May 7 – 9, 2019 Securing SAP Systems from Cyber Attacks Cheryl Bogenschutz, Sr. Director, Advisory Services, itelligence Inc. Emery Streit, Practice Manager, SAP Solution Manager, itelligence Inc. Session ID # 82900


Page 1: Securing SAP Systems from Cyber Attacks

May 7 – 9, 2019

Securing SAP Systems from Cyber Attacks Cheryl Bogenschutz, Sr. Director, Advisory Services, itelligence Inc.

Emery Streit, Practice Manager, SAP Solution Manager, itelligence Inc.

Session ID # 82900

Page 2

About the Speakers

Cheryl Bogenschutz

• Sr. Director, Advisory Services, itelligence, inc.

• Cheryl has been in IT leadership / CIO positions for over 30 years, focused on strategic initiatives to leverage technology to transform business processes, impacting the way the company, and sometimes the industry, operates

• Cheryl is an Adjunct Professor at the University of Cincinnati where she leads the CIO Forum Masters course

Emery Streit

• Practice Manager, SAP Solution Manager, itelligence, inc.

• Emery has over 20 years of IT experience with specific focus on IT Service Management and ITIL processes. Currently responsible for collaborating with customers on understanding the value and usage of SAP Solution Manager and its associated Application Lifecycle Management processes.

• Emery is an avid drone photographer and spends a lot of his free time with his DJI Mavic 2 Pro.

Page 3

Key Outcomes/Objectives

1. Understand Potential Risks to SAP Systems

2. Identify Vulnerabilities within your SAP Systems

3. Understand SAP Patch Management to enhance ongoing protection

Page 4

Agenda

• Highlight real security concerns for SAP systems

• Understand potential vulnerabilities to your SAP systems

• How to monitor and leverage SAP Security Patch Management through SAP Solution Manager

• SAP Solution Manager Options

Page 5

Real SAP System Security Concerns

• Hackers are actively attacking ERP applications

• Malware developed to attack the internal, “behind-the-firewall” ERP applications

• Nation-state sponsored actors have targeted ERP applications for cyber-espionage and sabotage

• Dramatic increase in exploits for SAP applications in dark web and cyber-crime forums

• Attack vectors mainly leverage known ERP vulnerabilities vs. zero-days

Page 6

Real SAP System Security Concerns

• Invoker Servlet vulnerability

– Gain Remote Access

– No Need for Valid SAP User

– Attacker only needs a Web browser and the domain/hostname/IP address of the target SAP system

Page 7

4/25/2019

Real SAP System Security Concerns

The Department of Homeland Security issued an alert warning of rising hacker threats to ERP applications.

The report found “…100 percent increase of public exploits for SAP and Oracle ERP applications over the last three years, and a 160 percent increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017."

The report also found over 4,000 security patches for vulnerabilities in SAP applications. In fact, the researchers found about 50 exploits for SAP products that are being traded on the dark web. An attacker can exploit these vulnerabilities to obtain access to sensitive information.

"Our recommendation to all of our customers is to implement SAP security patches as soon as they are available - typically on the second Tuesday of every month - to protect SAP infrastructure from attacks.”

- SAP spokesman

Page 8

Why the increase in SAP Security Concerns?

• Company competitive proprietary data

• Customer information

• Employee or Consumer's PII (personally identifiable information)

• Physical assets are increasingly online

Page 9

Understanding the SAP Security Risks/Impact

• Full control over SAP systems bypassing any other SAP security controls

• Manipulation of data and data theft

• No traceability due to missing audit trail

• Unavailability of data and systems

Page 10

Where are SAP System Security Vulnerabilities

• New Technology

• Cloud

• Patching

• Standard Security

• RFC’s / Interfaces / Entire Landscapes

• IoT

Page 11

Understand SAP System Security Vulnerabilities

• Over 4,000 SAP security patches released to date

– Each security patch provides mitigation for one or more vulnerabilities.

• Organizations need a well-defined process in place to manage on-going mitigation

• Vulnerabilities exist despite being patched

Page 12

Applying Intelligence/Process to SAP Security Patch Management

• Review, Assess and Categorize Software Vulnerabilities and SAP Patches

– Common Vulnerability Scoring System (CVSS)

– Software Patch Priority

– Vulnerability Type

– Software Correction Type

Page 13

SAP System Vulnerability Scoring System

• CVSS – Common Vulnerability Scoring System

– Provides Standardized Vulnerability Severity Scores

– Open Framework

– Helps with Prioritization

– SAP Supports Base Score – intrinsic and fundamental characteristics of a vulnerability

– Organizations should also provide risk assessments

Page 14

What Makes up an SAP Patch CVSS Score?

• CVSS – Common Vulnerability Scoring System (0 – 10)

– Attack Vector (AV) – Network, Adjacent, Local, Physical

– Attack Complexity (AC) – Low, High

– Privileges Required (PR) – None, Low, High

– User Interaction (UI) – None, Required

– Scope (S) – Unchanged, Changed

– Confidentiality Impact (C) – None, Low, High

– Integrity Impact (I) – None, Low, High

– Availability Impact (A) – None, Low, High

Page 15

How urgent is the SAP Software correction?

• Software Patch Priority

– Hot News (CVSS – 9.0 – 10.0)

– Correction with High Priority (CVSS – 7.0 – 8.9)

– Correction with Medium Priority (CVSS – 4.0 – 6.9)

– Correction with Low priority (CVSS – 0.1 – 3.9)

Page 16

What Type of SAP Software Vulnerability?

• Vulnerability Type (Examples)

– Cross-Site Scripting

– Implementation Flaw

– Information Disclosure

– Authorization Check

– Denial of Service

– Buffer Overflow

– SQL Injection

Page 17

What type of SAP Patch?

• Correction Type

– Automatic ABAP Correction

– Manual ABAP Correction

– Kernel/JAVA/HANA New Install Notes

– Notes on Other Components

– Other Manual Instructions

Page 18

SAP Security Notes per Month

Page 19

© 2016 itelligence

What is SAP Solution Manager – Unique Integration

• Solution Manager is the only tool that is integrated with all aspects of Application Lifecycle Management

• Modules work hand-in-hand together and Process Management is the foundation

• Solution Manager has a tight technical integration with the managed systems

Diagram of Solution Manager modules: Business Process Monitoring, Custom Code Mgmt, App Operations, Test Suite, ITSM, Data Volume Mgmt., Change Control Mgmt, Landscape Mgmt, Process Mgmt

Page 20

Solution Manager Functionality

Process Management – Single Source of Truth for Process and Technical Documentation. Define template for usage.

Application Operations – Proactively identifies problems in your environment through monitoring and alerting.

Business Process Ops – Monitor key business processes to ensure smooth operations and process improvement.

Change Control Mgt – Tools to ensure quality transport and deployment control. Governance of approval and release processes.

Test Suite / BPCA / SEA – Testing and Change Impact Analysis tool to facilitate testing and identify impacted code due to a transport or upgrade.

IT Service Management – ITIL compliant Incident and Problem Management ticketing tool.

Data Volume Mgt – Detailed analysis and transparency of your data footprint and consumption rates.

Custom Code Mgt – Detailed analysis and transparency of custom code. Ensures quality and criticality are appropriate.

Page 21

SAP Patch Day System Recommendations

• SAP releases security patches on the second Tuesday every month

• System Recommendations identifies relevant patches and urgent SAP Notes based on actual status of system and already implemented SAP Notes

• Assessment of impact of relevant SAP Notes is provided

• Notes are applied to the SAP system

Diagram labels: Select system(s) to check for security patches; Implementation Tools; SAP Security Patch Management Service

Page 22

System Recommendations – Unique Integration

• Uses ChaRM to seamlessly pass to change management process

• Uses BPCA to calculate impact and do test scope optimization on each note

• Uses Usage Logging data to display whether the note is changing objects in use

• Integrated with Managed System to seamlessly download and implement into the managed system

Page 23

SAP Solution Manager System Recommendations

Page 24

SAP Solution Manager Tools to Ensure Security Patches are Applied

• Configuration Validation – Based on Target Systems

• Cross-System BW reporting based on System Recommendations

• Validate if selected notes have reached production systems

• Measure quality of patch processes

Page 25

SAP Solution Manager Interface Monitoring

• Cross-system Connection Monitoring – RFC, HTTP, HTTPS, IDOC, Web Services

• Automatically Generate Topology for Vulnerability Discovery

• Continuously collect metrics on availability, usage (destinations), configuration and performance

• Standard handling processes through Guided Procedures.

Page 26

SAP Solution Manager Security Optimization Report

• Self Service

• Authentication Configuration

• Authorization Auditing

– Basis Authorizations

– Change Management Authorizations

– User Authorizations

Page 27

Solution Manager Options

Diagram: three deployment models, each drawn as a stack of Networking, Storage, Servers, Virtualization, O/S, Data and Application layers, with each layer marked “Managed by customer” or “Managed by provider”:

• On-Premise – 1:1 Customer

• Hosted – 1:1 Customer

• SMaaMS – 1:M Customers

Page 28

Solution Manager as a Managed Service

Diagram labels: On-premise or 3rd Party Hosted; SAP Cloud; SAP S/4HANA (On-Premise); S/4HANA Cloud; itelligence Cloud; Web services

Page 29

Solution Manager as a Managed Service - Subscription

• Subscription to access a fully configured, cloud-based Solution Manager operated by certified consultants from itelligence (Run SAP Partner)

• Regular updates. Always current Solution Manager

• Value Added Reporting

• Application Lifecycle Management Roadmap Session

• Further Support from Process Consultants

• Leverage some or all functions with self or full service

Page 30

Example Security Patch Management Service

• Description: SMaaMS platform checks all relevant security notes/patches for customer systems, assesses impact and easily applies them to keep customer systems up-to-date.

• Customer Benefits:

– Increase system security by keeping up to date with SAP Security patches

– Reduce risk of compromised data through SAP specific vulnerabilities

– Detailed recommendations based on actual system usage and already implemented SAP notes

• Process: Every 2nd Tuesday of the month, SAP will release Security Notes. Utilizing Solution Manager as a Service, Consultants can:

– Review released SAP security notes and patches

– Run change impact analysis and provide transactions and programs to be tested

– Apply agreed upon SAP Software Corrections to agreed upon environment

– Provide advice on non SAP Software Corrections

• Requirements:

– Customer must be on an active SAP Maintenance contract

– Customer must connect to the itelligence Solution Manager as a Service platform

Page 31

Solution Manager as a Service – How to get started

• Visit our AddStore at http://goo.gl/3CGDCX

• Request a webinar or contact

Page 32

SAP Security Patch Webinar Additional Information

• ASUG presents a Security Patch Day Webcast Every Month with SAP Security Expert Frank Buchholz!

• Planned Dates for 2019 SAP Security Patch Days

– https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html

• Summary of the critical security issues from past webinars delivered by our security expert since 2014 here: (https://support.sap.com/content/dam/support/en_us/library/ssp/offerings-and-programs/support-services/sap-security-optimization-services-portfolio/SAP_Security_Notes_Webinar.pdf)

Page 33

SAP Security Patch Webinar Additional Information

• Available for US customers via the Americas SAP User Group (ASUG)

– First need to register with the ASUG here: https://www.asug.com/events#!/events/cal?keyword=Security&categories=webinar&startDate=2017-12-31&endDate=2018-02-11&period=month

– Once registered you can join the ASUG Security SIG: https://discuss.asug.com/community/sig_communities/business_integration__technology_&_infrastructure/security_sig

– Please check the ASUG Security SIG events calendar for dial-in details.

• Learn more on the Learning Hub - Only customers with one of the following maintenance agreements are eligible to access the support edition: SAP Enterprise Support, Cloud Edition, SAP Product Support for Large Enterprises (PSLE) and SAP Premium Engagement customers.

• You need to register for access to SAP's relaunched learning platform, SAP Learning Hub: https://support.sap.com/en/offerings-programs/enterprise-support/enterprise-support-academy/learn.html, to gain access to all learning resources here: https://support.sap.com/en/offerings-programs/enterprise-support/enterprise-support-academy/learn.html

• A valid S-user is required to attend Expert Webinar sessions

Page 34

References

• SAP Security Notes & News - https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html

• SAP Security Patch Process - https://support.sap.com/content/dam/support/en_us/library/ssp/offerings-and-programs/support-services/sap-security-optimization-services-portfolio/AGS_Security_Patch_Process.pdf

• Common Vulnerability Scoring System Standards - https://www.first.org/cvss/specification-document

• Onapsis and Digital Shadows Research Report - https://www.onapsis.com/research/reports/erp-security-threat-report

• National Cybersecurity and Communications Integration Center Official Alert - https://www.us-cert.gov/ncas/alerts/TA16-132A

• Invoker Servlet - https://help.sap.com/saphelp_nw70ehp2/helpdata/en/bb/f2b9d88ba4e8459e5a69cb513597ec/frameset.htm

Page 35

Take the Session Survey.

We want to hear from you! Be sure to complete the session evaluation on the SAPPHIRE NOW and ASUG Annual Conference mobile app.

Page 36

Access the slides from 2019 ASUG Annual Conference here:

http://info.asug.com/2019-ac-slides

Presentation Materials

Page 37

Q&A

For questions after this session, contact us at [email] and [email].

Page 38

Let’s Be Social. Stay connected. Share your SAP experiences anytime, anywhere.

Join the ASUG conversation on social media: @ASUG365 #ASUG