2. What We’ll Cover …
• Introduction
• Why Segregation of Duties is not enough
• 11 risks that could render your platform vulnerable
• From the trenches – The current state of SAP security
• Protecting our SAP platform
• Wrap-up
3. Cyber Attacks on SAP Systems: Why?
• In 2012, Cybercrime costs rose nearly 40 percent and attack
frequency doubled (Ponemon Institute)
Industrial espionage
State-sponsored attacks
• Why would someone attack our ERP platform?
It runs our business-critical processes
It stores our most sensitive information
Our organization is highly dependent on it
• Therefore, by nature, they are the perfect target for espionage,
sabotage, and financial fraud attacks
4. Espionage, Sabotage, and Financial Fraud
• Espionage
How much would the information stored in our SAP systems be
worth to our biggest competitor?
• Sabotage
How much money would we lose if our SAP system is taken
offline continuously, for several hours or even days?
• Financial fraud
What would be the economic impact if someone is able to
manipulate all our financial information and processes without
any kind of restrictions or controls?
5. Common (Dangerous) Misconceptions
• “Our SAP system is only accessible internally (trusted networks)”
We better check! Attackers can find SAP systems online using
simple Google queries and public search engines:
(screenshots of two public search-engine queries: 63,100 results and 4,470 results)
Internet is NOT the only untrusted network!
Outsourced contractors doing remote SAP administration
Our own end-user network! (Malicious employees, spear-phishing attacks, etc.)
6. Common (Dangerous) Misconceptions (cont.)
• “Our SAP system has never been hacked”
Can we really be sure?
Do we have the Security Audit Log enabled?
Do we have all the “other” logs enabled?
If so, are we reviewing them periodically?
• “SAP systems are intrinsically insecure/secure”
SAP systems are no different than any other software
Most of the commonly found security gaps can be
mitigated if customers follow the SAP security guidelines
and implement SAP Security Notes promptly
7. Common (Dangerous) Misconceptions (cont.)
• “We only need to audit/secure our Production systems”
“A chain is as strong as its weakest link”
Think like an attacker: How would you try to break in?
Go after the usually-audited, probably-more-secure
Production system? OR …
Break into a Development environment, and then “jump to”
Production (shared passwords, RFC pivoting, etc.)?
8. Common (Dangerous) Misconceptions (cont.)
• “The risk of our SAP system being attacked is low”
We are not fighting against “script kiddies,” but malicious
organizations with vast resources and capabilities
Information about SAP vulnerabilities has been in the public
domain for 10+ years!
9. Common (Dangerous) Misconceptions (cont.)
• “The risk of our SAP system being attacked is low” (cont.)
In October 2012, hacktivist group Anonymous claimed intent to
exploit SAP systems
It was the first time this kind of news hit the headlines
Anonymous claimed to have broken into the Greek Ministry
of Finance (to be confirmed) and mentioned:
“We have new guns in our arsenal.
A sweet 0day SAP exploit is in our hands
and oh boy we’re gonna sploit the hell out of it.”
11. Towards a Holistic SAP Security Approach
• “SAP Security” used to be a synonym of “Segregation of Duties
controls” for several years (a.k.a., user roles and profiles)
Auditing & Enforcing SoD controls is a critical piece of the SAP
platform’s security. The only problem is that it is not enough.
• An SAP system can be divided into several layers:
SAP Solution: SAP Business Logic, SAP Application Layer
Base Infrastructure: Database, Operating System
12. The SAP Application Layer
• SoD controls are only protecting the Business Logic layer!
• The SAP Application Layer (SAP NetWeaver®/BASIS) is critical,
and has been traditionally overlooked
Handles critical tasks and components such as authentication,
authorization, interfacing, audit logging, etc.
Successful attacks on this layer would result in a complete
compromise of the SAP system (SAP_ALL or equivalent)
13. The Evolution of SAP Security Notes
• Vulnerabilities discovered in SAP applications are patched by
SAP and released to customers as SAP Security Notes
• Each Security Note solves one or more vulnerabilities
(chart: number of SAP Security Notes released per year)
In September 2010, SAP started releasing Security
Notes periodically (2nd Tuesday of every month)
14. Anatomy of an SoD Violation Attack
(diagram: 3 - Access with Valid SAP User → 4 - High Privileges Obtained → 5 - Access to Sensitive Info/Process)
• Context:
• Attacker needs a valid user account
• This user must have high privileges
• Probability of detection: Med-High
15. Anatomy of an SAP Application Layer Attack
(diagram: 1 - Vulnerability Identified → 2 - Vulnerability Exploited → 4 - High Privileges Obtained → 5 - Access to Sensitive Info/Process)
• Context:
• Exploitation usually does not require a valid user account (anonymous!)
• Exploitation usually yields high privileges
• Probability of detection: Low
17. The BIZEC TEC/11
• BIZEC is a non-profit organization with the mission of analyzing
current and future threats affecting ERP systems
• Current initiatives covering SAP solutions:
APP/11: The most common ABAP security issues
TEC/11: The most common SAP Application Layer security
issues
• In this presentation, we will cover BIZEC TEC/11
18. 11 Risks Affecting the SAP Application Layer
• BIZEC TEC-01: MISSING SAP SECURITY NOTES
Risk:
The SAP platform is running based on technological
components whose versions are affected by reported
security vulnerabilities and the respective SAP Security
Notes have not been applied
Business Impact:
Attackers would be able to exploit reported security
vulnerabilities and perform unauthorized activities over the
business information processed by the affected SAP system
19. 11 Risks Affecting the SAP Application Layer (cont.)
• BIZEC TEC-02: STANDARD USERS WITH DEFAULT PASSWORDS
Risk:
Users created automatically during the SAP system
installation, or other administrative procedures, are
configured with default, publicly-known passwords
Business Impact:
Attackers would be able to log in to the affected SAP system
using a standard SAP user account. As these accounts are
usually highly privileged, the business information would be
exposed to espionage, sabotage, and fraud attacks.
20. 11 Risks Affecting the SAP Application Layer (cont.)
• BIZEC TEC-03: DANGEROUS SAP WEB APPLICATIONS
Risk:
The SAP Application Server is providing Web applications
with reported security vulnerabilities or sensitive
functionality (XSS, SQL Injection, Invoker Servlet detour,
Verb Tampering, XXE Tunneling, etc.)
Business Impact:
Attackers would be able to exploit vulnerabilities in such
Web applications, enabling them to perform unauthorized
activities over the business information processed by the
affected SAP system
21. 11 Risks Affecting the SAP Application Layer (cont.)
• BIZEC TEC-04: UNSECURED SAP GATEWAY
Risk:
The SAP Application Server’s Gateway is not restricting the
starting, registration, or cancellation of external RFC servers
Business Impact:
Attackers would be able to obtain full control of the SAP
system. Furthermore, they would be able to intercept and
manipulate interfaces used for transmitting sensitive
business information.
22. 11 Risks Affecting the SAP Application Layer (cont.)
• BIZEC TEC-05: UNSECURED SAP/ORACLE AUTHENTICATION
Risk:
The SAP ABAP Application Server authenticates to the
Oracle database through the external OS authentication
scheme, and the Oracle listener has not been secured
Business Impact:
Attackers would be able to obtain full control of the affected
SAP system’s database, enabling them to create, visualize,
modify and/or delete any business information processed by
the system
23. 11 Risks Affecting the SAP Application Layer (cont.)
• BIZEC TEC-06: INSECURE RFC INTERFACES
Risk:
The SAP environment is using insecure RFC connections
from systems of lower security-classification level to
systems with higher security-classification levels
Business Impact:
Attackers would be able to perform RFC pivoting attacks by
first compromising an SAP system with low security-classification
and, subsequently, abusing insecure interfaces to compromise
SAP systems with higher security-classification levels (i.e., from DEV to PRD)
24. 11 Risks Affecting the SAP Application Layer (cont.)
• BIZEC TEC-07: UNSECURED SAP MESSAGE SERVER
Risk:
The SAP System’s Message Server is not restricting the
registration of SAP Application Servers, therefore allowing
access to unauthorized systems
Business Impact:
Attackers would be able to register malicious SAP
Application Servers and perform man-in-the-middle attacks,
being able to obtain valid user access credentials and
sensitive business information. Attacks against user
workstations would also be possible.
25. 11 Risks Affecting the SAP Application Layer (cont.)
• BIZEC TEC-08: INSECURE SAP ADMINISTRATION AND
MONITORING SERVICES
Risk:
The SAP platform is not protected against unauthorized
access to sensitive administration or monitoring services,
such as the SAP Management Console, the P4 interface,
SDM, Solution Manager, Transport Management System, etc.
Business Impact:
Attackers would be able to access administration or
monitoring services and perform unauthorized activities over
the affected SAP systems, possibly leading to espionage
and/or sabotage attacks
26. 11 Risks Affecting the SAP Application Layer (cont.)
• BIZEC TEC-09: INSECURE SAP NETWORK FILTERING
Risk:
The SAP platform network is not properly isolated from
untrusted networks, both external and internal, and intrusion
detection/prevention systems have not been implemented
Business Impact:
Attackers would be able to access sensitive SAP network
services and possibly exploit vulnerabilities and unsafe
configurations in them, leading to the execution of
unauthorized activities over the affected SAP platform
27. 11 Risks Affecting the SAP Application Layer (cont.)
• BIZEC TEC-10: INSECURE SAPROUTER IMPLEMENTATION
Risk:
The SAProuter Route Permission Table is not properly
configured to allow connections only from/to authorized
systems and to restrict the use of native protocols, and/or
logging features are not properly configured
Business Impact:
Attackers would be able to access SAP and non-SAP
systems from untrusted networks, potentially launching
attacks to the reachable systems
28. 11 Risks Affecting the SAP Application Layer (cont.)
• BIZEC TEC-11: UNENCRYPTED COMMUNICATIONS
Risk:
The confidentiality and integrity of communications in the
SAP landscape is not enforced. These communications
comprise SAP-to-SAP connections as well as interactions
between SAP servers and external systems, such as user
workstations and third-party systems.
Business Impact:
Attackers would be able to access sensitive technical and
business information being transferred to/from the SAP
environment
30. From the Trenches
• It is critical to provide innovative solutions that help customers
continuously assess and protect their SAP systems,
complementing their existing SoD efforts
• A quick look: SAP Penetration Tests
The goal of these projects is to identify existing vulnerabilities
and understand the business impact of a cyber attack
Done without SAP user credentials
Were performed remotely (VPN)
Only informed of the IP addresses of the SAP systems (in
order to save time)
31. From the Trenches – The Results
• Over 95% of the evaluated systems were exposed to espionage,
sabotage, and fraud attacks
• Less than 5% of them had the Security Audit features enabled
• None of them had the latest SAP Security Notes applied
• In most cases, the attack vectors that led to the initial
compromise resulted from the exploitation of vulnerabilities that
had been publicly known for more than 5 years
33. Protecting Our SAP Platform
• The good news is that it is possible to significantly reduce the
probability of successful cyber attacks to our SAP platforms
• From a ROI perspective, it is better to focus on mitigating the
threats that would result in the initial compromise. Once an
attacker has full control, it is very difficult to stop him.
• SAP is doing a great job and has significantly boosted its
initiatives into providing more open and detailed Standards and
Guidelines, specifically focused on the aspects we covered in this
presentation
34. Protecting Our SAP Platform (cont.)
• We have to approach the security of the SAP platform holistically:
All the layers (OS, DB, SAP Application Layer, SAP Business
Logic) must be protected. Failing to secure one would
jeopardize the security of the entire system.
• We have to secure the entire Platform:
Every Landscape in the organization
Every System in each Landscape (not just PRD)
Every Client in each System (not just the Production one)
Every Application Server in each System (not just the CI)
Every security-relevant parameter of the 1,500+ available (ABAP
systems)
35. Tips for Mitigating the 11 Risks
• Please bear in mind that these are only high-level guidelines!
Mitigating each of these risks requires a deeper analysis.
• BIZEC TEC-01: MISSING SAP SECURITY NOTES
Design and implement an SAP Security Patching Strategy,
defining a process to:
1. Identify which SAP Security Notes do affect your platform
2. Prioritize them according to risk (and remediation effort)
3. Implement them in QA environments and roll out to PRD
Define an “SAP Security Patching” SLA with your
contractors or internal teams to ensure protection
36. Tips for Mitigating the 11 Risks (cont.)
• BIZEC TEC-02: STANDARD USERS WITH DEFAULT PASSWORDS
Secure all the default and standard users in ALL the clients of
your SAP systems
• BIZEC TEC-03: DANGEROUS SAP WEB APPLICATIONS
Evaluate which Web Applications your Business really needs.
Disable any unnecessary ones. Deploy an IDS/IPS.
• BIZEC TEC-04: UNSECURED SAP GATEWAY
Monitor existing connections to the Gateway for a period of
time. Create initial secinfo and reginfo files. Only allow required
interfaces from trusted systems.
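The TEC-04 tip above says to create initial secinfo and reginfo files that only allow required interfaces from trusted systems. As an added example (not from the presentation or any SAP tool), the linter below parses Gateway access-control files in the VERSION=2 syntax and reports the permissive rules to look for: wildcard TP/HOST permits, wildcard ACCESS/CANCEL rights, and a missing final deny rule. The file contents, program name and hostname are constructed placeholders.

```python
"""
Added example: lint SAP Gateway secinfo/reginfo files for permissive rules.
Sample file contents below are constructed for illustration only.
"""
import re

# Constructed reginfo as often found right after installation: any program
# may register from any host, and any host may use or cancel it.
WEAK_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

# Constructed hardened reginfo: one named external RFC server from one named
# host (placeholders), local programs, then an explicit deny for everything else.
HARDENED_REGINFO = """#VERSION=2
P TP=EXAMPLE_RFC_SERVER HOST=rfchost01.example.local ACCESS=internal CANCEL=internal
P TP=* HOST=local ACCESS=local CANCEL=local
D TP=* HOST=* ACCESS=* CANCEL=*
"""

RULE_RE = re.compile(r"^(?P<action>[PD])\s+(?P<attrs>\S+=\S+(?:\s+\S+=\S+)*)$")
# Keywords that scope a rule to the system itself rather than to any host.
SELF_HOSTS = {"local", "internal"}

def parse_rules(text):
    """Return [(action, {KEY: value}), ...], skipping blank and comment lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: %r" % line)
        attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split())
        rules.append((m.group("action"), attrs))
    return rules

def lint(text):
    """Return a list of findings; an empty list means no permissive rule found."""
    findings = []
    rules = parse_rules(text)
    for action, attrs in rules:
        if action != "P":
            continue
        host, tp = attrs.get("HOST", "*"), attrs.get("TP", "*")
        if host == "*":
            findings.append("any host may use/register TP=%s" % tp)
        elif tp == "*" and host not in SELF_HOSTS:
            findings.append("any program allowed from HOST=%s" % host)
        for key in ("ACCESS", "CANCEL", "USER-HOST"):
            if attrs.get(key) == "*":
                findings.append("%s=* grants the right to all hosts for TP=%s" % (key, tp))
    # Rules are evaluated top-down, so the file should close with an explicit deny.
    if not rules or rules[-1][0] != "D":
        findings.append("no final explicit deny rule (D TP=* HOST=*)")
    return findings
```

Run `lint()` over the files exported from each application server; the hardened sample yields no findings, the weak one lists every wildcard and the missing deny.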
37. Tips for Mitigating the 11 Risks (cont.)
• BIZEC TEC-05: UNSECURED SAP/ORACLE AUTHENTICATION
Configure the Oracle listener to accept connections from SAP
instances and trusted systems. Firewall the SAP network!
• BIZEC TEC-06: INSECURE RFC INTERFACES
Analyze your RFC Destinations and check for stored logon
credentials, encryption, profiles at target systems, etc.
• BIZEC TEC-07: UNSECURED SAP MESSAGE SERVER
Configure the Message Server’s ACL to only accept
connections from the System’s instances. Configure separate
ports for internal and user connections.
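The TEC-06 tip above asks you to analyze RFC destinations for stored logon credentials and encryption; TEC-06 itself describes pivoting from a lower-classified system into a higher-classified one. As an added example (not from the presentation), the review below applies that rule to a constructed list of destinations. The record shape (source system, target system, stored logon, trusted relationship, SNC flag) and the DEV < QAS < PRD ranking are assumptions, not an SAP export format.

```python
"""
Added example: flag RFC destinations that enable the TEC-06 pivoting pattern.
The destinations and the classification ranking are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed security-classification ranking of the landscape's systems.
CLASSIFICATION = {"DEV": 1, "QAS": 2, "PRD": 3}

@dataclass
class RfcDestination:
    name: str
    source: str          # system in which the destination is defined
    target: str          # system the destination points to
    stored_logon: bool   # user and password saved in the destination
    trusted: bool        # trusted/trusting system relationship is used
    snc: bool            # SNC protects the connection

# Constructed sample landscape (names and flags are illustrative only).
DESTINATIONS = [
    RfcDestination("PRD_FROM_DEV", "DEV", "PRD", stored_logon=True, trusted=False, snc=False),
    RfcDestination("PRD_TRUST_QAS", "QAS", "PRD", stored_logon=False, trusted=True, snc=False),
    RfcDestination("DEV_FROM_PRD", "PRD", "DEV", stored_logon=True, trusted=False, snc=False),
    RfcDestination("PRD_TO_PRD_SNC", "PRD", "PRD", stored_logon=True, trusted=False, snc=True),
    RfcDestination("QAS_NOLOGON", "DEV", "QAS", stored_logon=False, trusted=False, snc=False),
]

def classify(dest):
    """Return the findings for one destination; an empty list means nothing flagged."""
    findings = []
    src = CLASSIFICATION.get(dest.source, 0)
    tgt = CLASSIFICATION.get(dest.target, 0)
    upward = tgt > src   # lower-classified system reaching a higher-classified one
    if upward and dest.stored_logon:
        findings.append("pivot: stored credentials from %s into higher-classified %s"
                        % (dest.source, dest.target))
    if upward and dest.trusted:
        findings.append("pivot: trusted relationship lets a compromised %s log on to %s"
                        % (dest.source, dest.target))
    if not dest.snc and (dest.stored_logon or dest.trusted):
        # Credentials or trusted sessions travel over unencrypted RFC (see TEC-11).
        findings.append("credentials/sessions over unencrypted RFC (no SNC)")
    return findings

def review(destinations):
    """Map destination name -> findings, listing only destinations with findings."""
    report = {}
    for dest in destinations:
        findings = classify(dest)
        if findings:
            report[dest.name] = findings
    return report
```

A destination without stored credentials or trust (QAS_NOLOGON) is not flagged even though it points upward, because it gives a compromised source nothing to pivot with.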
38. Tips for Mitigating the 11 Risks (cont.)
• BIZEC TEC-08: INSECURE SAP ADMINISTRATION AND
MONITORING SERVICES
Disable/restrict access to administration services from
untrusted systems
• BIZEC TEC-09: INSECURE SAP NETWORK FILTERING
Implement external and internal DMZs for the SAP platform.
Deploy SAP-specialized Intrusion Detection and Prevention
solutions.
39. Tips for Mitigating the 11 Risks (cont.)
• BIZEC TEC-10: INSECURE SAPROUTER IMPLEMENTATION
Ensure the Route Permission Table only allows connections
from/to authorized systems and ports. Do not use “P”, but “S”
rules. Enable logging.
• BIZEC TEC-11: UNENCRYPTED COMMUNICATIONS
Implement SNC between SAP clients and SAP servers, and
between SAP servers and untrusted networks
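The TEC-10 tip above says the Route Permission Table should only allow connections from/to authorized systems and ports, using S rather than P rules. As an added example (not from the presentation or from SAProuter itself), the checker below parses a saprouttab and reports P entries (which also admit native protocols), wildcard hosts, wildcard ports and a missing final deny entry. The tables, subnet and hostname are constructed placeholders.

```python
"""
Added example: check a SAProuter Route Permission Table (saprouttab) for the
weaknesses named on the TEC-10 slide. Table contents are constructed samples.
"""
# Constructed permissive table: any source may reach any host and port,
# with native (non-SAP) protocols allowed as well.
WEAK_SAPROUTTAB = """P * * *
"""

# Constructed hardened table: SAP GUI (DIAG, port 3200) and RFC (port 3300)
# from one administration subnet to one production host; everything else denied.
HARDENED_SAPROUTTAB = """# admin subnet -> PRD instance 00 (placeholders)
S 10.10.5.* sapprd01.example.local 3200
S 10.10.5.* sapprd01.example.local 3300
D * * *
"""

ACTIONS = {"P", "S", "D", "KP", "KS", "KD"}   # K* variants require SNC

def parse_saprouttab(text):
    """Return a list of dicts (action, src, dst, port); comments start with '#'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ACTIONS:
            raise ValueError("unparseable entry: %r" % raw)
        rules.append({"action": parts[0], "src": parts[1], "dst": parts[2], "port": parts[3]})
    return rules

def check(text):
    """Return findings for a saprouttab; an empty list means nothing flagged."""
    findings = []
    rules = parse_saprouttab(text)
    for i, r in enumerate(rules, 1):
        if r["action"] in ("P", "KP"):
            findings.append("entry %d: %s permits native protocols; prefer S/KS" % (i, r["action"]))
        if r["action"].endswith("D"):
            continue   # deny entries may legitimately use wildcards
        if r["src"] == "*":
            findings.append("entry %d: any source host" % i)
        if r["dst"] == "*":
            findings.append("entry %d: any destination host" % i)
        if r["port"] == "*":
            findings.append("entry %d: any destination port" % i)
    # Entries are matched top-down, so the table should end with an explicit deny.
    if not rules or not rules[-1]["action"].endswith("D"):
        findings.append("no final deny entry (D * * *)")
    return findings
```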
40. Where Do I Start?
• Implementing a Sustainable SAP Security Strategy
Performing an SAP Application Security Assessment to
understand the current exposure is a good start
However, as you know, security is not a state, but a process
Highest ROI will come from establishing a continuous
assessment and remediation strategy
Assessing the SAP platform at least once a month,
after each SAP Security Patch Day
41. Where Do I Start? (cont.)
• Therefore, these activities must be run periodically. The most
cost-effective solution is through automation.
• But … who ensures these products are actually used and properly
configured, and who follows up on the findings?
Your internal SAP Security Teams, or
Your IT Security Teams, or
Your Trusted Advisory/Compliance Partner who can deliver an
end-to-end Continuous SAP Application Security Compliance
solution
43. Where to Find More Information
• Onapsis Resources:
Other SAP Security Presentations
www.onapsis.com/research-presentations.php
Onapsis SAP Security In-Depth Publications
www.onapsis.com/research-publications.php
Onapsis Bizploit – Opensource GPL Project
www.onapsis.com/bizploit
• BIZEC:
BIZEC TEC/11 Risks (Version 2.0, 2012).
www.bizec.org/wiki/BIZEC_TEC11
44. Where to Find More Information (cont.)
• Great SAP Resources:
Secure Configuration of SAP NetWeaver Application Server
Using ABAP (SAP AG, 2012).
http://scn.sap.com/docs/DOC-17149
Protecting SAP Applications Based on Java and ABAP Against
Common Attacks (SAP AG, 2011).
http://bit.ly/VagxSI *
Bjoern Brencher, “SAP Runs SAP – Remote Function Call:
Gateway Hacking and Defense” (SAP TechEd, 2012).
SAP Security Web site – www.sap.com/security
* Requires login credentials to the SAP Service Marketplace
45. 7 Key Points to Take Home
• Our SAP platforms are natural targets for cyber attackers
• Segregation of Duties controls are critical for the security of our
SAP systems, but they are not enough
• If the SAP Application Layer is not properly secured, cyber
attackers that do not even have a user would be able to perform
espionage, sabotage, and financial fraud attacks
• Review if your Platform is exposed to the 11 presented risks and
mitigate them as soon as possible
• Secure systems beyond PRD and implement a sustainable
strategy
• As Internal or External Auditors, we must address the SAP
Application Layer risks. Otherwise, we may be signing-off blindly.
• If our XYZ-compliant SAP system gets hacked through a 5-year-old
vulnerability, we are clearly doing something wrong
46. Your Turn!
Visit us at the Exhibit hall for further discussions and live demos!
Mariano Nunez
Email: mnunez@onapsis.com
Twitter: @marianonunezdc
Please remember to complete your session evaluation
47. PwC Contacts
Alliance Director:
Cynthia McConathy Cynthia.McConathy@us.pwc.com
East:
Bob Clark, Philadelphia clark@us.pwc.com
Sachin Mandal, New York sachin.mandal@us.pwc.com
Greg Pillay, Florida gregory.k.pillay@us.pwc.com
MidWest
Sean Donahue, Milwaukee sean.p.donahue@us.pwc.com
Dave Erickson, Chicago dave.erickson@us.pwc.com
Mickey Roach, Dallas mickey.roach@us.pwc.com
Tammy Wojtasiak, Minneapolis tamara.wojtasiak@us.pwc.com
West
Jamie Draper, San Francisco james.draper@us.pwc.com
48. Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and
service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.