Embed Size (px)
Citation preview
Invest in security to secure investments
What CISO’s should know about SAP Security
Alexander Polyakov CTO ERPScan
Agenda
• SAP: Intro • SAP security vulnerabiliAes • SAP security myths • Demo • Problem • SoluAon • Sap security in figures report • Future trends and predicAons • Conclusions
2
Business applica0on security
All business processes are generally contained in ERP systems. Any informaAon an aJacker, be it a cybercriminal, industrial spy
or compeAtor, might want is stored in the company’s ERP. This informaAon can include financial, customer or public
relaAons, intellectual property, personally idenAfiable informaAon and more. Industrial espionage, sabotage and fraud or insider
embezzlement may be very effecAve if targeted at the vicAm’s ERP system and cause significant damage to the business.
3
SAP
• The most popular business applicaAon • More than 248000 customers worldwide • 86% of Forbes 500 run SAP
4
Business applica0on security
• Complexity Complexity kills security. Many different vulnerabiliAes in all levels, from network to applicaAon
• Customiza0on Cannot be installed out of the box. They have many (up to 50%) custom codes and business logic
• Risky Rarely updated because administrators are scared they can be broken during updates; also, it is downAme
• Unknown Mostly available inside the company (closed world)
hJp://erpscan.com/wp-‐content/uploads/pres/ForgoJen%20World%20-‐%20Corporate%20Business%20ApplicaAon%20Systems%20Whitepaper.pdf
5
Why security?
• Espionage – Stealing financial informaAon – Stealing corporate secrets – Stealing supplier and customer lists – Stealing HR data
• Sabotage – Denial of service – ModificaAon of financial reports – Access to technology network (SCADA) by trust relaAons
• Fraud – False transacAons – ModificaAon of master data
6
SAP Security Problems
7
Myth 1: Business applicaAons are only available internally what means no threat from the Internet
Myth 2: ERP security is a vendor’s problem
Myth 3: Business applicaAon internals are very specific and are not known for hackers
Myth 4 ERP security is all about SOD
Myth 1
Current point of view This myth is popular for internal corporate systems and people think that these
systems are only available internally
Real life Yes maybe at the mainframe era you can use SAP only internally but not
now in the era of global communicaAons. You need connecAon with • Another offices
• Customers and suppliers
• For SAP systems you need connecAon with SAP network
8
Even if you do not have direct connec8on there are user worksta8ons connected to the internet
Myth 1
9
Myth 2
10
Vendor is NOT responsible for any damage within the vulnerabili8es in their products
Myth 2
• Vendor problems – Program errors
– Architecture errors
• User problems – ImplementaAon architecture errors
– Defaults and misconfiguraAons
– Human factor
– Patch management
– Policies and procedures
11
Even if so>ware is secure it should be securely implemented
Myth 3
Current point of view Business applica8on internals are very specific and are not known for hackers
Real life:
• Popular products “reviewed” by hackers, and thus more secure
• Business applicaAons became more and more popular on the Internet
• And also popular for hackers and researchers • Unfortunately, their security level is sAll like 3-‐5 years ago • Now they look as a defenseless child in a big city
12
Myth 4
Current point of view: Many people especially ERP people think that security is all about SOD
Real life:
• Making AD access control don't give you secure infrastructure
• Buying new engine for car every year will not help you if you simply puncture a wheel
• And also remind Sachar Paulus interview that says: “other threat comes from people connec6ng their ERP systems to the Internet”
13
Myth 4
14
ERP system with secure SOD and nothing else it is much of spending all money on video systems, biometric access control
and leaving the back door open for housekeepers
SAP Security
15
DEMO 1
SAP Security
16
Problem
• How to protect ourselves from fraud and cyber-‐acAviAes? • How to automate security checks for big landscapes? • How to decrease costs? • How to prioriAze updates?
SAP Security Problems
17
18
0
5
10
15
20
25
30
35
2006 2007 2008 2009 2010 2011 2012
Most popular: • BlackHat • HITB • Troopers • RSA • Source • DeepSec • etc.
SAP Security talks
2007 – Architecture vulnerabiliAes in RFC protocol
2008 – AJacks via SAPGUI
2009 – SAP backdoors
2010 – AJacks via SAP WEB applicaAons
2010 – Stuxnet for SAP
2011 – Architecture and program vulnerabiliAes in ABAP and J2EE
2012 – VulnerabiliAes in SAP soluAons (SolMan ,Portal, XI), Services (Dispatcher, Message Server ) and Protocols (XML , DIAG)
2013 – SAP Forensics and AnA-‐forensics
19
How to get this informa0on?
ISACA Assurance (ITAFF)
20
0
100
200
300
400
500
600
700
800
900
2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
By January, 2013, a total of 2520 notes
Only one vulnerability is enough to get access to ALL business-‐cri8cal DATA
SAP Security notes
21
Disclosed vulnerabili0es
22
Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”
• * This aJack has not been confirmed by the customer nor by the police authoriAes in Greece invesAgaAng the case. SAP does not have any indicaAon that it happened.
And…
SAP Security
23
Solu8ons
24
• Business logic security (SOD) Prevents aKacks or mistakes made by insiders • SoluAon: GRC 2002 • ABAP Code security Prevents aKacks or mistakes made by developers SoluAon: Code audit 2008 • Applica6on pla=orm security • Prevents unauthorized access both within corporate network and from remote aKackers • Solu6on?
2010
• Forensics • What if missed something on listed areas? 2013
First of all chose one that you want
• EAS-‐SEC • SAP NetWeaver ABAP Security configuraAon
• ISACA (ITAF) • DSAG
25
Compliance
• Guidelines made by SAP • First official SAP guide for technical security od ABAP stack • Secure ConfiguraAon of SAP NetWeaver® ApplicaAon Server
Using ABAP • First version -‐ 2010 year, version 1.2 – 2012 year • For rapid assessment of most common technical
misconfiguraAons in plarorm • Consists of 9 areas and 82 checks • Ideas as a second step and give more details to some of EAS-‐SEC
standard areas
26
SAP Security Guidelines
• Network access control • WorkstaAon security
• Password apolicies • Network security • HTTP security • Unnecessary web-‐applicaAons • RFC-‐connecAons • SAP Gateway security • SAP Message Server security
27
SAP Security Guidelines
• Guidelines made by ISACA
• Checks cover configuraAon and access control areas • First most full compliance
• There were 3 versions published in 2002 2006 2009 (some areas are outdated )
• Technical part covered less than access control and miss criAcal areas
• Most advantage is a big database of access control checks
• Consists of 4 parts and about 160 checks • Ideal as a third step and detailed coverage of access control
28
ISACA Assurance (ITAFF)
• Set of recommendaAons from Deutsche SAP Uses Group
• Checks cover all security areas from technical configuraAon and source code to access control and management procedures
• Currently biggest guideline about SAP Security • Last version in Jan 2011 • Consists of 8 areas and 200+ checks • Ideal as a final step for securing SAP but consists of many checks
which neds addiAonal decision making which is highly depends on installaAon.
hJp://www.dsag.de/fileadmin/media/Leiraeden/110818_Leiraden_Datenschutz_Englisch_final.pdf
29
DSAG
Enterprise Applica8on Systems Applica8on Implementa8on – NetWeaver ABAP
• Developed by ERPScan: First standard of series EAS-‐SEC • Will be published in September
• Rapid assessment of SAP security in 9 areas
• Contains 33 most criAcal checks
• Ideal as a first step • Also contain informaAon for next steps
• Categorized by priority and criAcality
30
EAS-‐SEC for NetWeaver (EASAI-‐NA)
31
EASAI-‐NA Access CriAcality Easy to
exploit % of vulnerable systems
1. Lack of patch management Anonymous High High 99%
2. Default Passwords for applicaAon access Anonymous High High 95%
3. Unnecessary enabled funcAonality Anonymous High High 90%
4. Open remote management interfaces Anonymous High Medium 90%
5. Insecure configuraAon Anonymous Medium Medium 90%
6. Unencrypted communicaAon Anonymous Medium Medium 80%
7. Access control and SOD User High Medium 99%
8. Insecure trust relaAons User High Medium 80%
9. Logging and Monitoring Administrator High Medium 98%
EASAI-‐NA-‐2013
SAP Security
32
SAP Security in Figures 2013
Security notes by year
33
0
100
200
300
400
500
600
700
800
900
2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
More than 2600 in total
Security notes by cri0cality
34
0
20
40
60
80
100
2012 2011 2010 2009
High priority vulnerabili0es
0
2
4
6
8
10
12
2012 2011 2010 2009
Low priority vulnerabili0es
0 200 400 600 800 1000 1200 1400 1600 1800 2000
1 -‐ HotNews
2 -‐ CorrecAon with high priority
3 -‐ CorrecAon with medium priority
4 -‐ CorrecAon with low priority
6 -‐ RecommendaAons/addiAonal info
By the end of April 2013
Security notes by type
35
25%
22%
20%
9%
7%
5%
4% 4%
3% 1%
Top 10 vulnerabili0es by type
1 -‐ XSS
2 -‐ Missing authorisaAon check
3 -‐ Directory traversal
4 -‐ SQL InjecAon
5 -‐ InformaAon disclosure
Acknowledgments
Number of vulnerabiliAes found by external researchers: • 2010 -‐ 58 • 2011 -‐ 107 • 2012 -‐ 89 • 2013 -‐ 52
The record of vulnerabili8es found by external researchers was
cracked in January 2013: 76%
36
0
10
20
30
40
50
60
70
2010 2011 2012 2013
Percentage of vulnerabili0es found by external researchers:
Acknowledgments
• More interest from other companies * Number of vulnerabili8es that were sent to SAP but were
rejected because they were already found before by other company of SAP internal code review.
37
0
1
2
3
4
5
6
7
2010 2011 2012
Number of already patched issues per year
SAP security talks at conferences
38
0
5
10
15
20
25
30
35
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
Talks about:
• Common: SAP Backdoors, SAP Rootkits, SAP Forensics • Services: SAP Gateway, SAP Router, SAP NetWeaver, SAP GUI,
SAP Portal, SAP SoluAon Manager, SAP TMS, SAP Management Console, SAP ICM/ITS
• Protocols: DIAG, RFC, SOAP (MMC), Message Server, P4 • Languages: ABAP Buffer Overflow, ABAP SQL InjecAon, J2EE
Verb Tampering, J2EE Invoker Servlet • Overview: SAP Cyber-‐aJacks, Top 10 InteresAng Issues, Myths
about ERP
39
Almost all every part of SAP was hacked
Top 5 SAP vulnerabili0es 2012
1. SAP NetWeaver DilbertMsg servlet SSRF (June) 2. SAP HostControl command injecAon (May) 3. SAP SDM Agent command injecAon (November) 4. SAP Message Server buffer overflow (February) 5. SAP DIAG buffer overflow (May)
40
SAP NetWeaver DilbertMsg servlet SSRF
41
Espionage: Cri0cal Sabotage: CriAcal Fraud: Medium Availability: Anonymously through the Internet Ease of exploitaAon: Medium Future impact: High (New type of aJack) CVSSv2: 7.3 Advisory: hJp://erpscan.com/advisories/dsecrg-‐12-‐036-‐sap-‐xi-‐
authenAcaAon-‐bypass/
Patch: Sap Note 1707494
Authors: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)
SAP HostControl command injec0on
42
Espionage: Cri0cal
Sabotage: CriAcal
Fraud: CriAcal
Availability: Anonymously through the Internet
Ease of exploitaAon: Easy (a Metasploit module exists)
Future impact: Low (Single issue)
CVSSv2: 10
Advisory: hJp://www.contexAs.com/research/blog/sap-‐parameter-‐injecAon-‐no-‐space-‐arguments/
Patch: SAP note 1341333
Author: ContexAs
SAP J2EE file read/write
43
Espionage: Cri0cal
Sabotage: CriAcal
Fraud: CriAcal
Availability: Anonymously
Ease of exploitaAon: Medium
Future impact: Low
CVSSv2: 10
Advisory: hJps://service.sap.com/sap/support/notes/1682613
Patch: SAP Note 1682613
Author: Juan Pablo
SAP Message Server buffer overflow
44
Espionage: Cri0cal
Sabotage: CriAcal
Fraud: CriAcal
Availability: Anonymous
Ease of exploitaAon: Medium. Good knowledge of exploit wriAng for mulAple plarorms is necessary
CVSSv2: 10.0
Advisory: hJp://www.zerodayiniAaAve.com/advisories/ZDI-‐12-‐112/
Patch: SAP Notes 1649840 and 1649838
Author: MarAn Gallo
SAP DIAG Buffer overflow
45
Espionage: Cri0cal
Sabotage: CriAcal
Fraud: CriAcal
Availability: Low. Trace must be on
Ease of exploitaAon: Medium
CVSSv2: 9.3
Advisory: hJp://www.coresecurity.com/content/sap-‐netweaver-‐dispatcher-‐mulAple-‐vulnerabiliAes
Patch: SAP Note 1687910
Author: MarAn Gallo
SAP Security
46
SAP and Internet
SAP on the Internet
• Companies have SAP Portals, SAP SRMs, SAP CRMs remotely accessible
• Companies connect different offices (by SAP XI) • Companies are connected to SAP (through SAP Router) • SAP GUI users are connected to the Internet • Administrators open management interfaces to the Internet for
remote control
47
Almost all business applica8ons have web access now
Google search for web-‐based SAPs
• As a result of the scan, 695 unique servers with different SAP web applicaAons were found (14% more than in 2011)
• 22% of previously found services were deleted • 35% growth in the number of new services
48
Shodan scan
49
41%
34%
20%
6%
SAP NetWeaver J2EE
SAP NetWeaver ABAP
SAP Web ApplicaAon Server
Other (BusinessObjects,SAP HosAng, etc)
94% 72%
30%
-‐20%
-‐55%
-‐80%
-‐60%
-‐40%
-‐20%
0%
20%
40%
60%
80%
100%
120%
Growth by applica0on server
A total of 3741 server with different SAP web applica8ons were found
Internet Census 2012 scan
• Not so legal project by Carna Botnet • As the result 3326 IP’s with SAP Web applicaAons
50
NO SSL 32%
SSL 68%
SAP NetWeaver ABAP -‐ versions
• 7.3 growth by 250% • 7.2 growth by 70% • 7.0 loss by 22% • 6.4 loss by 45%
51
35%
23%
19%
11% 6% 5%
NetWeaver ABAP versions by popularity
7.0 EHP 0 (Nov 2005)
7.0 EHP 2 (Apr 2010)
7.0 EHP 1 (Oct 2008)
7.3 (Jun 2011)
6.2 (Dec 2003)
6.4 (Mar 2004)
The most popular release (35%, previously 45%) is s8ll NetWeaver 7.0, and it was released in 2005! But security is gecng beKer.
NetWeaver ABAP – informa0on disclosure
• InformaAon about the ABAP engine version can be easily found by reading an HTTP response
• Detailed info about the patch level can be obtained if the applicaAon server is not securely configured
• An aJacker can get informaAon from some pages like /sap/public/info
52
6% (was 59%) of servers s8ll have this issue
SAP NetWeaver ABAP – cri0cal services
• Execute dangerous RFC funcAons using HTTP requests • NetWeaver ABAP URL – /sap/bc/soap/rfc • There are several criAcal funcAons, such as:
- Read data from SAP tables - Create SAP users - Execute OS commands, Make financial transacAons, etc.
• By default, any user can have access to this interface and execute the RFC_PING command. So there are 2 main risks:
• If there is a default username and password, the aJacker can execute numerous dangerous RFC funcAons
• If a remote aJacker obtains any exisAng user credenAals, they can execute a denial of service aJack with a malformed XML packet
53
6% (was 40%) of ABAP systems on the Internet have SOAP RFC service
Preven0on
54
• Install SAP note 1394100 • Install SAP note 931252 • Disable applicaAons that are not necessary hJp://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-‐509d-‐2d10-‐6fa7-‐9d3608950fee?overridelayout=true
SAP NetWeaver J2EE -‐ versions
• 7.31 growth from 0 to 3% • 7.30 growth from 0 to 9% • 7.02 growth by 67% • 7.0 loss by 23% • 6.4 loss by 40%
55
44%
25%
10%
9% 9% 3%
NetWeaver JAVA versions by popularity
NetWeaver 7.00
NetWeaver 7.01
NetWeaver 7.02
NetWeaver 7.30
NetWeaver 6.40
NetWeaver 7.31
The most popular release (44%, previously 57%) is s8ll NetWeaver 7.0, and it was released in 2005!
But security is gecng beKer.
NetWeaver J2EE – informa0on disclosure
• InformaAon about the J2EE engine version can be easily found by reading an HTTP response.
• Detailed info about the patch level can be obtained if the applicaAon server is not securely configured and allows an aJacker to get informaAon from some pages: – /rep/build_info.jsp 26% (61% last year) – /bcb/bcbadmSystemInfo.jsp 1.5% (17% last year) – /AdapterFramework/version/version.jsp 2.7% (a new issue)
56
Preven0on
57
• Install SAP note 1503856 • Install SAP note 1548548 • Install SAP note 1679897 hJp://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-‐509d-‐2d10-‐6fa7-‐9d3608950fee?overridelayout=true
SAP NetWeaver J2EE – cri0cal services
• NetWeaver J2EE URL: /ctc/ConfigTool (and 30 others) • Can be exploited without authenAcaAon • There are several criAcal funcAons, such as:
• Create users • Assign a role to a user • Execute OS commands • Remotely turn J2EE Engine on and off
• Was presented by us at BlackHat 2011
58
It was found that 50% (was 61%) of J2EE systems on the Internet have the CTC service enabled
Preven0on
59
• Install SAP note 1589525
60
From Internet to Intranet
SAP Router
• Special applicaAon proxy • Transfers requests from Internet to SAP (and not only) • Can work through VPN or SNC • Almost every company uses it for connecAng to SAP to
download updates • Usually listens to port 3299 • Internet accessible (Approximately 5000 IP’s ) • hJp://www.easymarketplace.de/saprouter.php
61
Almost every third company have SAP router accessible from internet by default port.
SAP Router: known issues
• Absence of ACL – 15% – Possible to proxy any request to any internal address
• InformaAon disclosure about internal systems – 19% – Denial of service by specifying many connecAons to any of the listed SAP
servers – Proxy requests to internal network if there is absence of ACL
• Insecure configuraAon, authenAcaAon bypass – 5% • Heap corrupAon vulnerability
62
Port scan results
• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not • In 2011, we ran a global project to scan all of the Internet for
SAP services • It is not completely finished yet, but we have the results for the
top 1000 companies • We were shocked when we saw them first
63
Port scan results
64
0
5
10
15
20
25
30
35
SAP HostControl SAP Dispatcher SAP MMC SAP Message Server hJpd
SAP Message Server SAP Router
Exposed services 2011
Exposed services 2013
Listed services should not be accessible from the Internet
65
0
2
4
6
8
10
12
14
16
18
SAP Dispatcher SAP MMC SAP Message Server SAP HostControl SAP ITS Agate SAP Message Server hJpd
Exposed cri0cal SAP Services
Exposed services South Africa Ряд2
South Africa vs Average
• SAP HostControl is a service which allows remote control of SAP systems
• There are some funcAons that can be used remotely without authenAcaAon
• Issues: – Read developer traces with passwords – Remote command injecAon
• About every 120th (was 20th) company is vulnerable REMOTELY • About 35% assessed systems locally
66
SAP HostControl service
Preven0on
67
• Sap note 927637 - Web service authentication in sapstartsrv as of Release 7.00
• Sap note 1439348 - Extended security settings for sapstartsrv
• SAP MMC allows remote control of SAP systems • There are some funcAons that can be used remotely without
authenAcaAon • Issues:
– Read developer traces with passwords – Read logs with JsessionIDs – Read informaAon about parameters
• About every 40th (was 11th) company is vulnerable REMOTELY • About 80% systems locally
68
SAP Management console
SAP Message Server
• SAP Message Server – load balancer for App servers • Usually, this service is only available inside the company • By default, the server is installed on the 36NN port • Issue:
– Memory corrupAon – InformaAon disclose – Unauthorized service registraAon (MITM)
• About every 60th (was every 10th) company is vulnerable REMOTELY
• About 50% systems locally
69
SAP Message Server HTTP
• HTTP port of SAP Message Server • Usually, this service is only available inside the company • By default, the server is installed on the 81NN port • Issue: unauthorized read of profile parameters • About every 60th (was every 10th) company is vulnerable
REMOTELY • About 90% systems locally
70
Preven0on
71
• Install SAP note 916398
• SAP Dispatcher -‐ client-‐server communicaAons • It allows connecAng to SAP NetWeaver using the SAP GUI
applicaAon through DIAG protocol • Should not be available from the Internet in any way • Issues:
– There are a lot of default users that can be used to connect and fully compromise the system remotely
– Also, there are memory corrupAon vulnerabiliAes in Dispatcher
• About every 20th (was 6th) company is vulnerable REMOTELY
72
Sap Dispatcher service
Preven0on
73
• Install SAP note 1741793
But who actually tried to exploit it?
74
Alacks
• Exploit market interest – Companies like ZDI buy exploits for SAP – Only in 2012 ZDI publish 5 criAcal SAP issues – Companies who trade 0-‐days say that there is interest from both sides
• Anonymous aJacks • Insider aJacks
– Salary modificaAon – Material management fraud – Mistaken transacAons
• Evil subcontractors and ABAP backdoors
75
What has happened already?
• Autocad virus (Industrial espionage) – hJp://www.telegraph.co.uk/technology/news/9346734/Espionage-‐
virus-‐sent-‐blueprints-‐to-‐China.html
• Internet-‐Trading virus (Fraud) – Ranbys modificaAon for QUICK – hJp://www.welivesecurity.com/2012/12/19/win32spy-‐ranbyus-‐
modifying-‐java-‐code-‐in-‐rbs/
• News resources hacking (Sabotage) – hJp://www.bloomberg.com/news/2013-‐04-‐23/dow-‐jones-‐drops-‐
recovers-‐a�er-‐false-‐report-‐on-‐ap-‐twiJer-‐page.html
76
What can be
Just imagine what could be done by breaking: • One SAP system • All SAP Systems of a company • All SAP Systems on parAcular country • Everything
77
SAP strategy in app security
• Now security is the number 1 priority for SAP • Implemented own internal security process SDLC • Security summits for internal teams • Internal trainings with external researchers • Strong partnership with research companies • Investments in the automaAc and manual security assessment
of new and old so�ware
78
Future threads and predic0ons
• Old issues are being patched, but a lot of new systems have vulnerabiliAes
• Number of vulnerabiliAes per year going down compared to 2010, but they are more criAcal
• Number of companies who find issues in SAP is growing • SAll there are many uncovered areas in SAP security • SAP forensics can be a new research area because it is not easy
to find evidence now, even if it exists
79
Forensics as a new trend for 2013
• If there are no aJacks, it doesn’t mean anything • Companies don’t like to share informaAon about data
compromise • Companies don’t have ability to idenAfy aJack • Only 10% of systems use security audit at SAP • Only 2% of systems analyze them • Only 1% do correlaAon and deep analysis
* Based on the assessment of over 250 servers of companies that allowed us to share results
80
Forensics as a new trend for 2013
• ICM log icm/HTTP/logging_0 70% • Security audit log in ABAP 10% • Table access logging rec/client 4% • Message Server log ms/audit 2% • SAP Gateway access log 2%
* Based on the assessment of over 250 servers of companies that allowed us to share results.
81
SAP Security tools
82
* We did not compare the quality of the tools and their coverage. For example, SIEM capabiliAes for SAP can be found in many SIEM soluAons, but they cover 10% of all log file types. The same applies to Vulnerability assessment: we collected tools that have general scan capabiliAes including SAP as well as only SAP related. SAP checks in those tools can amount to 10 to 7000.
1
SoD 10+
VA and
configura0on monitoring
8
ABAP code security
3
SIEM 6
3
2
1 1
2
1 2 1
Conclusion
• -‐ The interest in SAP plarorm security has been growing exponenAally, and not only among whitehats
• + SAP security in default configuraAon is ge�ng much beJer now
• -‐ SAP systems can become a target not only for direct aJacks (for example APT) but also for mass exploitaAon
• + SAP invests money and resources in security, provides guidelines, and arranges conferences
• -‐ unfortunately, SAP users sAll pay liJle aJenAon to SAP security
• + I hope that this talk and the report that will be published next month will prove useful in this area
83
Conclusion
Issues are everywhere but the risks and price for miAgaAon are different
84
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working close with SAP to keep customers secure
SAP guides
It’s all in your hands
Regular security assessments
ABAP code review
Monitoring technical security
Segrega0on of du0es
85
I'd like to thank SAP's Product Security Response Team for the great coopera8on to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new aKacks and demos, follow us at @erpscan and aKend future presenta8ons:
• Tomorrow! • September 21 HackerHalted Conference (Atlanta, USA) • October 7-‐8 HackerHalted Conference (Reykjavik, Iceland) • October 30-‐31 RSA Europe (Amsterdam, Netherlands) • November 7-‐8 ZeroNights (Moscow, Russia)
Future work
86
