Invest in security to secure investments. Implementing SAP security in 5 steps. Alexander Polyakov, CTO, ERPScan
Slide 2: About ERPScan
- The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
- Leader by the number of acknowledgments from SAP (150+)
- 60+ presentations at key security conferences worldwide
- 25 awards and nominations
- Research team: 20 experts with experience in different areas of security
- Headquarters in Palo Alto (US) and Amsterdam (EU)

Slide 3: Large enterprise sectors
Oil & Gas, Manufacturing, Logistics, Finance, Nuclear Power, Retail, Telecommunications, etc.

Slide 4: Business applications
- The role of business applications in a typical work environment
- The need to control them to optimize business processes
- Scope for an enormous reduction in resource overheads and other direct monetary impact
- Potential problems that one cannot overlook
- The need to reflect on security aspects: is it overstated? Why is it a real, existing risk?

Slide 5: What can the implications be?
- Espionage: theft of financial information; theft of corporate secrets and information; theft of supplier and customer lists; theft of HR data
- Sabotage: denial of service; tampering with financial records and accounting data; access to the technology network (SCADA) through trust relations
- Fraud: false transactions; modification of master data

Slide 6: SAP
- The most popular business application
- More than customers worldwide
- 83% of Forbes 500 companies run SAP
- Main system: ERP
- Main platforms: SAP NetWeaver ABAP, SAP NetWeaver J2EE, SAP BusinessObjects, SAP HANA, SAP Mobile Platform (SUP)

Slide 7: SAP security
- Complexity: complexity kills security. Many different vulnerabilities at all levels, from network to application
- Customization: cannot be installed out of the box. A lot of custom code and business logic (up to 50%)
- Risky: rarely updated, because administrators are afraid of crashes and downtime
- Unknown: mostly available only inside the company (a closed world)
Whitepaper: http://erpscan.com/wp-content/uploads/pres/forgotten%20world%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf

Slide 8: Securing SAP
- If you have a budget: find people and tools
- If you do not have a budget: try to show the business how critical it is

Slide 9: Ask third parties for
- Whitepapers
- Webinars from experts
- SaaS scanning of external-facing systems
- SAP penetration testing
- Deep SAP security assessment
Slide 10: SAP security. 1. Pentesting and audit

Slide 11: Pentest
- Pentest: an anonymous scan for SAP vulnerabilities and ways to exploit them
- Analysis of exposed services (more than 20 possible)
- Black-box analysis of installed applications and vulnerabilities
- Exploitation of found vulnerabilities
- Privilege escalation
- Presentation report for management
- A pentest can be the starting point of an SAP security project
- A pentest can also be the final test after implementation

Slide 12: Analysis of running services
- Scan the company's external network for SAP services
- Scan internal SAP systems from the user or guest network
- Scan internal SAP systems from the admin network

Slide 13: Remotely exposed services
Chart comparing exposed services in 2011 with the current figures (values not preserved in the transcription). Services: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAProuter

Slide 14: Internal access
Only these services should be open for user access:
- Dispatcher or Message Server
- Gateway (for some users)
- ICM (for some users, if used)
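Slides 12 to 14 describe scanning for SAP services from the outside, from the user or guest network and from the admin network, and list the only services end users should reach. The Python below is an added example, not ERPScan's tooling and not part of the deck: it derives the default TCP ports for each SAP instance number from SAP's documented port conventions, TCP-connect scans them, and flags every open service other than the Dispatcher, Message Server, Gateway and ICM as a management interface that should not answer from a user network. The port table, the hostname argument and the sample target are the example's own assumptions; a port moved in the instance profile is not detected.

```python
import socket
from typing import Dict, List, Optional, Tuple

# Default SAP NetWeaver TCP ports; "NN" is the two-digit instance number.
# Assumption: documented defaults only. Ports can be changed in the instance
# profile, so a port that does not answer is not proof that the service is off.
INSTANCE_PORTS = {
    "SAP Dispatcher (DIAG, SAP GUI)": "32NN",
    "SAP Gateway (RFC)": "33NN",
    "SAP Gateway (SNC)": "48NN",
    "SAP Message Server": "36NN",
    "SAP Message Server HTTP": "81NN",
    "ICM HTTP": "80NN",
    "ICM HTTPS": "443NN",
    "sapstartsrv/SAPControl HTTP (used by SAP MMC)": "5NN13",
    "sapstartsrv/SAPControl HTTPS (used by SAP MMC)": "5NN14",
    "AS Java HTTP": "5NN00",
    "AS Java P4": "5NN04",
    "AS Java telnet administration": "5NN08",
}
FIXED_PORTS = {"SAP HostControl HTTP": 1128, "SAP HostControl HTTPS": 1129, "SAProuter": 3299}

# Slide 14: the only services end users need. Everything else is management
# plane and belongs on the admin network (or behind SAProuter / Web Dispatcher).
USER_REACHABLE = {
    "SAP Dispatcher (DIAG, SAP GUI)", "SAP Message Server",
    "SAP Gateway (RFC)", "SAP Gateway (SNC)", "ICM HTTP", "ICM HTTPS",
}


def sap_ports(instance: int) -> Dict[str, int]:
    """Service -> port map for one instance number (00..99)."""
    if not 0 <= instance <= 99:
        raise ValueError("instance number must be in 00..99")
    nn = f"{instance:02d}"
    ports = {name: int(tpl.replace("NN", nn)) for name, tpl in INSTANCE_PORTS.items()}
    ports.update(FIXED_PORTS)
    return ports


def should_be_user_reachable(service: str) -> bool:
    return service in USER_REACHABLE


def scan_sap_host(host: str, instances=range(100), timeout: float = 0.5) -> List[Tuple[int, str, Optional[int]]]:
    """TCP-connect scan of the SAP port space on one host.
    Returns (port, service, instance) for every port that accepted a connection;
    instance is None for instance-independent services."""
    found, seen = [], set()
    for inst in instances:
        for service, port in sap_ports(inst).items():
            if port in seen:
                continue
            seen.add(port)
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
                sock.settimeout(timeout)
                try:
                    sock.connect((host, port))
                except OSError:          # refused, filtered, timed out, or no network at all
                    continue
            found.append((port, service, None if service in FIXED_PORTS else inst))
    return sorted(found)


def triage(found: List[Tuple[int, str, Optional[int]]], from_network: str) -> List[str]:
    """One line per open port; from_network is 'user' or 'admin'."""
    lines = []
    for port, service, inst in found:
        where = f"tcp/{port} {service}" + (f" (instance {inst:02d})" if inst is not None else "")
        if from_network == "user" and not should_be_user_reachable(service):
            lines.append(f"{where}: management interface reachable from the user network, filter it")
        else:
            lines.append(f"{where}: reachable")
    return lines


if __name__ == "__main__":
    import sys
    # Assumption: target host on the command line; scanning instance 00 only keeps the run short.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for line in triage(scan_sap_host(target, instances=[0]), from_network="user"):
        print(line)
```

Run it from the user or guest network and from the admin network separately, as slide 12 suggests; the same open port is a finding in the first case and expected in the second.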
Slide 15: Pentest, Java. Examples of vulnerabilities:
- Authentication bypass in CTC
- Anonymous user creation
- Anonymous file read
- Information disclosure
- Unauthorized access to KM documents

Slide 16: Pentest, ABAP. Examples of vulnerabilities:
- Reginfo/secinfo bypass
- Oracle database access bypass
- Buffer overflows
- Information disclosure about files in MMC
- Unauthorized access to log files
- OS command injection in SAPHostControl
- Dangerous web services
- Information disclosure of parameters in Message Server HTTP

Slide 17: Full SAP security assessment
- Black-box vulnerability scan
- Penetration testing
- White-box configuration scan
- Configuration analysis
- Access control checks
- SAP Security Notes analysis
- Password complexity checks (bruteforce)

Slide 18: Configuration analysis
- Authentication: password policies, SSO, users selected by different criteria
- Access control: access to different web services, tables and transactions; insecure test services; unnecessary transactions and web applications
- Encryption: SSL and SNC
- Monitoring: security audit log, system log and others
- Insecure configuration: all other security checks for particular services (Gateway, Message Server, ITS, SAP GUI, Web Dispatcher, MMC, HostControl, Portal)

Slide 19: Access control
- Users with critical profiles
- Users with critical roles
- Users with access to critical tables
- Users with access to transport
- Users with access to development
- Users with access to user administration
- Users with access to system administration
- Users with access to HR functions
- Users with access to CRM functions
- Specific access control checks for industry solutions

Slide 20: Vulnerability scan
- Check for the latest component versions
- Check for missing SAP Security Notes
- Correlate patches with SAP Security Notes
- Exploit vulnerabilities to check whether they really exist
- Risk management
Slide 21: SAP security. 2. Compliance

Slide 22: Compliance
First of all, choose the one you want.
- Technical: EAS-SEC; SAP NetWeaver ABAP Security Configuration; ISACA (ITAF); DSAG
- Industry: PCI DSS; NERC CIP

Slide 23: SAP security. Why do we need a new guide?

Slide 24: Three areas of business application security
- Business logic security (SoD): prevents attacks or mistakes made by insiders
- Custom code security: prevents attacks or mistakes made by developers
- Application platform security: prevents unauthorized access both by insiders and by remote attackers

Slide 25: Security guidelines
- For the web, we have OWASP and WASC
- For network and OS, we have NIST and SANS
- But what about enterprise business applications?

Slide 26: Why? (1)
Questions like "why?" and "what for?" are the alpha and omega of every research effort. The most frequent question we were asked: "Guys, you are awesome! You are doing a great job so far, finding so many problems in our installations. It's absolutely fantastic, but we don't know where to start solving them. Could you provide us with the top 10/20/50/100/[your favorite number] most critical bugs in every area?"

Slide 27: Why? (2)
- We had to do something completely different from just a Top 10 of the most critical bugs
- Even if you patch all vulnerabilities, lots of problems could still remain: access control, configuration, logs
- The number one challenge is to understand all security areas of EAS and to be able to select the several most critical issues for every area

Slide 28: Why? (3)
We started to analyze the existing guidelines and standards:
- High-level policies: NIST, SOX, ISO, PCI DSS
- Technical guides: OWASP, WASC, SANS 25, CWE
- SAP guides: Secure Configuration of SAP NetWeaver Application Server Using ABAP (by SAP); ISACA Assurance (ITAF) (by ISACA); DSAG (by the German SAP User Group)
Those standards are great, but, unfortunately, all of them have at least one big disadvantage.
Slide 29: SAP security guidelines
- Guidelines made by SAP
- First official SAP guide for the technical security of the ABAP stack: Secure Configuration of SAP NetWeaver Application Server Using ABAP
- First version in 2010, version 1.2 in

Slide 30: SAP security guidelines
- For rapid assessment of the most common technical platform misconfigurations
- Consists of 9 areas and 82 checks
- Ideal as a second step; gives more detail on some standard EAS-SEC areas
Link: http:// f0d2445f-509d-2d10-6fa7-9d fee?overridelayout=true

Slide 31: SAP security guidelines
Advantages:
- Very brief but quite comprehensive (only 9 pages)
- Covers application platform issues
- Applicable to every ABAP-based platform (ERP, Solution Manager or HR)
Disadvantages:
- 82 checks is still a lot for a first brief look at secure configuration
- Does not cover access control issues or logging, and misses some things even in platform security
- Gives people a false sense of security once they cover all checks, which would not be entirely justified

Slide 32: ISACA Assurance (ITAF)
- Guidelines made by ISACA
- Checks cover the configuration and access control areas
- The first most complete compliance guide
- Three versions were published, in 2002, 2006 and 2009 (some areas are outdated now)

Slide 33: ISACA Assurance (ITAF)
- The technical part covers incomplete access control information and misses some critical areas
- The biggest advantage is the large database of access control checks
- Consists of 4 parts and more than 160 checks
- Ideal as a third-step guide, and very useful for its detailed coverage of access control

Slide 34: ISACA Assurance (ITAF)
Advantages:
- Detailed coverage of access control checks
Disadvantages:
- Outdated
- The technical part is missing
- Too many checks; cannot be easily used by a non-SAP specialist
- Cannot be applied to any system without prior understanding of the business processes
- Officially available only as part of the book, or you need to be at least an ISACA member to get it

Slide 35: DSAG
- Set of recommendations from the German SAP User Group (Deutschsprachige SAP-Anwendergruppe)
- Checks cover all security areas, from technical configuration and source code to access control and management procedures
- Currently the biggest guideline on SAP security

Slide 36: DSAG
- Last version in January 2011
- Consists of 8 areas and 200+ checks
- Ideal as a final step for securing SAP, but consists of many checks that need additional decision making (highly dependent on the installation)
Link: http:// _Leitfaden_Datenschutz_Englisch_final.pdf

Slide 37: DSAG
Advantages:
- Ideal as a final step for securing SAP. Great for SAP security administrators; covers almost all areas
Disadvantages:
- Same as ISACA: too big for a starter, and no help at all for security people who are not familiar with SAP
- Cannot be directly applied to every system without prior understanding of the business processes. Many checks are recommendations, and users have to decide for themselves whether they apply in each case
Slide 38: Compliance

Slide 39: EAS-SEC
The authors' goals were:
- to make this list as brief as possible
- to cover the most critical threats for each area
- to make it usable not only by SAP/ERP security experts but by every security specialist
- to provide comprehensive coverage of all critical SAP security areas
At the same time, developing the most complete guide would be a never-ending story, so we applied the 80/20 rule to SAP security.

Slide 40: EAS-SEC
- Developed by ERPScan
- First release 2010; second edition 2013 (http://eas-sec.org)
- 3 main areas: implementation assessment, code review, awareness
- Rapid assessment of business application security

Slide 41: EASSEC Implementation Assessment (EASSEC-PVAG)

  #  Area                                      Access         Criticality  Easy to exploit  % of vulnerable systems
  1  Lack of patch management                  Anonymous      High         High             99%
  2  Default passwords for application access  Anonymous      High         High             95%
  3  Unnecessary enabled functionality         Anonymous      High         High             90%
  4  Open remote management interfaces         Anonymous      High         Medium           90%
  5  Insecure configuration                    Anonymous      Medium       Medium           90%
  6  Unencrypted communication                 Anonymous      Medium       Medium           80%
  7  Access control and SoD                    User           High         Medium           99%
  8  Insecure trust relations                  User           High         Medium           80%
  9  Logging and monitoring                    Administrator  High         Medium           98%

Slide 42: EAS-SEC for SAP NetWeaver ABAP (Enterprise Application Systems Application Implementation, NetWeaver ABAP)
- Developed by ERPScan: the first standard in the EAS-SEC series
- Published in 2013: http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/
- Rapid assessment of SAP security in 9 areas
- Contains the 33 most critical checks
- Ideal as a first step
- Also contains information for next steps
- Categorized by priority and criticality

Slide 43: EAS-SEC for NetWeaver (EASSEC-PVAG-ABAP): Enterprise Application Systems Vulnerability Assessment for NetWeaver ABAP
- First standard in the EAS-SEC series
- Rapid assessment of SAP security in 9 areas
- Contains the 33 most critical checks
- Ideal as a first step
- Also contains information for next steps
- Categorized by priority and criticality
Slide 44: Lack of patch management
- [EASAI-NA-01] Component updates
- [EASAI-NA-02] Kernel updated
What's next: other components should be updated separately: SAProuter, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects. Also the OS and the database.

Slide 45: Default passwords
- [EASAI-NA-03] Default password check for user SAP*
- [EASAI-NA-04] Default password check for user DDIC
- [EASAI-NA-05] Default password check for user SAPCPIC
- [EASAI-NA-06] Default password check for user TMSADM
- [EASAI-NA-07] Default password check for user EARLYWATCH
What's next: a couple of additional SAP components, like old versions of SAP SDM and SAP ITS, have default passwords. After you check all default passwords, you can start bruteforcing for simple passwords (mind the lockout threshold in login/fails_to_user_lock, or you will lock out the accounts you are testing).

Slide 46: Unnecessary enabled functionality
- [EASAI-NA-08] Access to RFC functions using the SOAP interface
- [EASAI-NA-09] Access to RFC functions using the FORM interface
- [EASAI-NA-10] Access to the XI service using the SOAP interface
What's next: analyze the roughly 1500 other services that are remotely enabled to see whether they are really needed. Disable unused transactions, programs and reports.

Slide 47: Open remote management interfaces
- [EASAI-NA-11] Unauthorized access to the SAPControl service
- [EASAI-NA-12] Unauthorized access to the SAPHostControl service
- [EASAI-NA-13] Unauthorized access to the Message Server service
- [EASAI-NA-14] Unauthorized access to the Oracle database
What's next: the full list of SAP services is available in "TCP/IP Ports Used by SAP Applications". Also take care of third-party services that may be enabled on the server.

Slide 48: Insecure configuration
- [EASAI-NA-15] Minimum password length
- [EASAI-NA-16] User locking policy
- [EASAI-NA-17] Password compliance with current standards
- [EASAI-NA-18] Access control to RFC (reginfo.dat)
- [EASAI-NA-19] Access control to RFC (secinfo.dat)
What's next: first of all, look at "Secure Configuration of SAP NetWeaver Application Server Using ABAP" for detailed configuration checks. Afterwards, go through the detailed documents for each and every SAP service and module: http://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
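The EASAI-NA-15 to -19 checks come down to a handful of profile parameters and the two Gateway ACL files. As an added example (not the EAS-SEC standard's or ERPScan's implementation), the Python below audits a constructed instance profile against the thresholds named in those checks plus a few related settings from SAP's secure configuration guide, and parses #VERSION=2 reginfo/secinfo files to flag permit rules that let any program from any host through and files that do not end in a deny rule. The threshold values, the sample files and the reading of an omitted ACL key as '*' are this example's own assumptions.

```python
from typing import Dict, List

# Profile checks derived from EASAI-NA-15..19 plus related settings from SAP's
# "Secure Configuration of SAP NetWeaver Application Server Using ABAP".
# Assumption: the thresholds are this example's reading of the guide; align
# them with your own password and gateway policy before use.
PROFILE_CHECKS = [
    ("login/min_password_lng", lambda v: int(v) >= 8, ">= 8 (EASAI-NA-15)"),
    ("login/fails_to_user_lock", lambda v: 1 <= int(v) <= 5, "1..5 (EASAI-NA-16)"),
    ("login/password_compliance_to_current_policy", lambda v: v == "1", "1 (EASAI-NA-17)"),
    ("login/no_automatic_user_sapstar", lambda v: v == "1", "1 (no kernel-level SAP* fallback)"),
    ("login/password_downwards_compatibility", lambda v: v == "0", "0 (no weak legacy hashes)"),
    ("gw/reg_info", lambda v: bool(v), "reginfo path set (EASAI-NA-18)"),
    ("gw/sec_info", lambda v: bool(v), "secinfo path set (EASAI-NA-19)"),
    ("gw/acl_mode", lambda v: v == "1", "1 (restrictive default when ACL files are missing)"),
    ("gw/reg_no_conn_info", lambda v: int(v) == 255, "255 (all registration protections on)"),
    ("rsau/enable", lambda v: v == "1", "1 (Security Audit Log on)"),
    ("snc/enable", lambda v: v == "1", "1 (SNC available for GUI and RFC)"),
]


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an SAP instance profile; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def audit_profile(text: str) -> List[str]:
    params, findings = parse_profile(text), []
    for name, ok, expected in PROFILE_CHECKS:
        value = params.get(name)
        if value is None:
            findings.append(f"{name}: not set (expected {expected})")
            continue
        try:
            passed = ok(value)
        except ValueError:      # non-numeric where a number is expected
            passed = False
        if not passed:
            findings.append(f"{name} = {value} (expected {expected})")
    return findings


def parse_gw_acl(text: str) -> List[Dict[str, str]]:
    """Parse a #VERSION=2 reginfo/secinfo file: one 'P|D KEY=VALUE ...' rule per line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        rule = {"ACTION": action.upper()}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rule[key.upper()] = value
        rules.append(rule)
    return rules


def audit_gw_acl(text: str, kind: str) -> List[str]:
    """kind: 'secinfo' (who may start which program from where) or
    'reginfo' (which external programs may register and who may use them)."""
    keys = ("USER", "USER-HOST", "HOST", "TP") if kind == "secinfo" else ("TP", "HOST", "ACCESS", "CANCEL")
    rules, findings = parse_gw_acl(text), []
    for n, rule in enumerate(rules, 1):
        if rule["ACTION"] != "P":
            continue
        # Assumption: an omitted key is read as '*' (the permissive interpretation).
        values = {k: rule.get(k, "*") for k in keys}
        if values["TP"] == "*" and values["HOST"] == "*":
            detail = " ".join(f"{k}={v}" for k, v in values.items())
            findings.append(f"{kind} rule {n}: any program from any host ({detail})")
    if not rules or rules[-1]["ACTION"] != "D" or rules[-1].get("TP", "*") != "*":
        findings.append(f"{kind}: no final catch-all deny rule (D TP=* ...)")
    return findings


# Constructed samples, not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile (constructed)
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 0
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
gw/acl_mode = 0
gw/reg_no_conn_info = 255
rsau/enable = 0
snc/enable = 1
"""
SAMPLE_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=internal HOST=internal
P TP=* USER=* USER-HOST=* HOST=*
D TP=* USER=* USER-HOST=* HOST=*
"""
SAMPLE_REGINFO = """\
#VERSION=2
P TP=* HOST=* ACCESS=*
"""

if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PROFILE) + audit_gw_acl(SAMPLE_SECINFO, "secinfo") + audit_gw_acl(SAMPLE_REGINFO, "reginfo"):
        print(f)
```

Parameters set in the default profile,
 in the instance profile and at run time (RZ11) can differ; audit the value the running server reports, not just the file. Gateway rule files are evaluated top down with the first match winning, which is why the example insists on a closing deny line.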
Slide 49: Access control and SoD conflicts
- [EASAI-NA-20] Users with the SAP_ALL profile
- [EASAI-NA-21] Users who can run any program
- [EASAI-NA-22] Users who can modify the critical table USR02
- [EASAI-NA-23] Users who can execute any OS command
- [EASAI-NA-24] Disabled authorization checks
What's next: there are at least 100 critical transactions in BASIS alone and approximately the same number in every other module. Detailed information can be found in the ISACA guidelines. After that, you can start on segregation of duties.
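EASAI-NA-20 to -23 can be answered from the authorization tables. The Python below is an added example (not ERPScan's checks): SQL over an in-memory SQLite copy of USR02, UST04, AGR_USERS and AGR_1251 filled with constructed rows. The generic query matches all fields of one authorization object within the same authorization instance (AGR_NAME plus AUTH), so a role that grants S_TABU_DIS group SC in one authorization and activity 02 in a different one is not falsely counted. Known gaps, stated in the comments: profiles other than SAP_ALL are not expanded, S_TABU_NAM grants on USR02 by name are not checked, and value ranges and patterns such as 'S*' are not resolved.

```python
import re
import sqlite3
from typing import Dict, List, Sequence, Tuple

# Constructed sample of the SAP authorization tables (column subset only):
#   USR02     user master: BNAME, USTYP (A dialog, B system, C comm., S service), UFLAG (0 = not locked)
#   UST04     direct profile assignments: BNAME, PROFILE
#   AGR_USERS role assignments: AGR_NAME, UNAME
#   AGR_1251  role authorization data: AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED
SCHEMA = """
CREATE TABLE USR02 (BNAME TEXT, USTYP TEXT, UFLAG INTEGER);
CREATE TABLE UST04 (BNAME TEXT, PROFILE TEXT);
CREATE TABLE AGR_USERS (AGR_NAME TEXT, UNAME TEXT);
CREATE TABLE AGR_1251 (AGR_NAME TEXT, OBJECT TEXT, AUTH TEXT, FIELD TEXT, LOW TEXT, HIGH TEXT, DELETED TEXT);
"""
SAMPLE_ROWS = {
    "USR02": [("ADMIN_ALICE", "A", 0), ("DDIC", "A", 0), ("BOB", "A", 0), ("CAROL", "A", 64), ("BATCH_RFC", "B", 0)],
    "UST04": [("ADMIN_ALICE", "SAP_ALL"), ("DDIC", "SAP_ALL"), ("BOB", "T-FI000001")],
    "AGR_USERS": [("Z_BASIS_TABLES", "BOB"), ("Z_BASIS_TABLES", "CAROL"), ("Z_OS_CMD", "BATCH_RFC"), ("Z_FI_DISPLAY", "BOB")],
    "AGR_1251": [
        ("Z_BASIS_TABLES", "S_TABU_DIS", "T-BA000001", "DICBERCLS", "SC", "", ""),
        ("Z_BASIS_TABLES", "S_TABU_DIS", "T-BA000001", "ACTVT", "02", "", ""),
        ("Z_OS_CMD", "S_LOG_COM", "T-BA000002", "COMMAND", "*", "", ""),
        ("Z_FI_DISPLAY", "S_TABU_DIS", "T-FI000001", "DICBERCLS", "FC", "", ""),
        ("Z_FI_DISPLAY", "S_TABU_DIS", "T-FI000001", "ACTVT", "03", "", ""),
    ],
}
Row = Tuple[str, str, int]   # (user, user type, lock flag)


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        conn.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
    return conn


def sap_all_users(conn: sqlite3.Connection) -> List[Row]:
    """EASAI-NA-20: users holding the SAP_ALL profile directly.
    Gap: composite profiles and profiles generated from roles are not expanded here."""
    return conn.execute(
        "SELECT u.BNAME, u.USTYP, u.UFLAG FROM UST04 p JOIN USR02 u ON u.BNAME = p.BNAME "
        "WHERE p.PROFILE = 'SAP_ALL' ORDER BY u.BNAME").fetchall()


def users_with_auth(conn: sqlite3.Connection, obj: str, fields: Dict[str, Sequence[str]]) -> List[Row]:
    """Users whose roles contain one authorization for OBJ in which every FIELD
    holds one of the given values. Field rows are matched inside the same
    authorization instance (AGR_NAME + AUTH), not merely the same role.
    Gap: only '*' and exact values are handled; ranges (LOW..HIGH) and
    patterns such as 'S*' need expansion in a production check."""
    joins, where, params = [], ["f0.OBJECT = ?", "f0.DELETED <> 'X'"], [obj]
    for i, (field, values) in enumerate(fields.items()):
        if not re.fullmatch(r"[A-Z0-9_]+", field):      # field names are interpolated, so validate them
            raise ValueError(f"bad field name {field!r}")
        a = f"f{i}"
        if i:
            joins.append(f"JOIN AGR_1251 {a} ON {a}.AGR_NAME = f0.AGR_NAME AND {a}.AUTH = f0.AUTH "
                         f"AND {a}.OBJECT = f0.OBJECT AND {a}.DELETED <> 'X'")
        where.append(f"{a}.FIELD = ? AND {a}.LOW IN ({','.join('?' * len(values))})")
        params += [field, *values]
    sql = (f"SELECT DISTINCT u.BNAME, u.USTYP, u.UFLAG FROM AGR_1251 f0 {' '.join(joins)} "
           "JOIN AGR_USERS au ON au.AGR_NAME = f0.AGR_NAME JOIN USR02 u ON u.BNAME = au.UNAME "
           f"WHERE {' AND '.join(where)} ORDER BY u.BNAME")
    return conn.execute(sql, params).fetchall()


def critical_access_report(conn: sqlite3.Connection) -> Dict[str, List[Row]]:
    return {
        "EASAI-NA-20 SAP_ALL profile": sap_all_users(conn),
        "EASAI-NA-21 run any program (S_PROGRAM)":
            users_with_auth(conn, "S_PROGRAM", {"P_GROUP": ("*",), "P_ACTION": ("SUBMIT", "*")}),
        "EASAI-NA-22 change USR02 (S_TABU_DIS, group SC, activity 02)":
            users_with_auth(conn, "S_TABU_DIS", {"DICBERCLS": ("SC", "*"), "ACTVT": ("02", "*")}),
        "EASAI-NA-23 run any OS command (S_LOG_COM)":
            users_with_auth(conn, "S_LOG_COM", {"COMMAND": ("*",)}),
    }


if __name__ == "__main__":
    for check, users in critical_access_report(build_sample_db()).items():
        print(check)
        for bname, ustyp, uflag in users:      # slide 60: sort by type and lock status
            print(f"  {bname} type={ustyp} {'locked' if uflag else 'active'}")
```

Locked users (UFLAG other than 0) still count: a lock is reversible by anyone with user administration rights, so the finding stays until the role is removed.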
Slide 50: Unencrypted connections
- [EASAI-NA-25] Use of SSL for securing HTTP connections
- [EASAI-NA-26] Use of SNC for securing SAP GUI connections
- [EASAI-NA-27] Use of SNC for securing RFC connections
What's next: even if you use encryption, check how it is configured for every encryption type and every service, because each has its own complex configuration. For example, the recent attacks on SSL (BEAST and CRIME) require companies to use more careful SSL configurations.

Slide 51: Insecure trusted connections
- [EASAI-NA-28] RFC connections with stored authentication data
- [EASAI-NA-29] Trusted systems with lower security
What's next: check other ways to get access to trusted systems, such as database links, use of the same OS user, or use of similar passwords for different systems.

Slide 52: Logging and monitoring
- [EASAI-NA-30] Logging of security events
- [EASAI-NA-31] Logging of HTTP requests
- [EASAI-NA-32] Logging of table changes
- [EASAI-NA-33] Logging of access to the Gateway
What's next: there are about 30 different types of log files in SAP. After properly enabling the main ones, you should configure the finer options, such as which specific tables to monitor for changes, which events to analyze in the Security Audit Log, and which kinds of Gateway attacks should be collected. The next step is to enable their centralized collection and storage, and then add other log events.
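Slide 52 asks for HTTP request logging and slide 46 lists the web-enabled services that should be switched off unless needed; together they give a first detection rule. The Python below is an added example, not part of the deck: it parses ICM access-log lines in Common Log Format, counts hits on the SOAP RFC, FORM RFC, XI and /sap/public/info paths per source address, and flags a source whose run of 401 responses on one path ends in a 200, which is what a successful credential-guessing attempt looks like in this log. The log lines are constructed and the path list is illustrative, not an inventory.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional

# Apache Common Log Format, which the ICM writes with a profile line such as
#   icm/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_LOGGING)/access.log,LOGFORMAT=CLF
CLF = re.compile(r'(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# URL prefixes of services EASAI-NA-08..10 want disabled unless needed.
# Assumption: illustrative list; extend it from the SICF service tree of your system.
RISKY_PREFIXES = {
    "/sap/bc/soap/rfc": "RFC over SOAP (EASAI-NA-08)",
    "/sap/bc/webrfc": "RFC over HTTP FORM interface (EASAI-NA-09)",
    "/sap/xi/": "XI/PI SOAP adapter (EASAI-NA-10)",
    "/sap/public/info": "anonymous system information disclosure",
}
FAILURE_BURST = 3   # this many consecutive 401s on one path before a 200 = guessed credentials


def classify(path: str) -> Optional[str]:
    bare = path.split("?", 1)[0].lower()
    for prefix, label in RISKY_PREFIXES.items():
        if bare.startswith(prefix):
            return label
    return None


def analyze(lines: Iterable[str]) -> Dict[str, dict]:
    """Per source address: hit counts on risky paths, number of 401s, and
    paths where a 401 burst was followed by a 200. Sources without findings are dropped."""
    report = defaultdict(lambda: {"risky": Counter(), "auth_failures": 0, "guessed_login": []})
    failures = defaultdict(int)          # (source, path) -> consecutive 401 responses
    for line in lines:
        m = CLF.match(line)
        if not m:                        # not CLF (or a different LOGFORMAT): skip, do not crash
            continue
        src, path, status = m["src"], m["path"].split("?", 1)[0], m["status"]
        label = classify(path)
        if label:
            report[src]["risky"][label] += 1
        if status == "401":
            report[src]["auth_failures"] += 1
            failures[(src, path)] += 1
        elif status == "200" and failures[(src, path)] >= FAILURE_BURST:
            report[src]["guessed_login"].append(path)
            failures[(src, path)] = 0
        else:
            failures[(src, path)] = 0
    return {src: r for src, r in report.items() if r["risky"] or r["auth_failures"] or r["guessed_login"]}


# Constructed log lines (not from a real system).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:15:02 +0100] "POST /sap/bc/soap/rfc HTTP/1.1" 200 1532
10.0.0.5 - - [12/Mar/2014:10:15:03 +0100] "GET /sap/bc/webrfc?_FUNCTION=RFC_SYSTEM_INFO HTTP/1.1" 401 0
10.0.0.5 - - [12/Mar/2014:10:15:04 +0100] "GET /sap/bc/webrfc?_FUNCTION=RFC_SYSTEM_INFO HTTP/1.1" 401 0
10.0.0.5 - - [12/Mar/2014:10:15:05 +0100] "GET /sap/bc/webrfc?_FUNCTION=RFC_SYSTEM_INFO HTTP/1.1" 401 0
10.0.0.5 - - [12/Mar/2014:10:15:06 +0100] "GET /sap/bc/webrfc?_FUNCTION=RFC_SYSTEM_INFO HTTP/1.1" 200 2210
192.168.1.20 - jsmith [12/Mar/2014:10:16:00 +0100] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 8800
10.0.0.5 - - [12/Mar/2014:10:17:00 +0100] "GET /sap/public/info HTTP/1.1" 200 640
"""

if __name__ == "__main__":
    for src, r in analyze(SAMPLE_LOG.splitlines()).items():
        print(src, dict(r["risky"]), "401s:", r["auth_failures"], "guessed:", r["guessed_login"])
```

If a Web Dispatcher or reverse proxy sits in front of the ICM, the source field is the proxy's address; log the forwarded client address (or analyze the Web Dispatcher's own HTTP log) before trusting per-source counts.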
Slide 53: Results

Slide 54: Awareness
- SAP Security in Figures 2011
- SAP Security in Figures: vulnerabilities in SAP
- SAP Security in Figures 2014 (coming soon)

Slide 55: SAP security. 3. Internal security and SoD

Slide 56: Internal security
- Simple steps and statistics
- Critical access
- Segregation of duties
- Optimization and maintenance

Slide 57: Simple steps: analyze statistics
- Number of users in a role: 0 means the role is not used; more than 100 means divide it into different roles and check for critical authorizations
- Number of authorizations in a role
- Number of authorization objects in a role

Slide 58: Critical access
- There are different areas: HR, Basis, Fixed Assets, Material Management
- Each of those areas has a list of critical transactions and authorizations (available in the ISACA guidelines)
- First of all, decrease the number of critical roles
- For example, users who can only modify the table USR02 can do everything they want! (USR02 holds every user's password hash, lock flag and validity period, so write access to it is equivalent to taking over any account.)
Slide 59: Example of actions and transactions

Slide 60: Critical access optimization
- Obtain the list of roles with critical access to particular transactions
- Minimize roles
- Obtain the list of users with critical access to particular transactions
- Sort them by type, locking status, etc.
- Exclude administrators and superusers (and minimize them)
- Minimize users

Slide 61: SoD analysis
- Use the default templates or customize them
- Obtain the list of business roles in the company
- Obtain the list of actions in a particular role
- Assign transactions and authorization objects to actions
- Create or modify the matrix (add risk values)

Slide 62: Business roles and actions

Slide 63: Risk values

Slide 64: Analyzing SoD results
Result:
- List of users with critical conflicts
- List of roles with critical conflicts
Solving:
- Obtain the roles with the maximum number of SoD conflicts and optimize them
- Obtain the users with the maximum number of SoD conflicts and optimize them

Slide 65: Optimization
You will get thousands of conflicts the first time. How to solve them quickly:
- Exclude all administrators (SAP_ALL)
- Look at HOW exactly rights are assigned (all * values should be excluded)
- Look at the history of executed transactions
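Slides 61 to 65 outline the SoD procedure: actions mapped to transactions, a conflict matrix with risk values, users resolved through their roles, then administrators and wildcard grants set aside before the remaining conflicts are ranked. The Python below is an added example with constructed rules and data, not the deck's templates or matrix: it implements that pipeline for a small accounts-payable rule set, reports conflicts at role level as well as user level (a role that conflicts with itself is the cheapest fix), skips SAP_ALL holders, and reports a wildcard S_TCODE value as its own finding instead of silently granting every action.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed accounts-payable rule set; real matrices also key on
# authorization objects and field values, not only transaction codes.
ACTIONS: Dict[str, Set[str]] = {
    "maintain vendor master": {"XK01", "XK02", "FK01", "FK02"},
    "post vendor invoice": {"FB60", "MIRO"},
    "run payment program": {"F110"},
    "maintain bank master": {"FI01", "FI02"},
}
CONFLICTS: Dict[FrozenSet[str], str] = {      # conflicting action pairs with a risk value
    frozenset({"maintain vendor master", "post vendor invoice"}): "high",
    frozenset({"post vendor invoice", "run payment program"}): "high",
    frozenset({"maintain vendor master", "run payment program"}): "high",
    frozenset({"maintain bank master", "run payment program"}): "medium",
}
WILDCARD = "<wildcard S_TCODE>"

# Constructed role and user data: the S_TCODE values of each role.
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FB03"},
    "Z_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
    "Z_TREASURY": {"F110", "FI01"},
    "Z_BASIS_ALL": {"*"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "ALICE": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},
    "BOB": {"Z_AP_CLERK"},
    "DAVE": {"Z_TREASURY"},
    "ADMIN": {"Z_BASIS_ALL"},
}
SUPERUSERS = {"ADMIN"}   # SAP_ALL holders: handled in the critical-access review, not here

Conflict = Tuple[str, str, str]   # (action a, action b, risk)


def actions_for(tcodes: Set[str]) -> Set[str]:
    """Map transaction codes to business actions. A wildcard value ('*', 'F*')
    becomes its own finding instead of silently granting every action."""
    actions = {action for action, codes in ACTIONS.items() if codes & tcodes}
    if any(t.endswith("*") for t in tcodes):
        actions.add(WILDCARD)
    return actions


def conflicts_in(actions: Set[str]) -> List[Conflict]:
    """Every conflicting pair inside one action set, with its risk value."""
    found = []
    for a, b in combinations(sorted(actions), 2):
        risk = CONFLICTS.get(frozenset({a, b}))
        if risk:
            found.append((a, b, risk))
    return found


def analyze(user_roles: Dict[str, Set[str]], role_tcodes: Dict[str, Set[str]], superusers=SUPERUSERS):
    """Return (user conflicts, role conflicts, wildcard roles, skipped superusers)."""
    role_actions = {role: actions_for(tcodes) for role, tcodes in role_tcodes.items()}
    role_conf: Dict[str, List[Conflict]] = {}
    for role, acts in role_actions.items():
        c = conflicts_in(acts)
        if c:
            role_conf[role] = c
    wildcard_roles = sorted(role for role, acts in role_actions.items() if WILDCARD in acts)
    user_conf: Dict[str, List[Conflict]] = {}
    skipped = []
    for user, roles in user_roles.items():
        if user in superusers:            # slide 65: exclude the SAP_ALL administrators first
            skipped.append(user)
            continue
        acts = set().union(*(role_actions[r] for r in roles))
        c = conflicts_in(acts)
        if c:
            user_conf[user] = c
    return user_conf, role_conf, wildcard_roles, sorted(skipped)


def rank_users(user_conf: Dict[str, List[Conflict]]) -> List[Tuple[str, int, int]]:
    """(user, high-risk conflicts, all conflicts), worst first: the order to work the list in."""
    rows = [(u, sum(1 for _, _, r in c if r == "high"), len(c)) for u, c in user_conf.items()]
    return sorted(rows, key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    users, roles, wild, skipped = analyze(USER_ROLES, ROLE_TCODES)
    print("roles with internal conflicts:", roles)
    print("roles with wildcard transaction grants:", wild, "| superusers skipped:", skipped)
    for user, high, total in rank_users(users):
        print(f"{user}: {high} high / {total} total", users[user])
```

The third point on slide 65, the history of executed transactions, is the filter to apply next: a conflict built from transactions a user has never run (workload statistics, ST03N) is removed by taking the transaction away, while one the user exercises daily needs a mitigating control.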
Slide 66: SAP security. 4. Source code security

Slide 67: ABAP
- SAP uses ABAP, Java, and XSJS (for HANA)
- ABAP, like any other language, can have vulnerabilities
- It can also be used for writing backdoors
- Development inside the company is almost uncontrolled
- Developer access to a system == god in SAP

Slide 68: Source code review
- EASAD-9: a standard from the series of standards designed for Enterprise Application Systems Security Assessment (EAS-SEC)
- Full name: Enterprise Application Systems Application Development
- Describes 9 areas of source code issues for business languages
- Universal categories for different languages and systems (SAP, Oracle, Dynamics, Infor, ...)
- Categorized by criticality and exploitation probability

Slide 69: EASAD: 9 categories
1. Code injections
2. Critical calls
3. Missing authorization checks
4. Path traversal
5. Modification of displayed content
6. Backdoors
7. Covert channels
8. Information disclosure
9. Obsolete statements
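Six of the nine EASAD categories can be illustrated with a pattern scan over ABAP source. The Python below is an added example, not the EASAD standard's tooling: it applies grep-level rules to a constructed ABAP report and returns the line, category and statement for each hit. The rules are deliberately narrow (a dynamic WHERE clause, the SYSTEM kernel call, a hard-coded sy-uname comparison, OPEN DATASET on a variable, CALL TRANSACTION with no AUTHORITY-CHECK in the unit, the obsolete WS_EXECUTE function). A real review needs an ABAP-aware parser and data-flow tracking from input to sink; anything spread across several statements or hidden behind a dynamic call slips past this scanner.

```python
import re
from typing import List, Tuple

# Grep-level rules for some EASAD categories. Assumption: statements are on one
# line each; ABAP allows multi-line statements, which these patterns will miss.
RULES = [
    ("1. Code injection", re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I)),                     # dynamic WHERE from a variable
    ("1. Code injection", re.compile(r"\b(GENERATE SUBROUTINE POOL|INSERT REPORT|EXEC SQL)\b", re.I)),
    ("2. Critical call", re.compile(r"\bCALL\s+'SYSTEM'", re.I)),                             # kernel call: OS command
    ("6. Backdoor", re.compile(r"\bsy-uname\s*(=|EQ)\s*'[^']+'", re.I)),                      # hard-coded user check
    ("9. Obsolete statement", re.compile(r"\bCALL FUNCTION\s+'WS_EXECUTE'", re.I)),           # superseded by CL_GUI_FRONTEND_SERVICES
]
PATH_SINK = re.compile(r"\bOPEN DATASET\s+(\S+)", re.I)
CALL_TA = re.compile(r"\bCALL TRANSACTION\b(?!.*WITH AUTHORITY-CHECK)", re.I)
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.I)

Finding = Tuple[int, str, str]   # (line number, category, statement)


def scan(abap: str) -> List[Finding]:
    findings: List[Finding] = []
    seen_auth_check = False
    for no, line in enumerate(abap.splitlines(), 1):
        code = line.split('"', 1)[0]            # drop end-of-line comments (ABAP uses ")
        if code.lstrip().startswith("*"):       # full-line comment
            continue
        for category, rx in RULES:
            if rx.search(code):
                findings.append((no, category, code.strip()))
        m = PATH_SINK.search(code)
        if m and not m.group(1).startswith("'"):          # file name comes from a variable, not a literal
            findings.append((no, "4. Path traversal", code.strip()))
        if AUTH_CHECK.search(code):
            seen_auth_check = True
        if CALL_TA.search(code) and not seen_auth_check:  # no check anywhere earlier in the unit
            findings.append((no, "3. Missing authorization check", code.strip()))
    return findings


# Constructed ABAP report containing one instance of each rule (not real customer code).
SAMPLE_ABAP = """\
REPORT z_vendor_export.
PARAMETERS: p_file TYPE string, p_where TYPE string.
DATA: lt_lfa1 TYPE TABLE OF lfa1, lt_out TYPE TABLE OF string.
IF sy-uname = 'ZDEVBACK'.
  CALL 'SYSTEM' ID 'COMMAND' FIELD 'cat /etc/passwd' ID 'TAB' FIELD lt_out.
ENDIF.
SELECT * FROM lfa1 INTO TABLE lt_lfa1 WHERE (p_where).
OPEN DATASET p_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
CALL TRANSACTION 'XK02'.
CALL FUNCTION 'WS_EXECUTE' EXPORTING program = 'notepad.exe'.
"""

if __name__ == "__main__":
    for no, category, stmt in scan(SAMPLE_ABAP):
        print(f"line {no:3d}  {category:32s} {stmt}")
```

The backdoor rule is the one worth running first over all customer (Z/Y) code: a comparison of sy-uname against a literal has no legitimate purpose in production code, so every hit is either a test fragment that should have been removed or exactly what slide 73 describes.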
Slide 70: SAP security. 5. Log management

Slide 71: SAP attacks

Slide 72: Attacks
- It is very hard to make everything secure, so you need additional monitoring
- ACFE published a report about 7% revenue losses from fraud in the USA
- Examples that we saw: salary modification; material management fraud; mistakes

Slide 73: Backdoors in custom source code

Slide 74: SAP forensics
- Real attacks exist
- But there is not much public information
- Companies are not interested in publicizing a compromise
- But the main problem is this: how can you be sure there was no compromise?
- Only 10% of systems have the Security Audit Log enabled
- Only a few of them analyze those logs
- And far fewer do central storage and correlation

Slide 75: Log statistics (share of systems with the log enabled)
- Web access: 70%
- Security Audit Log: 10%
- Table logging: 4%
- Message Server: 2%
- SAP Gateway: 2%

Slide 76: Log types
- SAP Web Dispatcher security log
- SAP Web Dispatcher HTTP log
- SAProuter log
- SAP Gateway log
- SAP Message Server log
- SAP Message Server HTTP log
- SAP Security Audit Log
- ABAP user changes log
- ABAP table changes log
- ABAP document changes log
- Trace files

Slide 77: SAP security logs

  Name                             Default   Central storage
  SAP Web Dispatcher security log  Enabled   No
  SAP Web Dispatcher HTTP log      Disabled  No
  SAProuter log                    Disabled  No
  SAP Gateway log                  Disabled  No
  SAP Message Server log           Disabled  No
  SAP Message Server HTTP log      Disabled  No
  SAP Security Audit Log           Disabled  CCMS (?)
  ABAP user changes log            Enabled   No
  ABAP table changes log           Disabled  No
  ABAP document changes log        Disabled  No
  Trace files                      Disabled  No
  Developer trace                  Enabled   No

Slide 78: Defense
EAS-SEC: a resource that combines
- Guidelines for assessing enterprise application security
- Guidelines for assessing custom code
- Surveys about enterprise application security

Slide 79: Conclusion
- Critical networks are complex
- A system is as secure as its most insecure component
- Holistic approach
- Check out eas-sec.org
- Check out erpscan.com
More informationSECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS
SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS Contents Introduction...3 1. Research Methodology...4 2. Executive Summary...5 3. Participant Portrait...6 4. Vulnerability Statistics...8 4.1.
More informationSAP Audit Guide for Basis
SAP Audit Guide for Basis This audit guide is designed to assist the review of middleware components that support the administration and integration of SAP applications, commonly referred to as SAP Basis.
More informationHow NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity
How NSFOCUS Protected the G20 Summit Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity SPONSORED BY Rosefelt is responsible for developing NSFOCUS threat intelligence and web
More informationSAP Security anno Tim Lynen, Manager axl & trax 2017
SAP Security anno 2017 Tim Lynen, Manager axl & trax 2017 Agenda Introduction axl & trax Importance of landscape security Where to start Top items to focus on Security in the organization Q&A Introduction
More informationA crushing blow at the heart of SAP s J2EE Engine.
Invest in security to secure investments A crushing blow at the heart of SAP s J2EE Engine. Alexander Polyakov CTO ERPScan Me CTO of the ERPScan company Head of DSecRG (research subdivision) Architect
More informationXerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers
Xerox FreeFlow Print Server Security White Paper Secure solutions for you and your customers Executive Summary Why is security more important than ever? New government regulations have been implemented
More informationMcAfee Database Security
McAfee Database Security Sagena Security Day 6 September 2012 September 20, 2012 Franz Hüll Senior Security Consultant Agenda Overview database security DB security from McAfee (Sentrigo) VMD McAfee Vulnerability
More informationDevice Discovery for Vulnerability Assessment: Automating the Handoff
Device Discovery for Vulnerability Assessment: Automating the Handoff O V E R V I E W While vulnerability assessment tools are widely believed to be very mature and approaching commodity status, they are
More informationIn The Middle of Printers The (In)Security of Pull Prin8ng Solu8ons. Jakub Kałużny. SecuRing
In The Middle of Printers The (In)Security of Pull Prin8ng Solu8ons Jakub Kałużny SecuRing #whoami IT Security Consultant at SecuRing Consul8ng all phases of SDLC Previously worked for ESA and online money
More informationCompliance Audit Readiness. Bob Kral Tenable Network Security
Compliance Audit Readiness Bob Kral Tenable Network Security Agenda State of the Market Drifting Out of Compliance Continuous Compliance Top 5 Hardest To Sustain PCI DSS Requirements Procedural support
More informationSurprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS
Surprisingly Successful: What Really Works in Cyber Defense John Pescatore, SANS 1 Largest Breach Ever 2 The Business Impact Equation All CEOs know stuff happens in business and in security The goal is
More informationAZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments
AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES To Secure Azure and Hybrid Cloud Environments Introduction Cloud is at the core of every successful digital transformation initiative. With cloud comes new
More informationTenable for Palo Alto Networks
How-To Guide Tenable for Palo Alto Networks Introduction This document describes how to deploy Tenable SecurityCenter and Nessus for integration with Palo Alto Networks next-generation firewalls (NGFW).
More informationVULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED
AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5
More informationSecure Programming Techniques
Secure Programming Techniques Meelis ROOS mroos@ut.ee Institute of Computer Science Tartu University spring 2014 Course outline Introduction General principles Code auditing C/C++ Web SQL Injection PHP
More informationClick to edit Master text styles
Frederik Weidemann TITEL bearbeiten Dr. Markus Schumacher Five years of ABAP TM -Code-Reviews A retrospective 2011 2012 Virtual Forge GmbH www.virtualforge.com All rights reserved. TITEL About bearbeiten
More informationCyber Security and Power System Communica4ons Essen4al Parts of a Smart Grid Infrastructure. Talal El Awar
Cyber Security and Power System Communica4ons Essen4al Parts of a Smart Grid Infrastructure Author: Goran N. Ericsson, Senior Member, IEEE Talal El Awar Submi.ed in Par3al Fulfillment of the Course Requirements
More informationE-BOOK / JAVA ENTERPRISE FOR SAP
28 October, 2017 E-BOOK / JAVA ENTERPRISE FOR SAP Document Filetype: PDF 137.98 KB 0 E-BOOK / JAVA ENTERPRISE FOR SAP Enterprise Java for SAP. [Austin Sincock] -- Annotation Employees of a company using
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationTopics. Ensuring Security on Mobile Devices
Ensuring Security on Mobile Devices It is possible right? Topics About viaforensics Why mobile security matters Types of security breaches and fraud Anticipated evolution of attacks Common mistakes that
More informationSAP* Administration-Practical Guide
Sebastian Schreckenbach SAP* Administration-Practical Guide., Galileo Press i Bonn 1.1 Tasks of a System Administrator 23 1.2 Guiding Principles for System Administrators 25 1.3 Definitions 32 1.4 Summary
More informationCybersecurity Today Avoid Becoming a News Headline
Cybersecurity Today 2017 Avoid Becoming a News Headline Topics Making News Notable Incidents Current State of Affairs Common Points of Failure Three Quick Wins How to Prepare for and Respond to Cybersecurity
More informationUsing the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway
Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest
More informationSql Injection Attacks And Defense
We have made it easy for you to find a PDF Ebooks without any digging. And by having access to our ebooks online or by storing it on your computer, you have convenient answers with sql injection attacks
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes July 01 In July, SAP released a crucial update for a vulnerability in the Archiving Workbench originally patched in February 011. Note 1561545 contains
More informationCyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory
CyberArk Solutions for Secured Remote Interactive Access Addressing NERC Remote Access Guidance Industry Advisory Table of Contents The Challenges of Securing Remote Access.......................................
More informationVirtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC
Virtualization Security & Audit John Tannahill, CA, CISM, CGEIT, CRISC jtannahi@rogers.com Session Overview Virtualization Concepts Virtualization Technologies Key Risk & Control Areas Audit Programs /
More informationCybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016
Cybersecurity: Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda Key Risks Incorporating Internal Audit Resources Questions 2 San Francisco
More informationSAP NetWeaver Performance and Availability
SAP NetWeaver Performance and SAP NetWeaver Performance and During the discovery process, the mapping of monitored elements is created, based on your SAP landscape. If you have both J2EE and R/3 stacks
More informationCyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory
CyberArk Solutions for Secured Remote Interactive Access Addressing NERC Remote Access Guidance Industry Advisory Table of Contents The Challenges of Securing Remote Access 3 Using CyberArk s Privileged
More informationThreat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved
Threat Modeling for System Builders and System Breakers!! Dan Cornell! @danielcornell Dan Cornell Dan Cornell, founder and CTO of Denim Group Software developer by background (Java,.NET, etc) OWASP San
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationManaged Application Security trends and best practices in application security
Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B
More informationPRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT. Eoin Woods,
PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT Eoin Woods, Endava @eoinwoodz BACKGROUND Eoin Woods CTO at Endava (technology services, ~4000 people) 10 years in product development - Bull, Sybase,
More informationVulnerabilities in online banking applications
Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison
More informationHow were the Credit Card Numbers Published on the Web? February 19, 2004
How were the Credit Card Numbers Published on the Web? February 19, 2004 Agenda Security holes? what holes? Should I worry? How can I asses my exposure? and how can I fix that? Q & A Reference: Resources
More informationCompu&ng Services Strengthening Authen&ca&on. October 2016
Compu&ng Services Strengthening Authen&ca&on October 2016 ID and password pair is the sole means of authen4ca4ng access AUTHENTICATION Current State o Email o File storage o Enterprise applica1ons (including
More informationMeeting PCI DSS 3.2 Compliance with RiskSense Solutions
Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business
More information16th Annual Karnataka Conference
16th Annual Karnataka Conference GRC Compliance to Culture JULY 19 & 20, 2013 Topic OWASP Top 10 An Overview Speakers Akash Mahajan & Tamaghna Basu OWASP Top 10 An Overview The Open Web Application Security
More informationIs Your z/os System Secure?
Ray Overby Key Resources, Inc. Info@kr-inc.com (312) KRI-0007 A complete z/os audit will: Evaluate your z/os system Identify vulnerabilities Generate exploits if necessary Require installation remediation
More informationYou ve got mail Owning an SAP running business via
You ve got mail Owning an SAP running business via email Agenda Introduction State of SAP security Mail & SAP Vulnerabilities Solutions Introduction Company specialised in securing SAP systems and infrastructures
More informationNOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect
NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should
More informationThe Realities of Data Security and Compliance: Compliance Security
The Realities of Data Security and Compliance: Compliance Security Ulf Mattsson, CTO, Protegrity Ulf.mattsson @ protegrity.com Bio - A Passion for Sailing and International Travel 2 Ulf Mattsson 20 years
More informationCOSC 310: So*ware Engineering. Dr. Bowen Hui University of Bri>sh Columbia Okanagan
COSC 310: So*ware Engineering Dr. Bowen Hui University of Bri>sh Columbia Okanagan 1 Admin A2 is up Don t forget to keep doing peer evalua>ons Deadline can be extended but shortens A3 >meframe Labs This
More informationWhat are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards
PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,
More informationTrust Eleva,on Architecture v03
Trust Eleva,on Architecture v03 DISCUSSION DRAFT 2015-01- 27 Andrew Hughes 1 Purpose of this presenta,on To alempt to explain the Trust Eleva,on mechanism as a form of ALribute Based Access Control To
More informationObjec&ves. Review: Security. Google s AI is wri&ng poetry SQL INJECTION ATTACK. SQL Injec&on. SQL Injec&on. Security:
Objec&ves Security: Ø Injec&on a6acks Ø Cross-site scrip&ng Ø Insecure direct object reference Group photo Review: Security Why has the Web become such a huge target? How can you protect against security
More informationInternet Scanner 7.0 Service Pack 2 Frequently Asked Questions
Frequently Asked Questions Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions April 2005 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Internet Security Systems (ISS)
More informationSQL Injec*on. By Robin Gonzalez
SQL Injec*on By Robin Gonzalez Some things that can go wrong Excessive and Unused Privileges Privilege Abuse Input Injec>on Malware Week Audit Trail Other things that can go wrong Storage Media Exposure
More informationVANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER
VANGUARD INSURANCE INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to
More informationCipherCloud CASB+ Connector for ServiceNow
ServiceNow CASB+ Connector CipherCloud CASB+ Connector for ServiceNow The CipherCloud CASB+ Connector for ServiceNow enables the full suite of CipherCloud CASB+ capabilities, in addition to field-level
More informationSpecialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting
More information