EAS- SEC: Framework for Securing Enterprise Business Applica;ons

Similar documents
EAS- SEC: Framework for Securing Enterprise Business ApplicaCons

Invest in security to secure investments. Implemen'ng SAP security in 5 steps. Alexander Polyakov. CTO, ERPScan

Alexander Polyakov. CTO at ERPScan

About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).

Invest in security to secure investments Oracle PeopleSo, applica.ons are under a3acks!

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

About ERPScan. ERPScan and Oracle. ERPScan researchers were acknowledged 20+ times during quarterly Oracle patch updates since 2008

Roadmap. How to implement GDPR in SAP?

A GLOBAL SURVEY Authors:

Inception of the SAP Platform's Brain Attacks on SAP Solution Manager

Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge

SAP, dos, dos, race conditions => rce. Dmitry Chastuhin, Dmitry Yudin

Invest in security to secure investments. Breaking SAP Portal. Alexander Polyakov CTO ERPScan Dmitry Chastuchin - Principal Researcher ERPScan

Onapsis: The CISO Imperative Taking Control of SAP

ERPSCAN SMART SOLUTIONS FOR GDPR COMPLIANCE BY MICHAEL RAKUTKO, HEAD OF PROFESSIONAL SERVICES

Exploiting new default accounts in SAP systems

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Rootkits and Trojans on Your SAP Landscape

SAP Security In-Depth

Top 10 Web Application Vulnerabilities

SCALE 15x (c) 2017 Ty Shipman

SAP Audit Guide for Basis

Easy and quick vulnerability hun5ng in Windows. Cesar Cerrudo CTO at IOAc5ve Labs

Symantec Data Loss Preven2on 12.5 Demo Presenta2on

Processed on SAP Solution Manager SSM Service Center Release EHP 1 for Solution Manager 7.0 Telephone Service Tool 701_2010_1 SP8 Fax

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

Exploiting new default accounts in SAP systems

A crushing blow at the heart of SAP s J2EE Engine.

SAP NetWeaver Performance and Availability

Pattern Recognition and Applications Lab WEB Security. Giorgio Giacinto.

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

GDPR ESSENTIALS END-USER COMPLIANCE TRAINING. Copyright 2018 Logical Operations, Inc. All rights reserved.

Click to edit Master text styles

SAP Security anno Tim Lynen, Manager axl & trax 2017

Application security : going quicker

ThinManager and FactoryTalk View SE. John Ter8n; ESE, Inc.

Attacks based on security configurations

Attacks to SAP. Web Applications Your crown jewels online. Mariano Nuñez Di Croce. DeepSec, Austria. November 18th,

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Security and Risk Management

Going Without CPU Patches on Oracle E-Business Suite 11i?

16th Annual Karnataka Conference

How to read security test report?

Insurance Industry - PCI DSS

New PCI DSS Version 3.0: Can it Reduce Breaches? Dharshan Shanthamurthy, CEO, SISA Informa2on Security Inc. Core Competencies C11

Forgotten World: Corporate Business Application Systems

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Threat modeling. Tuomas Aura T Informa1on security technology. Aalto University, autumn 2012

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

MIS 5121: Business Process, ERP Systems & Controls Week 9: Security: User Management, Segregation of Duties (SOD)

Layer Seven Security ADVISORY

McAfee Database Security

In The Middle of Printers The (In)Security of Pull Prin8ng Solu8ons. Jakub Kałużny. SecuRing

SAP* Administration-Practical Guide

Database Machine Administration v/s Database Administration: Similarities and Differences

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

Cyber Security and Power System Communica4ons Essen4al Parts of a Smart Grid Infrastructure. Talal El Awar

Layer Seven Security ADVISORY

SSRF VS. BUSINESS- CRITICAL

Reinvent Your 2013 Security Management Strategy

SO YOU THINK YOU ARE PROTECTED? THINK AGAIN! NEXT GENERATION ENDPOINT SECURITY

SAP MONITORING WITH PANDORA FMS

RAD, Rules, and Compatibility: What's Coming in Kuali Rice 2.0

Effective Strategies for Managing Cybersecurity Risks

You ve got mail Owning an SAP running business via

Integrigy Consulting Overview

Strengthening Cybersecurity Workforce Development December 2017

Security Operations & Analytics Services

SAP NetWeaver 04 Security Guide. Network and Communication Security

Automating the Top 20 CIS Critical Security Controls

Common Event Format Configuration Guide. ABAP-Experts.com // NCMI GmbH SecurityBridge Date: Thursday, January 12, 2017

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY. SAP Security Notes

MIS 5121:Business Processes, ERP Systems & Controls Week 13: Special System Access. Edward Beaver ff

SECURITY RISK METRICS: THE VIEW FROM THE TRENCHES. Alain Mayer CTO, RedSeal Systems

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

PBXact UC. March

Improve Internal Controls with Governance, Risk, and Compliance Solutions

Host Hardening Achieve or Avoid. Nilesh Kapoor Auckland 2016

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Bill Wear. VirtualVault Product Manager. Internet Banking Case Study

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

CCW Workshop Technical Session on Mobile Cloud Compu<ng

Objec&ves. Review: Security. Google s AI is wri&ng poetry SQL INJECTION ATTACK. SQL Injec&on. SQL Injec&on. Security:

Sql Injection Attacks And Defense

Intercepting SNC-protected traffic

Who s Really Attacking Your!

MESC Conference Security and Privacy for Medicaid Information Systems. Scott Glover Deloitte & Touche, LLP

Composite Compliance: Demonstra1ng Suitability of Cloud Layering for Sensi1ve and Regulated Workloads

SECURITY AND DATA REDUNDANCY. A White Paper

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

The Realities of Data Security and Compliance: Compliance Security

Planning Guide. System Landscape Directory

Invest in security to secure investments A crushing blow at the heart of SAP s J2EE Engine. Version 1.1

Sales Presenta+on OS7200 PABX. Compiled by Nicholas Naidoo for SVA Holdings (Pty) Ltd

Transcription:

Invest in security to secure investments EAS- SEC: Framework for Securing Enterprise Business Applica;ons Alexander Polyakov CTO ERPScan

About ERPScan The only 360- degree SAP Security solu8on - ERPScan Security Monitoring Suite for SAP Leader by the number of acknowledgements from SAP ( 150+ ) 60+ presenta;ons key security conferences worldwide 25 Awards and nomina;ons Research team - 20 experts with experience in different areas of security Headquarters in Palo Alto (US) and Amsterdam (EU) 2

SAP in Internet 3

SAP Security notes by year 900 800 700 600 500 400 300 200 100 0 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 More than 2600 in total 4

SAP on the Internet Companies have SAP Portals, SAP SRMs, SAP CRMs remotely accessible Companies connect different offices (by SAP XI) Companies are connected to SAP (through SAP Router) SAP GUI users are connected to the Internet Administrators open management interfaces to the Internet for remote control Almost all business applica;ons have web access now 5

SAP Router Special applica8on proxy Transfers requests from Internet to SAP (and not only) Can work through VPN or SNC Almost every company uses it for connec8ng to SAP to download updates Usually listens to port 3299 About 5000 Routers in Internet 6

SAP Router vulnerability Remote Code Execu8on vulnerability CVSS 9.3 Nominated for top 5 server- side vulnerabili8es 2013 7

SAP Router 85% * Vulnerable SAP Routers 8

SAP Malware 9

Why security? Espionage Stealing financial informa8on Stealing corporate secrets Stealing supplier and customer lists Stealing HR data Sabotage Denial of service Modifica8on of financial reports Access to technology network (SCADA) by trust rela8ons Fraud False transac8ons Modifica8on of master data 10

3 areas of SAP Security 2002 Business logic security (SOD) Prevents a3acks or mistakes made Solu8on: GRC 2008 ABAP Code security Prevents a3acks or mistakes made by developers Solu8on: Code audit 2010 Applica3on pla4orm security Prevents unauthorized access both insiders and remote a3ackers Solu8on: Vulnerability Assessment and Monitoring 11

Compliance SAP NetWeaver ABAP Security configura8on ISACA (ITAF) DSAG NIST SOX ISO PCI- DSS OWASP WASC SANS 25 CWE 12

SAP Security Guidelines Guidelines made by SAP First official SAP guide for technical security od ABAP stack Secure Configura8on of SAP NetWeaver Applica8on Server Using ABAP First version - 2010 year, version 1.2 2012 year For rapid assessment of most common technical misconfigura8ons in plaform Consists of 9 areas and 82 checks Ideas as a second step and give more details to some of EAS- SEC standard areas hgp://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f- 509d- 2d10-6fa7-9d3608950fee?overridelayout=true 13

ISACA Assurance (ITAFF) Guidelines made by ISACA Checks cover configura8on and access control areas First most full compliance There were 3 versions published in 2002 2006 2009 (some areas are outdated ) Technical part covered less than access control and miss cri8cal areas Most advantage is a big database of access control checks Consists of 4 parts and about 160 checks Ideal as a third step and detailed coverage of access control 14

DSAG Set of recommenda8ons from Deutsche SAP Uses Group Checks cover all security areas from technical configura8on and source code to access control and management procedures Currently biggest guideline about SAP Security Last version in Jan 2011 Consists of 8 areas and 200+ checks Ideal as a final step for securing SAP but consists of many checks which needs addi8onal decision making which is highly depends on installa8on. hgp://www.dsag.de/fileadmin/media/leifaeden/110818_leifaden_datenschutz_englisch_final.pdf 15

EAS- SEC for NetWeaver (EASSEC- AIVA- ABAP) Enterprise Applica:on Systems Vulnerability Assessment for NetWeaver ABAP Developed by ERPScan: First standard of series EAS- SEC Rapid assessment of SAP security in 9 areas Contains 33 most cri;cal checks Ideal as a first step Also contain informa8on for next steps Categorized by priority and cri8cality 16

EASSEC- AIVA- 2013 EASSSEC- AIVA Access Cri;cality Easy to exploit % of vulnerable systems 1. Lack of patch management Anonymous High High 99% 2. Default Passwords for applica;on access Anonymous High High 95% 3. Unnecessary enabled func;onality Anonymous High High 90% 4. Open remote management interfaces Anonymous High Medium 90% 5. Insecure configura;on Anonymous Medium Medium 90% 6. Unencrypted communica;on Anonymous Medium Medium 80% 7. Access control and SOD User High Medium 99% 8. Insecure trust rela;ons User High Medium 80% 9. Logging and Monitoring Administrator High Medium 98% 17

Lack of patch management [EASAI- NA- 01] Component updates [EASAI- NA- 02] Kernel updated What next: Other components should be be updated separately SAP Router, SAP Gui, SAP NetWEaver J2EE, SAP BusinessObjects. And also OS and Database. 18

Default passwords [EASAI- NA- 03] Default password check for user SAP* [EASAI- NA- 04] Default password check for user DDIC [EASAI- NA- 05] Default password check for user SAPCPIC [EASAI- NA- 06] Default password check for user MSADM [EASAI- NA- 07] Default password check for user EARLYWATCH What next: Couple of addi:onal SAP components also use their own default passwords. For example services SAP SDM and SAP ITS in their old versions has default passwords. ARer you check all default passwords you can start with bruteforcing for simple passwords. 19

Unnecessary enabled func;onality [EASAI- NA- 08] Access to RFC- func8ons using SOAP interface [EASAI- NA- 09] Access to RFC- func8ons using FORM interface [EASAI- NA- 10] Access to XI service using SOAP interface What next: You should analyze about 1500 other services which are remotely enabled if they are really needed and also disable unused transac:ons, programs and reports. 20

Open remote management interfaces [EASAI- NA- 11] Unauthorized access to SAPControl service [EASAI- NA- 12] Unauthorized access to SAPHostControl service [EASAI- NA- 13] Unauthorized access to Message Server service [EASAI- NA- 14] Unauthorized access to Oracle database What next: Full list of SAP services you can get from document TCP/IP Ports Used by SAP Applica:ons.Also you should take care about 3 rd party services which can be enabled on this server. 21

Insecure configura;on [EASAI- NA- 15] Minimum password length [EASAI- NA- 16] User locking policy [EASAI- NA- 17] Password compliance to current standards [EASAI- NA- 18] Access control to RFC (reginfo.dat) [EASAI- NA- 19] Access control to RFC (secinfo.dat) What next: First of all you can look at (Secure Configura:on of SAP NetWeaver Applica:on Server Using ABAP) document for detailed configura:on checks. ARerwards you can pass throught detailed documents for each and every SAP service and module hgp://help.sap.com/saphelp_nw70/helpdata/en/8c/ 2ec59131d7f84ea514a67d628925a9/frameset.htm 22

Access control and SOD conflicts [EASAI- NA- 20] Users with SAP_ALL profile [EASAI- NA- 21] Users which can run any program [EASAI- NA- 22] Users which can modify cri8cal table USR02 [EASAI- NA- 23] Users which can execute any OS command [EASAI- NA- 24] Disabled authoriza8on checks What next: There are at leas about 100 cri:cal transac:ons only in BASIS and approximately the same number in each other module. Detailed informa:on can be found in ISACA guidelines. ARer that you can start with Segrega:on of Du:es. 23

Unencrypted connec;ons [EASAI- NA- 25] Use of SSL for securing HTTP connec8ons [EASAI- NA- 26] Use of SNC for securing SAP Gui connec8ons [EASAI- NA- 27] Use of SNC for securing RFC connec8ons What next: Even if you use encryp:on you should check how is it configured for every type of encryp:on and for every service because there are different complex configura:ons for each of encryp:on type. For example latest a3acks on SSL like BEAST and CRIME require companies to use more complex SSL configura:on. 24

Insecure trusted connec;ons [EASAI- NA- 28] RFC connec8ons with stored authen8ca8on data [EASAI- NA- 29] Trusted systems with lower security What next: Check other ways to get access to trusted systems such as database links o use of the same OS user or just use of the same passwords for different systems. 25

Logging and Monitoring [EASAI- NA- 30] Logging of security events [EASAI- NA- 31] Logging of HTTP requests [EASAI- NA- 32] Logging of table changes [EASAI- NA- 33] Logging of access to Gateway What next: There are about 30 different types of log files in SAP. The next step arer properly enabling main of them you should properly configure complex op:ons such as what exact tables to monitor for changes, what kind of events to analyze in security events log, what types of Gateway a3acks should be collected and so on. Next step is to enable their centralized collec:on and storage and then add other log events. 26

Next Steps Release similar compliance guidelines for other applica8ons Update eas- sec.org Spread this ini8a8ve 27

Ques;ons? The only solu8on in the market to assess 3 8ers of SAP Security 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback