Hacker’s Blog

Let me begin by saying that I have a deep respect for Frank Hayes understanding of general IT issues. However, Mr. Hayes just doesn’t get security as seen again in Common Insecurity. Mr. Hayes suggests that virtualization would have helped separate the data frrom the three different agencies so that a breach of one would not have breached the others. He also suggests that virtualization can make security easier. Both are incorrect in this scenario.
Cain & Abel poses a threat here because of its sniffing and cracking abilities. The sniffer can grab packets to any of the virtual systems, so it is a threat to all. The cracking tools threat would only be limited to one system if the accounts used to manage each virtual system were different.

Having separate systems for common functionality also complicates other security matters, such as patching, system monitoring, and the budget for high end OS security hardening tools which are licensed by the instance. Virtualization allows for some separation, but does not simplify everything. It is much better to consolidate systems doing the same thing with the same security requirements, just as a Bank’s safe deposit box is generally better than a safe at home. Cost is a significant factor here. The banks is able to spread the high security costs across many more customer’s without adding large risks.
Perhaps Mr Hayes does not recognize that this server is serving a common function, that of credit card processing, in a Service Oriented Architecture like system. This seems to be the case and led him down the path of separating these systems. Neverless, his points on virtualization and security are naive and the problem is much deeper than he considers here.