Is Security Optional20100608

Publish in



Please download to get full document.

View again

of 18
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
1. Is security optional for Ericsson? Jonas Andersson 2. The answer is NO! (Atleast when it comes to product security) 3. Some things are mandatory Risk Assessment (RA)…
  • 1. Is security optional for Ericsson? Jonas Andersson
  • 2. The answer is NO! (Atleast when it comes to product security)
  • 3. Some things are mandatory Risk Assessment (RA) Vulnerability Analysis (VA) Hardening guideline
  • 4. Verifying the product security A product should be as much secure as possible During the VA, tools are used to verify the security One of the tools are a software called “Nessus”
  • 5. What is Nessus? An open source security scanner Scans for known vulnerabilities Performs a scan from the “network” Gives us a nice looking report
  • 6. Who else are using Nessus? Customers Attackers ? ?? ?? ? ? ?
  • 7. The Nessus report Lets have a quick look at a Nessus report
  • 8. How can an attacker use the information from the Nessus report? If they could scan → They could attack ! (We put this in an ”Ericsson environment” later on)
  • 9. Lets perform an attack Green background = Target Red background = Attacker
  • 10. Removing vulnerabilities Do we really need to patch all the time? Our customers need products up and running Can we skip patching if behind a firewall? No one can reach our nodes anyway … or?
  • 11. Ways of getting closer to the target A lot of different ways of getting malicious software to the target CDs and USB-memory Email attachments Links to malicious sites on the Internet
  • 12. What if the target machine is a laptop that belongs to an O&M-user? (Or an Ericsson technician?) What if this laptop is connected to a node inside an Ericsson solution?
  • 13. Do we need to bother? There are several Ericsson products built on common operation systems and software. Example: Yesterday a patch for the Microsoft IIS was released. Everyone using IIS version 6, 7, or 7,5 on Windows Server 2003 and 2008 is vulnerable. By sending a special crafted request an attacker could execute code on the server.
  • 14. Do we need to bother… again.. Last week Adobe announced a severe vulnerability in Adobe Reader, Flash and Acrobat. This vulnerability is used by attackers in the wild… A patch is hopefully coming in the next two weeks (!) Should an Ericsson employee, or an O&M user, even consider reading a PDF-file attached to an email from his/her boss?
  • 15. What else could an attacker do? Rootkit Backdoor Redirect network traffic Sniff and collect useful information ?? ?? ? ?
  • 16. Why TE101? Gives the participants a deeper understanding of the importance when it comes to security requirements: – Generic baseline for Ericsson nodes – Design rules Security know-how inside Ericsson will increase To make Ericsson employees think ”security”
  • 17. TE101 includes the following topics Network protocols Malicious software Vulnerabilities Verifying security Programming security Firewall fundamentals Intrusion detection Cryptography
  • 18. Let's go out there and talk security!
  • Related Search
    We Need Your Support
    Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

    Thanks to everyone for your continued support.

    No, Thanks