implementing sap security in 5 steps

Invest in security to secure investments

Implemen'ng SAP security in 5 steps

Alexander Polyakov. CTO, ERPScan

About ERPScan

•  The only 360-‐degree SAP security solu'on: ERPScan Security Monitoring Suite for SAP

•  Leader by the number of acknowledgments from SAP ( 150+ ) •  60+ presenta=ons at key security conferences worldwide •  25 awards and nomina=ons •  Research team – 20 experts with experience in different areas

of security •  Headquarters in Palo Alto (US) and Amsterdam (EU)

2

Large enterprise sectors

•  Oil & Gas •  Manufacturing •  Logis'cs •  Finance •  Nuclear Power •  Retail •  Telecommunica'on •  etc.

3

•  The role of business applica'ons in a typical work environment •  The need to control them to op'mize business processes •  Scope for enormous reduc'on in resource overheads and other

direct monetary impact •  Poten'al problems that one can’t overlook •  The need to reflect on security aspects – is it overstated? •  Why is it a REAL and existent risk?

4

Business applica=ons

•  Espionage –  The^ of financial informa'on –  Corporate secret and informa'on the^ –  Supplier and customer list the^ –  HR data the^

•  Sabotage –  Denial of service –  Tampering of financial records and accoun'ng data –  Access to technology network (SCADA) by trust rela'ons

•  Fraud –  False transac'ons – Modifica'on of master data

5

What can the implica=ons be?

SAP

Вставьте рисунок на слайд, скруглите верхний левый и нижний правый угол (Формат – Формат рисунка), добавьте контур (оранжевый, толщина – 3)

6

•  The most popular business applica'on •  More than 263000 customers worldwide •  83% Forbes 500 companies run SAP •  Main system – ERP •  Main pla}orms

‒  SAP NetWeaver ABAP ‒  SAP NetWeaver J2EE ‒  SAP BusinessObjects ‒  SAP HANA ‒  SAP Mobile Pla}orm (SUP)

SAP security

•  Complexity Complexity kills security. Many different vulnerabili'es in all levels, from network to applica'on

•  Customiza=on Cannot be installed out of the box. A lot of (up to 50 %) custom code and business logic

•  Risky Rarely updated because administrators are scared of crashes and down'me

•  Unknown Mostly available inside the company (closed world)

h�p://erpscan.com/wp-‐content/uploads/pres/Forgo�en%20World%20-‐%20Corporate%20Business%20Applica'on%20Systems%20Whitepaper.pdf

7

Securing SAP

•  Have budget –  Find people and tools

•  Don’t have budget –  Try to show business how cri'cal it is

8

Ask 3rd par=es for

•  Whitepapers

•  Webinars from experts

•  SAAS scanning of external-‐facing systems

•  SAP penetra'on tes'ng •  Deep SAP security assessment

9

SAP security

10

1. Pentes'ng and Audit

Pentest – anonymous scan for SAP vulnerabili=es and ways to exploit them •  Analysis of exposed services (more than 20 possible) •  BlackBox analysis of installed applica'ons and vulnerabili'es •  Exploita'on of found vulnerabili'es •  Privilege escala'on •  Presenta'on report for management ü  Pentest can be a star'ng point for an SAP security project ü  Pentest can also be a final test a^er implementa'on

11

Pentest

Analysis of running services

•  Scan an external company network for SAP services

•  Scan internal SAP systems from the user or guest network

•  Scan internal SAP systems from the admin network

12

Remotely exposed services

13

0

5

10

15

20

25

30

35

SAP HostControl SAP Dispatcher SAP MMC SAP Message Server h�pd

SAP Message Server SAP Router

Exposed services 2011

Exposed services 2013

Internal access

•  Only these services should be open for user access –  Dispatcher or Message Server

–  Gateway (for some users)

–  ICM (for some users, if used)

14

Pentest JAVA

Examples of vulnerabili=es •  Auth bypass in CTC •  Anonymous user crea'on •  Anonymous file read •  Informa'on disclosure •  Unauthorized access to KM documents

15

Pentest ABAP

Examples of vulnerabili=es: •  Reginfo/Secinfo bypass •  Oracle database access bypass •  Buffer overflows •  Informa'on disclosure about files in MMC •  Unauthorized access to log files •  Injec'on of OS commands in SAPHostControl •  Dangerous web services •  Informa'on disclosure of parameters in Message Server HTTP

16

Full SAP security assessment

17

•  BlackBox vulnerability scan •  Penetra'on tes'ng •  WhiteBox configura'on scan

‒  Configura'on analysis ‒  Access control checks ‒  SAP Security Notes analysis ‒  Password complexity checks (bruteforce)

Configura=on analysis

18

•  Authen'ca'on (Password policies, SSO, users by different criteria)

•  Access control (Access to different web services, tables, transac'ons, insecure test services, unnecessary transac'ons and web applica'ons)

•  Encryp'on (SSL and SNC encryp'on) •  Monitoring (security audit log, system log and others) •  Insecure configura'on(all other security checks for par'cular

services: Gateway, Message Server, ITS, SAPGUI, Web Dispatcher, MMC, Host Control, Portal)

Access control

19

•  Users with cri'cal profiles •  Users with cri'cal roles •  Users with access to cri'cal tables •  Users with access to transport •  Users with access to development •  Users with access to user administra'on •  Users with access to system administra'on •  Users with access to HR func'ons •  Users with access to CRM func'ons •  …Specific access control checks for industry solu'ons

Vulnerability scan

20

•  Check for latest component versions •  Check for missing SAP Security Notes •  Correlate patches with SAP Security Notes •  Exploit vulnerabili'es to check if they really exist •  Risk management

SAP security

21

2. Compliance

Compliance

First of all, choose the one you want

•  Technical ‒  EAS-‐SEC ‒  SAP NetWeaver ABAP Security Configura'on

‒  ISACA (ITAF) ‒  DSAG

•  Industry ‒  PCI DSS ‒  NERC CIP

22

SAP security

23

Why do we need a new guide?

24

Business logic security (SoD) Prevents a4acks or mistakes made by insiders

Custom code security Prevents a4acks or mistakes made by developers

Applica=on pla^orm security Prevents unauthorized access both by insiders and remote a4ackers

3 areas of Business Applica=on Security

•  For web, we have OWASP, WASC

•  For network and OS, we have NIST, SANS •  But what about Enterprise Business Applica'ons?

25

Security guidelines

•  Ques'ons like "why?" and "what for?" are the alpha and omega of every research

•  The most frequent ques'on we were asked:

“Guys, you are awesome! You are doing a great job so far, finding so many problems in our installaCons. It's absolutely fantasCc, but we don’t know where to start solving them.

Could you provide us with top 10/20/50/100/[your favorite number] most criCcal bugs in every area?”

26

Why? (1)

•  We had to do something completely different from just Top 10 most cri'cal bugs

•  Even if you patch all vulnerabili'es, lots of problems could s'll remain: access control, configura'on, logs

•  The number one challenge is to understand all security areas of EAS and to have the opportunity to select several most cri'cal issues for every area

27

Why? (2)

Why? (3)

•  We started to analyze the exis'ng guidelines and standards –  High level policies: NIST,SOX,ISO,PCI-‐DSS –  Technical guides: OWASP, WASC, SANS 25, CWE –  SAP guides:

o  Configura'on of SAP NetWeaver® Applica'on Server Using ABAP by SAP o  ISACA Assurance (ITAF) by ISACA o  DSAG by German SAP User Group

•  Those standards are great, but, unfortunately, all of them have at least one big disadvantage

28

•  Guidelines made by SAP

•  First official SAP guide for technical security of ABAP stack

•  Secure Configura'on of SAP NetWeaver® Applica'on Server Using ABAP

•  First version in 2010, version 1.2 in 2012

29

SAP security guidelines

•  For rapid assessment of the most common technical pla}orm misconfigura'ons

•  Consists of 9 areas and 82 checks •  Ideal as a second step, gives more details for some standard

EAS-‐SEC areas h4p://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-‐509d-‐2d10-‐6fa7-‐9d3608950fee?overridelayout=true

30


•  Advantages: –  Very brief but quite comprehensive (only 9 pages) –  Covers applica'on pla}orm issues

–  Applicable for every ABAP based pla}orm (either ERP or Solu'on Manager or HR)

•  Disadvantages: –  82 checks is s'll a lot for a first brief look on secure configura'on –  Doesn’t cover access control issues and logging and misses some things

even in pla}orm security –  Gives people false sense of security if they cover all checks. But it

wouldn’t be completely true

31


•  Guidelines made by ISACA

•  Checks cover configura'on and access control areas •  The first most complete compliance

•  There were 3 versions published in 2002, 2006, 2009 (some areas are outdated now)

32

ISACA Assurance (ITAFF)

•  Technical part covers incomplete access control info and misses some cri'cal areas

•  The biggest advantage is the big database of access control checks

•  Consists of 4 parts and more than 160 checks

•  Ideal as a third-‐step-‐guide and very useful for its detailed coverage of access control

33


•  Advantages: –  Detailed coverage of access control checks

•  Disadvantages: –  Outdated –  Technical part is missing

–  Too many checks, can’t be easily used by a non-‐SAP specialist

–  Can’t be applied to any system without prior understanding of the business processes

–  Is officially available only as part of the book, or you should be at least an ISACA member to get it

34


•  Set of recommenda'ons from Deutsche SAP Uses Group

•  Checks cover all security areas, from technical configura'on and source code to access control and management procedures

•  Currently the biggest guideline about SAP security

35

DSAG

•  Last version in Jan 2011 •  Consists of 8 areas and 200+ checks •  Ideal as a final step for securing SAP but consists of many checks

which needs addi'onal decision making (highly depends on the installa'on)

h4p://www.dsag.de/fileadmin/media/Lei[aeden/110818_Lei[aden_Datenschutz_Englisch_final.pdf

36

DSAG

•  Advantages: –  Ideal as a final step for securing SAP. –  Great for SAP security administrators, covers almost all areas

•  Disadvantages: –  Same as ISACA: too big for a starter, and no help at all for security people

who are not familiar with SAP

–  Can’t be directly applied to every system without prior understanding of business processes. Many checks are recommenda'ons, and the users should think for themselves if they are applicable in each case

37

DSAG

38

Compliance

•  The authors' efforts were: –  to make this list as brief as possible –  to cover the most cri'cal threats for each area –  to make it easily used not only by SAP/ERP security experts but by every

security specialist –  to provide comprehensive coverage of all cri'cal SAP security areas

•  At the same 'me, to develop the most complete guide would be a never-‐ending story

•  So we implemented the 80/20 rule for SAP security

39

EAS-‐SEC

•  Developed by ERPScan •  First release 2010 •  Second edi'on 2013 (h�p://eas-‐sec.org ) •  3 main areas

–  Implementa'on assessment

–  Code review –  Awareness

•  Rapid assessment of Business Applica'on security

40

EAS-‐SEC

41

EASSEC-‐PVAG Access Cri=cality Easy to

exploit % of vulnerable systems

1. Lack of patch management Anonymous High High 99%

2. Default passwords for applica'on access Anonymous High High 95%

3. Unnecessary enabled func'onality Anonymous High High 90%

4. Open remote management interfaces Anonymous High Medium 90%

5. Insecure configura'on Anonymous Medium Medium 90%

6. Unencrypted communica'on Anonymous Medium Medium 80%

7. Access control and SOD User High Medium 99%

8. Insecure trust rela'ons User High Medium 80%

9. Logging and monitoring Administrator High Medium 98%

EASSEC Implementa=on Assessment

EAS-‐SEC for SAP NetWeaver ABAP

Enterprise ApplicaCon Systems ApplicaCon ImplementaCon – NetWeaver ABAP –  Developed by ERPScan: First standard in the EAS-‐SEC series

–  Published in 2013 h�p://erpscan.com/publica'ons/the-‐sap-‐netweaver-‐abap-‐pla}orm-‐vulnerability-‐assessment-‐guide/

–  Rapid assessment of SAP security in 9 areas

–  Contains 33 most cri'cal checks

–  Ideal as a first step

–  Also contains informa'on for next steps

–  Categorized by priority and cri'cality

42

Enterprise ApplicaCon Systems Vulnerability Assessment – for NetWeaver ABAP –  First standard in the EAS-‐SEC series

–  Rapid assessment of SAP security in 9 areas

–  Contains 33 most cri'cal checks

–  Ideal as a first step

–  Also contains informa'on for next steps

–  Categorized by priority and cri'cality

43

EAS-‐SEC for NetWeaver (EASSEC-‐PVAG-‐ABAP)

•  [EASAI-‐NA-‐01] Component updates •  [EASAI-‐NA-‐02] Kernel updated What’s next: Other components should be be updated separately –

SAProuter, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects. Also, OS and database

44

Lack of patch management

•  [EASAI-‐NA-‐03] Default password check for user SAP* •  [EASAI-‐NA-‐04] Default password check for user DDIC •  [EASAI-‐NA-‐05] Default password check for user SAPCPIC •  [EASAI-‐NA-‐06] Default password check for user MSADM •  [EASAI-‐NA-‐07] Default password check for user EARLYWATCH What’s next: A couple of addiConal SAP components, like old

versions of SAP SDM and SAP ITS, have default passwords. Ajer you check all default passwords, you can start bruteforcing for simple passwords

45

Default passwords

•  [EASAI-‐NA-‐08] Access to RFC-‐func'ons using SOAP interface •  [EASAI-‐NA-‐09] Access to RFC-‐func'ons using FORM interface •  [EASAI-‐NA-‐10] Access to XI service using SOAP interface What’s next: Analyze about 1500 other services which are

remotely enabled to see if they are really needed. Disable unused transacCons, programs and reports

46

Unnecessary enabled func=onality

•  [EASAI-‐NA-‐11] Unauthorized access to SAPControl service •  [EASAI-‐NA-‐12] Unauthorized access to SAPHostControl service •  [EASAI-‐NA-‐13] Unauthorized access to Message Server service •  [EASAI-‐NA-‐14] Unauthorized access to Oracle database What’s next: Full list of SAP services is available here:

TCP/IP Ports Used by SAP ApplicaCons. Also, take care of 3rd party services which can be enabled on this server

47

Open remote management interfaces

•  [EASAI-‐NA-‐15] Minimum password length •  [EASAI-‐NA-‐16] User locking policy •  [EASAI-‐NA-‐17] Password compliance to current standards •  [EASAI-‐NA-‐18] Access control to RFC (reginfo.dat) •  [EASAI-‐NA-‐19] Access control to RFC (secinfo.dat) What’s next: First of all, look to Secure ConfiguraCon of SAP

NetWeaver® ApplicaCon Server Using ABAP for detailed configuraCon checks. Ajerwards, pass through detailed documents for each and every SAP service and module h4p://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm

48

Insecure configura=on

•  [EASAI-‐NA-‐20] Users with SAP_ALL profile •  [EASAI-‐NA-‐21] Users which can run any program •  [EASAI-‐NA-‐22] Users which can modify cri'cal table USR02 •  [EASAI-‐NA-‐23] Users which can execute any OS command •  [EASAI-‐NA-‐24] Disabled authoriza'on checks What’s next: There are at least 100 criCcal transacCons only in

BASIS and approximately the same number in any other module. Detailed informaCon can be found in ISACA guidelines. Ajer that, you can start SegregaCon of DuCes

49

Access control and SoD conflicts

•  [EASAI-‐NA-‐25] Use of SSL for securing HTTP connec'ons •  [EASAI-‐NA-‐26] Use of SNC for securing SAP GUI connec'ons •  [EASAI-‐NA-‐27] Use of SNC for securing RFC connec'ons What’s next: Even if you use encrypCon, check how it is configured

for every encrypCon type and for every service because there are different complex configuraCons for each encrypCon type. For example, the latest a4acks on SSL (BEAST and CRIME) require companies to use more complex SSL configuraCons

50

Unencrypted connec=ons

•  [EASAI-‐NA-‐28] RFC connec'ons with stored authen'ca'on data •  [EASAI-‐NA-‐29] Trusted systems with lower security What’s next: Check other ways to get access to trusted systems,

such as database links, use of the same OS user, or use of similar passwords for different systems

51

Insecure trusted connec=ons

•  [EASAI-‐NA-‐30] Logging of security events •  [EASAI-‐NA-‐31] Logging of HTTP requests •  [EASAI-‐NA-‐32] Logging of table changes •  [EASAI-‐NA-‐33] Logging of access to Gateway What’s next: There are about 30 different types of log files in SAP.

Upon properly enabling the main ones, you should properly configure complex opCons, such as which specific tables to monitor for changes, what kind of events to analyze in security events log, what types of Gateway a4acks should be collected. Next step is to enable their centralized collecCon and storage and then add other log events

52

Logging and monitoring

53

Results

•  SAP Security in Figures 2011 •  SAP Security in Figures 2013 •  3000 vulnerabili'es in SAP •  SAP Security in Figures 2014 (coming soon)

54

Awareness

SAP security

55

3. Internal security and SoD

Internal security

•  Simple steps and sta's'cs

•  Cri'cal access •  Segrega'on of Du'es •  Op'miza'on and maintenance

56

Simple steps

•  Analyze sta's'cs –  Number of users in a role

o  0 – Role is not used o  >100 – Divide into different roles, check for cri'cal authoriza'ons

–  Number of authoriza'ons in a role

–  Number of authoriza'on objects in a role

57

Cri=cal access

•  There are different areas: HR, Basis, Fixed Assets, Material Management

•  Each of those roles has a list of cri'cal transac'ons and authoriza'ons (available in ISACA guidelines)

•  First of all, decrease the number of cri'cal roles

•  For example, users who can only modify the table USR02 can do everything they want!

58

Example of ac=ons and transac=ons

59

Cri=cal access op=miza=on

•  Obtain the list of roles with cri'cal access to par'cular transac'ons

•  Minimize roles •  Obtain the list of users with cri'cal access to par'cular

transac'ons •  Sort them by type/locking status/etc. •  Exclude administrators and superusers (and minimize them)

•  Minimize users

60

SoD analysis

•  Use default templates or customize them •  Obtain the list of business roles in a company •  Obtain the list of ac'ons in a par'cular role •  Assign transac'ons and authoriza'on objects to ac'ons •  Create or modify matrix (add risk values)

61

Business roles and ac=ons

62

Risk values

63

Analyzing SoD results

•  Result: –  List of users with cri'cal conflicts –  List of roles with cri'cal conflicts

•  Solving: –  Obtain roles with maximum number of segrega'ons –  Op'mize them –  Obtain users with maximum number of segrega'ons –  Op'mize them

64

Op=miza=on

•  You will get thousands of conflicts the first 'me

•  How to solve them quickly: –  Exclude all administrators (SAP_ALL)

–  Look at HOW exactly rights are assigned (all * values should be excluded)

–  Look at the history of executed transac'ons

65

SAP security

66

4. Source code security

ABAP

•  SAP uses ABAP, JAVA, and XSJX (for HANA) •  ABAP, as any other language, can have vulnerabili'es •  It can also be used for wri'ng backdoors •  Development inside the company is almost uncontrolled

•  Developer access to system == god in SAP

67

Source code review

•  EASAD-‐9 standard from a series of standards designed for Enterprise Applica'on Systems Security Assessment (EAS-‐SEC)

•  Full name:

–  Enterprise Applica'on Systems Applica'on Development

•  Describes 9 areas of source code issues for business languages •  Universal categories for different languages and systems (SAP,

Oracle, Dynamix, Infor, …)

•  Categorized based on cri'cality and exploita'on probability

68

EASAD – 9 categories

1.  Code injec'ons 2.  Cri'cal calls 3.  Missing authoriza'on checks 4.  Path traversal 5.  Modifica'on of displayed content 6.  Backdoors 7.  Covert channels 8.  Informa'on disclosure 9.  Obsolete statements

69

SAP security

70

5. Log management

71

SAP aeacks

Aeacks

•  It is very hard to make everything secure, so you need addi'onal monitoring

•  ACFE published a report about 7 % revenue losses from fraud in the USA

•  Examples that we saw: –  Salary modifica'on –  Material management fraud –  Mistakes

72

Backdoors in custom source code

73

SAP forensics

•  Real a�acks exist •  But there is not so much public info •  Companies are not interested in the publica'on of compromise •  But the main problem is here:

–  How can you be sure there was no compromise? –  Only 10% of systems have Security Audit Log enabled –  Only a few of them analyze those logs –  And much fewer do central storage and correla'on

74

Log sta=s=cs

•  Web access 70% •  Security audit log 10% •  Table logging 4% •  Message Server 2% •  SAP Gateway 2%

75

Log types

•  SAP Web Dispatcher – Security log •  SAP Web Dispatcher – HTTP log •  SAProuter log •  SAP Gateway log •  SAP Message Server log •  SAP Message Server HTTP Log •  SAP security audit log •  ABAP user changes log •  ABAP table changes log •  ABAP document changes log •  Trace files

76

SAP Security Logs

77

Name Default Central storage

SAP Web Dispatcher – Security Log Enabled No SAP Web Dispatcher – HTTP log Disabled No SAProuter log Disabled No SAP Gateway log Disabled No SAP Message Server log Disabled No SAP Message Server HTTP log Disabled No SAP security audit log Disabled CCMS? ABAP user changes log Enabled No ABAP table changes log Disabled No

ABAP document changes log Disabled No Trace files Disabled No Developer trace Enabled No

•  EAS-‐SEC: Recourse which combines –  Guidelines for assessing enterprise applica'on security –  Guidelines for assessing custom code –  Surveys about enterprise applica'on security

78

Defense

•  Cri'cal networks are complex •  System is as secure as its most insecure component •  Holis'c approach •  Check out eas-‐sec.org •  Check out erpscan.com

79

Conclusion

implementing sap security in 5 steps

Software

degree sap security