IT Security Risk Mitigation Report: Virtualization Security


Published on

Security is a major area of concern for any organization deploying a virtual environment. The introduction of VMs has created security considerations unheard of just a few years ago. This report provides insight into managing these new risks, and shows how Booz Allen’s expertise helps organizations develop comprehensive and secure virtualization solutions that comply with federal security standards.

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

IT Security Risk Mitigation Report: Virtualization Security

  1. 1. IT Security Risk Mitigation Report Virtualization Security by Wilson Leung Nima Khamooshi Theodore Winograd
  2. 2. IT Security Risk Mitigation Report Virtualization Security Abstract new computing paradigms. For example, the hypervisor, Virtualization is the act of emulating individual computer which is the software that mediates all interaction between the VMs and the physical host, serves as systems within a single physical host system. Organizations the only separation between different VMs on a single have typically relied on the physical separation of servers host while maintaining communication channels to the (e.g., a separate machine for e-mail, one for Web Services, individual VMs (see Figure 1). Any successful attack and another for the Domain Name Server [DNS]) to prevent on these communication channels will successfully a single server’s compromise that then directly contributes hijack the VM itself. Similarly, virtualization’s support to the subsequent compromise of other systems or network for server imaging increases the likelihood that a malicious agent can copy and send an image of an services within the enterprise. Although this practice has organizational system to a remote site for testing and proven security benefits, it also adds a number of costs and analysis; it also enables the introduction of potentially obstacles to the information technology (IT) infrastructure. malicious VM modifications while the VMs are at rest. With the introduction of virtualization, organizations can This paper identifies the most prevalent risks of now leverage processing power that would otherwise sit virtualization and describes selected countermeasures idle by deploying a separate virtual machine (VM) for each that are available to mitigate these risks. network service on one physical host while maintaining a level of separation between distinct servers. Although Introduction Virtualization decouples the operating system VM deployment has its own security risks (e.g., increased (OS) from the physical hardware platform and the availability risks as result of a single point of failure), applications that run on it. As a result, organizations organizations have achieved practical benefits from can achieve greater information technology (IT) virtualization. Cloud Computing takes virtualization to the resource utilization and flexibility. Virtualization next step. It allows multiple organizations to deploy all of allows multiple virtual machines (VM), often with their individual VMs on the same virtualization platform heterogeneous OSs, to run in isolation side by side on the same physical machine. Each VM has its own set (e.g., one or more physical hosts) and leverage their of virtual hardware upon which the OS and applications hardware in previously impossible ways. are loaded. Today’s organizations are increasingly taking advantage Figure 1|Exhibit 1 | Virtualization Overview of various forms of virtualization to leverage new Virtualization Overview capabilities, ranging from server consolidation and enhanced recovery to increased secure computing operations through support of virtual networks and “sandboxing.” Because of its ability to enable a single physical platform to host multiple isolated and unique computing environments, virtualization has emerged as a key technology for supporting Cloud Computing Host OS delivery models, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Although virtualization has many benefits, it introduces a number of risks into the enterprise—caused in part Guest Guest Guest by the increased complexity brought by the virtualized environment management (the “hypervisor”) and other OS OS OS 1
  3. 3. Virtualization has been gaining immense popularity Continuity of Operations and Data Recovery with both IT professionals and executives because it Business continuity of operations (COOP) and disaster represents an approach to data center consolidation, recovery (DR) initiatives have gained recognition over improved asset utilization, and improved control over the past few years. Customer demand and federal systems and other IT assets. However, virtualization regulations, including civil and Department of Defense has actually been around for more than three (DoD) regulations, have helped accelerate these efforts decades in one form or another, maturing this past and give them the attention they have needed for decade. Once only accessible by the large enterprise, some time. Virtualization is an ideal platform for most virtualization technologies are now available for cases of data recovery because it eliminates the need virtually every aspect of computing, including hardware, to purchase an excessive amount of equipment. Most software, and communications. software vendors of backup/recovery products support Although organizations can realize many benefits as the restoration of operational systems and applications they adopt and implement virtualization solutions, of physical servers to virtual servers. threats and risks are associated with these solutions. Traditional recovery plans are often difficult to test In the following sections, we address virtualization and keep up to date, and they depend on exact security benefits, threats to virtualized environments, execution of complex and often manual processes. attack vectors and security considerations, and They also require duplicating either the entire attacker VM detection methods. production infrastructure or the major or key portions of that infrastructure—which, for reasons of surety, Virtualization Security Benefits often equates to the total system. Although many Virtualization is not just a compelling solution organizations deploy total failover sites, smaller for server consolidation. It is becoming the most organizations may benefit from using a virtualized important security infrastructure element for security environment because more compact virtualized managers. Virtualization provides a wide range systems can be used for failover/backup and recovery of security benefits spanning key items, such as purposes. Recovery testing is simpler because it environment “sandboxing,” data recovery, malware/ allows for the execution of potentially disruptive tests forensic analysis, virtual machine introspection (VMI), using existing resources. Larger organizations may also and virtual machine live migration (VMLM). 1 benefit from virtualization by increasing the number of tests without straining the organization with a full Environment Sandboxing system-wide test of recovery procedures. Hardware A sandbox is a security mechanism for separating independence eliminates the complexity of recovery running programs. It is often used to execute and site maintenance by eliminating failures caused by validate the operation of new or untested code or hardware differences. untrusted programs from unverified third parties, Another area that increases costs and complexity in suppliers, and untrusted users. It offers a monitored any organization is the deployment of standby and and controlled environment so the unknown software failover servers to maintain system availability during cannot harm the real hosting computer system. times of planned or unplanned outages. Although Sandboxing is achievable simply by blocking some capable of hosting the targeted workloads, such critical operations or implementing a complete virtual equipment remains idle between those outages and environment, wherein the processor, memory, and in some cases is never used at all. Thus, the expense file system are simulated and the real system is provides primarily psychological, emergency, and inaccessible by the tested application. Virtualization is obligatory compliance value but little to no operational effective at providing a tightly controlled set of resources value to the organization. Virtualization helps solve for guest programs to run in, such as scratch space on this problem by allowing just-in-time or on-demand disk and memory. Network access, the ability to inspect provisioning of additional VMs as needed. A VM that the host system, and the ability to read from input has been built and configured can be put into an devices are often disallowed or heavily restricted. inactive state, ready to be activated when a failure occurs. When needed, the VM becomes active without hardware procurement, installation, or configuration. In addition, modern virtualization solutions provide 1In the following discussions, references are made to commercial products as examples of current tools. No endorsement is intended. 2
  4. 4. Exhibit 2 | Sample Malware Infection Figure 2 | A sample of malware infection 1 Hacker inserts 2 Web User visits 3 User is redirected malicious URL Good Web site to Bad Web site 4 Badsite sends obfuscated exploit for vulnerability on end user’s system 6 Malware sends 5 Malware installed private data without User noticing to hacker mechanisms for ensuring trans-system synchronization, “Trusted” Application Test and Deployment or VMLM, when performing hot-swapping or failover Most organizations do not have spare IT assets across multiple VMs. Unlike a physical system, or the time to provision an application that is not hypervisors can communicate the state of VMs’ associated with an approved project. As a result, most internal memory across the network—ensuring of the “proof of concept” applications and systems two VMs are running in the identical configuration are either set up on inadequate equipment, such as at the time of failover and thereby simplifying desktops, or not established at all. This situation previously complex and sometimes unwieldy system presents a significant risk if and when applications synchronization for failover or hot-spare activation. go to “production” status without appropriate testing. Virtualization helps resolve such problems. Malware Analysis and Defeat Rapid provisioning or minimal additional hardware As computers became more sophisticated, so did the investment, safety, security, and reliability are the malware problem. Workgroup networks were affected computing environment qualities needed to quickly by viruses that could infect not only local (server, build a proof-of-concept environment. If proof of node, or workstation) files but also the files of other concept is successful, the VM application can be users in the network. Malware researchers need a efficiently and effectively migrated from the test way to truly see what malware does to a server or a infrastructure to the production virtual infrastructure host in the workgroup network to have any hope of without additional cost. In addition, virtualization finding a way to prevent and recover from malware enables companies to streamline their software infections. Virtualization can be used to quarantine and/or system life-cycle development model. From malware in a controlled environment where it can be development and testing through integration, staging, studied, observed, tested, and eventually defeated and deployment, and management, virtualization offers eradicated, and future instances can be prevented. a comprehensive framework for virtual software life- Figure 2 illustrates that traditional malware infection cycle automation that streamlines these adjacent cycle. Using virtualization, the user’s machine in Step yet sometimes disconnected processes and 5 can be controlled and monitored to understand the simultaneously closes the loops between them. By malware itself while simultaneously preventing the pushing a staged configuration into production after compromised system from launching further attacks. successful testing, virtualization can minimize errors associated with incorrect deployment and configuration of the production environment. 3
  5. 5. Virtual Machine Introspection wherein a hacker submits malicious SQL code into an The recent development of virtualization products has online web application. led to the evolution of VMI techniques and tools to The need to update the software installed on the host monitor VM operations and behavior. VMI tools inspect itself a result of the increasing trend in client-side a VM from the outside to assess what is happening software attacks. Administrators should also address on the inside, making it possible for security tools, direct attacks against services, such as Domain Name such as virus scanners and intrusion detection and Server (DNS), Dynamic Host Configuration Protocol prevention systems (IDPS), to observe and respond (DHCP), Active Directory, etc. As with any system, to VM events from a “safe” location outside the system administrators must ensure they have fully monitored machine. A major advantage of VMI is secured the system and all of its applications to knowledge capture of context and environment, which provide the best protection profile. is critical to proper event interpretation. VMI allows event replay, which can determine whether analysis Although many of the standard attacks apply to any must be performed in real time as the target system system—virtual or physical—virtualization-specific executes or at a later time under the analyst’s control. considerations also exist. Many of these virtualization- specific attacks take advantage of the specific nature of the virtual environment and are not exploitable in Threats to the Virtualized Network non-virtualized systems. These attacks are known Environment in the IT community as VMEscape, VMchat, VMcat, Virtualization in a network environment complicates VMdrag-n-hack, VMdrag-n-sploit, and VMftp.2 the enterprise’s security needs. The standard threats and attacks to the enterprise infrastructure remain, VMEscape and the introduction of the virtualization software One of the most critical attacks on the virtualization simultaneously increases the surface area of attack. environment is the potential for a VM “escape.” In This situation creates a significant need to harden and this attack, a malicious actor gains access to a VM secure the virtualization system and protect against guest OS using one of the standard threats mentioned the standard attack channels. earlier. Once the hacker has access, he or she will The virtualization software itself is of particular escape the VM guest OS to gain access to the host concern. If an attacker can gain access to a virtualized OS. As previously mentioned, the host has direct environment, the attacker can potentially escape the access to all guest OSs. By taking over the host, a VM and move up the chain to the virtualization host. hacker has increased potential to negatively affect all Because this host runs, monitors, and administers the VMs managed under that host. Figure 3 illustrates a guest OSs contained under its purview, the host can successful VMEscape attack.3 be a jumping off point for additional system access by an attacker. In an environment where a single host Exhibit 3 | VMEscape can have numerous guest OSs running mission-critical Figure 3 | VMEscape network services, the problem is clear. If an attacker can gain access to the host, then it is an easy task for the attacker to gain access to the virtual guests controlled by that host. As mentioned earlier, the standard computing attacks Host OS are still present in the virtual environment. A system administrator must apply security patches, updates, service packs, hotfixes, etc., to secure and protect the OS against malicious attacks. The administrator must also ensure that any software installed on the VM (e.g., web server software or other client-side software) Guest Guest Guest is up to date. Likewise, the system developers must OS OS OS use high-quality coding practices to ensure the system is not vulnerable to other forms of attacks, such as Structured Query Language (SQL) injection attacks 2These names are based on the presentation from IntelGuardians at SANSFire 2007, which is referenced in the following web pages: and, accessed June 15, 2009. 3Joab Jackson, Government Computer News, “VMware vulnerability allows users to escape virtual environment,” escape-virtual-environment.aspx, accessed June 15, 2009. 4
  6. 6. VMchat Figure 4 | 4 | Memory in virtual environment Exhibit Memory in a a Virtual Environment One of the benefits of utilizing virtualization in a network is the ability to separate machines logically, thereby placing each OS into its own separate sandbox free from external inputs. However, utilities like VMchat raise certain issues. VMchat is an administration utility in which the system administrator is able to send Shared instant messages (IM) between VMs. This function Memory gives system administrators the ability to communicate service interruptions or other administrative issues Host to pertinent staff. The problem, however, lies in the Guest potential for a malicious actor to take advantage of OS OS this shared memory space and inject a malicious Dynamic-Link Library (DLL) into memory. When a hacker does this, he or she has effectively bridged the sandboxed memory space of each VM. VMdrag-n-sploit file in memory, which in turn executes on both of the VMs. The VMdrag-n-sploit file provides VMcat functionality to exploit VMchat or VMcat attacks. VMcat is a netcat equivalent software for the virtualized environment. Netcat is popularly known as VMftp the hacker’s “Swiss Army Knife.”4 It allows a plethora As seen with the other utilities, VMftp opens up yet of capabilities, including port scanning, file transfer, another channel for communication between VMs. IM/chat, and command shell sending. Netcat is a VMftp provides the ability to send files between VMs hacker’s tool of choice because of its numerous quickly and easily. It operates in much the same way capabilities and small file size. The problems with as a traditional File Transfer Protocol (FTP) system. VMcat are apparent. A system with VMcat installed It presents problems because it can potentially allow can facilitate the exfiltration of files and data in the a malicious actor to exfiltrate any file, as well as same way hackers use netcat. VMcat also supports take advantage of the shared memory space issues secondary attacks and OS fingerprinting, thereby described above. increasing its threat capabilities once installed. Security Considerations VMdrag-n-hack Although virtualization offers a number of benefits to VMdrag-n-hack is an exploit where an attacker organizations, like any new technology, virtualization attempts to take advantage of an unsuspecting system increases the attack surface of systems within an administrator’s ability to drag and drop files between organization. In many cases, the risks associated VMs. As the administrator drags a file between the two with virtualization can be mitigated in an effective systems, he or she is unknowingly executing malicious manner; however, it is important to fully understand code. An attacker can determine the area of memory these risks before introducing virtualization into an that is read and written to as the administrator moves organization’s infrastructure. This section provides a the file between systems (see Figure 4). Because full description of these risks, along with discussions of this, the attacker can inject malicious code into of the countermeasures organizations may put in place memory that the secondary system will read, thereby to mitigate each of these risks. allowing a hidden communication channel between the In general, the mitigation strategies for virtualization- two systems. related risks are very similar to the defense-in-depth strategies employed in any IT environment. Specifically, VMdrag-n-sploit organizations should expand their security patching VMdrag-n-sploit works very similarly to the VMdrag-n- programs to include the hypervisor, the host system, and hack attack. In this attack, the malicious actor takes all VMs used in the organization. In the past, this wide advantage of a user with system access who drags and coverage may have been difficult, but modern hypervisors drops a file between two VMs. When the innocent party provide capabilities for patching VMs even when they are performs this task, he or she unknowingly executes the 4More information about Netcat is available at 5
  7. 7. offline, removing the need for organizations to launch all • Artifacts in processes, the file system, or registry VMs to deploy security patches. • Artifacts in memory Organizations should also ensure their hypervisors are configured and deployed using least privilege: the • Hardware that describes itself as provided by a administrators and permissions on the hypervisor virtualization vendor should have privileges no higher than necessary to complete their functions. In some instances, least • Artifacts in the instruction set architecture (ISA) privilege may extend to hosting different categories that are accepted only by hypervisors. of VMs on separate physical hypervisors to prevent attacks against a single hypervisor from affecting the In light of these techniques, some virtualization entire virtual infrastructure. In addition, organizations vendors aim to reduce the number of “fingerprints” may take advantage of guidance for hardening provided by their virtualization software. Using the hypervisors provided by virtualization vendors and virtualization extensions to the x86-64 instruction other organizations (e.g., Center for Internet Security, set, it is becoming increasingly difficult for malware Defense Information Systems Agency). to determine whether or not it is running in a VM. Although malware’s ability to determine whether or not VMEscape it is running in a virtual environment is becoming less One of the most discussed attack vectors in of a concern (especially with the rise of Cloud services virtualization security is the concept of VMEscape. leveraging virtualization), the difficulty of determining VMEscape entails breaking out of the VM and directly which specific hypervisor is controlling a VM makes interacting with the hypervisor. There are only a few deploying effective malicious attacks against the instances of successful VMEscape occurrences. One of hypervisor even harder—adding to an organization’s the most detailed writeups on this topic was published defense-in-depth posture. in 2007 by Google’s Tavis Ormandy.5 In his paper, Ormandy developed tools to perform fuzzing attacks Communication Channels (e.g., sending random data to the hypervisor to assess Virtualization increases the number of communication its security). He identified several vulnerabilities that channels in a computing environment. These could potentially lead to a successful VMEscape. channels can range from virtual switches, networks, and firewalls to communication paths between VMs VMEscape has been highlighted as one of the and the hypervisor. This section discusses these most dangerous attacks an organization deploying communication paths and mitigation strategies for virtualization can face. To address this risk, virtualization securing them. vendors have begun developing “thin” hypervisors, with the goal of reducing the size of the code base and reducing the likelihood of exploitable defects. Virtual Switches and Networks Virtual networking allows organizations to logically deploy their VMs in a manner consistent with the VMDetection organization’s physical network. Organizations may With the advent of security researchers using configure virtual local area networks (VLAN), take virtualization to monitor malware, malware authors and advantage of switched port analyzer (SPAN) ports, attackers have begun performing detection routines and integrate with any existing network management to determine whether or not they are running in a infrastructure. Important key points to consider when virtualization sandbox. Although most organizations deploying virtual networks include— may not explicitly deploy virtualization in this manner, intrusion detection systems are increasingly offering • Ensuring VMs in promiscuous mode (i.e., utilizing sandboxing as an effective tool for detecting zero-day a network card configuration that makes the card exploits in an organization. pass all traffic it receives to the central processing In their presentation On the Cutting Edge: Thwarting unit rather than only packets addressed to it—a Virtual Machine Detection,6 Tom Liston and Ed Skoudis feature normally used for packet sniffing) may identify a number of techniques malware uses to access the necessary network traffic; this is determine whether it is running in a virtual sandbox: necessary when deploying an IDPS within a VM 5Tavis Ormandy, An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments,, accessed on June 15, 2009. 6Tom Liston and Ed Skoudis, On the Cutting Edge: Thwarting Virtual Machine Detection,, accessed June 15, 2009. 6
  8. 8. • Ensuring the virtual network complies with possibility that the hypervisor may unintentionally store appropriate policies and regulations regarding any sensitive information outside of the VM.8 network security devices; some organizations may VM State require an IDPS logically in front of the VM—an Because virtual machines exist as an abstraction on IDPS alone in front of the virtual network may be a hosted system, all state information is accessible insufficient to the host system. This scenario means the Basic Input/Output System (BIOS) does not reside within • Ensuring appropriate COOP procedures are in read-only memory (ROM) as it does on traditional place; if an organization relies on the virtual computing systems. Instead, the hypervisor emulates network for its mission, a failure of the physical the BIOS. In addition, most virtual machines are host may compromise the entire virtual network often represented as a file on the hard disk of the host OS, allowing any user with access to the file to • Ensuring malicious activity within the network view—and potentially modify—the VM, even when it is cannot leave the virtual network and affect external at rest. This file includes the current state of system systems. memory for the VM, the state of the VM hard disk, and information stored in central processing unit (CPU) To support these activities, organizations should registers—providing a wealth of information that may employ the same strategies they would in a physical benefit a potential malicious user. network environment: taking full advantage of VLANs, firewalls, IDPS, and—when necessary—MAC locking. Virtualization vendors offer solutions to mitigate the In most virtual environments, the virtual switches, risks associated with VM files by limiting access routers, and firewalls behave in a manner similar to to only the hypervisor and potential administrators. their physical counterparts—possibly with additional Organizations can also take advantage of disk capabilities. In addition, organizations should include encryption to ensure the VM—and any backups—cannot their virtual networks in all network architecture be viewed directly from the storage device (this is documentation and security risk assessments. especially true for network-based storage). Organizations should also be aware that VM state information travels over the network whenever VMLM is implemented— VM Introspection requiring assurance that the state transfer across the VMI is a powerful tool. It allows organizations to network is protected in transit as well. deploy security solutions that cannot be compromised by rootkits or other malicious software within the VM. However, this functionality can introduce privacy Hypervisor concerns in certain organizations. Although the When introducing virtualization into an organization, it hypervisor traditionally has physical access to all is important to understand the various communication components within a VM, VMI allows the hypervisor mechanisms between an individual VM and the to actively monitor—and in some cases modify—the hypervisor. Although some of these communication activities within the VM itself. This monitoring may be channels depend on the functionality deployed, the inconsistent with an organization’s security and privacy majority of these channels are in use and often policies. In addition, organizations offering Cloud required for the hypervisor to function properly. A services may need to explicitly state that they are number of these direct channels are implemented performing VMI to ensure customers are fully aware as extensions to the ISA as machine instructions, that some level of monitoring is occurring.7 meaning they may be accessible to any application on the system. It is important to note that in most VMI tools can be configured to meet organizational cases, applications in user mode will receive a general policy. For example, some instances of VMI simply offer protection fault when attempting to access these on-demand analysis of the processes running within interfaces. Some common functions include— the guest OS or the installed software; others may perform real-time anti-malware analysis of the running • Clipboard sharing—Where the hypervisor shares system. Software deployed within VMs may improve the contents of the OS clipboard between the their level of security and privacy by ensuring their guest OS and the host OS data is secure at rest and in transit—minimizing the 7This would be a part of the agreement between the user and the supplier in a services contract model. 8It is important to note that these privacy concerns are an inherent aspect of virtualization. Any information stored within RAM or on the VM’s hard disk may be accessible—often in plain text— through the host system’s RAM or on its hard disk as a snapshot of the running VM. 7
  9. 9. • Memory management—Where the guest OS Acronyms communicates with the host OS to coordinate BIOS Basic Input/Output System the amount of physical memory in use for the COOP Continuity of Operations application CPU Central Processing Unit • Device management—For some devices (e.g., DHCP Dynamic Host Configuration Protocol processor, graphics card, network interface card), the hypervisor mediates all communication DLL Dynamic-Link Library between VMs and physical devices9 DNS Domain Name Server DoD Department of Defense • Others—Depending on the vendor solution, DR Disaster Recovery additional communication channels exist; for FTP File Transfer Protocol example, when using paravirtualization solutions, all system calls are implemented as function calls to IaaS Infrastructure as a Service the hypervisor rather than as software interrupts. IDPS Intrusion Detection and Prevention System Because many of these interfaces are implemented as IM Instant Message simple commands (e.g., as machine instructions), it is possible to minimize their accessibility to only those ISA Instruction Set Architecture processes and applications on the VM that must have IT Information Technology access to these systems. In addition, organizations OS Operating System deploying virtualization environments that do not need specific functionality (e.g., clipboard sharing) may simply PaaS Platform as a Service disable the communication feature, preventing malicious ROM Read-Only Memory users or software from taking advantage of it. SaaS Software as a Service Conclusion SPAN Switched Port Analyzer Virtualization security is a major area of concern for SQL Structured Query Language any organization deploying a virtual environment. As VLAN Virtual Local Area Network shown in this report, the introduction of VMs creates VM Virtual Machine new and profound security considerations that were unheard of just a few years ago. Booz Allen is the VMI Virtual Machine Introspection one firm that can help clients solve their toughest VMLM Virtual Machine Live Migration IT security problems. Our experienced and proven staff works side by side with our clients, helping them achieve their missions every day. Our security experts have the experience and knowledge to help the Federal Government develop comprehensive and secure virtualization solutions. Booz Allen not only understands and implements the federal security standards that protect our homeland but also advises the policy organizations and contributes to thought leadership by helping them develop the policies on which those standards are created. Booz Allen is committed to delivering results that endure. 9Some devices (e.g., universal serial bus interface) have a channel-based architecture. With these devices, the hypervisor needs only to assign a specific channel to the VM and the majority of the interaction need not be mediated directly. 8
  10. 10. About Booz Allen Booz Allen Hamilton has been at the forefront of technology, systems engineering, and program strategy and technology consulting for 95 years. Every management, Booz Allen is committed to delivering day, government agencies, institutions, corporations, results that endure. and not-for-profit organizations rely on the firm’s With more than 22,000 people and $4.5 billion in expertise and objectivity, and on the combined annual revenue, Booz Allen is continually recognized for capabilities and dedication of our exceptional people its quality work and corporate culture. In 2009, for the to find solutions and seize opportunities. We combine fifth consecutive year, Fortune magazine named Booz a consultant’s unique problem-solving orientation with Allen one of “The 100 Best Companies to Work For,” deep technical knowledge and strong execution to help and Working Mother magazine has ranked the firm clients achieve success in their most critical missions. among its “100 Best Companies for Working Mothers” Providing a broad range of services in strategy, annually since 1999. operations, organization and change, information Contact Information: Wilson Leung Nima Khamooshi Theodore Winograd Associate Associate Associate 703/604-7557 703/984-7533 703/377-5544 To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit
  11. 11. Principal Offices ALABAMA KANSAS OHIO Huntsville Leavenworth Dayton CALIFORNIA MARYLAND PENNSYLVANIA Los Angeles Aberdeen Philadelphia San Diego Annapolis Junction San Francisco Lexington Park SOUTH CAROLINA COLORADO Linthicum Charleston Colorado Springs Rockville TEXAS Denver MICHIGAN Houston FLORIDA Troy San Antonio Pensacola Sarasota NEBRASKA VIRGINIA Tampa Omaha Arlington Chantilly GEORGIA NEW JERSEY Falls Church Atlanta Eatontown Herndon HAWAII McLean Honolulu NEW YORK Norfolk Rome Stafford ILLINOIS O’Fallon WASHINGTON, DC The most complete, recent list of offices and their and addresses and telephone numbers can be found on by clicking the “Offices” link under “About Booz Allen.” ©2009 Booz Allen Hamilton Inc. 10.134.09-A