Cybersecurity more and more resembles nothing less than old-fashioned warcraft, with both sides confident in the weaponry they have and in their ability to either penetrate or defend borders. As the threat of cyberconflicts ratchets up, the two modes of warfare seem at times to be getting chillingly similar.
The latest expression of confidence came from Defense Secretary Chuck Hagel, who on March 28 spoke to an audience at the National Security Agency headquarters to mark the retirement of Gen. Keith Alexander, the head of both the NSA and the U.S. Cyber Command.
The Pentagon is well on its way to building a modern cyberforce, he said, which will be 6,000 strong by 2016.
The force will improve the U.S. ability to “deter aggression in cyberspace, deny adversaries their objectives,” and defend the country from cyberattacks. At the same time, however, he pointed out the “proliferation of destructive malware” that is being used to constantly, and aggressively, probe and disrupt networks.
More confidence shone through in a recent report that surveyed IT and security professionals in both the military and civilian agencies. Nearly all of them, some 94 percent, rated their own agency’s cybersecurity readiness as either good or excellent, saying they feel they have the right tools, processes and policies in place.
(Well, OK, the survey also found 9 percent of the respondents were unsure if there even were cyberthreats that affected their agency.)
Perhaps of most interest, though, was what kinds of threats they considered the most serious. Insider threats, which until relatively recently were seen as the greatest, have fallen behind those from “external hacking,” even in the age of Wikileaks and Edward Snowden.
In fact, of the six top threats, insiders come in fifth, behind external hacking, malware, social engineering and SPAM, and just ahead of distributed denial of service.
Where do the bad guys come out in all of this? It’s no secret they’ve become much more sophisticated in their ability to get on the inside of networks, but a report from the RAND Corp., Markets for Cybercrime Tools and Stolen Data, shows also just how professionalized and extensive their ability has become.
The black and gray markets for hacking tools and services, and for the ill-gotten gains they produce, are expanding and growing in complexity, the RAND report said. What was once a varied landscape of discrete, ad hoc networks of individuals motivated by little more than ego and notoriety, it said, “has emerged as a playground of financially driven, highly organized, and sophisticated groups.”
Adding to the complexity for government defenders are the rapidly emerging and highly secretive markets for zero-day vulnerabilities, RAND said, which are available in both licit and illicit markets.
The potential impact of these market-driven tools was seen in the 2013 attack on Target stores, which was confirmed earlier this year. The malware used for that was a tailored version of the “BlackPOS” malware, which according to writer Brian Krebs was available on the black market for the low, low price of $1,800 to $2,300.
Of course, Target seems to have screwed up in so many ways in its own security. A report from the Senate Committee on Commerce, Science and Transportation lays it out in excruciating detail.
Nevertheless, it all makes a point. The business of creating malware and other tools to attack US networks and infrastructure now really is a business, with all of the profit-based energy and innovation that brings with it. Add the even more focused abilities of nation states, and the threat industry is vibrant.
Hagel and others are confident that government has the ability to withstand it. Are they right?
By (ISC)2 Government Advisory Board Executive Writers Bureau
Despite the impending end-of-life date for Windows XP, many agencies have decided to continue using the nearly 13-year-old operating system after it is no longer supported by Microsoft. Although there was plenty of advance warning, XP remains the second most popular operating system and, according to NetMarketShare, is still used by more than a quarter of all users.
Unfortunately, the end of support for an operating system as popular as Windows XP brings with it very serious security risks with its continued use. After April 8, unsupported XP systems will no longer be able to receive security updates and patches to any known vulnerabilities. Security experts believe that adversaries have been holding on to the otherwise unknown vulnerabilities for use after April 8 to maximize their potential impact when the operating system will no longer be patched.
Making matters even worse for lingering Windows XP users is the fact that future patches for Windows 7 and Windows 8 will make it easier for attackers to compromise unsupported XP systems because of the architecture and code base shared between Windows XP, Windows 7 and Windows 8. When patches are provided for Windows 7 and 8, exploit developers can analyze the patch, reverse-engineer the security updates and then apply what they’ve learned about the vulnerability in the common code base to attack XP.
Ordinarily, attackers have a limited amount of time to exploit vulnerable systems before patches are deployed. But for future Windows 7/8 vulnerabilities that also apply to unsupported XP systems, this small window of opportunity will turn into an open door for attackers. Any unsupported Windows XP systems will always remain vulnerable. As Microsoft stated in its security blog, “Windows XP will essentially have a ‘zero day’ vulnerability forever.”
Understanding the very real security risks associated with the end-of-life of Windows XP is critical. However, even more critical are the actions and mitigation efforts organizations with Windows XP still in their environment should take immediately.
1. Upgrade or replace Windows XP systems. Many organizations are spending more time and resources searching for and implementing other mitigation techniques than it would take to simply upgrade or replace XP systems. Since all Windows XP systems will eventually need to be retired anyway, most organizations would benefit by investing existing resources in expediting the upgrade.
2. Purchase Custom Support from Microsoft. After April 8, Microsoft will still provide XP security updates and patches – but only for those who are willing to pay a premium via Custom Support through Microsoft’s Premium Services program. While organizations should make every effort to migrate away from Windows XP as soon as possible, Microsoft’s Custom Support provides the next best alternative for any lingering XP systems. Custom Support for XP is expected to cost approximately $200 per system for the first year. Although this may seem expensive, it pales in comparison to the likely costs of recovery or harm to brand reputation after an XP-enabled security incident.
3. Isolate XP systems. The only way to completely secure XP systems is to remove all network connections and prevent any access to removable media (the argument can also be extended to remove all users). Obviously, this would render the system effectively unusable. One step short of a completely disconnected system is one that is logically or physically isolated to prevent all external Internet communications (i.e., Web browsing and email) and restricting any internal communications to only known and required destinations over specific ports and protocols. This could be achieved via a combination of techniques including personal and network firewall rules, router access control lists, proxy restrictions and isolated VLANs. In all likelihood, the cost of associated architectural changes to isolate vulnerable XP systems may outweigh the cost of simply upgrading; additionally, the systems would be far less functional and still carry a residual risk of compromise and lateral infection via any remaining permitted communications.
4. Prioritize upgrades. Depending on the size of an organization, the enterprisewide upgrade of Windows XP systems may not be a trivial task. However, the task can be simplified significantly with proper focus and prioritization. Although it is important to realize that any vulnerable system may be used as a starting point for attacks within an organization, not all systems and users are created equally. When phasing an upgrade of XP systems, focus first on the most sensitive systems such as those where users have administrative access or connectivity to critical and other highly sensitive systems and data.
5. Don’t forget Windows XP Mode. Windows XP Mode was included in Windows 7 to make the transition to the new operating system easier. Unfortunately, the end-of-life of Windows XP makes the use of Windows XP Mode within Windows 7 essentially as dangerous as a separate physical Windows XP system. Microsoft recommends that after April 8, Windows XP Mode only be used if disconnected from the Internet. If possible, XP Mode should be disabled entirely if it is not receiving security updates and patches.
Although Microsoft has recently extended its anti-malware support for Windows XP, this will not mitigate the threat of using the unsupported operating system. If you are lucky, the anti-malware signatures may inform you of an infected system and help to quarantine the malware after the fact. However, adversaries have been very successful at crafting malware to circumvent detection via signatures, and even Microsoft notes that, “the effectiveness of anti-malware solutions on out-of-support operating systems is limited.”
If you have no other option, the aforementioned actions may help offer some mitigation to the Windows XP end-of-life; however, for those serious about security, you know what you need to do.
[Source: GCN]
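As an added illustration of item 3 above (isolating XP systems), and not part of the original article: a Python script that audits exported flow records to verify that an isolated XP segment really has no Internet egress and talks only to allow-listed internal destinations, ports and protocols. The subnet, allow-list entries, CSV column names and sample records are all constructed assumptions.

```python
"""Audit flow records from an isolated Windows XP segment (added example)."""
import csv
import io
import ipaddress
from collections import Counter

# All addresses below are constructed for illustration.
XP_SEGMENT = ipaddress.ip_network("10.20.30.0/24")   # assumed XP-only VLAN
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "Known and required destinations over specific ports and protocols":
# (destination network, protocol, destination port)
ALLOWED = [
    (ipaddress.ip_network("10.20.1.10/32"), "tcp", 1433),  # line-of-business DB
    (ipaddress.ip_network("10.20.1.20/32"), "udp", 53),    # internal DNS
]

FIELDS = ("src", "dst", "proto", "dport", "action")
FINDINGS = {"internet-egress", "unlisted-internal"}

# Constructed sample of a firewall/flow export.
SAMPLE_FLOWS = """\
src,dst,proto,dport,action
10.20.30.5,10.20.1.10,tcp,1433,permit
10.20.30.5,10.20.1.20,udp,53,permit
10.20.30.7,198.51.100.34,tcp,80,permit
10.20.30.7,203.0.113.25,tcp,25,deny
10.20.30.9,10.20.30.5,tcp,445,permit
10.20.30.9,10.20.1.10,tcp,3389,permit
10.40.2.15,10.20.1.10,tcp,1433,permit
10.20.30.5,not-an-ip,tcp,80,permit
"""


def classify(src, dst, proto, dport, action):
    """Return a verdict for one flow; raise ValueError on unparsable fields."""
    src_ip = ipaddress.ip_address(src.strip())
    dst_ip = ipaddress.ip_address(dst.strip())
    port = int(dport)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    proto, action = proto.strip().lower(), action.strip().lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")

    if src_ip not in XP_SEGMENT:
        return "not-xp"                 # out of scope for this audit
    if action == "deny":
        return "blocked"                # the isolation control did its job
    if not any(dst_ip in net for net in INTERNAL):
        return "internet-egress"        # permitted traffic leaving the enterprise
    if any(dst_ip in net and proto == p and port == allowed_port
           for net, p, allowed_port in ALLOWED):
        return "allowed"
    # Permitted internal traffic outside the allow-list, including XP-to-XP
    # flows inside the segment (the lateral-infection path the article notes).
    return "unlisted-internal"


def audit(flow_csv):
    """Classify every record; return (verdict counts, list of findings)."""
    counts, findings = Counter(), []
    reader = csv.DictReader(io.StringIO(flow_csv))
    for row in reader:
        try:
            verdict = classify(*((row.get(k) or "") for k in FIELDS))
        except ValueError:
            verdict = "malformed"       # count it rather than abort the audit
        counts[verdict] += 1
        if verdict in FINDINGS:
            findings.append({"line": reader.line_num, "verdict": verdict,
                             **{k: row[k] for k in FIELDS}})
    return counts, findings


if __name__ == "__main__":
    totals, problems = audit(SAMPLE_FLOWS)
    print(dict(totals))
    for p in problems:
        print(f"line {p['line']}: {p['verdict']}: {p['src']} -> "
              f"{p['dst']} {p['proto']}/{p['dport']}")
```

Any `internet-egress` or `unlisted-internal` finding means a firewall rule, ACL or proxy restriction is looser than the isolation design intends; a rising `blocked` count from a single XP host is also worth a look.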
This is Part 1 of my tale of the last 180 days of my life, my adventure from VCP5 to becoming …drum roll… VMware VCDX #125. Yes, I successfully defended my design at VMware PEX 2014 in San Francisco this past week, which was for VCDX5-Datacenter Virtualization (DCV)! It was a fun, educational, and surprisingly pleasant experience. I’m blogging about this experience because I know if I can become a VCDX, then anyone can do it with enough experience and dedication. Do keep in mind that prior to starting my 180 day adventure, I had approximately 4 years of VMware architecture experience for Government and commercial enterprise systems. Years of architecture-level experience is key, however VMware does not require a specific number of years or job title to apply for the VCDX certification.
This was my first attempt at the VCDX certification, and was a great learning process. Nearly all candidates and those who have passed either work for VMware or a VMware partner. At PEX 2014 Josh Coen (VCDX #129) and I were the only customers that I know of defending out of the ~14 candidates. According to the latest unofficial stats Josh and I doubled the customer VCDX count from two to four out of the 132 VCDXs.
VCAP5-DCD Journey
Back in the spring of 2013 I was talking to my boss about goals for my next six month review period. He mentioned something about a big VMware certification and I said “VCDX”. He was like ya…“Why don’t you go for that?” I looked at him like a third eye appeared on his forehead and thought no way in hell can I do that. I mean, those people are book authors, world renowned bloggers, and levitate at will, right? But after a little thought I settled on trying the VCAP5-DCD (VMware Certified Advanced Professional – Datacenter Design) exam…that seemed reasonable. I love architecture/design, and was fairly proficient with VMware virtualization.
Time passed on, and VMworld 2013 SF was just a couple of weeks away. The review period was nearly over, so I had to take the test, pass or fail. Due to lack of time, I didn’t even look at the blueprint and pretty much went in cold (NOT recommended, BTW). I did a little Googling just to see what others experienced, and learned time, or lack thereof, was a big factor. I put down the $400 exam fee, and sat the exam. By some miracle I passed, on August 23rd, the day before I left for VMworld 2013. Review goal accomplished.
The Turning Point
Happy that I passed the VCAP5-DCD, I eagerly packed my bags for SF for a week of learning and adventure. While I had been a beta tester for vSphere 5.5 thanks to my vExpert status, I was eager to get the scoop on the GA features. I was able to get into VMworld TAM Day (Technical Account Manager) on Sunday, which is basically a preview for specific customers of what VMware would unveil the coming week.
As a quick aside, the prior year VMware had released vSphere 5.1, which we all know had a few rough edges around the SSO service and trusted SSL certificates. I led the way in trying to figure out how to make that work, and my 15-part vSphere 5.1 install series skyrocketed my daily webpage views. But those were just numbers.
Back to TAM day, I was sitting in the front row of a panel session getting ready to blog about the content. One of the panelists, who was also a top rated blogger, came over to me. He had some very nice comments about my blog, and I was floored that someone like him would be a regular reader. I hardly knew what to say. I also attended a few VMworld parties, where strangers recognized me and came up to introduce themselves. This was a completely foreign experience to me, but felt great that my content was helping people. By the end of the conference several people were calling me “The SSL Guy” due to my vSphere 5.1 SSL work. My blog page view count was now growing real faces.
One of the very last sessions at VMworld that I attended was Software Defined Storage the VCDX Way by Wade Holmes and Rawlinson Rivera. It was a kickass session, and by the end I was thinking…you know I should shoot for VCDX. I can do it! I checked the VCDX defense schedule, and figured I would shoot for Partner Exchange 2014, which was in February. I thought submissions would be due early January 2014, based on last year’s schedule. I would later find out that was a bad assumption, and presented a risk to my success.
VCAP5-DCA Journey
Next up on the VCDX trip was taking and passing the VCAP5-DCA (Datacenter Administration exam). I wrote a blog article about it here. To summarize, I knew I’d have my bacon cooked if I didn’t study. I was not as adept at vSphere command line or PowerCLI as I wanted to be, and knew that time was also a huge factor. So for the first three weeks in September I spent several hours with Jason Nash’s (VCDX #49) excellent TrainSignal (now Pluralsight) DCA prep series. Due to my vExpert status, TrainSignal gave us one year free of unlimited training. I also read every page of Josh Coen’s (VCDX #129) 250-page unofficial DCA study guide. I went through numerous exercises in my home lab using my Haswell ESXi hosts. I took the exam on September 20th, and got my results back a couple of business days later. I passed! Huge relief. Little did I know that I’d cross paths with Josh a few weeks later.
Time To Blog
By this time it was September 22, and vSphere 5.5 went GA. Clustering the vCenter SQL server was now officially supported, so of course I wanted to blog about how to set up a SQL 2012 failover cluster on vSphere 5.5. The last week of September I published a 12-part SQL clustering guide that of course used SSL and new vSphere 5.5 Microsoft clustering features. Ok, now we were ready for a vSphere 5.5 install guide. Since my vSphere 5.1 install series was popular, I wanted to outdo myself and really ramp it up for vSphere 5.5. Long story short I knocked out Parts 1 – 15 of the series in October, and wrote the first versions of my vSphere 5.5 Toolkit script. Somewhere around this time the official VCDX defense schedule was published, and the submission deadline was moved up to just before Christmas. I had a mini heart attack, since I knew this would be a lot of work and would likely need the time over Christmas.
The VCDX Design
Picking your design for a VCDX defense is critical. Too complex, and you open up your attack surface area and may have a higher chance of failure (or need more prep time). Too simple, and you risk rejection. Plus VMware stipulates you must have played the role of an architect in the design (although need not be the sole architect.) Thankfully the new VDI refresh project I was the architect for fit the bill, was complex enough to make it interesting, yet not so complex that I couldn’t fully understand all the areas called out in the VCDX-DCV blueprint. Literally the only documentation that existed for the project was a warmed over vCenter install guide. No architecture guide, operations guide, or test plans existed. I had A LOT of work ahead of me. VCDX submission packages typically run into the hundreds of pages, although size is not what counts and less can actually be better.
Time to Write
Having settled on my design, I started writing day and night and weekends. Since I was documenting a production system, and making tweaks based on additional research, I was able to put time into the project during work hours. During this time I also found out that Josh Coen (@JoshCoen), of DCA Guide fame, and Bobby Stampfle (@BobbyFantast1c) were also working on their VCDX submissions. So we formed a study group (extremely important), and reviewed each other’s documents. It’s very enlightening to see other approaches, and we each ended up melding in changes and suggestions from each other. Working on this in a vacuum is a recipe for a headache and an uphill battle.
All told, the architecture guide topped nearly 200 pages, 60,000 words, 42 Visio figures, and 137 tables. Yes, it was comprehensive. All twelve major sections in my architecture guide followed a strict taxonomy of conceptual design, logical design, physical design, and design justifications. Customer requirements, constraints, assumptions, and risks guided the whole flow of the document. I based some of the flow and content on Duncan Epping’s (VCDX #007) excellent VMware Cloud Infrastructure Architecture Case Study. The installation guide, operations guide and test plans were all much shorter, but still important.
Time to Review
An extremely important facet of a VCDX design is peer review from your study group and ‘real life’ VCDXs. You should aim to finish your complete architecture guide at least 3-4 weeks prior to the submission deadline. I’m now a Twitter addict, so I was able to find VCDXs that graciously gave up some of their spare time to provide feedback on my design. The level of detail and different viewpoints is very interesting, and provided a good 360 degree view. Chris Wahl (#104), Romain Decker (#120), Jon Kohler (#113) and Chris McCain (#79), and possibly others I’m not recalling, all gave great feedback and I really appreciate their time. I made several changes based on input. Josh and Bobby were also great supporters. We also did WebEx design reviews, each going over our docs and making suggestions for changes or areas to clarify.
As a side note, by this time I had also published four more vSphere 5.5 installation guide posts (now up to 19) and made major updates to the Toolkit script to support more SSL scenarios and added VCSA/ESXi support as well. Talk about busy…I had no life. I heard one VCDX say that “Behind every VCDX is a spouse that hates VMware.” And I can believe it. All told I probably spent 400 hours on the documentation package, since I had to build nearly all of it from scratch and I’m a bit of a perfectionist. I also like pretty diagrams, which are a big time suck.
VCDX Submission Time
December 20th rolls around, the submission deadline for PEX 2014 in February. All the reviews are done, and I finish up a couple of days early. I did one final proof reading, let it simmer overnight, zipped up the contents, and sent it off to VMware for review. A nice little payment of $300 was included for them to review my design. We are now 120 days after passing the VCAP5-DCD exam, 32+ blog posts and one script later. Whew! Talk about my brain being fried. It was burnt to a crisp. Also during this time I rescheduled a New Zealand trip from early January to late April, in the hopes I would get accepted and need the prep time in January.
Next up in Part 2, will be the final installment where I’ll cover how I prepared for the actual defense, my defense experience, and tips for those wanting to pursue your VCDX. Plus…my new and exciting job.
PART 2
In Part 1 of this two part VMware VCDX journey series I accounted for the first 120 days of my VCP5 to VCDX #125 journey. This post will cover the final 60 days, which were just as important, if not more so, than the first 120. In my last post we left off with my completed design package, application form, and a sacrificial payment of $300 submitted to the VMware Gods. Would my application be chopped in half and sent back in pieces, or spared to live another day?
Accept or Reject?
On December 23rd my application was ‘administratively accepted’ meaning I passed the basic sanity check of filling out the application form and attaching documents. Given the fried status of my brain, I took a couple of weeks mental break from looking at my design documents. I also didn’t want to jinx my acceptance by starting to work on my presentation slide deck. A birthday also came and went without too much fanfare during the waiting.
Fast forward a couple of weeks to January 10th, 2014, and I got a short email stating the technical review was completed and that I was invited to defend my design at PEX 2014 in San Francisco. Yippee! Major goal accomplished, and another payment of $900 to VMware. Twitter went a little crazy that day, and I also got a large spike in LinkedIn profile views. Ok time to update LinkedIn profile, check. A couple of days later I got my timeslot booked. The fateful day would be Monday February 10th, 2014 at 0900. Reality set in, tempered with a little panic and excitement. This is real.
Oil Thy Slide Deck
For those of you not familiar with the VCDX defense format, it is in three parts. The first is the 75 minute defense, where you give a short presentation that covers your design. The panel generally interrupts the presentation, and starts asking you questions. You also have a 30 minute simulated design session, and finally a 15 minute simulated troubleshooting session.
Thanks to Chris McCain (VCDX #79), I got some great pointers on how to create a well oiled PowerPoint presentation with a plethora of internal hotlinks and hot spots. The panelists can ask you questions in any order on any topic, so you must be able to flip between slides in literally just seconds. The clock does not pause for slow slide flippers. I spent the better part of a week, dragging my fried fingers across the keyboard trying to assemble my deck. Concentration was difficult…after four months of living my design I just wanted this to be over…like the 70s Calgon commercials, “Just take me away.” Oh how I wished I was in Middle Earth instead of staring at PowerPoint.
My basic presentation was just 12 slides, covering key drivers, compute, network, VMs, BC/DR, and other areas. In my over achieving appendix I had 99 slides, with content all pulled from my architecture guide. All 99 slides were organized by category, each slide with its own hotlink on the appendix page. I also had buttons in the lower right on all slides, for easy navigation to my table of contents, appendix, forward, backward, and last slide. Within a couple of clicks I could jump anywhere in the deck, and back. Apply oil liberally. VCDX candidates need a short class on mastering PowerPoint. Oh yes, I should not fail to mention that Josh Coen and I were working closely bouncing ideas off each other, and helping each other formulate our deck. Again, don’t work on your VCDX in a vacuum. Misery loves company.
You Mock Me, I Mock You
Somewhere around this time I also saw on Twitter that this guy named Brad Christian was invited to defend. He appeared to be a VCDX candidate wrangler (and Dallas VMUG Leader), and started corralling all of us anointed to defend at PEX. The clock was now ticking, and we were about three weeks away from our defenses. Due to his strong leadership and immense motivation, he helped us organize nightly mock defenses. One lucky victim, I mean candidate, presented their slides and the group ripped them to shreds (gently) with questions.
Many of us looked like Humpty Dumpty after 75 minutes, and had to put ourselves and slide deck back together again. But it was all for a good cause, right? All of us revised our slides, took note of questions others got asked that we (I) didn’t know the answer to. One of my favorite moments was when we were really beating up a candidate and someone asked him to describe how Load Based NIC teaming worked. By this time Thelma (name and gender changed to protect the innocent) had really been slammed and was a wee bit agitated. So her snippy response was, “Well let me go grab the source code for that and then I’ll tell you.” Ok now…let’s all settle down a bit.
I bet the WebEx server was getting tired of the nightly beatings. The last couple of days during that three week period I was once again deep fried, and actually ditched the sessions. I just couldn’t take it any more. We are now at February 7th, three days before my defense.
WebEx wasn’t enough..let’s do it in Person Too
As if three weeks of beating on each other virtually was not enough, Brad reached out to the VMware community to see if anyone would sponsor a boxing ring for the weekend prior to our defenses so we could beat each other up in person. Nutanix came through and rented a boxing ring, which suspiciously looked like a conference room at the W hotel. All weekend long nearly all candidates were packed into the room taking turns doing mocks.
Some new faces appeared who had not been in our WebEx sessions, which were fresh and angelic like, but partially resembled Humpty Dumpty after we got done with them. But it was all for the common good, right? Seated alongside the boxing ring were VCDXs like James Charter, Tim Antonowicz, and Mark Gabryjelski giving pointers and wiping up the blood.
Oh yes, and let’s not forget the insanely evil troubleshooting scenarios that [redacted] dreamed up from real life. Or how about the customer design scenario where a service provider had both adult streaming media and conservative non-profit tenants? Workload isolation? If it was *EVER* needed, this was the time! XL vShield to the rescue. Or a VDI scenario using linked clones where the master VM was 62.9TB? Yes, we were ruthless..and perhaps got a little carried away. Let’s not forget James Charter frantically waving “Why?” on a napkin, like he was a stranded survivor trying to flag down a rescue mission, during our troubleshooting scenarios.
Dooms Day
Now that all the prep was done, February 10th at 0900 was just hours away. I got a good night’s sleep, had breakfast at the hotel, and made my way over to the Hilton. As you can see from my selfie to the left, I was very relaxed and carefree. Actually I was pretty relaxed, and was confident that I knew my design and slide deck very well. Promptly at 0900 I was led like a sheep by Mark Brunstad into the defense room. No ‘death squad’ members were present, so I relaxed and started off the 75 minute presentation. A worm hole opened up, and before I knew it the 75 minutes were up. I felt like I did really well in that section. Of my 99 backup slides I used possibly three.
Next up was either the design or troubleshooting session, I don’t recall. Either way, the design session was a bit more rocky than I had wanted…and a reverse-wormhole formed and the 30 minutes seemed to take forever. Troubleshooting went OK. Overall I felt good about my performance, and the experience was actually quite pleasant and not scary. The panel is there to help you score higher, not pick you apart or make you feel like a dummy. Mark escorted me out, and said the official results SLA was 10 days.
And the Results are in…
Past performance is not an indication of future performance. That was certainly true in this case, but in a good way. For prior defenses VMware released the results a few days after everyone had completed, which was still much quicker than the stated 10 day SLA. However, Mark pulled a fast one on us and in less than a couple of hours after the last defense on Thursday he sent everyone the results. I was so not expecting them, that I wasn’t looking at my phone every time I got an email. There was just no way results would come in that fast. Impossible!
But I was on my computer, happened to have OWA open and heard the ding. The sender of the email was Mark, and my heart practically stopped mid beat. Tunnel vision set in. The results were in a PDF which I had to open. This may sound easy, but it’s not when your heart has stopped. Tunnel vision gets even narrower. Acrobat takes forever to launch..I had never wanted Acrobat to open so fast in my entire life, and it never seemed so slow.
Upon opening I see a number…no text..just a number. 125. I’ve never been happier to be called a number in my life. I now see the words “congratulations.” Yes, I’m now VCDX #125. Shortly thereafter Twitter practically explodes. Yes, Josh tweets his number, Garrett, Kalen, Hersey, Sean……eight of us tweet three digit numbers. The numbers 125 through 132 have new owners. 175 days after my VCAP5-DCD exam mission is accomplished.
Thank you!
I want to give a huge shout out to Brad Christian, Josh Coen, and other VCDXs that participated in mock defenses like Josh Odgers and Romain Decker. Brad did a stellar job at organizing the mock panels. The full weekend of in-person mock defenses was also critical, and I want to thank Nutanix for sponsoring the room. I’ve been told this is the first time in VCDX history where nearly all candidates did mocks for so many weeks, and in person, prior to the defenses. That credit goes to Brad! I also really want to thank all my Twitter followers, friends, family and co-workers that were supportive during the whole six month process. There’s no way I could have done this alone.
Aspiring VCDX Resources
If you are still with me at this point, you get an award. No fancy stickers like Chris Wahl, just a pat on the back. Beyond knowing your design inside and out, here are a few must-have resources that you need to start your VCDX journey.
1. Don’t even think about starting the VCDX without reading every word in the VMware VCDX Boot Camp book. Buy it here from Amazon. Read. Every. Word. Read. Again. Read. Again. This is your beacon on the VCDX road.
2. Buy the Storage Implementation in vSphere 5.0 by Mostafa Khalil here from Amazon. Think you know a lot about storage? You won’t after you get done reading this book. Excellent reference book, and a must-read prior to a defense.
3. Buy the relevant version of Clustering Deepdive by Duncan Epping and Frank Denneman. 5.1 version is here.
4. Buy the VMware vSphere Design book by Scott Lowe (and others) from Amazon here.
5. Attend in-person the VCAP and VCDX workshops. These are normally held at large events like VMworld and PEX, but they are also ramping up at other locations and times as well. I’m pretty sure that everyone that passed this time attended one or more in-person boot camps.
6. Watch the VMware VCDX prep videos with John Arrasjid and Rawlinson Rivera here.
7. Check out the blog post by Brad Christian about his experience, and more tips here.
8. Check out the @vSential VCDX Study Group form here.
9. Although not out yet, Chris Wahl is publishing a vSphere networking book that I know will be killer and a must read.
My #1 tip is to join a study group as soon as you know you want to get on the VCDX bandwagon. Share often, share early! Get on Twitter and find other VCDX candidates, and use the group sign up form link above. Yes, you too can become a VCDX with enough experience, dedication, and a study group.
My new Journey
I was so looking forward to my life returning to ‘normal’ post-VCDX. Every weekend and practically every waking hour for the last 180 days was VCDX. Well, there’s a new normal starting in less than two weeks.
I’m very honored and very excited to announce that starting in March I’ll be joining Nutanix as a Sr. Solutions and Performance engineer. This is the same team that Josh Odgers (VCDX #90) and Michael Webster (VCDX #66) are on. Last year The Register wrote an article about Nutanix assembling an elite squad of ‘crack VMware designers’. Michael was the fourth VCDX to join Nutanix, and I will be the fifth. I’m sure I won’t be the last to join. Nutanix has a great blog post about the value of VCDXs to the VMware ecosystem, which you can read here.
I don’t see obtaining a VCDX as the end of a journey, but rather the start of a whole new adventure. I know I can learn a tremendous amount from Josh, Michael, the other VCDXs and the extraordinarily bright Nutanix staff. This will be my first startup, and I’m relocating to the Nutanix HQ in San Jose. Storage has always been a passion of mine, and I love a good Fibre Channel SAN or tier-1 array. But enterprises now need something that scales out linearly, is vastly easier to use, has much higher performance, and is more dense. That is Nutanix.
Very important to me is being able to blog about my passions, and Nutanix is the perfect fit. I can continue to write about VMware, Microsoft, Citrix, and expand my knowledge base to other products. I will have a lot more opportunity to blog about new passions, and give back even more to the community and Nutanix customers. I’m excited to start this brand new adventure, so expect my blogging to ramp back up to pre-VCDX levels with even better content.
Held in Vietnam for seven consecutive years since 2007, Security World has gained recognition as a prestigious, unique national forum where officers from the Ministry of Public Security update and seek security technologies for the Ministries’ and Government’s ongoing projects. It also serves as a meeting point for enterprises from the Banking, Finance, Telecommunication, E-commerce, Retailing and Manufacturing industries, who gather to exchange experiences for better development of IT Security.
This year, featuring the theme “Align your information security programs to enable business growth”, Security World 2014 will take up such current issues as: key trends in information security, evolving mobile device management policies, mitigating security threats, and integrating information security and risk management into business. Topics related to strategies, practices, and technologies for IT Security will also be discussed.
Along with the Conference, the Exhibition showcases diverse Information Security Technology/Solutions and brings unique access to 600 CIOs, CSOs, IT Directors – key decision makers for IT and Security purchasing.
Palo Alto Networks joined as Conference Sponsor for Security World 2014, with Philip Hung Cao as speaker on the topic: “Living with Next-Generation Security”.
It’s been well publicized that on April 8th, 2014 Microsoft discontinues product support for Windows XP. Windows XP was released in 2001, and the support policy for the life of the product soon followed in October 2002. In September 2007, we announced that support for Windows XP would be extended an additional two years to April 8, 2014. We are very clear about the lifecycle of our products, deliberately communicating this information years in advance, because we know customers need time to plan for changes to their technology investments and manage upgrades to newer systems and services.
We’ve also focused on communicating regularly, such as an article posted in August of last year. That piece focused on the fact that supported versions get security updates that address any newly discovered vulnerabilities, which Windows XP won’t receive after April 8, 2014. This means that running Windows XP when the product is obsolete (after support ends) will increase the risk of technology being affected by cybercriminals attempting to do harm. This blog post continues on from that article, and also provides guidance to consider as people look ahead.
Many of the enterprise customers I’ve talked to recently have finished, or are in the process of finishing, technology projects that move their desktop computing environments from Windows XP to Windows 7 or Windows 8. However, I’ve also talked to some small businesses and individuals that don’t plan to replace their Windows XP systems even after support for these systems ends in April. In light of this, I want to share some of the specific threats to Windows XP-based systems that attackers may attempt after support ends, so that these customers can understand the risks and hopefully decide to immediately upgrade to a more secure version of Windows, or accelerate existing plans to do so.
The cyber threats discussed here are based on data and insights from recent volumes of the Microsoft Security Intelligence Report. This report includes aggregate data on the threats that hundreds of millions of systems around the world encounter – many of which are successfully blocked by Microsoft antivirus software and the security features built into Windows, Internet Explorer, Bing, and other Microsoft products and services. This data gives us a good picture of the tactics that attackers have been using to try to compromise computer systems, including which attacks are used most often on Windows XP systems. The information then helps Microsoft and antivirus security companies develop ways to combat those attacks. Since the year that Windows XP was built, cyber attacks have increased in sophistication. Systems receiving regular updates get the protections they need based on the latest cyber threats. But at some point an older model of any product will lack the capability to keep up and become antiquated. Obsolescence for Windows XP is just around the corner.
What Motivates Cyber Attackers?
Attackers’ motivations have changed over the past decade. Ten years ago attackers were primarily motivated by making a name for themselves through notoriety for each malicious act they completed. Today, attackers typically steal personal and business information from the systems they go after and try to keep a lower profile, as the goal is financial profit more regularly than mischievous disruption or ego. The attackers that steal the information from computer systems sometimes choose to trade or sell that stolen information to other criminals to use for identity theft and bank fraud schemes. And, access to compromised computer systems is often sold or leased by attackers to other criminals to perpetrate more crimes against additional unsuspecting victims, while providing anonymity to the original criminals.
Microsoft Security Innovations made it Harder for Cyber Attackers to be Successful
Following Windows XP’s release and through 2004, there were several cyber attacks that gained widespread awareness in news outlets and with many customers. In the wake of those computer virus attacks, Microsoft invested further in several important security protections and turned on existing improvements (called “mitigations” by security experts) in order to better protect customers that were running Windows XP. This protection push resulted in a major update called Windows XP Service Pack 2, which was released in 2004. One of the security mitigations that was turned on in Service Pack 2 was a feature called Windows Firewall. This helped stop many of the attacks that were common at that time and made it much harder for attackers to violate Windows XP systems. Our security intelligence report shows that the time between major attacks extended in length after Windows XP Service Pack 2 was released, proving that Service Pack 2 provided more protections than prior versions of Windows XP.
The Usual Suspects – Threats to expect against Windows XP
The types of attacks that we expect to target Windows XP systems after April 8th, 2014 will likely reflect the motivations of modern day attackers. Cybercriminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues. Over time, attackers will evolve their malicious software, malicious websites, and phishing attacks to take advantage of any newly discovered vulnerabilities in Windows XP, which post April 8th, will no longer be fixed.
Here’s a list of risks that Windows XP based systems might encounter over time, along with some guidance to help small businesses and individual consumers temporarily protect themselves against cyber attacks while moving to a modern operating system:
RISK #1: SURFING THE INTERNET: New exploits for Windows XP will likely be added to cybersecurity exploit kits that are sold/leased to attackers. Exploit kits make it easy for professional and novice attackers alike to build malicious websites that try to install malware on systems that visit those sites. Surfing the Internet on Windows XP based systems after April 8th, 2014 will become more risky as new exploits for Windows XP are distributed among attackers via exploit kits.
Guidance: Since browsing the Internet is a risky proposition if running on out-of-support systems like Windows XP after April, small businesses and consumers should limit where they go to on the Internet to help manage the risk. Limiting the specific websites these systems can get to on the Internet, or simply not using Windows XP systems to connect to the Internet, will reduce the probability of compromise via a malicious website.
Important note: Changing browsers won’t mitigate this risk as most of the exploits used in such attacks aren’t related to browsers.
RISK #2: OPENING EMAIL AND USING INSTANT MESSAGING (IM): Many attacks typically start with a well-constructed phishing attack via email. The email will likely contain the Internet address (also known as a URL) to a malicious website that has been constructed for unsupported Windows XP based systems. The email could also have a specially crafted malicious attachment that when opened, exploits an unpatched Windows XP vulnerability, potentially giving attackers control of the system. Attackers have also used Instant Messaging (IM) to deliver malicious URLs and attachments. Opening email or using IM on Windows XP based systems after April 8th, 2014 will become more risky as new exploits for Windows XP may be integrated into phishing attacks, malicious emails and IMs.
Guidance: Malicious e-mail messages are a very common tactic attackers use to gain entry to systems. Given this, it would be prudent to avoid using Windows XP systems to send or receive email. Avoid clicking on links or opening attachments sent via email or IM.
Important note: Using a different email or IM program likely won’t mitigate this risk as these attacks are typically in the content of the messages themselves, not a vulnerability in a specific email or IM program.
RISK #3: USING REMOVABLE DRIVES: Attackers can attempt to use USB drives and other types of removable drives to distribute malware that seeks to leverage new vulnerabilities in Windows XP to compromise systems.
Guidance: This is a common way that Windows XP systems get infected with malware. Some customers have decided to physically block access to USB ports on systems in their organizations in an attempt to block this type of threat. Connecting removable storage devices to Windows XP systems should be avoided. More information is available in this article: Defending Against Autorun Attacks.
RISK #4: WORMS WILL USE ANY NEWLY DISCOVERED VULNERABILITIES TO ATTACK WINDOWS XP: Malware purveyors will likely integrate new vulnerabilities targeting Windows XP into malware that tries to multiply. The success of the virus named Conficker in infecting systems in enterprise environments illustrates that security firewalls and strong password policies are still not comprehensively used. Organizations that continue to run Windows XP after support ends should be on guard for this type of threat in their environment, which is typically introduced into systems by infected USB drives in an attempt to get past firewalls.
Guidance: Review any exceptions you allow through firewalls in your environment. Only keep the exceptions in your firewall rules that you really need. Follow the earlier guidance to limit removable drive use on Windows XP systems. Use strong passwords on your systems that can’t be easily guessed.
RISK #5: RANSOMWARE: We have seen a large uptick in ransomware in recent years. Attackers use this type of malware to extort users into paying them to unencrypt files that the malware has encrypted on their system, or to unlock the system’s desktop. After April 2014, attackers will likely attempt to use unpatched vulnerabilities on Windows XP based systems to distribute ransomware. This type of attack can have a crippling impact on small businesses and consumers that lose access to important data or systems.
Guidance: Restoring data from backup is a good way to recover from a ransomware infection. More frequent backups of data stored on Windows XP systems, or that Windows XP systems have access to, would be prudent after April.
So What Should You Do?
The guidance above provides suggestions towards managing some of the risks of running Windows XP post April 8. However, the primary thrust of our advice is clear: the best option is to migrate to a modern operating system like Windows 7 or Windows 8 that have a decade of evolved security mitigations built in and will be supported after April 8, 2014.
Upgrade Advice
For customers considering upgrading a device designed to run Windows XP, we recommend purchasing modern hardware – from touch laptops to tablets to all-in-ones – to take full advantage of the features and touch-based user interface available in Windows 8 or later systems. Modern devices are not only faster and have greater performance than devices running older operating systems, but come with greater security features, new and improved networking tools for when you’re on the go, modern apps and more.
If a customer wants to upgrade an existing machine to Windows 8.1, upgrade activities depend on what current operating system is on the machine, and the capabilities of that hardware. System requirements to install a new operating system can be found here.
Computers running Windows 8 can be updated to Windows 8.1 via the Windows Store (for consumers) or using media (for larger organizations with volume licensing).
Computers running Windows 7 can be upgraded to Windows 8 using media, then updated to Windows 8.1 (using the process above).
Computers running Windows XP cannot be upgraded in-place to Windows 7, Windows 8, or Windows 8.1. A clean install is necessary, although user data can be migrated.
For customers who are unsure of what version of Windows they are using, visit AmIRunningXP.com, a website designed to automatically tell if a computer is running on Windows XP or a newer version of Windows like Windows 7, Windows 8 or Windows 8.1. If it detects Windows XP, the website provides guidance on how to upgrade ahead of the April 8th end of support deadline.
Additional information on the end of support for Windows XP and how to upgrade can be found here.