Is security optional?
The answer is NO!
(At least when it comes to product security)
Some things are mandatory
Risk Assessment (RA)
Vulnerability Analysis (VA)
Verifying the product security
A product should be as secure as possible
During the VA, tools are used to verify the security
One of these tools is a program called "Nessus"
What is Nessus?
An open source security scanner
Scans for known vulnerabilities
Performs a scan from the “network”
Gives us a nice looking report
Who else are using Nessus?
The Nessus report
Let's have a quick look at a Nessus report
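As an added example (not from the original slides, and not Nessus's own code), the script below reads a Nessus v2 XML report and summarises it per host and severity, which is the view a patching plan starts from. The report text, host addresses, plugin ids and finding names are constructed here for illustration and are not real scan output; the layout follows the NessusClientData_v2 structure (ReportHost / ReportItem with a numeric severity attribute) as assumed here.

```python
"""Summarise a Nessus (.nessus v2 XML) report by host and severity.

Added example, not part of the original slides. The sample report
below is constructed by hand: hosts, plugin ids and findings are
invented, and the layout is the NessusClientData_v2 structure as
assumed here (ReportHost / ReportItem, severity 0-4).
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity attribute: 0 = info, 1 = low, 2 = medium, 3 = high, 4 = critical
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed sample report (not real scan output)
SAMPLE_REPORT = """<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="192.0.2.10">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
                  pluginID="100001" pluginName="Example web server flaw">
        <risk_factor>High</risk_factor>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="100002" pluginName="SSH server detection">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100003" pluginName="Example SMB remote code execution">
        <risk_factor>Critical</risk_factor>
        <solution>Apply the vendor patch or disable the service.</solution>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
                  pluginID="100004" pluginName="Example SMB signing not required">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_report(xml_text):
    """Return one dict per ReportItem: host, port, protocol, severity, plugin, solution."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        hostname = host.get("name")
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            findings.append({
                "host": hostname,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol"),
                "severity": sev,
                "severity_name": SEVERITY_NAMES.get(sev, "unknown"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                # None when the plugin carries no fix text
                "solution": item.findtext("solution"),
            })
    return findings


def count_by_severity(findings):
    """Number of findings per severity name, info included, so the size of the report is visible."""
    return dict(Counter(f["severity_name"] for f in findings))


def worst_per_host(findings):
    """Highest severity seen on each host: the order in which hosts should be patched."""
    worst = {}
    for f in findings:
        if f["severity"] > worst.get(f["host"], -1):
            worst[f["host"]] = f["severity"]
    return worst


def actionable(findings, minimum=3):
    """Findings at or above `minimum` severity that carry a solution text, worst first."""
    hits = [f for f in findings if f["severity"] >= minimum and f["solution"]]
    return sorted(hits, key=lambda f: (-f["severity"], f["host"], f["port"]))


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("by severity:", count_by_severity(found))
    print("worst per host:", worst_per_host(found))
    for f in actionable(found):
        print(f"{f['severity_name']:8} {f['host']}:{f['port']}/{f['protocol']}  "
              f"{f['plugin_name']}  -> {f['solution']}")
```

Run against a real export, the same three views answer the questions the slides raise: how many findings the node has, which host is worst, and which findings already come with a fix that can be scheduled.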
How can an attacker use the
information from the Nessus report?
If they can scan, they can attack!
(We put this in an "Ericsson environment" later on)
Let's perform an attack
Green background = Target
Red background = Attacker
Do we really need to patch all the time?
Our customers need products up and running
Can we skip patching if behind a firewall?
No one can reach our nodes anyway … or?
Ways of getting closer to the target
A lot of different ways of getting malicious software to
CDs and USB-memory
Links to malicious sites on the Internet
What if the target machine is a laptop that belongs to an
(Or an Ericsson technician?)
What if this laptop is connected to a node inside an
Do we need to bother?
There are several Ericsson products built on common
operating systems and software.
Yesterday a patch for the Microsoft IIS was released.
Everyone using IIS version 6, 7, or 7.5 on Windows
Server 2003 or 2008 is vulnerable.
By sending a specially crafted request an attacker could
execute code on the server.
Do we need to bother… again?
Last week Adobe announced a severe vulnerability in
Adobe Reader, Flash and Acrobat.
This vulnerability is being used by attackers in the wild…
A patch is hopefully coming in the next two weeks (!)
Should an Ericsson employee, or an O&M user, even
consider reading a PDF file attached to an email from
What else could an attacker do?
Redirect network traffic
Sniff and collect useful information?
Gives the participants a deeper understanding of the
importance of security requirements:
– Generic baseline for Ericsson nodes
– Design rules
Security know-how inside Ericsson will increase
To make Ericsson employees think "security"
TE101 includes the following topics