How to prevent SAP security incidents? - ERPScan (slide transcript)
Agenda
Introduction: Case for SAP Cybersecurity Framework
Current state
Stakeholders: CISO, CIO
• Enterprise Security: vulnerability management
• SAP Basis: patching SAP systems
• SAP Security: segregation of duties
• IT Operations: monitoring SAP systems
Problems: no effective oversight, no visibility, complexity, poor integration, issues slipped through the cracks
Future state
Stakeholders: CISO, CIO, CRO
• Enterprise Security: Vulnerability Management + Asset Management + Risk Management + Secure Development
• SAP Basis: Patching SAP systems + Incident Response + Mitigation + Improvements
• SAP Security: Segregation of Duties + Data Security + Secure Architecture + Secure
• IT Operations: Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage
History
Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks
Source: https://www.gartner.com/doc/2665515/
EAS-SEC
Process Description
Category: PREDICT
Process: Secure Development
Purpose: To ensure security during SAP systems development and acquisition
Outcomes:
• Security Requirements
• Development Standards and Processes
• Security Plans
Implementation tiers:
1. Develop basic security requirements for configuration of servers, networks, SAP applications and client stations
2. Create secure development standards and processes
3. Automate secure development processes
Implementation Tiers
Tier 1: 50%, 3-6 months
Tier 2: 80%, 6-12 months
Tier 3: 99%, 12 months
PREVENT: Reduce the surface area of attack
Prevent SAP Security Incidents
• Access Control: To limit user privileges and prevent unauthorized use of SAP systems
• Awareness and Training: To ensure personnel and contractors have the necessary cybersecurity knowledge to perform their duties and responsibilities
• Data Security: To enforce confidentiality, integrity and availability requirements on the data layer
• Secure Architecture: To ensure security throughout all SAP components, connections, infrastructure facilities and enterprise security controls
Access Control
Purpose: To limit user privileges and prevent unauthorized use of SAP systems
Outcomes:
• Access Rules
• Access Mechanisms
• Access Control Reports
Implementation:
1. Secure the network, servers and endpoint devices
2. Implement role-based access control to SAP functionality
3. Enforce Segregation of Duties controls according to business process rules
Access Control. How to Create a User?
Ways to create a user in an SAP system:
1. Transaction SU01
2. Database table USR02
3. RFC function BAPI_USER_CREATE
4. Web exploit using the InvokerServlet feature and the CTC servlet
Number of objects:
1. More than 300,000 transactions
2. More than 500,000 tables
3. More than 40,000 RFC functions
4. 500 known web exploits
Common SoD issues. How to analyze SoD rules without interviews?
1. Authorization objects with * field values (e.g. S_TABU_DIS)
2. Distribution of users by roles
3. Profiling of user access (transaction traces)
[Chart: % of users with given roles. Labelled values: 37% and 31%. Roles shown: SAP_RCF_INTERNAL_CANDIDATE, ZRCFUIX_WEB_SERVICES_INT_CND, IDESUS_HR_ESS_MENU, VS::FI_DISPLAY_LINE_ITEMS, VS::OM_DISPLAY, SAP_DAL_ADMIN, SAP_LO_EMPLOYEE, VS_MM_IM_DISPLAY, IDES_XRPM_ADMINISTRATOR, VS_FI_GE_GLDISPLAY, /0CUST/WELCOME_NWBC30, SAP_RCF_MANAGER, VS_HR_PA20_REPORTS, ZIDES_PLMWUI_DISCRETE_MENU, VS::SD_SALES_DISPLAY]
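The three interview-free SoD checks above can be run over role exports directly. This added example (not ERPScan's code) screens constructed rows shaped like the role authorization table AGR_1251 and the user assignment table AGR_USERS for wildcard field values, computes the distribution of users by roles behind the chart, and then shows why a `*` in S_TCODE defeats any SoD rule; the role names, user names and the FK01/F-53 conflict pair are assumptions made for illustration.

```python
"""Screen SAP role exports for wildcard (*) authorization values, user-by-role
distribution and SoD conflicts. Added example with constructed sample data."""
from collections import Counter, defaultdict

# Constructed rows in the shape of table AGR_1251 (role, object, field, value).
AGR_1251 = [
    ("Z_FI_DISPLAY", "S_TABU_DIS", "DICBERCLS", "FC31"),
    ("Z_FI_DISPLAY", "S_TABU_DIS", "ACTVT", "03"),
    ("Z_BASIS_ALL", "S_TABU_DIS", "DICBERCLS", "*"),   # '*' = every table group
    ("Z_BASIS_ALL", "S_TABU_DIS", "ACTVT", "*"),       # '*' = every activity
    ("Z_BASIS_ALL", "S_TCODE", "TCD", "*"),            # '*' = every transaction
    ("Z_HR_ESS", "S_TCODE", "TCD", "PA20"),
    ("Z_AP_CLERK", "S_TCODE", "TCD", "FK01"),
    ("Z_AP_PAY", "S_TCODE", "TCD", "F-53"),
]
# Constructed rows in the shape of table AGR_USERS (role, user).
AGR_USERS = [
    ("Z_FI_DISPLAY", "ALICE"), ("Z_FI_DISPLAY", "BOB"), ("Z_FI_DISPLAY", "CAROL"),
    ("Z_BASIS_ALL", "ALICE"), ("Z_BASIS_ALL", "DAVE"), ("Z_HR_ESS", "BOB"),
    ("Z_AP_CLERK", "CAROL"), ("Z_AP_PAY", "CAROL"),
]
# Constructed SoD rule: one person must not both create vendors and post payments.
SOD_RULES = [("FK01", "F-53")]

def wildcard_findings(auth_rows, objects=("S_TABU_DIS",)):
    """(role, object, field) triples where a watched object is granted with '*'."""
    return sorted({(r, o, f) for r, o, f, v in auth_rows if o in objects and v == "*"})

def role_distribution(user_rows):
    """Percent of distinct users holding each role (the slide's bar chart as numbers)."""
    users = {u for _, u in user_rows}
    return {r: round(100 * n / len(users), 1) for r, n in Counter(r for r, _ in user_rows).items()}

def user_tcodes(auth_rows, user_rows, user):
    """Transaction codes reachable through the user's roles; '*' means all of them."""
    roles = {r for r, u in user_rows if u == user}
    return {v for r, o, f, v in auth_rows if r in roles and o == "S_TCODE" and f == "TCD"}

def sod_conflicts(auth_rows, user_rows, rules):
    """Map user -> list of rule pairs both sides of which the user can execute."""
    hits = defaultdict(list)
    for user in sorted({u for _, u in user_rows}):
        held = user_tcodes(auth_rows, user_rows, user)
        can = lambda t: t in held or "*" in held   # a wildcard satisfies every rule
        hits[user].extend((a, b) for a, b in rules if can(a) and can(b))
    return {u: v for u, v in hits.items() if v}

if __name__ == "__main__":
    print(wildcard_findings(AGR_1251, ("S_TABU_DIS", "S_TCODE")))
    print(role_distribution(AGR_USERS))
    print(sod_conflicts(AGR_1251, AGR_USERS, SOD_RULES))
```

Note that ALICE and DAVE are flagged for the FK01/F-53 pair without holding either transaction explicitly: the wildcard in Z_BASIS_ALL is what the first check is meant to surface.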
Awareness and Training
Purpose: To ensure personnel and contractors have the necessary cybersecurity knowledge to perform their duties and responsibilities
Outcomes:
• Training Materials
• Training Records
• Knowledge Assessment Reports
Implementation:
1. Enlist commitment of Board and C-level executives
2. Provide SAP security training for BASIS and security teams
3. Provide awareness training to SAP users
Board Commitment
Dissatisfaction + Vision + First Steps > Resistance to Change
• SAP security project news
• SAP security articles
• Board interviews
• Establish security team activities
• Hire staff
• Purchase tools
• Provide trainings
• Conduct audits and assessments
Top SAP Security Websites
• darkreading.com
• sapsecuritypages.com
• websmp108.sap-ag.de/public/security
• erpscan.com/press-center/blog/what-is-sap-security-2/
• cert-devoteam.fr/publications/en/category/securite-sap-en/
• resources.infosecinstitute.com/sap-security-for-beginners-part-4-sap-risks-espionage/
• udemy.com/sap-cyber-security-training/
• SAP Security and Risk Management, 2nd Edition, by Mario Linkies and Horst Karin
SAP Security for Users
Consequences:
• blocked data (ransomware)
• compromised reports
• spread of infection
Attack Vectors
Data Security
Purpose: To enforce confidentiality, integrity and availability requirements on the data layer
Outcomes:
• Data Inventory
• Data Flows
• Data Security Reports
Implementation:
1. Classify data assets according to their value to the organization
2. Protect data-in-transit using SNC and SSL/TLS
3. Protect data-at-rest by encryption, secure storage location and tokenization
Data Security. Data Inventory
Information Asset | Data Asset | Type | Location | Protection Requirements | Current Level of Protection: At Rest | Current Level of Protection: In Transit
Payment Cards Details | Payments Table | Oracle DB Table | DataSource=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MyHost)(PORT=MyPort))(CONNECT_DATA=(SERVICE_NAME=MyOracleSID))); | GDPR, PCI DSS | - |
Payment Cards Details | Payments Transaction | SAP Transaction | TR12 | GDPR, PCI DSS | SAP Authorizations | Could be exported to NAS
Payment Reports | Reports | .XLSX electronic sheets, files on NAS | nas:\\finance\reports | PCI DSS | Stored on NAS, protected by AD policies | -
GDPR Security Tasks
• Identify data items
• Find users having access to personal data
• Evaluate security controls
• Assess risks to data subjects
• Restrict access to personal data
• Implement and describe security controls to demonstrate compliance
• Manage personal data lifecycle
• Monitor personal data access
• Detect SAP security threats
• Implement SAP incident response capabilities
GDPR Explained: What are the security requirements? Source: erpscan.com/press-center/blog/gdpr-explained-security-requirements/
SAP HANA Encryption
Secure Architecture
Purpose: To ensure security throughout all SAP components, connections, infrastructure facilities and enterprise security controls
Outcomes:
• SAP Security Architecture
• SAP Security Controls
• SAP Technical Solutions
Implementation:
1. Protect SAP perimeter
2. Secure SAP communications
3. Integrate SAP security and enterprise security
Secure Architecture. System Schema
Secure Communications
Secure Architecture
Further Actions. How to use the SAP Cybersecurity Framework?
How secure are we? Do we meet GDPR requirements? Carry out an SAP security audit!
For Industry
How to get budget and implement security processes? Assess your SAP security capabilities and make a business case for an SAP security initiative!
How to ensure business systems follow business rules? Profile and enhance SoD rules!
For Consulting
1. Include SAP systems in the scope of your existing services:
• GDPR audit
• ISMS implementation for SAP systems in scope
• Threat detection and SAP – SIEM integration
2. Prove your selling proposition is unique with the ROI of SAP security
3. Create a 360-degree image of an SAP security provider
Professional Services. Predict SAP data breach
SAP Penetration Testing
SAP Security Audit
SAP Vulnerability Management as a Service
Thank you
Join our group: linkedin.com/groups/13543110
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletter: eepurl.com/bef7h1
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255
EU: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892
Parmesh Pillai, Senior Manager at Commercial [email protected]
Michael Rakutko, Head of Professional [email protected]