Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Is Security Optional20100608


Published on

Notes from the presentation "Is security essential" delivered at Lindholmen 2010-06-09

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Is Security Optional20100608

  1. 1. Is security optional for Ericsson? Jonas Andersson
  2. 2. The answer is NO! (Atleast when it comes to product security)
  3. 3. Some things are mandatory Risk Assessment (RA) Vulnerability Analysis (VA) Hardening guideline
  4. 4. Verifying the product security A product should be as much secure as possible During the VA, tools are used to verify the security One of the tools are a software called “Nessus”
  5. 5. What is Nessus? An open source security scanner Scans for known vulnerabilities Performs a scan from the “network” Gives us a nice looking report
  6. 6. Who else are using Nessus? Customers Attackers ? ?? ?? ? ? ?
  7. 7. The Nessus report Lets have a quick look at a Nessus report
  8. 8. How can an attacker use the information from the Nessus report? If they could scan → They could attack ! (We put this in an ”Ericsson environment” later on)
  9. 9. Lets perform an attack Green background = Target Red background = Attacker
  10. 10. Removing vulnerabilities Do we really need to patch all the time? Our customers need products up and running Can we skip patching if behind a firewall? No one can reach our nodes anyway … or?
  11. 11. Ways of getting closer to the target A lot of different ways of getting malicious software to the target CDs and USB-memory Email attachments Links to malicious sites on the Internet
  12. 12. What if the target machine is a laptop that belongs to an O&M-user? (Or an Ericsson technician?) What if this laptop is connected to a node inside an Ericsson solution?
  13. 13. Do we need to bother? There are several Ericsson products built on common operation systems and software. Example: Yesterday a patch for the Microsoft IIS was released. Everyone using IIS version 6, 7, or 7,5 on Windows Server 2003 and 2008 is vulnerable. By sending a special crafted request an attacker could execute code on the server.
  14. 14. Do we need to bother… again.. Last week Adobe announced a severe vulnerability in Adobe Reader, Flash and Acrobat. This vulnerability is used by attackers in the wild… A patch is hopefully coming in the next two weeks (!) Should an Ericsson employee, or an O&M user, even consider reading a PDF-file attached to an email from his/her boss?
  15. 15. What else could an attacker do? Rootkit Backdoor Redirect network traffic Sniff and collect useful information ?? ?? ? ?
  16. 16. Why TE101? Gives the participants a deeper understanding of the importance when it comes to security requirements: – Generic baseline for Ericsson nodes – Design rules Security know-how inside Ericsson will increase To make Ericsson employees think ”security”
  17. 17. TE101 includes the following topics Network protocols Malicious software Vulnerabilities Verifying security Programming security Firewall fundamentals Intrusion detection Cryptography
  18. 18. Let's go out there and talk security!