Assess and monitor SAP security
Transcript of Assess and monitor SAP security
Invest in security to secure investments
Assess and Monitor SAP Security with ERPScan
About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 Awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
ERPScan and SAP
“We would like to thank the world-class security experts of ERPScan for the highly qualified job performed to help us assess the security of our pre-release products”.
Senior Director, Head of Global Security Alliance Management, Product Security, Technology and Innovation Platform, SAP Labs, Palo Alto, USA
Business application security
All business processes are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in a company’s ERP. This information can include financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at a victim’s ERP system and cause significant damage to the business.
Big companies
[Diagram: the ERP at the centre of a big company’s landscape, surrounded by Portal, HR, Logistics, Warehouse, Billing, BI, CRM, SRM, Industry, Branches and the external parties Suppliers, Customers, Banks, Insurance and Partners]
SAP
• The most popular business application
• More than 250000 customers worldwide
• 83% of Forbes 500 companies run SAP
• Main system – ERP
• Platforms
- NetWeaver ABAP
- NetWeaver J2EE
- BusinessObjects
- SAP HANA
SAP Security threats
Espionage
• Financial Data, Financial Planning (FI)
• HR data, personal, contact details (HR)
• Customer Lists
• Corporate Secrets (PLM)
• Supplier tenders (SRM)
• Customer Lists (CRM)
Cyber criminals need only to gain access to one of the described systems to successfully steal critical information.
SAP Security threats
Sabotage
• Denial of Service
– Incurs huge costs
• Data modification to cause damage
– Delete critical information
• SCADA Connections
– Common to see connections between ERP and SCADA/MES/SmartGrid
SAP Security threats
Fraud
• Manipulate automated transaction systems
• Generate false payments
• Move money
• Salary modification
• Material management fraud
• Mistaken transactions
The Association of Certified Fraud Examiners estimates that corporations on average lose 6% of revenue to fraud (2013)
[Bar chart: number of SAP Security notes per year, 2001 to 2014; vertical axis 0 to 900]
By April 2014 - 2974 SAP Security notes
SAP Security notes
DEMO
Attacks?
What can be next?
• Just imagine what could be done by breaking:
• One ERP system
• All Business applications of a company
• All ERP Systems in a particular country
Ease of development
It is very easy, by the way
• Price of vulnerability is low
• Patching is a nightmare
• Generating an exploit is easy
• Interconnection is high
• Availability via the Internet
SAP NetWeaver ABAP - versions
[Pie chart “NetWeaver ABAP versions by popularity”; shares shown: 35%, 23%, 19%, 11%, 6%, 5%; releases shown: 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004)]
The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!
Systems are highly interconnected
• Systems are highly connected with each other by trust relationships
• Even between companies they are connected by XI/PI systems
• Remember also SSRF? (Attack on SAP XI from BlackHat)
• http://cwe.mitre.org/data/definitions/918.html
• Second place in Top 10 web application techniques 2012
• Allows bypassing firewall restrictions and directly connecting to protected systems via connected systems
DEMO
Business applications on the Internet
• Companies have Portals, SRMs, CRMs remotely accessible
• Companies connect different offices by ESB
• SAP users are connected to SAP via SAPRouter
• Administrators open management interfaces to the Internet for remote control
Business applications on the Internet
SAP HTTP Services can be easily found on the Internet:
• inurl:/irj/portal
• inurl:/IciEventService sap
• inurl:/IciEventService/IciEventConf
• inurl:/wsnavigator/jsps/test.jsp
• inurl:/irj/go/km/docs/
SAP Router
• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
• Internet accessible (approximately 5000 IPs)
• http://www.easymarketplace.de/saprouter.php
SAP Router: known issues
• Absence of ACL – 15%
– Possible to proxy any request to any internal address
• Information disclosure about internal systems – 19%
– Denial of service by specifying many connections to any of the listed SAP servers
– Proxy requests to the internal network if there is an absence of ACL
• Insecure configuration, authentication bypass – 5%
• Heap corruption vulnerability – 85%
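As an added example (not ERPScan’s or SAP’s code), the following Python script parses a SAProuter route permission table (saprouttab) and checks whether it leaves the “absence of ACL” gap described above; the entry format is simplified and the two sample tables are constructed.

```python
"""Evaluate a SAProuter route permission table (saprouttab) against a route
request, to spot the "absence of ACL" case from the slide above.
Added example, not ERPScan or SAP code. Simplifying assumptions: only the
P (permit), D (deny) and S (permit, SNC only) entry types; hosts written as an
IP, a CIDR network or '*'; ports as a number or '*'; first matching entry wins;
a request that matches no entry is denied."""
import ipaddress

def parse_saprouttab(text):
    """Return a list of (type, source, destination, service) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("P", "D", "S"):
            raise ValueError(f"malformed saprouttab entry: {line!r}")
        rules.append(tuple(fields[:4]))  # an optional password column is ignored
    return rules

def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
    return pattern == host

def decide(rules, src, dst, port):
    """Return 'permit', 'deny' or 'permit-snc' for a route from src to dst:port."""
    for rtype, rsrc, rdst, rport in rules:
        if (_host_matches(rsrc, src) and _host_matches(rdst, dst)
                and rport in ("*", str(port))):
            return {"P": "permit", "D": "deny", "S": "permit-snc"}[rtype]
    return "deny"  # no matching entry: refused (assumed default)

def open_proxy_entries(rules):
    """Permit entries with any source and any destination: the missing-ACL case."""
    return [r for r in rules if r[0] in ("P", "S") and r[1] == "*" and r[2] == "*"]

# Constructed tables: one that proxies anything, one restricted to a VPN range.
WEAK_TAB = "P * * *\n"
GOOD_TAB = """
# constructed sample: only the VPN range may reach the PRD dispatcher port
P 10.10.0.0/16  10.20.1.5  3200
D *  *  *   # explicit catch-all deny
"""
```

Running `open_proxy_entries` over a production table is a quick way to find the “P * * *” entries that turn the router into an open proxy to the internal network.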
Port scan results
• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not
• In 2011, we ran a global project to scan all of the Internet for SAP services
• It is not completely finished yet, but we have the results for the top 1000 companies
• We were shocked when we saw them first
Port scan results
[Bar chart of exposed services, “Exposed services 2011” versus “Exposed services 2013” (vertical axis 0 to 35), for: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router]
Listed services should not be accessible from the Internet
Why?
Why are there not many public examples of breaches, if the situation is so bad?
Examples
• Fraud – very popular inside companies, but you see only some incidents (nobody wants to share)
• Sabotage – at this moment maybe easier to DDoS than DoS, but we will see
• Espionage – this is what we don’t see much of, because it is designed to be unseen. You never know about it, especially if you don’t enable logging
SAP Security Forensics
• There is not so much info in public
• Companies are not interested in publication of compromise
• But the main problem is here:
– How can you be sure that there was no compromise?
– Only 10% of systems have the Security Audit Log enabled
– Only a few of them analyze those logs
– And much fewer do central storage and correlation
* Based on the assessment of over 250 servers of companies that allowed us to share results.
Percent of enabled log options
• ICM log (icm/HTTP/logging_0) – 70%
• Security audit log in ABAP – 10%
• Table access logging (rec/client) – 4%
• Message Server log (ms/audit) – 2%
• SAP Gateway access log – 2%
* Based on the assessment of over 250 servers of companies that allowed us to share results.
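As an added example (not ERPScan’s code), the following Python script parses an SAP profile file and reports which of the five logging options above are switched on; the sample profile and the rules for what counts as “enabled” are constructed assumptions, while the parameter names are the real SAP profile parameters.

```python
"""Check which of the logging options listed on the slide above are switched on
in an SAP profile file. Added example, not ERPScan code. The parameter names are
the real SAP profile parameters; the sample profile and the "enabled" tests are
constructed, simplified assumptions for illustration."""
import re

# One entry per logging option on the slide: parameter -> "is it enabled?" test
LOGGING_CHECKS = {
    "icm/HTTP/logging_0": lambda v: v is not None and "LOGFILE=" in v.upper(),
    "rsau/enable": lambda v: v == "1",                # Security Audit Log (ABAP)
    "rec/client": lambda v: v not in (None, "OFF"),   # table change logging
    "ms/audit": lambda v: v not in (None, "0"),       # Message Server audit log
    "gw/logging": lambda v: v is not None and "ACTION=" in v.upper(),  # Gateway log
}

def parse_profile(text):
    """Parse 'param = value' lines of an instance or default profile.
    '#' lines are comments; the last assignment of a parameter wins."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^=\s]+)\s*=\s*(.*)", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit_logging(params):
    """Return {parameter: True/False} for each logging option on the slide."""
    return {name: bool(check(params.get(name))) for name, check in LOGGING_CHECKS.items()}

def missing_logs(params):
    """Names of the logging options that are not enabled, for a report."""
    return [name for name, on in audit_logging(params).items() if not on]

# Constructed sample profile: only the ICM log and table logging are switched on,
# which mirrors the typical picture on the slide (ICM log common, the rest rare).
SAMPLE_PROFILE = """
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = PRD
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=icmhttp.log,MAXSIZEKB=10240
rec/client = ALL
rsau/enable = 0
ms/audit = 0
"""
```

Note that rsau/enable only switches on the kernel side of the Security Audit Log; audit filters (transaction SM19) must also be active, which a profile file alone cannot show.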
SAP Security Problems
• How to protect ourselves from fraud and cyber-activities?
• How to automate security checks for big landscapes?
• How to decrease costs?
• How to prioritize updates?
3 areas of SAP Security
2002
• Business logic security (SOD)
• Prevents attacks or mistakes made by insiders.
• Solution: GRC
2008
• ABAP Code security
• Prevents attacks or mistakes made by developers
• Solution: Code audit
2010
• Application platform security.
• Prevents unauthorized access both within the corporate network and from remote attackers.
• Solution?
Long-awaited product
The only solution in the market to assess 3 tiers of SAP Security
[Diagram: Connectors (JAVA), Control and Output around the three modules: Security audit module, ABAP code scan module, SOD module]
ERPScan Security Monitoring Suite
[Architecture diagram; labels as extracted: ABAP code security analysis; Connectors: ABAP, JAVA, Router, HANA, Oracle; Output interfaces: Metrics, Risk assessment, Compliance, Reports; Control functions: Users, Projects, Inventory, Monitoring; Audit: Misconfigurations, Vulnerabilities, Critical access; ABAP code scan: Vulnerabilities, Backdoors, Efficiency; SoD: Role optimization, SoD, Critical privileges]
ERPScan in details
Audit Module
• System enumeration
• Anonymous scan (pentest)
• Exploitation
• Whitebox scan
• Configuration analysis
• Access Control
• Search for vulnerabilities
• Compliance: SAP, ISACA, DSAG, EAS-SEC, PCI DSS, Industry (Oil and Gas)
Incredible Speed: our completely revised engine can now analyze an SAP system with 5000 users for critical access and SOD matrix in 5-10 minutes on a good PC!
DEMO ABAP code audit module
ABAP Source code checks (120 different issues)
1. Critical kernel calls
2. Missing Auth in
 1. Transaction calls
 2. Report calls
 3. Table Reads
3. SQL Injections
4. Backdoors
5. Access to OS
6. Missing comments
+ Preconfigured critical functions
+ Improved dataflow analysis
+ Customizable critical functions
DEMO SOD
• Critical authorizations by business area
– BASIS (ISACA list)
– Revenue (ISACA list)
– Fixed Assets (mixed list)
– HR (mixed list)
• SOD
– Predefined matrix
– Custom matrix
• Role Optimization
+ Industry Solutions
Monitor
Monitor
• Compare results from different scans
• Obtain high-level stats
• Monitor security events
The built-in monitoring capability helps you effectively manage the dynamics between different scans. You can schedule monitoring for the most critical parameters of SAP systems.
Business benefits: Stay secure
• Prevent from cybercriminals – by continuously monitoring key security areas and automatic vulnerability assessment.
• Prevent from insiders – by using our SOD module and analyzing all critical privileges and their segregations.
• Prevent from developer mistakes – by code review of custom transactions and reports
Business benefits: Save time
• Easy implementation – in less than one hour you can start work after installing the system as software, a virtual appliance or SaaS.
• Fast scans – with our new engine you can analyze more than 7000 parameters in 5 minutes
• Scalability – you can effectively monitor a huge number of systems from various locations and easily manage them from anywhere using a web browser
Business benefits: Decrease expenses
• Save on Compliance – with integrated compliance modules on key recommendations from SAP, ISACA, DSAG and OWASP
• Save on manual assessment – with automatic monitoring of all security-related options
• Save on SAP security education – by using the integrated built-in knowledge base about SAP Security with detailed information and remediation steps
Getting better every day
• More than 7300 configuration checks
• More than 2600 vulnerability checks
• More than 110 issues in ABAP
Analysis of misconfigurations, vulnerabilities and critical authorizations for ABAP, JAVA, HANA
Sponsoring and PresenAng
ERPScan featured in
Awards
About us
• Leading SAP AG partner in discovering and solving security vulnerabilities
• Found more than 250 (120 published) security vulnerabilities in SAP
• Frequent speakers at 50+ top security conferences: BlackHat, RSA
• Leads the EAS-SEC project focused on technical aspects of ERP security
The company expertise is based on research conducted by the ERPScan research center
And also
We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you feel that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
web: erpscan.com e-mail: [email protected], [email protected]