Attacks based on security
configurations
March 18th, 2014
BIZEC Workshop
Juan Perez-Etchegoyen
jppereze@onapsis.com
SAP Security 2014 – Protecting Your SAP Systems
Against Hackers And Industrial Espionage
2www.onapsis.com – © 2014 Onapsis, Inc. – All rights reserved
Disclaimer
This publication is copyright 2014 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions,
Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are
trademarks or registered trademarks of Business Objects in the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content,
and SAP Group shall not be liable for errors or omissions with respect to the materials.
Agenda
 Introduction
 Configurations
 Attacks
 Recommendations
 Conclusions
Who is Onapsis Inc.?
 Company focused on protecting ERP systems from cyber-attacks
(SAP®, Siebel®, Oracle® E-Business Suite™, PeopleSoft®, JD Edwards® …).
 Working with Global Fortune-100 and large governmental organizations.
 What does Onapsis do?
 Innovative ERP security software (Onapsis X1, Onapsis IPS, Onapsis Bizploit).
 ERP security professional services.
 Training on ERP security.
Who are we?
 Juan Perez-Etchegoyen (JP), CTO at Onapsis.
 Discovered several vulnerabilities in SAP and Oracle ERPs.
 Speakers and trainers at major security conferences.
Introduction
A Cyber-criminal & SAP systems
● An attacker who targets an SAP system is most likely after one of three outcomes:
ESPIONAGE: obtain customer, vendor and human-resources data, financial planning
information, balances, profits, sales information, manufacturing recipes, etc.
SABOTAGE: paralyze the organization's operations by shutting down the SAP system,
disrupting interfaces with other systems, deleting critical information, etc.
FRAUD: modify financial information, tamper with sales and purchase orders, create
new vendors, modify vendor bank account numbers, etc.
What is his goal?
The SAP production system, which runs the core business processes: sales,
production, financial planning, invoicing, procurement, treasury, logistics,
payroll, billing and human resources.
Where an attacker would probably hit…
• SAP systems are built upon several layers: the base infrastructure (operating
system and database) underneath, and the SAP solution on top of it, made of the
SAP Application Layer and the SAP Business Logic.
• Segregation of Duties (SoD) controls apply at the Business Logic layer only.
• The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP
solutions, serving as the base technological framework.
Successful attacks on the Application Layer result in a complete compromise of the
SAP system (SAP_ALL or equivalent), usually without even requiring a username or
password, and they bypass every SoD control defined above it.
Configurations and SAP systems
The NetWeaver framework can be tuned…
SAP systems can be configured through different mechanisms:
• Customizing (IMG)
• UME settings (Java stack only)
• ACL settings: reginfo, secinfo, Web Dispatcher, Management Console, Message
Server, ICM ACL, SAP GUI ACL
• Profile parameters
• Transport profile
• User parameters
• RFC destinations
• …
Profile parameters
• Conceptually, each parameter is a key-value pair.
• Depending on the kernel version, there are close to 1500 parameters.
• Around 10% of them are security-relevant.
• Parameters are configured within profiles:
• Default (DEFAULT.PFL)
• Instance
• Start*
• Dynamic parameters can be changed at runtime (e.g. via transaction RZ11) without a
system restart; non-dynamic parameters only take effect after the instance restarts.
• Some examples:
• rdisp/wp_no_dia = 10 (non-dynamic, not security-relevant)
• rsau/enable = 1 (non-dynamic, security-relevant)
• login/min_password_lng = 8 (non-dynamic, security-relevant)
• login/password_downwards_compatibility = 1 (dynamic, security-relevant)
Challenges
• Each profile parameter seems to define a simple concept, but
• it can be challenging to understand;
• many times little documentation is available.
• In some situations:
• parameters are related, so the resulting behavior depends on many values;
• parameters take precedence over one another;
• profiles take precedence over one another: kernel default < DEFAULT.PFL <
instance profile < dynamic configuration, the rightmost definition winning;
• parameter values can differ from application server to application server;
• a parameter's effect depends on the contents of files or tables (e.g. ACL files);
• parameters are created and removed across kernel versions;
• default values are not always obvious, and they also change across kernel versions.
Attack scenarios
Attack #1 – Emergency mechanism
SAP ships an emergency mechanism for logging on to a system whose SAP* user has been lost:
• It is controlled by the profile parameter login/no_automatic_user_sapstar
(value 0 = mechanism active, value 1 = mechanism disabled).
• It only kicks in for a client in which no SAP* user master record exists in the database.
• The resulting session has full authorizations.
• It accepts the hard-coded default credentials SAP*:PASS.
• It is a per-client issue: it may affect a single client (e.g. one where SAP* was deleted).
• It is a per-application-server issue: the parameter is evaluated on the instance the
user connects to, so it may affect a single application server whose instance profile
deviates from the rest.
Whether the logon succeeds therefore depends on the combination of one profile
parameter and one user master record, and that combination has to be checked for
every client on every instance.
Impact: full SAP system compromise.
Demo
Attack #1 – which (client, instance) pairs are exposed?
In the example landscape the parameter is set per instance profile and the SAP*
record exists per client. A logon as SAP*/PASS succeeds only where the client has no
SAP* record AND the instance the user connects to runs with
login/no_automatic_user_sapstar = 0.

                                 Server 1    Server 2    Server 3    Server 4
                                 (Central    (Dialog     (Dialog     (Dialog
                                 Instance)   Instance)   Instance)   Instance)
login/no_automatic_user_sapstar  1           1           0           1

Client  SAP* record in DB   Server 1   Server 2   Server 3   Server 4
000     Yes                 No         No         No         No
001     Yes                 No         No         No         No
066     Yes                 No         No         No         No
200     Yes                 No         No         No         No
230     No                  No         No         Yes        No
300     Yes                 No         No         No         No

Only client 230 on Server 3 is exposed: one deleted user record combined with one
deviating instance profile is enough to open the whole system.

Protection / Countermeasure
 Do not delete the user SAP* from any client.
 Secure the user SAP* in all clients of the SAP system (including the standard
clients 000, 001 and 066): it should exist, have a strong password and be locked.
 Configure login/no_automatic_user_sapstar = 1 on every instance.
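To make the precedence rules from the Challenges slide and the exposure matrix above concrete, here is an added example written for this page (not Onapsis code and not a tool from the talk). It resolves login/no_automatic_user_sapstar per instance from a constructed DEFAULT.PFL and constructed instance profiles, applying kernel default < DEFAULT.PFL < instance profile < dynamic change, and recomputes which (client, instance) pairs would accept SAP*/PASS. The kernel defaults, host names, profile contents and the list of clients are assumptions.

```python
"""
Added example: resolve effective SAP profile parameter values per application
server (kernel default < DEFAULT.PFL < instance profile < dynamic change) and
derive the SAP* emergency-logon exposure matrix from Attack #1.
All profile contents, server names and kernel defaults are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Assumed kernel defaults for the few parameters used here. Real defaults
# differ between kernel releases; check RZ11 on your own system.
KERNEL_DEFAULTS: Dict[str, str] = {
    "login/no_automatic_user_sapstar": "0",
    "login/min_password_lng": "6",
    "rsau/enable": "0",
}


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an SAP profile. '#' starts a comment and a
    later occurrence of a name overrides an earlier one (top-down read)."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def effective_value(name: str, default_pfl: Dict[str, str],
                    instance_pfl: Dict[str, str],
                    dynamic: Optional[Dict[str, str]] = None) -> Optional[str]:
    """The highest-precedence layer that defines the parameter wins. 'dynamic'
    holds runtime changes (RZ11); only dynamically switchable parameters
    can legitimately appear there."""
    for layer in (dynamic or {}, instance_pfl, default_pfl, KERNEL_DEFAULTS):
        if name in layer:
            return layer[name]
    return None  # parameter unknown to this (constructed) kernel


def sapstar_emergency_logon_possible(no_auto_sapstar: Optional[str],
                                     sapstar_record_exists: bool) -> bool:
    """SAP*/PASS with full authorizations works only when the client has NO
    SAP* user master record AND the instance runs with
    login/no_automatic_user_sapstar = 0."""
    return (not sapstar_record_exists
            and no_auto_sapstar is not None and no_auto_sapstar.strip() == "0")


def exposure_matrix(default_pfl_text: str, instance_profiles: Dict[str, str],
                    clients: Dict[str, bool],
                    dynamic: Optional[Dict[str, Dict[str, str]]] = None
                    ) -> Dict[Tuple[str, str], bool]:
    """Map (client, server) -> True where the emergency logon would succeed."""
    default_pfl = parse_profile(default_pfl_text)
    dynamic = dynamic or {}
    matrix: Dict[Tuple[str, str], bool] = {}
    for server, text in instance_profiles.items():
        value = effective_value("login/no_automatic_user_sapstar", default_pfl,
                                parse_profile(text), dynamic.get(server))
        for client, exists in clients.items():
            matrix[(client, server)] = sapstar_emergency_logon_possible(value, exists)
    return matrix


def exposed_pairs(matrix: Dict[Tuple[str, str], bool]) -> List[Tuple[str, str]]:
    return sorted(pair for pair, exposed in matrix.items() if exposed)


# --- constructed landscape mirroring the slide: 1 central + 3 dialog instances
DEFAULT_PFL = """
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 1   # secure value for all instances
login/min_password_lng = 8
"""
INSTANCE_PROFILES = {
    "Server 1": "SAPSYSTEM = 00\nrdisp/wp_no_dia = 10\n",
    "Server 2": "SAPSYSTEM = 01\n",
    # a single deviating instance profile re-enables the emergency mechanism
    "Server 3": "SAPSYSTEM = 02\nlogin/no_automatic_user_sapstar = 0\n",
    "Server 4": "SAPSYSTEM = 03\n",
}
# True = SAP* user master record exists in that client (constructed)
CLIENTS = {"000": True, "001": True, "066": True,
           "200": True, "230": False, "300": True}

if __name__ == "__main__":
    for client, server in exposed_pairs(exposure_matrix(DEFAULT_PFL, INSTANCE_PROFILES, CLIENTS)):
        print(f"EXPOSED: client {client} on {server} accepts SAP*/PASS")
```

Run against a real landscape by feeding it the DEFAULT.PFL and every instance profile (the RZ10 copies, not only the file on one host) together with a per-client check of table USR02 for SAP*; the point of the matrix is that a single deviating instance is enough, so every instance has to be in the input.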
Attack #2 – Load balancing
Load balancing on SAP systems relies on application servers registering with the
Message Server. Which hosts may register is restricted by:
• the profile parameter ms/acl_info, which points to the ACL file, and
• the contents of that ms_acl_info file.
Whether a new "application server" is accepted depends mainly on the contents of
that ACL file. If registration is not restricted, an attacker can register a rogue
application server that then takes part in the load balancing of the system.
Impact: full SAP system compromise.
Demo
Protection / Countermeasure
 Create and maintain the ACL file referenced by ms/acl_info to restrict which SAP
application servers are allowed to register with the Message Server.
Attack #3 – Password policies
Whether a user can still log on after the password policy has been tightened (so
that existing passwords no longer comply with it) depends on:
• the type of connection (DIAG, i.e. SAP GUI, or RFC),
• the user type (dialog, service, system, communication, …),
• the profile parameter rfc/reject_expired_passwd, and
• the profile parameter login/password_compliance_to_current_policy.
The logon outcome is thus decided by two profile parameters, the user type and the
protocol.
Impact: passwords that violate the current policy stay usable on some paths, which
preserves the effectiveness of brute-force attacks against them.
Attack #3 – logon outcome with a password that no longer complies with the policy (1/2)
Legend: Yes = logon succeeds; Pwd Chg = logon succeeds but the user is forced to
change the password; No = logon rejected. System and communication users cannot use
SAP GUI at all, hence "No" in every GUI row for those two types.

#  Connection  rfc/reject_expired_passwd  login/password_compliance_to_current_policy  Dialog   Service  System  Communication
1  GUI         0                          0                                            Yes      Yes      No      No
2  RFC         0                          0                                            Yes      Yes      Yes     Yes
3  GUI         1                          0                                            Yes      Yes      No      No
4  RFC         1                          0                                            Yes      Yes      Yes     Yes
Attack #3 – logon outcome with a password that no longer complies with the policy (2/2)
(Yes = logon succeeds; Pwd Chg = logon succeeds but the password must be changed;
No = logon rejected.)

#  Connection  rfc/reject_expired_passwd  login/password_compliance_to_current_policy  Dialog   Service  System  Communication
5  GUI         1                          1                                            Pwd Chg  Yes      No      No
6  RFC         1                          1                                            No       Yes      Yes     No
7  GUI         0                          1                                            Pwd Chg  Yes      No      No
8  RFC         0                          1                                            Yes      Yes      Yes     Yes

Reading the table: only rfc/reject_expired_passwd = 1 together with
login/password_compliance_to_current_policy = 1 (rows 5 and 6) stops a
non-compliant password from being used by dialog and communication users over RFC
and forces dialog users to change it in SAP GUI; in every other combination the
tightened policy is not enforced on at least one path.

Protection / Countermeasure
 Secure both profile parameters according to business requirements without
disrupting any pre-established interface (an RFC interface that still uses a
non-compliant password stops working the moment enforcement is switched on).
Attack #4 – Interfaces
Whether a program can register an RFC server at the SAP Gateway, start an external
program through it, or connect to a registered server depends on:
• the profile parameters gw/reg_info, gw/sec_info, gw/acl_mode, gw/sim_mode,
gw/reg_no_conn_info, …
• the contents of the reginfo and secinfo files.
The registration of an interface succeeds or fails based on several profile
parameters and the corresponding ACL file.
Impact: potential full SAP system compromise.
Attack #4 – simplified view of the gateway ACL configuration options

ACL file (reginfo/secinfo)   gw/acl_mode   start/register
File exists and is empty     0 or 1        No servers allowed
File does not exist          0             Unrestricted
File does not exist          1             Only local and internal hosts
File properly defined        0 or 1        Only servers defined in the ACL

If gw/sim_mode is enabled (1), the implicit final rule turns from deny into permit:
unless an explicit deny line in the ACL matches, everything is accepted. Simulation
mode exists to test an ACL; a system left in it is effectively unprotected.
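As an added example covering both the Message Server ACL of Attack #2 and the gateway table above (code written for this page, not from the original deck or from SAP), the following script models reginfo/secinfo evaluation under gw/acl_mode and gw/sim_mode, models ms_acl_info evaluation, and then checks whether the evil-twin host could register under the legitimate program ID or as a rogue application server. The reginfo syntax modelled is the VERSION=2 "P|D TP=<prog> HOST=<h1,h2,...>" line form; the "HOST=<pattern>" line form of ms_acl_info, the unrestricted behaviour when that ACL is absent, and all hosts and program IDs are assumptions.

```python
"""
Added example: evaluate SAP Gateway registration rules (reginfo, gw/acl_mode,
gw/sim_mode) and Message Server registration rules (ms_acl_info) following
the simplified semantics on the slides. ACL contents, program IDs and hosts
are constructed.
"""
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str, List[str]]  # (action 'P'/'D', TP pattern, HOST patterns)


def _wild(pattern: str, value: str) -> bool:
    """SAP ACL wildcard: '*' matches any run of characters. Matching is done
    case-insensitively here (host names); program IDs are treated the same
    way for simplicity."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def parse_acl(text: str) -> List[Rule]:
    """Parse reginfo/secinfo VERSION=2 lines. Comments and the #VERSION header
    are skipped; rule order is kept because the first matching rule wins."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        action = tokens[0].upper()
        if action not in ("P", "D"):
            continue  # old VERSION=1 syntax is not modelled here
        fields = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        rules.append((action, fields.get("TP", "*"), fields.get("HOST", "*").split(",")))
    return rules


class GatewayAcl:
    """reginfo=None models a file that does not exist; '' an existing empty file."""

    def __init__(self, reginfo: Optional[str], acl_mode: int, sim_mode: int = 0) -> None:
        self.sim_mode = sim_mode
        self.rules: List[Rule]
        if reginfo is None:
            if acl_mode == 0:
                self.rules = [("P", "*", ["*"])]                  # unrestricted
            else:
                self.rules = [("P", "*", ["local", "internal"])]  # kernel default
        else:
            self.rules = parse_acl(reginfo)  # empty file -> no rule -> nobody

    def may_register(self, tp: str, host: str,
                     local: bool = False, internal: bool = False) -> bool:
        for action, tp_pat, host_pats in self.rules:
            if not _wild(tp_pat, tp):
                continue
            for hp in host_pats:
                if ((hp == "local" and local) or (hp == "internal" and internal)
                        or (hp not in ("local", "internal") and _wild(hp, host))):
                    return action == "P"  # first matching rule decides
        # No rule matched: implicit deny, unless simulation mode turns the
        # implicit final rule into a permit (the slide's "everything accepted").
        return self.sim_mode == 1


class MessageServerAcl:
    """ms/acl_info unset or file missing (None) is modelled as unrestricted;
    otherwise only hosts matching a HOST=<pattern> line may register."""

    def __init__(self, ms_acl_info: Optional[str]) -> None:
        self.hosts: Optional[List[str]] = None
        if ms_acl_info is not None:
            self.hosts = [line.strip()[5:].strip() for line in ms_acl_info.splitlines()
                          if line.strip().upper().startswith("HOST=")]

    def may_register(self, host: str) -> bool:
        return self.hosts is None or any(_wild(h, host) for h in self.hosts)


# --- constructed ACLs: a proper reginfo with an explicit final deny, and a
# sloppy one without it (harmless in normal mode, fatal in simulation mode)
REGINFO_STRICT = """#VERSION=2
P TP=LEGIT_SERVER HOST=rfcsrv01.corp.example,10.0.5.* ACCESS=internal CANCEL=internal
P TP=* HOST=local,internal
D TP=* HOST=*
"""
REGINFO_NO_DENY = "#VERSION=2\nP TP=LEGIT_SERVER HOST=rfcsrv01.corp.example\n"
MS_ACL_INFO = "HOST=sapapp*.corp.example\nHOST=10.0.1.*\n"
ATTACKER, EVIL_TWIN_TP = "10.9.9.9", "LEGIT_SERVER"


def evil_twin_registration_outcomes() -> dict:
    """Can the attacker register under the legitimate program ID (Attack #4)
    or as a rogue application server (Attack #2) in each configuration?"""
    return {
        "no_file_acl_mode_0": GatewayAcl(None, 0).may_register(EVIL_TWIN_TP, ATTACKER),
        "no_file_acl_mode_1": GatewayAcl(None, 1).may_register(EVIL_TWIN_TP, ATTACKER),
        "strict": GatewayAcl(REGINFO_STRICT, 1).may_register(EVIL_TWIN_TP, ATTACKER),
        "no_deny_sim_mode": GatewayAcl(REGINFO_NO_DENY, 1, sim_mode=1).may_register(EVIL_TWIN_TP, ATTACKER),
        "strict_sim_mode": GatewayAcl(REGINFO_STRICT, 1, sim_mode=1).may_register(EVIL_TWIN_TP, ATTACKER),
        "ms_unrestricted": MessageServerAcl(None).may_register(ATTACKER),
        "ms_restricted": MessageServerAcl(MS_ACL_INFO).may_register(ATTACKER),
    }


if __name__ == "__main__":
    for scenario, allowed in evil_twin_registration_outcomes().items():
        print(f"{scenario:20s} attacker registration {'ALLOWED' if allowed else 'denied'}")
```

The "no_deny_sim_mode" versus "strict_sim_mode" pair is the practical lesson: an explicit "D TP=* HOST=*" as the last line keeps the ACL effective even if someone leaves gw/sim_mode = 1 behind after testing.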
Demo
Attack #4 – Evil Twin: MITM attacks
The actors are a legitimate RFC client (the SAP front end), the SAP R/3 application
server, the SAP Gateway and a legitimate external RFC server registered at the
gateway under a program ID.
1. The attacker first blocks valid connections to the legitimate external RFC
server, so that the gateway loses its registration.
2. A malicious client/server then connects to the SAP Gateway and registers itself
under the same program ID as the original external server.
3. From now on every RFC call the gateway routes to that program ID reaches the
malicious server, which logs or modifies it, forwards it to the original external
server and returns the (possibly modified) response to the caller.
Attack #4 – Attacking the R/3 with a registered server
Same setup: the valid client, the valid external RFC server, the SAP R/3 server and
the SAP Gateway.
1. Again, the attacker blocks valid connections to the legitimate external RFC server.
2. Again, the malicious client/server connects to the gateway and registers itself
under the program ID of the original external server.
3. This time, when an RFC call is received, the malicious server performs a poisoned
RFC callback over the open connection, i.e. it calls back into the SAP R/3
application server in the context of the user who issued the original call.
Result: the SAP R/3 application server is owned.
Protection / Countermeasure
 Create and maintain proper reginfo and secinfo files restricting which servers can
be registered and started, and who may connect to those registered servers.
 Maintain the gateway profile parameters (gw/acl_mode = 1, gw/sim_mode = 0, …)
according to your security policies.
Wrapping up...
The BIZEC TEC/11 lists the most common and critical issues affecting the business
runtime:
● BIZEC TEC-01: Vulnerable Software in Use
● BIZEC TEC-02: Standard Users with Default Passwords
● BIZEC TEC-03: Unsecured SAP Gateway
● BIZEC TEC-04: Unsecured SAP/Oracle authentication
● BIZEC TEC-05: Insecure RFC interfaces
● BIZEC TEC-06: Insufficient Security Audit Logging
● BIZEC TEC-07: Unsecured SAP Message Server
● BIZEC TEC-08: Dangerous SAP Web Applications
● BIZEC TEC-09: Unprotected Access to Administration Services
● BIZEC TEC-10: Insecure Network Environment
● BIZEC TEC-11: Unencrypted Communications
The attacks shown in this talk map onto the list: Attack #1 (SAP*/PASS) is
TEC-02, Attack #4 (gateway registration and RFC interfaces) falls under
TEC-03/TEC-05, and Attack #2 (rogue application server) is TEC-07.
General recommendations
• Use transaction RZ10 to maintain profiles, and keep track of profiles and
parameter values through the database instead of editing profile files on the
operating system.
• Specify values in the default profile whenever possible, to define a value for all
application servers.
• Pay attention to the values defined in the instance profiles, as those override
the default profile.
• Pay special attention to dynamic parameters: they can be modified at runtime
without a restart, so such a change can remain unnoticed.
• Keep track of the security-relevant profile parameters, as they can have a big
impact on the system's security.
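The two recommendations about dynamic and security-relevant parameters translate into a check a practitioner can script. The following added example (written for this page, not Onapsis code) compares a constructed instance profile, as persisted via RZ10, with a constructed snapshot of the values active in the instance: it reports active values that violate a baseline and parameters whose running value no longer matches the profile, which for a dynamic parameter means a runtime change that bypassed the profile. The baseline values and the dynamic flags are illustrative assumptions built from the parameters discussed in this talk.

```python
"""
Added example: baseline check of security-relevant profile parameters plus
detection of active values that drift from the persisted instance profile.
The profile text, the active-value snapshot, the baseline values and the
dynamic flags are constructed assumptions.
"""
from typing import Dict, List, Tuple

# (operator, expected value, dynamically switchable?) -- illustrative baseline.
# Verify the dynamic flags against RZ11 for your kernel; they differ by release.
BASELINE: Dict[str, Tuple[str, str, bool]] = {
    "login/no_automatic_user_sapstar": ("==", "1", False),
    "login/password_downwards_compatibility": ("==", "0", True),
    "login/min_password_lng": (">=", "8", False),
    "rsau/enable": ("==", "1", False),
    "gw/acl_mode": ("==", "1", False),
    "gw/sim_mode": ("==", "0", True),
}


def parse_profile(text: str) -> Dict[str, str]:
    """'name = value' lines; '#' starts a comment; the last definition wins."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def _violates(op: str, expected: str, actual: str) -> bool:
    if op == ">=":
        try:
            return int(actual) < int(expected)
        except ValueError:
            return True  # non-numeric where a number is required
    return actual != expected


def baseline_violations(active: Dict[str, str]) -> List[str]:
    """Parameters whose ACTIVE value breaks the baseline. A parameter missing
    from the snapshot is reported too: 'not set' means the kernel default,
    which is not necessarily the secure value."""
    findings: List[str] = []
    for name, (op, expected, _dynamic) in BASELINE.items():
        actual = active.get(name)
        if actual is None or _violates(op, expected, actual):
            findings.append(f"{name}: expected {op} {expected}, active {actual!r}")
    return findings


def unpersisted_changes(profile_text: str,
                        active: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(parameter, profile value, active value) for every parameter defined in
    the profile whose running value differs. For a dynamic parameter this is a
    runtime change (e.g. RZ11) that never went through the profile and will be
    lost at the next restart; for a non-dynamic one the profile was edited but
    the instance has not been restarted yet."""
    profile = parse_profile(profile_text)
    return sorted((name, profile[name], active[name])
                  for name in profile if name in active and profile[name] != active[name])


def is_dynamic(name: str) -> bool:
    return BASELINE.get(name, ("", "", False))[2]


# --- constructed instance profile (as persisted via RZ10) and a constructed
# snapshot of the values currently active in that instance
INSTANCE_PROFILE = """
SAPSYSTEM = 00
rdisp/wp_no_dia = 10
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 0
login/min_password_lng = 8
rsau/enable = 1
gw/acl_mode = 1
gw/sim_mode = 0
"""
ACTIVE_SNAPSHOT = {
    "SAPSYSTEM": "00",
    "rdisp/wp_no_dia": "10",
    "login/no_automatic_user_sapstar": "1",
    "login/password_downwards_compatibility": "1",  # flipped at runtime
    "login/min_password_lng": "8",
    "rsau/enable": "1",
    "gw/acl_mode": "1",
    "gw/sim_mode": "1",                              # flipped at runtime
}

if __name__ == "__main__":
    for finding in baseline_violations(ACTIVE_SNAPSHOT):
        print("VIOLATION", finding)
    for name, persisted, running in unpersisted_changes(INSTANCE_PROFILE, ACTIVE_SNAPSHOT):
        kind = "runtime change bypassing the profile" if is_dynamic(name) else "restart pending"
        print(f"DRIFT {name}: profile={persisted} active={running} ({kind})")
```

In practice the snapshot comes from the instance itself (the current values shown by RZ11 or report RSPARAM) and the profile from the RZ10 copy in the database; running the comparison on every instance, not just the central one, is what turns the slide's warning about unnoticed dynamic changes into a detection.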
Conclusions
● Configurations on SAP systems are complex and have a huge impact on their security.
● Complex combinations of settings (per client, per instance, per profile) can
expose the system even when each setting looks harmless on its own.
● Proper controls and monitoring of all SAP configurations help reduce the risk.
● Holistic security at the SAP Application Layer involves every landscape, every
system, every instance and every client.
References
● SAP Runs SAP – Remote Function Call: Gateway Hacking and Defense (Björn Brencher, SAP)
● Secure Configuration of SAP NetWeaver Application Server Using ABAP (SAP)
● http://www.bizec.org/wiki/BIZEC_TEC11
● http://scn.sap.com/community/netweaver/blog/2012/07/28/change-sap-profile-parameters
● https://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
● Special thanks to the Onapsis team (Sergio Abraham, Pablo Muller, Jordan Santarsieri, …)
Questions?
jppereze@onapsis.com
Stay tuned!
@onapsis
@jp_pereze
Thank you!
www.onapsis.com

DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
 
ImmixVegas
ImmixVegasImmixVegas
ImmixVegas
 
SAP HANA Security: New Technology, New Risks
SAP HANA Security: New Technology, New RisksSAP HANA Security: New Technology, New Risks
SAP HANA Security: New Technology, New Risks
 
SAP Enterprise Threat Detection Overview
SAP Enterprise Threat Detection OverviewSAP Enterprise Threat Detection Overview
SAP Enterprise Threat Detection Overview
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from Cyberattacks
 
protect4s-product-sheet
protect4s-product-sheetprotect4s-product-sheet
protect4s-product-sheet
 
Isms5
Isms5Isms5
Isms5
 
SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]
 
SAP Cloud Strategy
SAP Cloud StrategySAP Cloud Strategy
SAP Cloud Strategy
 

Recently uploaded

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Recently uploaded (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Attacks Based on Security Configurations

  • 5. Introduction
  • 6. A cyber-criminal & SAP systems
    If an attacker is after an SAP system, he is probably looking to perform:
    - ESPIONAGE: obtain customer/vendor/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
    - SABOTAGE: paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems, deleting critical information, etc.
    - FRAUD: modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
  • 7. What is his goal? The SAP production system
    (Diagram of the business processes running on it: sales, production, financial planning, invoicing, procurement, treasury, logistics, payroll, billing, human resources.)
  • 8. Where an attacker would probably hit…
    - SAP systems are built upon several layers.
    - Segregation of Duties (SoD) controls apply at the Business Logic layer.
    - The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework.
    (Layer diagram, bottom to top: Operating System and Database form the base infrastructure; the SAP Application Layer and the SAP Business Logic form the SAP solution.)
  • 9. Where an attacker would probably hit… (same layer diagram as slide 8)
    Successful attacks on this layer, the SAP Application Layer, would result in a complete compromise of the SAP system (SAP_ALL or equivalent), usually even without requiring a username or password.
  • 10. Configurations and SAP systems
  • 11. NetWeaver framework can be tuned…
    SAP systems can be configured through different mechanisms:
    - Customizing (IMG)
    - UME settings (Java only)
    - ACL settings (reginfo, secinfo, Web Dispatcher, Management Console, Message Server, ICM ACL, SAP GUI ACL)
    - Profile parameters
    - Transport profile
    - User parameters
    - RFC destinations
    - …
  • 12. Profile parameters
    - Conceptually each parameter is a key-value pair.
    - Depending on the kernel version, there are close to 1500 parameters.
    - Around 10% of them are security-relevant.
    - Parameters are configured within profiles: Default, Instance, Start*.
    - Dynamic parameters do not require a system restart.
    - Some examples:
      - rdisp/wp_no_dia = 10 (non-dynamic, not security-relevant)
      - rsau/enable = 1 (non-dynamic, security-relevant)
      - login/min_password_lng = 8 (non-dynamic, security-relevant)
      - login/password_downwards_compatibility = 1 (dynamic, security-relevant)
  • 13. Challenges?
  • 14. Challenges
    - Each profile parameter seems to define a simple concept, but it can be challenging to understand, and many times little documentation is available.
    - For some situations…
      - parameters are related, so the behavior depends on many values
      - parameters take precedence over each other
      - profiles take precedence over each other (kernel default → default.pfl → instance profile → dynamic configuration)
      - parameter values can differ from application server to application server
      - parameter configuration depends on file/table contents
      - parameters are created and removed with new kernel versions
    - Default values?
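The precedence chain on slide 14 is what makes "what is the effective value on this server?" hard to answer by eye. The following added example (not code from the deck or from Onapsis) models that chain, kernel default → DEFAULT.PFL → instance profile → dynamic change, per application server and flags security-relevant parameters whose effective value drifts between servers; the profile contents, kernel defaults, server names and the security-relevant list are all constructed for illustration.

```python
"""Resolve the effective value of SAP profile parameters per application server.

Added example, not from the slides: it models the precedence chain the slide
lists (kernel default -> DEFAULT.PFL -> instance profile -> dynamic change)
and flags security-relevant parameters whose effective value differs between
application servers. All profile contents, server names, kernel defaults and
the security-relevant list are constructed for illustration.
"""
from typing import Dict, Tuple

# Constructed kernel defaults (illustrative values, not a real kernel's).
KERNEL_DEFAULTS = {
    "login/no_automatic_user_sapstar": "1",
    "login/min_password_lng": "6",
    "login/password_downwards_compatibility": "1",
    "rdisp/wp_no_dia": "2",
    "rsau/enable": "0",
}

# Constructed subset of the ~10% of parameters that are security-relevant.
SECURITY_RELEVANT = {
    "login/no_automatic_user_sapstar",
    "login/min_password_lng",
    "login/password_downwards_compatibility",
    "rsau/enable",
}

# Constructed DEFAULT.PFL shared by every application server.
DEFAULT_PFL = """
# DEFAULT.PFL (constructed)
login/no_automatic_user_sapstar = 1
login/min_password_lng = 8
rsau/enable = 1
"""

# Constructed instance profiles; Server 3 overrides the SAP* protection.
INSTANCE_PROFILES = {
    "Server 1 (Central Instance)": "rdisp/wp_no_dia = 10\n",
    "Server 2 (Dialog Instance)": "rdisp/wp_no_dia = 8\n",
    "Server 3 (Dialog Instance)": "rdisp/wp_no_dia = 8\nlogin/no_automatic_user_sapstar = 0\n",
    "Server 4 (Dialog Instance)": "rdisp/wp_no_dia = 8\n",
}

# Constructed dynamic change (made at runtime, no restart) on a single server.
DYNAMIC_CHANGES = {
    "Server 2 (Dialog Instance)": {"login/password_downwards_compatibility": "0"},
}

Layer = Dict[str, str]


def parse_profile(text: str) -> Layer:
    """Parse 'key = value' lines of a profile file; '#' starts a comment."""
    params: Layer = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def effective_parameters(default_profile: Layer, instance_profile: Layer,
                         dynamic: Layer) -> Tuple[Layer, Dict[str, str]]:
    """Apply the precedence chain; each later layer overrides the earlier ones.

    Returns (effective values, the layer each effective value came from).
    """
    effective = dict(KERNEL_DEFAULTS)
    source = {key: "kernel default" for key in effective}
    for name, layer in (("DEFAULT.PFL", default_profile),
                        ("instance profile", instance_profile),
                        ("dynamic", dynamic)):
        for key, value in layer.items():
            effective[key] = value
            source[key] = name
    return effective, source


def resolve_landscape(default_pfl: str = DEFAULT_PFL,
                      instance_profiles: Dict[str, str] = INSTANCE_PROFILES,
                      dynamic_changes: Dict[str, Layer] = DYNAMIC_CHANGES):
    """Resolve every application server of the landscape."""
    default_params = parse_profile(default_pfl)
    return {
        server: effective_parameters(default_params, parse_profile(text),
                                     dynamic_changes.get(server, {}))
        for server, text in instance_profiles.items()
    }


def cross_server_drift(resolved) -> Dict[str, Dict[str, str]]:
    """Security-relevant parameters whose effective value is not identical on all servers."""
    drift = {}
    for param in sorted(SECURITY_RELEVANT):
        values = {server: eff.get(param) for server, (eff, _) in resolved.items()}
        if len(set(values.values())) > 1:
            drift[param] = values
    return drift


if __name__ == "__main__":
    landscape = resolve_landscape()
    for server, (eff, src) in landscape.items():
        print(server, {p: f"{eff[p]} ({src[p]})" for p in sorted(SECURITY_RELEVANT)})
    for param, values in cross_server_drift(landscape).items():
        print("DRIFT:", param, values)
```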
  • 15. Attack scenarios
  • 16. Attack #1: Emergency mechanism
  • 17. Attack #1 – Emergency mechanism
    An emergency mechanism to connect to SAP systems:
    - Enabled by the profile parameter login/no_automatic_user_sapstar
    - User SAP* does not exist in the database
    - Connection with full authorizations
    - Default credentials SAP*:PASS
    - Cross-client issue (could affect only one client)
    - Cross-application-server issue (could affect a single application server)
    Whether the connection to the system succeeds depends on a profile parameter and the user master record.
    Impact: full SAP system compromise.
  • 18. Demo
  • 19. Attack #1
    param = login/no_automatic_user_sapstar (effective value on each application server); CI = Central Instance, DI = Dialog Instance. Server cells: whether the SAP* emergency logon is possible in that client through that server.
    Client   SAP* record   Server 1 (CI)   Server 2 (DI)   Server 3 (DI)   Server 4 (DI)
             in database   param = 1       param = 1       param = 0       param = 1
    000      Yes           No              No              No              No
    001      Yes           No              No              No              No
    066      Yes           No              No              No              No
    200      Yes           No              No              No              No
    230      No            No              No              Yes             No
    300      Yes           No              No              No              No
  • 20. Attack #1 (same table as slide 19)
    Protection / Countermeasure
    - Do not delete the user SAP* from any client.
    - Secure the user SAP* for all clients in the SAP system (including the standard ones).
    - Configure login/no_automatic_user_sapstar = 1.
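The table on slides 19-20 is the product of two independent facts, the parameter value on each application server and the presence of a SAP* record in each client. The following added example (not code from the deck or from Onapsis) encodes that decision, reproduces the table from the slide's values and derives the slide-20 countermeasures from the findings; the dictionaries, function names and remediation wording are constructed.

```python
"""Audit which (client, application server) pairs expose the SAP* emergency logon.

Added example, not from the slides: it encodes the decision behind the table
on slides 19-20. The emergency logon is possible only where the application
server runs with login/no_automatic_user_sapstar = 0 AND the client has no
SAP* user master record. Parameter values and client data mirror the slide's
table; the dictionaries and the remediation wording are constructed.
"""
from typing import Dict, List, Tuple

# Effective login/no_automatic_user_sapstar per application server (from the slide).
SERVER_PARAM: Dict[str, int] = {
    "Server 1 (Central Instance)": 1,
    "Server 2 (Dialog Instance)": 1,
    "Server 3 (Dialog Instance)": 0,
    "Server 4 (Dialog Instance)": 1,
}

# Whether a SAP* user master record exists in each client (from the slide).
SAPSTAR_RECORD_EXISTS: Dict[str, bool] = {
    "000": True, "001": True, "066": True, "200": True, "230": False, "300": True,
}


def emergency_logon_possible(no_automatic_user_sapstar: int, record_exists: bool) -> bool:
    """Both conditions must hold: parameter is 0 and the client lacks a SAP* record."""
    return no_automatic_user_sapstar == 0 and not record_exists


def exposure_matrix(server_param: Dict[str, int],
                    records: Dict[str, bool]) -> Dict[str, Dict[str, bool]]:
    """client -> server -> True when the emergency logon would succeed there."""
    return {
        client: {server: emergency_logon_possible(value, exists)
                 for server, value in server_param.items()}
        for client, exists in records.items()
    }


def exposed_pairs(matrix: Dict[str, Dict[str, bool]]) -> List[Tuple[str, str]]:
    """Flat, sorted list of the exposed (client, server) combinations."""
    return sorted((client, server)
                  for client, row in matrix.items()
                  for server, exposed in row.items() if exposed)


def remediation(server_param: Dict[str, int], records: Dict[str, bool]) -> List[str]:
    """Countermeasures from slide 20, applied to the findings."""
    steps = []
    for client, exists in sorted(records.items()):
        if not exists:
            steps.append(f"client {client}: re-create and secure user SAP* (never delete it)")
    for server, value in server_param.items():
        if value != 1:
            steps.append(f"{server}: set login/no_automatic_user_sapstar = 1")
    return steps


def render(matrix: Dict[str, Dict[str, bool]]) -> str:
    """Plain-text table in the layout of the slide."""
    servers = list(next(iter(matrix.values())))
    lines = ["Client  " + "  ".join(f"{s[:8]:>8}" for s in servers)]
    for client, row in matrix.items():
        cells = "  ".join(f"{'Yes' if row[s] else 'No':>8}" for s in servers)
        lines.append(f"{client:<6}  {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = exposure_matrix(SERVER_PARAM, SAPSTAR_RECORD_EXISTS)
    print(render(m))
    print("Exposed:", exposed_pairs(m))
    for step in remediation(SERVER_PARAM, SAPSTAR_RECORD_EXISTS):
        print("-", step)
```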
  • 21. Attack #2: Load balancing
  • 22. Attack #2 – Load balancing
    Load balancing on SAP systems is driven by new application servers registering on the Message Server, which is restricted by:
    - Parameter ms/acl_info
    - Contents of the ms_acl_info file
    Whether the registration of a new application server succeeds depends mainly on the contents of the ACL file.
    Impact: full SAP system compromise.
  • 23. Demo
  • 24. Protection / Countermeasure
    - Create and maintain the ACL to restrict which SAP application servers are allowed to register on the Message Server.
  • 25. Attack #3: Password policies
  • 26. Attack #3 – Password policies
    Whether a user can still connect to the system after password policies have been tightened depends on:
    - Type of connection (DIAG/RFC)
    - User type (service, system, dialog…)
    - Parameter rfc/reject_expired_passwd
    - Parameter login/password_compliance_to_current_policy
    Whether the connection to the system succeeds depends on two profile parameters, the user and the protocol.
    Impact: brute-force attacks remain effective.
  • 27. Attack #3
    Legend: reject = rfc/reject_expired_passwd, comply = login/password_compliance_to_current_policy; the last four columns are the user types (Dialog, Service, System, Communication); Pwd Chg = the user is prompted to change the password.
    #  Connection  reject  comply  Dialog   Service  System  Comm.
    1  GUI         0       0       Yes      Yes      No      No
    2  RFC         0       0       Yes      Yes      Yes     Yes
    3  GUI         1       0       Yes      Yes      No      No
    4  RFC         1       0       Yes      Yes      Yes     Yes
  • 28. Attack #3 (continued)
    #  Connection  reject  comply  Dialog   Service  System  Comm.
    5  GUI         1       1       Pwd Chg  Yes      No      No
    6  RFC         1       1       No       Yes      Yes     No
    7  GUI         0       1       Pwd Chg  Yes      No      No
    8  RFC         0       1       Yes      Yes      Yes     Yes
  • 29. Attack #3 (same table as slide 28)
    Protection / Countermeasure
    - Secure both profile parameters according to business requirements without disrupting any pre-established interface.
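The eight rows on slides 27-28 reduce to a few rules, which is easier to audit than the table itself. The following added example (not code from the deck or from Onapsis) states those rules, verifies them against the slide's rows, and reports the parameter combinations under which a dialog user's non-compliant password still works over RFC; the function names and finding texts are constructed, and the "No" for system and communication users over GUI reflects that those user types have no interactive logon.

```python
"""Rules behind the password-policy logon matrix on slides 27-28.

Added example, not from the slides: the rules below are derived from the
eight rows of the slide table and are checked against that table. The
function names and the findings wording are constructed; the two profile
parameters and the outcomes (Yes / No / Pwd Chg) are the slide's.
"""
from itertools import product
from typing import List, Tuple

USER_TYPES = ("dialog", "service", "system", "communication")

# Rows of the slide table: (#, connection, rfc/reject_expired_passwd,
# login/password_compliance_to_current_policy, outcomes in USER_TYPES order).
SLIDE_TABLE = [
    (1, "GUI", 0, 0, ("Yes", "Yes", "No", "No")),
    (2, "RFC", 0, 0, ("Yes", "Yes", "Yes", "Yes")),
    (3, "GUI", 1, 0, ("Yes", "Yes", "No", "No")),
    (4, "RFC", 1, 0, ("Yes", "Yes", "Yes", "Yes")),
    (5, "GUI", 1, 1, ("Pwd Chg", "Yes", "No", "No")),
    (6, "RFC", 1, 1, ("No", "Yes", "Yes", "No")),
    (7, "GUI", 0, 1, ("Pwd Chg", "Yes", "No", "No")),
    (8, "RFC", 0, 1, ("Yes", "Yes", "Yes", "Yes")),
]


def logon_outcome(connection: str, user_type: str,
                  reject_expired: int, compliance: int) -> str:
    """Outcome for a user whose password no longer meets the tightened policy."""
    if connection == "GUI":
        if user_type in ("system", "communication"):
            return "No"        # these user types have no interactive (DIAG) logon
        if user_type == "dialog" and compliance == 1:
            return "Pwd Chg"   # policy enforced at logon: password change required
        return "Yes"
    # RFC: only the combination of both parameters rejects a non-compliant
    # password, and only for dialog and communication users.
    if reject_expired == 1 and compliance == 1 and user_type in ("dialog", "communication"):
        return "No"
    return "Yes"


def matches_slides() -> bool:
    """True when the rules reproduce every row of the slide table."""
    for _, conn, reject, comply, expected in SLIDE_TABLE:
        got = tuple(logon_outcome(conn, user, reject, comply) for user in USER_TYPES)
        if got != expected:
            return False
    return True


def weak_combinations() -> List[Tuple[int, int]]:
    """(reject, comply) settings under which a dialog user's non-compliant password still works over RFC."""
    return [(reject, comply) for reject, comply in product((0, 1), repeat=2)
            if logon_outcome("RFC", "dialog", reject, comply) == "Yes"]


def audit(reject_expired: int, compliance: int) -> List[str]:
    """Findings for one system's settings, in the spirit of slide 29's countermeasure."""
    findings = []
    if compliance != 1:
        findings.append("login/password_compliance_to_current_policy=0: "
                        "existing passwords are not checked against the current policy")
    if reject_expired != 1:
        findings.append("rfc/reject_expired_passwd=0: expired passwords are still accepted over RFC")
    if (reject_expired, compliance) in weak_combinations():
        findings.append("brute-force of non-compliant passwords remains effective over RFC for dialog users")
    return findings


if __name__ == "__main__":
    print("rules match the slide table:", matches_slides())
    print("weak (reject, comply) combinations:", weak_combinations())
    for setting in product((0, 1), repeat=2):
        print(setting, audit(*setting))
```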
  • 30. Attack #4: Interfaces
  • 31. Attack #4 – Interfaces
    Whether a user can register, start and connect to an interface on the SAP system depends on:
    - Parameters gw/reg_info, gw/sec_info, gw/acl_mode, gw/sim_mode, gw/reg_no_conn_info …
    - Contents of the reginfo and secinfo files
    Whether the registration of an interface succeeds depends on several profile parameters and the proper ACL file.
    Impact: potential full SAP system compromise.
  • 32. Attack #4 – simplified version of the configuration options
    ACL file                    gw/acl_mode   start/register
    File exists and is empty    0 or 1        No servers allowed
    File does not exist         0             Unrestricted
    File does not exist         1             Only local and internal
    File properly defined       0 or 1        Only servers defined in the ACL
    If gw/sim_mode is enabled and no explicit denial is included in the ACL, everything is accepted.
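The table on slide 32 plus the gw/sim_mode caveat is a small decision procedure, and writing it down makes the "file does not exist" and "file exists but is empty" cases (which behave oppositely) hard to confuse. The following added example (not code from the deck or from Onapsis, and not SAP's implementation) evaluates the effective policy and checks a candidate registration against it; the reginfo syntax used is a simplified assumption (a line starting with P for permit or D for deny, with TP= and HOST= tokens, first match wins), and the host names are constructed.

```python
"""Effective SAP Gateway registration policy from the ACL file state, gw/acl_mode and gw/sim_mode.

Added example, not from the slides: it turns the decision table on slide 32
into code and checks a candidate registration (program ID + host) against
it. The reginfo line syntax used here is a simplified assumption: a line
starts with 'P' (permit) or 'D' (deny) followed by TP=<program id> and
HOST=<host> tokens, evaluated top to bottom with the first match deciding.
In simulation mode only explicit denials are enforced. Host names are constructed.
"""
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str]  # (action, TP pattern, HOST pattern)


def parse_acl(text: Optional[str]) -> Optional[List[Rule]]:
    """None -> the file does not exist; [] -> it exists but defines nothing."""
    if text is None:
        return None
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        action = tokens[0].upper()
        if action not in ("P", "D"):
            continue
        fields = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        rules.append((action, fields.get("TP", "*"), fields.get("HOST", "*")))
    return rules


def effective_policy(rules: Optional[List[Rule]], acl_mode: int, sim_mode: int = 0) -> str:
    """The 'start/register' column of slide 32, plus the gw/sim_mode caveat."""
    if rules is None:                       # file does not exist
        return "unrestricted" if acl_mode == 0 else "only local and internal"
    if not rules:                           # file exists and is empty
        return "no servers allowed"
    if sim_mode == 1:
        if not any(action == "D" for action, _, _ in rules):
            return "everything accepted (simulation mode, no explicit denial)"
        return "everything not explicitly denied (simulation mode)"
    return "only servers defined in ACL"


def registration_allowed(rules: Optional[List[Rule]], acl_mode: int, sim_mode: int,
                         tp: str, host: str,
                         local_hosts=("localhost",), internal_hosts=()) -> bool:
    """Would an external server registering as program ID `tp` from `host` be accepted?"""
    policy = effective_policy(rules, acl_mode, sim_mode)
    if policy == "unrestricted" or policy.startswith("everything accepted"):
        return True
    if policy == "no servers allowed":
        return False
    if policy == "only local and internal":
        return host in local_hosts or host in internal_hosts
    for action, tp_pat, host_pat in rules:  # first matching rule decides
        if fnmatchcase(tp, tp_pat) and fnmatchcase(host, host_pat):
            return action == "P"
    # No rule matched: denied, unless simulation mode lets it through.
    return sim_mode == 1


if __name__ == "__main__":
    # Constructed reginfo: one permitted server, then a catch-all denial.
    acl = "#VERSION=2\nP TP=RFCSERV HOST=app1.example.test\nD TP=* HOST=*\n"
    for text, mode, sim in ((None, 0, 0), (None, 1, 0), ("", 1, 0), (acl, 1, 0), (acl, 1, 1)):
        rules = parse_acl(text)
        print(effective_policy(rules, mode, sim),
              registration_allowed(rules, mode, sim, "RFCSERV", "rogue.example.test"))
```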
  • 33. Demo
  • 34. Attack #4 – Evil Twin: MITM attacks
    - Same scenario as before: a legitimate client, an external RFC server, the SAP R/3 server and the SAP Gateway.
    - Here we go again, blocking valid connections to the innocent external RFC server.
    - Now the same malicious client/server connects to the SAP R/3 Gateway and registers itself with the same ID as the original external server.
    - This time, every RFC call received is logged/modified and forwarded to the original external server; the modified response travels back the same way.
    (Diagram: SAP FE → SAP GW → external RFC malicious server → external RFC server; RFC call, modified RFC call, response, modified response.)
  • 35. Attack #4 – Attacking the R/3 with a registered server
    - Yes, again the same scenario: the valid client, the valid external RFC server, the SAP R/3 server and the SAP Gateway.
    - Here we are again, blocking valid connections to the innocent external RFC server.
    - Again, the same malicious client/server connects to the SAP R/3 server and registers itself with the ID of the original external server.
    - But now, when an RFC call is received, we perform a callback…
    - SAP R/3 Application Server OWNED!!
    (Diagram: SAP FE → SAP GW → external RFC malicious server; poisoned RFC callback → SAP R/3.)
  • 36. Attack #4 (same scenario as slide 35)
    Protection / Countermeasure
    - Create and maintain the proper ACL files to restrict which servers can be registered and started, and who can connect to those servers.
    - Maintain profile parameters according to your security policies.
  • 37. Wrapping up...
  • 38. The BIZEC TEC/11 lists the most common and critical issues affecting the business runtime:
    - BIZEC TEC-01: Vulnerable Software in Use
    - BIZEC TEC-02: Standard Users with Default Passwords
    - BIZEC TEC-03: Unsecured SAP Gateway
    - BIZEC TEC-04: Unsecured SAP/Oracle authentication
    - BIZEC TEC-05: Insecure RFC interfaces
    - BIZEC TEC-06: Insufficient Security Audit Logging
    - BIZEC TEC-07: Unsecured SAP Message Server
    - BIZEC TEC-08: Dangerous SAP Web Applications
    - BIZEC TEC-09: Unprotected Access to Administration Services
    - BIZEC TEC-10: Insecure Network Environment
    - BIZEC TEC-11: Unencrypted Communications
    (The slide's callouts link Attack #1, Attack #4 and Attack #2 to items in this list.)
  • 39. General recommendations
    - Use RZ10 and keep track of profiles and parameter values through the database.
    - Specify values in the default profile whenever possible, to define a value for all application servers.
    - Pay attention to the values defined in the instance profiles, as those override the default profile.
    - Pay special attention to the dynamic parameters, as modifications of those could remain unnoticed.
    - Keep track of the profile parameters that are security-relevant, as those can have a big impact on security.
  • 40. Conclusions
    - Configurations are complex on SAP systems and can have a huge impact on their security.
    - Complex situations could expose the system.
    - Proper controls in place and monitoring of all SAP configurations can help reduce the risk.
    - Holistic security at the SAP Application Layer involves every landscape, every system, every instance and every client.
  • 41. References
    - SAP Runs SAP – Remote Function Call: Gateway Hacking and Defense (Björn Brencher, SAP)
    - Secure Configuration of SAP NetWeaver Application Server Using ABAP
    - http://www.bizec.org/wiki/BIZEC_TEC11
    - http://scn.sap.com/community/netweaver/blog/2012/07/28/change-sap-profile-parameters
    - https://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
    - Special thanks to the Onapsis Team (Sergio Abraham, Pablo Muller, Jordan Santarsieri…)
  • 42. Questions? jppereze@onapsis.com – Stay tuned! @onapsis @jp_pereze
  • 43. Thank you! www.onapsis.com – Follow us! @onapsis