About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).

Transcription

1

2 About the company 2 What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).

3 Agenda 3 Building a business case for SAP Vulnerability Management How to start off: roles, responsibilities and process? How to talk to the board about SAP security?

4 Introduction Building a business case for SAP Vulnerability Management

5 Business Applications Under Attack 5 All business processes are generally automated by ERP systems Information valuable to cybercriminals, industrial spies and competitors is stored in a company s ERP. This information includes: financial reports, customer data, public relation materials, intellectual property documents, personally identifiable information. Industrial espionage, sabotage and fraud or insider embezzlement procedures will be merely untraceable being executed in cybersecurity space of ERP system.

6 Problem 6 SAP is owned and managed by business Businesses rarely care about security (only SoD) CISO s sometimes don t even know about SAP CISO s care about infrastructure security But if a breach happens, they ll be blamed for lack of care Our mission is to close this gap

7 SAP Security Notes vulnerability risk level number of vulnerabilities

8 Latest news 8

9 SAP Cybersecurity Framework 9

10 Vulnerability Management Data Flows 10

11 Building business case Present SAP specific cybersecurity risks 2. Implement SAP Vulnerability Management Process 3. Develop metrics and demonstrate results

12 SAP Security Risks Security controls (ensuring CIA) unreliability caused by o o Weak passwords Lack of authorization checks 2. Execution of fraudulent business transactions caused by o o Unnecessary functionality enabled SAP application vulnerabilities 3. Compliance violation caused by o Specific configuration requirements

13 SAP Vulnerabilities 13 Vulnerability Type Misconfigurations Application Vulnerabilities Code Vulnerabilities Access Control Vulnerabilities Examples Allow Dynamic Query is enabled for migrated data servers Remote command execution in SAP HANA TREXNet protocol without authorization Hardcoded s, code injection and missing authorization checks Fraud scenario Redirected Payment : change a vendor bank, wait for payment or make a payment and then change a vendor bank back

14 Vulnerability Management 14

15 Vulnerability Management Metrics 15 SAP systems exposure response (mitigation) time labor and monetary costs state of compliance to standards

16 Agenda 16 Building a business case for SAP Vulnerability Management How to start off: roles, responsibilities and process? How to talk to the board about SAP security?

17 How to start off Roles, responsibilities and process

18 Vulnerability Management Identify Assets and Schedule Vulnerability Assessments: o Inventory of Assets o Scan Profiles o Scan Plan 2. Scan Vulnerabilities o Vulnerability Reports 3. Analyze Vulnerabilities and Recommend Remediations o Vulnerability Risk Assessment o Remediation Plan 4. Test and Deploy Remediations o Remediation Completion Report 5. Verify Remediations and Report o Executive Report

19 1.1 Inventory of Assets 19 System ID Purpose Interconnected Systems System Criticality Responsibili ty System Type Application Servers Clients Platform DM0 Supply chain management Internal: ERP, Internet: no; ICS: no; Partners: Partner1, Partner2 Mobile: no High John F. K. PROD :PRD SAP SCM 5.0 (NetWeaver AS 7.1 ABAP) ERP Enterprise Resource Planning Internal: HR1, HR2 Internet: no ICS: MES System Partners: no Mobile: no Low Mike. PROD :PRD SAP ECC 6.0 NetWeaver AS 7.3 ABAP CRM Customer Relationship management Internal: ERP Internet: yes ICS: no Partners: no Mobile: no Very High PROD :PRD SAP CRM 6.0 NetWeaver AS ABAP 7.0

20 1.1 Inventory of Assets. Demo 20

21 1.2 Scan Profiles 21 Technical Compliance of SAP system is its state of meeting the ITrelated requirements PCI DSS 3.2 ISO 27001:2013 Technical Check 1 DSAG Authority Document Control Technical Check 2 SAP security guidelines ISACA security guidelines Technical Check n

22 1.2 Scan Profiles. Demo 22

23 1.3 Scan Plan 23 Asset Date Time Frequency DM :00 Quarterly: Q1, Q2, Q3, Q4 EPR :00 Quarterly: Q1, Q2, Q3, Q4 CRM :00 Quarterly: Q1, Q2, Q3, Q4

24 3. Analyze Vulnerabilities and Recommend Remediations 24 Constraints and requirements (example): Duration: not more than 60 days Vulnerability risk level: medium and higher Allowed remediation types: No kernel patch Tasks: 1. Prioritizing vulnerabilities 2. Filtering vulnerabilities Outcome: Remediation Plan

25 3.1 Requirements and constraints System ID DM0 ERP Relevant Adversaries Internal attacker without rights in the system Internal attacker with rights Vulnerability Types Vulnerability Risk Level All except Medium and code and higher access control Allowed Remediation Types All except patch install All High All except configuration changes Maximum Level of Remediation Effort High and lower Maximum period of downtime Applicable Authority Documents Results of Filtering 2 hours 678 (66%) from 1023 vulnerabilities were filtered out: High risk: 5 Medium risk: 73 Low risk: 600 Any 8 hours NERC-CIP 215 (17%) from 1500 vulnerabilities were filtered out: High risk: 215 Medium risk: 30 Low risk: CRM External attacker All All All Any 1 hour PCI DSS (52%) from 600 vulnerabilities were filtered out: High risk: 15 Medium risk: 100 Low risk: 200

26 3.2 Prioritization 26 Check ID Vulnerability Description Vulnerability Type Vulnerability Risk External Usage Count of SAP systems with the vulnerability High Medium Low Vulnerability Priority SSEA_ SSCA_00130 SSCA_00223 SSCA_01082 SSCA_00009 SSCA_00143 External RFC server registration SSL encryption for ICM connections Central application server that maintains the system log Use of a weak password hashing (H version of hashing) Minimum number of letters in a password Enable login with external identity by RFC Misconfiguration High Yes Misconfiguration Medium Yes Misconfiguration Medium Yes Misconfiguration Medium No Misconfiguration Medium No Misconfiguration Medium No

27 3.3 Filtration. DM0. Constraints 27 Characteristic Values Constraint Rationale Results of Filtering Vulnerability Type Application vulnerability Misconfiguration Code vulnerability Access control Application vulnerabilities and misconfigurations Code vulnerabilities are irrelevant due to the lack of custom development 78 (8%) from 1023 vulnerabilities were filtered out: High risk: 5 Medium risk: 73 Vulnerability risk Very High High Medium Low Medium and higher 600 (59%) from 1023 vulnerabilities were filtered out: Low risk: 600 Maximum Level of Remediation Effort Less than 30 hours Allowed Remediation Types All except patch install

28 3.3 Filtration. DM0. Relevant vulnerabilities 28 Vulnerability Type & Risk High Medium Low Misconfiguration Application Vulnerability Code Access Control % reduction

29 3.4 Remediation Plan. DM0 29 Remediation Priority Vulnerability Vulnerability Risk Remediation Type Remediation 1 SSEA_ : External RFC server registration An attacker can use an insecure RFC configuration for registering his own RFC server. As result he will be able to control and intercept client requests as well as to copy and change information High Update configuration Effort level: medium (~2d, downtime 4h) To resolve this issue, it is recommended to configure the RFC server correctly Links: RFC/ICF Security Guide 2 SSCA_00130: SSL encryption for ICM connections Medium Update configuration Set the icm/server_port_nn parameter to PROT=HTTPS instead of PROT=HTTP to decrease the possibility of an unauthorized access No encryption of network connection may lead to interception of transmitted data, thus to an unauthorized access. The HTTP protocol transmits all authentication data as a plain text, which allows to intercept it easily with the spoofing attack. Effort level: easy (~4h, downtime 2h) 3 SSCA_00223: Central application server that maintains the system log Incorrect permissions on this file in the operating system can allow an attacker to modify the contents of the file in such a way to hide his tracks. Medium Update configuration Effort level: easy (~4h, downtime 2h) The administrator of the operating system must correctly set the access rights to the file according to the principle of least privileges. Links: BOOK "Security, Audit and Control Features (SAP ERP 3rd edition)" p. 413 check DOC rslg/collect_daemon/host - Central Log Host

30 Outcomes 30 Inventory of Assets Scan Profiles Scan Plan Remediation Plan Executive Report List of assets in scope of the vulnerability management, technical details and descriptions List of security checks related to applicable information security standards and regulations List of assets and time at which vulnerability scans should be performed Description of SAP landscape, threat map, recommended remediations and action plans for each SAP system Report on performance SAP VM: security, compliance and remediation metrics

31 Agenda 31 Building a business case for SAP Vulnerability Management How to start off: roles, responsibilities and process? How to talk to the board about SAP security?

32 How to talk to the board?

33 What boards need to know? 33 Do we comply with security requirements? How protected are our most important assets against a cyber-attack? How high is a residual cyber risk, we have? What work related to remediation of cyber risk is in progress? What should we do next?

34 Executive Report. Summary 34 Title: SAP Vulnerability Management 2015 Dates: Goal: initial assessment of 40 SAP systems Conclusion: 1. Technical compliance increased in average by 10% 2. Vulnerability ratio (amount of vulnerabilities on host) decreased in average by 30% 3. Overall efforts amounted to 400 man/hours 4. There are still 100 vulnerabilities on high critical SAP systems, 50 on medium and 15 on low 5. Future goals: increase technical compliance on 10% for every standard and remediate all vulnerabilities with high risk 6. With current productivity, it will take 5 month of work for 2 employees

35 1. Technical Compliance. Authority Documents 35 RATIO OF SUCCESSFUL CHECKS BY STANDARD CIS CSC 50% 35% ISO 27001: % 50% PCI DSS 30% 40% -5% NIST 53 20%

36 1. Technical compliance. ISO27001: RATIO OF SUCCESSFUL CHECKS BY CONTROL CATEGORY Total Checks A.12 OPERATIONAL SECURITY 12, 65% 20% 18 A.9 ACCESS CONTROL 45, 45% 30% 100 A.13 COMMUNICATION SECURITY 14, 50% 5% 28 A.16 INFORMATION SECURITY INCEDENT MANAGEMENT 6, 45% 5% 13 A.6 ORGANIZATION OF INFORMATION SECURITY 23, 30% 10% 77 A.10 CRYPTOGRAPHY 22, 30% 10% 73 A.8 ASSET MANAGEMENT 25, 35% 5% 71 A.18 COMPLIANCE 23, 20% 15% 115 A.5 INFORMATION SECURITY POLICIES 17, 35% 0 49 A.7 HUMAN RESOURCES SECURITY 30, 20% 10% 150 A.15 SUPPLIER RELATIONSHIPS 15, 20% 10% 75 A.11 PHYSICAL AND ENVIRONMENTAL SECURITY A.17 INFORMATION SECUITY ASPECTS OF BUSINESS A.14 SYSTEM ACQUISITION, DEVELOPMENT AND 10, 20% 10% 20, 30% 0 34, 15% 0%

37 2. Security. Remediations by Risk Level 37 Vulnerability Risk Level Change High Medium Low

38 2. Security. Remediations by Vulnerability Type 38 Vulnerability Type Change Misconfiguration Application Vulnerability Code Access Control 5 4 1

39 Executive Report Future Plans 1. Current threat map 2. Remediation priorities Grouped by system Grouped by vulnerability 3. Productivity analysis 4. Goals 5. Conclusion

40 3. Future plans. Threat Map 40

41 3. Future Plans. Remediation priorities for SAP systems (TOP 10) 41 Priority SID Criticality Connectivity Total remediation efforts Total downtime Count of Vulnerabilities with different Risk Levels High Medium Low 1 PLM High SCADA ~ 500 hours 5 hours CR1 Low WEB ~ 150 hours ERP Medium - ~ 10 hours HR1 Low ERP, PLM FIN Low PLM DL0 Medium DL1 Medium DL2 Medium DL3 Medium DL4 Medium

42 3. Future Plans. Remediation priorities for vulnerabilities (TOP 5) 42 Priority Vulnerability Description Vulnerability Risk Remediati on Type Remediati on Effort Criticality of SAP systems with the vulnerability High Medium Low SAP Gateway authorization bypass Verb Tampering vulnerability Default password for user SAP* XSS vulnerability in config servlet MMC Server information disclosure High High Configure ACL change configuration Very High Low Very High User settings Medium Medium High Apply sapnote change configuration High High

43 3. Future Plans. Productivity analysis 43 Remediation Type Implemented remediations by Effort Amount Productivity by Effort Amount (Hours per a remediation) High Medium Low High Medium Low SAP Note installation h 5h Update a configuration setting 10 20h Install a kernel patch h Execute SQL command 10 20h Disable SAP Service 5 25 Total h 500h 45h

44 3. Future Plans. Compliance Goals Increase technical compliance by 10% for every standard 2. The goal implies: 10 high effort amount remediations 50 middle effort amount remediations 150 low effort amount remediations 3. Overall effort projection is 4 month for 2 employees

45 3. Future Plans. Security Goals Completely patch all TOP 10 SAP Systems: PLM, HR1, ERP, SCM, FIN, DL0, DL1, DL2, DL3, DL4 2. Remediate all vulnerabilities with high risks 3. The goals implies: 20 high effort remediation's 35 middle effort remediation's 100 low effort amount remediations 4. Overall effort projection is 3 month for 2 employees

46 3. Future Plans. Conclusion Technical compliance increased in average by 10% 2. Vulnerability ratio decreased in average by 30% 3. Overall efforts amounted to 400 man/hours 4. There are still 100 vulnerabilities on high critical SAP systems, 50 on medium and 15 on low 5. Future goals are to increase technical compliance on 10% for every standard and remediate all vulnerabilities with high risks 6. Maintaining the current productivity, it will take 7 months for 2 employees to do

47 Final Takeaways Operating SAP brings new risks 2. Vulnerabilities the raw data of security 3. Manage vulnerabilities to reach desired level of security

48 Thank you 48 Michael Rakutko Head of Professional Services USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA HQ Netherlands: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam