Abstract
Global Fortune 1000 companies, large governmental organizations and defense entities have something in common: they rely on SAP platforms to run their business critical processes and information. In this scenario, cyber criminals looking to perform espionage, sabotage or financial fraud attacks know that these systems are keeping the business crown jewels. But, how difficult is it for them to break into an SAP system today? Are we properly protecting the business information or are we exposed? Five years ago, we were invited to hold the first public presentation on real world cyber threats to SAP systems at BlackHat Europe 2007. Since then, we have performed specialized Penetration Tests against the SAP platforms of several of the largest organizations of the world, enabling us to get an educated answer to those questions. This white paper analyzes how the "SAP security" concept has evolved over the last years and whether organizations are staying ahead of the real world threats affecting their SAP platforms.
Copyright 2012 Onapsis, Inc. - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Onapsis, Inc. Onapsis offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Onapsis makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
TABLE OF CONTENTS
1. Introduction
2. A Dangerous Status-quo
2.1. What "SAP security" used to be five years ago
2.2. The forgotten layer
2.3. A different (higher) risk profile
2.4. A rising threat
3. SAP Systems on the Internet
3.1. Public information in search engines
3.2. Beyond SAP Web applications
4. The Insider Threat
5. From the Trenches: The Current Security Level of SAP Implementations
6. The TOP-11 vulnerabilities affecting the SAP Infrastructure
6.1. BIZEC TEC-01: Vulnerable Software in Use
6.2. BIZEC TEC-02: Standard Users with Default Passwords
6.3. BIZEC TEC-03: Unsecured SAP Gateway
6.4. BIZEC TEC-04: Unsecured SAP/Oracle authentication
6.5. BIZEC TEC-05: Insecure RFC interfaces
6.6. BIZEC TEC-06: Insufficient Security Audit Logging
6.7. BIZEC TEC-07: Unsecured SAP Message Server
6.8. BIZEC TEC-08: Dangerous SAP Web Applications
6.9. BIZEC TEC-09: Unprotected Access to Administration Services
6.10. BIZEC TEC-10: Insecure Network Environment
6.11. BIZEC TEC-11: Unencrypted Communications
7. Defending the SAP Platform: Protecting our Business-critical Infrastructure
7.1. The Challenges
7.2. SAP Security - Who is responsible?
8. Conclusions
About Onapsis

Note: In order to find the latest version of this white-paper, please check the Onapsis Research Labs website at http://www.onapsis.com/
1. INTRODUCTION
Global Fortune-1000 companies, large governmental entities and defense agencies have something in common: most of them rely on SAP systems to run their business-critical processes and information. Key processes such as sales, invoicing, manufacturing, procurement, human resources management and financial planning are managed and processed by systems running SAP software. This critical nature is what makes them highly attractive for cyber-criminals and cyber-terrorists: if a malicious party is able to compromise an organization's SAP platform, he would be able to engage in espionage, sabotage and financial fraud attacks with severe implications to the business. This white-paper analyzes how the SAP security concept has evolved over the last years and whether organizations are staying ahead of the real-world threats affecting their SAP platforms.
2. A DANGEROUS STATUS-QUO
2.1. What "SAP security" used to be five years ago
Five years ago, the SAP security discipline looked as if it had reached its peak for most of the Information Security and Audit communities. Back then, this practice was regarded as a synonym of Segregation of Duties (SoD) controls. These controls are designed to ensure that the responsibility of performing critical business operations is split across different individuals, to minimize the chances of fraudulent activities against the organization. In the SAP world, these controls are implemented by translating dangerous business/technical operations into the respective SAP authorization objects that would enable their execution, and ensuring that no user in the system holds incompatible authorizations.
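As an added illustration (not code from the paper), the following Python models such an SoD check: each rule names two sets of authorization objects that must not meet in one user, and a user's effective objects are collected through the roles assigned to them. The roles, user assignments and conflict rules are constructed sample data; the object names follow SAP naming but the rule pairing is assumed, not an official conflict matrix.

```python
"""Segregation of Duties (SoD) check over SAP-style authorization objects.

Added illustration, not code from the paper. Roles, user assignments and the
conflict rules are constructed sample data; the object names follow SAP's
naming (e.g. F_LFA1_APP, S_USER_GRP) but the rule pairing is illustrative.
"""

# Conflict rules: two sets of authorization objects that enable incompatible
# business operations; holding one object from each side is a violation.
SOD_RULES = {
    "create vendor + run vendor payments": ({"F_LFA1_APP"}, {"F_REGU_BUK"}),
    "maintain users + assign roles": ({"S_USER_GRP"}, {"S_USER_AGR"}),
}

# Constructed role definitions: role -> authorization objects it grants.
ROLE_AUTHS = {
    "Z_AP_CLERK": {"F_LFA1_APP", "F_BKPF_BUK"},
    "Z_AP_PAYMENTS": {"F_REGU_BUK"},
    "Z_BASIS_ADMIN": {"S_USER_GRP", "S_USER_AGR", "S_RFC"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "ACLERK": ["Z_AP_CLERK"],
    "PAYRUN": ["Z_AP_PAYMENTS"],
    "SUPERUSER": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "BASIS01": ["Z_BASIS_ADMIN"],
}

def effective_authorizations(user, user_roles=USER_ROLES, role_auths=ROLE_AUTHS):
    """Union of the authorization objects a user receives through all assigned roles."""
    objs = set()
    for role in user_roles.get(user, ()):
        objs |= role_auths.get(role, set())
    return objs

def sod_conflicts(user_roles=USER_ROLES, role_auths=ROLE_AUTHS, rules=SOD_RULES):
    """Map each user holding both sides of a rule to the list of rules violated."""
    findings = {}
    for user in user_roles:
        auths = effective_authorizations(user, user_roles, role_auths)
        hits = [name for name, (side_a, side_b) in rules.items()
                if auths & side_a and auths & side_b]
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, violated in sod_conflicts().items():
        print(f"{user}: {', '.join(violated)}")
```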
The dramatic increase in the number of SAP security patches was driven mainly by the following factors:
- An increased interest by the information security research community in ERP security vulnerabilities.
- The increased accessibility to SAP systems for the general public.
- SAP's enhanced efforts into increasing the security of its software applications.
In this scenario, organizations are now facing a big challenge:
- The need to understand which of the released SAP security patches are affecting their specific components in their large platform.
- The difficulty in determining which of the SAP systems are missing those applicable security patches.
- The difficulty in prioritizing the implementation of the patches, understanding the associated risk of the existing vulnerability.
- The effort involved in implementing the necessary patches, including proper quality-assurance to minimize disruption of existing business processes.
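One way to tackle the second and third of those points, as an added example that is not the paper's own method or any vendor tool: given an inventory of systems (component release and support package level) and a catalogue of security notes, list the applicable patches each system lacks, most urgent first. The inventory and catalogue are constructed, and the note ids are placeholders rather than real SAP Security Note numbers.

```python
"""Patch-gap check: which systems miss which applicable SAP security patches.

Added illustration, not the paper's method nor any vendor tool. Inventory and
note catalogue are constructed; note ids are placeholders, not real SAP Security
Note numbers. Priority uses SAP's 1 (Hot News) .. 4 (Low) scale."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityNote:
    note_id: str      # placeholder id (constructed)
    component: str    # software component, e.g. SAP_BASIS
    release: str      # component release the note is written for
    fixed_in_sp: int  # first support package level containing the fix
    priority: int     # 1 = Hot News ... 4 = Low

# Constructed inventory: system id -> {component: (release, installed SP level)}
INVENTORY = {
    "PRD": {"SAP_BASIS": ("702", 8), "SAP_ABA": ("702", 8)},
    "DEV": {"SAP_BASIS": ("702", 12), "SAP_ABA": ("702", 12)},
    "BW1": {"SAP_BASIS": ("731", 5)},
}

# Constructed note catalogue.
NOTES = [
    SecurityNote("NOTE-A", "SAP_BASIS", "702", fixed_in_sp=10, priority=1),
    SecurityNote("NOTE-B", "SAP_ABA", "702", fixed_in_sp=9, priority=3),
    SecurityNote("NOTE-C", "SAP_BASIS", "731", fixed_in_sp=7, priority=2),
    SecurityNote("NOTE-D", "SAP_BASIS", "731", fixed_in_sp=3, priority=2),
]

def applicable(note, components):
    """A note applies when the system runs the note's component at the note's release."""
    rel_sp = components.get(note.component)
    return rel_sp is not None and rel_sp[0] == note.release

def missing_notes(components, notes=NOTES):
    """Applicable notes whose fix SP is above the installed SP, most urgent first."""
    gaps = [n for n in notes
            if applicable(n, components) and components[n.component][1] < n.fixed_in_sp]
    return sorted(gaps, key=lambda n: (n.priority, n.note_id))

def patch_gap_report(inventory=INVENTORY, notes=NOTES):
    """{system: [missing note ids, most urgent first]} for systems with gaps."""
    report = {}
    for sid, comps in inventory.items():
        gaps = [n.note_id for n in missing_notes(comps, notes)]
        if gaps:
            report[sid] = gaps
    return report
```

A system that is fully patched (DEV above) produces no entry, and a note for a release the system does not run is never counted as a gap.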
The different SAP web components can be searched through different dorks, such as:
- inurl:/irj/portal (Enterprise Portal)
- inurl:/sap/bc/bsp (SAP Web Application Server)
- inurl:/scripts/wgate (SAP ITS)
- inurl:infoviewapp (SAP Business Objects)
SHODAN
SHODAN is another useful resource to find SAP systems online. As it indexes the returned Web server banners, this application can be used to expose systems running SAP web applications just by searching for the string SAP.
Over these years, these experts have evaluated the security of more than 550 SAP Application Servers in total. The findings are surprising:
- It would have been possible for an attacker to achieve full control of the SAP platform in more than 95% of the cases. The obtained privileges (SAP_ALL or equivalent) would enable a malicious party to perform espionage, sabotage and fraud attacks to the business information and processes managed by the target systems.
- Only 5% of the evaluated SAP systems had the proper security audit logging features enabled.
- None of the evaluated SAP systems were fully updated with the latest SAP security patches.
- In most cases, the attack vectors that led to the initial compromise comprised the exploitation of vulnerabilities that have been in the public domain for more than 5 years.
Many of these vulnerabilities and attack vectors are detailed in the following section.
Business Impact
Attackers would be able to obtain full control of the SAP system. Furthermore, they would be able to intercept and manipulate interfaces used for transmitting sensitive business information.
Business Impact
Attackers would be able to access sensitive SAP network services and possibly exploit vulnerabilities and unsafe configurations in them, leading to the execution of unauthorized activities over the affected SAP platform.
While it is acceptable that the organization's SAP teams are responsible for doing their best to protect the SAP platform, it is highly important that the Information Security Manager / CISO department verifies whether the current security level matches the organization's defined risk appetite. The following questions are aimed at serving as a starting point for further thinking about this situation in the reader's organization:
- Is the SAP platform a blackbox for the Information Security team?
- Does the Information Security team trust but verify?
- Who will be ultimately responsible if there is a security breach in the SAP platform?
- What if the SAP platform is compromised, not by a high-profile and complex attack, but rather as the result of the exploitation of a vulnerability that has been publicly known for several years?
8. CONCLUSIONS
Based on the author's field experience, it can be concluded that many SAP implementations are currently not properly protected and are exposed to high-impact attacks. The most critical attack vectors comprise the exploitation of technical vulnerabilities and mis-configurations at the infrastructure layer of this platform, as many of them do not even require a valid user account in the target systems. Over the last years, SAP has improved its internal security efforts and launched several initiatives to raise awareness on the importance of this subject among its customers. The challenge is now for customers to catch up and protect their systems holistically, reducing the likelihood of successful attacks to their business. It is expected that the information presented in this document helps organizations to better identify their current security posture, understand existing risks and evaluate mitigation activities accordingly.
ABOUT ONAPSIS
Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global customers against espionage, sabotage and financial fraud threats. Onapsis X1, the company's flagship product, is the industry's first comprehensive solution for the automated security assessment of SAP platforms. Being the first and only SAP-certified solution of its kind, Onapsis X1 allows customers to perform automated Vulnerability Assessments, Security & Compliance Audits and Penetration Tests over their entire SAP platform. Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & ERP security experts who are continuously invited to lecture at the leading IT security conferences, such as RSA and BlackHat, and featured by mainstream media such as CNN, Reuters, IDG and New York Times. For further information about our solutions, please contact us at info@onapsis.com and visit our website at www.onapsis.com.