Invest in security to secure investments
13 Real ways to destroy business by breaking company's SAP Applications and a guide to avoid them. Alexander Polyakov, CTO ERPScan, President EAS-SEC
SAP Security made easy. How to keep your SAP systems secure
About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 Awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquartered in Palo Alto (US) and Amsterdam (EU)
ERPScan and SAP
• Working together since 2007
“We would like to thank the world-class security experts of ERPScan for the highly qualified job performed to help us assess the security of our pre-release products.”
Senior Director, Head of Global Security Alliance Management, Product Security, Technology and Innovation Platform, SAP Labs, Palo Alto, USA
Client needs
• How to protect ourselves from fraud and cyber-attacks?
• How to automate security monitoring for big landscapes and get smart reports?
• How to prioritize updates?
• How to comply with regulations?
• How to identify and test the most critical vulnerabilities in SAP?
• How to address industry-specific solutions' security?
New threats
2007 – Architecture vulnerabilities in RFC protocol
2008 – Attacks via SAPGUI
2009 – SAP backdoors
2010 – Attacks via SAP WEB applications
2010 – Stuxnet for SAP
2011 – Architecture and program vulnerabilities in ABAP
2011 – Vulnerabilities in J2EE engine
2012 – Vulnerabilities in SAP solutions (SolMan, Portal, XI) and services (Dispatcher, Message Server)
2012 – Vulnerabilities in protocols (XML, DIAG)
2013 – SAP Forensics and Anti-forensics
2014 – SAP BusinessObjects, SAP HANA and other specific platforms
How to prevent?
[Chart: number of research talks about SAP security at technical conferences per year, 2006–2014 (y-axis 0–50)]
SAP vulnerabilities
• 3000+ vulnerabilities in all SAP products
• 2368 vulnerabilities were found in SAP NetWeaver ABAP-based systems
• 1050 vulnerabilities were found in basic components which are the same for every system
• About 350 vulnerabilities were found in ECC modules
• By November 2014 – 3200+ notes
Public vulnerabilities
[Chart: public SAP vulnerabilities per year, 2001–2014 (y-axis 0–900); bar labels read in year order]
2001: 1, 2002: 1, 2003: 13, 2004: 10, 2005: 10, 2006: 27, 2007: 14, 2008: 77, 2009: 130, 2010: 833, 2011: 731, 2012: 641, 2013: 363, 2014: 364
Incidents
Why should we care
• Espionage
  – Theft of financial information
  – Corporate trade secret theft
  – Theft of supplier and customer lists
  – Stealing HR data (employee data theft)
• Sabotage
  – Denial of service
  – Tampering with financial reports
  – Access to technology network (SCADA) by trust relations
• Fraud
  – False transactions
  – Modification of master data
Other risks
Risks: (S – sabotage, F – fraud, E – espionage)
• Manipulate data about quantity of material resources (S)
• Blocking of materials for posting (S)
• Changing the goods' price (F, S)
• Changing tolerance limits for operations (F, S)
• Money stealing (F)
• Changing credit limits
• Modification of price by changing conditions (F, S)
• Stealing credit card data (E)
• Modification of financial reports (S)
Problem
• SAP is owned and managed by business
• Businesses rarely care about security (only SOD)
• CISOs sometimes don't even know about SAP
• CISOs care about infrastructure security
• But if a breach happens it will be their responsibility
Our mission is to close this gap.
SAP Security
• Complexity. Complexity kills security: many different vulnerabilities at all levels, from network to application
• Customization. Cannot be installed out of the box; systems have many (up to 50%) custom codes and business logic
• Risky. Rarely updated because administrators are scared that systems can be broken during updates; also, it is downtime
• Unknown. SAP is mostly available inside the company (closed world); the research and pentest community is not familiar with it
http://erpscan.com/wp-content/uploads/pres/Forgotten%20World%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf
Myths
Myth 1: SAP applications are only available internally, which means there is no threat from the Internet
Myth 2: SAP security is a vendor's problem
Myth 3: SAP application internals are very specific and are not known to hackers
Myth 4: SAP security is all about SOD
3 areas of SAP Security
• Business logic security (SOD): prevents attacks or mistakes made by insiders
• Custom code security: prevents attacks or mistakes made by developers
• Application platform security: prevents unauthorized access both within the corporate network and from remote attackers
SAP Security
• Current security solutions like VA, SIEM, AST offer very little SAP coverage
• Solutions focused on SAP Security are more effective, but each covers only one of the listed fields and they are not “CISO-oriented”
• We see a solution:
  – Platform for everybody
  – Coverage of all aspects
  – Complementary to SAP offerings or extending them
ERPScan
The only award-winning solution in the market to assess 3 tiers of SAP Security
Architecture
[Architecture diagram] Java-based presentation layer with connectors to ERP, CRM, SRM, HANA, BOBJ and Mobile systems; three modules: Vulnerability Management, Source Code Security and SOD Control; users: SAP Admin, CISO, Risk Manager, ABAP Developer, Pentester, …; APIs integrate with SIEM, IT GRC, ITSM and ticketing systems.
In details
[Detailed architecture diagram; labels grouped approximately as laid out on the slide] Connectors: ABAP, JAVA, HANA, Business Objects (BOBJ), Oracle DB, SUP, SAP Router, SOAP, HTTP. Presentation level: security metrics, export, comparison, reports, statistics (trends), project management, risk management, control functions, task management, template management, landscape management, notification management. Vulnerability Management: pentest, patches, exploitation, vulnerabilities, backdoors, passwords, database, compliance (by system, by module, by industry). Source Code Security: ABAP, JAVA, whitebox. SoD: segregation of duties, role optimization, critical privileges.
How to automate security monitoring for big landscapes?
• Case: CISO of a large oil company
• Need: To automate monitoring and get high-level reports for 100+ systems
• Solution:
  – Configure weekly scans covering the most critical assets
  – Export results to IBM QRadar for correlation and a consolidated summary of relevant indicators at a glance
  – Configure PPTX presentations emailed with the ‘high-level overview’
How to prioritize updates?
• Case: BASIS team of every organization
• Need: To minimize downtime of systems during updates and prioritize updates
• Solution:
  – Scan for missing SAP security notes
  – Scan for remotely exploitable vulnerabilities (blackbox)
  – The system correlates this data, and you can filter results by 10+ different criteria to understand risk
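The correlation step above can be illustrated with a small ranking script. This is an added example, not ERPScan's code: it takes a constructed list of missing security notes (whitebox scan), a constructed set of findings that a blackbox scan confirmed as reachable from the network, and a constructed asset register, then scores each missing note so the BASIS team can patch the riskiest systems first and group notes per system into one maintenance window. The note IDs (NOTE-A … NOTE-D), system names, CVSS values and weighting factors are all placeholders chosen for the example.

```python
"""Rank missing SAP security notes by correlating three constructed inputs:
the whitebox list of missing notes, blackbox confirmation of remote
exploitability, and asset criticality. All data below is made up for the
example; NOTE-* IDs are placeholders, not real SAP note numbers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MissingNote:
    note_id: str      # placeholder ID
    system: str       # SAP system ID (constructed)
    cvss: float       # severity the note carries (constructed)
    component: str    # affected component (constructed)


# Constructed blackbox result: (system, note) pairs the network scan confirmed
# as exploitable without credentials.
BLACKBOX_CONFIRMED = {("PRD-ERP", "NOTE-A"), ("DEV-ERP", "NOTE-C")}

# Constructed asset register: business criticality 1..3 and Internet exposure.
ASSETS = {
    "PRD-ERP": {"criticality": 3, "internet_facing": True},
    "QAS-ERP": {"criticality": 2, "internet_facing": False},
    "DEV-ERP": {"criticality": 1, "internet_facing": False},
}

# Constructed whitebox result: notes missing per system.
MISSING_NOTES = [
    MissingNote("NOTE-A", "PRD-ERP", 9.8, "NetWeaver ABAP kernel"),
    MissingNote("NOTE-B", "PRD-ERP", 6.5, "SAP GUI"),
    MissingNote("NOTE-A", "QAS-ERP", 9.8, "NetWeaver ABAP kernel"),
    MissingNote("NOTE-C", "DEV-ERP", 7.5, "J2EE engine"),
    MissingNote("NOTE-D", "QAS-ERP", 4.3, "BusinessObjects"),
]


def risk_score(note, confirmed, assets):
    """Severity weighted by asset criticality, doubled when the blackbox scan
    proved remote exploitability and raised again for Internet-facing hosts.
    The multipliers are example weights, not a standard."""
    asset = assets[note.system]
    score = note.cvss * asset["criticality"]
    if (note.system, note.note_id) in confirmed:
        score *= 2.0
    if asset["internet_facing"]:
        score *= 1.5
    return score


def prioritize(missing, confirmed=BLACKBOX_CONFIRMED, assets=ASSETS, **filters):
    """Return (score, system, note_id) tuples, highest risk first.
    Keyword filters match MissingNote fields, e.g. system="QAS-ERP"."""
    rows = []
    for note in missing:
        if any(getattr(note, key) != value for key, value in filters.items()):
            continue
        rows.append((risk_score(note, confirmed, assets), note))
    rows.sort(key=lambda r: (-r[0], r[1].system, r[1].note_id))
    return [(score, note.system, note.note_id) for score, note in rows]


def patch_plan(ranked):
    """Group the ranked list by system so each system needs a single
    maintenance window; systems appear in order of their riskiest note."""
    plan = {}
    for _score, system, note_id in ranked:
        plan.setdefault(system, []).append(note_id)
    return plan


if __name__ == "__main__":
    ranked = prioritize(MISSING_NOTES)
    for score, system, note_id in ranked:
        print(f"{score:6.1f}  {system:8}  {note_id}")
    for system, notes in patch_plan(ranked).items():
        print(f"window for {system}: apply {', '.join(notes)}")
```

The same missing note (NOTE-A) lands at the top for the Internet-facing production system and well below it for the QAS system, which is the point of correlating scan output with asset context instead of patching by CVSS alone.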
How to comply with regulations
• Need: To comply with industry regulations and choose a step-by-step approach for better technical compliance
• Solution:
  – Scan to address PCI DSS, SOX or NERC CIP regulations
  – Step-by-step technical compliance approach: EAS-SEC, SAP Guidelines, ISACA, DSAG
  – Add industry-related checks and guidelines (Oil and Gas, Banking, Retail), make your own template
We have included templates for all of them
How to identify and test the most critical vulnerabilities in SAP?
• Case: Security consulting company
• Need: To provide SAP Security assessment and penetration testing services in minimum time
• Solution:
  – Vulnerability management module
  – Blackbox pentesting, exploits, business-focused payloads
Matching requirements of Enterprise customers
• Advanced user management
• Multiple scans' comparison and efficiency analysis
• Customizable templates and landscapes
• Ability to assign tasks to users
• Ability to manage risks
• Largest built-in knowledge base
Strength
• Only a 360-degree approach can help in maximizing security
• Specific checks for industry modules and solutions
• Fast release cycles to address client needs
• Combination of modules gives you more visibility: 1+1+1=4
Each SAP landscape is unique and we pay close attention to the requirements of our customers and prospects. The ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
About
USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
EU HQ: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
www.erpscan.com [email protected]