Securing SAP in 5 steps - SAP Cyber Security Solutions

Invest in security to secure investments

Securing SAP in 5 steps

Alexander Polyakov, CTO, ERPScan

About ERPScan

• The only 360-degree SAP security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

Securing SAP

• Have budget – find people and tools (later)
• Don't have budget – try to show the business how critical it is

Ask 3rd parties for

• Whitepapers
• Webinars from experts
• SaaS scanning of external-facing systems
• Pentest
• Full SAP security assessment

SAP Security

1. Pentesting and Audit

Pentest

Pentest - anonymous scanning for SAP vulnerabilities

• Analysis of exposed services (more than 20 possible)
• Black-box analysis of installed applications and vulnerabilities
• Exploitation of the vulnerabilities found
• Presentation report for management

Analysis of running services

• Scan the external company network for SAP
• Scan internal SAP systems from the user or guest network
• Scan internal SAP systems from the admin network

We have been scanning external systems and collecting information since 2011.

Remotely exposed services

[Chart: number of remotely exposed services, 2011 vs 2013 (axis 0 to 35), per service: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router]

Internal access

• Only these services should be open for local access:
– Dispatcher
– Message Server
– HTTP (ICM)
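As an added illustration of this allowlist (example code written for this page, not ERPScan's scanner), the Python below maps open ports from a constructed scan result to SAP services using the port-number conventions from SAP's port documentation (instance number NN, e.g. 32NN for the dispatcher) and reports which exposed services fall outside the three allowed ones. The port mappings and the sample port list are assumptions to verify against the release in use.

```python
"""Classify open TCP ports on an SAP host against the 'internal access' allowlist.

Added example, not ERPScan code. Port conventions (NN = two-digit instance number)
are taken from SAP's port documentation and should be verified for your release.
"""
import re

# Ordered: specific fixed ports first, so 3299 is reported as SAProuter rather than
# as "dispatcher of instance 99".
SERVICE_PATTERNS = [
    (re.compile(r"^3299$"), "SAP Router"),
    (re.compile(r"^1128$"), "SAP HostControl"),
    (re.compile(r"^1129$"), "SAP HostControl (HTTPS)"),
    (re.compile(r"^5\d\d13$"), "SAPControl (sapstartsrv HTTP)"),
    (re.compile(r"^5\d\d14$"), "SAPControl (sapstartsrv HTTPS)"),
    (re.compile(r"^32\d\d$"), "SAP Dispatcher"),
    (re.compile(r"^33\d\d$"), "SAP Gateway"),
    (re.compile(r"^36\d\d$"), "SAP Message Server"),
    (re.compile(r"^81\d\d$"), "SAP Message Server HTTP"),
    (re.compile(r"^80\d\d$"), "HTTP (ICM)"),
    (re.compile(r"^443\d\d$"), "HTTPS (ICM)"),
]

# The slide allows Dispatcher, Message Server and HTTP (ICM) only; HTTPS on the ICM is
# treated here as the same service (assumption made for the example).
ALLOWED_INTERNAL = {"SAP Dispatcher", "SAP Message Server", "HTTP (ICM)", "HTTPS (ICM)"}


def identify(port):
    """Return the SAP service name for a port, or None if it is not an SAP port."""
    for pattern, name in SERVICE_PATTERNS:
        if pattern.match(str(port)):
            return name
    return None


def review_exposure(open_ports, allowed=ALLOWED_INTERNAL):
    """Split a list of open ports into (allowed, should_close, unknown).

    allowed / should_close are lists of (port, service) sorted by port;
    unknown is a sorted list of ports that are not SAP ports (e.g. OS services).
    """
    allowed_found, should_close, unknown = [], [], []
    for port in open_ports:
        service = identify(port)
        if service is None:
            unknown.append(port)
        elif service in allowed:
            allowed_found.append((port, service))
        else:
            should_close.append((port, service))
    return sorted(allowed_found), sorted(should_close), sorted(unknown)


# Constructed sample: ports seen open on one internal SAP host from the user network.
SAMPLE_SCAN = [3200, 3300, 3600, 8100, 8000, 50013, 1128, 3299, 22]

if __name__ == "__main__":
    ok, close, other = review_exposure(SAMPLE_SCAN)
    print("allowed:     ", ok)
    print("should close:", close)
    print("non-SAP:     ", other)
```

Everything in the second list (Gateway, Message Server HTTP, SAPControl, HostControl, SAProuter) is a management or integration interface that the slide says should not be reachable from user networks; the "non-SAP" list is the 3rd-party services the later "open remote management interfaces" slide asks you to account for separately.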

Pentest

• Next step in black-box analysis
• Can be used as a starting point for an SAP security project
• Can also be used as a final test after implementation

Pentest JAVA

Examples of vulnerabilities

• Auth bypass in CTC
• Anonymous user creation
• Anonymous file read
• Information disclosure
• Unauthorized access to KM documents

Pentest ABAP

Examples of vulnerabilities:

• Buffer overflows
• Information disclosure about files in MMC
• Unauthorized access to log files
• Injection of OS commands in SAPHostControl
• Dangerous web services
• Information disclosure about parameters in Message Server HTTP

Full SAP Security assessment

• Configuration analysis
• Access control checks
• Vulnerability scanning

Configuration analysis

• Authentication (password policies, SSO, users by different criteria)
• Access control (access to different web services, tables, transactions, insecure test services, unnecessary transactions and web applications)
• Encryption (SSL and SNC encryption)
• Monitoring (Security Audit Log, system log and others)
• Insecure configuration (all other security checks for particular services: Gateway, Message Server, ITS, SAPGUI, Web Dispatcher, MMC, Host Control, Portal)

Access control

• Users with critical profiles
• Users with critical roles
• Users with access to critical tables
• Users with access to transport
• Users with access to development
• Users with access to user administration
• Users with access to system administration
• Users with access to HR functions
• Users with access to CRM functions
• …

Vulnerability scan

• Check for latest component versions
• Check for missing SAP Notes
• Exploit vulnerabilities to check if they really exist

SAP Security

2. Compliance

Compliance

First of all, choose the one that you want:

• EAS-SEC
• SAP NetWeaver ABAP Security Configuration
• ISACA (ITAF)
• DSAG

EAS-SEC for NetWeaver (EASAI-NA)

Enterprise Application Systems Application Implementation – NetWeaver ABAP

• Developed by ERPScan: the first standard of the EAS-SEC series
• Will be published in September
• Rapid assessment of SAP security in 9 areas
• Contains the 33 most critical checks
• Ideal as a first step
• Also contains information for the next steps
• Categorized by priority and criticality

EASAI-NA-2013

EASAI-NA area                                 Access         Criticality   Easy to exploit   % of vulnerable systems
1. Lack of patch management                   Anonymous      High          High              99%
2. Default passwords for application access   Anonymous      High          High              95%
3. Unnecessary enabled functionality          Anonymous      High          High              90%
4. Open remote management interfaces          Anonymous      High          Medium            90%
5. Insecure configuration                     Anonymous      Medium        Medium            90%
6. Unencrypted communication                  Anonymous      Medium        Medium            80%
7. Access control and SOD                     User           High          Medium            99%
8. Insecure trust relations                   User           High          Medium            80%
9. Logging and monitoring                     Administrator  High          Medium            98%

Lack of patch management

• [EASAI-NA-01] Component updates
• [EASAI-NA-02] Kernel updated

What next: Other components should be updated separately – SAP Router, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects – and also the OS and database.

Default passwords

• [EASAI-NA-03] Default password check for user SAP*
• [EASAI-NA-04] Default password check for user DDIC
• [EASAI-NA-05] Default password check for user SAPCPIC
• [EASAI-NA-06] Default password check for user MSADM
• [EASAI-NA-07] Default password check for user EARLYWATCH

What next: A couple of additional SAP components also use their own default passwords. For example, the SAP SDM and SAP ITS services in their old versions have default passwords. After you check all default passwords you can start with brute-forcing for simple passwords.

Unnecessary enabled functionality

• [EASAI-NA-08] Access to RFC functions using the SOAP interface
• [EASAI-NA-09] Access to RFC functions using the FORM interface
• [EASAI-NA-10] Access to the XI service using the SOAP interface

What next: You should analyze the roughly 1500 other services which are remotely enabled and decide whether they are really needed, and also disable unused transactions, programs and reports.

Open remote management interfaces

• [EASAI-NA-11] Unauthorized access to the SAPControl service
• [EASAI-NA-12] Unauthorized access to the SAPHostControl service
• [EASAI-NA-13] Unauthorized access to the Message Server service
• [EASAI-NA-14] Unauthorized access to the Oracle database

What next: The full list of SAP services can be found in the document "TCP/IP Ports Used by SAP Applications". You should also take care of 3rd-party services which can be enabled on this server.

Insecure configuration

• [EASAI-NA-15] Minimum password length
• [EASAI-NA-16] User locking policy
• [EASAI-NA-17] Password compliance with current standards
• [EASAI-NA-18] Access control to RFC (reginfo.dat)
• [EASAI-NA-19] Access control to RFC (secinfo.dat)

What next: First of all you can look at the "Secure Configuration of SAP NetWeaver® Application Server Using ABAP" document for detailed configuration checks. Afterwards you can go through the detailed documents for each and every SAP service and module: http://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
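The checks on this slide can be scripted against exported configuration. The Python below is an added example (not ERPScan's or SAP's code) that reads a constructed instance-profile fragment for the password-length and user-locking parameters (login/min_password_lng and login/fails_to_user_lock) and constructed version-2 reginfo/secinfo files, flagging permit rules that wildcard every relevant field. The thresholds, the decision to treat a missing field as a wildcard, and all sample values are assumptions made for the example.

```python
"""Rapid checks for EASAI-NA-15/16/18/19 over exported SAP configuration.

Added example, not ERPScan or SAP code. Thresholds and the sample inputs below are
constructed for illustration; adjust them to your own policy.
"""
import re

MIN_PASSWORD_LENGTH = 8   # assumption: policy minimum for login/min_password_lng
MAX_FAILS_TO_LOCK = 5     # assumption: login/fails_to_user_lock must be 1..5

ACL_LINE = re.compile(r"^([PD])\s+(.*)$")  # version-2 reginfo/secinfo: P(ermit)/D(eny) + KEY=value fields


def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile into a dict; '#' comments are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def check_password_policy(params):
    """EASAI-NA-15/16: minimum password length and user locking after failed logons."""
    findings = []
    raw = params.get("login/min_password_lng")
    if raw is None or int(raw) < MIN_PASSWORD_LENGTH:
        findings.append(("EASAI-NA-15", f"login/min_password_lng is {raw!r}, expected >= {MIN_PASSWORD_LENGTH}"))
    raw = params.get("login/fails_to_user_lock")
    if raw is None or not 1 <= int(raw) <= MAX_FAILS_TO_LOCK:
        findings.append(("EASAI-NA-16", f"login/fails_to_user_lock is {raw!r}, expected 1..{MAX_FAILS_TO_LOCK}"))
    return findings


def parse_acl(text):
    """Parse version-2 reginfo/secinfo lines into (action, {KEY: value}) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        match = ACL_LINE.match(line)
        if not line or line.startswith("#") or not match:
            continue
        action, rest = match.groups()
        fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        rules.append((action, fields))
    return rules


def wildcard_permits(rules, keys):
    """Permit rules where every key in `keys` is '*'. A missing key is counted as a wildcard
    (assumption: conservative, so an incomplete rule is flagged rather than trusted)."""
    return [fields for action, fields in rules
            if action == "P" and all(fields.get(k, "*") == "*" for k in keys)]


# Constructed samples: a weak profile and ACLs that permit any program from any host.
SAMPLE_PROFILE = """\
# constructed instance profile fragment
login/min_password_lng = 6
login/fails_to_user_lock = 0
"""
SAMPLE_REGINFO = """\
#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=sapxpg HOST=app01.example.internal ACCESS=internal CANCEL=internal
"""
SAMPLE_SECINFO = """\
#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
D TP=* USER=* HOST=* USER-HOST=*
"""


def run_checks(profile=SAMPLE_PROFILE, reginfo=SAMPLE_REGINFO, secinfo=SAMPLE_SECINFO):
    """Return a list of (check id, message) findings for the supplied configuration."""
    findings = check_password_policy(parse_profile(profile))
    for rule in wildcard_permits(parse_acl(reginfo), ("TP", "HOST")):
        findings.append(("EASAI-NA-18", f"reginfo permits registration of any program from any host: {rule}"))
    for rule in wildcard_permits(parse_acl(secinfo), ("TP", "USER", "HOST")):
        findings.append(("EASAI-NA-19", f"secinfo permits any user to start any program from any host: {rule}"))
    return findings


if __name__ == "__main__":
    for check_id, message in run_checks():
        print(check_id, message)
```

A deny rule with the same wildcards (the final `D` line in the sample) is the usual closing rule and is deliberately not reported; only `P` rules are examined.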

Access control and SOD conflicts

• [EASAI-NA-20] Users with the SAP_ALL profile
• [EASAI-NA-21] Users who can run any program
• [EASAI-NA-22] Users who can modify the critical table USR02
• [EASAI-NA-23] Users who can execute any OS command
• [EASAI-NA-24] Disabled authorization checks

What next: There are at least about 100 critical transactions in BASIS alone and approximately the same number in each other module. Detailed information can be found in the ISACA guidelines. After that you can start with Segregation of Duties.

Unencrypted connections

• [EASAI-NA-25] Use of SSL for securing HTTP connections
• [EASAI-NA-26] Use of SNC for securing SAP GUI connections
• [EASAI-NA-27] Use of SNC for securing RFC connections

What next: Even if you use encryption you should check how it is configured for every type of encryption and for every service, because each encryption type has its own complex configuration. For example, the latest attacks on SSL, like BEAST and CRIME, require companies to use a more complex SSL configuration.

Insecure trusted connections

• [EASAI-NA-28] RFC connections with stored authentication data
• [EASAI-NA-29] Trusted systems with lower security

What next: Check other ways to get access to trusted systems, such as database links, use of the same OS user, or simply use of the same passwords for different systems.

Logging and Monitoring

• [EASAI-NA-30] Logging of security events
• [EASAI-NA-31] Logging of HTTP requests
• [EASAI-NA-32] Logging of table changes
• [EASAI-NA-33] Logging of access to the Gateway

What next: There are about 30 different types of log files in SAP. After properly enabling the main ones, the next step is to properly configure the complex options, such as exactly which tables to monitor for changes, what kinds of events to analyze in the security events log, what types of Gateway attacks should be collected, and so on. The step after that is to enable centralized collection and storage of these logs and then add the other log events.

SAP Security Guidelines

• Guidelines made by SAP
• First official SAP guide for technical security of the ABAP stack
• "Secure Configuration of SAP NetWeaver® Application Server Using ABAP"
• First version – 2010, version 1.2 – 2012
• For rapid assessment of the most common technical misconfigurations in the platform
• Consists of 9 areas and 82 checks
• Ideal as a second step; gives more details on some of the EAS-SEC standard areas

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true

SAP Security Guidelines

• Network access control
• Workstation security
• Password policies
• Network security
• HTTP security
• Unnecessary web applications
• RFC connections
• SAP Gateway security
• SAP Message Server security

ISACA Assurance (ITAF)

• Guidelines made by ISACA
• Checks cover the configuration and access control areas
• The first and most complete compliance guide
• 3 versions were published, in 2002, 2006 and 2009 (some areas are outdated)
• The technical part is covered less than access control and misses critical areas
• Its biggest advantage is a big database of access control checks
• Consists of 4 parts and about 160 checks
• Ideal as a third step and for detailed coverage of access control

DSAG

• Set of recommendations from the Deutsche SAP Users Group (DSAG)
• Checks cover all security areas, from technical configuration and source code to access control and management procedures
• Currently the biggest guideline on SAP security
• Last version in Jan 2011
• Consists of 8 areas and 200+ checks
• Ideal as a final step for securing SAP, but consists of many checks which need additional decision making that highly depends on the installation

http://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf

SAP Security

3. Internal security and SOD

Internal security

• Simple steps and statistics
• Critical access
• Segregation of Duties
• Optimization and maintenance

Simple steps

• Analyze statistics
– Number of users in a role
  o 0 – the role is not used
  o >100 – probably divide it into different roles and check for critical authorizations
– Number of authorizations in a role
– Number of authorization objects in a role

Critical access

• There are different areas such as HR, Basis, Fixed Assets, Materials Management
• Each of those areas has its list of critical transactions and authorizations
• Those can be found in the ISACA guidelines
• First of all you should decrease the number of critical roles
• For example, users who can only modify table USR02 can do everything they want!

Example of actions and transactions

[Slide contains an image only]

Critical access optimization

• Obtain the list of roles with critical access to particular transactions
• Minimize roles
• Obtain the list of users with critical access to particular transactions
• Sort them by type/locking status/etc.
• Exclude administrators and superusers (and minimize them)
• Minimize users

SOD analysis

• Use default templates or customize them
• Obtain the list of business roles in the company
• Obtain the list of actions in a particular role
• Assign transactions and authorization objects to each action
• Create or modify the matrix (add risk values)

Business roles and actions

[Slide contains an image only]

Risk values

[Slide contains an image only]

SOD – results analysis

• Result:
– List of users with critical conflicts
– List of roles with critical conflicts
• Solving:
– Obtain the roles with the maximum number of segregation conflicts
– Optimize them
– Obtain the users with the maximum number of segregation conflicts
– Optimize them

Optimization

• You will get thousands of conflicts the first time
• How to solve them quickly:
– Exclude all administrators
– Look at HOW exactly rights are assigned (all * values should be excluded)
– Look at the history of executed transactions
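The procedure from the preceding slides (role statistics, critical access, the SOD matrix with risk values, and the quick-win filters on this slide: exclude administrators, treat * values separately) as one added worked example in Python. It is not ERPScan code; the roles, users, transaction codes, business actions and risk values are constructed for illustration and stand in for an export of the real role data.

```python
"""Role statistics, critical-access review and SOD conflict detection over role data.

Added example, not ERPScan code. All roles, users, transactions, actions and risk
values below are constructed; in practice they come from an export of the system.
"""
from collections import defaultdict
from itertools import combinations

# Constructed: role -> transaction codes it grants ('*' stands for a wildcard S_TCODE value)
ROLES = {
    "Z_FI_AP_INVOICE": {"FB60", "MIRO"},   # enter vendor invoices
    "Z_FI_AP_PAYMENT": {"F110"},           # run the payment program
    "Z_MM_VENDOR":     {"XK01", "XK02"},   # create / change vendor master
    "Z_BASIS_TABLES":  {"SE16", "SM30"},   # generic table maintenance (USR02 reachable)
    "Z_LEGACY_ALL":    {"*"},              # wildcard transaction access
    "Z_UNUSED":        {"MM01"},
}
# Constructed: user -> assigned roles
USERS = {
    "ADMIN01": {"Z_BASIS_TABLES", "Z_LEGACY_ALL"},
    "CLERK01": {"Z_FI_AP_INVOICE"},
    "CLERK02": {"Z_FI_AP_INVOICE", "Z_FI_AP_PAYMENT"},
    "BUYER01": {"Z_MM_VENDOR", "Z_FI_AP_INVOICE"},
    "DEV01":   {"Z_LEGACY_ALL"},
}
ADMINISTRATORS = {"ADMIN01"}            # reviewed separately, as the slide suggests

# Constructed: business actions -> transactions, and the SOD matrix with risk values
ACTIONS = {
    "maintain_vendor": {"XK01", "XK02"},
    "enter_invoice":   {"FB60", "MIRO"},
    "run_payments":    {"F110"},
    "maintain_tables": {"SE16", "SM30"},
}
SOD_MATRIX = {
    frozenset({"maintain_vendor", "enter_invoice"}): "High",
    frozenset({"enter_invoice", "run_payments"}):    "High",
    frozenset({"maintain_vendor", "run_payments"}):  "Medium",
}
CRITICAL_TCODES = {"SE16", "SM30", "F110"}  # constructed "critical transactions" list


def role_statistics(users=USERS, roles=ROLES, big_role=100):
    """'Simple steps': roles with 0 users and roles with more than big_role users."""
    count = defaultdict(int)
    for assigned in users.values():
        for role in assigned:
            count[role] += 1
    unused = sorted(r for r in roles if count[r] == 0)
    oversized = sorted(r for r in roles if count[r] > big_role)
    return unused, oversized


def wildcard_roles(roles=ROLES):
    """Roles granting '*' must be fixed first; they make every other check meaningless."""
    return sorted(r for r, tcodes in roles.items() if "*" in tcodes)


def user_tcodes(user, users=USERS, roles=ROLES):
    """Union of transaction codes over all of the user's roles."""
    return set().union(*(roles[r] for r in users[user]))


def critical_access(users=USERS, roles=ROLES, critical=CRITICAL_TCODES, admins=ADMINISTRATORS):
    """Non-admin users who can run a critical transaction (or hold a wildcard)."""
    result = {}
    for user in users:
        if user in admins:
            continue
        codes = user_tcodes(user, users, roles)
        hits = ["*"] if "*" in codes else sorted(critical & codes)
        if hits:
            result[user] = hits
    return result


def user_actions(user, users=USERS, roles=ROLES, actions=ACTIONS):
    """Business actions a user can perform, given the action -> transaction mapping."""
    codes = user_tcodes(user, users, roles)
    return {a for a, tcodes in actions.items() if "*" in codes or tcodes & codes}


def sod_conflicts(users=USERS, roles=ROLES, actions=ACTIONS, matrix=SOD_MATRIX, admins=ADMINISTRATORS):
    """(user, action_a, action_b, risk) for every matrix conflict a non-admin user holds alone."""
    conflicts = []
    for user in sorted(users):
        if user in admins:
            continue
        held = user_actions(user, users, roles, actions)
        for a, b in combinations(sorted(held), 2):
            risk = matrix.get(frozenset({a, b}))
            if risk:
                conflicts.append((user, a, b, risk))
    return conflicts


if __name__ == "__main__":
    print("unused / oversized roles:", role_statistics())
    print("wildcard roles:", wildcard_roles())
    print("critical access:", critical_access())
    for row in sod_conflicts():
        print("SOD conflict:", row)
```

Running it on the constructed data shows the pattern the slides describe: the wildcard role produces most of the conflicts for a single user (DEV01), so removing it resolves more findings than touching any business role, and the administrator is reported nowhere because the slide's first filter excludes administrators from the conflict list.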

SAP Security

4. ABAP source code review

ABAP

• ABAP, like any other language, can have vulnerabilities
• It can also be used for writing backdoors
• Development inside a company is almost without any control
• Developer access to a system == god in SAP

Source code review

• EASAD-9 standard from the series of standards designed for Enterprise Application Systems security assessment (EAS-SEC)
• Full name: Enterprise Application Systems Application Development
• Describes 9 areas of source code issues for business languages
• Universal categories for different languages and systems (SAP, Oracle, Dynamics, 1C, Infor, …)
• Categorized based on criticality and probability of exploitation

EASAD - 9 categories

1. Code injections
2. Critical calls
3. Missing authorization checks
4. Path traversal
5. Modification of displayed content
6. Backdoors
7. Covert channels
8. Information disclosure
9. Obsolete statements

SAP Security

5. Forensics

Anonymous Attack (?)

Now, it adds, "We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they..." Anonymous claims to have a "sweet 0day SAP exploit", and the group intends to "sploit the hell out of it."

• This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.

Internal fraud

• It is very hard to make everything secure, so you additionally need to monitor everything
• ACFE published a report about 7% revenue losses from fraud in the USA alone
• Examples that we saw:
– Salary modification
– Materials management fraud
– Mistakes

Backdoors in source code

[Slide contains an image only]

SAP Forensics

• Real threats exist
• But there is not much information in public
• Companies are not interested in publishing a compromise
• But the main problem is here:
– How can you be sure that there was no compromise?
– Only 10% of systems have the Security Audit Log enabled
– Only a few of them analyze those logs
– And far fewer do central storage and correlation

Log statistics

• Web access           70%
• Security Audit Log   10%
• Table logging         4%
• Message Server        2%
• SAP Gateway           2%

Log statistics

• SAP Web Dispatcher – security log
• SAP Web Dispatcher – HTTP log
• SAP Router log
• SAP Gateway log
• SAP Message Server log
• SAP Message Server HTTP log
• SAP Security Audit Log
• ABAP – user changes log
• ABAP – table changes log
• ABAP – document changes log
• Trace files

SAP Security Logs

Name                                 Default    Central storage
SAP Web Dispatcher – security log    Enabled    No
SAP Web Dispatcher – HTTP log        Disabled   No
SAP Router log                       Disabled   No
SAP Gateway log                      Disabled   No
SAP Message Server log               Disabled   No
SAP Message Server HTTP log          Disabled   No
SAP Security Audit Log               Disabled   CCMS?
ABAP user changes log                Enabled    No
ABAP table changes log               Disabled   No
ABAP document changes log            Disabled   No
Trace files                          Disabled   No
Developer trace                      Enabled    No

And also

We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.

web: www.erpscan.com, www.dsecrg.com
e-mail: [email protected], [email protected]