
Assess and monitor SAP security

Published in: Software

  1. Invest in security to secure investments. Assess and Monitor SAP Security with ERPScan
  2. About ERPScan
     • The only 360-degree SAP Security solution: ERPScan Security Monitoring Suite for SAP
     • Leader by the number of acknowledgements from SAP (150+)
     • 60+ presentations at key security conferences worldwide
     • 25 awards and nominations
     • Research team: 20 experts with experience in different areas of security
     • Headquarters in Palo Alto (US) and Amsterdam (EU)
  3. ERPScan and SAP
     "We would like to thank the world-class security experts of ERPScan for the highly qualified job performed to help us assess the security of our pre-release products."
     Senior Director, Head of Global Security Alliance Management, Product Security, Technology and Innovation Platform, SAP Labs, Palo Alto, USA
  4. Business application security
     All business processes are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in a company's ERP. This information can include financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at a victim's ERP system and can cause significant damage to the business.
  5. Big companies (landscape diagram): Portal, HR, Logistics, Warehouse, ERP, Billing, Suppliers, Customers, Banks, Insurance Partners, Branches, BI, Industry, CRM, SRM
  6. SAP
     • The most popular business application
     • More than 250000 customers worldwide
     • 83% of Forbes 500 companies run SAP
     • Main system: ERP
     • Platforms: NetWeaver ABAP, NetWeaver J2EE, BusinessObjects, SAP HANA
  7. SAP Security threats: Espionage
     • Financial data, financial planning (FI)
     • HR data, personal and contact details (HR)
     • Customer lists
     • Corporate secrets (PLM)
     • Supplier tenders (SRM)
     • Customer lists (CRM)
     Cyber criminals need only to gain access to one of the described systems to successfully steal critical information.
  8. SAP Security threats: Sabotage
     • Denial of Service: incurs huge costs
     • Data modification to cause damage: delete critical information
     • SCADA connections: it is common to see connections between ERP and SCADA/MES/SmartGrid
  9. SAP Security threats: Fraud
     • Manipulate automated transaction systems
     • Generate false payments
     • Move money
     • Salary modification
     • Material management fraud
     • Mistaken transactions
     The Association of Certified Fraud Examiners estimates that corporations on average lose 6% of revenue to fraud (2013).
  10. SAP Security notes (chart: number of SAP Security notes per year, 2001 to 2014, y axis 0 to 900). By April 2014: 2974 SAP Security notes.
  11. DEMO
  12. Attacks?
  13. What can be next?
     • Just imagine what could be done by breaking:
       – One ERP system
       – All business applications of a company
       – All ERP systems in a particular country
  14. Ease of development. It is very easy, by the way:
     • Price of a vulnerability is low
     • Patching is a nightmare
     • Generating an exploit is easy
     • Interconnection is high
     • Availability via the Internet
  15. SAP NetWeaver ABAP versions (chart: NetWeaver ABAP versions by popularity)
     • 7.0 EHP 0 (Nov 2005): 35%
     • 7.0 EHP 2 (Apr 2010): 23%
     • 7.0 EHP 1 (Oct 2008): 19%
     • 7.3 (Jun 2011): 11%
     • 6.2 (Dec 2003): 6%
     • 6.4 (Mar 2004): 5%
     The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!
  16. Systems are highly interconnected
     • Systems are highly connected with each other by trust relationships
     • Even between companies they are connected by XI/PI systems
     • Remember also SSRF? (Attack on SAP XI from BlackHat)
     • http://cwe.mitre.org/data/definitions/918.html
     • Second place in the Top 10 web application techniques 2012
     • Allows bypassing firewall restrictions and directly connecting to protected systems via connected systems
  17. DEMO
  18. Business applications on the Internet
     • Companies have Portals, SRMs, CRMs remotely accessible
     • Companies connect different offices by ESB
     • SAP users are connected to SAP via SAPRouter
     • Administrators open management interfaces to the Internet for remote control
  19. Business applications on the Internet. SAP HTTP services can be easily found on the Internet:
     • inurl:/irj/portal
     • inurl:/IciEventService sap
     • inurl:/IciEventService/IciEventConf
     • inurl:/wsnavigator/jsps/test.jsp
     • inurl:/irj/go/km/docs/
  20. SAP Router
     • Special application proxy
     • Transfers requests from the Internet to SAP (and not only)
     • Can work through VPN or SNC
     • Almost every company uses it for connecting to SAP to download updates
     • Usually listens on port 3299
     • Internet accessible (approximately 5000 IPs)
     • http://www.easymarketplace.de/saprouter.php
  21. SAP Router: known issues
     • Absence of ACL: 15%
       – Possible to proxy any request to any internal address
     • Information disclosure about internal systems: 19%
       – Denial of service by specifying many connections to any of the listed SAP servers
       – Proxy requests to the internal network if the ACL is absent
     • Insecure configuration, authentication bypass: 5%
     • Heap corruption vulnerability: 85%
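A small route-table review, added here as an example (not ERPScan's or SAP's code) of how a defender can spot the "absence of ACL" case from this slide in a SAPRouter permission table. It assumes the saprouttab format ACTION SOURCE DESTINATION SERVICE with * wildcards, first-match-wins evaluation, and uses a constructed sample table.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    action: str   # "P" permit, "S" permit only with SNC, "D" deny
    source: str   # client host/network or "*"
    dest: str     # target host or "*"
    service: str  # target port/service or "*"


# Constructed route permission table (not from a real deployment).
SAMPLE_SAPROUTTAB = """\
# internal clients may reach the PRD dispatcher only
P 10.10.0.0/16 sapprd01 3200
# vendor support over SNC to one support host
S * sapsupport 3200
# catch-all permit: this is the "absence of ACL" case from the slide
P * * *
D * * *
"""


def parse_saprouttab(text):
    """One rule per line: ACTION SOURCE DEST SERVICE [password]; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("P", "S", "D"):
            raise ValueError(f"unparseable saprouttab line: {raw!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3]))
    return rules


def review(rules):
    """Findings for permit rules that let the router reach arbitrary targets."""
    if not rules:
        return ["empty route table: no ACL, every route is decided by defaults"]
    findings = []
    for n, r in enumerate(rules, 1):   # first match wins, so order matters
        if r.action == "D":
            continue
        if r.dest == "*":
            findings.append(f"rule {n}: {r.action} permits ANY destination host")
        if r.service == "*":
            findings.append(f"rule {n}: {r.action} permits ANY destination service")
        if r.action == "P" and r.source == "*":
            findings.append(f"rule {n}: plain permit from ANY source (no SNC)")
    return findings


if __name__ == "__main__":
    for finding in review(parse_saprouttab(SAMPLE_SAPROUTTAB)):
        print(finding)
```

Because the catch-all permit precedes the final deny, it matches first and the deny never applies; the review reports all three problems on that one rule.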
  22. Port scan results
     • Are you sure that only the necessary SAP services are exposed to the Internet?
     • We were not
     • In 2011, we ran a global project to scan all of the Internet for SAP services
     • It is not completely finished yet, but we have the results for the top 1000 companies
     • We were shocked when we saw them first
  23. Port scan results (chart: exposed services 2011 vs 2013, y axis 0 to 35, for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server, httpd, SAP Message Server, SAP Router). Listed services should not be accessible from the Internet.
  24. Why? Why are there not many public examples of breaches if the situation is so bad?
  25. Examples
     • Fraud: very popular inside companies, but you see only some incidents (nobody wants to share)
     • Sabotage: at this moment it is maybe easier to DDoS than to DoS, but we will see
     • Espionage: this is what we don't see much of, because it is designed to be unseen. You never know about it, especially if you don't enable logging
  26. SAP Security Forensics
     • There is not so much info in public
     • Companies are not interested in publication of a compromise
     • But the main problem is here:
       – How can you be sure that there was no compromise?
       – Only 10% of systems have the Security Audit Log enabled
       – Only a few of them analyze those logs
       – And much fewer do central storage and correlation
     * Based on the assessment of over 250 servers of companies that allowed us to share results.
  27. Percent of enabled log options
     • ICM log icm/HTTP/logging_0: 70%
     • Security audit log in ABAP: 10%
     • Table access logging rec/client: 4%
     • Message Server log ms/audit: 2%
     • SAP Gateway access log: 2%
     * Based on the assessment of over 250 servers of companies that allowed us to share results.
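A profile check for the five logging options on this slide, added as an example (not ERPScan's or SAP's code). rec/client, ms/audit and icm/HTTP/logging_0 are named on the slide; rsau/enable (Security Audit Log) and gw/logging (gateway log) are assumed here as the switches for the other two items, an unset parameter is assumed to mean the kernel default of no logging, and the profile fragment is constructed.

```python
# Profile parameter -> (description, predicate that is True when logging is on).
# rsau/enable and gw/logging are assumptions for the two items the slide names
# only by function; the other three parameters are the ones the slide lists.
LOG_PARAMS = {
    "icm/HTTP/logging_0": ("ICM HTTP access log", lambda v: v != ""),
    "rsau/enable": ("Security Audit Log (ABAP)", lambda v: v == "1"),
    "rec/client": ("Table change logging", lambda v: v.upper() not in ("", "OFF")),
    "ms/audit": ("Message Server audit log", lambda v: v in ("1", "2")),
    "gw/logging": ("SAP Gateway access log", lambda v: v != ""),
}

# Constructed instance-profile fragment (not from a real system).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
rsau/enable = 0
rec/client = OFF
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log,LOGFORMAT=SAP
ms/audit = 1
# gw/logging is deliberately not set at all
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)  # values may themselves contain '='
        params[name.strip()] = value.strip()
    return params


def logging_status(text):
    """Map each logging parameter to True/False; an unset parameter counts as off."""
    params = parse_profile(text)
    return {p: pred(params.get(p, "")) for p, (_, pred) in LOG_PARAMS.items()}


def disabled_logs(text):
    """Human-readable list of the logging options that are not enabled."""
    status = logging_status(text)
    return [f"{p} ({LOG_PARAMS[p][0]})" for p, on in status.items() if not on]


if __name__ == "__main__":
    for item in disabled_logs(SAMPLE_PROFILE):
        print("not enabled:", item)
```

On the sample profile only the ICM and Message Server logs are on, which mirrors the slide: the Security Audit Log, table logging and gateway logging are the options most often left off.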
  28. SAP Security problems
     • How to protect ourselves from fraud and cyber-activities?
     • How to automate security checks for big landscapes?
     • How to decrease costs?
     • How to prioritize updates?
  29. 3 areas of SAP Security
     • 2002: Business logic security (SOD). Prevents attacks or mistakes made by insiders. Solution: GRC
     • 2008: ABAP code security. Prevents attacks or mistakes made by developers. Solution: Code audit
     • 2010: Application platform security. Prevents unauthorized access both within the corporate network and from remote attackers. Solution?
  30. Long-awaited product. The only solution on the market to assess 3 tiers of SAP Security
  31. ERPScan Security Monitoring Suite (architecture diagram): Connectors (ABAP, JAVA), Security audit module, ABAP code scan module, SOD module, Control, Output
  32. ERPScan in details (module diagram). ABAP code security analysis
     • Connectors: ABAP, JAVA, Router, HANA, Oracle
     • Output interfaces: Metrics, Risk assessment, Compliance, Reports
     • Control functions: Users, Projects, Inventory, Monitoring
     • Audit: Misconfigurations, Vulnerabilities, Critical access
     • ABAP code scan: Vulnerabilities, Backdoors, Efficiency
     • SoD: Role optimization, SoD, Critical privileges
  33. Audit Module
     • System enumeration
     • Anonymous scan (pentest)
     • Exploitation
     • Whitebox scan
     • Configuration analysis
     • Access control
     • Search for vulnerabilities
     • Compliance: SAP, ISACA, DSAG, EAS-SEC, PCI DSS, Industry (Oil and Gas)
     Incredible speed: our completely revised engine can now analyze an SAP system with 5000 users for critical access and the SOD matrix in 5-10 minutes on a good PC!
  35. DEMO: ABAP code audit module. ABAP source code checks (120 different issues):
     1. Critical kernel calls
     2. Missing authorization checks in:
        1. Transaction calls
        2. Report calls
        3. Table reads
     3. SQL injections
     4. Backdoors
     5. Access to OS
     6. Missing comments
     + Preconfigured critical functions
     + Improved dataflow analysis
     + Customizable critical functions
  36. DEMO: SOD
     • Critical authorizations by business area
       – BASIS (ISACA list)
       – Revenue (ISACA list)
       – Fixed Assets (mixed list)
       – HR (mixed list)
     • SOD
       – Predefined matrix
       – Custom matrix
     • Role optimization
     + Industry solutions
  37. Monitor
  38. Monitor
     • Compare results from different scans
     • Obtain high-level stats
     • Monitor security events
     The built-in monitoring capability helps you effectively manage the dynamics between different scans. You can schedule monitoring for the most critical parameters of SAP systems.
  39. Business benefits: Stay secure
     • Prevent from cybercriminals: by continuously monitoring key security areas and automatic vulnerability assessment.
     • Prevent from insiders: by using our SOD module and analyzing all critical privileges and their segregations.
     • Prevent from developer mistakes: by code review of custom transactions and reports.
  40. Business benefits: Save time
     • Easy implementation: in less than one hour you can start work after installing the system as software, a virtual appliance or SaaS.
     • Fast scans: with our new engine you can analyze more than 7000 parameters in 5 minutes.
     • Scalability: you can effectively monitor a huge number of systems from various locations and easily manage them from anywhere using a web browser.
  41. Business benefits: Decrease expenses
     • Save on compliance: with integrated compliance modules on key recommendations from SAP, ISACA, DSAG and OWASP.
     • Save on manual assessment: with automatic monitoring of all security-related options.
     • Save on SAP security education: by using the integrated built-in knowledge base about SAP security, with detailed information and remediation steps.
  42. Getting better every day
     • More than 7300 configuration checks
     • More than 2600 vulnerability checks
     • More than 110 issues in ABAP
     • Analysis of misconfigurations, vulnerabilities and critical authorizations for ABAP, JAVA, HANA
  43. Sponsoring and Presenting
  44. ERPScan featured in
  45. Awards
  46. About us
     • Leading SAP AG partner in discovering and solving security vulnerabilities
     • Found more than 250 (120 published) security vulnerabilities in SAP
     • Frequent speakers at 50+ top security conferences: BlackHat, RSA
     • Leads the EAS-SEC project focused on technical aspects of ERP security
     The company's expertise is based on research conducted by the ERPScan research center.
  47. And also
     We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
     web: erpscan.com
     e-mail: info@erpscan.com, sales@erpscan.com
