95% of ERP systems are vulnerable to data breaches · 2019-10-25
TRANSCRIPT
Onapsis Inc. | All Rights Reserved
95% of ERP systems are vulnerable to data breaches
Do you have the right compensating controls?
Sergio Abraham – [email protected]
Main questions we will answer throughout this presentation
• Why are ERP systems so complex?
• Why are ERP systems interesting for attackers/insiders?
• What is happening out there? + DEMO
• What are auditors doing today vs what should they be doing?
• How to approach ERP audit?
BUSINESS-CRITICAL APPLICATIONS
Why are they unique?
COMPLEX ARCHITECTURES AND TECHNOLOGIES
• Based on various interacting components, each with its own independent configuration
• Leverage proprietary protocols and components that are not well documented or accessible
• Very specific software and configuration vulnerabilities
PATCHING AND UPDATING
• Mostly non-existent patching processes
• The risk of patching is perceived as higher than the risk of the vulnerabilities themselves
• Applying and testing patches across all applications without business disruption is a challenge
CUSTOMIZATIONS
• Highly customized applications; no two are the same
• Large organizations need to map customer business processes into custom code
• Sometimes up to millions of customized objects run their business operations
INTEGRATIONS
• Many integration endpoints, sending data back and forth to other internal and external systems
• Integration is a key part of the landscape
• No single product, but many different products (and vendors)
AUTHORIZATIONS
• Complex authorization concepts
• Users are diverse and need access to specific objects and tasks
• A proper understanding of the authorization concepts within each platform is required
CRITICAL INFORMATION AND PROCESSES
• Strong change management processes delay or even block security improvements
• Critical information is held and processed by these applications
• Most organizations are also legally required to protect this information from data loss
• Systems are subject to compliance mandates such as SOX, GDPR, PCI, etc.
ERP Cybersecurity – A Blindspot
• 92% of the Global 2000 use SAP or Oracle EBS
• 77% of the world's revenue touches these ERP systems
• 88% believe ERP to be a business-critical application
The Evolution of ERP Cyberattacks (timeline figure, 2012-2019)
Milestones shown on the timeline:
• 1st public exploit targeting SAP applications
• Chinese breach of USIS targeted SAP
• SAP NetWeaver Portal public exploit by Chinese hacker
• SAP-targeted malware discovered
• 1st DHS US-CERT Alert for SAP Business Applications
• Onapsis helps Oracle secure critical vulnerability in EBS
• 2nd DHS US-CERT Alert for SAP Business Applications
• 3rd DHS US-CERT Alert for 10KBLAZE exploits (2019)
Threat actors highlighted on the timeline: hacktivist groups; cybercriminals creating malware; nation-state sponsored actors; increased interest on the dark web; United States DHS warning.
Famous Vulnerabilities
10KBLAZE: A threat to the financial statements
"This risk to SAP customers can represent a weakness in affected publicly-traded organizations that may result in material misstatements of the company's annual financial statements (Form 10-K)"
How are ERP Applications involved in key breaches?
Key Findings from Threat Intelligence
• Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations
• Cybercriminals have evolved malware to target internal, "behind-the-firewall" ERP applications
• Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage
• Dramatic increase in the interest in exploits for SAP applications, including SAP HANA, in dark web and cybercriminal forums
Growing Interest in ERP applications
Cybercriminal forum with details on how to hack SAP applications
Evolution of mentions of SAP vulnerabilities with publicly available exploits
Growing Interest in ERP applications (cont'd)
User asking for SAP HANA exploits with responses and links to resources
Exploits available within reach (Google)
Example: Installing Malicious Code
Anatomy of an attack to ERP Applications
Commands used to exfiltrate SAP Credentials
Example: Routing Employee Payments
• Uptick in cyberattacks targeting employee portals
• Modifying current employees' bank accounts to reroute their paychecks
• Both internal and externally-facing portals are affected
IMAGE: https://www.ncsecu.org/BranchServices/Switch.html
Tools, Techniques and Procedures
External Threats
• Internet-facing applications are one of the most common entry mechanisms into the ERP environment.
Internal Threats
• Internal applications are targeted through well-known exploits and vulnerabilities
o 10KBLAZE, default usernames and passwords, flawed custom reports
• Unpatched vulnerabilities and misconfigurations are still present in most environments
o 90% probability of finding critical misconfigurations (highlighted by the US-CERT)
Financial motivation remains the ultimate goal of both attackers and insiders
How to Audit ERP systems?
Traditional Approaches – Blindspot still exists
Built-in ERP Tools
• Manual and complex
• Cumbersome to manage
• Built for ERP admins
• Protect the SAP business logic layer -- the SAP application layer remains exposed
Traditional Security
• General purpose tools
• Lack visibility into the application layer
• No expertise in ERP security
Limited coverage
• Limited out-of-the-box policies
• Hard to manage centrally
• Limited coverage for SAP/Oracle
• No team of security researchers
Traditional Approaches – Blindspot still exists
Technology Stack - The GAP in ERP Audits
Layers of the stack (top-down), with examples:
• Business Application: Finance & Controlling, Sales & Distribution, etc
• Customizations: Custom reports and applications
• Application Technology: SAP NetWeaver, Oracle WebLogic, etc
• Database: Oracle, HANA, SQL Server, etc
• Operating System: Windows, Unix, etc
(The figure contrasts the scope of a Traditional Security Audit with the full stack.)
Call to Action
Call to Action
Your role as auditor
• Make sure the people in charge of protecting ERP systems have coverage for all the layers
• Compliance-related efforts must be addressed at each layer (SOX, GDPR, PCI, NIST, etc)
• While different layers have different risks and controls to be placed, they are very interrelated:
o If you are analyzing a specific business risk, the analysis has to be performed across the 5 layers
Risk Assessment at each layer
Risk Example: Payments are made to fictitious vendors
• Operating System: What type of access/misconfigurations/vulnerabilities at the OS would allow this?
• Database: What type of access/misconfigurations/vulnerabilities at the DB would allow this?
• Application Technology: What misconfigurations/vulnerabilities exist in the technology that would allow this?
• Customizations: What custom applications do not have the proper validations to avoid this?
• Business Application: What standard applications and privileges would allow this?
How to Audit ERP Systems?
Focusing on the Application... (Business Application layer)
● Authentication: Password policies and configurations
● Access Control: Authorizations analysis - Who has access to what?
● Segregation of Duties: Authorizations analysis - Conflicting accesses
● User Behavior:
○ User monitoring - Who is doing what?
○ Fraud detection - Detection of fraudulent activities
○ Analytics (more advanced) - Analysis of behavioral patterns to detect malicious activities
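The access-control and segregation-of-duties questions above ("who has access to what?" and "which users hold conflicting accesses?") and the earlier risk example of payments to fictitious vendors come down to the same analysis: collapse role assignments into the business functions each user can perform, then test every user against a list of toxic function combinations. The script below is an added example, not tooling from the presentation or from Onapsis; the users, roles, function names and SoD rules are all constructed for illustration and are not SAP or Oracle EBS authorization object names.

```python
"""Segregation-of-duties (SoD) and access-control review over a constructed
user/role/function list. Added example; role and function names are
illustrative, not SAP or Oracle EBS authorization object names."""
from collections import defaultdict

# Constructed sample: (user, role, business function granted by that role).
SAMPLE_ASSIGNMENTS = [
    ("alice", "AP_CLERK", "vendor_invoice_post"),
    ("alice", "VENDOR_MAINT", "vendor_master_create"),
    ("bob", "AP_CLERK", "vendor_invoice_post"),
    ("carol", "PAYMENT_RUN", "payment_release"),
    ("carol", "VENDOR_MAINT", "vendor_master_create"),
    ("carol", "VENDOR_MAINT", "vendor_bank_change"),
    ("dave", "BASIS_ADMIN", "user_create"),
    ("dave", "BASIS_ADMIN", "role_assign"),
    ("erin", "HR_PAYROLL", "employee_bank_change"),
    ("erin", "PAYMENT_RUN", "payment_release"),
]

# Constructed SoD rule set: pairs of functions one person should not hold
# together, with the fraud scenario the combination would enable.
SOD_RULES = {
    frozenset({"vendor_master_create", "vendor_invoice_post"}): "create a fictitious vendor and invoice from it",
    frozenset({"vendor_master_create", "payment_release"}): "create a fictitious vendor and pay it",
    frozenset({"vendor_bank_change", "payment_release"}): "redirect vendor payments to another account",
    frozenset({"employee_bank_change", "payment_release"}): "redirect employee paychecks",
    frozenset({"user_create", "role_assign"}): "create a user and grant it any access",
}


def functions_by_user(assignments):
    """Collapse role assignments into user -> {function: set(roles granting it)}."""
    by_user = defaultdict(dict)
    for user, role, function in assignments:
        by_user[user].setdefault(function, set()).add(role)
    return by_user


def find_sod_conflicts(assignments, rules=SOD_RULES):
    """Return (user, function_a, function_b, scenario, roles) for every rule a
    single user violates; roles lists the roles that together create the conflict."""
    conflicts = []
    for user, funcs in sorted(functions_by_user(assignments).items()):
        held = set(funcs)
        for pair, scenario in rules.items():
            if pair <= held:  # user holds both sides of the toxic combination
                a, b = sorted(pair)
                roles = sorted(funcs[a] | funcs[b])
                conflicts.append((user, a, b, scenario, roles))
    return conflicts


def who_can(assignments, function):
    """Access-control question 'who has access to what?': users holding a function."""
    return sorted(u for u, funcs in functions_by_user(assignments).items()
                  if function in funcs)


if __name__ == "__main__":
    for user, a, b, scenario, roles in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{user}: {a} + {b} via {roles} -> {scenario}")
    print("payment_release:", who_can(SAMPLE_ASSIGNMENTS, "payment_release"))
```

Reporting the roles behind each conflict matters in practice: a conflict that arises from two separately assigned roles is fixed by removing one assignment, whereas a conflict inside a single role (carol's VENDOR_MAINT plus PAYMENT_RUN here is the former; a role that itself grants both functions would be the latter) needs the role design changed, and the same script applied to the real authorization export answers the fictitious-vendor risk question at the Business Application layer.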
How to Audit ERP Systems?
Focusing on the Application... (Customizations layer)
● Security: Analysis of vulnerabilities in custom code. E.g.:
○ Authorization bypass
○ Administrator command execution
○ Unlimited database access
● Compliance with best practices
● Performance: How do custom reports affect overall system availability?
● Maintainability: The amount of custom code can become unmanageable if it is not properly designed and continuously reviewed
● Robustness: Prevention of operational errors
● Data Loss Prevention: Analysis of weaknesses that allow data to be extracted from the systems
How to Audit ERP Systems?
Focusing on the Application... (Application Technology layer)
● Authentication: Password policies and configurations (some ERP systems have different authentication mechanisms for each layer/segmentation)
● Configurations: What critical configurations must be enforced and monitored?
○ Wrong technical configurations can override business controls. You should follow vendor-specific security best practices.
○ E.g.: 10KBLAZE is a combination of two different misconfigurations
● Security Patches: What critical patches must be implemented ASAP?
○ Missing patches mean known vulnerabilities are present. Critical vulnerabilities can override business controls.
○ E.g.: Employee payments without user or password
● Log Configuration Management: What logs have to be enabled and configured?
○ Missing logging features prevent proper monitoring
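The Authentication, Configurations and Log Configuration Management points on this slide are all questions of the form "does the system's effective setting meet the value the audit expects, and is it set at all?" The script below is an added example of such a baseline check, not tooling from the presentation or from Onapsis. It parses a constructed, simplified "parameter = value" dump (not a real vendor profile file) and compares it with an audit baseline. The three login/* names mirror real SAP NetWeaver profile parameter names, every example/... name is hypothetical, and all threshold values are constructed for the example rather than taken from vendor guidance.

```python
"""Baseline check of security-relevant application-technology parameters.

Added example: parses a constructed 'parameter = value' dump (a simplified
format, not a real vendor profile file) and compares it with an audit
baseline. The three login/* names mirror real SAP NetWeaver profile
parameter names; every 'example/...' name is hypothetical, and all
threshold values are constructed for this example, not vendor guidance."""
import operator

# Constructed dump of one system's effective parameters.
SAMPLE_PROFILE = """
# effective parameters (constructed sample)
login/min_password_lng = 6
login/fails_to_user_lock = 99
login/password_expiration_time = 0
example/gateway_acl_mode = 0      # hypothetical: 0 = gateway ACL not enforced
example/security_audit_log = 0    # hypothetical: 0 = audit log disabled
example/trace_level = 1
"""

# Audit baseline: parameter -> (comparison, expected value, why the auditor cares).
BASELINE = {
    "login/min_password_lng": (">=", 12, "short passwords weaken authentication"),
    "login/fails_to_user_lock": ("<=", 5, "high lockout threshold allows password guessing"),
    "login/password_expiration_time": (">=", 1, "0 disables password expiry"),
    "example/gateway_acl_mode": ("==", 1, "unrestricted gateway access (hypothetical parameter)"),
    "example/security_audit_log": ("==", 1, "no audit log means no monitoring (hypothetical parameter)"),
    "example/rfc_acl_required": ("==", 1, "absent setting leaves ACL unenforced (hypothetical parameter)"),
    "example/trace_level": ("<=", 1, "verbose traces may leak credentials (hypothetical parameter)"),
}

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


def parse_profile(text):
    """Parse 'key = value' lines; '#' starts a comment; integer values become ints."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = int(value) if value.lstrip("-").isdigit() else value
    return params


def check_baseline(params, baseline=BASELINE):
    """Return (parameter, actual, expected, why) for each baseline entry the
    system fails. A parameter that is not set at all is reported as 'missing',
    because an absent setting usually means the insecure default applies."""
    findings = []
    for name, (op, expected, why) in baseline.items():
        if name not in params:
            findings.append((name, "missing", f"{op} {expected}", why))
        elif not OPS[op](params[name], expected):
            findings.append((name, params[name], f"{op} {expected}", why))
    return findings


if __name__ == "__main__":
    for name, actual, expected, why in check_baseline(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: actual={actual}, expected {expected} ({why})")
```

Treating an absent parameter as a finding rather than skipping it is the deliberate design choice here: the slide's point that wrong technical configurations override business controls applies just as much to a control nobody configured, and the same drift check should run on every application server and client segment, since the conclusion of the deck stresses that each segment can carry its own configuration.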
Conclusion
• ERP systems support the most complex business processes
o Therefore, ERP systems are the most complex applications
• Think about ERP systems as a matrix...
o Top-Down: Several technology layers support business application customization and extension
▪ OS, DB, Application Technology, Customizations, Business Application
o Side-to-Side: Several segmentations support business complexity and operations
▪ Application Servers, SAP Mandants/Clients, Oracle Nodes, Interfaces, etc
• As an Auditor, you should assess risks and test controls at each of those layers and segments
o Automation tools are essential to make this job efficient.
Just 1 (one) concept to remember...