Virtualization as security

Virtual computer, real security

There are many ways to keep your computer secure. Your own behavior affects it a lot and we at F-Secure are happy to help protecting you with our products. But there are also many tools that can improve your security even if that wasn’t their initial purpose. Melissa and Sean described how you can use separate browsers to lower the risk for human errors. Virtualization is another technology that can improve security as a side effect. It’s a like the separate browsers idea, but takes it a lot further. Read on to learn more.

Virtualization in computing means to simulate something with software. What we talk about here is to create a whole virtual computer inside a real computer. It’s complex under the hood, but there are luckily easy products that can be used by almost anyone. This technology is by the way used extensively in the software industry. Huge number of virtual computers can be used to process data or test software. A large portion of the Internet is also provided by virtual servers.

But how can this improve my security? Most malware is made for profit and interfering with your on-line banking is a common payload. But what if you run your on-line banking on a separate computer? Buying another machine costs money and consumes space, but that can be solved by using a virtual computer instead. That virtual machine would only be used for banking, nothing else. A malware infection could happen if your guard is down and you open a malicious file in the mail. Or surf to a site witch is infected with a drive-by download. Both cases could infect your real computer, but the malware can’t see what you are doing with the bank inside the virtual machine. One could also use the opposite strategy. Use a virtual machine when doing something risky, like looking for downloads on shady servers. A previously made snapshot can easily be restored if something bad hits the virtual machine.

An additional benefit is that this gives you an excellent opportunity to play around with different operating systems. Install Linux/Windows/OS X just to become familiar with them. Do you have some hardware which driver won’t work in your new machine? No problem, install a virtual machine with an older operating system.

OK, sounds like a good idea. But can I do it? Here’s what it takes.

  1. You need a fairly new and powerful computer. Especially the amount of RAM memory is critical. You are usually OK with 8 GB, but more is desirable. This is probably a bad idea if you have less. (This depends a lot on what operating system you are running and what you want to run in the virtual machines.)
  2. You need to download and install a virtualization product. Two good alternatives are VirtualBox by Oracle (free) and VMWare Player by VMWare (free for personal use).
  3. You need to have an installation media for the operating system you want to run in the virtual machine. This is easy for Linux as you can download the installer freely from the net. Hint: Google: download linux.
  4. You need to know how to install an operating system. This is not as nerdy as it sounds. Modern operating systems have easy installers that most people are able to use. And don’t worry if you make a mistake. It’s just a virtual machine and you can go back to the beginning at any time without losing anything (except some time).

I’m not going to provide detailed instructions for this. That depends too much on which virtualization product and operating system you use. And it would beside that be like reinventing the wheel. You will find plenty of step-by-step instructions by Googling for what you want to do, for example “install Linux in VirtualBox”.

But for your convenience, here’s an overview of the process.

  1. Select one of the virtualization products and ensure that your computer meets its system requirements.
  2. Download and install the virtualization product.
  3. Ensure that you have an installation media for the operating system you want to use and any keycodes etc. that may be needed during installation. The media can be a physical disk or USB-memory, or a disk stored as an image file. The virtualization software can mount disk image files as a device in the virtual machine and there’s no need to burn a disk for this purpose.
  4. Now follow the instructions you found on the net. They will help you create the virtual machine, mount the installation media in it and go through the operating system installation.
  5. After this you can use the virtualization product’s console to start the virtual machine when needed. It shows up full-screen or in a window depending on the settings. Inside it you can do what you want, install programs surf the net, etc.
  6. For the banking virtual computer you just need to install the browser of your choice, make sure it’s updated and patched and make your bank the home page. Don’t install anything else unless it really is needed for the banking connection and don’t use this virtual machine for anything else.
  7. You can create multiple virtual machines, but be careful if you try to run them at once. Your computer may not have what it takes. As said, RAM memory is the critical resource here.

Safe surfing,
Micke

Edited to add: It is of course a good habit to exercise the same basic security measurements inside virtual machines as in real computers. Turn on the operating system’s update function, install your anti-virus program and make sure your browser is kept up to date. Doing just banking with the virtual machine reduces the risk a lot, but this is good advice even in that case. And needless to say, the virtual machine’s armor is essential if you use it for high-risk tasks. Thanks Dima for providing feedback.

More posts from this topic

842710939_d8f092ed9f_b (1)
April 28, 2016
BY 
Why press freedom matters and how tech can help

World Press Freedom Day: Why it Matters and How Tech Can Help

Finland is home to the freest news media in the world, according to Reporters Without Borders. It's fitting, then, that the annual UNESCO World Press Freedom Day conference will be held in Helsinki this year, May 2-4. Freedom of information is a topic that's close to our heart. We were fighting for digital freedom before it was cool - yes, before Edward Snowden. A free press is foundational to a free and open society. A free press keeps leaders and authorities accountable, informs the citizenry about what's happening in their society, and gives a voice to those who wouldn't otherwise have one. Journalists shed light on issues the powers that be would much rather be left in the dark. They ask the tough questions. They tell stories that need to be told. In a nutshell, they provide all of us with the info we need to make the best decisions about our lives, our communities, our societies and our governments, as the American Press Institute puts it. That's a pretty important purpose. But it can also be a dangerous one. Journalists working on controversial stories are often subject to intimidation and harassment, and sometimes imprisonment. Sometimes doing their job means risking their lives. According to the Committee to Protect Journalists, 1189 journalists have been killed worldwide in work-related situations since 1992, when they began counting. 786 of those were murdered. Freedom of the press and digital technology are inextricably intertwined. Journalists' tools and means of communication are digital - so to protect themselves, their stories and their sources, they also need digital tools that enable them to work in privacy. Encrypted email and messaging apps. Secure, private file storage. A password manager to protect their accounts. A VPN to hide their Internet traffic and to access the content they need while they're on assignment abroad. F-Secure at World Press Freedom Day It's because press freedom and technology are so intertwined that it's our honor to participate in this year's World Press Freedom Day conference. Here's how we'll be participating in the program: Mikko Hypponen, Chief Research Officer at F-Secure, will keynote about protecting your rights. Tuesday May 3, 14:00 to 15:45 Erka Koivunen, our Cyber Security Advisor, will participate in a pop-up panel debate on digital security and freedom of speech in practice. Tuesday May 3, 15:45 – 16:15 Sean Sullivan, our Security Advisor, will be on hand to answer journalists' questions about opsec tools and tips. One of our lab researchers, Daavid, will be inspecting visitors' mobile devices for malware. We'll feature our VPN, Freedome.   Check out our Twitter feed on May 3 for livestream of Mikko's and Erka's stage time.                 Banner photo: Getty Images

April 27, 2016
BY 
Internal startups are a way for big companies to innovate and adapt.

Why an Internal Startup Could Be Companies’ New Recipe for Success

AirBNB. Uber. These are but two examples of disruptive startups that are popping up to challenge big organizations' legacy mindsets and business models. Digitalization has completely shaken the world, and companies have two options: adapt to stay in the game, or be left behind in a cloud of dust. But it's hard to turn a big ship around. That's why F-Secure's Harri Kiljander, Janne Jarvinen and Marko Komssi believe that a great way for companies to accelerate innovation is to bring the startup model in-house. They've collaborated with peers from other organizations in a new ebook, The Cookbook for Successful Internal Startups. The book is a practical guide to establishing and running an internal startup. An internal startup, they say, is a great route to cheaper innovation execution and faster time to market. And the three have experience to draw on: F-Secure has developed its VPN product, Freedome, its password manager, Key, and its smart home security device, Sense, all as internal startups. The book pulls together F-Secure's learnings as well as the learnings of other companies who use the model. I caught up with Harri, Janne and Marko to talk about the internal startup scene. What is your definition of a startup? Harri: A startup is an organization that is established to build a new product or a new service under a significant uncertainty. Trying to do something new that doesn't exist yet, and constrained by a lack of established processes or budgets or resources. Janne: To me, a startup is the means to build something new and disruptive, and build it as fast as possible, with the intention of scaling as quickly as possible. You're not trying to make something that just a few people can do for a living, but you're trying to build up a big business quickly from something new. Marko: A startup is an entity that is searching for a scalable, profitable business model. It differs from a company in that a company has already found its business model. Why do you want to encourage big companies to form internal startups? Harri: Big companies are really good at doing old things. An internal startup is great way to introduce new ways of working and to try developing and launching new and better products and services. Janne: All companies want to explore new areas, but in the established organization it's difficult to start something new. With an internal startup, you don't worry about the existing organizational structures. From a company perspective, because the startup is not embedded into the larger organization, it's easier to handle and it's easier to see whether it's producing results. It also gives employees the chance to be involved in something new. How has the internal startup model been beneficial for F-Secure products Freedome and Key? Harri: One of the key elements has been the rapid development and feedback cycle - the classic cycle of build, measure, learn. Build something, release it, gather feedback from users and markets, and then adjust your product, pricing, channels, etc. The more rapid you can make this cycle, the higher the likelihood of being able to generate success. Janne: We built Freedome and Key much faster as internal startups than we would have done in the traditional way. The global launch took place just nine months after the idea, and that's extremely fast. Marko: Freedome was incubated in strategic unit, not the business unit. It had more freedom as it was able to work independently, without being under any existing business pressure. What is the biggest advantage an internal startup has over an independent startup? Harri: The ability to access the big company resources, including free labor and expertise. In a big company there are a lot of experienced people who yes, may be stuck with old ways of working, but they still have lots of experience and know about doing business. Marko: Access to the company lawyers, marketing competence, PR, company name brand, social media channels with established followings, etc. A startup has to pay for everything or get the competence somehow, whereas a big company has it in house. And vice versa, what is the biggest advantage an independent startup has over an internal startup? Janne: It's not constrained by a company's mindset and objectives, so it has more freedom. However, once an independent startup gets financing, the people writing the checks will start to want some control anyway, so in that sense it's not so different from an internal startup. Marko: The feeling of ownership. The independent startup team really feels that they own the idea. With an internal startup you somehow still feel that you are a company employee first. So ownership is weaker in an internal startup and that has an impact. What do you hope people take away from the startup cookbook? Harri: I hope people get a spark of courage to establish this kind of exercise in their own established organization. If they're not sure how to go about it, they are welcome to contact the writers of the book and we might be able to help them. Even big organizations can do things fast if they follow the recipes or principles we outline in the book. Janne: I hope people in large organizations see that they can explore new areas using this model. Our goal is to really help people learn from other companies' experiences so that they don't have to learn everything on their own. Read The Cookbook for Successful Internal Startups The Cookbook for Successful Internal Startups was created by the industrial organizations and research partners of Digile’s Need 4 Speed program. F-Secure is the driver company of N4S and Janne Järvinen leads the N4S consortium. Harri Kiljander is Director of Privacy Protection, Janne Jarvinen is Director of External R&D Collaboration, and Marko Komssi is Senior Manager, External R&D Collaboration at F-Secure.

April 26, 2016
BY