаck each physical server separately. Plus, it should be taken into account that inside the virtual framework, malicious code spreads at a tremendous speed - tens of thousands of machines can be infected in ten minutes, which is equivalent to an epidemic (see the aforementioned report). Malware and ransomware that can leak company data account for about 27% of all cloud threats. The most vulnerable places in the cloud: insecure interfaces and unauthorized access - about 80% in total (according to the Cloud Security Report 2019 with the support of Check Point Software Technologies Ltd. - a leading provider of cybersecurity solutions for governments and corporate enterprises around the world).

Approach 2: Protecting the cloud infrastructure is the responsibility of the VPS provider. This is partly true, because the provider of virtual servers cares about the stability of their systems, about a sufficiently high level of protection for the main components of the cloud: servers, drives, networks, virtualization (regulated by a service level agreement, SLA). But he should not care about preventing internal and external threats that may arise in the client's cloud framework. Let's take a dental analogy here. Having paid even a lot of money for a good implant, the client of the dental clinic understands that the correct operation of the prosthesis depends largely on him (the client).
The orthopedic dentist, for his part, did everything that was necessary in terms of safety: he selected high-quality materials, securely "attached" the implant, did not break the bite, cured the gum after the operation, etc. And if the user does not follow the hygiene rules in the future, it will become, for instance, open metal bottle caps with your teeth and perform other similar unsafe actions, then it will not be possible to guarantee the good work of a new tooth. The same story with the provision of 100% cloud security on VPS rented from a provider. "Not in the jurisdiction" of the cloud service provider, protecting the client's data and applications is his personal responsibility.

Approach 3: No security tools can provide adequate protection for virtual environments. Not at all. There are specialized cloud-based security solutions, which we will discuss in the last part of the article.

Approach 4: Use a standard antivirus (traditional defense). It is important to know here that the traditional security tools that everyone is used to using on local computers are simply not designed for distributed virtual environments (they do not "see" how communication between virtual machines takes place) do not protect the internal virtual infrastructure from internal hаcking attempts. Simply put, conventional antiviruses almost never work in the cloud.
At the same time, installed on each WM, they consume a huge amount of resources of the entire virtual ecosystem during virus checks and updates, "draining" the network and slowing down the company's work, but resulting in almost zero efficiency in their main work.

In the next two sections of the article, we will list what dangers can arise when a company works in clouds (private, public, hybrid) and tell you how these dangers can and should be prevented correctly.

Dangers that constantly threaten cloud services

▍Remote network attacks

This is a different kind of information destructive impact on a distributed computing system, carried out programmatically via communication channels to achieve various goals. The most common of them:

    DDoS attack (Distributed Denial of Service). Massive sending of information requests to the server in order to use up resources or bandwidth on the attacked system in order to disable the target system, thereby causing damage to the company. Used as a bespoke service by competitors, extortionists, political activists, and governments to generate political dividends. Such attacks are carried out using a botnet - a network of computers with bots installed on them (software that may contain viruses, programs for remote computer control and tools for hiding from the OS), which are used by hаckers remotely to spread spam and ransomware. Read more in our post DDoS: IT maniacs at the forefront of the attack.
    Ping Flooding - to call line overload.
    Ping of Death - to cause the system to freeze, reboot and crash.
    Application layer attacks - to gain access to a computer that allows applications to run for a specific (privileged system) account.
    Data fragmentation - to crash the system through the overflow of software buffers.
    Autorooters - to automate the hаcking process by scanning a huge number of systems in a short time by installing a rootkit.
    Sniffing - to listen to the channel.
    Packet pushing - to switch to your computer the connection established between other computers.
    Packet sniffing on the router - to obtain user passwords and information from e-mail.
    IP Spoofing - so that a hаcker inside or outside the network can impersonate a computer that can be trusted. It is carried out through the substitution of the IP address.
    Brute force attacks (brute force) - for guessing a password by brute force combinations. Exploit vulnerabilities in RDP and SSH.
    Smurf - to reduce the bandwidth of the communication channel and / or to completely isolate the attacked network.
    DNS spoofing - to damage the integrity of data in the DNS system through the "poisoning" of the DNS cache.
    Trusted host spoofing - for the ability to conduct a session with the server on behalf of a trusted host.
    TCP SYN Flood - to overflow the server's memory.
    Man-in-the-middle - for theft of information, distortion of transmitted data, DoS attacks, hаcking of the current communication session in order to gain access to private network resources, traffic analysis in order to obtain information about the network and its users.
    Network intelligence - to study information about the network and applications running on hosts before an attack.
    Port redirection is a type of attack that uses a compromised host to send traffic through a firewall. For instance, if the firewall is connected to three hosts (on the outside, on the inside, and in the public services segment), then the outside host is able to communicate with the inside host by port forwarding on the public services host.
    Trust exploitation - Attacks that occur when someone takes advantage of a trust relationship within a network. For instance, hаcking one system within the corporate network (HTTP, DNS, SMTP servers) can lead to other systems being hаcked.

social engineering

    Phishing - to obtain confidential information (passwords, bank card numbers, etc.) through mailing on behalf of well-known organizations, banks.
    Packet sniffing - to gain access to critical information, including passwords. It is successful largely due to the fact that users often reuse their username and password to gain access to various applications and systems. In this way, a hаcker can gain access to the system user account and create a new account through it in order to have access to the network and its resources at any time.
    Pretexting is a scenario attack using voice communication tools, the purpose of which is to force the victim to take an action.
    Trojan horse is a technique based on the emotions of the victim: fear, curiosity.
Malware is usually found in an email attachment.
    A quid pro quo (something for this, a quid pro quo) is an attacker's call through a corporate phone or e-mail under the guise of a technical support employee reporting problems on the victim's computer and offering to solve them. The goal is to install software and execute malicious commands on this computer.
    Road apple - tossing infected physical media into corporate common areas (flash drive in the toilet, disk in the elevator), equipped with inscriptions that arouse curiosity.
    Collection of information from social networks.


Any illegal and unauthorized attacks aimed at either obtaining data, or disrupting the functioning of the system, or seizing control over the system are called exploits. They are caused by errors in the software development process, as a result of which vulnerabilities appear in the software defense system, which are successfully used by cybercriminals to gain unlimited access to the program itself, and through it to the entire computer and further to the network of machines.

▍Compromised accounts

hаcking by an unauthorized person of a company employee's account in order to gain access to protected information: from interception of information (including sound) and keys by malware to penetration into the physical storage of information media.

▍Compromising repositories

Infection of storage servers for software installer files, updates, and libraries.

▍Internal risks of the company

This includes information leaks due to the fault of the company's employees themselves. This can be simple negligence or deliberate malicious activity, ranging from the deliberate sabotage of administrative security policies to the sale of confidential information to third parties. This also includes unauthorized access, insecure interfaces, misconfiguration of cloud platforms, and installation/use of unauthorized applications.

Now let's look at how you can prevent such an extensive (and far from complete) list of cloud security problems.

Modern specialized cloud security solutions

Every cloud framework requires comprehensive, multi-layered protection. The methods described below will help you understand what your cloud security suite should consist of.


It is important to remember that any traditional antivirus will not be reliable in trying to provide cloud security. You need to use a solution specially designed for virtual and cloud environments, and installing it also has its own rules in this case. Today, there are two ways to ensure cloud security using specialized multi-component antiviruses developed using the latest technologies: agentless protection and light agent defense.

Agentless defense. Developed by VMware and available only on its solutions. On the physical server with virtual machines, two additional virtual machines are deployed: the Protection Server (SVM) and the Network Protection Server (Network Attack Blocker, NAB). Nothing is placed inside each of them. The SVM, the Dedicated Security Appliance, installs only the antivirus engine.
In the NAB machine, this component is only responsible for checking communications between the virtual machines and what is happening in the ecosystem (and for communicating with NSX technology). This SVM checks all traffic coming to the physical server. It constitutes a pool of verdicts that is available to all SVMs through a shared verdict cache. This pool is accessed by each SVM first, instead of scanning the entire system - this principle allows you to reduce resource costs and speed up the ecosystem.

Light agent defense. Developed by Kaspersky and not limited by VMware. As in agentless protection, an anti-virus engine is installed on the SVM, but unlike it, there is also a light agent installed inside each WM. The agent does not perform checks, but only monitors everything that happens inside the native WM based on the technology of self-learning networks. This technology remembers the correct sequence of applications; when faced with the fact that the sequence of actions of the application inside the WM is wrong, it blocks it.

Integration with services to prevent or fix cloud security issues

    Change management platforms. These are proven services that support the main ITSM processes of the company, including such as IT security and incidents. For instance, ServiceNow, Remedy, JIRA.
    Security scanning tools. For instance, Rapid7, Qualys, Tenable.
    Configuration management tools. They allow you to automate the work of servers and thereby simplify the configuration and maintenance of tens, hundreds and even thousands of servers that can be distributed around the globe. For instance, TrueSight Server Automation, IBM BigFix, TrueSight Vulnerability Manager, Chef, Puppet.
    Tools for secure notification management. Allows you to provide continuous service and continue to monitor the situation during incidents, provide competent support for phone integration, messaging, email (According to Cisco, more than 85% of email messages were spam in July 2019, which could potentially contain malware, phishing attempts, etc. Malware is now often sent through "regular" types of attachments: the most common malicious attachments in email are Microsoft Office files. OpsGenie, for instance, can become such a tool.

Exploit Protection

Since exploits are the consequences of vulnerabilities in software, it is up to the developers of this software to fix bugs in their product. It is the responsibility of users to timely install service packs and patches to it immediately after their release. The use of an automatic search and installation tool for updates or an application manager with such a function helps not to miss updates. Automatic exploit defense is built into the Kaspersky Security for Virtualization Light Agent application described above.


Firewall, brandmauer. Filters and controls network traffic according to pre-configured rules. A firewall can be thought of as a series of filters that process network traffic. A properly configured firewall is effective against brute force attacks. You can allow RDP or SSH connections only from certain IP addresses of the server owner and secure the server from password guessing attempts. Firewalls are found in all modern operating systems.
In addition to this, a free firewall at the level of network equipment is offered in the RUVDS personal account. Thus, unwanted network traffic will not enter the virtual machine, but will be filtered out at the data center level. For additional convenience of the client, the most frequently used filtering rules have been added to the firewall interface. In case of changing the IP address, the client can simply go to his personal account and edit the rule without having to go to the server.

DDoS protection

There is such an additional service that can be purchased from
provider of virtual (and physical) servers. It is based on network traffic analysis technologies, which, for instance, are performed in RUVDS 24/7, and defense allows you to stably withstand up to 1500 Gb / s. You pay only for the traffic you need. Now, according to the promotion in RUVDS, the first month is free of charge 0.5 Mbps, then - from $5. per month.

Drafting regulatory requirements and achieving compliance with them

Significant weight in cloud security issues from the point of view of the human factor, including hаcking by social engineering methods, is written and implemented by user rules and rules for rehabilitation measures (cybersecurity incident response plan).
This item can also include employee access control, and the definition of the company's main cloud applications (no other applications, except for those few that are on such a "white list", can be installed), and ensuring the security of mobile devices that can be used in the company to interact with the company's cloud framework, and device control, which is responsible for policies on the use of external media.


Do you need free 0.5 Mbps to protect against dDos pinging dudes?
in other words, the attack can be of any magnitude, pure traffic will go to the server at a given speed.