Delta g ric_consulting_presentation_erpscan_2015

…Your SAP/Oracle Landscape Security Assurance
“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting
undetected on our systems for extended periods of time. The threat is real.
You are compromised; you just don’t know it.” – Gartner, Inc., 2012

www.deltagricconsulting.com
© 2015 DeltaGRiC Consulting (Pty) ltd. All Rights Reserved.
Agenda
Our Story
2
Who We Are
&
Who We Represent
ERPScan Clients /
Our Value
Associated
Challenges
SAP/Oracle Security
Why Us? Contact Us

Protecting your Business Critical Applications
from Cyber-Attacks
Until now there were NO solutions capable of performing integral
assessment procedures in Oracle (PeopleSoft) applications.
More importantly, no solution in the market covers all three areas
of SAP Security/Cyber Security under one umbrella allowing you
also to correlate data from different areas thus giving a customer
360-degree view on SAP Security

4
The wide-spread myth that ERP security is limited to SOD matrix has been dispelled lately and seems more like an ancient legend now.
Within the last 7 years SAP security experts have spoken a great deal about various attacks on SAP from RFC interface, SAPROUTER, SAP
WEB and SAP GUI client workstations. Also, the programs developed in SAP’s own language – ABAP, which exists in almost every
company to customize ERP solutions, can store program vulnerabilities left by unqualified developers or special backdoors which can
help insiders to gain illicit access to business data. Interest in the topic has been growing exponentially: in 2007, there would be 1
report on SAP at the technical conferences dedicated to hacking and security, whereas in 2012 there were more than 30 of them
already. A variety of hack tools has been released that prove the possibility of SAP attacks and simplify them for cybercriminals.
According to the statistics of vulnerabilities found in business applications, there were more than 100 vulnerabilities patched in SAP
products in 2009, while it grew to more than 500 in 2010. By January, 2013, there are more than 2500 SAP security notes about
vulnerabilities in various SAP components.
Most of these vulnerabilities allow an unauthorized user to gain access to all the critical business data, so it is necessary to think about
implementing a specific system of SAP security. Unfortunately, many information security officers are scarcely informed about the
security of business applications like SAP & Oracle.
Executive Summary
Tunde Ogunkoya [MBA, GRCP, SAP GRC AC10.0, OWASP]
Consulting Partner, DeltaGRiC Africa

5
Who we are
DeltaGRiC Consulting,
In Africa, we are the first of our kind, DeltaGRiC
Consulting is the first and yet the ONLY Consultancy
in the SAP Africa Eco-System that focuses on helping
organizations detect cyber security risks and
compliance violations affecting SAP and Oracle
(PeopleSoft) business platforms using ERPScan
Monitoring Suite (Exclusively)
We are an SAP Extended Business Member ; we
Design, implementation, Support, as well as Audit
of SAP solutions.
DeltaGRiC Consulting is a Technology Start-Up focusing on providing Advisory on Business Critical Application Security services
to African Businesses running on SAP and/or Oracle PeopleSoft platforms.
We are a niche trailblazer representing ERPScan in Africa; deploying the Industry's most respected solution; ERPScan
Monitoring Suite: A robust security assessment engine from ERPScan supporting all SAP Platforms including SAP NetWeaver
ABAP, SAP NetWeaver J2EE, SAP HANA, SAP Business Objects, SAP Mobile Platform and Oracle database checks associated
with SAP Security. Our Security assessment Engine also supports security checks for Oracle PeopleSoft application stack
including Oracle WebLogic and Oracle Database.
We are an SAP Extended Business Member in the SAP Africa Ecosystem.

6
Our Coverage
West, East, Central , South Africa
We operate across West, East, Central, South Africa and the rest of SADC via our Johannesburg and Lagos Offices
delivering professional Services to all forms of customers : SME and Large Enterprises alike.
West Africa
Lagos Hub
24 Mabinuori Shangisha, Magodo
Estates, Lagos Nigeria40%
South Africa
Johannesburg Office
1 Maxwell Drive,
Sunninghill, Johannesburg – South Africa40%
East Africa
Remotely working with
SAP Partners like AltTab
10%

7
Vision & Mission
What drives Us
Vision
To be the preferred partner of choice for customers in the area of SAP and Oracle Security in Africa by adding value to both new
& existing SAP and Oracle (PeopleSoft) customers across West, East, South and Central Africa in this specialized and niche
Security/Cyber Security domain.
Mission
To assist all SAP and Oracle customers continue to run optimally with a solid Security posture without fear of being hacked for
espionage, Financial fraud or Denial of Service purposes.
Core Values
We are the shield that is missing in the SAP/Oracle Security market space.
Innovation, Integrity and Quality are our Mantra

8
Our Story
From GRC to Applications Cyber Security Niche
Our Incorporation
2013 – Lagos, NG

9
Johannesburg Office
2015 – Representing ERPScan in Africa

10
What We DoFrom Consulting to implementation to Vulnerability Assessment to Forensics
We pay an enormous lot of attention to gaps in security so that our clients are always one step ahead of the bad guys
•Assist customers identify
gaps in their SAP/Oracle
Enterprise Security program
•Provide an in-depth view of
application configuration
settings or best practices on
SAP/Oracle
•Advise customers on
needed components to
reduce attack surface
•Go beyond traditional SOD
and integrate into SIEM
•Periodical deep
Vulnerability Assessment of
SAP and PeopleSoft
.
Enterprise Application
Security
•Achieve organizational
improvements and
transformation
•Increase business
profitability
•Optimize the investment
and lifecycle of your business
Critical Applications like SAP
•Consolidate cross-
functional information to
increase access to data.
Applications Consulting
We act as trusted advisors to
businesses of all sizes and
type. We assist organizations
with their technology
sourcing needs for effective
Cost optimization, thereby
helping them develop an
appropriate IT strategy that
caters to ALL their Business
Critical Application needs
Software Advisory
Basics and advanced technical
aspects of SAP security.
understanding of the architecture
of a typical SAP system along with
every component that could pose
attacks. Complete description of
SAP Gateway, Message Server, RFC
security, ITS, ABAP code
vulnerabilities, JAVA engine
attacks, authorizations, database
security, SAP GUI security etc
• How to conduct security
assessment of SAP systems;
• How to secure SAP systems
from attacks;
Practical experience from world
renowned experts;.
Security Training

11
Who We Represent
ERPScan – Industry's most respected Solution in SAP/Oracle Security
• Anonymous scan (pentest)
• System enumeration / monitoring
• Misconfiguration analysis
• Vulnerability assessment
• Access control
• ABAP code security assessment
• SoD (segregation of duties)
• Compliance to SAP, ISACA, DSAG and
OWASP-EAS
• Risk assessment and prioritization
Award Wining Solution
 The first and continue to be leading in
business application security research
 Reveal 3 most critical issues in SAP
 Leaders by the number of founded
vulnerabilities in SAP (over 500 CVE’s)
 60+ Innovative Presentations in
security conference
 Award-winning research papers “SAP
Security in figures”
 2nd Place on Top Web Hacking
Techniques 2012
 2007 reported vulnerabilities in SAP
and Oracle;
 2008 Acknowledged for
vulnerabilities in SAP and Oracle;
 2009 World-first public presentation
about SAP Frontend security;
 2010 World-first public presentation
include attacks on Oracle JDE;
 2010 reported vulnerabilities World-first
vulnerabilities in SAP BusnessObjects;
 2011 World-first public presentation about
SAP J2EE security;
 2011 World-first product to analyze SAP
J2EE Platform security;
 2012 World-First public presentation about
Oracle PeopleSoft attacks;
 2013 World-first Product to combine
vulnerability, Code and SOD checks in one
platform;
 2013 Invented new type of attack against
SAP and other applications– SSRF;
 2013 World-first vulnerabilities published in
SAP Mobile applications;
 2014 World-first Training about Business
Application Security;
 2015 World-first product to analyze Oracle
PeopleSoft Platform security;
 2015 World-first public presentation about
SAP Mobile Platform security

12
Who We Represent
ERPScan – Industry's most respected Solution in SAP/Oracle Security
• Anonymous scan (pentest)
• System enumeration / monitoring
• Misconfiguration analysis
• Vulnerability assessment
• Access control
• ABAP code security assessment
• SoD (segregation of duties)
• Compliance to SAP, ISACA, DSAG and
OWASP-EAS
• Risk assessment and prioritization
Award Wining Solution

13
References Using ERPScan
SAP
TNK-BP, Oil & Gas Industry
Tyumenskaya Neftyanaya Kompaniya,
Tyumen Oil Company
Listed as 235th in Fortune Global 500. Major vertically integrated
Russian oil company headquartered in Moscow. It was Russia's third-
largest oil producer and among the ten largest private oil companies in
the world on basis of its volume of Oil extraction. In 2013 it was
acquired by Russian oil company Rosneft
Brief
SAP Vulnerability Module, Source Code Module & SOD
Project Scope

14
SAP
KazTransOIl
KazTransOil is the national oil transporter in Kazakhstan accounting to 80 % of all oil
transported in the country. The company operates more than 6.400 km of oil pipelines
and 3.140 km of water pipelines.
KazTransOil is responsible for:
• Provision of services on oil and petroleum products transportation (pumping,
transshipment, unloading, loading, storage, blending) via main pipelines,
• Organization of transportation and transit of Kazakh oil via pipeline networks of other
states (operator’s activity on unified routing),
• Operation and technical maintenance of main pipelines, that belong to other legal
entities, Provision of services on water delivery via main pipeline and distribution
networks
• Provision of services on production, transfer and distribution of heating energy,
transfer and distribution of power,
• Implementation of other kinds of activity provided by the Charter
Brief
SAP Vulnerability Management, SAP Source Code Security Management,
SOD
Project Scope
KT-Oil, Oil& Gas Industry

15
SAP & Oracle
Arabtec, Engineering & Construction Industry
Arabtec
Arabtec Construction PJSC is the largest construction company in the
Persian Gulf by market value
Arabtec has executed a number of high-profile construction projects,
including the Burj Khalifa (the tallest building in the world), the fit out of
Burj Al Arab (fourth tallest hotel in the world that was constructed by Al
Habtoor Engineering Enterprises in partnership with Murray and
Roberts ), Terminal 1 of Dubai International Airport and passenger
terminal of Dubai World Central International Airport. Major high-
profile projects under execution include the underground cycle works
for Lakhta Center in St. Petersburg (the tallest building in Europe),
Infinity Tower and Dubai Sports City.
Brief
SAP Vulnerability Management, SAP Source Code Security, SOD , PeopleSoft
Assesment, Oracle DB
Project Scope

16
SAP & Oracle
Edeka – Retail Industry
Edeka
The Edeka Group is the largest German supermarket corporation,
currently holding a market share of 26%. Founded in 1898, it consists
today of several cooperatives of independent supermarkets all
operating under the umbrella organization Edeka Zentrale AG & Co KG,
with headquarters in Hamburg. There are approximately 4,100 stores
with the Edeka nameplate that range from small corner stores to
hypermarkets. On November 16, 2007, Edeka reached an agreement
with Tengelmann (known for A&P in the US) to purchase a 70% majority
stake in Tengelmann's Plus discounter store division
Brief
SAP Vulnerability Management, SAP Source Code Security, SOD , PeopleSoft
Assesment, Oracle DB
Project Scope

17
SAP & Legacy system
UkrSibbank, Financial Services Industry
Urksibbank BNP Paribas
group
UkrSibbank is a commercial bank based in Ukraine. It was registered on
June 18, 1990, and is the third largest bank in the country. It operates
more than 700 branches across the country and offers retail banking
services to individuals and organizations.
BNP Paribas takes the lead among foreign banks present in Ukraine in
terms of assets, net profits and market capitalization . follows a
balanced development strategy in retail and corporate banking.
Brief
SAP Vulnerability Management, SAP Source Code Security, SOD, Legacy
System
Project Scope

In 2006 –2010, according to ACFE, losses of companies to internal
fraud constituted 7% of yearly income (!)
18
Associated Challenges
SAP Security Problems
• Manager and not CISO frequently
bears responsibility for SAP security
• Lack of qualified specialists
• Great range of advanced
configuration
• Customizable configuration
• Automated scan of a large
landscape
Problems
SAPExternal Audit
costs
Compliance
Costs
Employees
training costs
Losses to
Insiders -
Losses to
hackers –
External

19
SAP Security Problems
SAP Cyber-Security GAP
Management often has a
false sense of confidence
that they have SAP covered,
while cybersecurity teams
feel they have little to no
visibility into SAP. It was also
apparent that the SAP
cyber-security gap is
becoming more ambiguous
because of asset mapping
issues – who houses the
“crown jewels” are being
secured on a daily basis..
SAP Patch Management Debacle
On average all companies are
working with an 18-month window
of vulnerability timeline. This
window starts with the time a
vulnerability is found to when a
patch is issued by SAP and finally
deployed by the organization itself.
Deployment is still the biggest
problem organizations face. In fact -
SAP has issued over 3300 patches in
total with 391 issued in 2014 alone.
That is 30+ per month on average.
With approximately 46% of patches
ranked as “critical” it’s difficult for
an organization to prioritize their
patches without disruption to the
business.
Misconfiguration
Companies are having a very
difficult time keeping track of
how systems are configured let
alone understanding their
entire SAP landscape. An
organization’s “Crown Jewels”
reside within SAP and
misconfigured SAP systems and
portals are open targets for
any adversary. Even if systems
have the latest patch installed,
a misconfiguration will allow
hackers to access key
information and business
processes. In most cases, an
attacker’s presence will go
unnoticed for months.
HANA / IoT
Organizations are moving to the new de-
facto database server HANA for new SAP
solutions. This changes everything as
organizations cannot view SAP as a
“legacy” system. Organizations have also
been told that with HANA they will be
more secure, however the fact is that
since 2014 there’s been a 450% increase
in new security patches and with 82%
considered “high priority”. Additionally as
organizations continue to advance their
SAP systems with rapid application
development, mobile deployments and
connecting a multitude of different
devices (think vending machines, water
meters, etc) to SAP via open APIs an
organization’s SAP attack surface is
expanding at a rapid pace let alone the
complexity of managing security risks.

Possible Exposed SAP Servers
in Africa
South Africa, Kenya, Nigeria
ShodanHQ Search: SAP
Google Search: SAP inurl:cmd=login
Google Search: peoplesoft inurl:cmd=login
Our Findings:
• Almost 5000 SAProuters were found on
Shodan and 85% of them vulnerable to
remote code execution
• Almost 30% growth of web-based SAP
solutions (90% growth of SAP Portal).
• Most popular release (35%) is still
NetWeaver 7.0, and it was released in
2005.
• One third of Internet-facing SAP web
services does not use SSL at all.
• 42%, of 549 PeopleSoft servers are
vulnerable to TokenChpoken attacks (18
Fortune 500 companies, and 25
enterprises included in Forbes’ Global
2000 list. One of the world’s largest
pharmaceutical companies is also at risk.)
• Number of internet-exposed services is 3-
5 times lower (depends on the service)
but still relevant.
May, 2015

Continuous Public Publishing
of Vulnerabilities
Global Security Researchers
BUT
No Pentest Information Available
CVE?
CVSS ??
Risk Prioritization
• CVE’s common identifiers enable
data exchange between security
products and provide a baseline
index point for evaluating coverage
of tools and services
• CVSS, is a vulnerability scoring
system designed to provide an open
and standardized method for rating
IT vulnerabilities. CVSS helps
organizations prioritize and
coordinate a joint response to
security vulnerabilities by
communicating the base, temporal
and environmental properties of a
vulnerability

22
SAP Security Successful Attacks
2012 2014 2015

ERPScan for
Enhance Security and Decrease TCO
All 3 Areas of SAP Security
Benefits Highlight
• Unique. The only award-winning
solution to address 360-degree sap
security protection.
• Enterprise. Continuous monitoring of
vast landscapes (fast
implementation, easy to use,
scalable). Detailed largest database
of 7500+ SAP Security Checks.
• Industry-specific. Include specific
checks for different Systems and
industry solutions such as Oil and
Gas, Retail, Banking and more.
• Cloud and SAAS support. Can be
implemented as a virtual appliance,
in cloud or as SAAS.
• Agent-less. Doesn’t require any
agents or modification of SAP
Platforms.

24
Our FlagShip Solution
ERPScan Monitoring Solution for SAP
Conduct complex security assessment,
scanning SAP servers for software
vulnerabilities and misconfigurations. It
also performs assessment for
compliance to current standards and
best practices including SAP best
practices and ISACA guidelines
The compliance block includes:
1. DSAG compliance guideline
2. OWASP-EAS for SAP guideline
3. Password Bruteforce
4. Blackbox pentest
5. Whitebox Security Assessment
Vulnerability Management
With the help of this module, it is easy
to find users which have the rights to
execute critical actions that can lead to
fraud
Retrieves history of executed
transactions to understand if access is
really needed by user. It will help to
easily remove up to 70% of users that
don’t need a specific kind of access.
Segregation of Duties
It is a SAST tool developed especially for
ABAP language, able to find critical issues
and backdoors in custom source code.
predefined lists for different business areas
like BASIS, HR, FI, and others, and you can
also customize your own lists.
Identification of Backdoors
Scanning for Transport request,
development request and dictionary
objects
Source Code Security
The Only Solution in the Market that addresses all three sides of SAP Security:
Vulnerability Management, Source Code Security, SOD

25
Oracle(PeopleSoft) Security Successful Attacks
2
5

ERPScan for
Enhance Security and Decrease OPEX
Until now, NO other Solution
Benefits Highlight
• Unique. The only award-winning
solution to address Oracle security
protection.
• Enterprise. Continuous monitoring of
vast landscapes with Topological
maps
• Comprehensive Coverage Industry-
specific. and Largest database of
Oracle PeopleSoft Critical issues and
0-day .
• Cloud and SAAS support. Can be
implemented as a virtual appliance,
in cloud or as SAAS.
• Agent-less. Doesn’t require any
agents or modification of Oracle
PeopleSoft

27
Business Benefits of ERPScan
What you stand to gain
Prevent cybercriminals; by
continuous monitoring of key security
areas and automatic vulnerability
assessment
Prevent Insider Attacks; by using our
SoD module which analyzes all critical
privileges and their segregation
Prevent Development Mistakes; by
code review of custom transactions
and reports
Stay Secure
Compliance Cost; with integrated compliance
modules including key recommendations from
SAP, ISACA, DSAG and OWASP
Cost from Manual Assessment; with automatic
monitoring of all security-related options
Training Cost on SAP Security; by using
integrated knowledge base on SAP security
with detailed description and remediation steps
Decrease Expenses
Easy Implementation; in less than one hour,
you can start working after installing system
as software, virtual appliance or SAAS.
Fast Scans; with our new engine, you can
analyze more than 7000 parameters in 5
minutes
Scalability; you can effectively monitor huge
amount of systems from various locations
and easily manage them from every place
using a web browser
Save Time
ERPScan is the most respected and credible Business Application Security provider. Founded in 2010, the company
operates globally. Named as an ‘Emerging vendor’ in Security by CRN and distinguished by more than 25 other awards -
ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities.
ERPScan consultants work with SAP SE in Walldorf supporting in improving security of their latest solutions.
ERPScan’s primary mission is to close the gap between technical and business security, and provide solutions to evaluate and secure
ERP systems and business-critical applications from both, cyber-attacks as well as internal fraud.

28
Advantage By Role
Solution is Role Centric As well
• Fraud risk mitigation
• Compliance (SOX)
• Large knowledge
database
• Financial department
control
CFO
• Resource inventory
• Critical SAP systems
security control
• Lower yearly audit
costs
• Compliance
• Also, excellent
translation from SAP
language to IS
language
CTO
• Whole landscape
security controlled
• Routine automated
• Large knowledge
database
• Compliance
• Integrate into SIEM –
IBM Qradar, SAP
ITSM
CISO / CRO
• Time Saver
• Competence Booster
• Routine Automated
• Always a Step ahead
of Rivals
External Consultant

29
Why Work with Us?
Beyond Implementation; Specialized Focus in Cyber Risk on SAP/Oracle
We are the ONLY Consultancy that focuses on helping organizations detect cyber security risks and compliance violations
affecting SAP and Oracle (PeopleSoft) business platforms using ERPScan Monitoring Suite.; Industry's most respected
Security Assessment Tool for SAP and Oracle Landscapes.
We operate in the SAP Ecosystem as an EBM - SAP Extended Business Member, This means we have access to SAP by
combining our sales, development, and implementation skills and solutions with SAP Channel Partner to add more value to
YOU
We are the first in SAP Africa EcoSystem
Innovative Offering
ONLY consultancy outfit within the
SAP Ecosystem in Africa to deliver
Cyber Security as a niche offering.
Team-Skill Matrix
Ex-SAP, Oracle Stints, OWASP , GRCP,
SAP GRC, Industry domain Knowledge,
Cyber Security, Malware Underground
Economy
Robust Support
• Follow the Sun
• Follow the Moon
• Never keep you hanging
Strategic Partnership
• SAP Extended Business Member
• ERPScan Exclusively for West, East ,
Central, South Africa and SADC

30
Contact Us
Nigeria | South Africa | Kenya
XtraSpace Flexi Offices, 24 Mabinuori, Shangisha
1 Maxwell Drive, Magodo Estates
Sunninghill, JHB, South Africa Lagos - Nigeria
T: +27 11 052 2846 | DL: +27 11 083 9828 |+1 408 641 4307
info@deltagricconsulting.com
Thank You

Delta g ric_consulting_presentation_erpscan_2015

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to Delta g ric_consulting_presentation_erpscan_2015

Similar to Delta g ric_consulting_presentation_erpscan_2015 (20)

Recently uploaded

Recently uploaded (20)

Delta g ric_consulting_presentation_erpscan_2015