Invest in security to secure investments. Implemen'ng SAP security in 5 steps. Alexander Polyakov. CTO, ERPScan

Transcription

1 Invest in security to secure investments Implemen'ng SAP security in 5 steps Alexander Polyakov. CTO, ERPScan

2 About ERPScan The only 360- degree SAP security solu'on: ERPScan Security Monitoring Suite for SAP Leader by the number of acknowledgments from SAP ( 150+ ) 60+ presenta=ons at key security conferences worldwide 25 awards and nomina=ons Research team 20 experts with experience in different areas of security Headquarters in Palo Alto (US) and Amsterdam (EU) 2

3 Large enterprise sectors Oil & Gas Manufacturing Logis'cs Finance Nuclear Power Retail Telecommunica'on etc. 3

4 Business applica=ons The role of business applica'ons in a typical work environment The need to control them to op'mize business processes Scope for enormous reduc'on in resource overheads and other direct monetary impact Poten'al problems that one can t overlook The need to reflect on security aspects is it overstated? Why is it a REAL and existent risk? 4

5 What can the implica=ons be? Espionage The^ of financial informa'on Corporate secret and informa'on the^ Supplier and customer list the^ HR data the^ Sabotage Denial of service Tampering of financial records and accoun'ng data Access to technology network (SCADA) by trust rela'ons Fraud False transac'ons Modifica'on of master data 5

6 SAP The most popular business applica'on More than customers worldwide 83% Forbes 500 companies run SAP Main system ERP Main pla}orms SAP NetWeaver ABAP SAP NetWeaver J2EE SAP BusinessObjects SAP HANA SAP Mobile Pla}orm (SUP) Вставьте рисунок на слайд, скруглите верхний левый и нижний правый угол (Формат Формат рисунка), добавьте контур (оранжевый, толщина 3) 6

7 SAP security Complexity Complexity kills security. Many different vulnerabili'es in all levels, from network to applica'on Customiza=on Cannot be installed out of the box. A lot of (up to 50 %) custom code and business logic Risky Rarely updated because administrators are scared of crashes and down'me Unknown Mostly available inside the company (closed world) hƒp://erpscan.com/wp- content/uploads/pres/forgoƒen%20world%20- %20Corporate%20Business%20Applica'on%20Systems%20Whitepaper.pdf 7

8 Securing SAP Have budget Find people and tools Don t have budget Try to show business how cri'cal it is 8

9 Ask 3 rd par=es for Whitepapers Webinars from experts SAAS scanning of external- facing systems SAP penetra'on tes'ng Deep SAP security assessment 9

10 SAP security 1. Pentes'ng and Audit 10

11 Pentest Pentest anonymous scan for SAP vulnerabili=es and ways to exploit them Analysis of exposed services (more than 20 possible) BlackBox analysis of installed applica'ons and vulnerabili'es Exploita'on of found vulnerabili'es Privilege escala'on Presenta'on report for management ü Pentest can be a star'ng point for an SAP security project ü Pentest can also be a final test a^er implementa'on 11

12 Analysis of running services Scan an external company network for SAP services Scan internal SAP systems from the user or guest network Scan internal SAP systems from the admin network 12

13 Remotely exposed services Exposed services 2011 Exposed services SAP HostControl SAP Dispatcher SAP MMC SAP Message Server hƒpd SAP Message Server SAP Router 13

14 Internal access Only these services should be open for user access Dispatcher or Message Server Gateway (for some users) ICM (for some users, if used) 14

15 Pentest JAVA Examples of vulnerabili=es Auth bypass in CTC Anonymous user crea'on Anonymous file read Informa'on disclosure Unauthorized access to KM documents 15

16 Pentest ABAP Examples of vulnerabili=es: Reginfo/Secinfo bypass Oracle database access bypass Buffer overflows Informa'on disclosure about files in MMC Unauthorized access to log files Injec'on of OS commands in SAPHostControl Dangerous web services Informa'on disclosure of parameters in Message Server HTTP 16

17 Full SAP security assessment BlackBox vulnerability scan Penetra'on tes'ng WhiteBox configura'on scan Configura'on analysis Access control checks SAP Security Notes analysis Password complexity checks (bruteforce) 17

18 Configura=on analysis Authen'ca'on (Password policies, SSO, users by different criteria) Access control (Access to different web services, tables, transac'ons, insecure test services, unnecessary transac'ons and web applica'ons) Encryp'on (SSL and SNC encryp'on) Monitoring (security audit log, system log and others) Insecure configura'on(all other security checks for par'cular services: Gateway, Message Server, ITS, SAPGUI, Web Dispatcher, MMC, Host Control, Portal) 18

19 Access control Users with cri'cal profiles Users with cri'cal roles Users with access to cri'cal tables Users with access to transport Users with access to development Users with access to user administra'on Users with access to system administra'on Users with access to HR func'ons Users with access to CRM func'ons Specific access control checks for industry solu'ons 19

20 Vulnerability scan Check for latest component versions Check for missing SAP Security Notes Correlate patches with SAP Security Notes Exploit vulnerabili'es to check if they really exist Risk management 20

21 SAP security 2. Compliance 21

22 Compliance First of all, choose the one you want Technical EAS- SEC SAP NetWeaver ABAP Security Configura'on ISACA (ITAF) DSAG Industry PCI DSS NERC CIP 22

23 SAP security Why do we need a new guide? 23

24 3 areas of Business Applica=on Security Business logic security (SoD) Prevents a4acks or mistakes made by insiders Custom code security Prevents a4acks or mistakes made by developers Applica=on pla^orm security Prevents unauthorized access both by insiders and remote a4ackers 24

25 Security guidelines For web, we have OWASP, WASC For network and OS, we have NIST, SANS But what about Enterprise Business Applica'ons? 25

26 Why? (1) Ques'ons like "why?" and "what for?" are the alpha and omega of every research The most frequent ques'on we were asked: Guys, you are awesome! You are doing a great job so far, finding so many problems in our installacons. It's absolutely fantascc, but we don t know where to start solving them. Could you provide us with top 10/20/50/100/[your favorite number] most criccal bugs in every area? 26

27 Why? (2) We had to do something completely different from just Top 10 most cri'cal bugs Even if you patch all vulnerabili'es, lots of problems could s'll remain: access control, configura'on, logs The number one challenge is to understand all security areas of EAS and to have the opportunity to select several most cri'cal issues for every area 27

28 Why? (3) We started to analyze the exis'ng guidelines and standards High level policies: NIST,SOX,ISO,PCI- DSS Technical guides: OWASP, WASC, SANS 25, CWE SAP guides: o Configura'on of SAP NetWeaver Applica'on Server Using ABAP by SAP o ISACA Assurance (ITAF) by ISACA o DSAG by German SAP User Group Those standards are great, but, unfortunately, all of them have at least one big disadvantage 28

29 SAP security guidelines Guidelines made by SAP First official SAP guide for technical security of ABAP stack Secure Configura'on of SAP NetWeaver Applica'on Server Using ABAP First version in 2010, version 1.2 in

30 SAP security guidelines For rapid assessment of the most common technical pla}orm misconfigura'ons Consists of 9 areas and 82 checks Ideal as a second step, gives more details for some standard EAS- SEC areas h4p:// f0d2445f- 509d- 2d10-6fa7-9d fee?overridelayout=true 30

31 SAP security guidelines Advantages: Very brief but quite comprehensive (only 9 pages) Covers applica'on pla}orm issues Applicable for every ABAP based pla}orm (either ERP or Solu'on Manager or HR) Disadvantages: 82 checks is s'll a lot for a first brief look on secure configura'on Doesn t cover access control issues and logging and misses some things even in pla}orm security Gives people false sense of security if they cover all checks. But it wouldn t be completely true 31

32 ISACA Assurance (ITAFF) Guidelines made by ISACA Checks cover configura'on and access control areas The first most complete compliance There were 3 versions published in 2002, 2006, 2009 (some areas are outdated now) 32

33 ISACA Assurance (ITAFF) Technical part covers incomplete access control info and misses some cri'cal areas The biggest advantage is the big database of access control checks Consists of 4 parts and more than 160 checks Ideal as a third- step- guide and very useful for its detailed coverage of access control 33

34 ISACA Assurance (ITAFF) Advantages: Detailed coverage of access control checks Disadvantages: Outdated Technical part is missing Too many checks, can t be easily used by a non- SAP specialist Can t be applied to any system without prior understanding of the business processes Is officially available only as part of the book, or you should be at least an ISACA member to get it 34

35 DSAG Set of recommenda'ons from Deutsche SAP Uses Group Checks cover all security areas, from technical configura'on and source code to access control and management procedures Currently the biggest guideline about SAP security 35

36 DSAG Last version in Jan 2011 Consists of 8 areas and 200+ checks Ideal as a final step for securing SAP but consists of many checks which needs addi'onal decision making (highly depends on the installa'on) h4p:// _Lei[aden_Datenschutz_Englisch_final.pdf 36

37 DSAG Advantages: Ideal as a final step for securing SAP. Great for SAP security administrators, covers almost all areas Disadvantages: Same as ISACA: too big for a starter, and no help at all for security people who are not familiar with SAP Can t be directly applied to every system without prior understanding of business processes. Many checks are recommenda'ons, and the users should think for themselves if they are applicable in each case 37

38 Compliance 38

39 EAS- SEC The authors' efforts were: to make this list as brief as possible to cover the most cri'cal threats for each area to make it easily used not only by SAP/ERP security experts but by every security specialist to provide comprehensive coverage of all cri'cal SAP security areas At the same 'me, to develop the most complete guide would be a never- ending story So we implemented the 80/20 rule for SAP security 39

40 EAS- SEC Developed by ERPScan First release 2010 Second edi'on 2013 (hƒp://eas- sec.org ) 3 main areas Implementa'on assessment Code review Awareness Rapid assessment of Business Applica'on security 40

41 EASSEC Implementa=on Assessment EASSEC- PVAG Access Cri=cality Easy to % of exploit vulnerable systems 1. Lack of patch management Anonymous High High 99% 2. Default passwords for applica'on access Anonymous High High 95% 3. Unnecessary enabled func'onality Anonymous High High 90% 4. Open remote management interfaces Anonymous High Medium 90% 5. Insecure configura'on Anonymous Medium Medium 90% 6. Unencrypted communica'on Anonymous Medium Medium 80% 7. Access control and SOD User High Medium 99% 8. Insecure trust rela'ons User High Medium 80% 9. Logging and monitoring Administrator High Medium 98% 41

42 EAS- SEC for SAP NetWeaver ABAP Enterprise ApplicaCon Systems ApplicaCon ImplementaCon NetWeaver ABAP Developed by ERPScan: First standard in the EAS- SEC series Published in 2013 hƒp://erpscan.com/publica'ons/the- sap- netweaver- abap- pla}orm- vulnerability- assessment- guide/ Rapid assessment of SAP security in 9 areas Contains 33 most cri'cal checks Ideal as a first step Also contains informa'on for next steps Categorized by priority and cri'cality 42

43 EAS- SEC for NetWeaver (EASSEC- PVAG- ABAP) Enterprise ApplicaCon Systems Vulnerability Assessment for NetWeaver ABAP First standard in the EAS- SEC series Rapid assessment of SAP security in 9 areas Contains 33 most cri'cal checks Ideal as a first step Also contains informa'on for next steps Categorized by priority and cri'cality 43

44 Lack of patch management [EASAI- NA- 01] Component updates [EASAI- NA- 02] Kernel updated What s next: Other components should be be updated separately SAProuter, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects. Also, OS and database 44

45 Default passwords [EASAI- NA- 03] Default password check for user SAP* [EASAI- NA- 04] Default password check for user DDIC [EASAI- NA- 05] Default password check for user SAPCPIC [EASAI- NA- 06] Default password check for user MSADM [EASAI- NA- 07] Default password check for user EARLYWATCH What s next: A couple of addiconal SAP components, like old versions of SAP SDM and SAP ITS, have default passwords. Ajer you check all default passwords, you can start bruteforcing for simple passwords 45

46 Unnecessary enabled func=onality [EASAI- NA- 08] Access to RFC- func'ons using SOAP interface [EASAI- NA- 09] Access to RFC- func'ons using FORM interface [EASAI- NA- 10] Access to XI service using SOAP interface What s next: Analyze about 1500 other services which are remotely enabled to see if they are really needed. Disable unused transaccons, programs and reports 46

47 Open remote management interfaces [EASAI- NA- 11] Unauthorized access to SAPControl service [EASAI- NA- 12] Unauthorized access to SAPHostControl service [EASAI- NA- 13] Unauthorized access to Message Server service [EASAI- NA- 14] Unauthorized access to Oracle database What s next: Full list of SAP services is available here: TCP/IP Ports Used by SAP ApplicaCons. Also, take care of 3 rd party services which can be enabled on this server 47

48 Insecure configura=on [EASAI- NA- 15] Minimum password length [EASAI- NA- 16] User locking policy [EASAI- NA- 17] Password compliance to current standards [EASAI- NA- 18] Access control to RFC (reginfo.dat) [EASAI- NA- 19] Access control to RFC (secinfo.dat) What s next: First of all, look to Secure ConfiguraCon of SAP NetWeaver ApplicaCon Server Using ABAP for detailed configuracon checks. Ajerwards, pass through detailed documents for each and every SAP service and module h4p://help.sap.com/saphelp_nw70/helpdata/en/8c/ 2ec59131d7f84ea514a67d628925a9/frameset.htm 48

49 Access control and SoD conflicts [EASAI- NA- 20] Users with SAP_ALL profile [EASAI- NA- 21] Users which can run any program [EASAI- NA- 22] Users which can modify cri'cal table USR02 [EASAI- NA- 23] Users which can execute any OS command [EASAI- NA- 24] Disabled authoriza'on checks What s next: There are at least 100 criccal transaccons only in BASIS and approximately the same number in any other module. Detailed informacon can be found in ISACA guidelines. Ajer that, you can start SegregaCon of DuCes 49

50 Unencrypted connec=ons [EASAI- NA- 25] Use of SSL for securing HTTP connec'ons [EASAI- NA- 26] Use of SNC for securing SAP GUI connec'ons [EASAI- NA- 27] Use of SNC for securing RFC connec'ons What s next: Even if you use encrypcon, check how it is configured for every encrypcon type and for every service because there are different complex configuracons for each encrypcon type. For example, the latest a4acks on SSL (BEAST and CRIME) require companies to use more complex SSL configuracons 50

51 Insecure trusted connec=ons [EASAI- NA- 28] RFC connec'ons with stored authen'ca'on data [EASAI- NA- 29] Trusted systems with lower security What s next: Check other ways to get access to trusted systems, such as database links, use of the same OS user, or use of similar passwords for different systems 51

52 Logging and monitoring [EASAI- NA- 30] Logging of security events [EASAI- NA- 31] Logging of HTTP requests [EASAI- NA- 32] Logging of table changes [EASAI- NA- 33] Logging of access to Gateway What s next: There are about 30 different types of log files in SAP. Upon properly enabling the main ones, you should properly configure complex opcons, such as which specific tables to monitor for changes, what kind of events to analyze in security events log, what types of Gateway a4acks should be collected. Next step is to enable their centralized colleccon and storage and then add other log events 52

53 Results 53

54 Awareness SAP Security in Figures 2011 SAP Security in Figures vulnerabili'es in SAP SAP Security in Figures 2014 (coming soon) 54

55 SAP security 3. Internal security and SoD 55

56 Internal security Simple steps and sta's'cs Cri'cal access Segrega'on of Du'es Op'miza'on and maintenance 56

57 Simple steps Analyze sta's'cs Number of users in a role o 0 Role is not used o >100 Divide into different roles, check for cri'cal authoriza'ons Number of authoriza'ons in a role Number of authoriza'on objects in a role 57

58 Cri=cal access There are different areas: HR, Basis, Fixed Assets, Material Management Each of those roles has a list of cri'cal transac'ons and authoriza'ons (available in ISACA guidelines) First of all, decrease the number of cri'cal roles For example, users who can only modify the table USR02 can do everything they want! 58

59 Example of ac=ons and transac=ons 59

60 Cri=cal access op=miza=on Obtain the list of roles with cri'cal access to par'cular transac'ons Minimize roles Obtain the list of users with cri'cal access to par'cular transac'ons Sort them by type/locking status/etc. Exclude administrators and superusers (and minimize them) Minimize users 60

61 SoD analysis Use default templates or customize them Obtain the list of business roles in a company Obtain the list of ac'ons in a par'cular role Assign transac'ons and authoriza'on objects to ac'ons Create or modify matrix (add risk values) 61

62 Business roles and ac=ons 62

63 Risk values 63

64 Analyzing SoD results Result: List of users with cri'cal conflicts List of roles with cri'cal conflicts Solving: Obtain roles with maximum number of segrega'ons Op'mize them Obtain users with maximum number of segrega'ons Op'mize them 64

65 Op=miza=on You will get thousands of conflicts the first 'me How to solve them quickly: Exclude all administrators (SAP_ALL) Look at HOW exactly rights are assigned (all * values should be excluded) Look at the history of executed transac'ons 65

66 SAP security 4. Source code security 66

67 ABAP SAP uses ABAP, JAVA, and XSJX (for HANA) ABAP, as any other language, can have vulnerabili'es It can also be used for wri'ng backdoors Development inside the company is almost uncontrolled Developer access to system == god in SAP 67

68 Source code review EASAD- 9 standard from a series of standards designed for Enterprise Applica'on Systems Security Assessment (EAS- SEC) Full name: Enterprise Applica'on Systems Applica'on Development Describes 9 areas of source code issues for business languages Universal categories for different languages and systems (SAP, Oracle, Dynamix, Infor, ) Categorized based on cri'cality and exploita'on probability 68

69 EASAD 9 categories 1. Code injec'ons 2. Cri'cal calls 3. Missing authoriza'on checks 4. Path traversal 5. Modifica'on of displayed content 6. Backdoors 7. Covert channels 8. Informa'on disclosure 9. Obsolete statements 69

70 SAP security 5. Log management 70

71 SAP aeacks 71

72 Aeacks It is very hard to make everything secure, so you need addi'onal monitoring ACFE published a report about 7 % revenue losses from fraud in the USA Examples that we saw: Salary modifica'on Material management fraud Mistakes 72

73 Backdoors in custom source code 73

74 SAP forensics Real aƒacks exist But there is not so much public info Companies are not interested in the publica'on of compromise But the main problem is here: How can you be sure there was no compromise? Only 10% of systems have Security Audit Log enabled Only a few of them analyze those logs And much fewer do central storage and correla'on 74

75 Log sta=s=cs Web access 70% Security audit log 10% Table logging 4% Message Server 2% SAP Gateway 2% 75

76 Log types SAP Web Dispatcher Security log SAP Web Dispatcher HTTP log SAProuter log SAP Gateway log SAP Message Server log SAP Message Server HTTP Log SAP security audit log ABAP user changes log ABAP table changes log ABAP document changes log Trace files 76

77 SAP Security Logs Name Default Central storage SAP Web Dispatcher Security Log Enabled No SAP Web Dispatcher HTTP log Disabled No SAProuter log Disabled No SAP Gateway log Disabled No SAP Message Server log Disabled No SAP Message Server HTTP log Disabled No SAP security audit log Disabled CCMS? ABAP user changes log Enabled No ABAP table changes log Disabled No ABAP document changes log Disabled No Trace files Disabled No Developer trace Enabled No 77

78 Defense EAS- SEC: Recourse which combines Guidelines for assessing enterprise applica'on security Guidelines for assessing custom code Surveys about enterprise applica'on security 78

79 Conclusion Cri'cal networks are complex System is as secure as its most insecure component Holis'c approach Check out eas- sec.org Check out erpscan.com 79