About the company. What we do: cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).
Agenda
1. Building a business case for SAP Vulnerability Management
2. How to start off: roles, responsibilities and process
3. How to talk to the board about SAP security
Introduction: Building a business case for SAP Vulnerability Management
Business Applications Under Attack
Practically all business processes are automated by ERP systems, so a company's ERP stores the information most valuable to cybercriminals, industrial spies and competitors: financial reports, customer data, public relations materials, intellectual property documents and personally identifiable information. Industrial espionage, sabotage, fraud and insider embezzlement carried out inside the ERP system itself are all but untraceable.
Problem
SAP is owned and managed by the business, and the business rarely cares about security beyond segregation of duties (SoD). CISOs sometimes do not even know about SAP; they care about infrastructure security. But if a breach happens, they will be blamed for the lack of care. Our mission is to close this gap.
SAP Security Notes
(Chart: number of SAP Security Notes published per year, 2001 to 2016, broken down by vulnerability risk level; y-axis 0 to 900, peaking at 834 notes in a single year. Per-year values as extracted from the chart, year assignment not recoverable: 834, 731, 641, 363, 384, 302, 315, 131, 78, 1, 1, 13, 10, 10, 27, 14.)
Latest news
SAP Cybersecurity Framework
Vulnerability Management Data Flows
Building the business case
1. Present SAP-specific cybersecurity risks
2. Implement an SAP Vulnerability Management process
3. Develop metrics and demonstrate results
SAP Security Risks
1. Unreliable security controls (the ones ensuring confidentiality, integrity and availability), caused by weak passwords and a lack of authorization checks
2. Execution of fraudulent business transactions, caused by unnecessary functionality being enabled and by SAP application vulnerabilities
3. Compliance violations, caused by specific configuration requirements of the applicable standards not being met
SAP Vulnerabilities
Vulnerability type | Example
Misconfigurations | "Allow Dynamic Query" is enabled for migrated data servers
Application vulnerabilities | Remote command execution in the SAP HANA TREXNet protocol without authorization
Code vulnerabilities | Hardcoded e-mails, code injection and missing authorization checks
Access control vulnerabilities | Fraud scenario "Redirected Payment": change a vendor's bank account, wait for a payment (or make a payment), then change the vendor's bank account back
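The "Redirected Payment" scenario in the table is also what a detective control should catch: a vendor bank account that is changed, paid, and changed back. The following is an added example, not code from the slides or from ERPScan. It runs over constructed records shaped like SAP change documents for the vendor bank table (LFBK, account field BANKN) and constructed outgoing-payment records, and flags a change that is reverted within a time window while at least one payment went to the interim account; the record layouts, field names, user names and amounts are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the slides). Columns mirror what a
# change-document extract (CDHDR/CDPOS on LFBK-BANKN) and a payment extract carry.
BANK_CHANGES = [
    # (timestamp, user, vendor, old_account, new_account)
    ("2015-03-01 09:12", "jdoe",    "V100", "DE11111", "DE99999"),
    ("2015-03-05 17:40", "jdoe",    "V100", "DE99999", "DE11111"),  # changed back
    ("2015-03-02 10:05", "mmuster", "V200", "DE22222", "DE33333"),  # legitimate update, never reverted
    ("2015-03-10 08:00", "admin",   "V300", "DE44444", "DE55555"),
    ("2015-03-11 08:30", "admin",   "V300", "DE55555", "DE44444"),  # reverted, but no payment in between
]
PAYMENTS = [
    # (timestamp, user, vendor, account_paid, amount)
    ("2015-03-03 11:00", "jdoe",   "V100", "DE99999", 48500.00),
    ("2015-03-04 11:00", "payrun", "V200", "DE33333", 1200.00),
    ("2015-03-20 11:00", "payrun", "V300", "DE44444", 900.00),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def find_redirected_payments(changes, payments, window_days=30):
    """Flag a vendor bank-account change that is reverted within `window_days`
    while at least one payment went to the interim account in between."""
    by_vendor = defaultdict(list)
    for ts, user, vendor, old, new in changes:
        by_vendor[vendor].append((_ts(ts), user, old, new))
    pays = [(_ts(ts), user, vendor, acct, amt) for ts, user, vendor, acct, amt in payments]
    window = timedelta(days=window_days)
    findings = []
    for vendor, evs in by_vendor.items():
        evs.sort()  # chronological; tuples start with the timestamp
        for i, (t1, u1, old1, new1) in enumerate(evs):
            for t2, u2, old2, new2 in evs[i + 1:]:
                if t2 - t1 > window:
                    break
                if old2 == new1 and new2 == old1:  # account restored to the original
                    hits = [p for p in pays
                            if p[2] == vendor and t1 <= p[0] <= t2 and p[3] == new1]
                    if hits:
                        findings.append({
                            "vendor": vendor,
                            "interim_account": new1,
                            "changed_by": u1,
                            "reverted_by": u2,
                            "payments": [(p[1], p[4]) for p in hits],
                            "total_amount": sum(p[4] for p in hits),
                            # the same person maintains master data and releases the
                            # payment: a segregation-of-duties conflict on top of the fraud pattern
                            "sod_conflict": any(p[1] in (u1, u2) for p in hits),
                        })
                    break
    return findings


if __name__ == "__main__":
    for finding in find_redirected_payments(BANK_CHANGES, PAYMENTS):
        print(finding)
```

On the constructed data only vendor V100 is reported: the account is changed by jdoe, paid by jdoe while the interim account is active, and restored four days later. V200 is a plain update and V300 is reverted without a payment to the interim account, so neither is flagged. The window keeps long-lived legitimate changes out of the result; the SoD flag is what turns a suspicious pattern into a case for the fraud team.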
Vulnerability Management
Vulnerability Management Metrics
- SAP systems exposure
- Response (mitigation) time
- Labor and monetary costs
- State of compliance with standards
How to start off: roles, responsibilities and process
Vulnerability Management
1. Identify assets and schedule vulnerability assessments: Inventory of Assets, Scan Profiles, Scan Plan
2. Scan for vulnerabilities: Vulnerability Reports
3. Analyze vulnerabilities and recommend remediations: Vulnerability Risk Assessment, Remediation Plan
4. Test and deploy remediations: Remediation Completion Report
5. Verify remediations and report: Executive Report
1.1 Inventory of Assets
System ID | Purpose | Interconnected systems | System criticality | Responsibility | System type | Application servers | Clients | Platform
DM0 | Supply chain management | Internal: ERP; Internet: no; ICS: no; Partners: Partner1, Partner2; Mobile: no | High | John F. K. | PROD | 10.0.0.1, 10.0.0.2 | 100:PRD | SAP SCM 5.0 (NetWeaver AS 7.1 ABAP)
ERP | Enterprise resource planning | Internal: HR1, HR2; Internet: no; ICS: MES system; Partners: no; Mobile: no | Low | Mike | PROD | 10.0.16.6 | 200:PRD | SAP ECC 6.0 (NetWeaver AS 7.3 ABAP)
CRM | Customer relationship management | Internal: ERP; Internet: yes; ICS: no; Partners: no; Mobile: no | Very High | (not assigned) | PROD | 10.0.34.5 | 210:PRD | SAP CRM 6.0 (NetWeaver AS ABAP 7.0)
1.1 Inventory of Assets. Demo
1.2 Scan Profiles
Technical compliance of an SAP system is its state of meeting the IT-related requirements of the applicable authority documents (PCI DSS 3.2, ISO 27001:2013, DSAG, SAP security guidelines, ISACA security guidelines). Each authority document defines controls, and each control maps to one or more technical checks (Technical Check 1 ... Technical Check n). A scan profile is the set of technical checks selected for a system from the documents that apply to it.
1.2 Scan Profiles. Demo
1.3 Scan Plan
Asset | Date | Time | Frequency
DM0 | 01.02.2017 | 01:00 | Quarterly: Q1, Q2, Q3, Q4
ERP | 08.02.2017 | 01:00 | Quarterly: Q1, Q2, Q3, Q4
CRM | 15.02.2017 | 01:00 | Quarterly: Q1, Q2, Q3, Q4
3. Analyze Vulnerabilities and Recommend Remediations
Constraints and requirements (example): duration not more than 60 days; vulnerability risk level medium and higher; allowed remediation types: no kernel patch.
Tasks: 1. Prioritizing vulnerabilities 2. Filtering vulnerabilities
Outcome: Remediation Plan
3.1 Requirements and constraints
System ID | Relevant adversaries | Vulnerability types | Vulnerability risk level | Allowed remediation types | Maximum level of remediation effort | Maximum period of downtime | Applicable authority documents | Results of filtering
DM0 | Internal attacker without rights in the system | All except code and access control | Medium and higher | All except patch install | High and lower | 2 hours | (none) | 678 (66%) of 1023 vulnerabilities were filtered out: High risk 5, Medium risk 73, Low risk 600
ERP | Internal attacker with rights | All | High | All except configuration changes | Any | 8 hours | NERC-CIP | 215 (17%) of 1500 vulnerabilities were filtered out: High risk 215, Medium risk 30, Low risk 100
CRM | External attacker | All | All | All | Any | 1 hour | PCI DSS 3.0 | 315 (52%) of 600 vulnerabilities were filtered out: High risk 15, Medium risk 100, Low risk 200
3.2 Prioritization
Check ID | Vulnerability description | Vulnerability type | Vulnerability risk | External usage | Systems with the vulnerability: High | Medium | Low | Vulnerability priority
SSEA_1000003 | External RFC server registration | Misconfiguration | High | Yes | 5 | 3 | 2 | 69
SSCA_00130 | SSL encryption for ICM connections | Misconfiguration | Medium | Yes | 3 | 5 | 3 | 44
SSCA_00223 | Central application server that maintains the system log | Misconfiguration | Medium | Yes | 4 | 2 | 3 | 38
SSCA_01082 | Use of a weak password hashing (H version of hashing) | Misconfiguration | Medium | No | 2 | 5 | 3 | 38
SSCA_00009 | Minimum number of letters in a password | Misconfiguration | Medium | No | 4 | 3 | 1 | 38
SSCA_00143 | Enable login with external identity by RFC | Misconfiguration | Medium | No | 2 | 4 | 4 | 36
(System counts are the number of SAP systems of high, medium and low criticality on which the check fails.)
3.3 Filtration. DM0. Constraints
Characteristic | Values | Constraint | Rationale | Results of filtering
Vulnerability type | Application vulnerability, Misconfiguration, Code vulnerability, Access control | Application vulnerabilities and misconfigurations | Code vulnerabilities are irrelevant due to the lack of custom development | 78 (8%) of 1023 vulnerabilities were filtered out: High risk 5, Medium risk 73
Vulnerability risk | Very High, High, Medium, Low | Medium and higher | | 600 (59%) of 1023 vulnerabilities were filtered out: Low risk 600
Maximum level of remediation effort | | Less than 30 hours | |
Allowed remediation types | | All except patch install | |
3.3 Filtration. DM0. Relevant vulnerabilities
Vulnerability type | High | Medium | Low
Misconfiguration | 52 | 74 | 0
Application vulnerability | 130 | 90 | 0
Code | 0 | 0 | 0
Access control | 0 | 0 | 0
66% reduction
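The filtering and prioritization steps of 3.1 to 3.3 are easy to run as a small pipeline once the scanner output is in a structured form. The block below is an added example, not code from the slides or from ERPScan. The record layout (type, risk, remediation type, effort hours, affected systems per criticality) is an assumption, and so is the scoring scheme: weighting affected systems 6/4/2 by criticality and multiplying by 1.5 for High risk and 1.0 for Medium reproduces every priority value in the 3.2 table, but the slide does not state its formula; the Low and Very High multipliers and the extra "X_" records are invented for the example.

```python
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3}
# Assumed multipliers: Medium = 1.0 and High = 1.5 reproduce the slide's
# priorities; Low and Very High are extrapolated for this example.
RISK_WEIGHT = {"Low": 0.5, "Medium": 1.0, "High": 1.5, "Very High": 2.0}
# Assumed weight of one affected system by its business criticality.
SYSTEM_WEIGHT = {"high": 6, "medium": 4, "low": 2}


def priority_score(risk, systems):
    """Exposure-weighted priority: sum(weight * affected systems) scaled by risk."""
    exposure = sum(SYSTEM_WEIGHT[c] * systems.get(c, 0) for c in SYSTEM_WEIGHT)
    return round(exposure * RISK_WEIGHT[risk])


def filter_vulns(vulns, allowed_types, min_risk, allowed_remediations, max_effort_hours):
    """Apply the 3.1/3.3 constraints. Returns the kept records and the count of
    dropped records per risk level (the 'results of filtering' column)."""
    kept, dropped = [], {"Very High": 0, "High": 0, "Medium": 0, "Low": 0}
    for v in vulns:
        ok = (v["type"] in allowed_types
              and RISK_ORDER[v["risk"]] >= RISK_ORDER[min_risk]
              and v["remediation"] in allowed_remediations
              and v["effort_hours"] < max_effort_hours)
        if ok:
            kept.append(v)
        else:
            dropped[v["risk"]] += 1
    return kept, dropped


def prioritize(vulns):
    """Highest score first; externally reachable checks win ties (the slide's
    numbers show no separate weight for 'external usage')."""
    return sorted(vulns, key=lambda v: (-priority_score(v["risk"], v["systems"]),
                                        not v["external"], v["check_id"]))


def _v(check_id, desc, vtype, risk, external, high, medium, low, remediation, effort_hours):
    return {"check_id": check_id, "desc": desc, "type": vtype, "risk": risk,
            "external": external, "systems": {"high": high, "medium": medium, "low": low},
            "remediation": remediation, "effort_hours": effort_hours}


VULNS = [
    # The six checks of the prioritization table with their affected-system counts;
    # remediation types and effort hours are constructed.
    _v("SSEA_1000003", "External RFC server registration", "Misconfiguration", "High", True, 5, 3, 2, "configuration", 16),
    _v("SSCA_00130", "SSL encryption for ICM connections", "Misconfiguration", "Medium", True, 3, 5, 3, "configuration", 4),
    _v("SSCA_00223", "Central application server that maintains the system log", "Misconfiguration", "Medium", True, 4, 2, 3, "configuration", 4),
    _v("SSCA_01082", "Use of a weak password hashing", "Misconfiguration", "Medium", False, 2, 5, 3, "configuration", 8),
    _v("SSCA_00009", "Minimum number of letters in a password", "Misconfiguration", "Medium", False, 4, 3, 1, "configuration", 2),
    _v("SSCA_00143", "Enable login with external identity by RFC", "Misconfiguration", "Medium", False, 2, 4, 4, "configuration", 2),
    # Constructed extras that the DM0 constraints must drop:
    _v("X_CODE_01", "Missing authority check in custom report", "Code", "High", False, 1, 0, 0, "code change", 8),
    _v("X_LOW_01", "Verbose server banner", "Misconfiguration", "Low", True, 2, 2, 2, "configuration", 1),
    _v("X_KERN_01", "Outdated kernel release", "Application Vulnerability", "High", True, 3, 3, 3, "kernel patch", 40),
]

# DM0 constraints from 3.3: no code or access-control findings, Medium and
# higher, no patch installation, less than 30 hours of effort.
DM0 = dict(allowed_types={"Misconfiguration", "Application Vulnerability"},
           min_risk="Medium",
           allowed_remediations={"configuration", "SAP Note", "user settings"},
           max_effort_hours=30)


def remediation_plan(vulns=VULNS, constraints=DM0):
    kept, dropped = filter_vulns(vulns, **constraints)
    return prioritize(kept), dropped


if __name__ == "__main__":
    plan, dropped = remediation_plan()
    print("filtered out:", dropped)
    for rank, v in enumerate(plan, 1):
        print(rank, v["check_id"], v["risk"], priority_score(v["risk"], v["systems"]), v["desc"])
```

Run on the constructed data, the three extra records are filtered out (two High, one Low) and the six remaining checks come out in the slide's order with scores 69, 44, 38, 38, 38 and 36. Keeping the constraints as data rather than hard-coded conditions is what lets the same pipeline produce a different plan per system, as the 3.1 table does for DM0, ERP and CRM.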
3.4 Remediation Plan. DM0
Priority 1. SSEA_1000003: External RFC server registration. Risk: High. Remediation type: update configuration. Effort level: medium (~2 days, downtime 4 h).
An attacker can use an insecure RFC configuration to register his own RFC server at the gateway. As a result he is able to control and intercept client requests, as well as copy and change information. Remediation: configure RFC server registration correctly. Links: RFC/ICF Security Guide.
Priority 2. SSCA_00130: SSL encryption for ICM connections. Risk: Medium. Remediation type: update configuration. Effort level: easy (~4 h, downtime 2 h).
An unencrypted network connection lets transmitted data be intercepted, which leads to unauthorized access: HTTP transmits all authentication data in plain text, so it is easily captured with a spoofing attack. Remediation: set the icm/server_port_nn parameter to PROT=HTTPS instead of PROT=HTTP.
Priority 3. SSCA_00223: Central application server that maintains the system log. Risk: Medium. Remediation type: update configuration. Effort level: easy (~4 h, downtime 2 h).
Incorrect operating-system permissions on the system log file allow an attacker to modify its contents and hide his tracks. Remediation: the operating-system administrator must set the access rights to the file according to the principle of least privilege. Links: book "Security, Audit and Control Features SAP ERP, 3rd edition", p. 413, check 4.10.2; documentation of rslg/collect_daemon/host (central log host).
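The first two items of the plan are profile-parameter findings, and this is what the "scan vulnerabilities" step looks like for them in practice: read the instance profile, flag the weak setting, and confirm the corrected profile is clean. The block below is an added example, not code from the slides or from ERPScan. The parameter names (icm/server_port_nn, gw/acl_mode, gw/reg_info, login/min_password_letters) are real SAP profile parameters, but the profile and reginfo fragments are constructed, the thresholds are this example's assumptions, and the check IDs are reused from the slide's tables only as labels.

```python
# Constructed instance-profile fragments (example input, not taken from the slides).
PROFILE_WEAK = """\
# DM0 instance profile (constructed)
SAPSYSTEMNAME = DM0
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=30,PROCTIMEOUT=600
icm/server_port_1 = PROT=SMTP,PORT=25000
gw/acl_mode = 0
login/min_password_letters = 0
"""

PROFILE_FIXED = """\
SAPSYSTEMNAME = DM0
icm/server_port_0 = PROT=HTTPS,PORT=44300,TIMEOUT=30,PROCTIMEOUT=600
icm/server_port_1 = PROT=SMTP,PORT=25000
gw/acl_mode = 1
gw/reg_info = $(DIR_GLOBAL)/reginfo
login/min_password_letters = 1
"""

# Constructed gateway registration ACLs (reginfo). A permit rule with TP=* and
# HOST=* lets any host register any program name at the gateway, which is the
# condition behind SSEA_1000003. The fixed file permits one known program from
# the local host and denies everything else.
REGINFO_WEAK = "#VERSION=2\nP TP=* HOST=* ACCESS=* CANCEL=*\n"
REGINFO_FIXED = ("#VERSION=2\n"
                 "P TP=SAPXPG_DM0 HOST=local ACCESS=local CANCEL=local\n"
                 "D TP=* HOST=*\n")


def parse_profile(text):
    """Parse 'name = value' lines; comment lines start with '#'."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def _port_spec(value):
    """'PROT=HTTP,PORT=8000,...' -> {'PROT': 'HTTP', 'PORT': '8000', ...}"""
    return dict(item.split("=", 1) for item in value.split(",") if "=" in item)


def check_profile(params):
    """Return (check_id, risk, message) for each weak setting found."""
    findings = []
    for name, value in params.items():
        if name.startswith("icm/server_port_") and _port_spec(value).get("PROT", "").upper() == "HTTP":
            findings.append(("SSCA_00130", "Medium",
                             f"{name}: PROT=HTTP, switch the port to PROT=HTTPS"))
    # Only an explicit 0 is flagged: the default of gw/acl_mode depends on the
    # kernel release, so a missing parameter needs a kernel-specific check.
    if params.get("gw/acl_mode") == "0":
        findings.append(("SSEA_1000003", "High",
                         "gw/acl_mode=0: registration ACL not enforced, set 1 and maintain reginfo"))
    # Threshold assumed for the example (SAP's default for this parameter is 0).
    if int(params.get("login/min_password_letters", "0")) < 1:
        findings.append(("SSCA_00009", "Medium",
                         "login/min_password_letters < 1: passwords need no letters"))
    return findings


def check_reginfo(text):
    """Flag permit-all registration rules in a reginfo ACL."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("P "):
            continue
        rule = dict(item.split("=", 1) for item in line.split()[1:] if "=" in item)
        if rule.get("TP") == "*" and rule.get("HOST", "*") == "*":
            findings.append(("SSEA_1000003", "High", f"permit-all registration rule: {line}"))
    return findings


def scan(profile_text, reginfo_text):
    return check_profile(parse_profile(profile_text)) + check_reginfo(reginfo_text)


if __name__ == "__main__":
    for label, prof, reg in (("weak", PROFILE_WEAK, REGINFO_WEAK),
                             ("fixed", PROFILE_FIXED, REGINFO_FIXED)):
        print(label, scan(prof, reg))
```

The weak profile yields four findings (the HTTP port, the disabled ACL mode, the permit-all reginfo rule and the password rule) and the corrected profile yields none, which is the before/after pair the "verify remediations" step wants on record. On a real system the profile and reginfo are read from the instance directories, and the SMTP port is deliberately left alone because the check is about PROT=HTTP, not about every non-HTTPS port.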
Outcomes
Inventory of Assets: list of assets in scope of vulnerability management, with technical details and descriptions
Scan Profiles: list of security checks related to the applicable information security standards and regulations
Scan Plan: list of assets and the times at which vulnerability scans should be performed
Remediation Plan: description of the SAP landscape, threat map, recommended remediations and action plans for each SAP system
Executive Report: report on the performance of SAP VM: security, compliance and remediation metrics
How to talk to the board?
What do boards need to know?
Do we comply with security requirements? How well protected are our most important assets against a cyber-attack? How high is the residual cyber risk we carry? What work to remediate cyber risk is in progress? What should we do next?
Executive Report. Summary
Title: SAP Vulnerability Management 2015. Dates: 01.01.2015 to 31.12.2015. Goal: initial assessment of 40 SAP systems.
Conclusions:
1. Technical compliance increased on average by 10%
2. The vulnerability ratio (number of vulnerabilities per host) decreased on average by 30%
3. Overall effort amounted to 400 man-hours
4. There are still 100 vulnerabilities on SAP systems of high criticality, 50 on medium and 15 on low
5. Future goals: increase technical compliance by 10% for every standard and remediate all vulnerabilities with high risk
6. At current productivity this will take 5 months of work for 2 employees
1. Technical Compliance. Authority Documents
(Chart: ratio of successful checks by standard, 01.01.2015 vs 31.12.2015. Values as extracted, in legend order: CIS CSC 50%, 35%; ISO 27001:2013 25%, 50%; PCI DSS 30%, 40%, with a -5% label; NIST SP 800-53 20%.)
1. Technical compliance. ISO 27001:2013
Ratio of successful checks by control category. Chart legend: 01.01.2015, 31.12.2015; the two ratios are given in the order extracted from the chart.
Control category | Successful checks | Ratio 1 | Ratio 2 | Total checks
A.12 Operational security | 12 | 65% | 20% | 18
A.9 Access control | 45 | 45% | 30% | 100
A.13 Communication security | 14 | 50% | 5% | 28
A.16 Information security incident management | 6 | 45% | 5% | 13
A.6 Organization of information security | 23 | 30% | 10% | 77
A.10 Cryptography | 22 | 30% | 10% | 73
A.8 Asset management | 25 | 35% | 5% | 71
A.18 Compliance | 23 | 20% | 15% | 115
A.5 Information security policies | 17 | 35% | 0% | 49
A.7 Human resources security | 30 | 20% | 10% | 150
A.15 Supplier relationships | 15 | 20% | 10% | 75
A.11 Physical and environmental security | 10 | 20% | 10% | 50
A.17 Information security aspects of business continuity management | 20 | 30% | 0% | 67
A.14 System acquisition, development and maintenance | 34 | 15% | 0% | 227
2. Security. Remediations by Risk Level
Vulnerability risk level | 01.01.2015 | 31.12.2015 | Change
High | 15 | 10 | 5
Medium | 20 | 7 | 13
Low | 50 | 30 | 20
2. Security. Remediations by Vulnerability Type
Vulnerability type | 01.01.2015 | 31.12.2015 | Change
Misconfiguration | 100 | 77 | 23
Application vulnerability | 20 | 14 | 6
Code | 0 | 0 | 0
Access control | 5 | 4 | 1
Executive Report. 3. Future Plans
1. Current threat map
2. Remediation priorities (grouped by system; grouped by vulnerability)
3. Productivity analysis
4. Goals
5. Conclusion
3. Future plans. Threat Map
3. Future Plans. Remediation priorities for SAP systems (TOP 10)
Priority | SID | Criticality | Connectivity | Total remediation effort | Total downtime | Vulnerabilities: High | Medium | Low
1 | PLM | High | SCADA | ~500 hours | 5 hours | 10 | 7 | 4
2 | CR1 | Low | WEB | ~150 hours | | 9 | 6 | 3
3 | ERP | Medium | - | ~10 hours | | 8 | 5 | 2
4 | HR1 | Low | ERP, PLM | | | 9 | 6 | 3
5 | FIN | Low | PLM | | | 8 | 5 | 2
6 | DL0 | Medium | - | | | 8 | 5 | 2
7 | DL1 | Medium | - | | | 8 | 5 | 2
8 | DL2 | Medium | - | | | 8 | 5 | 2
9 | DL3 | Medium | - | | | 8 | 5 | 2
10 | DL4 | Medium | - | | | 8 | 5 | 2
3. Future Plans. Remediation priorities for vulnerabilities (TOP 5)
Priority | Vulnerability description | Vulnerability risk | Remediation type | Remediation effort | Criticality of SAP systems with the vulnerability: High | Medium | Low
1 | SAP Gateway authorization bypass | High | Configure ACL | Very High | 3 | 30 | 10
2 | Verb Tampering vulnerability | High | Change configuration | Low | 2 | 10 | 10
3 | Default password for user SAP* | Very High | User settings | Medium | 3 | 9 | 30
4 | XSS vulnerability in config servlet | Medium | Apply SAP Note | High | 10 | 50 | 10
5 | MMC Server information disclosure | High | Change configuration | High | 3 | 50 | 3
3. Future Plans. Productivity analysis
Implemented remediations, by effort amount (count) and hours spent (total per effort level):
Remediation type | High (count) | Medium (count) | Low (count) | High (hours) | Medium (hours) | Low (hours)
SAP Note installation | | 50 | 5 | | 500h | 5h
Update a configuration setting | | | 10 | | | 20h
Install a kernel patch | 20 | | | 200h | |
Execute SQL command | | | 10 | | | 20h
Disable SAP service | 5 | | | 25h | |
Total | 25 | 50 | 25 | 225h | 500h | 45h
3. Future Plans. Compliance Goals
1. Increase technical compliance by 10% for every standard
2. The goal implies: 10 high-effort remediations, 50 medium-effort remediations, 150 low-effort remediations
3. Overall effort projection: 4 months for 2 employees
3. Future Plans. Security Goals
1. Completely patch all TOP 10 SAP systems: PLM, HR1, ERP, SCM, FIN, DL0, DL1, DL2, DL3, DL4
2. Remediate all vulnerabilities with high risk
3. The goals imply: 20 high-effort remediations, 35 medium-effort remediations, 100 low-effort remediations
4. Overall effort projection: 3 months for 2 employees
3. Future Plans. Conclusion
1. Technical compliance increased on average by 10%
2. The vulnerability ratio decreased on average by 30%
3. Overall effort amounted to 400 man-hours
4. There are still 100 vulnerabilities on SAP systems of high criticality, 50 on medium and 15 on low
5. Future goals are to increase technical compliance by 10% for every standard and to remediate all vulnerabilities with high risk
6. Maintaining the current productivity, it will take 2 employees 7 months to do
Final Takeaways
1. Operating SAP brings new risks
2. Vulnerabilities are the raw data of security
3. Manage vulnerabilities to reach the desired level of security
Thank you
Michael Rakutko, Head of Professional Services, m.rakutko@erpscan.com
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
HQ Netherlands: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
www.erpscan.com, inbox@erpscan.com