
Product Security Education - PSIRT

New Product Support Training

CWSi224
Lenovo Global Product Education
January 2019

2019 Lenovo Confidential. All rights reserved.


Lenovo Legal Disclosure
Lenovo Training Solutions
1009 Think Place
Morrisville, NC 27560
lts@lenovo.com

• This presentation contains specifications about unannounced products that Lenovo intends to bring to market. Please keep it confidential.
• Confidential within Lenovo, with distribution limited to individuals only with a specific business need to know.
• This information is for Lenovo INTERNAL USE ONLY!
• This information is subject to change without prior notice. Lenovo reserves the right not to bring any of these products to market. These products might not be made available in all countries.
• If you get customer calls prior to Announcement, you can discuss this information ONLY IF the customers are able to give you the valid machine type and serial number of the machine they have in their possession. Otherwise, you are not to disclose this information until Announcement.
• Please be careful, as usual, in your use of this information. Remember that you are under a Nondisclosure Agreement.
• This information is as up to date as possible, but could change before Announcement, including the announce date itself.
• The information provided in this package may change before the product is shipped and may contain errors.
• All dates specified are target dates, are provided for planning purposes only and are subject to change.
• All products, dates, and figures specified are preliminary based on current expectations, provided for planning purposes only, and are subject to change without notice.

• Intel and the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
• Lenovo and the Lenovo logo are trademarks or registered trademarks of Lenovo Corporation or its subsidiaries in the United States and other countries.
• *Other names and brands are the property of their respective owners.
• Copyright © 2019, Lenovo Corporation


Agenda
• Topic 1: Product Security Office Introduction and Training Objectives
• Topic 2: Frequently Asked Questions
• Topic 3: Recognizing a Potential Product Security Vulnerability
• Topic 4: Escalating a Potential Product Security Vulnerability



Product Security Office
Introduction and Training Objectives

Lenovo Product Security Incident Response Team

Mission Statement: “Improve customer trust and awareness in the security of Lenovo product offerings in order to gain and keep customers’ confidence in Lenovo as their solutions provider.”

PSIRT Program Manager (Beverly Miller)
• Daily Operations and Program Management
• Metrics Reporting
• Advisory Coordinator/Exec notifications
• Manage Tool requirements

Technical Project Manager (Blake Irwin)
• Triage & Assign cases
• Advisory draft & review of PR deliverables
• Communicate with customers & researchers
• Drive Lessons Learned, as needed

Security SMEs
• Vulnerability reproduction, as needed
• Penetration Testing, as needed
• Support brand development teams

Supporting Functions (Comms + Legal + Support)
• Advisory scheduling/review/approval
• Reactive statements (Internal + Media)
• Support for legal matters
• Provide direction to customer-facing support

Product Security Leaders (Business Units)
• Impact assessment for supported products
• Fix target plans for affected products
• Timely release of remediation
• Review advisories, as needed
Training Objectives
1. Enable Level 1 to respond to simple product security inquiries by providing answers to frequently asked questions
2. Assist Contact Centers in understanding what a potential security vulnerability sounds like by providing information on 6 common threat categories (STRIDE), a list of key words & phrases and some common scenarios
3. Provide a point of escalation for potential security vulnerabilities


Product Security Vulnerabilities
Frequently Asked Questions

Product Security Vulnerability FAQs
Q: Where can I get more information about known security vulnerabilities affecting Lenovo products?
• A: You can get more information about known vulnerabilities from Lenovo’s security advisory website: www.lenovo.com/product_security/advisories
Q: I heard about a vulnerability (security issue) and want to know if my product is affected.
• A: You can check our security advisory website to determine if the caller’s product is affected: www.lenovo.com/product_security/advisories. If it is not found there, the customer may send email directly to the product security team at psirt@lenovo.com.
Q: I am a security researcher. How do I report an issue?
• A: Researchers may send email directly to the product security team at psirt@lenovo.com.
Q: Does Lenovo have a bounty program? Does Lenovo pay for information about security vulnerabilities?
• A: Lenovo does not offer monetary compensation for information about potential security vulnerabilities. If the caller has information about a potential vulnerability, try to get them to provide their contact information and a brief description and then escalate to PSIRT@lenovo.com.
Q: Does Lenovo have a public PGP/GPG key?
• A: You can get our public key here: https://download.lenovo.com/lenovo/content/psirt/lenovo_psirt_key.asc
Q: What is Lenovo’s vulnerability disclosure policy?
• A: You can review Lenovo’s Vulnerability Disclosure Policy on our Security Vault website: https://www.lenovo.com/us/en/product-security/reporting-a-vulnerability
Q: What is ransomware and how do I protect against it?
• A: Ransomware is a type of malware that restricts access to the computer system it infects and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed. Ransomware may be automatically downloaded if you visit a malicious website or a website that has been hacked. To protect yourself, be sure you are regularly running the latest version of antivirus software.


Product Security Advisory Website www.lenovo.com/product_security/advisories



Product Security Vulnerabilities
Recognizing a Potential Product Security Vulnerability

“S.T.R.I.D.E.” Threat Categories
These 6 threat categories are representative of the types of issues handled by the Lenovo PSIRT:
1. Spoofing is illegally accessing and then using another user's authentication information, such as username and password.
2. Tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet.
3. Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise—for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Nonrepudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package.
4. Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers.
5. Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability.
6. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself. In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.
Key Words and Phrases
These are possible words and phrases customers may use when describing a security vulnerability.
Please consider these when assessing if a customer issue needs to be escalated to the PSIRT team.

• Primary Words and Phrases
• Attack
• Data Tampering
• Denial of Service
• Elevation of Privilege/Privilege Escalation
• Exploit
• Hack or Hacker
• Information Disclosure
• Repudiation
• Security issue/lapse/problem
• Security researcher
• Spoofing
• Vulnerability

• Secondary Words and Phrases (important when used with Primary words)
• Adware
• Authentication override
• BIOS modifications
• Bloatware
• Buffer overflow
• Bypass of secure boot
• Cache poisoning
• Compromise the system
• Cross-site scripting
• Data compromised
• DLL hook
• DLL injection
• Execution of arbitrary code
• IDA pro
• Malware
• Man in the middle attack
• Ollydbg
• OpenSSL vulnerability
• OWASP
• Preloaded software being flagged by AV (preloaded or downloaded from Lenovo)
• Privacy (collect my private data)
• Reverse engineer
• Ring 0
• Root store Certificate
• SANS
• Sent in the clear http (or clear text http)
• Social engineer/phishing
• Spyware
• subvert
• Trojan detected in code
• Unencrypted
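The escalation rule behind this word list (a primary term on its own justifies escalation, a secondary term is mainly a signal when it appears with a primary one, and Lenovo websites are out of PSIRT scope) can be written down as a first-pass triage check. The script below is an added example for this training deck, not Lenovo's own tooling; the keyword lists are taken from the slide, the decision labels, the `triage` function and the ticket texts are constructed for the example.

```python
"""Keyword-based first-pass triage of support tickets.

Added example for this training deck (not Lenovo's own tooling). It encodes
the deck's escalation rule: primary words and phrases on their own justify
escalation to the PSIRT; secondary words and phrases matter mainly when they
appear together with a primary one; reports about Lenovo websites are out of
PSIRT scope and go to IT support instead. Ticket texts at the bottom are
constructed samples.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Primary words and phrases from the deck (lower-cased).
PRIMARY = [
    "attack", "data tampering", "denial of service", "elevation of privilege",
    "privilege escalation", "exploit", "hack", "hacker", "information disclosure",
    "repudiation", "security issue", "security lapse", "security problem",
    "security researcher", "spoofing", "vulnerability",
]

# Secondary words and phrases from the deck, reduced to the stem a caller is
# likely to type (e.g. "bios modification" also catches "modifications").
SECONDARY = [
    "adware", "authentication override", "bios modification", "bloatware",
    "buffer overflow", "bypass of secure boot", "cache poisoning",
    "compromise the system", "cross-site scripting", "data compromised",
    "dll hook", "dll injection", "execution of arbitrary code", "ida pro",
    "malware", "man in the middle", "ollydbg", "openssl vulnerability", "owasp",
    "flagged by av", "collect my private data", "reverse engineer", "ring 0",
    "root store certificate", "sans", "sent in the clear", "clear text http",
    "social engineer", "phishing", "spyware", "subvert", "trojan", "unencrypted",
]

# Lenovo infrastructure is out of PSIRT scope (deck: "Out of Scope").
INFRASTRUCTURE = ["www.lenovo.com", "support.lenovo.com", "lenovo website"]

# Decision labels are constructed for this example.
ESCALATE = "escalate_psirt"       # email psirt@lenovo.com
REDIRECT = "redirect_itsupport"   # email ITSupport@lenovo.com, subject "Security Vulnerability"
HANDLE_L1 = "handle_l1"           # FAQs, Tips, advisory page


def find_phrases(text: str, phrases: List[str]) -> List[str]:
    """Return the phrases that occur in text, matched at a word start only.

    Left-boundary matching ("hack" also hits "hacked" and "hacker") deliberately
    favours recall: the deck says to treat every claim as credible, and a
    person reads the result before anything is escalated.
    """
    lower = text.lower()
    return [p for p in phrases
            if re.search(r"(?<![a-z0-9])" + re.escape(p), lower)]


@dataclass
class Triage:
    decision: str
    primary: List[str] = field(default_factory=list)
    secondary: List[str] = field(default_factory=list)
    note: str = ""


def triage(ticket: str) -> Triage:
    """Apply the deck's escalation rule to one ticket description."""
    primary = find_phrases(ticket, PRIMARY)
    secondary = find_phrases(ticket, SECONDARY)
    if find_phrases(ticket, INFRASTRUCTURE):
        return Triage(REDIRECT, primary, secondary,
                      "Lenovo infrastructure: direct to ITSupport@lenovo.com")
    if primary:
        return Triage(ESCALATE, primary, secondary,
                      "primary term present: collect contact details and a "
                      "brief description, then escalate")
    if secondary:
        return Triage(HANDLE_L1, primary, secondary,
                      "secondary term only: weak signal, ask follow-up "
                      "questions before deciding")
    return Triage(HANDLE_L1, primary, secondary,
                  "no security terms: refer to FAQs and advisory page")


# Constructed sample tickets (not real customer data).
SAMPLE_TICKETS = [
    "I am a security researcher and found a buffer overflow in the preloaded "
    "update tool; execution of arbitrary code is possible.",
    "My antivirus flagged a game I downloaded from Steam as malware.",
    "The login form on www.lenovo.com has a vulnerability, I can inject script.",
    "I forgot my BIOS password and cannot boot the laptop.",
]

if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        r = triage(t)
        print(f"{r.decision:18} primary={r.primary} secondary={r.secondary}")
```

The second sample ticket shows the "secondary only" case: "malware" is on the list, but the software is not preloaded, so the deck's Out of Scope slide applies and the agent handles it at Level 1. The infrastructure check runs first because a website report belongs to IT support regardless of the security terms it contains.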


Common Scenarios
Scenario A: “I heard about a security issue on the news. Am I affected?”
• You should check for Tips and/or refer to the Lenovo Security Advisories page (www.lenovo.com/product_security/advisories). If there is a published Security Advisory, refer the customer to it.
• You should escalate to the Lenovo PSIRT if there is not a published advisory.

Scenario B: “I am a security researcher (or White Hat researcher) and have found a vulnerability I want to report.”
• You should show interest and respect. Treat all claims as credible.
• Refer the researcher to the Lenovo PSIRT, provide our email address (psirt@lenovo.com) and let the researcher know he can obtain our public PGP key, which is located on our Vulnerability Disclosure Policy page @ https://www.lenovo.com/us/en/product-security/vulnerability-disclosure-policy, to encrypt the content of the email.

Scenario C: “I am a security researcher and would like to know if Lenovo will pay me for information about a vulnerability I discovered?”
• You should encourage the researcher to share his findings (refer to Scenario B).
• Currently, Lenovo does not pay researchers. Every case is unique and the Lenovo PSIRT would like the opportunity to talk with the researcher since there may be other ways to satisfy him.

Scenario D: “I ran an enterprise grade vulnerability scanner (Nessus and Qualys) and I have questions about the output or results.”
• You should help the customer as much as you can. If there are questions about the output that you are unable to answer, escalate to the Lenovo PSIRT.

Scenario E: “I installed a clean version of Windows (not preload) on my machine and still see pop-ups from Lenovo.”
• You should escalate to the Lenovo PSIRT.


Out of Scope
PSIRT scope does not include:
• My AV program found a virus on non-preloaded SW
• Stolen computer, tablet, phone
• Password issues
• Lenovo infrastructure
– www.lenovo.com
– Support.lenovo.com
– Other Lenovo websites
– Lenovo infrastructure security concerns should be directed to ITSupport@lenovo.com. Reference “Security Vulnerability” in the subject line.
Reporting a Product Security Vulnerability to the Lenovo PSIRT
Escalation Process


Escalation Process Flow
1. Caller has potential security concern or question.
2. L1 refers to Product Security FAQs, Tips, and Security Advisory webpage.
3. If unable to provide resolution to caller, L1 engages Lenovo PSIRT via email (psirt@lenovo.com).
4. Lenovo PSIRT will validate potential product security issue and assume ownership of issue if confirmed.


Q&A
