The document discusses the importance of security for Ericsson products. It notes that risk assessments, vulnerability analyses, and hardening guidelines are mandatory. It describes using the open source security scanner Nessus to verify product security and find known vulnerabilities. It warns that attackers could use information from Nessus reports to target vulnerabilities. The document urges not skipping patches even behind firewalls, as attackers have many ways of introducing malware. It stresses taking security seriously for Ericsson nodes and employee laptops due to shared vulnerabilities with common software.

1. Is security optional
for Ericsson?
Jonas Andersson

2. The answer is NO!
(Atleast when it comes to product security)

3. Some things are mandatory
Risk Assessment (RA)
Vulnerability Analysis (VA)
Hardening guideline

4. Verifying the product security
A product should be as much secure as possible
During the VA, tools are used to verify the security
One of the tools are a software called “Nessus”

5. What is Nessus?
An open source security scanner
Scans for known vulnerabilities
Performs a scan from the “network”
Gives us a nice looking report

6. Who else are using Nessus?
Customers
Attackers
? ?? ?? ?
? ?

7. The Nessus report
Lets have a quick look at a Nessus report

8. How can an attacker use the
information from the Nessus report?
If they could scan → They could attack !
(We put this in an ”Ericsson environment” later on)

9. Lets perform an attack
Green background = Target
Red background = Attacker

10. Removing vulnerabilities
Do we really need to patch all the time?
Our customers need products up and running
Can we skip patching if behind a firewall?
No one can reach our nodes anyway … or?

11. Ways of getting closer to the target
A lot of different ways of getting malicious software to
the target
CDs and USB-memory
Email attachments
Links to malicious sites on the Internet

12. What if the target machine is a laptop that belongs to an
O&M-user?
(Or an Ericsson technician?)
What if this laptop is connected to a node inside an
Ericsson solution?

13. Do we need to bother?
There are several Ericsson products built on common
operation systems and software.
Example:
Yesterday a patch for the Microsoft IIS was released.
Everyone using IIS version 6, 7, or 7,5 on Windows
Server 2003 and 2008 is vulnerable.
By sending a special crafted request an attacker could
execute code on the server.

14. Do we need to bother… again..
Last week Adobe announced a severe vulnerability in
Adobe Reader, Flash and Acrobat.
This vulnerability is used by attackers in the wild…
A patch is hopefully coming in the next two weeks (!)
Should an Ericsson employee, or an O&M user, even
consider reading a PDF-file attached to an email from
his/her boss?

15. What else could an attacker do?
Rootkit
Backdoor
Redirect network traffic
Sniff and collect useful information ??
??
? ?

16. Why TE101?
Gives the participants a deeper understanding of the
importance when it comes to security requirements:
– Generic baseline for Ericsson nodes
– Design rules
Security know-how inside Ericsson will increase
To make Ericsson employees think ”security”

17. TE101 includes the following topics
Network protocols
Malicious software
Vulnerabilities
Verifying security
Programming security
Firewall fundamentals
Intrusion detection
Cryptography

18. Let's go out there and talk security!