Would a VM such as Virtualbox be my best option for everyday security while working?

Question

I run a small business out of my home and I'm not really doing anything labor intensive, no games and I'm not cutting any code or anything of that nature. A lot of what I do is phone based sales, so I'm basically just accessing my web based work gmail account, sending PDF contracts out to be e-signed and storing those on cloud based drive and a lot of browsing for info, finding leads etc.

I could probably get away with a thin client but I just bought a cheap laptop, and I am curious to know if I'm on the right track here by thinking that Virtualbox for everyday business is my best option for security and usability for just one desktop running Windows 10 (and if so maybe I should go with a lighter weight OS).

Why don't you just use Windows 10 directly, the way it's meant to be used? — Dmitry Grigoryev, Jun 21 '17 at 08:49
You might want to have a look at [Qubes OS](https://en.wikipedia.org/wiki/Qubes_OS). This project has good documentation on how to separate your tasks into different VMs. — A. Hersean, Jun 21 '17 at 09:57
Also, in a VM you can take snapshots that allow you to restore to a previous state and they can't be accessed from the client OS. — , Jun 21 '17 at 14:01
As our [help/on-topic] says, "Security is a very contextual topic: threats that are deemed important in your environment may be inconsequential in somebody else's, and vice versa. Are you trying to protect something of global value against Advanced Persistent Threats? Or are you looking for a cost-effective approach for a low-profile small business? To get the most helpful answers you should tell us: [...] who uses the asset you're trying to protect, and who you think might want to abuse it (and why), [...]" -- see there for full quote. Can you edit the question accordingly? — D.W., Jun 23 '17 at 00:23
if somebody wants to track your browsing / read keyboard inputs, there should not be much of a difference between native and virtual OS. In fact, if a malware is coded good, there should not be much of a difference at all. — clockw0rk, Jan 04 '20 at 06:21

score 65 · Answer 1 · answered Jun 21 '17 at 04:53

65

By using the same VM for browsing, word documents, and email, you are exposing all of your data to the same level of risk.

Instead of doing all of this activity in the VM, consider doing your browsing and email in the VM, but the contract work and bookkeeping stuff on the host OS. That way if you get phished, the attack is limited to the VM, and can't do really nasty stuff like encrypt your docs and hold them for ransom.

answered Jun 21 '17 at 04:53

John Deters

33,650
3
57
110

10

just make sure you don't share folders or drives between the host and the VM - or if you really have to, just use it as a temporary folder (copy in and move out) – HorusKol Jun 21 '17 at 10:57
11

Using email in VM and document work in the host without file sharing seems highly impractical. – zakinster Jun 21 '17 at 11:16
19

@zakinster and security at cost of usability often costs security? Something like that, as far as I remember. – Mołot Jun 21 '17 at 13:24
On top of John Deters advice, you should create a snapshot of the machine right after it was installed or upgraded to the latest patch. Remember to revert to it at the end of the day, at the end of the week or just after doing something suspicious, like running an unknown software or visiting a dodgy site. – null_pointer Jun 22 '17 at 03:05
1

Are you sure you mean *phishing* in the second paragraph? Phishing is a social engineering attack. This is one of the threats where a virtual machine *isn't* offering much protection. – Philipp Jun 22 '17 at 12:24
2

@Philipp if the phishing attack convinces you to download a dodgy file that then attempts to hold your system for ransom, it will end up holding the guest VM hostage rather than the host VM. If you sign into a fake site though and enter your bank credentials, it won't help against that ;) – Doktor J Jun 22 '17 at 18:59
I was going to upvote, but then I remembered [macros in Windows](https://security.stackexchange.com/q/98224/89949). In his VM they may not do a thing, but in his Windows bookeeping admin account may cause a silent "deadly" strike. Using [qubes (as suggested in another answer)](https://security.stackexchange.com/a/162426/89949), even when opening a single document, there would be an "office-app" virtualization, that supposedly wouldn't be able to affect any other document. – Armfoot Jun 22 '17 at 19:08
@Armfoot, there are many levels of detail that I could have gone into with this answer. Rather than telling him to juggle three VMs, which would result in a complex, confusing user experience for him, I suggested a single VM for the highest risk activities the user performs, and the host OS to isolate the most important data at greatest risk of loss. It seemed to be the simplest answer that would give him a reasonable level of protection while providing a workable experience. – John Deters Jun 22 '17 at 21:01
@Mołot You're thinking of [Avid's Rule of Usability](https://security.stackexchange.com/a/6116/46979). – jpmc26 Jun 22 '17 at 23:08
I would add that Microsoft releases free OS images with web browsers installed for testing purposes. You can use those of course. – Aron Jun 23 '17 at 01:00
By the way, he could share folders if the folders are read only, can't he ? – Dinaiz Jun 23 '17 at 01:20
@zakinster that is SO not the case. Since both machines have web access, one can use a cloud service to synch files between them. Just pick one that have version control. As an added bonus, some cloud services do virus scanning on uploaded files. – Mindwin Jun 23 '17 at 13:01
@Mindwin One could argue that cloud-syncing is some kind of file sharing. Anyway, waiting for a file to be synced on the cloud and then synced back to the VM before using it as a mail attachment is precisely what I call "highly impractical". – zakinster Jun 23 '17 at 13:34

William Sandin · Answer 2 · 2017-06-21T16:44:08.360

In context of a Windows setup, a hypervisor such as VirtualBox, VMware helps isolate your guest from the host (the main installation of your OS).

This is a considerate move in terms of Security, if you're dealing with activities or files/software that pose a risk to compromise your data. One example would be for Security Analysts, who is analyzing malware on a daily basis.

So, if this is your business computer: It might make sense to encapsulate an installation inside a virtual machine if you ever would lend your computer for someone to use it, download/install unsigned software or torrents, etc. Breaking out of a virtual machine takes some very sophisticated attacks, and is a highly regarded exploit on the 0-day market.

It's the guest you want to isolate from the host and not vice versa.

There is some operating systems such as Qubes (https://www.qubes-os.org/), who does app virtualization - which means that every single application run in it's own isolated instance.

Judging by your description of daily use you are a fairly low risk user.

Only open files, e-mails from trusted entities.
Have unique passwords, and change then regularly. Monitor leaks from hacked sites you might have registered yourself on through haveibeenpwned.com
Always use the latest version of your web browser, Adobe PDF, Java and Flash if you need them at all.
Be conservative with browser extensions.
Don't install unsigned, outdated or pirated software.
Enable 2-factor authentication for your crucial accounts such as GMail, Facebook, etc.
Encrypt your backups, if having any (pull).
Be considerate with how you choose to split up your virtual machines.
Configure your Virtual Machines with none or limited access to folders etc, on your host machine.
There is a myriad of software for hardening in Windows such as EMET (The Enhanced Mitigation Experience Toolkit), Microsoft Security Essentials and Windows Defender.
If you run a Linux based installation in your virtual machime, I'd suggest you to install a supported release and enable unattended Security upgrades, reboot the server whenever there is a new kernel installed.

These steps will improve the average users information security significantly.

NOTE: Don't forget that the virtual machine, separation only mitigates certain threats and attack vectors. There is a lot more to take into consideration to have all the Security best-practices in place.

Thanks so much guys- I just took a look at qubes and I really think that may work for me. My issue is when I'm hunting for small business leads I usually end up getting tangled up in adware, especially when I'm mentally fatigued. So I'm really just looking for a way to separate browsing from everything else as seamlessly as possible. Thanks again great suggestions — user151357, Jun 21 '17 at 05:53
Suggestion for your last point on backups - make sure you setup a PULL backup on a system that runs headless by itself, and that your main computer cannot access without you initiating an action - an SSH key, or a password. — Canadian Luke, Jun 21 '17 at 16:29

score 5 · Answer 3 · answered Jun 21 '17 at 05:49

Usings VMs as a lone security measure is not enough. However, for a security conscious person who's already practicing other security hygiene, using VMs for additional security works well.

Here is how I use VirtualBox for routine daily use. You should consider your use and tailor it for your purpose.

Separate VMs for separate purposes. e.g., Documents received from / going to external sources that I must download and use go into one VM. Online purchases and banking into a separate temporary VM.
Keeping VMs updated with latest patches / updates is a chore. To keep it to a minimum I use VM templates - VMs that I don't use directly, other than to run updates. I clone these VMs when needed and use the clones as temporary VMs. Delete after use (typically 1hr to 1wk, never longer).
As much as possible, leave attachments and documents online (e.g., use Chrome's in-browser PDF viewer / document viewer). This works when you're not worried about document leakage but do want to avoid malware infections from external documents.
Use uBlock Origin and uMatrix browser plugins even within the VMs to minimize contaminating the VMs through the browser route.
One VM where most "semi-parmanently logged in social media accounts" are maintained. Recycle this VM less frequently than others - about once a month. Be extra alert with this one because of extra risk.
Setup Shared Folders to make sure the necessary files are available in each VM, but keep the access to a minimum (only the specific directory that's needed). Over a period, this falls into a pattern and becomes manageable. At first it's a pain.
Absolutely no work at all on the host machine. The idea is to keep the host with the lowest risk of all. If that's gone, then everything is gone.

Hope this helps.

If you're afraid a malicious PDF could compromise your reader, why do you think it's safe to open with a browser? — Dmitry Grigoryev, Jun 21 '17 at 08:54
Good point. Exploits are usually software specific. If the browser's PDF reader is targeted, the approach won't work. Yet, if Chrome (and other browsers) implement their sandboxing well, there is still that extra layer. — Sas3, Jun 21 '17 at 09:11
FYI, PDF readers use [sandboxing](https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/protectedmode.html) as well. — Dmitry Grigoryev, Jun 21 '17 at 10:07
@DmitryGrigoryev Adobe Reader has a longstanding and well earned reputation of being highly insecure with little apparent concern from Adobe. Chrome contains a hardened PDF reader in a sandbox environment that is well regarded. Many online cloud services actually display PDFs converted to images as well. — trognanders, Jun 22 '17 at 22:16
@BaileyS True, but in practice apparent security is inversely proportional to SW popularity. If Adobe claims they have added a sandbox, I see no reason to distrust their claim unless a vulnerability in this sandbox is discovered. — Dmitry Grigoryev, Jun 23 '17 at 07:36
@DmitryGrigoryev I actually do think that Adobe has cleaned up their act with respect to security significantly in recent years, and trust their products much more now. The better updater for Reader was a huge step. Chrome is a very popular piece of software as well with a more venerable and proven sandbox environment. — trognanders, Jun 23 '17 at 23:55

score 3 · Answer 4 · answered Jun 21 '17 at 07:54

A short answer here : if you're doing everything inside a virtual machine then the risk is exactly the same as if you were doing everything outside of it. If your virtual machine get compromised, then you lost everything but your computer.

As others stated, you should only use a VM for some stuff, especially for work requiring access to risky websites / ressources / the internet in general. In this way, you limit some risks on what you have on your computer outside of the virtual machine.

However, keep in mind things like downloading a ressource in your virtual machine before running it on your own computer (like a PDF with potential malicious macro) are not 100% secure. Some malware were designed to evade sandboxing solutions, so that they only trigger when they are outside of a virtual machine / test environment.

score 1 · Answer 5 · answered Jun 22 '17 at 20:34

what do you want to secure yourself from? - schroeder

If your answer to this question would be something similar to:

I want to protect my business from people that may be determined enough to cause damage or steal my contractual and research documents that I keep in my computer.

Then using qubes, as mentioned by William in a previous answer, virtualizes the apps that are used to access those same documents, thus reducing most attack vectors that may be caused just by opening them.

Many people use Windows with the default Admin account and/or have UAC settings on a low level. If this is your case, there is perhaps a tiny possibility of one of your "well intended" and more determined "clients" to send you an unconspicuous word/excel document, produced by a "friend who can do wonders with documents", that when opened on your Windows 10 executes macros, causing a silent and "lethal" strike.

If your computer does not have the minimum requirements for qubes or you just feel it's too much trouble to go for it, then I would perhaps reverse John's suggestion, in the sense that you should only keep, access and modify your documents in an encrypted VM with a frequently updated linux OS (limiting the possibility of these attacks) while shredding the documents from your Windows OS.

Backup this VM image frequently and if you want to go a bit further then use another VM just for accessing your mail and work websites (as SaS3 suggested) and transfer your documents through a shared flash drive or folder whose files you shred after your daily work.

Thank you for your previous comment @schroeder. I'd agree except none of the previous answers mentioned macros, VM encryption, exclusive storage and manipulation of documents in a VM and, especially, that data/business-sensitive risks may directly come from clients. — Armfoot, Jun 22 '17 at 22:29

score -1 · Answer 6 · answered Jun 21 '17 at 22:18

If you have a business were the uptime is critical I recommend an hypervisor such as ESXi or XenServer where you can can have separate VMs for different purposes and manage networks inside of the hypervisor. For the VMs inside the hypervisor to communicate with the outside world (rest of the Internet) I recommend a Firewall, for example PFsense, that works as a Firewall/Router for the internal networks you may have in the hypervisor.

If you want to go really big and provide maximum uptime as possible, I suggest 2 physical machines with a bridge connection between them, have a hypervisor on each computer (from the same company for compatibilities purposes) and with a live migration system in place in case something happens, for example not enough memory or a computer has lost power but the other is alive. What the live migration does is the hypervisor migrates (transfers) the VM still on to the other computer and keeps it on at all times. It's really cool.

I feel like this is not really answering the specific situation mentioned in the question. As the question says "I run a small business out of my home...", "I just bought a cheap laptop...", etc. Somehow I think suggesting enterprise-level solutions, with multiple servers for physical redundancy, isn't really tailored to this particular question. — D.W., Jun 23 '17 at 00:26
Haha and of course a 2 drives in Raid 1 + a backup per machine :) — Dinaiz, Jun 23 '17 at 01:25

Would a VM such as Virtualbox be my best option for everyday security while working?

6 Answers6