This document discusses how hackers compromise SAP S/4HANA systems and how to protect yourself. It outlines 5 common ways that hackers attack S/4HANA, including social engineering, exploiting known vulnerabilities, phishing, exploiting custom development, and compromising basic security. It then provides 5 rules for protecting S/4HANA, which are hardening systems, managing users and roles, securing application development, establishing monitoring, and applying security patches. The document promotes a SAST security suite for comprehensively securing S/4HANA systems.
2. Why S/4HANA is important for Attackers
Content Considerations
S/4HANA contains business-critical data: espionage target
S/4HANA is central to business processes: sabotage target
Technology Considerations
Fraud possibilities
IT / Security has little experience with HANA
Complexity of security requirements increases with S/4HANA!
3. SAP HANA – a new complexity
http://help.sap.com/saphelp_hanaplatform/helpdata/en/37/d2573cb24e4d75a23e8577fb4f73b7/content.htm
5. Social Engineering – the clever manipulation of the natural human tendency to trust
Practical Example:
Call random numbers, pretend to be IT support
Eventually someone will enter "your" commands
Risk #1: Social Engineering
Social Engineering is the most effective way of hacking!
6. Many different ways using known exploits in combination with hardware/software
No special knowledge needed (but useful if present)
Practical Example:
Wi-Fi Pineapple: easily available, including "appstore"
Just enter the closest Starbucks…
Risk #2: The "Classical" Hacker
Hackers don't need specific knowledge – everything is readily available on the internet!
7. Fraudulently obtaining private information
Usually with links to websites or malicious documents attached
Practical Example:
E-mail with login URL for the HANA system
PHP script in the background catches user name/password
Risk #3: Phishing
"Thanks to" social media, targeted phishing becomes a real issue!
8. S/4HANA applications work via browser
ABAP is still in the game – combined with other programming languages
Increased complexity in development
Practical Example:
Backdoor for specific users
Risk #4: Custom Development
Web applications must be secured on all levels!
Custom development needs to be scanned for security vulnerabilities!
9. Reality: SAP HANA runs in parallel to existing systems
SAP HANA includes separate security functions
Basic security features to be considered
Practical Example:
e.g. 10KBLAZE (Message Server, SAP Gateway…)
Risk #5: 10KBLAZE – Basis Security
Increased system landscape complexity with HANA means more security settings to keep in mind!
11. Ensure OS system security
Validate all other (HANA) system security settings
Secure communications for all connections
Restrict access wherever necessary
Rule #1: System Hardening
Monitor all security settings – configuration drift is a real challenge!
12. Secure standard users (SYSTEM, <sid>adm, etc.)
Restrict authorizations
Use Single Sign-On
Strong Password Policies
Validate role concept for critical authorizations and SoD conflicts
Rule #2: User and role management
Extensive privileges compromise the entire system!
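Rule #1 warns about configuration drift and Rule #2 asks for strong password policies and secured standard users such as SYSTEM. The following added example (not from the original slide deck or the SAST product) checks the [password_policy] section of a HANA indexserver.ini against a baseline; the baseline values are an assumed hardening target, not SAP defaults, and both ini fragments are constructed samples.

```python
# Added example (not from the original slide deck or the SAST product):
# a configuration-drift check for the [password_policy] section of the
# HANA indexserver.ini. The baseline values are an assumed hardening
# target, not SAP defaults; both ini fragments are constructed samples.
import configparser

# Assumed baseline: parameter -> (comparison, required value)
BASELINE = {
    "minimal_password_length": (">=", 12),
    "maximum_invalid_connect_attempts": ("<=", 5),
    "maximum_password_lifetime": ("<=", 90),
    "password_lock_time": (">=", 1440),
    "password_lock_for_system_user": ("==", "true"),
}

# Constructed sample of a drifted (weak) configuration
WEAK_INI = """[password_policy]
minimal_password_length = 8
maximum_invalid_connect_attempts = 10
maximum_password_lifetime = 182
password_lock_time = 60
password_lock_for_system_user = false
"""

# Constructed sample that meets the baseline
HARDENED_INI = """[password_policy]
minimal_password_length = 14
maximum_invalid_connect_attempts = 5
maximum_password_lifetime = 90
password_lock_time = 1440
password_lock_for_system_user = true
"""


def check_password_policy(ini_text, baseline=BASELINE):
    """Return (parameter, actual, expected) for each drifted or missing setting."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    section = cp["password_policy"] if cp.has_section("password_policy") else {}
    findings = []
    for param, (op, want) in baseline.items():
        if param not in section:  # unset parameters fall back to SAP defaults
            findings.append((param, None, f"{op} {want}"))
            continue
        raw = section[param].strip().lower()
        if op == "==":
            ok = raw == str(want)
        else:
            ok = int(raw) >= want if op == ">=" else int(raw) <= want
        if not ok:
            findings.append((param, raw, f"{op} {want}"))
    return findings
```

Run the check on every exported indexserver.ini on a schedule and alert on a non-empty result; a parameter that is absent is reported too, because it silently falls back to the SAP default rather than your baseline.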
13. Avoid HTTP-exposed packages
Ensure secure authentication methods
Follow development guidelines
Validate custom application security
Correct existing security weaknesses before migrating
Rule #3: Secure Application Development
Your code – your responsibility!
14. Enable audit log
Restrict audit authorizations
Secure access to audits and logs
Enrich SIEM systems with SAP log data
Rule #4: Establish Real-Time Monitoring
Real-time monitoring will not only identify threats, but will also help analyze them!
15. Define risk tolerance for each system
Set a patch management policy
Implement patches as quickly as possible
Rule #5: Security Patches
As soon as patches are released, the hacking community knows about them!
17. Maximum protection on all levels, thanks to SAST.
Hacker attacks
Espionage
Manipulation
Misuse of rights
Data theft
18. 4D SAST SOLUTIONS: Comprehensive protection in real-time!
Overview of our Suite
SECURITY INTELLIGENCE | PLATFORM SECURITY | IDENTITY AND USER ACCESS MANAGEMENT
SAST SUITE for SAP ERP or S/4HANA
Interface Management
System Security Validation
Authorization Management
Role Management
User Access Management
Download Management
Password Self Service
Risk and Compliance Management
Security Radar
Management Dashboard
Safe Go-Live Management
Code Advisor
Self-Adjusting Authorizations
Code Remediator
Superuser Management
HCM Read Access Monitoring
19. SAST SUITE for S/4HANA
Security: Technical Security for S/4HANA
Authorizations: Secure and efficient role management
Custom Code: Cleansing and optimizing custom code
20. SAST for S/4HANA
Technical Security
Close your security gaps in the areas: application server, operating system and databases
Best practice approach:
Check your current security level
Harden your system at all levels
Set up permanent security monitoring
The SAST SUITE for S/4HANA secures SAP systems and monitors them continuously and comprehensively.
21. SAST for S/4HANA
Securing Roles and Authorizations
S/4HANA requires a new role concept compared to SAP ERP
Especially for Fiori Apps roles/authorizations need to be re-designed
With the SAST role templates, the process is significantly accelerated
Due to our "Safe Go Live" there are no restrictions in operations
The SAST SUITE for S/4HANA supports you in effective and efficient role management.
22. SAST for S/4HANA
Securing Custom Code
Custom code analysis to identify existing weaknesses
Consider context information (usage statistics) to disable obsolete code
Reprogramming where appropriate
Identify and migrate/optimize "vital" applications
"Soft-Cleansing" enables code cleansing without restricting operations
The SAST SUITE for S/4HANA supports you in identifying and eliminating security vulnerabilities.
Bridge to S/4 because the login is web-based
Markus: NW login page with PHP behind it
Migrating on-premise to cloud:
- analyze interfaces
- rebuild interfaces
- a lot of coding
- open the firewall
SAP as a tunnel into the cloud
- DMZ
- Cloud Connector
- cloud specialists