Rutkowska herself doubts that anyone will actually use a Blue Pill-type rootkit to compromise virtual machines. "The bad guys don't really have any incentive to use such sophisticated rootkits," she says, especially since better-known rootkit technology from the '90s still works well for attacking traditional operating systems.
"People are wringing their hands over theoretical scenarios rather than ones that have been documented to be a problem," Trussell says.
But virtualization does involve risks if best practices aren't followed and adapted to a virtual infrastructure. For example, the hypervisor must be patched just like any other operating system, says KC Condit, senior director of information security at Rent-A-Center.
Security consultants say they've noticed a wide variety of security problems at customer sites.
Lovejoy is seeing malware and cross-site scripting issues that result from poorly constructed virtual machine images, for example. "Commonly, that image will contain malware or have vulnerabilities that can be exploited very easily," she says. "It used to happen once. Now these images are being deployed without end, creating massive headaches for people."
"We're seeing a lot of misconfigured hypervisors," adds RSA's Mulé. He says he often sees poor patch-management practices for virtual machines and the use of easily guessed or default usernames and passwords for virtual machine manager programs that have full access to the hypervisor. In addition, he says, "we sporadically see virtual machine management tools on the wrong side of the firewall."
Using default passwords when creating new virtual servers is very common, says Harold Moss, CTO of cloud security strategy at IBM Security Solutions, and people responsible for administering the new machines don't always change them either. Would-be thieves could dial into a machine, guess the password and have complete control, he explains.
In addition, because virtual machine images are data -- program code stored on a hard disk drive somewhere -- those files must be protected. "You don't want someone walking away with an entire server on a USB drive," says Vauda Jordan, senior security engineer for the Phoenix city government. She says the city uses a combination of physical security, network storage access controls and file integrity monitoring to protect virtual machine images.
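The file integrity monitoring Jordan describes boils down to recording a cryptographic hash of each virtual machine image file and periodically comparing the stored values against what is on disk now. The script below is an added example, not code from the article or from the City of Phoenix: it hashes every image file under a directory into a baseline, then reports files that were added, removed or modified since that baseline. The image file extensions, the sample contents and the directory layout are assumptions constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed set of virtual machine image extensions to watch (not from the article).
IMAGE_SUFFIXES = {".vmdk", ".vhd", ".vhdx", ".qcow2", ".img", ".ova", ".vdi"}
CHUNK = 1 << 20  # hash images in 1 MiB chunks; VM disks are far too big to read whole


def hash_file(path):
    """SHA-256 of a file, streamed so multi-gigabyte images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(image_dir):
    """Map each image file (relative path) under image_dir to its hash and size."""
    root = Path(image_dir)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in IMAGE_SUFFIXES:
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": p.stat().st_size,
            }
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; in practice keep this copy off the monitored host."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report drift between a stored baseline and a freshly computed one."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name]["sha256"] != current[name]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline an image store, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample "images"; real ones would be the hypervisor's disk files.
        (root / "web01.vmdk").write_bytes(b"constructed image content A")
        (root / "db01.qcow2").write_bytes(b"constructed image content B")
        (root / "notes.txt").write_bytes(b"not an image, so it is ignored")

        baseline_path = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated drift: one image altered, one removed, one unexpected image dropped in.
        (root / "web01.vmdk").write_bytes(b"constructed image content A, altered")
        (root / "db01.qcow2").unlink()
        (root / "rogue.vhdx").write_bytes(b"unexpected image")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints one entry under each of `added`, `removed` and `modified`. The baseline file itself must be protected at least as well as the images (stored on a different host or signed), since an attacker who can rewrite the images can just as easily rewrite a baseline kept beside them.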
The traffic flowing between virtual machines is another area of concern, since firewalls, intrusion-detection and -prevention systems, and other monitoring tools on the physical network have no view of traffic between virtual machines running on the same hardware, which never leaves the host.
"I've put packet sniffers on virtual servers, and nothing is going in and out of the physical network interface. So, how are those communications happening? And are they over secure channels?" asks Jordan. While the city has a significant investment in virtual infrastructure, Jordan won't even talk about the technology or its scope, citing security concerns.