0
Is security optional
   for Ericsson?
    Jonas Andersson
The answer is NO!

(Atleast when it comes to product security)
Some things are mandatory


 Risk Assessment (RA)

 Vulnerability Analysis (VA)

 Hardening guideline
Verifying the product security


 A product should be as much secure as possible

 During the VA, tools are used to verify...
What is Nessus?


 An open source security scanner

 Scans for known vulnerabilities

 Performs a scan from the “network”
...
Who else are using Nessus?


 Customers

 Attackers

                               ? ?? ?? ?
                            ...
The Nessus report


 Lets have a quick look at a Nessus report
How can an attacker use the
information from the Nessus report?

  If they could scan → They could attack !



(We put thi...
Lets perform an attack


 Green background = Target

 Red background = Attacker
Removing vulnerabilities


 Do we really need to patch all the time?

 Our customers need products up and running

 Can we...
Ways of getting closer to the target

 A lot of different ways of getting malicious software to
 the target

 CDs and USB-...
What if the target machine is a laptop that belongs to an
O&M-user?
           (Or an Ericsson technician?)


What if this...
Do we need to bother?

 There are several Ericsson products built on common
 operation systems and software.

 Example:
 Y...
Do we need to bother… again..

 Last week Adobe announced a severe vulnerability in
 Adobe Reader, Flash and Acrobat.

 Th...
What else could an attacker do?

 Rootkit

 Backdoor

 Redirect network traffic

 Sniff and collect useful information    ...
Why TE101?


 Gives the participants a deeper understanding of the
 importance when it comes to security requirements:

  ...
TE101 includes the following topics

 Network protocols
 Malicious software
 Vulnerabilities
 Verifying security
 Programm...
Let's go out there and talk security!
Upcoming SlideShare
Loading in...5
×

Is Security Optional20100608

233

Published on

Notes from the presentation "Is security essential" delivered at Lindholmen 2010-06-09

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
233
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Is Security Optional20100608"

  1. 1. Is security optional for Ericsson? Jonas Andersson
  2. 2. The answer is NO! (Atleast when it comes to product security)
  3. 3. Some things are mandatory Risk Assessment (RA) Vulnerability Analysis (VA) Hardening guideline
  4. 4. Verifying the product security A product should be as much secure as possible During the VA, tools are used to verify the security One of the tools are a software called “Nessus”
  5. 5. What is Nessus? An open source security scanner Scans for known vulnerabilities Performs a scan from the “network” Gives us a nice looking report
  6. 6. Who else are using Nessus? Customers Attackers ? ?? ?? ? ? ?
  7. 7. The Nessus report Lets have a quick look at a Nessus report
  8. 8. How can an attacker use the information from the Nessus report? If they could scan → They could attack ! (We put this in an ”Ericsson environment” later on)
  9. 9. Lets perform an attack Green background = Target Red background = Attacker
  10. 10. Removing vulnerabilities Do we really need to patch all the time? Our customers need products up and running Can we skip patching if behind a firewall? No one can reach our nodes anyway … or?
  11. 11. Ways of getting closer to the target A lot of different ways of getting malicious software to the target CDs and USB-memory Email attachments Links to malicious sites on the Internet
  12. 12. What if the target machine is a laptop that belongs to an O&M-user? (Or an Ericsson technician?) What if this laptop is connected to a node inside an Ericsson solution?
  13. 13. Do we need to bother? There are several Ericsson products built on common operation systems and software. Example: Yesterday a patch for the Microsoft IIS was released. Everyone using IIS version 6, 7, or 7,5 on Windows Server 2003 and 2008 is vulnerable. By sending a special crafted request an attacker could execute code on the server.
  14. 14. Do we need to bother… again.. Last week Adobe announced a severe vulnerability in Adobe Reader, Flash and Acrobat. This vulnerability is used by attackers in the wild… A patch is hopefully coming in the next two weeks (!) Should an Ericsson employee, or an O&M user, even consider reading a PDF-file attached to an email from his/her boss?
  15. 15. What else could an attacker do? Rootkit Backdoor Redirect network traffic Sniff and collect useful information ?? ?? ? ?
  16. 16. Why TE101? Gives the participants a deeper understanding of the importance when it comes to security requirements: – Generic baseline for Ericsson nodes – Design rules Security know-how inside Ericsson will increase To make Ericsson employees think ”security”
  17. 17. TE101 includes the following topics Network protocols Malicious software Vulnerabilities Verifying security Programming security Firewall fundamentals Intrusion detection Cryptography
  18. 18. Let's go out there and talk security!
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×