
CYBER-ATTACKS & SAP SYSTEMS

Is our business-critical infrastructure exposed?


by Mariano Nunez
mnunez@onapsis.com

Black Hat Europe 2012 Briefings

Abstract

Global Fortune 1000 companies, large governmental organizations and defense entities have something in common: they rely on SAP platforms to run their business-critical processes and information. In this scenario, cyber criminals looking to perform espionage, sabotage or financial fraud attacks know that these systems are keeping the business crown jewels. But how difficult is it for them to break into an SAP system today? Are we properly protecting the business information, or are we exposed? Five years ago, we were invited to hold the first public presentation on real-world cyber threats to SAP systems at BlackHat Europe 2007. Since then, we have performed specialized Penetration Tests against the SAP platforms of several of the largest organizations in the world, enabling us to give an educated answer to those questions. This white paper analyzes how the "SAP security" concept has evolved over the last years and whether organizations are staying ahead of the real-world threats affecting their SAP platforms.

Copyright 2012 Onapsis, Inc. - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Onapsis, Inc. Onapsis offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Onapsis makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

TABLE OF CONTENTS

1. Introduction
2. A Dangerous Status-quo
2.1. What "SAP security" used to be five years ago
2.2. The forgotten layer
2.3. A different (higher) risk profile
2.4. A rising threat
3. SAP Systems on the Internet
3.1. Public information in search engines
3.2. Beyond SAP Web applications
4. The Insider Threat
5. From the Trenches: The Current Security Level of SAP Implementations
6. The TOP-11 vulnerabilities affecting the SAP Infrastructure
6.1. BIZEC TEC-01: Vulnerable Software in Use
6.2. BIZEC TEC-02: Standard Users with Default Passwords
6.3. BIZEC TEC-03: Unsecured SAP Gateway
6.4. BIZEC TEC-04: Unsecured SAP/Oracle authentication
6.5. BIZEC TEC-05: Insecure RFC interfaces
6.6. BIZEC TEC-06: Insufficient Security Audit Logging
6.7. BIZEC TEC-07: Unsecured SAP Message Server
6.8. BIZEC TEC-08: Dangerous SAP Web Applications
6.9. BIZEC TEC-09: Unprotected Access to Administration Services
6.10. BIZEC TEC-10: Insecure Network Environment
6.11. BIZEC TEC-11: Unencrypted Communications
7. Defending the SAP Platform: Protecting our Business-critical Infrastructure
7.1. The Challenges
7.2. SAP Security - Who is responsible?
8. Conclusions
About Onapsis

Note: In order to find the latest version of this white-paper, please check the Onapsis Research Labs website at http://www.onapsis.com/

Cyber-Attacks & SAP Systems - Black Hat Europe 2012 Briefings

1. INTRODUCTION

Global Fortune-1000 companies, large governmental entities and defense agencies have something in common: most of them rely on SAP systems to run their business-critical processes and information. Key processes such as sales, invoicing, manufacturing, procurement, human resources management and financial planning are managed and processed by systems running SAP software. This critical nature is what makes them highly attractive for cyber-criminals and cyber-terrorists: if a malicious party is able to compromise an organization's SAP platform, he would be able to engage in espionage, sabotage and financial fraud attacks with severe implications for the business. This white-paper analyzes how the SAP security concept has evolved over the last years and whether organizations are staying ahead of the real-world threats affecting their SAP platforms.

© 2012 Onapsis, Inc.


2. A DANGEROUS STATUS-QUO

2.1. What "SAP security" used to be five years ago

Five years ago, the SAP security discipline looked as if it had reached its peak for most of the Information Security and Audit communities. Back then, this practice was regarded as a synonym of Segregation of Duties (SoD) controls. These controls are designed to ensure that the responsibility for performing critical business operations is split across different individuals, to minimize the chances of fraudulent activities against the organization. In the SAP world, these controls are implemented by translating dangerous business/technical operations into the respective SAP authorization objects that would enable their execution, and ensuring that no user in the system holds incompatible authorizations.

2.2. The forgotten layer

While the review and enforcement of SoD controls is one of the pillars of an SAP system's security, it is not the only one. SAP business applications are executed by highly complex technological frameworks, usually referred to as the NetWeaver or BASIS components (the Business Infrastructure). The Business Infrastructure is in charge of critical tasks such as authenticating users, authorizing their activities, interfacing with other systems, encrypting/decrypting sensitive communications and persistent data, auditing security events, etc. The security of this layer has traditionally been disregarded during SAP implementation projects, as it was considered an additional barrier to achieving the usually challenging go-live date, without a clear return on investment. As mentioned before, another important reason was a reigning false sense of security, where organizations believed that securing the systems was all about enforcing SoD controls. The status-quo was broken at BlackHat 2007, when it was publicly demonstrated that SAP security went far beyond SoD controls and that the security of the Business Infrastructure was of paramount importance: just as any other technological component, this layer is prone to security vulnerabilities. If these vulnerabilities were exploited, malicious attackers would be able to perform espionage, sabotage and fraud attacks against the business.


2.3. A different (higher) risk profile

The main concern regarding the lack of security of the Business Infrastructure is that it introduces much higher risks to the platform. This section details the difference in the characteristics of attacks exploiting weaknesses in the different layers:

Exploitation of a SoD weakness
1. The attacker needs a valid user account in the target SAP system.
2. The attacker needs to find out that he has more privileges than he should have, identifying the additional sensitive authorizations that he was granted.
3. Common auditing features may detect his activities.

Exploitation of a Business Infrastructure weakness
1. The attacker does not need a valid user account in the target SAP system.
2. A successful attack will allow him to achieve SAP_ALL or equivalent privileges.
3. Common auditing features would not detect his activities.

As can be observed, attacks on the Business Infrastructure have several advantages from an attacker's point of view: they require less knowledge of the target platform, have greater impact and have less chance of being detected.

2.4. A rising threat

The number of reported SAP security vulnerabilities has been rising dramatically over the last years. Five years ago, the total number of released SAP Security Notes was 90, with a yearly average of approximately 20 new issues released through 2004 - 2006. Since 2007, the number of released SAP Security Notes/patches started to increase on an unprecedented scale. This resulted in a total number of 1900 as of February 2012, with a yearly average of approximately 600 new notes in 2010 and 2011. The following chart illustrates the evolution in the number of SAP Security Notes released per year:

[Chart not reproduced in this version: SAP Security Notes released per year]

The dramatic increase in the number of SAP security patches was driven mainly by the following factors:
- An increased interest by the information security research community in ERP security vulnerabilities.
- The increased accessibility of SAP systems to the general public.
- SAP's enhanced efforts into increasing the security of its software applications.

In this scenario, organizations are now facing a big challenge:
- The need to understand which of the released SAP security patches affect the specific components in their large platform.
- The difficulty in determining which of the SAP systems are missing those applicable security patches.
- The difficulty in prioritizing the implementation of the patches, understanding the associated risk of the existing vulnerability.
- The effort involved in implementing the necessary patches, including proper quality assurance to minimize disruption of existing business processes.


3. SAP SYSTEMS ON THE INTERNET

A decade ago it was not common to find SAP systems online. Nowadays, due to modern business requirements, many organizations are exposing their SAP platform to be accessed by customers, employees and vendors. This situation obviously increases the risk of cyber-attacks, as the universe of possible attackers is dramatically expanded. This section analyzes the current exposure of SAP systems to the Internet.

3.1. Public information in search engines

As many SAP systems are connected to the Internet and provide Web interfaces for remote access, it is possible to obtain information from public search engines.

Google

Using Google dorks it is possible to search for common SAP Web applications, such as SAP Enterprise Portals, ITS services, BSP and Webdynpros, which can reveal the presence of an SAP Application Server connected to the Internet. The following screenshot illustrates a search for exposed Enterprise Portals:

[Screenshot not reproduced in this version: Google search for exposed Enterprise Portals]

The different SAP web components can be searched through different dorks, such as:
inurl:/irj/portal (Enterprise Portal)
inurl:/sap/bc/bsp (SAP Web Application Server)
inurl:/scripts/wgate (SAP ITS)
inurl:infoviewapp (SAP Business Objects)

SHODAN

SHODAN is another useful resource to find SAP systems online. As it indexes the returned Web server banners, this application can be used to expose systems running SAP web applications just by searching for the string SAP.
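The defender's counterpart to the search-engine exposure described in this section, as an added example that is not part of the original paper: it scans web server access logs (Apache/nginx "combined" format is assumed) for well-known crawlers successfully fetching the SAP entry points listed above, so a team learns that an endpoint is being indexed before a dork finds it. The log lines and the crawler User-Agent markers are constructed for the example.

```python
# Added example (not from the Onapsis paper): find SAP web entry points that
# Internet crawlers have successfully fetched, i.e. endpoints about to become
# searchable with the "dorks" listed in the paper.
import re
from collections import defaultdict

# URL prefixes taken from the paper's list of Google dorks.
SAP_WEB_PATHS = {
    "/irj/portal": "SAP Enterprise Portal",
    "/sap/bc/bsp": "SAP Web Application Server (BSP)",
    "/scripts/wgate": "SAP ITS",
    "/infoviewapp": "SAP BusinessObjects",
}

# User-Agent fragments of well-known crawlers (assumption: the reverse proxy
# logs the raw User-Agent; verifying the crawler's source IP is out of scope).
CRAWLER_MARKERS = ("Googlebot", "bingbot", "Baiduspider", "YandexBot", "Shodan")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify_path(path):
    """Return the SAP component name if the request path is a known SAP entry point."""
    path_only = path.split("?", 1)[0].lower()
    for prefix, component in SAP_WEB_PATHS.items():
        if path_only.startswith(prefix):
            return component
    return None

def find_indexed_sap_endpoints(log_lines):
    """Return {component: {paths}} for SAP paths served (2xx/3xx) to a crawler."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not "combined" format; skip rather than guess
        component = classify_path(m["path"])
        if component is None:
            continue
        is_crawler = any(marker in m["ua"] for marker in CRAWLER_MARKERS)
        served = m["status"].startswith(("2", "3"))  # 401/403/404 = not exposed
        if is_crawler and served:
            hits[component].add(m["path"].split("?", 1)[0])
    return dict(hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '66.249.66.1 - - [10/Feb/2012:08:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.66.1 - - [10/Feb/2012:08:01:13 +0000] "GET /sap/bc/bsp/sap/it00/default.htm HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '10.0.0.7 - - [10/Feb/2012:08:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"',
    '157.55.39.2 - - [10/Feb/2012:08:03:30 +0000] "GET /scripts/wgate/webgui/! HTTP/1.1" 403 312 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '157.55.39.2 - - [10/Feb/2012:08:03:31 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
]

if __name__ == "__main__":
    for component, paths in find_indexed_sap_endpoints(SAMPLE_LOG).items():
        print(f"[indexed by crawlers] {component}: {sorted(paths)}")
```

The ITS path is not reported because the proxy answered 403: the crawler saw it, but nothing was served.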

3.2. Beyond SAP Web applications

In many cases, organizations that are not exposing their SAP platform to the Internet through Web applications believe that there is no outside access to their platforms. This is usually wrong. As part of the agreements entered into with SAP when purchasing the software licenses, organizations agree on a support contract. This support works mainly by having a connection from SAP offices to the organization's SAP system. This remote support connection is performed through a special component called SAProuter, which must be remotely available for SAP. While this should always be done through a VPN connection with SAP servers, it has been detected in many cases that the SAProuter was directly exposed to the Internet. In the short term, a statistical analysis of sensitive SAP services directly exposed to the Internet, such as the SAProuter, will be published.


4. THE INSIDER THREAT

While enabling access from the Internet to the SAP platform increases the associated risks, by no means should the internal network be considered a trusted environment. Large organizations have thousands of employees, outsourced staff, contractors, etc. who are connected to the internal network every day and must be considered potential threat agents. In organizations running SAP platforms, intruders are usually presented with a favourable environment for attacking the SAP systems once they are connected to the network (either physically or through VPN connections). This situation is commonly caused by:
1. The lack of proper internal network segmentation, by not deploying the SAP servers in a protected, internal DMZ.
2. Even if the previous point is well covered, a new problem arises: some of the SAP components still require the Firewall to allow access to technical services, such as the SAP Gateway, for the execution of certain business processes. This opens a hole in the Firewall which is impossible to close.
3. A possible solution to the previous point is the deployment of an IPS/IDS system, which is able to analyze the allowed traffic and detect attack patterns. However, none of the top-tier IPS/IDS vendors have these capabilities today, which results in a false sense of security.
This scenario highlights the need to ensure that the SAP systems are properly protected, as internal attackers are in a favourable position to reach the target servers and exploit vulnerabilities in them.


5. FROM THE TRENCHES: THE CURRENT SECURITY LEVEL OF SAP IMPLEMENTATIONS

Since 2005, Onapsis experts have performed several specialized Penetration Tests against the SAP implementations of some of the largest organizations in the world. In most cases, these projects were performed with the following characteristics:
- Network access to the end-user network (through VPN or onsite) was provided.
- Only a list of IP addresses of the target SAP systems was given.
- No user/password credentials for any system were provided.

Over these years, these experts have evaluated the security of more than 550 SAP Application Servers in total. The findings are surprising:
- It would have been possible for an attacker to achieve full control of the SAP platform in more than 95% of the cases. The obtained privileges (SAP_ALL or equivalent) would enable a malicious party to perform espionage, sabotage and fraud attacks against the business information and processes managed by the target systems.
- Only 5% of the evaluated SAP systems had the proper security audit logging features enabled.
- None of the evaluated SAP systems were fully updated with the latest SAP security patches.
- In most cases, the attack vectors that led to the initial compromise comprised the exploitation of vulnerabilities that had been in the public domain for more than 5 years.

=any o these !u#nerabi#ities and attac' !ectors are detai#ed in the o##o7ing section.


6. THE TOP-11 VULNERABILITIES AFFECTING THE SAP INFRASTRUCTURE

In 2010, BIZEC, The Business Security Community, was created. BIZEC.org is a non-profit organization focused on security threats affecting ERP systems and business-critical infrastructure. Among several other projects, the BIZEC TEC/11 lists the most common and most critical security risks affecting the Business Runtime layer/infrastructure of SAP platforms. The following points detail the most common risks and the potential impact of their successful exploitation.

6.1. BIZEC TEC-01: VULNERABLE SOFTWARE IN USE

Risk
The SAP platform is running on technological frameworks whose versions are affected by reported security vulnerabilities and the respective fixes have not been applied.
Business Impact
Attackers would be able to exploit reported security vulnerabilities and perform unauthorized activities over the business information processed by the affected SAP system.

6.2. BIZEC TEC-02: STANDARD USERS WITH DEFAULT PASSWORDS

Risk
Users created automatically during the SAP system installation, or by other standard procedures, are configured with default, publicly known passwords.
Business Impact
Attackers would be able to log in to the affected SAP system using a standard SAP user account. As these accounts are usually highly privileged, the business information would be exposed to espionage, sabotage and fraud attacks.

6.3. BIZEC TEC-03: UNSECURED SAP GATEWAY

Risk
The SAP Application Server's Gateway is not restricting the starting, registration or cancellation of external RFC servers.


Business Impact
Attackers would be able to obtain full control of the SAP system. Furthermore, they would be able to intercept and manipulate interfaces used for transmitting sensitive business information.
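As an added example, not from the paper or from SAP, the following review helper parses the two access-control files the SAP Gateway consults, reginfo (which external RFC servers may register, and who may access or cancel them) and secinfo (who may start which external programs), and flags the blanket permit rules that produce the TEC-03 condition. The #VERSION=2 line syntax, the "first matching rule wins" semantics and the sample file contents are assumptions; SLD_UC/SLD_NUC serve only to illustrate a narrow permit rule.

```python
# Added example (not from the Onapsis paper): flag "permit everything" rules in
# SAP Gateway reginfo/secinfo ACL files. Rules are evaluated top to bottom,
# first match wins; '*' or an omitted key means "any".
import re

def parse_acl(text):
    """Parse reginfo/secinfo content into a list of (action, {KEY: value}) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comments and the #VERSION header
            continue
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):  # P = permit, D = deny
            raise ValueError(f"unknown action in rule: {line!r}")
        fields = dict(m.groups() for m in re.finditer(r"([A-Z-]+)=(\S+)", rest))
        rules.append((action, fields))
    return rules

def is_wildcard(value):
    """'*' and an omitted key both mean 'any' in these files."""
    return value is None or value == "*"

def audit_acl(text, kind):
    """Return review findings for one ACL file; kind is 'reginfo' or 'secinfo'."""
    rules = parse_acl(text)
    # Keys whose wildcarding turns a permit rule into a blanket allow.
    host_keys = ("HOST", "ACCESS", "CANCEL") if kind == "reginfo" else ("HOST", "USER-HOST")
    findings = []
    for idx, (action, f) in enumerate(rules, 1):
        if action != "P":
            continue
        any_tp = is_wildcard(f.get("TP"))
        any_host = all(is_wildcard(f.get(k)) for k in host_keys)
        if any_tp and any_host:
            findings.append(f"rule {idx}: permits any program from any host (TEC-03)")
        elif any_tp and kind == "secinfo" and is_wildcard(f.get("USER")):
            findings.append(f"rule {idx}: any user may start any program from {f.get('HOST')}")
    if not rules:
        findings.append("no rules: behaviour is decided by the gateway's built-in default (gw/acl_mode)")
    elif not (rules[-1][0] == "D" and is_wildcard(rules[-1][1].get("TP"))):
        findings.append("file does not end with an explicit 'D TP=*' catch-all rule")
    return findings

# Constructed examples: an insecure reginfo, a hardened reginfo, a weak secinfo.
INSECURE_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

HARDENED_REGINFO = """#VERSION=2
# Only the SLD data supplier, registered from the application servers themselves
P TP=SLD_UC HOST=local ACCESS=local CANCEL=local
P TP=SLD_NUC HOST=local ACCESS=local CANCEL=local
# Everything else is refused
D TP=* HOST=* ACCESS=* CANCEL=*
"""

WEAK_SECINFO = """#VERSION=2
P TP=* USER=* HOST=internal USER-HOST=*
D TP=* USER=* HOST=* USER-HOST=*
"""

if __name__ == "__main__":
    for name, content, kind in (("insecure reginfo", INSECURE_REGINFO, "reginfo"),
                                ("hardened reginfo", HARDENED_REGINFO, "reginfo"),
                                ("weak secinfo", WEAK_SECINFO, "secinfo")):
        print(name, "->", audit_acl(content, kind) or ["no findings"])
```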

6.4. BIZEC TEC-04: UNSECURED SAP/ORACLE AUTHENTICATION

Risk
The SAP ABAP Application Server authenticates to the Oracle database through the OPS$ mechanism, and the Oracle listener has not been secured.
Business Impact
Attackers would be able to obtain full control of the affected SAP system's database, enabling them to create, visualize, modify and/or delete any business information processed by the system.

6.5. BIZEC TEC-05: INSECURE RFC INTERFACES

Risk
The SAP environment is using insecure RFC connections from systems of a lower security-classification level to systems with higher security-classification levels.
Business Impact
Attackers would be able to perform RFC pivoting attacks, by first compromising an SAP system with a low security classification and, subsequently, abusing insecure interfaces to compromise SAP systems with higher security classification levels.

6.6. BIZEC TEC-06: INSUFFICIENT SECURITY AUDIT LOGGING

Risk
The SAP System's auditing features are disabled or not properly configured.
Business Impact
It would not be possible to detect suspicious activities or attacks against the SAP system. Furthermore, valuable information for forensic investigations would not be available.


6.7. BIZEC TEC-07: UNSECURED SAP MESSAGE SERVER

Risk
The SAP System's Message Server is not restricting the registration of SAP Application Servers.
Business Impact
Attackers would be able to register malicious SAP Application Servers and perform man-in-the-middle attacks, being able to obtain valid user access credentials and sensitive business information. Attacks against user workstations would also be possible.

6.8. BIZEC TEC-08: DANGEROUS SAP WEB APPLICATIONS

Risk
The SAP Application Server is allowing access to Web applications with reported security vulnerabilities or sensitive functionality.
Business Impact
Attackers would be able to exploit vulnerabilities in such Web applications, enabling them to perform unauthorized activities over the business information processed by the affected SAP system.

6.9. BIZEC TEC-09: UNPROTECTED ACCESS TO ADMINISTRATION SERVICES

Risk
The SAP Application Server is not restricting access to sensitive administration or monitoring services.
Business Impact
Attackers would be able to access administration or monitoring services and perform unauthorized activities over the affected SAP systems, possibly leading to espionage and/or sabotage attacks.

6.10. BIZEC TEC-10: INSECURE NETWORK ENVIRONMENT

Risk
The network environment of the SAP platform is not properly secured through the deployment and configuration of network firewalls, specialized Intrusion Prevention and Detection systems and application-layer gateways.


Business Impact
Attackers would be able to access sensitive SAP network services and possibly exploit vulnerabilities and unsafe configurations in them, leading to the execution of unauthorized activities over the affected SAP platform.

6.11. BIZEC TEC-11: UNENCRYPTED COMMUNICATIONS

Risk
The confidentiality and integrity of communications in the SAP landscape is not enforced. These communications comprise SAP-to-SAP connections as well as interactions between SAP servers and external systems, such as user workstations and third-party systems.
Business Impact
Attackers would be able to access sensitive technical and business information being transferred to/from the SAP environment.


7. DEFENDING THE SAP PLATFORM: PROTECTING OUR BUSINESS-CRITICAL INFRASTRUCTURE

7.1. The Challenges

There are mainly three challenges that arise when planning how to protect the business-critical infrastructure supported by the organization's SAP platform:

Knowledge
SAP has a wide variety of highly complex technological components, each of them featuring their own, in many cases proprietary, security architectures. Having specialized knowledge of each specific SAP component is highly important in order to ensure a proper lock-down of the systems.

Scope
Many organizations used to assess and secure only a limited part of the SAP platform: typically the Central Instance and the productive client (mandant) of the Production system. In order to provide a resilient infrastructure, the platform must be protected holistically. This comprises every client and every instance in every system of every landscape of the organization. A single hole can jeopardize the security of the entire platform.

Periodicity
The security of SAP environments is highly dynamic. On the one hand, SAP is continuously releasing new Security Notes which are aimed at protecting against the exploitation of known vulnerabilities. On the other hand, SAP administrators periodically interact with the security configuration of the systems, changing parameters that may render the systems vulnerable. The security of the SAP infrastructure must be evaluated periodically, at least after each SAP Security Patch Day, to verify whether new risks have been raised and to evaluate mitigation actions.

7.2. SAP Security - Who is responsible?

Unlike other systems or applications such as LDAP directories, Web servers and Domain controllers, in some organizations the security of SAP applications usually still falls under the domain of "The Business". Therefore, this situation results in a clear segregation-of-duties inconsistency, where the officers in charge of securing the systems are the same ones who are responsible for verifying whether they are secure or not.

While it is acceptable that the organization's SAP teams are responsible for doing their best effort to protect the SAP platform, it is highly important that the Information Security Manager / CISO department verifies whether the current security level matches the organization's defined risk appetite. The following questions are aimed at serving as a starting point for further thinking about this situation in the reader's organization:
- Is the SAP platform a blackbox for the Information Security team?
- Does the Information Security team trust but verify?
- Who will be ultimately responsible if there is a security breach in the SAP platform?
- What if the SAP platform is compromised, not by a high-profile and complex attack, but rather as the result of the exploitation of a vulnerability that has been publicly known for several years?


8. CONCLUSIONS

Based on the author's field experience, it can be concluded that many SAP implementations are currently not properly protected and are exposed to high-impact attacks. The most critical attack vectors comprise the exploitation of technical vulnerabilities and mis-configurations at the infrastructure layer of this platform, as many of them do not even require a valid user account in the target systems. Over the last years, SAP has improved its internal security efforts and launched several initiatives to raise awareness of the importance of this subject among its customers. The challenge is now for customers to catch up and protect their systems holistically, reducing the likelihood of successful attacks against their business. It is expected that the information presented in this document helps organizations to better identify their current security posture, understand existing risks and evaluate mitigation activities accordingly.


About Onapsis

Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global customers against espionage, sabotage and financial fraud threats. Onapsis X1, the company's flagship product, is the industry's first comprehensive solution for the automated security assessment of SAP platforms. Being the first and only SAP-certified solution of its kind, Onapsis X1 allows customers to perform automated Vulnerability Assessments, Security & Compliance Audits and Penetration Tests over their entire SAP platform. Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & ERP security experts who are continuously invited to lecture at the leading IT security conferences, such as RSA and BlackHat, and featured by mainstream media such as CNN, Reuters, IDG and the New York Times. For further information about our solutions, please contact us at info@onapsis.com and visit our website at www.onapsis.com.
