Your Other Network's Attack Surface

Speaker: Fabian "Fabs" Yamaguchi

Permission management and patch management are difficult challenges in larger corporate environments. Many organizations have nevertheless successfully implemented processes and tools to cope with the constant stream of software updates for desktop and server systems, with the goal of maintaining a secure and reliable corporate infrastructure. For historical, technical and practical reasons, however, most networks are still designed around the perimeter security paradigm, considering the inside to be protected and the outside to be potentially malicious. Within the networks, traffic interception, manipulation or Denial of Service attacks are considered unlikely.

Embedded devices are the core of the networks as well as the edges of the daily workflow. From routing and switching equipment to printers, copiers, desktop phones and embedded mass storage solutions, they handle at least as much critical data as the well-managed servers do. But neither security processes nor network designs currently take these devices into account.

The presentation will highlight some of the fundamental problems when dealing with embedded device security in an enterprise environment, the gap in software quality, security response and patch options between the embedded and the server world, and how attacks can leverage the low visibility of that Other Network to easily circumvent all these security measures put in place.