Preventing Cyber Attacks: How to Address 11 Risks That Could Leave Your SAP System Vulnerable

Mariano Nunez
Onapsis

© Copyright 2013 Wellesley Information Services, Inc. All rights reserved.
What We’ll Cover …

•   Introduction
•   Why Segregation of Duties is not enough
•   11 risks that could render your platform vulnerable
•   From the trenches – The current state of SAP security
•   Protecting our SAP platform
•   Wrap-up

Cyber Attacks on SAP Systems: Why?

•   In 2012, cybercrime costs rose nearly 40 percent and attack frequency doubled (Ponemon Institute)
    -   Industrial espionage
    -   State-sponsored attacks

•   Why would someone attack our ERP platform?
    -   It runs our business-critical processes
    -   It stores our most sensitive information
    -   Our organization is highly dependent on it

•   Therefore, by their nature, ERP platforms are the perfect target for espionage, sabotage, and financial fraud attacks

Espionage, Sabotage, and Financial Fraud

•   Espionage
    -   How much would the information stored in our SAP systems be worth to our biggest competitor?

•   Sabotage
    -   How much money would we lose if our SAP system is taken offline continuously, for several hours or even days?

•   Financial fraud
    -   What would be the economic impact if someone is able to manipulate all our financial information and processes without any kind of restrictions or controls?

Common (Dangerous) Misconceptions

•   “Our SAP system is only accessible internally (trusted networks)”
    -   We had better check! Attackers can find SAP systems online using simple Google queries and public search engines:

        [Screenshots of two public search-engine queries for SAP systems, returning 63,100 and 4,470 results]

    -   The Internet is NOT the only untrusted network!
        -   Outsourced contractors doing remote SAP administration
        -   Our own end-user network! (Malicious employees, spear-phishing attacks, etc.)

Common (Dangerous) Misconceptions (cont.)

•   “Our SAP system has never been hacked”
    -   Can we really be sure?
        -   Do we have the Security Audit Log enabled?
        -   Do we have all the “other” logs enabled?
        -   If so, are we reviewing them periodically?

•   “SAP systems are intrinsically insecure/secure”
    -   SAP systems are no different than any other software
    -   Most of the most commonly found security gaps could be mitigated if customers followed the SAP security guidelines and implemented SAP Security Notes promptly

Common (Dangerous) Misconceptions (cont.)

•   “We only need to audit/secure our Production systems”
    -   “A chain is as strong as its weakest link”
    -   Think like an attacker: How would you try to break in?
        -   Go after the usually-audited, probably-more-secure Production system? OR …
        -   Break into a Development environment, and then “jump to” Production (shared passwords, RFC pivoting, etc.)?

Common (Dangerous) Misconceptions (cont.)

•   “The risk of our SAP system being attacked is low”
    -   We are not fighting against “script kiddies,” but malicious organizations with vast resources and capabilities
    -   Information about SAP vulnerabilities has been in the public domain for 10+ years!

Common (Dangerous) Misconceptions (cont.)

•   “The risk of our SAP system being attacked is low” (cont.)
    -   In October 2012, hacktivist group Anonymous claimed intent to exploit SAP systems
        -   It was the first time this kind of news hit the headlines
        -   Anonymous claimed to have broken into the Greek Ministry of Finance (to be confirmed) and mentioned:

            “We have new guns in our arsenal. A sweet 0day SAP exploit is in our hands and oh boy we’re gonna sploit the hell out of it.”

Towards a Holistic SAP Security Approach

•   For several years, “SAP Security” was used as a synonym for “Segregation of Duties controls” (a.k.a., user roles and profiles)
    -   Auditing & enforcing SoD controls is a critical piece of the SAP platform’s security. The only problem is that it is not enough.

•   An SAP system can be divided into several layers:
    -   SAP Solution: SAP Business Logic, SAP Application Layer
    -   Base Infrastructure: Database, Operating System

The SAP Application Layer

•   SoD controls only protect the Business Logic layer!

•   The SAP Application Layer (SAP NetWeaver®/BASIS) is critical, and has been traditionally overlooked
    -   Handles critical tasks and components such as authentication, authorization, interfacing, audit logging, etc.

    Successful attacks on this layer would result in a complete compromise of the SAP system (SAP_ALL or equivalent)

The Evolution of SAP Security Notes

•   Vulnerabilities discovered in SAP applications are patched by SAP and released to customers as SAP Security Notes
•   Each Security Note solves one or more vulnerabilities

    [Chart: SAP Security Notes per year]

    In September 2010, SAP started releasing Security Notes periodically (2nd Tuesday of every month)

Anatomy of an SoD Violation Attack

    Attack chain (diagram): 3 - Access with valid SAP user → 4 - High privileges obtained → 5 - Access to sensitive info/process

•   Context:
    -   Attacker needs a valid user account
    -   This user must have high privileges
    -   Probability of detection: Med-High

Anatomy of an SAP Application Layer Attack

    Attack chain (diagram): 1 - Vulnerability identified → 2 - Vulnerability exploited → 4 - High privileges obtained → 5 - Access to sensitive info/process

•   Context:
    -   Exploitation usually does not require a valid user account (anonymous!)
    -   Usually exploitation → high privileges obtained directly
    -   Probability of detection: Low

The BIZEC TEC/11

•   BIZEC is a non-profit organization with the mission of analyzing current and future threats affecting ERP systems
•   Current initiatives covering SAP solutions:
    -   APP/11: The most common ABAP security issues
    -   TEC/11: The most common SAP Application Layer security issues

•   In this presentation, we will cover BIZEC TEC/11

11 Risks Affecting the SAP Application Layer

•   BIZEC TEC-01: MISSING SAP SECURITY NOTES
    -   Risk: The SAP platform is running on technological components whose versions are affected by reported security vulnerabilities, and the respective SAP Security Notes have not been applied
    -   Business Impact: Attackers would be able to exploit reported security vulnerabilities and perform unauthorized activities over the business information processed by the affected SAP system

11 Risks Affecting the SAP Application Layer (cont.)

•   BIZEC TEC-02: STANDARD USERS WITH DEFAULT PASSWORDS
    -   Risk: Users created automatically during the SAP system installation, or other administrative procedures, are configured with default, publicly-known passwords
    -   Business Impact: Attackers would be able to log in to the affected SAP system using a standard SAP user account. As these accounts are usually highly privileged, the business information would be exposed to espionage, sabotage, and fraud attacks.

11 Risks Affecting the SAP Application Layer (cont.)

•   BIZEC TEC-03: DANGEROUS SAP WEB APPLICATIONS
    -   Risk: The SAP Application Server is providing Web applications with reported security vulnerabilities or sensitive functionality (XSS, SQL Injection, Invoker Servlet detour, Verb Tampering, XXE Tunneling, etc.)
    -   Business Impact: Attackers would be able to exploit vulnerabilities in such Web applications, enabling them to perform unauthorized activities over the business information processed by the affected SAP system

11 Risks Affecting the SAP Application Layer (cont.)

•   BIZEC TEC-04: UNSECURED SAP GATEWAY
    -   Risk: The SAP Application Server’s Gateway is not restricting the starting, registration, or cancellation of external RFC servers
    -   Business Impact: Attackers would be able to obtain full control of the SAP system. Furthermore, they would be able to intercept and manipulate interfaces used for transmitting sensitive business information.

11 Risks Affecting the SAP Application Layer (cont.)

•   BIZEC TEC-05: UNSECURED SAP/ORACLE AUTHENTICATION
    -   Risk: The SAP ABAP Application Server authenticates to the Oracle database through the external OS authentication scheme, and the Oracle listener has not been secured
    -   Business Impact: Attackers would be able to obtain full control of the affected SAP system’s database, enabling them to create, visualize, modify and/or delete any business information processed by the system

11 Risks Affecting the SAP Application Layer (cont.)

•   BIZEC TEC-06: INSECURE RFC INTERFACES
    -   Risk: The SAP environment is using insecure RFC connections from systems of a lower security-classification level to systems with higher security-classification levels
    -   Business Impact: Attackers would be able to perform RFC pivoting attacks by first compromising an SAP system with low security classification and, subsequently, abusing insecure interfaces to compromise SAP systems with higher security-classification levels (i.e., from DEV → PRD)

11 Risks Affecting the SAP Application Layer (cont.)

•   BIZEC TEC-07: UNSECURED SAP MESSAGE SERVER
    -   Risk: The SAP System’s Message Server is not restricting the registration of SAP Application Servers, therefore allowing access to unauthorized systems
    -   Business Impact: Attackers would be able to register malicious SAP Application Servers and perform man-in-the-middle attacks, being able to obtain valid user access credentials and sensitive business information. Attacks against user workstations would also be possible.

11 Risks Affecting the SAP Application Layer (cont.)

•   BIZEC TEC-08: INSECURE SAP ADMINISTRATION AND MONITORING SERVICES
    -   Risk: The SAP platform is not protected against unauthorized access to sensitive administration or monitoring services, such as the SAP Management Console, the P4 interface, SDM, Solution Manager, Transport Management System, etc.
    -   Business Impact: Attackers would be able to access administration or monitoring services and perform unauthorized activities over the affected SAP systems, possibly leading to espionage and/or sabotage attacks

11 Risks Affecting the SAP Application Layer (cont.)

•   BIZEC TEC-09: INSECURE SAP NETWORK FILTERING
    -   Risk: The SAP platform network is not properly isolated from untrusted networks, both external and internal, and intrusion detection/prevention systems have not been implemented
    -   Business Impact: Attackers would be able to access sensitive SAP network services and possibly exploit vulnerabilities and unsafe configurations in them, leading to the execution of unauthorized activities over the affected SAP platform

11 Risks Affecting the SAP Application Layer (cont.)

•   BIZEC TEC-10: INSECURE SAPROUTER IMPLEMENTATION
    -   Risk: The SAProuter Route Permission Table is not properly configured to allow connections only from/to authorized systems, the use of native protocols is not restricted, and/or logging features are not properly configured
    -   Business Impact: Attackers would be able to access SAP and non-SAP systems from untrusted networks, potentially launching attacks against the reachable systems

11 Risks Affecting the SAP Application Layer (cont.)

•   BIZEC TEC-11: UNENCRYPTED COMMUNICATIONS
    -   Risk: The confidentiality and integrity of communications in the SAP landscape is not enforced. These communications comprise SAP-to-SAP connections as well as interactions between SAP servers and external systems, such as user workstations and third-party systems.
    -   Business Impact: Attackers would be able to access sensitive technical and business information being transferred to/from the SAP environment

From the Trenches

•   It is critical to provide innovative solutions that help customers continuously assess and protect their SAP systems, complementing their existing SoD efforts

•   A quick look: SAP Penetration Tests
    -   The goal of these projects is to identify existing vulnerabilities and understand the business impact of a cyber attack
        -   Done without SAP user credentials
        -   Performed remotely (VPN)
        -   Only informed of the IP addresses of the SAP systems (in order to save time)

From the Trenches – The Results

•   Over 95% of the evaluated systems were exposed to espionage, sabotage, and fraud attacks

•   Less than 5% of them had the Security Audit features enabled

•   None of them had the latest SAP Security Notes applied

•   In most cases, the attack vectors that led to the initial compromise resulted from the exploitation of vulnerabilities that have been publicly known for more than 5 years

Protecting Our SAP Platform

•   The good news is that it is possible to significantly reduce the probability of successful cyber attacks on our SAP platforms

•   From an ROI perspective, it is better to focus on mitigating the threats that would result in the initial compromise. Once an attacker has full control, it is very difficult to stop him.

•   SAP is doing a great job and has significantly boosted its initiatives into providing more open and detailed Standards and Guidelines, specifically focused on the aspects we covered in this presentation

Protecting Our SAP Platform (cont.)

•   We have to approach the security of the SAP platform holistically:
    -   All the layers (OS, DB, SAP Application Layer, SAP Business Logic) must be protected. Failing to secure one would jeopardize the security of the entire system.

•   We have to secure the entire Platform:
    -   Every Landscape in the organization
        -   Every System in each Landscape (not just PRD)
            -   Every Client in each System (not just the Production one)
            -   Every Application Server in each System (not just the CI)
                -   Every security-relevant parameter of the 1,500+ available (ABAP systems)

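The slide above asks for every security-relevant profile parameter on every instance to be checked, and slide 5 asks whether the Security Audit Log is even enabled. The following is an added example (not from the presentation, Onapsis or SAP) of a small Python checker that reads an ABAP instance profile and compares a handful of real SAP profile parameters against a hardening baseline. The accepted values are this editor's reading of common hardening guidance, the two profile fragments are constructed, and a parameter that is absent from the profile is reported conservatively because its kernel default is not visible in the file.

```python
"""Check an SAP ABAP instance profile against a small hardening baseline
covering risks from this deck: Security Audit Log, gateway and message
server ACLs, SNC and the automatic SAP* logon. Added example; parameter
names are real SAP profile parameters, accepted values follow common
hardening guidance, and both profile fragments are constructed."""

# Baseline: parameter -> (accepted values, or None meaning "must be set to a
# non-empty path"), plus the risk the setting relates to.
BASELINE = {
    "rsau/enable": ({"1"}, "Security Audit Log is disabled"),
    "gw/acl_mode": ({"1"}, "TEC-04: gateway ACL mode is not restrictive"),
    "gw/sec_info": (None, "TEC-04: no secinfo file configured"),
    "gw/reg_info": (None, "TEC-04: no reginfo file configured"),
    "ms/acl_info": (None, "TEC-07: message server has no ACL file"),
    "ms/monitor": ({"0"}, "TEC-07: external message server monitoring allowed"),
    "snc/enable": ({"1"}, "TEC-11: SNC is not enabled"),
    "snc/accept_insecure_gui": ({"0"}, "TEC-11: unencrypted SAP GUI logons accepted"),
    "snc/accept_insecure_rfc": ({"0"}, "TEC-11: unencrypted RFC connections accepted"),
    "login/no_automatic_user_sapstar": ({"1"}, "TEC-02: automatic SAP* logon is possible"),
}


def parse_profile(text):
    """Parse 'key = value' lines of a profile into a dict.
    Lines starting with '#' are comments; a later duplicate overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        params[key.strip()] = value.strip()
    return params


def check_profile(text):
    """Return a list of (parameter, actual value, reason) findings.
    A parameter absent from the profile is reported as '<not set>': the kernel
    default is not visible here and must be verified separately (conservative
    assumption of this example)."""
    params = parse_profile(text)
    findings = []
    for name, (accepted, reason) in BASELINE.items():
        actual = params.get(name)
        if actual is None:
            findings.append((name, "<not set>", reason))
        elif accepted is None:
            if actual == "":
                findings.append((name, actual, reason))
        elif actual not in accepted:
            findings.append((name, actual, reason))
    return findings


# Constructed fragment with typical weak settings (not from any real system).
WEAK_PROFILE = """
SAPSYSTEMNAME = DEV
rsau/enable = 0
gw/acl_mode = 0
snc/enable = 0
login/no_automatic_user_sapstar = 0
"""

# The same constructed instance after hardening: every baseline parameter set explicitly.
HARDENED_PROFILE = """
SAPSYSTEMNAME = DEV
rsau/enable = 1
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
ms/acl_info = $(DIR_DATA)/ms_acl_info
ms/monitor = 0
snc/enable = 1
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
login/no_automatic_user_sapstar = 1
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = check_profile(profile)
        print(f"{label}: {len(findings)} finding(s)")
        for name, actual, reason in findings:
            print(f"  {name} = {actual}: {reason}")
```

Run as a script, the weak fragment produces ten findings (every baseline parameter is either wrong or unset) and the hardened one none. The BASELINE dictionary is the part to grow, for example with the parameters from SAP's Secure Configuration guide referenced at the end of this deck, and the checker should be run against every instance profile in every system, not only the central instance of PRD.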
Tips for Mitigating the 11 Risks

•   Please bear in mind that these are only high-level guidelines! Mitigating each of these risks requires a deeper analysis.

•   BIZEC TEC-01: MISSING SAP SECURITY NOTES
    -   Design and implement an SAP Security Patching Strategy, defining a process to:
        1. Identify which SAP Security Notes affect your platform
        2. Prioritize them according to risk (and remediation effort)
        3. Implement them in QA environments and roll out to PRD

    Define an “SAP Security Patching” SLA with your contractors or internal teams to ensure protection

Tips for Mitigating the 11 Risks (cont.)

•   BIZEC TEC-02: STANDARD USERS WITH DEFAULT PASSWORDS
    -   Secure all the default and standard users in ALL the clients of your SAP systems

•   BIZEC TEC-03: DANGEROUS SAP WEB APPLICATIONS
    -   Evaluate which Web Applications your Business really needs. Disable any unnecessary ones. Deploy an IDS/IPS.

•   BIZEC TEC-04: UNSECURED SAP GATEWAY
    -   Monitor existing connections to the Gateway for a period of time. Create initial secinfo and reginfo files. Only allow required interfaces from trusted systems.

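As an added illustration of the secinfo/reginfo tip above (example code written for this page, not SAP's gateway implementation or anything from Onapsis), the following Python evaluator reads reginfo-style rules, decides whether a given registration or access would be permitted under top-down, first-match semantics, and flags permit rules that are open to any host. The same parser accepts secinfo lines (TP, USER, USER-HOST, HOST). Assumptions: the 'local' and 'internal' keywords are modelled as the gateway's own host and the system's application servers, a request that matches no rule is treated as denied (the real gateway appends implicit rules, so verify the behaviour against your kernel's documentation), and all hostnames, program names and both rule files are constructed.

```python
"""Evaluate SAP gateway reginfo/secinfo rules top-down, first match wins.
Added example, not SAP's implementation: supports 'P'/'D' rule lines with
TP, HOST, ACCESS, CANCEL, USER and USER-HOST fields and the 'local' /
'internal' host keywords; an unmatched request is treated as denied
(conservative assumption). Hostnames, program names and both rule files
are constructed."""
import fnmatch

HOST_FIELDS = {"HOST", "ACCESS", "CANCEL", "USER-HOST"}


def parse_rules(text):
    """Return [(action, {FIELD: pattern})] from a #VERSION=2 style rule file."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"unsupported rule line: {line}")
        rules.append((action, dict(f.split("=", 1) for f in fields)))
    return rules


def host_matches(pattern_list, host, gateway_host, internal_hosts):
    """Comma-separated host patterns; 'local' is the gateway's own host and
    'internal' any application server of the system (modelling assumption)."""
    for pat in pattern_list.split(","):
        if pat == "local" and host == gateway_host:
            return True
        if pat == "internal" and host in internal_hosts:
            return True
        if pat not in ("local", "internal") and fnmatch.fnmatchcase(host, pat):
            return True
    return False


def permitted(rules, request, gateway_host, internal_hosts):
    """request maps field names to the concrete values of one operation, e.g.
    {'TP': 'RFCEXEC', 'HOST': 'app2'} for a registration, plus 'ACCESS' when
    a caller later tries to use the registered program. A rule field the
    request does not carry does not constrain the match."""
    for action, fields in rules:
        ok = True
        for field, pattern in fields.items():
            value = request.get(field)
            if value is None:
                continue
            if field in HOST_FIELDS:
                ok = host_matches(pattern, value, gateway_host, internal_hosts)
            else:
                ok = fnmatch.fnmatchcase(value, pattern)
            if not ok:
                break
        if ok:
            return action == "P"
    return False  # no rule matched: deny (assumption, see lead-in)


def wide_open_rules(rules):
    """Lint: permit rules whose host fields are all '*' or absent (anyone, anywhere)."""
    return [r for r in rules
            if r[0] == "P" and all(r[1].get(f, "*") == "*" for f in HOST_FIELDS)]


# Constructed: a reginfo that lets any host register any program for anyone.
WEAK_REGINFO = """
#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

# Constructed hardened reginfo: instances may register RFCEXEC, one named
# integration host may register its IDOC_* programs for use by the system
# only, and everything else is denied explicitly.
HARDENED_REGINFO = """
#VERSION=2
P TP=RFCEXEC HOST=internal,local ACCESS=internal,local CANCEL=internal,local
P TP=IDOC_* HOST=int-host.example.internal ACCESS=internal CANCEL=internal,local
D TP=*
"""

GATEWAY_HOST = "app1.example.internal"                          # constructed
INTERNAL_HOSTS = {"app1.example.internal", "app2.example.internal"}  # constructed


def check_registration(text, tp, host, access_from=None):
    """Would 'host' be allowed to register 'tp', and (optionally) would
    'access_from' be allowed to use it afterwards?"""
    request = {"TP": tp, "HOST": host}
    if access_from is not None:
        request["ACCESS"] = access_from
    return permitted(parse_rules(text), request, GATEWAY_HOST, INTERNAL_HOSTS)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REGINFO), ("hardened", HARDENED_REGINFO)):
        print(label, "unknown host registering RFCEXEC:",
              check_registration(text, "RFCEXEC", "unknown.example.net"))
        print(label, "wide-open rules:", wide_open_rules(parse_rules(text)))
```

The weak file permits an unknown host to register RFCEXEC; the hardened file rejects it, still lets the system's own instances register, and lets the integration host's programs be used only from internal servers. Running the lint over the monitored connections you collected during the observation period (the tip's first step) is the natural way to turn the deny-by-default file into one that still carries every legitimate interface.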
Tips for Mitigating the 11 Risks (cont.)

•   BIZEC TEC-05: UNSECURED SAP/ORACLE AUTHENTICATION
    -   Configure the Oracle listener to accept connections only from SAP instances and trusted systems. Firewall the SAP network!

•   BIZEC TEC-06: INSECURE RFC INTERFACES
    -   Analyze your RFC Destinations and check for stored logon credentials, encryption, profiles at target systems, etc.

•   BIZEC TEC-07: UNSECURED SAP MESSAGE SERVER
    -   Configure the Message Server’s ACL to only accept connections from the System’s instances. Configure separate ports for internal and user connections.

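To make the TEC-06 analysis concrete, here is an added Python example (not from the presentation or from Onapsis) that takes a constructed export of RFC destinations, with the kind of attributes SM59 shows for each one, reports the destinations that point from a lower-classified system to a higher-classified one while carrying stored logon data or a trust relationship, and chains them into the pivot paths an auditor would want closed. The classification levels, destination names and flags are all constructed.

```python
"""Flag RFC destinations that could serve as pivots from a lower-classified
system to a higher-classified one (TEC-06) and chain them into paths.
Added example; landscape, destination names and attributes are constructed
in the shape of an SM59 export, not real data."""
from collections import defaultdict

# Constructed landscape: higher number = higher security classification.
CLASSIFICATION = {"DEV": 1, "QAS": 2, "PRD": 3}

# Constructed destination inventory (one row per destination per source system).
DESTINATIONS = [
    {"source": "DEV", "name": "PRD_CLNT100", "target": "PRD",
     "stored_logon": True, "trusted": False, "snc": False},
    {"source": "DEV", "name": "QAS_CLNT200", "target": "QAS",
     "stored_logon": False, "trusted": True, "snc": True},
    {"source": "QAS", "name": "PRD_CLNT100", "target": "PRD",
     "stored_logon": True, "trusted": False, "snc": True},
    {"source": "PRD", "name": "DEV_CLNT100", "target": "DEV",
     "stored_logon": True, "trusted": False, "snc": False},
    {"source": "DEV", "name": "PRD_NOLOGON", "target": "PRD",
     "stored_logon": False, "trusted": False, "snc": False},
]


def pivot_reasons(dest):
    """Why this destination is a pivot risk; an empty list means it is not.
    Only 'upward' destinations count: a PRD -> DEV destination with stored
    credentials exposes DEV, not PRD."""
    upward = CLASSIFICATION[dest["target"]] > CLASSIFICATION[dest["source"]]
    if not upward:
        return []
    reasons = []
    if dest["stored_logon"]:
        reasons.append("stored logon data lets anyone on the source system call the target")
    if dest["trusted"]:
        reasons.append("trust relationship: the target accepts callers without a password")
    return reasons


def pivot_destinations(destinations):
    """(source, name, target, reasons) for every risky upward destination."""
    return [(d["source"], d["name"], d["target"], pivot_reasons(d))
            for d in destinations if pivot_reasons(d)]


def pivot_paths(destinations, start):
    """All chains of risky upward destinations reachable from 'start',
    e.g. DEV -> QAS -> PRD, found by depth-first search without revisits."""
    edges = defaultdict(list)
    for d in destinations:
        if pivot_reasons(d):
            edges[d["source"]].append(d["target"])
    paths = []

    def walk(node, path):
        for nxt in edges[node]:
            if nxt in path:
                continue
            paths.append(path + [nxt])
            walk(nxt, path + [nxt])

    walk(start, [start])
    return sorted(paths)


if __name__ == "__main__":
    for source, name, target, reasons in pivot_destinations(DESTINATIONS):
        print(f"{source} -> {target} via {name}: {'; '.join(reasons)}")
    for path in pivot_paths(DESTINATIONS, "DEV"):
        print("pivot path:", " -> ".join(path))
```

Note that SNC protects the connection on the wire but does not remove the pivot: the QAS → PRD destination is still flagged even though its snc flag is set, because the stored logon data is what lets a compromised QAS reach PRD. The downward PRD → DEV destination and the DEV → PRD destination without stored logon data are not reported. Remediation is removing stored credentials from upward destinations (or replacing them with destination-specific, minimally authorized users) and reviewing every trust relationship.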
Tips for Mitigating the 11 Risks (cont.)

•   BIZEC TEC-08: INSECURE SAP ADMINISTRATION AND MONITORING SERVICES
    -   Disable/restrict access to administration services from untrusted systems

•   BIZEC TEC-09: INSECURE SAP NETWORK FILTERING
    -   Implement external and internal DMZs for the SAP platform. Deploy SAP-specialized Intrusion Detection and Prevention solutions.

Tips for Mitigating the 11 Risks (cont.)

•   BIZEC TEC-10: INSECURE SAPROUTER IMPLEMENTATION
    -   Ensure the Route Permission Table only allows connections from/to authorized systems and ports. Do not use “P”, but “S” rules. Enable logging.

•   BIZEC TEC-11: UNENCRYPTED COMMUNICATIONS
    -   Implement SNC between SAP clients and SAP servers, and between SAP servers and untrusted networks

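As an added example for the SAProuter tip (written for this page; not SAP's tool and not from the presentation), the following Python linter reads a saprouttab in its '<P|S|D> <source> <destination> <port> [<password>]' line format and reports the weaknesses named above: P rules instead of S, wildcard sources, destinations or ports in permit rules, and a table that does not close with an explicit deny-all. The SNC variants KP/KS/KD are accepted as well. Both tables are constructed and use documentation-only addresses. Logging is a start option of the saprouter process rather than a table entry, so it is outside what a table linter can check.

```python
"""Lint an SAProuter route permission table (saprouttab) for the weaknesses
named in the TEC-10 tip. Added example, not SAP's tool; both tables below
are constructed (203.0.113.0/24 is a documentation range)."""

PERMIT_ACTIONS = {"P", "S", "KP", "KS"}
DENY_ACTIONS = {"D", "KD"}


def parse_saprouttab(text):
    """Return a list of rule dicts with their line numbers; malformed lines raise."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in PERMIT_ACTIONS | DENY_ACTIONS:
            raise ValueError(f"line {lineno}: malformed rule: {raw!r}")
        rules.append({"line": lineno, "action": parts[0], "source": parts[1],
                      "dest": parts[2], "port": parts[3]})
    return rules


def lint(text):
    """Return (line number, message) findings; an empty list means clean.
    Line 0 is used for findings about the table as a whole."""
    rules = parse_saprouttab(text)
    findings = []
    for r in rules:
        if r["action"] not in PERMIT_ACTIONS:
            continue
        if r["action"] in ("P", "KP"):
            findings.append((r["line"], "P rule allows native protocols; use S (SAP protocol only)"))
        if r["source"] == "*":
            findings.append((r["line"], "permit rule accepts any source host"))
        if r["dest"] == "*":
            findings.append((r["line"], "permit rule allows any destination host"))
        if r["port"] == "*":
            findings.append((r["line"], "permit rule allows any destination port"))
    last = rules[-1] if rules else None
    if (last is None or last["action"] not in DENY_ACTIONS
            or (last["source"], last["dest"], last["port"]) != ("*", "*", "*")):
        findings.append((0, "table does not end with an explicit 'D * * *' rule"))
    return findings


# Constructed weak table: native protocols, wildcards everywhere, no final deny.
WEAK_SAPROUTTAB = """\
# anyone may reach the router port itself and an internal subnet may go anywhere
P * 10.0.5.20 3299
P 192.168.1.* * *
S * sap-prd *
"""

# Constructed hardened table: SAP protocol only, named subnets, explicit
# ports, SNC required from the external partner, explicit deny-all last.
HARDENED_SAPROUTTAB = """\
S 10.0.1.* sap-prd 3200
S 10.0.1.* sap-prd 3300
KS 203.0.113.10 sap-prd 3200
D * * *
"""

if __name__ == "__main__":
    for label, table in (("weak", WEAK_SAPROUTTAB), ("hardened", HARDENED_SAPROUTTAB)):
        findings = lint(table)
        print(f"{label}: {len(findings)} finding(s)")
        for lineno, message in findings:
            print(f"  line {lineno}: {message}")
```

The weak table yields eight findings (two for the first rule, three for the second, two for the third, plus the missing deny-all); the hardened table yields none. Wildcards inside an address such as 10.0.1.* are accepted as subnet notation and are not flagged, since the point of the check is the bare '*' that turns a rule into "from anywhere" or "to anything".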
Where Do I Start?

•   Implementing a Sustainable SAP Security Strategy
    -   Performing an SAP Application Security Assessment to understand the current exposure is a good start
    -   However, as you know, security is not a state, but a process
    -   Highest ROI will come from establishing a continuous assessment and remediation strategy

    Assessing the SAP platform at least once a month, after each SAP Security Patch Day

Where Do I Start? (cont.)

•   Therefore, these activities must be run periodically. The most cost-effective solution is through automation.

•   But … who ensures these products are actually used, properly configured, and that the findings are followed up?
    -   Your internal SAP Security Teams, or
    -   Your IT Security Teams, or
    -   Your Trusted Advisory/Compliance Partner who can deliver an end-to-end Continuous SAP Application Security Compliance solution

Where to Find More Information

•   Onapsis Resources:
    -   Other SAP Security Presentations: www.onapsis.com/research-presentations.php
    -   Onapsis SAP Security In-Depth Publications: www.onapsis.com/research-publications.php
    -   Onapsis Bizploit – Opensource GPL Project: www.onapsis.com/bizploit

•   BIZEC:
    -   BIZEC TEC/11 Risks (Version 2.0, 2012): www.bizec.org/wiki/BIZEC_TEC11

Where to Find More Information (cont.)

•   Great SAP Resources:
    -   Secure Configuration of SAP NetWeaver Application Server Using ABAP (SAP AG, 2012). http://scn.sap.com/docs/DOC-17149
    -   Protecting SAP Applications Based on Java and ABAP Against Common Attacks (SAP AG, 2011). http://bit.ly/VagxSI *
    -   Bjoern Brencher, “SAP Runs SAP – Remote Function Call: Gateway Hacking and Defense” (SAP TechEd, 2012).
    -   SAP Security Web site – www.sap.com/security

    * Requires login credentials to the SAP Service Marketplace

7 Key Points to Take Home

•   Our SAP platforms are natural targets for cyber attackers
•   Segregation of Duties controls are critical for the security of our SAP systems, but they are not enough
•   If the SAP Application Layer is not properly secured, cyber attackers that do not even have a user would be able to perform espionage, sabotage, and financial fraud attacks
•   Review whether your Platform is exposed to the 11 presented risks and mitigate them as soon as possible
•   Secure systems beyond PRD and implement a sustainable strategy
•   As Internal or External Auditors, we must address the SAP Application Layer risks. Otherwise, we may be signing off blindly.
•   If our XYZ-compliant SAP system gets hacked through a 5-year-old vulnerability, we are clearly doing something wrong

Your Turn!

Visit us at the Exhibit hall for further discussions and live demos!

Mariano Nunez
Email: mnunez@onapsis.com
Twitter: @marianonunezdc

Please remember to complete your session evaluation

PwC Contacts

Alliance Director:
    Cynthia McConathy                     Cynthia.McConathy@us.pwc.com

East:
    Bob Clark, Philadelphia               clark@us.pwc.com
    Sachin Mandal, New York               sachin.mandal@us.pwc.com
    Greg Pillay, Florida                  gregory.k.pillay@us.pwc.com

MidWest:
    Sean Donahue, Milwaukee               sean.p.donahue@us.pwc.com
    Dave Erickson, Chicago                dave.erickson@us.pwc.com
    Mickey Roach, Dallas                  mickey.roach@us.pwc.com
    Tammy Wojtasiak, Minneapolis          tamara.wojtasiak@us.pwc.com

West:
    Jamie Draper, San Francisco           james.draper@us.pwc.com

Disclaimer

SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and
service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.
Building an Analytics - Enabled SOC Breakout Session Building an Analytics - Enabled SOC Breakout Session
Building an Analytics - Enabled SOC Breakout Session
 
OSB180: Learn More About Ivanti Endpoint Security
OSB180: Learn More About Ivanti Endpoint SecurityOSB180: Learn More About Ivanti Endpoint Security
OSB180: Learn More About Ivanti Endpoint Security
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
 
Abhishek-New (1)
Abhishek-New (1)Abhishek-New (1)
Abhishek-New (1)
 
Closing Mainframe Integrity Gaps
Closing Mainframe Integrity GapsClosing Mainframe Integrity Gaps
Closing Mainframe Integrity Gaps
 
Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during development
 

Destaque

How To Convert Underpants Into Profits
How To Convert Underpants Into ProfitsHow To Convert Underpants Into Profits
How To Convert Underpants Into Profitsalexcalic
 
Novetta Entity Analytics
Novetta Entity AnalyticsNovetta Entity Analytics
Novetta Entity AnalyticsNovetta
 
Long Term Reporting with Savvius and Splunk
Long Term Reporting with Savvius and SplunkLong Term Reporting with Savvius and Splunk
Long Term Reporting with Savvius and SplunkSavvius, Inc
 
Protect Your Assets with Single IP DDoS Protection
Protect Your Assets with Single IP DDoS ProtectionProtect Your Assets with Single IP DDoS Protection
Protect Your Assets with Single IP DDoS ProtectionImperva Incapsula
 
امن المعلومات المحاضرة الاولى
امن المعلومات المحاضرة الاولىامن المعلومات المحاضرة الاولى
امن المعلومات المحاضرة الاولىايمن البيلي
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)Arun Shukla
 
امن المعلومات المحاضرة الرابعه
امن المعلومات المحاضرة الرابعهامن المعلومات المحاضرة الرابعه
امن المعلومات المحاضرة الرابعهايمن البيلي
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and SecurityDipesh Waghela
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
Cyber security
Cyber securityCyber security
Cyber securitySiblu28
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security pptLipsita Behera
 

Destaque (14)

How To Convert Underpants Into Profits
How To Convert Underpants Into ProfitsHow To Convert Underpants Into Profits
How To Convert Underpants Into Profits
 
Novetta Entity Analytics
Novetta Entity AnalyticsNovetta Entity Analytics
Novetta Entity Analytics
 
Long Term Reporting with Savvius and Splunk
Long Term Reporting with Savvius and SplunkLong Term Reporting with Savvius and Splunk
Long Term Reporting with Savvius and Splunk
 
Protect Your Assets with Single IP DDoS Protection
Protect Your Assets with Single IP DDoS ProtectionProtect Your Assets with Single IP DDoS Protection
Protect Your Assets with Single IP DDoS Protection
 
امن المعلومات المحاضرة الاولى
امن المعلومات المحاضرة الاولىامن المعلومات المحاضرة الاولى
امن المعلومات المحاضرة الاولى
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 
امن المعلومات المحاضرة الرابعه
امن المعلومات المحاضرة الرابعهامن المعلومات المحاضرة الرابعه
امن المعلومات المحاضرة الرابعه
 
Cybersecurity 2 cyber attacks
Cybersecurity 2 cyber attacksCybersecurity 2 cyber attacks
Cybersecurity 2 cyber attacks
 
Types of cyber attacks
Types of cyber attacksTypes of cyber attacks
Types of cyber attacks
 
Control valve ppt
Control valve pptControl valve ppt
Control valve ppt
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
 

Semelhante a GRC 2013 Preventing Cyber Attacks for SAP - Onapsis Presentation

Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsERPScan
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementNovell
 
Cyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsCyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsOnapsis Inc.
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easyERPScan
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...Tunde Ogunkoya
 
Forgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsForgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsERPScan
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 stepsERPScan
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
 	Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) 	Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Rightpvanwoud
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP securityERPScan
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP securityERPScan
 
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Virtual Forge
 

Semelhante a GRC 2013 Preventing Cyber Attacks for SAP - Onapsis Presentation (20)

Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applications
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
 
Cyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsCyber-attacks to SAP Systems
Cyber-attacks to SAP Systems
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
 
Forgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsForgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application Systems
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 steps
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
 	Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) 	Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP security
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP security
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
 

Último

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Último (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

GRC 2013 Preventing Cyber Attacks for SAP - Onapsis Presentation

1. Preventing Cyber Attacks: How to Address 11 Risks That Could Leave Your SAP System Vulnerable

Mariano Nunez
Onapsis

© Copyright 2013 Wellesley Information Services, Inc. All rights reserved.

2. What We’ll Cover …

• Introduction
• Why Segregation of Duties is not enough
• 11 risks that could render your platform vulnerable
• From the trenches – The current state of SAP security
• Protecting our SAP platform
• Wrap-up
3. Cyber Attacks on SAP Systems: Why?

• In 2012, cybercrime costs rose nearly 40 percent and attack frequency doubled (Ponemon Institute)
   Industrial espionage
   State-sponsored attacks
• Why would someone attack our ERP platform?
   It runs our business-critical processes
   It stores our most sensitive information
   Our organization is highly dependent on it
• Therefore, by nature, these systems are the perfect target for espionage, sabotage, and financial fraud attacks
4. Espionage, Sabotage, and Financial Fraud

• Espionage
   How much would the information stored in our SAP systems be worth to our biggest competitor?
• Sabotage
   How much money would we lose if our SAP system is taken offline continuously, for several hours or even days?
• Financial fraud
   What would be the economic impact if someone is able to manipulate all our financial information and processes without any kind of restrictions or controls?
5. Common (Dangerous) Misconceptions

• “Our SAP system is only accessible internally (trusted networks)”
   We better check! Attackers can find SAP systems online using simple Google queries and public search engines:
    [Screenshots of search results: 63,100 results; 4,470 results]
   Internet is NOT the only untrusted network!
   Outsourced contractors doing remote SAP administration
   Our own end-user network! (Malicious employees, spear-phishing attacks, etc.)
6. Common (Dangerous) Misconceptions (cont.)

• “Our SAP system has never been hacked”
   Can we really be sure?
   Do we have the Security Audit Log enabled?
   Do we have all the “other” logs enabled?
   If so, are we reviewing them periodically?
• “SAP systems are intrinsically insecure/secure”
   SAP systems are no different than any other software
   Most of the commonly found security gaps could be mitigated if customers followed the SAP security guidelines and implemented SAP Security Notes promptly
7. Common (Dangerous) Misconceptions (cont.)

• “We only need to audit/secure our Production systems”
   “A chain is as strong as its weakest link”
   Think like an attacker: How would you try to break in?
    Go after the usually-audited, probably-more-secure Production system? OR …
    Break into a Development environment, and then “jump to” Production (shared passwords, RFC pivoting, etc.)?

8. Common (Dangerous) Misconceptions (cont.)

• “The risk of our SAP system being attacked is low”
   We are not fighting against “script kiddies,” but malicious organizations with vast resources and capabilities
   Information about SAP vulnerabilities has been in the public domain for 10+ years!
9. Common (Dangerous) Misconceptions (cont.)

• “The risk of our SAP system being attacked is low” (cont.)
   In October 2012, hacktivist group Anonymous claimed intent to exploit SAP systems
   It was the first time this kind of news hit the headlines
   Anonymous claimed to have broken into the Greek Ministry of Finance (to be confirmed) and mentioned: “We have new guns in our arsenal. A sweet 0day SAP exploit is in our hands and oh boy we’re gonna sploit the hell out of it.”

10. What We’ll Cover …

• Introduction
• Why Segregation of Duties is not enough
• 11 risks that could render your platform vulnerable
• From the trenches – The current state of SAP security
• Protecting our SAP platform
• Wrap-up
11. Towards a Holistic SAP Security Approach

• “SAP Security” was for several years a synonym of “Segregation of Duties controls” (a.k.a. user roles and profiles)
   Auditing and enforcing SoD controls is a critical piece of the SAP platform’s security. The only problem is that it is not enough.
• An SAP system can be divided into several layers:
   SAP Solution: SAP Business Logic; SAP Application Layer
   Base Infrastructure: Database; Operating System
12. The SAP Application Layer

• SoD controls are only protecting the Business Logic layer!
• The SAP Application Layer (SAP NetWeaver®/BASIS) is critical, and has been traditionally overlooked
   Handles critical tasks and components such as authentication, authorization, interfacing, audit logging, etc.
   Successful attacks to this layer would result in a complete compromise of the SAP system (SAP_ALL or equivalent)
13. The Evolution of SAP Security Notes

• Vulnerabilities discovered in SAP applications are patched by SAP and released to customers as SAP Security Notes
• Each Security Note solves one or more vulnerabilities
   [Chart: SAP Security Notes per year]
• In September 2010, SAP started releasing Security Notes periodically (2nd Tuesday of every month)
14. Anatomy of an SoD Violation Attack

   [Diagram: 3 - Access with Valid SAP User → 4 - High Privileges Obtained → 5 - Access to Sensitive Info/Process]
• Context:
   Attacker needs a valid user account
   This user must have high privileges
   Probability of detection: Med-High

15. Anatomy of an SAP Application Layer Attack

   [Diagram: 1 - Vulnerability Identified → 2 - Vulnerability Exploited → 4 - High Privileges Obtained → 5 - Access to Sensitive Info/Process]
• Context:
   Exploitation usually does not require a valid user account (anonymous!)
   Usually exploitation → high privileges
   Probability of detection: Low
16. What We’ll Cover …

• Introduction
• Why Segregation of Duties is not enough
• 11 risks that could render your platform vulnerable
• From the trenches – The current state of SAP security
• Protecting our SAP platform
• Wrap-up

17. The BIZEC TEC/11

• BIZEC is a non-profit organization with the mission of analyzing current and future threats affecting ERP systems
• Current initiatives covering SAP solutions:
   APP/11: The most common ABAP security issues
   TEC/11: The most common SAP Application Layer security issues
• In this presentation, we will cover BIZEC TEC/11
18. 11 Risks Affecting the SAP Application Layer

• BIZEC TEC-01: MISSING SAP SECURITY NOTES
   Risk:
    The SAP platform is running based on technological components whose versions are affected by reported security vulnerabilities, and the respective SAP Security Notes have not been applied
   Business Impact:
    Attackers would be able to exploit reported security vulnerabilities and perform unauthorized activities over the business information processed by the affected SAP system
• 19. 11 Risks Affecting the SAP Application Layer (cont.)
  • BIZEC TEC-02: STANDARD USERS WITH DEFAULT PASSWORDS
    – Risk: Users created automatically during the SAP system installation, or other administrative procedures, are configured with default, publicly-known passwords
    – Business Impact: Attackers would be able to log in to the affected SAP system using a standard SAP user account. As these accounts are usually highly privileged, the business information would be exposed to espionage, sabotage, and fraud attacks.
• 20. 11 Risks Affecting the SAP Application Layer (cont.)
  • BIZEC TEC-03: DANGEROUS SAP WEB APPLICATIONS
    – Risk: The SAP Application Server is providing Web applications with reported security vulnerabilities or sensitive functionality (XSS, SQL Injection, Invoker Servlet detour, Verb Tampering, XXE Tunneling, etc.)
    – Business Impact: Attackers would be able to exploit vulnerabilities in such Web applications, enabling them to perform unauthorized activities over the business information processed by the affected SAP system
• 21. 11 Risks Affecting the SAP Application Layer (cont.)
  • BIZEC TEC-04: UNSECURED SAP GATEWAY
    – Risk: The SAP Application Server’s Gateway is not restricting the starting, registration, or cancellation of external RFC servers
    – Business Impact: Attackers would be able to obtain full control of the SAP system. Furthermore, they would be able to intercept and manipulate interfaces used for transmitting sensitive business information.
• 22. 11 Risks Affecting the SAP Application Layer (cont.)
  • BIZEC TEC-05: UNSECURED SAP/ORACLE AUTHENTICATION
    – Risk: The SAP ABAP Application Server authenticates to the Oracle database through the external OS authentication scheme, and the Oracle listener has not been secured
    – Business Impact: Attackers would be able to obtain full control of the affected SAP system’s database, enabling them to create, visualize, modify and/or delete any business information processed by the system
• 23. 11 Risks Affecting the SAP Application Layer (cont.)
  • BIZEC TEC-06: INSECURE RFC INTERFACES
    – Risk: The SAP environment is using insecure RFC connections from systems of a lower security-classification level to systems with higher security-classification levels
    – Business Impact: Attackers would be able to perform RFC pivoting attacks by first compromising an SAP system with low security classification and, subsequently, abusing insecure interfaces to compromise SAP systems with higher security-classification levels (i.e., from DEV → PRD)
• 24. 11 Risks Affecting the SAP Application Layer (cont.)
  • BIZEC TEC-07: UNSECURED SAP MESSAGE SERVER
    – Risk: The SAP System’s Message Server is not restricting the registration of SAP Application Servers, therefore allowing access to unauthorized systems
    – Business Impact: Attackers would be able to register malicious SAP Application Servers and perform man-in-the-middle attacks, being able to obtain valid user access credentials and sensitive business information. Attacks against user workstations would also be possible.
• 25. 11 Risks Affecting the SAP Application Layer (cont.)
  • BIZEC TEC-08: INSECURE SAP ADMINISTRATION AND MONITORING SERVICES
    – Risk: The SAP platform is not protected against unauthorized access to sensitive administration or monitoring services, such as the SAP Management Console, the P4 interface, SDM, Solution Manager, Transport Management System, etc.
    – Business Impact: Attackers would be able to access administration or monitoring services and perform unauthorized activities over the affected SAP systems, possibly leading to espionage and/or sabotage attacks
• 26. 11 Risks Affecting the SAP Application Layer (cont.)
  • BIZEC TEC-09: INSECURE SAP NETWORK FILTERING
    – Risk: The SAP platform network is not properly isolated from untrusted networks, both external and internal, and intrusion detection/prevention systems have not been implemented
    – Business Impact: Attackers would be able to access sensitive SAP network services and possibly exploit vulnerabilities and unsafe configurations in them, leading to the execution of unauthorized activities over the affected SAP platform
• 27. 11 Risks Affecting the SAP Application Layer (cont.)
  • BIZEC TEC-10: INSECURE SAPROUTER IMPLEMENTATION
    – Risk: The SAProuter Route Permission Table is not configured to allow connections only from/to authorized systems, the use of native protocols is not restricted, and/or logging features are not properly configured
    – Business Impact: Attackers would be able to access SAP and non-SAP systems from untrusted networks, potentially launching attacks against the reachable systems
• 28. 11 Risks Affecting the SAP Application Layer (cont.)
  • BIZEC TEC-11: UNENCRYPTED COMMUNICATIONS
    – Risk: The confidentiality and integrity of communications in the SAP landscape is not enforced. These communications comprise SAP-to-SAP connections as well as interactions between SAP servers and external systems, such as user workstations and third-party systems.
    – Business Impact: Attackers would be able to access sensitive technical and business information being transferred to/from the SAP environment
• 29. What We’ll Cover …
  • Introduction
  • Why Segregation of Duties is not enough
  • 11 risks that could render your platform vulnerable
  • From the trenches – The current state of SAP security
  • Protecting our SAP platform
  • Wrap-up
• 30. From the Trenches
  • It is critical to provide innovative solutions that help customers continuously assess and protect their SAP systems, complementing their existing SoD efforts
  • A quick look: SAP Penetration Tests
    – The goal of these projects is to identify existing vulnerabilities and understand the business impact of a cyber attack
    – Done without SAP user credentials
    – Performed remotely (VPN)
    – Only the IP addresses of the SAP systems were provided (in order to save time)
• 31. From the Trenches – The Results
  • Over 95% of the evaluated systems were exposed to espionage, sabotage, and fraud attacks
  • Less than 5% of them had the Security Audit features enabled
  • None of them had the latest SAP Security Notes applied
  • In most cases, the attack vectors that led to the initial compromise resulted from the exploitation of vulnerabilities that had been publicly known for more than 5 years
• 32. What We’ll Cover …
  • Introduction
  • Why Segregation of Duties is not enough
  • 11 risks that could render your platform vulnerable
  • From the trenches – The current state of SAP security
  • Protecting our SAP platform
  • Wrap-up
• 33. Protecting Our SAP Platform
  • The good news is that it is possible to significantly reduce the probability of successful cyber attacks against our SAP platforms
  • From an ROI perspective, it is better to focus on mitigating the threats that would result in the initial compromise. Once an attacker has full control, it is very difficult to stop him.
  • SAP is doing a great job and has significantly boosted its initiatives for providing more open and detailed Standards and Guidelines, specifically focused on the aspects we covered in this presentation
• 34. Protecting Our SAP Platform (cont.)
  • We have to approach the security of the SAP platform holistically:
    – All the layers (OS, DB, SAP Application Layer, SAP Business Logic) must be protected. Failing to secure one would jeopardize the security of the entire system.
  • We have to secure the entire platform:
    – Every Landscape in the organization
    – Every System in each Landscape (not just PRD)
    – Every Client in each System (not just the Production one)
    – Every Application Server in each System (not just the CI)
    – Every security-relevant parameter of the 1,500+ available (ABAP systems)
• 35. Tips for Mitigating the 11 Risks
  • Please bear in mind that these are only high-level guidelines! Mitigating each of these risks requires a deeper analysis.
  • BIZEC TEC-01: MISSING SAP SECURITY NOTES
    – Design and implement an SAP Security Patching Strategy, defining a process to:
      1. Identify which SAP Security Notes affect your platform
      2. Prioritize them according to risk (and remediation effort)
      3. Implement them in QA environments and roll out to PRD
    – Define an “SAP Security Patching” SLA with your contractors or internal teams to ensure protection
• 36. Tips for Mitigating the 11 Risks (cont.)
  • BIZEC TEC-02: STANDARD USERS WITH DEFAULT PASSWORDS
    – Secure all the default and standard users in ALL the clients of your SAP systems
  • BIZEC TEC-03: DANGEROUS SAP WEB APPLICATIONS
    – Evaluate which Web Applications your Business really needs. Disable any unnecessary ones. Deploy an IDS/IPS.
  • BIZEC TEC-04: UNSECURED SAP GATEWAY
    – Monitor existing connections to the Gateway for a period of time. Create initial secinfo and reginfo files. Only allow required interfaces from trusted systems.
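Added example, not from the deck or from Onapsis/SAP: a small Python evaluator for a version-2 reginfo file that answers, before the file goes live, which hosts could register which programs at the Gateway (TEC-04 above). The ACL, program names and hosts are constructed; it assumes first-match evaluation, treats an unmatched request as denied, and matches host patterns glob-style.

```python
from fnmatch import fnmatchcase

# Constructed reginfo (version-2 syntax): one scoped registration, a wildcard line, a final deny.
SAMPLE_REGINFO = """\
#VERSION=2
P TP=IGS.PRD HOST=sapigs01,local ACCESS=internal CANCEL=internal
P TP=* HOST=* ACCESS=* CANCEL=*
D TP=*
"""

def parse_reginfo(text):
    """One dict per rule; HOST/ACCESS/CANCEL values become lists."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#VERSION=2":
        raise ValueError("expected a version-2 reginfo (#VERSION=2 header)")
    rules = []
    for raw in lines[1:]:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, *kvs = line.split()
        rule = {"KIND": kind.upper()}
        for key, _, val in (kv.partition("=") for kv in kvs):
            rule[key.upper()] = val.split(",")
        rules.append(rule)
    return rules

def host_matches(patterns, host, internal_hosts, gateway_host):
    """'local' = the gateway's own host, 'internal' = the system's own servers; else glob (assumed)."""
    return any((p == "local" and host == gateway_host)
               or (p == "internal" and host in internal_hosts)
               or (p not in ("local", "internal") and fnmatchcase(host, p))
               for p in patterns)

def may_register(text, tp, host, internal_hosts, gateway_host):
    """Simulate the gateway: the first rule matching both TP and HOST decides.
    No match is treated as denied, hence the explicit final 'D TP=*' line."""
    for idx, rule in enumerate(parse_reginfo(text), 1):
        if not fnmatchcase(tp, rule["TP"][0]):
            continue
        # An omitted HOST is read as '*' here; state it explicitly in real files.
        if host_matches(rule.get("HOST", ["*"]), host, internal_hosts, gateway_host):
            return rule["KIND"] == "P", idx  # (allowed, 1-based deciding rule)
    return False, None

def open_registration_rules(text):
    """Indexes of P rules letting any host register any program, or with ACCESS=*."""
    return [i for i, r in enumerate(parse_reginfo(text), 1) if r["KIND"] == "P"
            and (r["TP"] == ["*"] and "*" in r.get("HOST", ["*"])
                 or "*" in r.get("ACCESS", []))]
```

Removing the wildcard line makes the same external registration fall through to the final deny, which is the check worth running after every edit to the file.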
• 37. Tips for Mitigating the 11 Risks (cont.)
  • BIZEC TEC-05: UNSECURED SAP/ORACLE AUTHENTICATION
    – Configure the Oracle listener to accept connections only from SAP instances and trusted systems. Firewall the SAP network!
  • BIZEC TEC-06: INSECURE RFC INTERFACES
    – Analyze your RFC Destinations and check for stored logon credentials, encryption, profiles at target systems, etc.
  • BIZEC TEC-07: UNSECURED SAP MESSAGE SERVER
    – Configure the Message Server’s ACL to only accept connections from the System’s instances. Configure separate ports for internal and user connections.
• 38. Tips for Mitigating the 11 Risks (cont.)
  • BIZEC TEC-08: INSECURE SAP ADMINISTRATION AND MONITORING SERVICES
    – Disable/restrict access to administration services from untrusted systems
  • BIZEC TEC-09: INSECURE SAP NETWORK FILTERING
    – Implement external and internal DMZs for the SAP platform. Deploy SAP-specialized Intrusion Detection and Prevention solutions.
• 39. Tips for Mitigating the 11 Risks (cont.)
  • BIZEC TEC-10: INSECURE SAPROUTER IMPLEMENTATION
    – Ensure the Route Permission Table only allows connections from/to authorized systems and ports. Do not use “P”, but “S” rules. Enable logging.
  • BIZEC TEC-11: UNENCRYPTED COMMUNICATIONS
    – Implement SNC between SAP clients and SAP servers, and between SAP servers and untrusted networks
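Added example (not the deck's, Onapsis' or SAP's code): a Python check of a saprouttab for the TEC-10 points above: P rules where an S rule would do, allow-all wildcards, and rules made unreachable by an earlier catch-all, since SAProuter applies the first matching line. The table, hosts and SNC name are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample table: an SNC rule for a support connection, then a
# catch-all P rule that makes every line after it unreachable.
SAMPLE_SAPROUTTAB = """\
# saprouttab - constructed sample, not a real deployment
KT "p:CN=sapserv-example, OU=SAProuter, O=SAP, C=DE" 203.0.113.10 *
P  *            *         *
S  10.10.1.25   sapprd01  3200
D  *            *         *
"""

@dataclass
class Rule:
    lineno: int
    kind: str      # P, S, D or the SNC variants KT, KP, KS, KD
    src: str       # source host (an SNC name for K* rules)
    dst: str       # destination host
    service: str   # destination service/port

def parse_saprouttab(text):
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Quoted SNC names may contain spaces, so tokenize with a regex.
        tok = re.findall(r'"[^"]*"|\S+', line)
        if len(tok) < 4:
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append(Rule(lineno, tok[0].upper(), tok[1], tok[2], tok[3]))
    return rules

def lint_saprouttab(text):
    """Return (lineno, finding) pairs; SAProuter applies the first matching line,
    so anything after an allow-all rule never takes effect."""
    findings = []
    catch_all_at = None
    for r in parse_saprouttab(text):
        if catch_all_at is not None:
            findings.append((r.lineno, f"unreachable: shadowed by allow-all rule on line {catch_all_at}"))
            continue
        if r.kind in ("P", "S") and (r.src, r.dst, r.service) == ("*", "*", "*"):
            findings.append((r.lineno, "allow-all rule: any source may reach any host and port"))
            catch_all_at = r.lineno
        if r.kind == "P":
            findings.append((r.lineno, "P rule permits native protocols; prefer an S rule"))
    return findings
```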
• 40. Where Do I Start?
  • Implementing a Sustainable SAP Security Strategy
    – Performing an SAP Application Security Assessment to understand the current exposure is a good start
    – However, as you know, security is not a state, but a process
    – The highest ROI will come from establishing a continuous assessment and remediation strategy: assessing the SAP platform at least once a month, after each SAP Security Patch Day
• 41. Where Do I Start? (cont.)
  • Therefore, these activities must be run periodically. The most cost-effective solution is through automation.
  • But … who ensures these products are actually used and properly configured, and that the findings are followed up on?
    – Your internal SAP Security Teams, or
    – Your IT Security Teams, or
    – Your Trusted Advisory/Compliance Partner who can deliver an end-to-end Continuous SAP Application Security Compliance solution
• 42. What We’ll Cover …
  • Introduction
  • Why Segregation of Duties is not enough
  • 11 risks that could render your platform vulnerable
  • From the trenches – The current state of SAP security
  • Protecting our SAP platform
  • Wrap-up
• 43. Where to Find More Information
  • Onapsis Resources:
    – Other SAP Security Presentations: www.onapsis.com/research-presentations.php
    – Onapsis SAP Security In-Depth Publications: www.onapsis.com/research-publications.php
    – Onapsis Bizploit – Open-source GPL Project: www.onapsis.com/bizploit
  • BIZEC:
    – BIZEC TEC/11 Risks (Version 2.0, 2012): www.bizec.org/wiki/BIZEC_TEC11
• 44. Where to Find More Information (cont.)
  • Great SAP Resources:
    – Secure Configuration of SAP NetWeaver Application Server Using ABAP (SAP AG, 2012): http://scn.sap.com/docs/DOC-17149
    – Protecting SAP Applications Based on Java and ABAP Against Common Attacks (SAP AG, 2011): http://bit.ly/VagxSI *
    – Bjoern Brencher, “SAP Runs SAP – Remote Function Call: Gateway Hacking and Defense” (SAP TechEd, 2012)
    – SAP Security Web site: www.sap.com/security
  * Requires login credentials to the SAP Service Marketplace
• 45. 7 Key Points to Take Home
  • Our SAP platforms are natural targets for cyber attackers
  • Segregation of Duties controls are critical for the security of our SAP systems, but they are not enough
  • If the SAP Application Layer is not properly secured, cyber attackers that do not even have a user would be able to perform espionage, sabotage, and financial fraud attacks
  • Review whether your Platform is exposed to the 11 presented risks and mitigate them as soon as possible
  • Secure systems beyond PRD and implement a sustainable strategy
  • As Internal or External Auditors, we must address the SAP Application Layer risks. Otherwise, we may be signing off blindly.
  • If our XYZ-compliant SAP system gets hacked through a 5-year-old vulnerability, we are clearly doing something wrong
• 46. Your Turn!
  • Visit us at the Exhibit Hall for further discussions and live demos!
  • Mariano Nunez – Email: mnunez@onapsis.com – Twitter: @marianonunezdc
  • Please remember to complete your session evaluation
• 47. PwC Contacts
  • Alliance Director: Cynthia McConathy – Cynthia.McConathy@us.pwc.com
  • East:
    – Bob Clark, Philadelphia – clark@us.pwc.com
    – Sachin Mandal, New York – sachin.mandal@us.pwc.com
    – Greg Pillay, Florida – gregory.k.pillay@us.pwc.com
  • MidWest:
    – Sean Donahue, Milwaukee – sean.p.donahue@us.pwc.com
    – Dave Erickson, Chicago – dave.erickson@us.pwc.com
    – Mickey Roach, Dallas – mickey.roach@us.pwc.com
    – Tammy Wojtasiak, Minneapolis – tamara.wojtasiak@us.pwc.com
  • West:
    – Jamie Draper, San Francisco – james.draper@us.pwc.com
• 48. Disclaimer
  • SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.