
GRC 2013 Preventing Cyber Attacks for SAP - Onapsis Presentation


Presented by Mariano Nunez, CEO of Onapsis

  • Incredibly useful presentation. Could you please send a PDF document so that I can print and keep it or provide save capability.

    Thank you
    JR
    SAP Security Admin


  1. Preventing Cyber Attacks: How to Address 11 Risks That Could Leave Your SAP System Vulnerable
     Mariano Nunez, Onapsis. © Copyright 2013 Wellesley Information Services, Inc. All rights reserved.
  2. What We'll Cover …
     • Introduction
     • Why Segregation of Duties is not enough
     • 11 risks that could render your platform vulnerable
     • From the trenches – The current state of SAP security
     • Protecting our SAP platform
     • Wrap-up
  3. Cyber Attacks on SAP Systems: Why?
     • In 2012, cybercrime costs rose nearly 40 percent and attack frequency doubled (Ponemon Institute)
       - Industrial espionage
       - State-sponsored attacks
     • Why would someone attack our ERP platform?
       - It runs our business-critical processes
       - It stores our most sensitive information
       - Our organization is highly dependent on it
     • Therefore, by nature, ERP platforms are the perfect target for espionage, sabotage, and financial fraud attacks
  4. Espionage, Sabotage, and Financial Fraud
     • Espionage
       - How much would the information stored in our SAP systems be worth to our biggest competitor?
     • Sabotage
       - How much money would we lose if our SAP system were kept offline for several hours or even days?
     • Financial fraud
       - What would be the economic impact if someone were able to manipulate all our financial information and processes without any kind of restrictions or controls?
  5. Common (Dangerous) Misconceptions
     • "Our SAP system is only accessible internally (trusted networks)"
       - We had better check! Attackers can find SAP systems online using simple Google queries and public search engines (the slide shows two example searches returning 63,100 and 4,470 results)
       - The Internet is NOT the only untrusted network!
         - Outsourced contractors doing remote SAP administration
         - Our own end-user network (malicious employees, spear-phishing attacks, etc.)
  6. Common (Dangerous) Misconceptions (cont.)
     • "Our SAP system has never been hacked"
       - Can we really be sure?
       - Do we have the Security Audit Log enabled?
       - Do we have all the "other" logs enabled?
       - If so, are we reviewing them periodically?
     • "SAP systems are intrinsically insecure/secure"
       - SAP systems are no different from any other software
       - Most of the most commonly found security gaps can be mitigated if customers follow the SAP security guidelines and implement SAP Security Notes promptly
  7. Common (Dangerous) Misconceptions (cont.)
     • "We only need to audit/secure our Production systems"
       - "A chain is as strong as its weakest link"
       - Think like an attacker: how would you try to break in?
         - Go after the usually-audited, probably-more-secure Production system? OR …
         - Break into a Development environment, and then "jump to" Production (shared passwords, RFC pivoting, etc.)?
  8. Common (Dangerous) Misconceptions (cont.)
     • "The risk of our SAP system being attacked is low"
       - We are not fighting against "script kiddies," but malicious organizations with vast resources and capabilities
       - Information about SAP vulnerabilities has been in the public domain for 10+ years!
  9. Common (Dangerous) Misconceptions (cont.)
     • "The risk of our SAP system being attacked is low" (cont.)
       - In October 2012, the hacktivist group Anonymous claimed intent to exploit SAP systems
       - It was the first time this kind of news hit the headlines
       - Anonymous claimed to have broken into the Greek Ministry of Finance (to be confirmed) and stated: "We have new guns in our arsenal. A sweet 0day SAP exploit is in our hands and oh boy we're gonna sploit the hell out of it."
  10. What We'll Cover … (agenda slide, same content as slide 2)
  11. Towards a Holistic SAP Security Approach
      • For several years, "SAP Security" was a synonym of "Segregation of Duties controls" (a.k.a. user roles and profiles)
        - Auditing and enforcing SoD controls is a critical piece of the SAP platform's security. The only problem is that it is not enough.
      • An SAP system can be divided into several layers (shown on the slide as a stack, top to bottom):
        - SAP Solution: SAP Business Logic, SAP Application Layer
        - Base Infrastructure: Database, Operating System
  12. The SAP Application Layer
      • SoD controls only protect the Business Logic layer!
      • The SAP Application Layer (SAP NetWeaver®/BASIS) is critical, and has traditionally been overlooked
        - It handles critical tasks and components such as authentication, authorization, interfacing, audit logging, etc.
        - Successful attacks on this layer would result in a complete compromise of the SAP system (SAP_ALL or equivalent)
  13. The Evolution of SAP Security Notes
      • Vulnerabilities discovered in SAP applications are patched by SAP and released to customers as SAP Security Notes
      • Each Security Note solves one or more vulnerabilities
      • (Chart: SAP Security Notes per year) In September 2010, SAP started releasing Security Notes periodically (2nd Tuesday of every month)
  14. Anatomy of an SoD Violation Attack
      • Diagram steps: 3 - Access with valid SAP user → 4 - High privileges obtained → 5 - Access to sensitive info/process
      • Context:
        - Attacker needs a valid user account
        - This user must have high privileges
        - Probability of detection: Med-High
  15. Anatomy of an SAP Application Layer Attack
      • Diagram steps: 1 - Vulnerability identified → 2 - Vulnerability exploited → 4 - High privileges obtained → 5 - Access to sensitive info/process
      • Context:
        - Exploitation usually does not require a valid user account (anonymous!)
        - Exploitation usually leads directly to high privileges
        - Probability of detection: Low
  16. What We'll Cover … (agenda slide, same content as slide 2)
  17. The BIZEC TEC/11
      • BIZEC is a non-profit organization with the mission of analyzing current and future threats affecting ERP systems
      • Current initiatives covering SAP solutions:
        - APP/11: The most common ABAP security issues
        - TEC/11: The most common SAP Application Layer security issues
      • In this presentation, we will cover BIZEC TEC/11
  18. 11 Risks Affecting the SAP Application Layer
      • BIZEC TEC-01: MISSING SAP SECURITY NOTES
        - Risk: The SAP platform is running on technological components whose versions are affected by reported security vulnerabilities, and the respective SAP Security Notes have not been applied
        - Business Impact: Attackers would be able to exploit reported security vulnerabilities and perform unauthorized activities over the business information processed by the affected SAP system
  19. 11 Risks Affecting the SAP Application Layer (cont.)
      • BIZEC TEC-02: STANDARD USERS WITH DEFAULT PASSWORDS
        - Risk: Users created automatically during the SAP system installation, or other administrative procedures, are configured with default, publicly-known passwords
        - Business Impact: Attackers would be able to log in to the affected SAP system using a standard SAP user account. As these accounts are usually highly privileged, the business information would be exposed to espionage, sabotage, and fraud attacks.
  20. 11 Risks Affecting the SAP Application Layer (cont.)
      • BIZEC TEC-03: DANGEROUS SAP WEB APPLICATIONS
        - Risk: The SAP Application Server is providing Web applications with reported security vulnerabilities or sensitive functionality (XSS, SQL Injection, Invoker Servlet detour, Verb Tampering, XXE Tunneling, etc.)
        - Business Impact: Attackers would be able to exploit vulnerabilities in such Web applications, enabling them to perform unauthorized activities over the business information processed by the affected SAP system
  21. 11 Risks Affecting the SAP Application Layer (cont.)
      • BIZEC TEC-04: UNSECURED SAP GATEWAY
        - Risk: The SAP Application Server's Gateway is not restricting the starting, registration, or cancellation of external RFC servers
        - Business Impact: Attackers would be able to obtain full control of the SAP system. Furthermore, they would be able to intercept and manipulate interfaces used for transmitting sensitive business information.
  22. 11 Risks Affecting the SAP Application Layer (cont.)
      • BIZEC TEC-05: UNSECURED SAP/ORACLE AUTHENTICATION
        - Risk: The SAP ABAP Application Server authenticates to the Oracle database through the external OS authentication scheme, and the Oracle listener has not been secured
        - Business Impact: Attackers would be able to obtain full control of the affected SAP system's database, enabling them to create, view, modify and/or delete any business information processed by the system
  23. 11 Risks Affecting the SAP Application Layer (cont.)
      • BIZEC TEC-06: INSECURE RFC INTERFACES
        - Risk: The SAP environment is using insecure RFC connections from systems of a lower security-classification level to systems with higher security-classification levels
        - Business Impact: Attackers would be able to perform RFC pivoting attacks by first compromising an SAP system with low security classification and, subsequently, abusing insecure interfaces to compromise SAP systems with higher security-classification levels (e.g., from DEV → PRD)
  24. 11 Risks Affecting the SAP Application Layer (cont.)
      • BIZEC TEC-07: UNSECURED SAP MESSAGE SERVER
        - Risk: The SAP System's Message Server is not restricting the registration of SAP Application Servers, therefore allowing access to unauthorized systems
        - Business Impact: Attackers would be able to register malicious SAP Application Servers and perform man-in-the-middle attacks, being able to obtain valid user access credentials and sensitive business information. Attacks against user workstations would also be possible.
  25. 11 Risks Affecting the SAP Application Layer (cont.)
      • BIZEC TEC-08: INSECURE SAP ADMINISTRATION AND MONITORING SERVICES
        - Risk: The SAP platform is not protected against unauthorized access to sensitive administration or monitoring services, such as the SAP Management Console, the P4 interface, SDM, Solution Manager, Transport Management System, etc.
        - Business Impact: Attackers would be able to access administration or monitoring services and perform unauthorized activities over the affected SAP systems, possibly leading to espionage and/or sabotage attacks
  26. 11 Risks Affecting the SAP Application Layer (cont.)
      • BIZEC TEC-09: INSECURE SAP NETWORK FILTERING
        - Risk: The SAP platform network is not properly isolated from untrusted networks, both external and internal, and intrusion detection/prevention systems have not been implemented
        - Business Impact: Attackers would be able to access sensitive SAP network services and possibly exploit vulnerabilities and unsafe configurations in them, leading to the execution of unauthorized activities over the affected SAP platform
  27. 11 Risks Affecting the SAP Application Layer (cont.)
      • BIZEC TEC-10: INSECURE SAPROUTER IMPLEMENTATION
        - Risk: The SAProuter Route Permission Table is not properly configured to allow connections only from/to authorized systems, the use of native protocols is not restricted, and/or logging features are not properly configured
        - Business Impact: Attackers would be able to access SAP and non-SAP systems from untrusted networks, potentially launching attacks against the reachable systems
  28. 11 Risks Affecting the SAP Application Layer (cont.)
      • BIZEC TEC-11: UNENCRYPTED COMMUNICATIONS
        - Risk: The confidentiality and integrity of communications in the SAP landscape is not enforced. These communications comprise SAP-to-SAP connections as well as interactions between SAP servers and external systems, such as user workstations and third-party systems.
        - Business Impact: Attackers would be able to access sensitive technical and business information being transferred to/from the SAP environment
  29. What We'll Cover … (agenda slide, same content as slide 2)
  30. From the Trenches
      • It is critical to provide innovative solutions that help customers continuously assess and protect their SAP systems, complementing their existing SoD efforts
      • A quick look: SAP Penetration Tests
        - The goal of these projects is to identify existing vulnerabilities and understand the business impact of a cyber attack
        - Done without SAP user credentials
        - Performed remotely (VPN)
        - Only informed of the IP addresses of the SAP systems (in order to save time)
  31. From the Trenches – The Results
      • Over 95% of the evaluated systems were exposed to espionage, sabotage, and fraud attacks
      • Less than 5% of them had the Security Audit features enabled
      • None of them had the latest SAP Security Notes applied
      • In most cases, the attack vectors that led to the initial compromise resulted from the exploitation of vulnerabilities that had been publicly known for more than 5 years
  32. What We'll Cover … (agenda slide, same content as slide 2)
  33. Protecting Our SAP Platform
      • The good news is that it is possible to significantly reduce the probability of successful cyber attacks on our SAP platforms
      • From an ROI perspective, it is better to focus on mitigating the threats that would result in the initial compromise. Once an attacker has full control, it is very difficult to stop him.
      • SAP is doing a great job and has significantly boosted its initiatives to provide more open and detailed standards and guidelines, specifically focused on the aspects we covered in this presentation
  34. Protecting Our SAP Platform (cont.)
      • We have to approach the security of the SAP platform holistically:
        - All the layers (OS, DB, SAP Application Layer, SAP Business Logic) must be protected. Failing to secure one would jeopardize the security of the entire system.
      • We have to secure the entire platform:
        - Every Landscape in the organization
        - Every System in each Landscape (not just PRD)
        - Every Client in each System (not just the Production one)
        - Every Application Server in each System (not just the CI)
        - Every security-relevant parameter of the 1,500+ available (ABAP systems)
  35. Tips for Mitigating the 11 Risks
      • Please bear in mind that these are only high-level guidelines! Mitigating each of these risks requires a deeper analysis.
      • BIZEC TEC-01: MISSING SAP SECURITY NOTES
        - Design and implement an SAP Security Patching Strategy, defining a process to:
          1. Identify which SAP Security Notes affect your platform
          2. Prioritize them according to risk (and remediation effort)
          3. Implement them in QA environments and roll out to PRD
        - Define an "SAP Security Patching" SLA with your contractors or internal teams to ensure protection
  36. Tips for Mitigating the 11 Risks (cont.)
      • BIZEC TEC-02: STANDARD USERS WITH DEFAULT PASSWORDS
        - Secure all the default and standard users in ALL the clients of your SAP systems
      • BIZEC TEC-03: DANGEROUS SAP WEB APPLICATIONS
        - Evaluate which Web applications your business really needs. Disable any unnecessary ones. Deploy an IDS/IPS.
      • BIZEC TEC-04: UNSECURED SAP GATEWAY
        - Monitor existing connections to the Gateway for a period of time. Create initial secinfo and reginfo files. Only allow required interfaces from trusted systems.
  37. Tips for Mitigating the 11 Risks (cont.)
      • BIZEC TEC-05: UNSECURED SAP/ORACLE AUTHENTICATION
        - Configure the Oracle listener to accept connections only from SAP instances and trusted systems. Firewall the SAP network!
      • BIZEC TEC-06: INSECURE RFC INTERFACES
        - Analyze your RFC Destinations and check for stored logon credentials, encryption, profiles at target systems, etc.
      • BIZEC TEC-07: UNSECURED SAP MESSAGE SERVER
        - Configure the Message Server's ACL to only accept connections from the System's instances. Configure separate ports for internal and user connections.
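The TEC-06 tip above (analyze RFC destinations for stored logon credentials and encryption) as an added example, not code from the presentation or from Onapsis: it takes a constructed destination inventory in the shape of an SM59 export, flags destinations that point from a lower- to a higher-classified system while carrying stored credentials, and traces the DEV → PRD chains an RFC pivot would follow. System names, classifications and destinations are all assumptions.

```python
"""Analyze an RFC destination inventory for BIZEC TEC-06 (insecure RFC
interfaces). All systems, classifications and destinations below are
constructed sample data, not an export from a real landscape."""
from collections import deque

# Security classification per system: higher means more sensitive.
CLASS = {"DEV": 1, "QAS": 2, "PRD": 3, "BW-DEV": 1, "BW-PRD": 3}

# Constructed inventory (SM59-like): for each destination, whether a logon
# user/password is stored with it and whether SNC is enabled.
DESTINATIONS = [
    {"src": "DEV", "dst": "QAS", "name": "QASCLNT100", "stored_logon": True, "snc": False},
    {"src": "QAS", "dst": "PRD", "name": "PRDCLNT100", "stored_logon": True, "snc": False},
    {"src": "PRD", "dst": "DEV", "name": "DEVCLNT100", "stored_logon": True, "snc": False},
    {"src": "DEV", "dst": "BW-DEV", "name": "BWDEVCLNT100", "stored_logon": True, "snc": False},
    {"src": "BW-DEV", "dst": "BW-PRD", "name": "BWPRD_TMS", "stored_logon": False, "snc": True},
]

def uphill_destinations(dests=DESTINATIONS, classes=CLASS):
    """Destinations from a lower- to a higher-classified system that also
    carry stored logon credentials: a compromise of the source system
    yields a working logon to the more sensitive target."""
    return [d for d in dests
            if classes[d["dst"]] > classes[d["src"]] and d["stored_logon"]]

def unencrypted_destinations(dests=DESTINATIONS):
    """Destinations without SNC, i.e. RFC traffic (and any logon) in clear."""
    return [d for d in dests if not d["snc"]]

def pivot_paths(start, dests=DESTINATIONS, classes=CLASS):
    """Breadth-first search over destinations with stored credentials.
    Returns every chain of system names starting at `start` that reaches a
    system classified higher than `start` (the RFC pivoting route)."""
    hops = {}
    for d in dests:
        if d["stored_logon"]:
            hops.setdefault(d["src"], []).append(d["dst"])
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in hops.get(path[-1], []):
            if nxt in path:          # ignore cycles such as PRD -> DEV -> ...
                continue
            new_path = path + [nxt]
            if classes[nxt] > classes[start]:
                paths.append(new_path)
            queue.append(new_path)
    return paths

if __name__ == "__main__":
    for d in uphill_destinations():
        print(f"uphill + stored logon: {d['src']} -> {d['dst']} ({d['name']})")
    for path in pivot_paths("DEV"):
        print("pivot chain:", " -> ".join(path))
```

On the sample data the chain DEV → QAS → PRD is reachable with stored credentials alone, which is exactly the "break into Development, then jump to Production" scenario from slide 7.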
  38. Tips for Mitigating the 11 Risks (cont.)
      • BIZEC TEC-08: INSECURE SAP ADMINISTRATION AND MONITORING SERVICES
        - Disable or restrict access to administration services from untrusted systems
      • BIZEC TEC-09: INSECURE SAP NETWORK FILTERING
        - Implement external and internal DMZs for the SAP platform. Deploy SAP-specialized Intrusion Detection and Prevention solutions.
  39. Tips for Mitigating the 11 Risks (cont.)
      • BIZEC TEC-10: INSECURE SAPROUTER IMPLEMENTATION
        - Ensure the Route Permission Table only allows connections from/to authorized systems and ports. Do not use "P" rules, but "S" rules. Enable logging.
      • BIZEC TEC-11: UNENCRYPTED COMMUNICATIONS
        - Implement SNC between SAP clients and SAP servers, and between SAP servers and untrusted networks
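The TEC-04 tip on slide 36 (initial secinfo/reginfo files) and the TEC-10 tip above (route permission table with "S" rather than "P" rules) both come down to reviewing an access-control file for permissive rules. As an added example, not part of the presentation, the following lints a Gateway reginfo/secinfo file and a SAProuter route permission table for wildcard permits, native-protocol "P" routes, rules shadowed by an earlier deny-all, and a missing deny-all terminator. Both sample files are constructed; the host names and subnets are assumptions.

```python
"""Lint SAP Gateway ACLs (reginfo/secinfo, BIZEC TEC-04) and SAProuter route
tables (saprouttab, BIZEC TEC-10). Sample files are constructed for this example."""

# Constructed reginfo: line 3 lets any host register any program.
REGINFO = """#VERSION=2
P TP=* HOST=internal,local ACCESS=internal,local CANCEL=internal,local
P TP=* HOST=* ACCESS=*
D TP=* HOST=*
P TP=MONITOR HOST=10.0.0.5
"""

SAPROUTTAB = """# route permission table
S 10.0.1.0/24 sapprd01 3200
P * sapdev01 *
P 10.0.1.7 sapqas01 3299 secret
D * * *
"""

def lint_gw_acl(text):
    """Findings for a reginfo/secinfo file in #VERSION=2 syntax (first match wins)."""
    findings, deny_all = [], False
    body = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not body or body[0] != "#VERSION=2":
        findings.append("missing #VERSION=2 header")
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv if "=" in p)
        if deny_all:   # nothing after a deny-all can ever match
            findings.append(f"line {n}: rule shadowed by earlier deny-all")
        elif action == "D" and fields.get("TP") == "*" and fields.get("HOST") == "*":
            deny_all = True
        elif action == "P":
            for key in ("HOST", "USER-HOST", "ACCESS", "CANCEL"):
                if fields.get(key) == "*":
                    findings.append(f"line {n}: permit with {key}=* (any host)")
    if not deny_all:
        findings.append("no explicit deny-all terminator (D TP=* HOST=*)")
    return findings

def lint_saprouttab(text):
    """Findings for a saprouttab; fields are action, source, target, service."""
    findings, deny_all = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst, svc = (line.split() + ["*"] * 4)[:4]
        if deny_all:
            findings.append(f"line {n}: rule shadowed by earlier deny-all")
        elif action.startswith("D") and (src, dst, svc) == ("*", "*", "*"):
            deny_all = True
        elif action in ("P", "S", "KP", "KS"):
            if action in ("P", "KP"):   # P allows native protocols; S restricts to SAP protocol
                findings.append(f"line {n}: 'P' rule permits native protocols, use 'S'")
            if src == "*":
                findings.append(f"line {n}: permit from any source host")
            if svc == "*":
                findings.append(f"line {n}: permit to any target service/port")
    if not deny_all:
        findings.append("no explicit deny-all terminator (D * * *)")
    return findings
```

Run it against the real files on an instance (reginfo/secinfo from the gateway's working directory, saprouttab from the SAProuter host) after the monitoring period the slide recommends, so that the findings can be compared with the connections actually observed.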
  40. Where Do I Start?
      • Implementing a Sustainable SAP Security Strategy
        - Performing an SAP Application Security Assessment to understand the current exposure is a good start
        - However, as you know, security is not a state, but a process
        - The highest ROI will come from establishing a continuous assessment and remediation strategy: assessing the SAP platform at least once a month, after each SAP Security Patch Day
  41. Where Do I Start? (cont.)
      • Therefore, these activities must be run periodically. The most cost-effective solution is through automation.
      • But … who ensures these products are actually used and properly configured, and that the findings are followed up?
        - Your internal SAP Security Teams, or
        - Your IT Security Teams, or
        - Your Trusted Advisory/Compliance Partner who can deliver an end-to-end Continuous SAP Application Security Compliance solution
  42. What We'll Cover … (agenda slide, same content as slide 2)
  43. Where to Find More Information
      • Onapsis Resources:
        - Other SAP Security Presentations: www.onapsis.com/research-presentations.php
        - Onapsis SAP Security In-Depth Publications: www.onapsis.com/research-publications.php
        - Onapsis Bizploit, open-source GPL project: www.onapsis.com/bizploit
      • BIZEC:
        - BIZEC TEC/11 Risks (Version 2.0, 2012): www.bizec.org/wiki/BIZEC_TEC11
  44. Where to Find More Information (cont.)
      • Great SAP Resources:
        - Secure Configuration of SAP NetWeaver Application Server Using ABAP (SAP AG, 2012): http://scn.sap.com/docs/DOC-17149
        - Protecting SAP Applications Based on Java and ABAP Against Common Attacks (SAP AG, 2011): http://bit.ly/VagxSI *
        - Bjoern Brencher, "SAP Runs SAP – Remote Function Call: Gateway Hacking and Defense" (SAP TechEd, 2012)
        - SAP Security Web site: www.sap.com/security
      * Requires login credentials to the SAP Service Marketplace
  45. 7 Key Points to Take Home
      • Our SAP platforms are natural targets for cyber attackers
      • Segregation of Duties controls are critical for the security of our SAP systems, but they are not enough
      • If the SAP Application Layer is not properly secured, cyber attackers who do not even have a user account would be able to perform espionage, sabotage, and financial fraud attacks
      • Review whether your platform is exposed to the 11 presented risks and mitigate them as soon as possible
      • Secure systems beyond PRD and implement a sustainable strategy
      • As internal or external auditors, we must address the SAP Application Layer risks. Otherwise, we may be signing off blindly.
      • If our XYZ-compliant SAP system gets hacked through a 5-year-old vulnerability, we are clearly doing something wrong
  46. Your Turn!
      Visit us at the Exhibit hall for further discussions and live demos!
      Mariano Nunez
      Email: mnunez@onapsis.com
      Twitter: @marianonunezdc
      Please remember to complete your session evaluation
  47. PwC Contacts
      • Alliance Director: Cynthia McConathy, Cynthia.McConathy@us.pwc.com
      • East: Bob Clark, Philadelphia, clark@us.pwc.com; Sachin Mandal, New York, sachin.mandal@us.pwc.com; Greg Pillay, Florida, gregory.k.pillay@us.pwc.com
      • MidWest: Sean Donahue, Milwaukee, sean.p.donahue@us.pwc.com; Dave Erickson, Chicago, dave.erickson@us.pwc.com; Mickey Roach, Dallas, mickey.roach@us.pwc.com; Tammy Wojtasiak, Minneapolis, tamara.wojtasiak@us.pwc.com
      • West: Jamie Draper, San Francisco, james.draper@us.pwc.com
  48. Disclaimer
      SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.
