iViZ - Guest Webinar Series: Cyber Attacks on ERP Systems and SAP Security
Hosted by: Bikash Barai (CEO & Co-Founder, iViZ Security)
Guest speaker: Alexander Polyakov (CTO & Co-Founder, ERP Scan)
Webinar PPT on Cyber Attacks on ERP Systems and SAP Security

This Presentation explains about
1. High level statistics of vulnerabilities in ERP systems
2. ERP Trojans and overview of Shiz remote access trojan (RAT)
3. Overview on security strategies for ERP systems

Published in: Technology, Business

Speaker notes
  • SAP security. What goals do the attackers have most often? First of all, it's espionage, some kind of stealing information: stealing financial information, stealing corporate secrets, stealing supplier and customer lists, stealing HR data. Second, fraud: … And finally, sabotage: … It’s possible because the SAP system is the place where all data from other systems is stored and processed. That’s why it is possible to attack other systems after compromising SAP.
  • Let’s look at some interesting features. There are two server modes: Standalone – the server is started by a Java process and not by the Java Control Framework; Integrated – the server is started by the Java Control Framework, which means that it is started and stopped automatically with the J2EE Engine. The SDM Server accepts only one user at a time. If somebody has already connected to it, you will receive an error message. The SDM Server recognizes only one user, and this user is admin. Because SDM works with the Java stack, when we speak about users it is important to know what user management in Java is.
  • OK, let’s look at the SDM client. This is a Java application. The SDM Repository stores information about the registered Software Component Archives (SCAs) and Software Deployment Archives (SDAs). In terms of deployment, we can call those Software Deployment Units, but I will use the word “applications” for better understanding. So, it allows browsing all deployed applications by target system, checking configurations, etc. Regarding the Deployment and Undeployment tabs, these obviously allow deploying new applications and deleting old ones. It takes you through the individual steps, from selecting the application to actually deploying the software in the target directory. And the last one, Log Viewer, allows seeing some server logs. There are not many screenshots, but later I will show a video demonstration.
  • So, what is important to summarize? Let’s see what we have and what we can do. SAP widely uses Java services. Most of all, SAP web services are based on the Java application server. Login names and passwords are similar among these services. Anybody who has the password of this user can perform any activity in the SDM. It is not easy to trace which user has performed a particular activity. If your logon fails three times, the SDM Server stops automatically. You can then restart the SDM Server again. So everything mentioned above is very critical, and if an attacker manages to break into SDM, he has great opportunities for backdooring almost everything related to Java in the SAP infrastructure.
  • SDM is a thick client. What is the main difference between web and thick client applications? There are many tools for intercepting and modifying web traffic (like Burp, WebInspect, etc.) and so few for thick clients. So, we see how difficult it is to intercept thick client applications due to the complexity and nature of these applications. They often use custom protocols, do not have proxy settings, and are based on different technologies. Theoretically, we can decompile Java files, perform a source code review and then use this info, and also alter the code and re-compile the client for performing custom attacks. But often it is very hard to do, because re-compiling the code generates a lot of errors; plus, SAP uses their own version of Java, and of course there are many dependencies.
  • So, Java has always been used in enterprise applications. SAP supports Java too and has their own Java application server that includes SAP’s own Java Virtual Machine. Java 6 contains the Attach API feature that allows seamless, inter-process modification of a running JVM. The Attach API is an extension that provides a way for a Java process to “attach” to another JVM at runtime. This can be used to load Java agents onto remote virtual machines. Those agents can then redefine classes or retrieve information about the JVM to which they are attached. There is a free tool called JavaSnoop developed by Aspect Security; it allows doing some things that we need with a thick client Java application. It can use the Attach API and the Instrumentation class to jump into another JVM on the machine and install various “hooks” throughout class methods on that system. These hooks are then used by the agent to communicate with the GUI that allows “intercepting” function calls within the JVM. That’s how we can modify the input and output of Java functions.
  • OK. Let’s discuss some attacks on SDM. If an attacker uses an incorrect password 3 times, the SDM server will shut down automatically. Also, if you send this request, you can shut down the SDM server manually. That’s how you can DoS the SDM server very easily.
  • After observing the authentication scheme, it appears that SDM is sending to the server not the password but the hash of this password. So it is a vulnerability. SDM calculates the hash locally and sends it to the server for authentication. On the server this hash will be compared with the hash from the SDM config file, and if they are similar, access is granted. It is like storing a plain text password in a text config file and sending the plain text password from the client too. So we can just use a random password, intercept the call of the function which calculates the hash on the client and replace it with a known hash. And what? We do not even need the password!
  • There is a part of the client code creating the hashing string and sending it. This is the function call we will intercept.
  • After some experiments we found that SDM stores the user’s password hash in the config file sdmrepository.sdc. For an attacker, there are 2 ways to get this hash. According to our experience, admins do not carefully restrict access to the file system. Any operating system user who can access the installation directory of the central instance can potentially edit the config file. It is possible to replace this string with a known hash and you will know the password. A more interesting way: SAP is such a complex system that at any moment there are some vulnerabilities which allow reading system files. It could be injection of XML External Entities, Server Side Request Forgery, or even Verb Tampering.
  • But an easier way to compromise SAP SDM is also possible – it has a default password in some cases.
  • OK. Now we know how we can attack SAP SDM: …
  • How can we read the SDM config file? We can use one of the vulnerabilities which was described in one of our previous talks.
  • What is it? SAP Log Viewer is a service which allows an SAP administrator to collect SAP logs and trace files from different machines. It uses these ports: 26000, 1099, 5465. You can: view logs on the local server, view logs on a remote server, register a file as a log file. And what is important is that you can do all this without authentication.
  • So, the attack is pretty easy.
  • That’s how the config file in SAP Log Viewer looks.
  • OK. Now we have a hash of the password. We can use it for authentication on the SDM server. As I said before, we hooked the function call which calculates the hash, pasted the hash from the config file, and, profit, we have successfully logged into SDM.
  • When we got access to the SDM interface, it is possible to do everything available in Software Deployment Manager. Here you see information about repositories, about components and their settings.
  • Here is the wizard for choosing the file for deployment. Initially, it is allowed to deploy only applications from the specified server directory, inBox. But if we intercept the function call which is responsible for directory listing, we will bypass the directory restriction. It could help us to understand the folder structure on the server and plan further attacks. Another bug exists in the Log Viewer tab, where it is possible to choose a certain log file, so we can bypass the predefined list of logs and read any file on the server. But the most interesting thing is the deployment functionality.
  • Here you see undeploying features. If the attacker is familiar with SAP applications, he can undeploy some important applications. It could be considered a selective DoS, because users will not have the opportunity to do their job and some business processes will be stopped.
  • But the key feature is deploying applications. It is possible to place backdoors into already existing applications, and almost always it will be impossible to detect. For demonstration reasons, we just created a simple JSP shell, but in preferences we set up a URL which looks like a standard SAP application. So, it doesn’t look suspicious and it is difficult to detect too.
  • Look at these pictures. In the picture above is a standard SAP application with the specified URL. It is not deployed yet in this SAP system, but many administrators are familiar with this service. So if they start looking for suspicious files which could be shells, they will not pay attention to it. So we are deploying our evil code, in this case a simple JSP shell, which can execute many operating system commands.
  • So, we got access to Software Deployment Manager, we have a shell on the Java application server. So what? If we can execute operating system commands, we should collect information about infrastructure, environment, etc.
  • Another funny trick is searching for passwords in this database or other key words.

Slide text
    1. Cyber Attacks on ERP Systems and SAP Security
       Hosted by: Bikash Barai (CEO & Co-Founder, iViZ Security)
       Guest speaker: Alexander Polyakov (CTO & Co-Founder, ERP Scan)
    2. If I Want a Perfect Cyberweapon I'll Target ERP
       Alexander Polyakov, CTO, ERPScan
    3. Alexander Polyakov
       • CTO of the ERPScan company
       • EAS-SEC.org project leader
       • Business application security expert
       • R&D Professional of the year by Network Product Guide
       • Organizer of ZeroNights conference
       a.polyakov@erpscan.com, Twitter: @sh2kerr
    4. Intro
       • I hate “CYBER” talks and this buzz
       • I usually do more technical presentations
       • But if we talk about it, why do we skip this area?
       • I’m about Business Applications and ERP systems
    5. Agenda
       • Intro
       • Big companies and critical systems
       • What has happened
       • How easy is that
       • What can happen
       • Forensics
       • What we can do
       • Conclusions
    6. Big companies
       • Oil and Gas
       • Manufacturing
       • Logistics
       • Financials
       • Nuclear
       • Retail
       • Telecommunication
       • etc.
    7. What do they look like (diagram of connected systems): Portal, HR, Logistics, Warehouse, ERP, Billing, Suppliers, Customers, Banks, Insurance, Partners, Branches, BI, Industry, CRM, SRM
    8. Are business applications popular?
       SAP
       • More than 246000 customers worldwide
       • 86% of Forbes 500
       Oracle
       • 100% of Fortune 100
       Microsoft
       • More than 300,000 businesses worldwide choose Microsoft Dynamics ERP and CRM software
    9. What can happen
       • Espionage
         – Stealing financial information
         – Stealing corporate secrets
         – Stealing supplier and customer lists
         – Stealing HR data
       • Sabotage
         – Denial of service
         – Modification of financial reports
         – Access to technology network (SCADA) by trust relations
       • Fraud
         – False transactions
         – Modification of master data
    10. Autocad virus (Industrial espionage)
       • Autocad virus
       • Stealing critical documents
       • Sending them, potentially, to China
         – http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html
    11. PeopleSoft vulnerabilities (Sabotage)
       • Presented at BlackHat USA
       • Old and new issues
       • The old one was a buffer overflow in a login page
       • Over 500 systems can be found by Googling
       • New issues ranged from information disclosure to unauthorized system access
       • Potential to steal 20 million customers' data
    12. US Department of Energy Breach
       • Sabotage
       • Real example of stealing
       • 14000 records
       • Target: HR system (maybe PeopleSoft)
       • Unauthorized disclosure of federal employee Personally Identifiable Information
    13. Istanbul Provincial Administration
       • Unauthorized disclosure of federal employee Personally Identifiable Information
       • Erase people's debts
    14. Potential Anonymous attack
       Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”
       * This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
    15. Fraud
       • Invoice company for a greater number of hours than worked
       • Ghost employees of the vendor
       • Vendor employees billed at amounts higher than contract rate
       • Vendor employees billed at higher job classification than actual work performed (skilled vs. non-skilled labor rates)
       • Invoice company for incorrect equipment or materials charges
       • Vendor charges for equipment not needed or used for the job performed
       • Vendor charges for materials not used, or materials are for the personal benefit of a company employee
       • Vendor charges for equipment or material at higher prices than allowed by the contract
       • Invoice company incorrectly for other services
       • Vendor charges for services performed where work is not subject to audit clause
       • Vendor charges include material purchases from, or work performed by, related companies at inflated prices
       http://www.padgett-cpa.com/insights/articles/fraud-risks-oil-and-gas-industry
    16. Fraud
       • The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.
       • Real examples that we met:
         – Salary modification
         – Material management fraud
         – Mistaken transactions
    17. Fraud
       • PwC survey: 3000 organizations in 54 countries – 30% were victims of economic crime in the previous 12 months
       • Average loss per organization for fraud: $500k + collateral damage
       • Asset misappropriation – 83%
       • Accounting fraud – 33%
    18. Internet-trading virus (Fraud)
       – Ranbyus modification for QUIK
       – troyan-spy.win32.broker.j for QUIK (stealing keys)
       – http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
       – http://www.securitylab.ru/news/439695.php
    19. Project Mayhem (Fraud)
       • A hacker could manipulate financial data and change entries to move funds to an outside account:
         – alter the remittance address on vendor records
         – create a new vendor and manual check entry
         – change general ledger accounting records
         – increase customer credit limit
         – credit the balance in a customer account in order to get a refund
    20. Fraud in Oil and Gas
       FRAUD and other infractions in Nigeria’s critical oil and gas industry are enough to derail any stable economy, going by the report of the Petroleum Revenue Special Task Force by a former chairman of the Economic and Financial Crimes Commission (EFCC), Mallam Nuhu Ribadu.
    21. What can happen
    22. How to make it more “Cyber/Danger”
       • Breach + Worm
       • Multiple attacks of the same type
       • Against one country
    23. What can be next?
       • Just imagine what could be done by breaking:
         – One ERP system
         – All business applications of a company
         – All ERP systems in a particular country
    24. How Easy is That
    25. Ease of development
       • Price of vulnerability is low
       • Patching is a nightmare
       • Vaporization is easy
       • Interconnection is high
       • Availability via the Internet
    26. Price of vulnerability
       • Prices for typical vulnerabilities in Flash and browsers are going higher
       • Security of applications and OS is growing
       • It is much easier to find an architecture issue in ERP
       • 2000 vulnerabilities closed by SAP alone during 3 years
       • And this issue will work for years
    27. SAP Security notes by year (bar chart: number of SAP security notes per year, 2001 to 2013; vertical axis 0 to 900)
    28. Patching is a nightmare
       • You need to stop the business process
       • Sometimes you need to update multiple parts
       • Examples of huge architectural issues from:
         – Microsoft Dynamics
         – Oracle JDE
         – SAP SDM
    29. Microsoft Dynamics authentication
       • Dynamics security – only visual restrictions of the fat client
       • All users have rights to the companies’ databases
       • The only obstruction: impossible to connect to the SQL server directly
       • Reverse engineering to understand the password “encryption” algorithm
       • Create a tool
       • Every user can become Administrator
       • NO PATCH! Only a new architecture can help (but there is no such)
    30. Oracle JD Edwards authentication
       • All the security of JD Edwards relies on the visual restrictions of the fat client
       • In fact, all users have rights to the company's data because the client connects using the special account JDE
       • Then, depending on user and password, security is checked on the fat client
       • A user can connect directly to the database using the JDE account and modify his rights at the table level
       • Every user can become Administrator
       • NO PATCH! Only a move to 3-tier architecture
    31. SAP SDM authentication
       • Authentication is done by providing a hash of the password
       • It means that it is possible to do Pass-the-Hash
       • First of all, the hash can be simply sniffed, so it is like authenticating using a clear password
       • Secondly, hashes are stored in an OS file, so they can be accessed by using other vulnerabilities
       • After getting a hash it is possible to upload any backdoor into SAP
       • To patch it you need to modify client and server at the same time
       • Install SAP Note 1724516
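The slide's first two bullets (the hash can be sniffed; the hash is what the server stores) reduce to one property: whatever the client puts on the wire is itself a reusable credential. The toy model below, added here as an example and not SAP or ERPScan code, contrasts a hash-as-password login with a nonce-bound challenge-response and shows that a captured message replays against the first design but not the second. The hash function, message layout and class names are assumptions of the example, not SDM's real protocol.

```python
import hashlib
import hmac
import secrets

# Added example: two authentication designs, modelled abstractly (not SDM's protocol).


def password_hash(password: str) -> bytes:
    """Unsalted digest standing in for the verifier the server keeps in its config file."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class HashLoginServer:
    """Weak design: client sends H(password), server compares it with stored H(password).
    The bytes on the wire are the credential, so capturing them once is enough."""

    def __init__(self, stored_hash: bytes) -> None:
        self.stored_hash = stored_hash

    def login(self, presented_hash: bytes) -> bool:
        return hmac.compare_digest(presented_hash, self.stored_hash)


class ChallengeLoginServer:
    """Challenge-response: server issues a fresh single-use nonce and expects
    HMAC(verifier, nonce). A captured response is bound to a nonce that is consumed."""

    def __init__(self, stored_hash: bytes) -> None:
        self.stored_hash = stored_hash
        self.issued = set()  # nonces handed out and not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.issued.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.issued:
            return False  # unknown or already consumed challenge
        self.issued.discard(nonce)
        expected = hmac.new(self.stored_hash, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def client_answer(password: str, nonce: bytes) -> bytes:
    """What an honest client derives from the password it knows and the server's nonce."""
    return hmac.new(password_hash(password), nonce, hashlib.sha256).digest()


def replay_comparison(password: str = "correct horse") -> dict:
    """One legitimate login followed by a replay of the captured bytes, per design."""
    verifier = password_hash(password)

    weak = HashLoginServer(verifier)
    captured = password_hash(password)      # what an eavesdropper sees on the wire
    weak_first = weak.login(captured)
    weak_replay = weak.login(captured)      # same bytes succeed again; no password needed

    strong = ChallengeLoginServer(verifier)
    nonce = strong.challenge()
    captured_response = client_answer(password, nonce)
    strong_first = strong.login(nonce, captured_response)
    replay_same_nonce = strong.login(nonce, captured_response)         # nonce consumed
    replay_new_nonce = strong.login(strong.challenge(), captured_response)  # wrong nonce

    return {
        "weak_first": weak_first,
        "weak_replay": weak_replay,
        "strong_first": strong_first,
        "strong_replay": replay_same_nonce or replay_new_nonce,
    }


if __name__ == "__main__":
    print(replay_comparison())
```

Challenge-response fixes the sniffing bullet but not the storage bullet: the verifier on the server still authenticates whoever can read it, so the stored value and the client computation have to change together, which is the slide's point that client and server must be modified at the same time.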
    32. (image only)
    33. SAP LogViewer standalone (image only)
    34. Special payload is not needed
       • Remember Verb Tampering user creation
       • Just one request and you are inside the system
       • A second request and you are admin
       • Then you can do whatever you want with simple HTTP requests
       • If it is only a technical system, you can jump to a connected system
    35. Systems are highly connected
       • Systems are highly connected with each other by trust relationships
       • Even between companies they are connected by ESB systems
       • Remember also SSRF?
       • http://cwe.mitre.org/data/definitions/918.html
       • Second place in Top 10 web application techniques 2012
       • Allows bypassing firewall restrictions and directly connecting to protected systems via connected systems
    36. Business applications on the Internet
       • Companies have Portals, SRMs, CRMs remotely accessible
       • Companies connect different offices by ESB
       • SAP users are connected to SAP via SAPRouter
       • Administrators open management interfaces to the Internet for remote control
    37. Business applications on the Internet
       SAP HTTP services can be easily found on the Internet:
       • inurl:/irj/portal
       • inurl:/IciEventService sap
       • inurl:/IciEventService/IciEventConf
       • inurl:/wsnavigator/jsps/test.jsp
       • inurl:/irj/go/km/docs/
    38. Shodan scan (bar chart: growth by application server, vertical axis -80% to 120%)
       A total of 3741 servers with different SAP web applications were found
    39. SAP Router
       • Special application proxy
       • Transfers requests from the Internet to SAP (and not only)
       • Can work through VPN or SNC
       • Almost every company uses it for connecting to SAP to download updates
       • Usually listens on port 3299
       • Internet accessible (approximately 5000 IPs)
       • http://www.easymarketplace.de/saprouter.php
    40. SAP Router: known issues
       • Absence of ACL – 15%
         – Possible to proxy any request to any internal address
       • Information disclosure about internal systems – 19%
         – Denial of service by specifying many connections to any of the listed SAP servers
         – Proxy requests to the internal network if there is no ACL
       • Insecure configuration, authentication bypass – 5%
       • Heap corruption vulnerability – many!
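For the "absence of ACL" finding, the control on the SAP Router side is its route permission table (saprouttab). The checker below is an added example, not ERPScan's or SAP's code; it assumes the commonly documented saprouttab layout (one rule per line: action P, S or D, source host, destination host, destination service, optional password, with `*` as a wildcard and `#` starting a comment) and flags permit rules that let any client reach any internal address or any port. Both tables are constructed samples.

```python
from dataclasses import dataclass

# Added example: audit of a SAP Router route permission table (saprouttab).
# Assumed format (as commonly documented, not taken from the slides):
#   <action> <source-host> <dest-host> <dest-service> [password]
# action: P = permit, S = permit SAP protocol only, D = deny; '*' is a wildcard
# in any field; '#' starts a comment; rules are evaluated top to bottom.


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    service: str
    line_no: int


def parse_saprouttab(text: str) -> list:
    """Parse the table into Rule objects, rejecting malformed lines."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("P", "S", "D") or len(fields) < 4:
            raise ValueError(f"line {line_no}: unrecognised rule {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], fields[3], line_no))
    return rules


def audit_saprouttab(text: str) -> list:
    """Return a human-readable finding for every permit rule that is too broad."""
    findings = []
    for r in parse_saprouttab(text):
        if r.action == "D":
            continue
        where = f"line {r.line_no} ({r.action} {r.source} {r.dest} {r.service})"
        if r.source == "*" and r.dest == "*":
            findings.append(f"{where}: any client may be proxied to any internal host")
        elif r.dest == "*":
            findings.append(f"{where}: clients from {r.source} may reach any internal host")
        elif r.source == "*":
            findings.append(f"{where}: no source restriction on access to {r.dest}")
        if r.action == "P" and r.service == "*":
            findings.append(f"{where}: native permit to every port on the destination")
    return findings


# Constructed samples: a permit-everything table and a narrowed one.
WEAK_TABLE = """# proxies anything from anywhere to anywhere
P * * *
"""

HARDENED_TABLE = """# only the support network, only the dialog port, SAP protocol only
S 203.0.113.0/24 10.1.2.3 3200
S 203.0.113.0/24 10.1.2.4 3200
D * * *
"""

if __name__ == "__main__":
    for name, table in (("weak", WEAK_TABLE), ("hardened", HARDENED_TABLE)):
        print(name, audit_saprouttab(table) or "no findings")
```

The hardened table pairs with the slide's earlier point that the router is usually reached only for SAP GUI and update traffic: `S` rules restrict the router to the SAP protocol, the destination is a named host and port rather than a wildcard, and the closing `D * * *` makes the deny explicit.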
    41. Demo
    42. Port scan results
       • Are you sure that only the necessary SAP services are exposed to the Internet?
       • We were not
       • In 2011, we ran a global project to scan all of the Internet for SAP services
       • It is not completely finished yet, but we have the results for the top 1000 companies
       • We were shocked when we saw them first
    43. SecStore.properties (bar chart, vertical axis 0 to 35: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router)
       The listed services should not be accessible from the Internet
    44. Why?
       Why are there not many public examples of breaches if the situation is so bad?
    45. Examples
       • Fraud – very popular inside companies, but you see only some incidents
       • Sabotage – at this moment maybe easier to DDoS than DoS, but we will see
       • Espionage – this is what we don't see much of, because it is designed to be unseen. You never know about it, especially if you don’t enable logging
    46. SAP Security Forensics
       • There is not much info in public
       • Companies are not interested in publication of compromises
       • But the main problem is here:
         – How can you be sure that there was no compromise?
         – Only 10% of systems have the Security Audit Log enabled
         – Only a few of them analyze those logs
         – And much fewer do central storage and correlation
       * Based on the assessment of over 250 servers of companies that allowed us to share results.
    47. Percent of enabled log options
       • ICM log icm/HTTP/logging_0 – 70%
       • Security audit log in ABAP – 10%
       • Table access logging rec/client – 4%
       • Message Server log ms/audit – 2%
       • SAP Gateway access log – 2%
       * Based on the assessment of over 250 servers of companies that allowed us to share results.
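The percentages on this slide are shares of assessed systems with each log switched on. The check below is an added example, not the speaker's tooling; it parses an instance profile in the usual `parameter = value` form and reports which of the slide's logs are enabled. The parameter names icm/HTTP/logging_0, rec/client and ms/audit are from the slide; rsau/enable for the Security Audit Log and gw/logging for the gateway log are my assumptions of the corresponding profile parameters, and the profile fragment is constructed.

```python
# Added example: report which of the slide's logging options an instance profile enables.
# Profile syntax assumed: one 'parameter = value' per line, '#' starts a comment.
# icm/HTTP/logging_0, rec/client, ms/audit are named on the slide; rsau/enable and
# gw/logging are assumed names for the Security Audit Log and gateway log switches.


def parse_profile(text: str) -> dict:
    """Return the last value set for each parameter (later lines override earlier)."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")   # values may themselves contain '='
        params[key.strip()] = value.strip()
    return params


# Each entry maps a log from the slide to the condition under which it is on.
LOGGING_CHECKS = {
    "ICM HTTP log (icm/HTTP/logging_0)": lambda p: bool(p.get("icm/HTTP/logging_0")),
    "Security Audit Log (rsau/enable)": lambda p: p.get("rsau/enable", "0") == "1",
    "Table access logging (rec/client)": lambda p: p.get("rec/client", "OFF").upper() != "OFF",
    "Message Server log (ms/audit)": lambda p: p.get("ms/audit", "0") != "0",
    "Gateway log (gw/logging)": lambda p: "ACTION=" in p.get("gw/logging", "").upper(),
}


def logging_status(profile_text: str) -> dict:
    """Name -> True/False for every log in LOGGING_CHECKS."""
    params = parse_profile(profile_text)
    return {name: bool(check(params)) for name, check in LOGGING_CHECKS.items()}


def missing_logs(profile_text: str) -> list:
    """Logs a reviewer would raise as not enabled, in slide order."""
    return [name for name, enabled in logging_status(profile_text).items() if not enabled]


# Constructed profile fragment matching the slide's typical picture: only the ICM log on.
SAMPLE_PROFILE = """# constructed instance profile fragment
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log,MAXSIZEKB=10000
rsau/enable = 0
rec/client = OFF
"""

if __name__ == "__main__":
    for name, enabled in logging_status(SAMPLE_PROFILE).items():
        print(("on  " if enabled else "OFF ") + name)
```

Run against a real profile the same function gives the per-system view behind the slide's aggregate: a system that only returns the ICM log as enabled is exactly the 70%-but-not-10% case, with no audit trail for the ABAP stack, tables, message server or gateway.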
    48. Weapons
    49. Weapons
       • DoS for a bank
       • Fraud in oil, then manipulate prices and the economy
       • Multiple money transfer fraud
    50. SAP Worm (erpscan.com)
    51. EAS-SEC
       • EAS-SEC: a resource which combines
         – Guidelines for assessing enterprise application security
         – Guidelines for assessing custom code
         – Surveys about enterprise application security
    52. EAS-SEC Guidelines
       1. Lack of patch management
       2. Default passwords
       3. Unnecessary enabled functionality
       4. Remotely enabled administrative services
       5. Insecure configuration
       6. Unencrypted communications
       7. Internal access control and SoD
       8. Insecure trust relations
       9. Monitoring of security events
    53. Conclusion
       • Regular security assessments
       • Segregation of duties
       • Guides
       • Security assessments
       • Code review
       • Continuous monitoring of all areas
    54. Conclusion
       Issues are everywhere, but the risks and the price of mitigation are different
    55. Questions?
