SAP Cyber Security Solutions

About the company

Cyber security solutions adapted to protect enterprise business applications (SAP & Oracle).

What we do

Agenda

• Building a business case for SAP Vulnerability Management
• How to start off: roles, responsibilities and process
• How to talk to the board about SAP security


Introduction: Building a business case for SAP Vulnerability Management

Business Applications Under Attack

All business processes are generally automated by ERP systems.

• Information valuable to cyber criminals, industrial spies and competitors is stored in a company's ERP.
• This information includes financial reports, customer data, public relations materials, intellectual property documents and personally identifiable information.
• Industrial espionage, sabotage, fraud and insider embezzlement carried out inside an ERP system can be nearly untraceable.


Problem

• SAP is owned and managed by business
• Businesses rarely care about security (only SoD)
• CISOs sometimes don't even know about SAP
• CISOs care about infrastructure security
• But if a breach happens, they'll be blamed for lack of care


Our mission is to close this gap

SAP Security Notes

[Chart: number of SAP Security Notes (vulnerabilities) per year, 2001 to 2016, broken down by vulnerability risk level. Yearly totals as extracted, in year order:]

Year | Number of vulnerabilities
2001 | 1
2002 | 1
2003 | 13
2004 | 10
2005 | 10
2006 | 27
2007 | 14
2008 | 78
2009 | 131
2010 | 834
2011 | 731
2012 | 641
2013 | 363
2014 | 384
2015 | 302
2016 | 315

Latest news

SAP Cybersecurity Framework

Vulnerability Management – Data Flows

Building a business case

1. Present SAP-specific cyber security risks
2. Implement an SAP Vulnerability Management process
3. Develop metrics and demonstrate results

SAP Security Risks

1. Unreliability of security controls (ensuring CIA), caused by:
   o Weak passwords
   o Lack of authorization checks
2. Execution of fraudulent business transactions, caused by:
   o Unnecessary functionality enabled
   o SAP application vulnerabilities
3. Compliance violation, caused by:
   o Specific configuration requirements

SAP Vulnerabilities

Vulnerability Type | Examples
Misconfigurations | "Allow Dynamic Query" is enabled for migrated data servers
Application Vulnerabilities | Remote command execution in the SAP HANA TREXNet protocol without authorization
Code Vulnerabilities | Hardcoded emails, code injection and missing authorization checks
Access Control Vulnerabilities | Fraud scenario "Redirected Payment": change a vendor's bank account, wait for a payment (or make one), then change the vendor's bank account back

Vulnerability Management

Vulnerability Management Metrics

• SAP systems exposure
• Response (mitigation) time
• Labor and monetary costs
• State of compliance to standards


How to start off: roles, responsibilities and process

Vulnerability Management

1. Identify Assets and Schedule Vulnerability Assessments:
   o Inventory of Assets
   o Scan Profiles
   o Scan Plan
2. Scan Vulnerabilities:
   o Vulnerability Reports
3. Analyze Vulnerabilities and Recommend Remediations:
   o Vulnerability Risk Assessment
   o Remediation Plan
4. Test and Deploy Remediations:
   o Remediation Completion Report
5. Verify Remediations and Report:
   o Executive Report

1.1 Inventory of Assets

System ID | Purpose | Interconnected Systems | System Criticality | Responsibility | System Type | Application Servers | Clients | Platform
DM0 | Supply chain management | Internal: ERP; Internet: no; ICS: no; Partners: Partner1, Partner2; Mobile: no | High | John F.K. | PROD | 10.0.0.1, 10.0.0.2 | 100:PRD | SAP SCM 5.0 (NetWeaver AS 7.1 ABAP)
ERP | Enterprise Resource Planning | Internal: HR1, HR2; Internet: no; ICS: MES System; Partners: no; Mobile: no | Low | Mike | PROD | 10.0.16.6 | 200:PRD | SAP ECC 6.0 (NetWeaver AS 7.3 ABAP)
CRM | Customer Relationship Management | Internal: ERP; Internet: yes; ICS: no; Partners: no; Mobile: no | Very High | - | PROD | 10.0.34.5 | 210:PRD | SAP CRM 6.0 (NetWeaver AS ABAP 7.0)

1.1 Inventory of Assets. Demo

1.2 Scan Profiles

Technical compliance of an SAP system is its state of meeting the IT-related requirements.

Scan profile structure: Authority Document → Control → Technical Check 1, Technical Check 2, …, Technical Check n

Authority documents: PCI DSS 3.2, ISO 27001:2013, DSAG, SAP security guidelines, ISACA security guidelines

1.2 Scan Profiles. Demo

1.3 Scan Plan

Asset | Date | Time | Frequency
DM0 | 01.02.2017 | 01:00 | Quarterly: Q1, Q2, Q3, Q4
ERP | 08.02.2017 | 01:00 | Quarterly: Q1, Q2, Q3, Q4
CRM | 15.02.2017 | 01:00 | Quarterly: Q1, Q2, Q3, Q4

3. Analyze Vulnerabilities and Recommend Remediations

• Constraints and requirements (example):
   • Duration: not more than 60 days
   • Vulnerability risk level: medium and higher
   • Allowed remediation types: no kernel patch
• Tasks:
   1. Prioritizing vulnerabilities
   2. Filtering vulnerabilities
• Outcome:
   • Remediation Plan

3.1 Requirements and constraints

System ID | Relevant Adversaries | Vulnerability Types | Vulnerability Risk Level | Allowed Remediation Types | Maximum Level of Remediation Effort | Maximum Period of Downtime | Applicable Authority Documents | Results of Filtering
DM0 | Internal attacker without rights in the system | All except code and access control | Medium and higher | All except patch install | High and lower | 2 hours | - | 678 (66%) of 1023 vulnerabilities were filtered out: High risk: 5; Medium risk: 73; Low risk: 600
ERP | Internal attacker with rights | All | High | All except configuration changes | Any | 8 hours | NERC-CIP | 215 (17%) of 1500 vulnerabilities were filtered out: High risk: 215; Medium risk: 30; Low risk: 100
CRM | External attacker | All | All | All | Any | 1 hour | PCI DSS 3.0 | 315 (52%) of 600 vulnerabilities were filtered out: High risk: 15; Medium risk: 100; Low risk: 200

3.2 Prioritization

Check ID | Vulnerability Description | Vulnerability Type | Vulnerability Risk | External Usage | Count of SAP systems with the vulnerability (High / Medium / Low) | Vulnerability Priority
SSEA_1000003 | External RFC server registration | Misconfiguration | High | Yes | 5 / 3 / 2 | 69
SSCA_00130 | SSL encryption for ICM connections | Misconfiguration | Medium | Yes | 3 / 5 / 3 | 44
SSCA_00223 | Central application server that maintains the system log | Misconfiguration | Medium | Yes | 4 / 2 / 3 | 38
SSCA_01082 | Use of weak password hashing (H version of hashing) | Misconfiguration | Medium | No | 2 / 5 / 3 | 38
SSCA_00009 | Minimum number of letters in a password | Misconfiguration | Medium | No | 4 / 3 / 1 | 38
SSCA_00143 | Enable login with external identity by RFC | Misconfiguration | Medium | No | 2 / 4 / 4 | 36

3.3 Filtration. DM0. Constraints

Characteristic | Values | Constraint | Rationale | Results of Filtering
Vulnerability Type | Application vulnerability; Misconfiguration; Code vulnerability; Access control | Application vulnerabilities and misconfigurations | Code vulnerabilities are irrelevant due to the lack of custom development | 78 (8%) of 1023 vulnerabilities were filtered out: High risk: 5; Medium risk: 73
Vulnerability Risk | Very High; High; Medium; Low | Medium and higher | - | 600 (59%) of 1023 vulnerabilities were filtered out: Low risk: 600
Maximum Level of Remediation Effort | - | Less than 30 hours | - | -
Allowed Remediation Types | - | All except patch install | - | -

3.3 Filtration. DM0. Relevant vulnerabilities

Vulnerability Type & Risk | High | Medium | Low
Misconfiguration | 52 | 74 | 0
Application Vulnerability | 130 | 90 | 0
Code | 0 | 0 | 0
Access Control | 0 | 0 | 0

66% reduction
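The two tasks of this step, filtering the scan findings against the per-system constraints of tables 3.1 and 3.3 and then prioritising what remains, can be expressed in a few lines of Python. The block below is an added example, not code from the deck or from the vendor's product. The findings are constructed sample data; check ids other than SSEA_1000003 and SSCA_00130 are hypothetical, and the system criticalities are sample values. The priority rule is an assumption: the deck does not state its formula, and the weights used here were chosen because they reproduce the Vulnerability Priority column of table 3.2 for all six rows shown (6 × High + 4 × Medium + 2 × Low affected systems, multiplied by 1.5 for a High-risk check); the External Usage flag does not change any of those six values, so it gets no weight here.

```python
"""Filtering and prioritisation of SAP vulnerability findings (added example).

Step 3 of the process has two tasks: filter the scan findings against the
per-system constraints (vulnerability types, minimum risk level, allowed
remediation types, maximum remediation effort) and prioritise what remains.
The findings below are constructed sample data. The priority weights are an
ASSUMPTION: the deck gives no formula; these values merely reproduce the
"Vulnerability Priority" column of table 3.2 for the six rows shown.
"""
from collections import Counter
from dataclasses import dataclass

RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3}


@dataclass(frozen=True)
class Finding:
    check_id: str
    system: str
    vuln_type: str         # Misconfiguration, Application, Code, Access Control
    risk: str              # Low, Medium, High, Very High
    remediation_type: str  # e.g. "Update configuration", "Patch install"
    effort_hours: int      # estimated remediation effort


@dataclass(frozen=True)
class Constraints:
    allowed_types: frozenset
    min_risk: str
    excluded_remediations: frozenset
    max_effort_hours: int  # exclusive upper bound ("less than 30 hours")


# The DM0 row of tables 3.1 / 3.3: all types except code and access control,
# medium risk and higher, no patch install, less than 30 hours of effort.
LANDSCAPE_CONSTRAINTS = Constraints(
    allowed_types=frozenset({"Misconfiguration", "Application"}),
    min_risk="Medium",
    excluded_remediations=frozenset({"Patch install"}),
    max_effort_hours=30,
)

# Sample system criticalities (constructed; not the inventory of the deck).
SYSTEM_CRITICALITY = {"DM0": "High", "CRM": "High", "ERP": "Low", "HR1": "Medium"}

# Constructed sample findings; CFG_0001, CODE_0001, ACL_0001 and APP_000x are
# hypothetical check ids, SSEA_1000003 and SSCA_00130 are from table 3.2.
SAMPLE_FINDINGS = [
    Finding("SSEA_1000003", "DM0", "Misconfiguration", "High", "Update configuration", 16),
    Finding("SSEA_1000003", "CRM", "Misconfiguration", "High", "Update configuration", 16),
    Finding("SSEA_1000003", "ERP", "Misconfiguration", "High", "Update configuration", 16),
    Finding("SSCA_00130", "DM0", "Misconfiguration", "Medium", "Update configuration", 4),
    Finding("SSCA_00130", "HR1", "Misconfiguration", "Medium", "Update configuration", 4),
    Finding("CFG_0001", "DM0", "Misconfiguration", "Low", "Update configuration", 1),  # below min risk
    Finding("CODE_0001", "DM0", "Code", "High", "Code fix", 40),                        # excluded type
    Finding("ACL_0001", "ERP", "Access Control", "Medium", "Role redesign", 20),        # excluded type
    Finding("APP_0001", "CRM", "Application", "High", "Patch install", 8),              # excluded remediation
    Finding("APP_0002", "DM0", "Application", "Medium", "Update configuration", 80),    # too much effort
]


def filter_findings(findings, c):
    """Apply the constraints; return (kept, reasons) where reasons counts the
    filtered-out findings by the first constraint each one fails."""
    kept, reasons = [], Counter()
    for f in findings:
        if f.vuln_type not in c.allowed_types:
            reasons["vulnerability type"] += 1
        elif RISK_ORDER[f.risk] < RISK_ORDER[c.min_risk]:
            reasons["risk level"] += 1
        elif f.remediation_type in c.excluded_remediations:
            reasons["remediation type"] += 1
        elif f.effort_hours >= c.max_effort_hours:
            reasons["effort"] += 1
        else:
            kept.append(f)
    return kept, reasons


# Assumed weights (see module docstring): affected systems by criticality ...
SYSTEM_WEIGHT = {"High": 6, "Medium": 4, "Low": 2}
# ... scaled by the risk of the check itself. Only the High and Medium factors
# are backed by table 3.2; Very High and Low are assumed for completeness.
RISK_FACTOR = {"Very High": 2.0, "High": 1.5, "Medium": 1.0, "Low": 0.5}


def priority(check_risk, affected):
    """affected maps system criticality -> number of systems with the finding."""
    base = sum(SYSTEM_WEIGHT[crit] * n for crit, n in affected.items())
    return int(base * RISK_FACTOR[check_risk])


def prioritize(kept, criticality):
    """Group kept findings by check, score each check, highest priority first."""
    per_check = {}
    for f in kept:
        entry = per_check.setdefault(f.check_id, {"risk": f.risk, "systems": Counter()})
        entry["systems"][criticality[f.system]] += 1
    ranked = [(cid, priority(e["risk"], e["systems"])) for cid, e in per_check.items()]
    return sorted(ranked, key=lambda item: -item[1])


if __name__ == "__main__":
    kept, reasons = filter_findings(SAMPLE_FINDINGS, LANDSCAPE_CONSTRAINTS)
    print(f"kept {len(kept)} of {len(SAMPLE_FINDINGS)} findings; filtered out: {dict(reasons)}")
    for check_id, score in prioritize(kept, SYSTEM_CRITICALITY):
        print(f"{check_id}: priority {score}")
```

The filter records the first constraint a finding fails, which is what the "Results of Filtering" column of table 3.3 reports per characteristic; prioritisation is done per check rather than per finding because one remediation usually fixes the check on every affected system.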

3.4 Remediation Plan. DM0

Columns: Remediation Priority | Vulnerability | Vulnerability Risk | Remediation Type | Remediation

1. SSEA_1000003: External RFC server registration
   Description: An attacker can use an insecure RFC configuration to register his own RFC server. As a result, he would be able to control and intercept client requests as well as copy and change information.
   Risk: High
   Remediation type: Update configuration. Effort level: medium (~2 d, downtime 4 h)
   Remediation: To resolve this issue, it is recommended to configure the RFC server correctly. Links: RFC/ICF Security Guide

2. SSCA_00130: SSL encryption for ICM connections
   Description: An unencrypted network connection may lead to interception of transmitted data and thus to unauthorized access. The HTTP protocol transmits all authentication data as plain text, which allows it to be intercepted easily with a spoofing attack.
   Risk: Medium
   Remediation type: Update configuration. Effort level: easy (~4 h, downtime 2 h)
   Remediation: Set the icm/server_port_NN parameter to PROT=HTTPS instead of PROT=HTTP to decrease the possibility of unauthorized access.

3. SSCA_00223: Central application server that maintains the system log
   Description: Incorrect permissions on this file in the operating system can allow an attacker to modify the contents of the file in such a way as to hide his tracks.
   Risk: Medium
   Remediation type: Update configuration. Effort level: easy (~4 h, downtime 2 h)
   Remediation: The administrator of the operating system must set the access rights to the file correctly according to the principle of least privilege. Links: BOOK "Security, Audit and Control Features (SAP ERP 3rd edition)" p. 413, check 4.10.2; DOC rslg/collect_daemon/host - Central Log Host
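The ICM parameter named in item 2 can be verified mechanically. The following Python snippet is an added example, not part of the deck or of the vendor's product: it parses icm/server_port_NN parameters from an instance profile (a constructed sample text, not a real system) and reports every listener configured with PROT=HTTP, which is the condition check SSCA_00130 flags.

```python
"""Checker for plain-HTTP ICM listeners in an SAP instance profile (added example).

Profile parameters have the form "name = value"; for icm/server_port_NN the value
is a comma-separated list of sub-parameters such as PROT=HTTP,PORT=8000. Check
SSCA_00130 in the deck flags ICM connections without SSL; this function reports
every port whose PROT is HTTP. The profile text below is a constructed sample.
"""
import re

PORT_PARAM = re.compile(r"^\s*(icm/server_port_\d+)\s*=\s*(.+?)\s*$")

# Constructed excerpt of an instance profile, not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile DM0 (constructed)
SAPSYSTEMNAME = DM0
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=30,PROCTIMEOUT=600
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=30,PROCTIMEOUT=600
icm/server_port_2 = PROT=SMTP,PORT=25000
icm/server_port_3 = PROT=HTTP,PORT=8001
"""


def parse_subparams(value):
    """'PROT=HTTP,PORT=8000,TIMEOUT=30' -> {'PROT': 'HTTP', 'PORT': '8000', ...}"""
    subparams = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            subparams[key.strip().upper()] = val.strip()
    return subparams


def check_icm_ports(profile_text):
    """Return one finding per icm/server_port_NN listener configured with PROT=HTTP."""
    findings = []
    for line in profile_text.splitlines():
        if line.lstrip().startswith("#"):  # comment line
            continue
        match = PORT_PARAM.match(line)
        if not match:
            continue
        name, subparams = match.group(1), parse_subparams(match.group(2))
        if subparams.get("PROT", "").upper() == "HTTP":
            findings.append({
                "check": "SSCA_00130",
                "parameter": name,
                "port": subparams.get("PORT"),
                "issue": "plain HTTP listener; configure PROT=HTTPS",
            })
    return findings


if __name__ == "__main__":
    for finding in check_icm_ports(SAMPLE_PROFILE):
        print(f"{finding['check']}: {finding['parameter']} port {finding['port']}: {finding['issue']}")
```

Run against the sample profile, the checker reports icm/server_port_0 (port 8000) and icm/server_port_3 (port 8001); the HTTPS and SMTP listeners pass.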

Outcomes

Inventory of Assets | List of assets in scope of the vulnerability management, technical details and descriptions
Scan Profiles | List of security checks related to applicable information security standards and regulations
Scan Plan | List of assets and time at which vulnerability scans should be performed
Remediation Plan | Description of SAP landscape, threat map, recommended remediations and action plans for each SAP system
Executive Report | Report on performance of SAP VM: security, compliance and remediation metrics


How to talk to the board?

What boards need to know:

• Do we comply with security requirements?
• How protected are our most important assets against a cyber-attack?
• How high is the residual cyber risk we have?
• What work related to remediation of cyber risk is in progress?
• What should we do next?

Executive Report. Summary

Title: SAP Vulnerability Management 2015
Dates: 01.01.2015 – 31.12.2015
Goal: initial assessment of 40 SAP systems

Conclusion:

1. Technical compliance increased on average by 10%
2. Vulnerability ratio (number of vulnerabilities per host) decreased on average by 30%
3. Overall efforts amounted to 400 man-hours
4. There are still 100 vulnerabilities on high-critical SAP systems, 50 on medium and 15 on low
5. Future goals: increase technical compliance by 10% for every standard and remediate all vulnerabilities with high risk
6. With current productivity, it will take 5 months of work for 2 employees

1. Technical Compliance. Authority Documents

[Chart: ratio of successful checks by standard (NIST 53, PCI DSS, ISO 27001:2013, CIS CSC), 01.01.2015 vs 31.12.2015]

1. Technical compliance. ISO 27001:2013

[Chart: ratio of successful checks by control category, 01.01.2015 vs 31.12.2015, with the total number of checks per category. Categories: A.5 Information security policies; A.6 Organization of information security; A.7 Human resources security; A.8 Asset management; A.9 Access control; A.10 Cryptography; A.11 Physical and environmental security; A.12 Operational security; A.13 Communication security; A.14 System acquisition, development and …; A.15 Supplier relationships; A.16 Information security incident management; A.17 Information security aspects of business …; A.18 Compliance]

2. Security. Remediations by Risk Level

Vulnerability Risk Level | 01.01.2015 | 31.12.2015 | Change
High | 15 | 10 | 5
Medium | 20 | 7 | 13
Low | 50 | 30 | 20

2. Security. Remediations by Vulnerability Type

Vulnerability Type | 01.01.2015 | 31.12.2015 | Change
Misconfiguration | 100 | 77 | 23
Application Vulnerability | 20 | 14 | 6
Code | 0 | 0 | 0
Access Control | 5 | 4 | 1
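How the compliance and security figures of this report can be derived from a scan profile is shown by the following Python example, added here and not taken from the deck or from the vendor's product. It models a scan profile as authority document → control → technical checks (section 1.2), computes the ratio of successful checks per standard at two dates, and the vulnerability ratio (failed checks per host) whose decrease the summary reports. The systems, the check results and the control-to-check mapping are constructed; check ids SSCA_00130, SSCA_00009, SSCA_01082 and SSCA_00143 come from table 3.2, DEFAULT_PWD and GW_ACL are hypothetical.

```python
"""Scan profile and executive-report metrics (added example, not the deck's code).

A scan profile maps authority document -> control -> technical checks. From the
check results per system, the technical compliance per standard (ratio of
successful checks) and the vulnerability ratio (failed checks per host) are
derived and compared between two dates. Systems, results and the
control-to-check mapping are constructed; SSCA_* ids are from the deck,
DEFAULT_PWD and GW_ACL are hypothetical check ids.
"""

SCAN_PROFILE = {
    "PCI DSS 3.2": {
        "Req. 2 vendor-supplied defaults": ["DEFAULT_PWD"],
        "Req. 4 encryption of transmission": ["SSCA_00130"],
        "Req. 8 user identification and authentication": ["SSCA_00009", "SSCA_01082"],
    },
    "ISO 27001:2013": {
        "A.9 Access control": ["DEFAULT_PWD", "SSCA_00009", "SSCA_01082", "SSCA_00143"],
        "A.13 Communication security": ["SSCA_00130", "GW_ACL"],
    },
}

# Check results per system, True = check passed. Constructed values.
RESULTS_BEFORE = {  # 01.01.2015
    "DM0": {"DEFAULT_PWD": True, "SSCA_00130": False, "SSCA_00009": False,
            "SSCA_01082": False, "SSCA_00143": False, "GW_ACL": False},
    "ERP": {"DEFAULT_PWD": True, "SSCA_00130": False, "SSCA_00009": True,
            "SSCA_01082": False, "SSCA_00143": True, "GW_ACL": False},
    "CRM": {"DEFAULT_PWD": False, "SSCA_00130": False, "SSCA_00009": True,
            "SSCA_01082": True, "SSCA_00143": False, "GW_ACL": True},
}
RESULTS_AFTER = {  # 31.12.2015
    "DM0": {"DEFAULT_PWD": True, "SSCA_00130": True, "SSCA_00009": True,
            "SSCA_01082": False, "SSCA_00143": False, "GW_ACL": True},
    "ERP": {"DEFAULT_PWD": True, "SSCA_00130": False, "SSCA_00009": True,
            "SSCA_01082": True, "SSCA_00143": True, "GW_ACL": True},
    "CRM": {"DEFAULT_PWD": True, "SSCA_00130": True, "SSCA_00009": True,
            "SSCA_01082": True, "SSCA_00143": False, "GW_ACL": True},
}


def checks_of(profile, standard):
    """All technical checks referenced by a standard, each counted once even if
    several controls map to it."""
    return {c for checks in profile[standard].values() for c in checks}


def compliance_by_standard(profile, results):
    """Ratio of passed (system, check) pairs per standard; a check with no
    result is counted as failed."""
    ratios = {}
    for standard in profile:
        checks = checks_of(profile, standard)
        total = len(checks) * len(results)
        passed = sum(1 for r in results.values() for c in checks if r.get(c, False))
        ratios[standard] = round(passed / total, 2)
    return ratios


def vulnerability_ratio(results):
    """Failed checks per host."""
    failed = sum(1 for r in results.values() for ok in r.values() if not ok)
    return round(failed / len(results), 2)


def executive_summary(profile, before, after):
    """Per-standard compliance at both dates with the change in percentage
    points, plus the change of the vulnerability ratio."""
    cb, ca = compliance_by_standard(profile, before), compliance_by_standard(profile, after)
    summary = {s: {"before": cb[s], "after": ca[s], "change_pp": round((ca[s] - cb[s]) * 100)}
               for s in profile}
    summary["vulnerability_ratio"] = {"before": vulnerability_ratio(before),
                                      "after": vulnerability_ratio(after)}
    return summary


if __name__ == "__main__":
    for key, value in executive_summary(SCAN_PROFILE, RESULTS_BEFORE, RESULTS_AFTER).items():
        print(key, value)
```

A check that several controls of one standard reference is counted once per system, so a single fix moves the ratio of that standard by one step; a check that was not executed counts as failed, which keeps an incomplete scan from inflating the compliance figure.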

Executive Report

1. Current threat map
2. Remediation priorities
   • Grouped by system
   • Grouped by vulnerability
3. Productivity analysis
4. Goals
5. Conclusion

3. Future Plans

3. Future plans. Threat Map

3. Future Plans. Remediation priorities for SAP systems (TOP 10)

Priority | SID | Criticality | Connectivity | Total remediation efforts | Total downtime | Count of vulnerabilities by risk level (High / Medium / Low)
1 | PLM | High | SCADA | ~500 hours | 5 hours | 10 / 7 / 4
2 | CR1 | Low | WEB | ~150 hours | - | 9 / 6 / 3
3 | ERP | Medium | - | ~10 hours | - | 8 / 5 / 2
4 | HR1 | Low | ERP, PLM | - | - | 9 / 6 / 3
5 | FIN | Low | PLM | - | - | 8 / 5 / 2
6 | DL0 | Medium | - | - | - | 8 / 5 / 2
7 | DL1 | Medium | - | - | - | 8 / 5 / 2
8 | DL2 | Medium | - | - | - | 8 / 5 / 2
9 | DL3 | Medium | - | - | - | 8 / 5 / 2
10 | DL4 | Medium | - | - | - | 8 / 5 / 2

3. Future Plans. Remediation priorities for vulnerabilities (TOP 5)

Priority | Vulnerability Description | Vulnerability Risk | Remediation Type | Remediation Effort | Criticality of SAP systems with the vulnerability (High / Medium / Low)
1 | SAP Gateway authorization bypass | High | Configure ACL | Very High | 3 / 30 / 10
2 | Verb Tampering vulnerability | High | Change configuration | Low | 2 / 10 / 10
3 | Default password for user SAP* | Very High | User settings | Medium | 3 / 9 / 30
4 | XSS vulnerability in config servlet | Medium | Apply SAP Note | High | 10 / 50 / 10
5 | MMC Server information disclosure | High | Change configuration | High | 3 / 50 / 3

3. Future Plans. Productivity analysis

Remediation Type | Implemented remediations by effort amount (High / Medium / Low) | Productivity by effort amount, hours per remediation (High / Medium / Low)
SAP Note installation | 50 / 5 | 500h / 5h
Update a configuration setting | 10 | 20h
Install a kernel patch | 20 | 200h
Execute SQL command | 10 | 20h
Disable SAP service | 5 | 25
Total | 25 / 50 / 25 | 225h / 500h / 45h

(Cells as extracted; where a row has fewer values than columns, the column assignment could not be recovered.)

3. Future Plans. Compliance Goals

1. Increase technical compliance by 10% for every standard
2. The goal implies:
   • 10 high-effort remediations
   • 50 middle-effort remediations
   • 150 low-effort remediations
3. Overall effort projection is 4 months for 2 employees

3. Future Plans. Security Goals

1. Completely patch all TOP 10 SAP systems: PLM, HR1, ERP, SCM, FIN, DL0, DL1, DL2, DL3, DL4
2. Remediate all vulnerabilities with high risk
3. The goals imply:
   • 20 high-effort remediations
   • 35 middle-effort remediations
   • 100 low-effort remediations
4. Overall effort projection is 3 months for 2 employees

3. Future Plans. Conclusion

1. Technical compliance increased on average by 10%
2. Vulnerability ratio decreased on average by 30%
3. Overall efforts amounted to 400 man-hours
4. There are still 100 vulnerabilities on high-critical SAP systems, 50 on medium and 15 on low
5. Future goals are to increase technical compliance by 10% for every standard and remediate all vulnerabilities with high risk
6. Maintaining the current productivity, it will take 7 months for 2 employees to do this

Final Takeaways

1. Operating SAP brings new risks
2. Vulnerabilities are the raw data of security
3. Manage vulnerabilities to reach the desired level of security

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
HQ Netherlands: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
[email protected]

Thank you

[email protected]