This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.
Assess and monitor SAP security
1. Invest in security to secure investments
Assess and Monitor SAP Security with ERPScan
2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3. ERPScan and SAP
"We would like to thank the world-class security experts of ERPScan for the highly qualified job performed to help us assess the security of our pre-release products."
Senior Director, Head of Global Security Alliance Management, Product Security, Technology and Innovation Platform, SAP Labs, Palo Alto, USA
4. Business application security
All business processes are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in a company's ERP. This information can include financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at a victim's ERP system and can cause significant damage to the business.
5. Big companies
Diagram of a typical large-company landscape: Portal, HR, Logistics, Warehouse, ERP, Billing, Suppliers, Customers, Banks, Insurance, Partners, Branches, BI, Industry, CRM, SRM.
6. SAP
• The most popular business application
• More than 250000 customers worldwide
• 83% of Forbes 500 companies run SAP
• Main system - ERP
• Platforms:
- NetWeaver ABAP
- NetWeaver J2EE
- BusinessObjects
- SAP HANA
7. SAP Security threats: Espionage
• Financial data, financial planning (FI)
• HR data, personal and contact details (HR)
• Customer lists
• Corporate secrets (PLM)
• Supplier tenders (SRM)
• Customer lists (CRM)
Cyber criminals need only to gain access to one of the described systems to successfully steal critical information.
8. SAP Security threats: Sabotage
• Denial of Service
– Incurs huge costs
• Data modification to cause damage
– Delete critical information
• SCADA connections
– Common to see connections between ERP and SCADA/MES/SmartGrid
9. SAP Security threats: Fraud
• Manipulate automated transaction systems
• Generate false payments
• Move money
• Salary modification
• Material management fraud
• Mistaken transactions
The Association of Certified Fraud Examiners estimates that corporations on average lose 6% of revenue to fraud (2013).
10. SAP Security notes
Chart: number of SAP Security notes per year, 2001 to 2014 (y-axis 0 to 900).
By April 2014 - 2974 SAP Security notes.
13. What can be next?
• Just imagine what could be done by breaking:
– One ERP system
– All business applications of a company
– All ERP systems in a particular country
14. Ease of development
It is very easy, by the way:
• Price of a vulnerability is low
• Patching is a nightmare
• Generating an exploit is easy
• Interconnection is high
• Availability via the Internet
15. SAP NetWeaver ABAP - versions
Pie chart: NetWeaver ABAP versions by popularity. Shares shown: 35%, 23%, 19%, 11%, 6%, 5%. Releases in the legend: 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004).
The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!
16. Systems are highly interconnected
• Systems are highly connected with each other by trust relationships
• Even between companies they are connected by XI/PI systems
• Remember also SSRF? (Attack on SAP XI from BlackHat)
– http://cwe.mitre.org/data/definitions/918.html
– Second place in Top 10 web application techniques 2012
– Allows bypassing firewall restrictions and directly connecting to protected systems via connected systems
18. Business applications on the Internet
• Companies have Portals, SRMs, CRMs remotely accessible
• Companies connect different offices by ESB
• SAP users are connected to SAP via SAPRouter
• Administrators open management interfaces to the Internet for remote control
19. Business applications on the Internet
SAP HTTP services can be easily found on the Internet:
• inurl:/irj/portal
• inurl:/IciEventService sap
• inurl:/IciEventService/IciEventConf
• inurl:/wsnavigator/jsps/test.jsp
• inurl:/irj/go/km/docs/
20. SAP Router
• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
• Internet accessible (approximately 5000 IPs)
• http://www.easymarketplace.de/saprouter.php
21. SAP Router: known issues
• Absence of ACL - 15%
– Possible to proxy any request to any internal address
• Information disclosure about internal systems - 19%
– Denial of service by specifying many connections to any of the listed SAP servers
– Proxy requests to the internal network if there is an absence of ACL
• Insecure configuration, authentication bypass - 5%
• Heap corruption vulnerability - 85%
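The "absence of ACL" issue above is a check an SAP Basis or security team can run against its own SAProuter route permission table. The following audit script is an added example, not part of the deck and not ERPScan's code; it assumes the saprouttab entry format documented by SAP (`P`/`S`/`D` action, source host, destination host, destination port, optional password, `*` wildcards, `#` comments), and the sample table it scans is constructed.

```python
"""Audit a saprouttab (SAProuter route permission table) for the weakness the
slide names: an absent or wildcard ACL that lets anyone proxy to any internal
address.  Added example, not ERPScan's code.  Assumed format (SAP docs):
<P|S|D> <source-host> <dest-host> <dest-port> [password]; P permits any
protocol, S only the SAP protocol, D denies, * is a wildcard, # a comment."""
from dataclasses import dataclass

SAMPLE_SAPROUTTAB = """\
# constructed sample: one wide-open wildcard entry and no closing deny rule
P 10.0.0.0/8  sapprd01  3200
P *           *         *
S 10.0.1.5    sapdev01  3201  s3cret
"""

@dataclass
class Route:
    action: str         # P, S or D
    source: str         # client host / network
    dest: str           # internal target host
    port: str           # target service / port
    password: str = ""  # optional route password

def parse_saprouttab(text: str) -> list[Route]:
    routes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("P", "S", "D"):
            raise ValueError(f"unparseable route entry: {raw!r}")
        routes.append(Route(*fields[:5]))
    return routes

def audit_saprouttab(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    routes = parse_saprouttab(text)
    findings = []
    for r in routes:
        if r.action == "D":
            continue
        if r.dest == "*":                      # reachable: every internal host
            findings.append(f"{r.action} {r.source} * {r.port}: may be proxied to any internal host")
        if r.action == "P" and r.port == "*":  # native (non-SAP) protocol to every port
            findings.append(f"P {r.source} {r.dest} *: non-SAP protocol allowed to every port")
    last = routes[-1] if routes else None
    if last is None or (last.action, last.source, last.dest) != ("D", "*", "*"):
        findings.append("no final 'D * * *' entry: add an explicit deny-all as the last rule")
    return findings
```

Run `audit_saprouttab(open("saprouttab").read())` against a real table; the constructed sample yields three findings (the wildcard host entry, its wildcard port, and the missing deny-all).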
22. Port scan results
• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not
• In 2011, we ran a global project to scan all of the Internet for SAP services
• It is not completely finished yet, but we have the results for the top 1000 companies
• We were shocked when we first saw them
23. Port scan results
Chart: exposed services in 2011 vs 2013 (scale 0 to 35) for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server and SAP Router.
Listed services should not be accessible from the Internet.
24. Why?
Why are there not many public examples of breaches if the situation is so bad?
25. Examples
• Fraud - very popular inside companies, but you see only some incidents (nobody wants to share)
• Sabotage - at this moment it is maybe easier to DDoS than DoS, but we will see
• Espionage - this is what we don't see much of, because it is designed to be unseen. You never know about it, especially if you don't enable logging
26. SAP Security Forensics
• There is not much information in public
• Companies are not interested in publication of compromises
• But the main problem is here:
– How can you be sure that there was no compromise?
– Only 10% of systems have the Security Audit Log enabled*
– Only a few of them analyze those logs
– And much fewer do central storage and correlation
* Based on the assessment of over 250 servers of companies that allowed us to share results.
27. Percent of enabled log options*
• ICM log (icm/HTTP/logging_0): 70%
• Security audit log in ABAP: 10%
• Table access logging (rec/client): 4%
• Message Server log (ms/audit): 2%
• SAP Gateway access log: 2%
* Based on the assessment of over 250 servers of companies that allowed us to share results.
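The five log options above are profile parameters, so the same check can be run on your own DEFAULT.PFL or instance profile. The script below is an added example, not part of the deck and not ERPScan's code: `icm/HTTP/logging_0`, `rec/client` and `ms/audit` are the names given on the slide, while `rsau/enable` (Security Audit Log) and `gw/logging` (gateway log), the on/off value conventions, and the sample profile fragment are assumptions.

```python
"""Report which of the logging options from the slide are switched on in an
SAP profile (DEFAULT.PFL / instance profile).  Added example, not ERPScan's
code.  icm/HTTP/logging_0, rec/client and ms/audit are named on the slide;
rsau/enable (Security Audit Log) and gw/logging (gateway log) are assumed
from SAP documentation, as are the on/off value conventions checked below."""

SAMPLE_PROFILE = """\
# constructed profile fragment: only the ICM HTTP log is active
icm/HTTP/logging_0 = PREFIX=/, LOGFILE=icmhttp.log, LOGFORMAT=SAPSMD2
rec/client = OFF
ms/audit = 0
"""

LOG_PARAMS = {
    "icm/HTTP/logging_0": "ICM HTTP log",
    "rsau/enable":        "Security Audit Log (ABAP)",
    "rec/client":         "Table change logging",
    "ms/audit":           "Message Server audit log",
    "gw/logging":         "Gateway access log",
}

def parse_profile(text: str) -> dict[str, str]:
    """Profile syntax: 'name = value', '#' comments; later entries override."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)      # value may itself contain '='
            params[key.strip()] = value.strip()
    return params

def logging_enabled(name: str, value) -> bool:
    if value is None:                            # parameter absent: kernel default, treat as off
        return False
    if name == "rec/client":                     # OFF disables; ALL or a client list enables
        return value.upper() != "OFF"
    if name in ("rsau/enable", "ms/audit"):      # numeric switches: 0 = off
        return value not in ("", "0")
    return value != ""                           # ICM / gateway: any log spec means on

def audit_logging(text: str) -> dict[str, bool]:
    params = parse_profile(text)
    return {p: logging_enabled(p, params.get(p)) for p in LOG_PARAMS}

def report(text: str) -> str:
    status = audit_logging(text)
    rows = [f"{'ON ' if on else 'OFF'}  {LOG_PARAMS[p]} ({p})" for p, on in status.items()]
    return "\n".join(rows) + f"\n{sum(status.values())}/{len(status)} log options enabled"
```

Parameters set dynamically (transaction RZ11) or in a profile you did not pass in will not be seen, so feed it the effective profile of each instance.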
28. SAP Security Problems
• How to protect ourselves from fraud and cyber-activities?
• How to automate security checks for big landscapes?
• How to decrease costs?
• How to prioritize updates?
29. 3 areas of SAP Security
2002
• Business logic security (SOD)
• Prevents attacks or mistakes made by insiders.
• Solution: GRC
2008
• ABAP code security
• Prevents attacks or mistakes made by developers.
• Solution: Code audit
2010
• Application platform security
• Prevents unauthorized access both within the corporate network and from remote attackers.
• Solution?
30. Long-awaited product
The only solution in the market to assess 3 tiers of SAP Security
31. ERPScan Security Monitoring Suite
Architecture diagram: Connectors, JAVA, Security audit module, ABAP code scan module, Control SOD module, Output.
32. ERPScan in details
Component diagram (a leftover text box on the slide reads "ABAP code security analysis"). Labels: Connectors, ABAP, JAVA, Metrics, Risk assessment, Compliance, Reports, Output interfaces, Users, Projects, Inventory, Control functions, Misconfigurations, Vulnerabilities, Critical access, Audit, ABAP code scan, Vulnerabilities, Backdoors, Efficiency, Router, HANA, SoD, Role optimization, SoD Monitoring, Critical privileges, Oracle.
33. Audit Module
• System enumeration
• Anonymous scan (pentest)
• Exploitation
• Whitebox scan
• Configuration analysis
• Access control
• Search for vulnerabilities
• Compliance: SAP, ISACA, DSAG, EAS-SEC, PCI DSS, Industry (Oil and Gas)
Incredible speed: our completely revised engine can now analyze an SAP system with 5000 users for critical access and SOD matrix in 5-10 minutes on a good PC!
38. Monitor
• Compare results from different scans
• Obtain high-level stats
• Monitor security events
The built-in monitoring capability helps you to effectively manage the dynamics between different scans. You can schedule monitoring for the most critical parameters of SAP systems.
39. Business benefits: Stay secure
• Prevent from cybercriminals - by continuously monitoring key security areas and automatic vulnerability assessment.
• Prevent from insiders - by using our SOD module and analyzing all critical privileges and their segregations.
• Prevent from developer mistakes - by code review of custom transactions and reports.
40. Business benefits: Save time
• Easy implementation - in less than one hour you can start work after installing the system as software, a virtual appliance or SaaS.
• Fast scans - with our new engine you can analyze more than 7000 parameters in 5 minutes.
• Scalability - you can effectively monitor a huge amount of systems from various locations and easily manage them from every place using a web browser.
41. Business benefits: Decrease expenses
• Save on compliance - with integrated compliance modules on key recommendations from SAP, ISACA, DSAG and OWASP.
• Save on manual assessment - with automatic monitoring of all security-related options.
• Save on SAP security education - by using the integrated built-in knowledge base about SAP Security with detailed information and remediation steps.
42. Getting better every day
• More than 7300 configuration checks
• More than 2600 vulnerability checks
• More than 110 issues in ABAP
Analysis of misconfigurations, vulnerabilities and critical authorizations for ABAP, JAVA, HANA.
46. About us
• Leading SAP AG partner in discovering and solving security vulnerabilities
• Found more than 250 (120 published) security vulnerabilities in SAP
• Frequent speakers at 50+ top security conferences: BlackHat, RSA
• Leads the EAS-SEC project focused on technical aspects of ERP security
The company expertise is based on research conducted by the ERPScan research center.
47. And also
We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
web: erpscan.com
e-mail: info@erpscan.com, sales@erpscan.com