Page 1

95% of ERP systems are vulnerable to data breaches

Do you have the right compensating controls?

Sergio Abraham – [email protected]

Onapsis Inc. | All Rights Reserved · 2019-10-25

Page 2

Main questions we will answer throughout this presentation

• Why are ERP systems so complex?

• Why are ERP systems interesting for attackers/insiders?

• What is happening out there? + DEMO

• What are auditors doing today vs what should they be doing?

• How to approach ERP audit?

Page 3

BUSINESS-CRITICAL APPLICATIONS: Why are they unique?

COMPLEX ARCHITECTURES AND TECHNOLOGIES
• Based on various interacting components, each with its own independent configuration
• Leverage proprietary protocols and components that are not well documented or accessible
• Very specific software and configuration vulnerabilities

PATCHING AND UPDATING
• Mostly non-existent patching processes
• The risk of patching is perceived as higher than the risk of the vulnerabilities themselves
• Applying and testing patches across all applications without business disruption is a challenge

CUSTOMIZATIONS
• Highly customized applications; no two are the same
• Large organizations need to map their business processes through custom code
• Sometimes up to millions of customized objects run their business operations

INTEGRATIONS
• Many integration endpoints, sending data back and forth to other internal and external systems
• Integration is a key part of the landscape
• No single product, but many different products (and vendors)

AUTHORIZATIONS
• Complex authorization concepts
• Users are diverse and need access to specific objects and tasks
• A proper understanding of the authorization concept within each platform is required

CRITICAL INFORMATION AND PROCESSES
• Strong change management processes delay or even block security improvements
• Critical information is held and processed by these applications
• Most organizations are also legally required to protect this information from data loss
• Systems are subject to compliance mandates such as SOX, GDPR, PCI, etc.

Page 4

ERP Cybersecurity – A Blindspot

• 92% of the Global 2000 use SAP or Oracle EBS
• 77% of the world’s revenue touches these ERP systems
• 88% believe ERP to be a business-critical application

Page 5

The Evolution of ERP Cyberattacks

• 2012: 1st public exploit targeting SAP applications
• 2013: Chinese breach of USIS targeted SAP
• 2014: SAP NetWeaver Portal public exploit by Chinese hacker
• 2015: SAP-targeted malware discovered
• 2016: 1st DHS US-CERT Alert for SAP Business Applications
• 2017: Onapsis helps Oracle secure critical vulnerability in EBS
• 2018: 2nd DHS US-CERT Alert for SAP Business Applications
• 2019: 3rd DHS US-CERT Alert for 10KBLAZE exploits

Threat-actor trend labels along the timeline: HACKTIVIST GROUPS · CYBER CRIMINALS CREATING MALWARE · NATION-STATE SPONSORED · INCREASED INTEREST ON DARK WEB · UNITED STATES DHS WARNING


Page 7

Famous Vulnerabilities

10KBLAZE: A threat to the financial statements

"This risk to SAP customers can represent a weakness in affected publicly-traded organizations that may result in material misstatements of the company's annual financial statements (Form 10-K)."

Page 8

How are ERP Applications involved in key breaches?

Page 9

Key Findings from Threat Intelligence

• Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations
• Cybercriminals have evolved malware to target internal, “behind-the-firewall” ERP applications
• Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage
• Dramatic increase in interest in exploits for SAP applications, including SAP HANA, on dark web and cybercriminal forums


Page 11

Growing Interest in ERP applications

Cybercriminal forum with details on how to hack SAP applications

Evolution of mentions of SAP vulnerabilities with publicly available exploits

Page 12

Growing Interest in ERP applications (cont'd)

User asking for SAP HANA exploits with responses and links to resources

Exploits available within reach (Google)

Page 13

Example: Installing Malicious Code

Anatomy of an attack on ERP Applications

Commands used to exfiltrate SAP Credentials

Page 14

Example: Routing Employee Payments

• Uptick in cyberattacks targeting employee portals
• Modifying current employees' bank account details to reroute their paychecks
• Both internal and externally-facing portals are affected

IMAGE: https://www.ncsecu.org/BranchServices/Switch.html
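The attack pattern on this slide (bank details changed so that the next payroll run lands in an attacker's account), worked into the kind of fraud-detection and user-monitoring check the deck later lists under "User Behavior". This is an added example, not code from the Onapsis deck or from any product: the change log, employee IDs, account numbers, channel names and payroll date are all constructed, and the three rules are a practitioner's starting point rather than anything the deck specifies.

```python
"""Detection logic for payroll-redirection fraud over a constructed
employee bank-detail change log. Added example; not code from the Onapsis deck."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed change records: when | actor | employee whose record changed |
# new bank account | channel. Account numbers are invented, not real IBANs.
CHANGE_LOG = """
2019-10-01T09:12:00|E1001|E1001|DE11000000000000000101|portal
2019-10-14T22:41:13|E2042|E2042|GB99FAKE00000000000777|portal
2019-10-14T22:43:50|E2077|E2077|GB99FAKE00000000000777|portal
2019-10-14T22:47:02|E2101|E2101|GB99FAKE00000000000777|portal
2019-10-15T08:05:00|HRADMIN1|E3003|DE11000000000000000303|gui
2019-10-15T14:00:00|E2042|E4410|DE11000000000000000441|portal
2019-10-16T11:30:00|HRADMIN1|E3003|DE11000000000000000303|gui
"""
PAYROLL_CUTOFF = datetime(2019, 10, 16)  # constructed payroll run date

def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        when, actor, employee, account, channel = line.split("|")
        records.append({"when": datetime.fromisoformat(when), "actor": actor,
                        "employee": employee, "account": account, "channel": channel})
    return records

def shared_accounts(records):
    """Rule 1: one bank account landing on several employees' records.
    A legitimate account rarely serves two payrolls; a mule account often does."""
    owners = defaultdict(set)
    for r in records:
        owners[r["account"]].add(r["employee"])
    return {acct: sorted(emps) for acct, emps in owners.items() if len(emps) >= 2}

def off_hours_before_cutoff(records, cutoff, hours_before=48, business_hours=range(7, 20)):
    """Rule 2: bank changes in the window before payroll, outside business hours,
    when compromised self-service accounts are typically used."""
    start = cutoff - timedelta(hours=hours_before)
    return [r for r in records
            if start <= r["when"] < cutoff and r["when"].hour not in business_hours]

def foreign_self_service_changes(records):
    """Rule 3: a self-service (portal) change made by someone other than the
    employee, which the portal's authorization concept should never allow."""
    return [r for r in records if r["channel"] == "portal" and r["actor"] != r["employee"]]

def findings(records, cutoff):
    """Merge the rules into employee -> reasons to hold that record before payroll runs."""
    reasons = defaultdict(list)
    for acct, emps in shared_accounts(records).items():
        for e in emps:
            reasons[e].append(f"account {acct} shared with {len(emps) - 1} other employee(s)")
    for r in off_hours_before_cutoff(records, cutoff):
        reasons[r["employee"]].append(
            f"off-hours change via {r['channel']} at {r['when'].isoformat()} within 48h of payroll")
    for r in foreign_self_service_changes(records):
        reasons[r["employee"]].append(f"portal change made by {r['actor']}, not the employee")
    return dict(reasons)

if __name__ == "__main__":
    for emp, why in findings(parse_log(CHANGE_LOG), PAYROLL_CUTOFF).items():
        print(emp, "->", "; ".join(why))
```

The useful property is that the check runs before the payment run, against the change log rather than the payment file: a hold on the three records that share one account costs a phone call, while the same finding after payroll costs a recovery effort.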

Page 15

DEMO

FOR ACCESS TO THESE VIDEOS, CONTACT

[email protected]

Page 16

Tools, Techniques and Procedures

External Threats
• Internet-facing applications are one of the most common entry points into the ERP environment

Internal Threats
• Internal applications are targeted through well-known exploits and vulnerabilities: 10KBLAZE, default usernames and passwords, flawed custom reports
• Unpatched vulnerabilities and misconfigurations are still present in most environments: a 90% probability of finding critical misconfigurations (highlighted by the US-CERT)

Financial motivation remains the ultimate goal of both attackers and insiders

Page 17

How to Audit ERP systems?

Page 18

Traditional Approaches – Blindspot still exists

Built-in ERP Tools
• Manual and complex
• Cumbersome to manage
• Built for ERP admins
• Protect the SAP business logic layer; the SAP application layer remains exposed

Traditional Security
• General purpose tools
• Lack visibility into the application layer
• No expertise in ERP security

Limited Coverage
• Limited out-of-the-box policies
• Hard to manage centrally
• Limited coverage for SAP/Oracle
• No team of security researchers

Page 19

Traditional Approaches – Blindspot still exists

Technology Stack - The GAP in ERP Audits

• Business Application: Finance & Controlling, Sales & Distribution, etc.
• Customizations: Custom reports and applications
• Application Technology: SAP NetWeaver, Oracle WebLogic, etc.
• Database: Oracle, HANA, SQL Server, etc.
• Operating System: Windows, Unix, etc.

A Traditional Security Audit covers the generic lower layers of this stack; the ERP-specific layers above them are the gap.

Page 20

Call to Action

Page 21

Call to Action

Your role as auditor

• Make sure the people in charge of protecting ERP systems have coverage for all the layers
• Compliance-related efforts must be addressed at each layer (SOX, GDPR, PCI, NIST, etc.)
• Different layers have different risks and controls, but they are closely interrelated:
o If you are analyzing a specific business risk, the analysis has to be performed across all 5 layers

Page 22

Risk Assessment at each layer

Risk Example: Payments are made to fictitious vendors

• Operating System: What type of access/misconfigurations/vulnerabilities at the OS would allow this?
• Database: What type of access/misconfigurations/vulnerabilities at the DB would allow this?
• Application Technology: What misconfigurations/vulnerabilities exist in the technology that would allow this?
• Customizations: What custom applications do not have the proper validations to avoid this?
• Business Application: What standard applications and privileges would allow this?

Page 23

How to Audit ERP Systems?

Focusing on the Business Application layer...

● Authentication: Password policies and configurations
● Access Control: Authorizations analysis - Who has access to what?
● Segregation of Duties: Authorizations analysis - Conflicting accesses
● User Behavior:
○ User monitoring - Who is doing what?
○ Fraud detection - Detection of fraudulent activities
○ Analytics (more advanced) - Analysis of behavioral patterns to detect malicious activities
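The two authorization questions on this slide (who has access to what, and which accesses conflict) worked against the fictitious-vendor risk from the previous slide, as an added example. This is not code from the Onapsis deck or from any Onapsis product: the users, roles, activity names, SoD rules and compensating control are constructed for illustration and are not real SAP authorization objects; a real analysis flattens the platform's own roles and authorization objects the same way, then applies the organization's SoD ruleset.

```python
"""Authorization and segregation-of-duties (SoD) analysis over a constructed
user/role dataset. Added example; not code from the Onapsis deck."""
from itertools import combinations

# Constructed sample data (hypothetical users, roles and activities).
# Activity names are illustrative labels, not real SAP authorization objects.
ROLES = {
    "Z_AP_CLERK": {"VENDOR_CREATE", "VENDOR_CHANGE_BANK"},
    "Z_AP_MANAGER": {"INVOICE_APPROVE", "PAYMENT_RUN"},
    "Z_BASIS_ADMIN": {"USER_ADMIN", "ROLE_ASSIGN", "TABLE_MAINTAIN"},
    "Z_REPORT_VIEWER": {"REPORT_DISPLAY"},
}
USERS = {
    "ALICE": {"Z_AP_CLERK"},
    "BOB": {"Z_AP_MANAGER"},
    "CAROL": {"Z_AP_CLERK", "Z_AP_MANAGER"},
    "DAVE": {"Z_BASIS_ADMIN", "Z_REPORT_VIEWER"},
    "EVE": {"Z_BASIS_ADMIN", "Z_AP_MANAGER"},
}
# SoD ruleset: activity pairs one person must not hold together, with the
# business risk each pair enables (the deck's example: payments to
# fictitious vendors). Pairs are unordered, hence frozenset keys.
SOD_RULES = {
    frozenset({"VENDOR_CREATE", "PAYMENT_RUN"}): "Payments to fictitious vendors",
    frozenset({"VENDOR_CHANGE_BANK", "PAYMENT_RUN"}): "Redirect vendor payments",
    frozenset({"ROLE_ASSIGN", "PAYMENT_RUN"}): "Self-grant access, then run payments",
    frozenset({"USER_ADMIN", "PAYMENT_RUN"}): "Create a ghost user to run payments",
}
# Documented compensating controls, keyed by user and conflicting pair.
# A conflict with a control is accepted risk; one without is an audit finding.
COMPENSATING_CONTROLS = {
    "CAROL": {frozenset({"VENDOR_CREATE", "PAYMENT_RUN"}):
              "Monthly CFO review of payments to vendors created in the period"},
}

def effective_authorizations(user):
    """Who has access to what: flatten a user's roles into activities."""
    auths = set()
    for role in USERS.get(user, ()):
        auths |= ROLES.get(role, set())
    return auths

def who_can(activity):
    """Reverse lookup: every user whose effective authorizations include activity."""
    return sorted(u for u in USERS if activity in effective_authorizations(u))

def sod_conflicts(user):
    """SoD check for one user: (pair, risk, compensating control or None)."""
    auths = effective_authorizations(user)
    controls = COMPENSATING_CONTROLS.get(user, {})
    return [(pair, risk, controls.get(pair))
            for pair, risk in SOD_RULES.items() if pair <= auths]

def unmitigated_conflicts():
    """Audit findings: conflicts with no documented compensating control."""
    return [(user, tuple(sorted(pair)), risk)
            for user in USERS
            for pair, risk, control in sod_conflicts(user) if control is None]

def toxic_role_pairs():
    """Pairs of roles that violate a rule by themselves, regardless of user;
    useful to block the conflict at role-assignment time rather than in hindsight."""
    toxic = []
    for r1, r2 in combinations(sorted(ROLES), 2):
        combined = ROLES[r1] | ROLES[r2]
        if any(pair <= combined for pair in SOD_RULES):
            toxic.append((r1, r2))
    return toxic

if __name__ == "__main__":
    print("Can run payments:", who_can("PAYMENT_RUN"))
    for user, pair, risk in unmitigated_conflicts():
        print(f"FINDING {user}: {' + '.join(pair)} -> {risk}")
    print("Toxic role pairs:", toxic_role_pairs())
```

Two points the code makes that a role list alone does not: the conflict lives in the combination of roles, so it only appears after flattening to effective authorizations, and a documented compensating control turns a conflict into accepted risk rather than making it disappear, which is why the report keeps the control next to the conflict instead of filtering it out.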

Page 24

How to Audit ERP Systems?

Focusing on the Customizations layer...

● Security: Analysis of vulnerabilities in custom code, e.g.:
○ Authorization bypass
○ Administrator command execution
○ Unlimited database access
● Compliance with best practices
● Performance: How do custom reports affect overall system availability?
● Maintainability: The amount of custom code can become unmanageable if it is not properly designed and continuously reviewed
● Robustness: Prevention of operational errors
● Data Loss Prevention: Analysis of weaknesses that allow data to be extracted from the system

Page 25

How to Audit ERP Systems?

Focusing on the Application Technology layer...

● Authentication: Password policies and configurations (some ERP systems have different authentication mechanisms for each layer/segmentation)
● Configurations: What critical configurations must be enforced and monitored?
○ Wrong technical configurations can override business controls. Follow vendor-specific security best practices.
○ E.g.: 10KBLAZE is a combination of two different misconfigurations
● Security Patches: What critical patches must be implemented ASAP?
○ Missing patches equal known vulnerabilities present. Critical vulnerabilities can override business controls.
○ E.g.: Employee payments without user or password
● Log Configuration Management: What logs have to be enabled and configured?
○ Missing logging features prevent proper monitoring
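The "Configurations" and "Log Configuration Management" items above, worked as an added example of a baseline check: a weak SAP instance profile beside its corrected form, evaluated against a small hardening baseline. This is not code from the Onapsis deck, from SAP, or from any product. The parameter names are real SAP NetWeaver profile parameters; the sample values, the thresholds in the baseline and the simplified "open ACL surface" test are this example's own assumptions (the two 10KBLAZE misconfigurations the deck alludes to are the Gateway and Message Server ACLs, as described in the 2019 US-CERT alert it cites; a real check would also read the ACL file contents).

```python
"""Check SAP profile parameters against a hardening baseline: the weak
profile beside its corrected form. Added example; constructed input, not
code from the Onapsis deck or from SAP."""
import re

# Constructed instance-profile excerpts in "parameter = value" form.
# WEAK_PROFILE shows settings an auditor typically finds; HARDENED_PROFILE is
# the same set after remediation. Parameter names are real SAP NetWeaver
# profile parameters; the sample values are invented.
WEAK_PROFILE = """
# constructed sample, not a real system
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_downwards_compatibility = 0
rsau/enable = 0
gw/acl_mode = 0
gw/sec_info = $(DIR_DATA)$(DIR_SEP_PROF)secinfo
gw/reg_info =
ms/acl_info =
ms/monitor = 1
"""
HARDENED_PROFILE = """
login/min_password_lng = 12
login/fails_to_user_lock = 5
login/password_downwards_compatibility = 0
rsau/enable = 1
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)$(DIR_SEP_PROF)secinfo
gw/reg_info = $(DIR_DATA)$(DIR_SEP_PROF)reginfo
ms/acl_info = $(DIR_DATA)$(DIR_SEP_PROF)ms_acl_info
ms/monitor = 0
"""

# Baseline: parameter -> (check, expected, rationale). Thresholds follow common
# SAP hardening guidance and are this example's assumption, not a vendor
# mandate; adjust them to your own policy.
BASELINE = {
    "gw/acl_mode": ("eq", "1", "Gateway: restrictive defaults when secinfo/reginfo are missing"),
    "gw/sec_info": ("set", None, "Gateway: secinfo ACL controls which programs may be started"),
    "gw/reg_info": ("set", None, "Gateway: reginfo ACL controls which RFC servers may register"),
    "ms/acl_info": ("set", None, "Message server: ACL controls which hosts may register as app servers"),
    "ms/monitor": ("eq", "0", "Message server: no external monitor access"),
    "login/min_password_lng": ("min", 8, "Authentication: minimum password length"),
    "login/fails_to_user_lock": ("max", 5, "Authentication: lock after repeated failed logons"),
    "login/password_downwards_compatibility": ("eq", "0", "Authentication: no weak backward-compatible hashes"),
    "rsau/enable": ("eq", "1", "Logging: security audit log enabled"),
}

def parse_profile(text):
    """Parse 'name = value' lines; comments and blanks skipped, empty values kept."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def _to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def evaluate(params):
    """Return findings as (parameter, actual_value, expected, rationale).
    A parameter absent from the profile evaluates as None: the kernel default
    applies, which for the ACL parameters means no ACL at all."""
    findings = []
    for name, (check, expected, why) in BASELINE.items():
        actual = params.get(name)
        if check == "eq":
            ok, want = actual == expected, f"= {expected}"
        elif check == "set":
            ok, want = bool(actual), "non-empty"
        elif check == "min":
            n = _to_int(actual)
            ok, want = n is not None and n >= expected, f">= {expected}"
        else:  # "max"
            n = _to_int(actual)
            ok, want = n is not None and n <= expected, f"<= {expected}"
        if not ok:
            findings.append((name, actual, want, why))
    return findings

def open_acl_surfaces(params):
    """Simplified view of the two ACL surfaces 10KBLAZE-style attacks rely on;
    returns the ones this profile leaves without an ACL."""
    surfaces = []
    if params.get("gw/acl_mode") != "1" and not params.get("gw/reg_info"):
        surfaces.append("gateway")
    if not params.get("ms/acl_info"):
        surfaces.append("message server")
    return surfaces

if __name__ == "__main__":
    weak = parse_profile(WEAK_PROFILE)
    for name, actual, want, why in evaluate(weak):
        print(f"{name}: got {actual!r}, want {want} ({why})")
    print("Open ACL surfaces:", open_acl_surfaces(weak))
```

Note the treatment of an absent parameter: it is reported as a finding rather than skipped, because for the ACL parameters "not set" is the permissive state, which is exactly the misconfiguration an audit that only looks at explicitly configured values would miss.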

Page 26

Conclusion

• ERP systems support the most complex business processes
o Therefore, ERP systems are the most complex applications
• Think about ERP systems as a matrix...
o Top-down: several technology layers support business application customization and extension
▪ OS, DB, Application Technology, Customizations, Business Application
o Side-to-side: several segmentations support business complexity and operations
▪ Application Servers, SAP Mandants/Clients, Oracle Nodes, Interfaces, etc.
• As an auditor, you should assess risks and test controls at each of those layers and segments
o Automation tools are essential to make this job efficient.

Just 1 (one) concept to remember...

Page 27

Thanks!

Sergio Abraham – [email protected]