This document discusses how hackers compromise SAP S/4HANA systems and how to protect yourself. It outlines 5 common ways that hackers attack S/4HANA, including social engineering, exploiting known vulnerabilities, phishing, exploiting custom development, and compromising basic security. It then provides 5 rules for protecting S/4HANA, which are hardening systems, managing users and roles, securing application development, establishing monitoring, and applying security patches. The document promotes a SAST security suite for comprehensively securing S/4HANA systems.

1. How hackers are
compromising
S/4HANA and
how you can
protect yourself
SAST WEBINAR
September 2019

2. Why S/4HANA is important for Attackers
Content Considerations
 S/4HANA contains business critical data  espionage target
 S/4HANA is central to business processes  sabotage target
Technology Considerations
 Fraud possibilities
 IT / Security has little experience with HANA
Complexity of security requirements increases with S/4HANA!
- 2 -

3. SAP HANA – a new complexity
- 3 -
http://help.sap.com/saphelp_hanaplatform/helpdata/en/37/d2573cb24e4d75a23e8577fb4f73b7/content.htm

4. 5 ways to attack
S/4HANA


5.  Social Engineering – the clever manipulation
of the natural human tendency to trust
 Practical Example:
 Call random numbers, pretend to be
IT support
 Eventually someone will enter “your”
commands
Risk #1: Social Engineering
5
Social Engineering is the most effective way of hacking!

6.  Many different ways using known exploits
in combination with hard-/software
 No special knowledge needed
(but useful if present)
 Practical Example:
 Wi-Fi-Pineapple: easily available,
including “appstore”
 Just enter the closest Starbucks….
Risk #2: The „Classical“ Hacker
6
Hackers don‘t need specific knowledge – everything is readily available on the internet!

7.  Fraudulently obtaining private information
 Usually with links to websites or malicious
documents attached
 Practical Example:
 E-Mail with Login-URL for HANA System
 PHP-Script in the background catches
user name/password
Risk #3: Phishing
7
„Thanks to“ social media, targeted phishing becomes a real issue!

8.  S/4HANA applications work via browser
 ABAP is still in the game – combined
with other programming languages
 Increased complexity in development
 Practical Example:
 Backdoor for specific users
Risk #4: Custom Development
8
Web applications must be secured on all levels!
Custom development needs to be scanned for security vulnerabilities!

9.  Reality: SAP HANA runs in parallel to existing systems
 SAP HANA includes separate security
functions
 Basic security features to be considered
 Practical Example:
 e.g.: 10KBLAZE
(Message Server, SAP Gateway…)
Risk #5: 10KBLAZE – Basis Security
9
Increased system landscape complexity with HANA means more security settings to keep in
mind
!

10. 5 rules to
protect
S/4HANA


11.  Ensure OS system security
 Validate all other (HANA) system security settings
 Secure communications for all connections
 Restrict access wherever necessary
Rule #1: System Hardening
11
Monitor all security settings – configuration drift is a real challenge!

12. Secure standard users (SYSTEM, <sid>adm, etc.)
Restrict authorizations
Use Single Sign-On
Strong Password Policies
Validate role concept for critical authorizaions and SoD conflicts
Rule #2: User and role management
12
Extensive privileges compromise the entire system!

13. Avoid http exposed packages
Ensure secure authentification methods
Follow development guidelines
Validate custom application security
Correct existing security weaknesses before migrating
Rule #3: Secure Application Development
13
Your code – your responsibility!

14.  Enable audit log
 Restrict audit authorizations
 Secure access to audits and logs
 Enrich SIEM systems with SAP log data
Rule #4: Establish Real-Time Monitoring
14
Real-Time Monitoring will not only identify threats, but will also help analyzing them!

15. Define risk tolerance for each system
Setting a Patch Management Policy
Implement patches as quickly as possible
Rule #5: Security Patches
15
As soon as patches are released, the hacking community knows about them!!

16. Securing HANA
with SAST SUITE


17. - 17 -
Maximum protection on all levels, thanks to SAST.
Hacker attacks
Espionage
Manipulation



Misuse of rights
Data theft

18. 4D SAST SOLUTIONS: Comprehensive protection in real-time!
Overview of our Suite
SECURITY INTELLIGENCEPLATFORM SECURITY IDENTITY AND USER ACCESS MANAGEMENT
SAST SUITE for SAP ERP or S/4HANA
Interface Management
System Security Validation Authorization Management
Role Management
User Access Management
Download Management
Password Self Service
Risk and Compliance Management
Security Radar
Management Dashboard
Safe Go-Live Management
Code Advisor
Self-Adjusting Authorizations
Code Remediator
Superuser Management
HCM Read Access Monitoring
- 18 -

19. SAST SUITE for S/4HANA
Security
 Technical Security for
S/4HANA
Authorizations
 Secure and efficient role
management
Custom Code
 Cleansing and optimizing
custom code
- 19 -

20. SAST for S/4HANA
Technical Security
 Close your security gaps in the areas: Application server, operating system
and databases
 Best practice approach:
 Check your current security level
 Harden your system at all levels
 Set up permanent security monitoring
- 20 -
The SAST SUITE for S/4HANA secures SAP systems and
monitors them continuously and comprehensively.


21. SAST for S/4HANA
Securing Roles and Authorizations
 S/4HANA requires a new role concept compared to SAP ERP
 Especially for Fiori Apps roles/authorizations need to be re-designed
 With the SAST role templates, the process is significantly accelerated
 Due to our "Safe Go Live" there are no restrictions in operations
- 21 -
The SAST SUITE for S/4HANA supports you in an effective
and efficient role management


22. SAST for S/4HANA
Securing Custom Code
 Custom code analysis to identify existing weaknesses
 Consider context information (usage statistics) to disable obsolete code
 Reprogramming where appropriate
 Identify and migrate/optimize "vital" applications
 "Soft-Cleansing" enables code cleansing without restricting operations
- 22 -
The SAST SUITE for S/4HANA supports you in identifying
and eliminating security vulnerabilities.


23. QUESTIONS?
WE ANSWER. FOR SURE.
PATRICK BOCH
Product Manager SAST SOLUTIONS
Tel: +49 40 88173-2702
E-Mail: patrick.boch@akquinet.de
Web: www.sast-solutions.de
© Copyright AKQUINET AG. Alle Rechte vorbehalten. Die vorliegende Publikation ist urheberrechtlich geschützt.
Alle Rechte, insbesondere das Recht der Vervielfältigung und Verbreitung sowie die Übersetzung, bleiben vorbehalten. Kein Teil der Dokumentation darf in irgendeiner Form (durch Fotokopie, Mikrofilm oder ein anderes Verfahren) ohne vorherige schriftliche Zustimmung
von AKQUINET AG reproduziert oder unter Verwendung elektronischer Systeme verarbeitet, vervielfältigt oder verbreitet werden. Die in dieser Publikation erwähnten Bezeichnungen sind teilweise auch eingetragene Warenzeichen der jeweiligen Anbieter und unterliegen als
solche den gesetzlichen Bestimmungen. Die Informationen in dieser Publikation sind mit größter Sorgfalt zusammengestellt worden. Es kann jedoch keine Garantie für die Verwendbarkeit, Richtigkeit und Vollständigkeit übernommen werden.
Für Schäden, die aus der Anwendung der Informationen entstehen können, übernimmt die AKQUINET AG keine Haftung.