Your SlideShare is downloading. ×
Is Security Optional20100608
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Is Security Optional20100608


Published on

Notes from the presentation "Is security essential" delivered at Lindholmen 2010-06-09

Notes from the presentation "Is security essential" delivered at Lindholmen 2010-06-09

Published in: Technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Is security optional for Ericsson? Jonas Andersson
  • 2. The answer is NO! (Atleast when it comes to product security)
  • 3. Some things are mandatory Risk Assessment (RA) Vulnerability Analysis (VA) Hardening guideline
  • 4. Verifying the product security A product should be as much secure as possible During the VA, tools are used to verify the security One of the tools are a software called “Nessus”
  • 5. What is Nessus? An open source security scanner Scans for known vulnerabilities Performs a scan from the “network” Gives us a nice looking report
  • 6. Who else are using Nessus? Customers Attackers ? ?? ?? ? ? ?
  • 7. The Nessus report Lets have a quick look at a Nessus report
  • 8. How can an attacker use the information from the Nessus report? If they could scan → They could attack ! (We put this in an ”Ericsson environment” later on)
  • 9. Lets perform an attack Green background = Target Red background = Attacker
  • 10. Removing vulnerabilities Do we really need to patch all the time? Our customers need products up and running Can we skip patching if behind a firewall? No one can reach our nodes anyway … or?
  • 11. Ways of getting closer to the target A lot of different ways of getting malicious software to the target CDs and USB-memory Email attachments Links to malicious sites on the Internet
  • 12. What if the target machine is a laptop that belongs to an O&M-user? (Or an Ericsson technician?) What if this laptop is connected to a node inside an Ericsson solution?
  • 13. Do we need to bother? There are several Ericsson products built on common operation systems and software. Example: Yesterday a patch for the Microsoft IIS was released. Everyone using IIS version 6, 7, or 7,5 on Windows Server 2003 and 2008 is vulnerable. By sending a special crafted request an attacker could execute code on the server.
  • 14. Do we need to bother… again.. Last week Adobe announced a severe vulnerability in Adobe Reader, Flash and Acrobat. This vulnerability is used by attackers in the wild… A patch is hopefully coming in the next two weeks (!) Should an Ericsson employee, or an O&M user, even consider reading a PDF-file attached to an email from his/her boss?
  • 15. What else could an attacker do? Rootkit Backdoor Redirect network traffic Sniff and collect useful information ?? ?? ? ?
  • 16. Why TE101? Gives the participants a deeper understanding of the importance when it comes to security requirements: – Generic baseline for Ericsson nodes – Design rules Security know-how inside Ericsson will increase To make Ericsson employees think ”security”
  • 17. TE101 includes the following topics Network protocols Malicious software Vulnerabilities Verifying security Programming security Firewall fundamentals Intrusion detection Cryptography
  • 18. Let's go out there and talk security!