8/13/2019 Bh Eu 12 DiCroce CyberAttacks to SAP Systems WP
1/19
CYBER-ATTACKS & SAP SYSTEMS
Is our business-critical infrastructure exposed?
by Mariano Di Croce
Black Hat Europe 2012 Briefings
Abstract
Global Fortune 1000 companies, large governmental organizations and defense entities have something in common: they rely on SAP platforms to run their business-critical processes and information. In this scenario, cybercriminals looking to perform espionage, sabotage or financial fraud attacks know that these systems are keeping the business crown jewels.
But how difficult is it for them to break into an SAP system today? Are we properly protecting the business information, or are we exposed?
Five years ago, we were invited to hold the first public presentation on real-world cyber-threats to SAP systems at BlackHat Europe 2007. Since then, we have performed specialized Penetration Tests against the SAP platforms of several of the largest organizations of the world, enabling us to get an educated answer to those questions.
This whitepaper analyzes how the "SAP security" concept has evolved over the last years and whether organizations are staying ahead of the real-world threats affecting their SAP platforms.
Copyright 2012 Onapsis, Inc. - All rights reserved.
No portion of this document may be reproduced in whole or in part without the prior written permission of Onapsis, Inc.
Onapsis offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Onapsis makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
TABLE OF CONTENTS
1. Introduction ..... 4
2. A Dangerous Status-quo ..... 5
2.1. What "SAP security" used to be five years ago ..... 5
2.2. The forgotten layer ..... 5
2.3. A different (higher) risk profile ..... 6
2.4. A rising threat ..... 6
3. SAP Systems on the Internet ..... 8
3.1. Public information in search engines ..... 8
3.2. Beyond SAP Web applications ..... 9
4. The Insider Threat ..... 10
5. From the Trenches: The Current Security Level of SAP Implementations ..... 11
6. The TOP-11 vulnerabilities affecting the SAP Infrastructure ..... 12
6.1. BIZEC TEC-01: Vulnerable Software in Use ..... 12
6.2. BIZEC TEC-02: Standard Users with Default Passwords ..... 12
6.3. BIZEC TEC-03: Unsecured SAP Gateway ..... 12
6.4. BIZEC TEC-04: Unsecured SAP/Oracle authentication ..... 13
6.5. BIZEC TEC-05: Insecure RFC interfaces ..... 13
6.6. BIZEC TEC-06: Insufficient Security Audit Logging ..... 13
6.10. BIZEC TEC-10: (...) Network Environment ..... 14
6.11. BIZEC TEC-11: Unencrypted Communications ..... 15
7. Defending the SAP Platform: Protecting our Business-Critical Infrastructure ..... 16
7.1. The Challenges ..... 16
7.2. SAP Security - Who is responsible? ..... 16
8. Conclusions ..... 18
Cyber-Attacks & SAP Systems - BlackHat Europe 2012 Briefings
1. INTRODUCTION
Global Fortune-1000 companies, large governmental entities and defense agencies have something in common: most of them rely on SAP systems to run their business-critical processes and information. Key processes such as sales, invoicing, manufacturing, procurement, human resources management and financial planning are managed and processed by systems running SAP software.
This critical nature is what makes them highly attractive for cyber-criminals and cyber-terrorists: if a malicious party is able to compromise an organization's SAP platform, he would be able to engage in espionage, sabotage and financial fraud attacks with severe implications to the business.
This white-paper analyzes how the SAP security concept has evolved over the last years and whether organizations are staying ahead of the real-world threats affecting their SAP platforms.
2012 Onapsis, Inc. 4
2. A DANGEROUS STATUS-QUO
2.1. What "SAP security" used to be five years ago
Five years ago, the SAP security discipline looked as if it had reached its paramount for most part of the Information Security and Audit communities.
Back then, this practice was regarded as a synonym of Segregation of Duties (SoD) controls. These controls are designed to ensure that the responsibility of performing critical business operations is split across different individuals, to minimize the chances of fraudulent activities against the organization. In the SAP world, these controls are implemented by translating dangerous business/technical operations into the respective SAP authorization objects that would enable their execution, and ensuring that no user in the system holds incompatible authorizations.
2.2. The forgotten layer
While the review and enforcement of SoD controls is one of the pillars of the SAP system's security, it is not the only one.
SAP business applications are executed by highly complex technological frameworks, usually referred to as the NetWeaver or BASIS components (Business Infrastructure). The Business Infrastructure is in charge of critical tasks such as authenticating users, authorizing their activities, interfacing with other systems, encrypting/decrypting sensitive communications and persistent data, auditing security events, etc.
The security of this layer has traditionally been disregarded during SAP implementation projects, as it was considered an additional barrier to achieving the usually challenging go-live date, without a clear return on investment. As mentioned before, another important reason was that there was a reigning false sense of security, where organizations believed that securing the systems was all about enforcing SoD controls.
The status-quo was broken in BlackHat 2007
2.3. A different (higher) risk profile
The main concern regarding the lack of security of the Business Infrastructure is that it introduces much higher risks to the platform.
This section details the difference in the characteristics of attacks exploiting weaknesses in the different layers:
Exploitation of a SoD weakness
1. The attacker needs a valid user account in the target SAP system.
2. The attacker needs to find out that he has more privileges than he should have, identifying the additional sensitive authorizations that he was granted.
3. Common auditing features may detect his activities.
Exploitation of a Business Infrastructure weakness
1. The attacker does not need a valid user account in the target SAP system.
2. A successful attack will allow him to achieve SAP_ALL or equivalent privileges.
3. Common auditing features would not detect his activities.
As can be observed, attacks to the Business Infrastructure have several advantages from an attacker's point of view: they require less knowledge of the target platform, have greater impact and have fewer chances of being detected.
2.4. A rising threat
The number of reported SAP security vulnerabilities has been rising dramatically over the last years. Five years ago, the total number of released SAP Security Notes was [figure lost], with a yearly average of approximately [figure lost] new issues released through 2004 - 2006.
Since [year lost], the number of SAP Security Notes/patches started to increase on an unprecedented scale. This resulted in a total number of [figure lost] as of February 2012, with a yearly average of approximately [figure lost] new notes in 2010 and 2011.
The following chart illustrates the evolution in the number of SAP Security Notes released per year:
The dramatic increase in the number of SAP security patches was driven mainly by the following factors:
An increased interest by the information security research community in ERP security vulnerabilities.
The increased accessibility of SAP systems to the general public.
SAP's enhanced efforts into increasing the security of its software applications.
In this scenario, organizations are now facing a big challenge:
The need to understand which of the released SAP security patches affect the specific components in their large platform.
The difficulty in determining which of the SAP systems are missing those applicable security patches.
The difficulty in prioritizing the implementation of the patches, understanding the risk associated with the existing vulnerability.
The effort involved in implementing the necessary patches, including proper quality assurance to minimize disruption of existing business processes.
3. SAP SYSTEMS ON THE INTERNET
A decade ago it was not common to find SAP systems online. Nowadays, due to modern business requirements, many organizations are exposing their SAP platform to be accessed by customers, employees and vendors.
This situation obviously increases the risk of cyber-attacks, as the universe of possible attackers is dramatically expanded. This section analyzes the current exposure of SAP systems to the Internet.
3.1. Public information in search engines
As many SAP systems are connected to the Internet and provide Web interfaces for remote access, it is possible to obtain information from public search engines.
Google
Using Google dorks it is possible to search for common SAP Web applications, such as SAP Enterprise Portals, ITS services, BSP and Web Dynpro applications, which can reveal the presence of an SAP Application Server connected to the Internet.
The following screenshot illustrates a search for exposed Enterprise Portals:
The different SAP web components can be searched through different dorks, such as:
inurl:/irj/portal (Enterprise Portal)
inurl:/sap/bc/bsp (SAP Web Application Server)
inurl:/scripts/wgate (SAP ITS)
inurl:infoviewapp (SAP Business Objects)
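The same path signatures can be turned into a defender's inventory check run against the organization's own web server logs. The following is an added example, not code from the whitepaper or from Onapsis: it applies the four path signatures listed above to constructed access-log lines in Common Log Format and reports which SAP web components were requested from non-internal source addresses. The log lines, the definition of "internal" address ranges and the component labels are this example's assumptions; the path strings are the ones in the list above.

```python
"""Offline check: which SAP web components have outside clients reached?

Added example (not part of the Onapsis whitepaper). It applies the URL
signatures from the dork list (/irj/portal, /sap/bc/bsp, /scripts/wgate,
infoviewapp) to constructed web server access-log lines and reports the
components requested from non-internal source addresses.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path signatures from the list above, mapped to the component they reveal.
SAP_WEB_SIGNATURES = {
    "/irj/portal": "SAP Enterprise Portal",
    "/sap/bc/bsp": "SAP Web Application Server (BSP)",
    "/scripts/wgate": "SAP ITS",
    "infoviewapp": "SAP BusinessObjects (InfoView)",
}

# Address ranges this example treats as internal (assumption: RFC 1918,
# loopback and link-local); everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not from any real system).
SAMPLE_LOG = """\
10.0.12.7 - - [10/Feb/2012:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.45 - - [10/Feb/2012:09:12:05 +0000] "GET /irj/portal?NavigationTarget=x HTTP/1.1" 200 5120
198.51.100.9 - - [10/Feb/2012:09:13:17 +0000] "GET /sap/bc/bsp/sap/it00/default.htm HTTP/1.1" 401 312
192.168.5.20 - - [10/Feb/2012:09:14:02 +0000] "POST /scripts/wgate/webgui/! HTTP/1.0" 200 9981
203.0.113.45 - - [10/Feb/2012:09:15:40 +0000] "GET /BOE/InfoViewApp/logon.jsp HTTP/1.1" 200 2211
203.0.113.77 - - [10/Feb/2012:09:16:00 +0000] "GET /index.html HTTP/1.1" 404 162
this line is not in common log format
"""


def classify_sap_path(target: str):
    """Return the SAP component a request target reveals, or None.

    Matching is case-insensitive and on the path only, so query strings and
    mixed-case paths (e.g. /BOE/InfoViewApp/) do not hide a match.
    """
    path = urlsplit(target).path.lower()
    for signature, component in SAP_WEB_SIGNATURES.items():
        if signature in path:
            return component
    return None


def is_external(client: str) -> bool:
    """True when the client address is outside INTERNAL_NETS; unparseable -> False."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def external_sap_exposure(log_text: str):
    """Map each SAP component to the set of external clients that reached it.

    Lines that do not parse, internal clients and non-SAP paths are skipped.
    """
    exposure = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        component = classify_sap_path(m.group("target"))
        if component and is_external(m.group("client")):
            exposure[component].add(m.group("client"))
    return dict(exposure)


if __name__ == "__main__":
    for component, clients in sorted(external_sap_exposure(SAMPLE_LOG).items()):
        print(f"{component}: reached from {', '.join(sorted(clients))}")
```

On the sample data the ITS path is only requested from an internal address and therefore does not appear in the result, while the portal and InfoView paths are reported with the external client that reached them; feeding the function the real ICM or reverse-proxy logs gives the same answer for a live landscape.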
SHODAN
SHODAN is another useful resource to find SAP systems online. As it indexes the returned Web server banners, this application can be used to expose
systems running SAP web applications just by searching for the string "SAP".
3.2. Beyond SAP Web applications
In many cases, organizations that are not exposing their SAP platform to the Internet through Web Applications believe that there is no outside access to their platforms. This is usually wrong.
As part of the agreements entered into with SAP when purchasing the software licenses, organizations agree on a support contract. This support works mainly by having a connection from SAP offices to the organization's SAP system.
This remote support connection is performed through a special component called SAProuter, which must be remotely available for SAP. While this should always be done through a VPN connection with SAP servers, it has been detected in many cases that the SAProuter was directly exposed to the Internet.
In the short term, a statistical analysis of sensitive SAP services directly exposed to the Internet, such as the SAProuter, will be published.
4. THE INSIDER THREAT
While enabling access from the Internet to the SAP platform increases the associated risks, by no means should the internal network be considered a trusted environment.
Large organizations have thousands of employees, outsourced staff, contractors, etc. who are connected to the internal network every day and must be considered potential threat agents.
In the ones running SAP platforms, intruders are usually presented with a favourable environment for attacking the SAP systems once they are connected to the network (either physically or through VPN connections).
This situation is commonly caused by:
1. The lack of proper internal network segmentation, by not deploying the SAP servers in a protected, internal DMZ.
2. Even if the previous point is well covered, a new problem arises: some of the SAP components still require the firewall to allow access to technical services, such as the SAP Gateway, for the execution of certain business processes. This opens a hole in the firewall which is impossible to close.
3. A possible solution to the previous point is the deployment of an IPS/IDS system, which is able to analyze the allowed traffic and detect attack patterns. However, none of the top-tier IPS/IDS vendors have these capabilities today, which results in a false sense of security.
This scenario highlights the need to ensure that the SAP systems are properly protected, as internal attackers are in a favourable situation with regard to reaching the target servers and intend to exploit vulnerabilities in them.
5. FROM THE TRENCHES: THE CURRENT SECURITY LEVEL OF SAP IMPLEMENTATIONS
Since 2005, Onapsis experts have performed several specialized Penetration Tests against the SAP implementations of some of the largest organizations of the world.
In most cases, these projects were performed with the following characteristics:
Network access to the end-user network (through VPN or onsite) was provided.
Only a list of IP addresses of the target SAP systems was provided.
No user/password credentials for any system were provided.
Over these years, these experts have evaluated the security of more than [figure lost] SAP Application Servers in total.
The findings are surprising:
It would have been possible for an attacker to achieve full control of the SAP platform in more than [figure lost]% of the cases.
The obtained privileges (SAP_ALL or equivalent) would enable a malicious party to perform espionage, sabotage and fraud attacks against the business information and processes managed by the target systems.
Only [figure lost]% of the evaluated SAP systems had the proper security audit logging features enabled.
None of the evaluated SAP systems were fully updated with the latest SAP security patches.
In most cases, the attack vectors that led to the initial compromise comprised the exploitation of vulnerabilities that have been in the public domain for more than 5 years.
Many of these vulnerabilities and attack vectors are detailed in the following section.
6. THE TOP-11 VULNERABILITIES AFFECTING THE SAP INFRASTRUCTURE
In 2010, BIZEC - The Business Security Community - was created. BIZEC.org is a non-profit organization focused on security threats affecting ERP systems and business-critical infrastructure.
Among several other projects, the BIZEC TEC/11 lists the most common and most critical security risks affecting the Business Runtime layer/infrastructure of SAP platforms.
The following points detail which are the most common risks and what the impact of their successful exploitation could be.
6.1. BIZEC TEC-01: VULNERABLE SOFTWARE IN USE
Risk
The SAP platform is running on technological frameworks whose versions are affected by reported security vulnerabilities, and the respective fixes have not been applied.
Business Impact
Attackers would be able to exploit reported security vulnerabilities and perform unauthorized activities over the business information processed by the affected SAP system.
6.2. BIZEC TEC-02: STANDARD USERS WITH DEFAULT PASSWORDS
Risk
Users created automatically during the SAP system installation, or by other standard procedures, are configured with default, publicly known passwords.
Business Impact
Attackers would be able to log in to the affected SAP system using a standard SAP user account. As these accounts are usually highly privileged, the business information would be exposed to espionage, sabotage and fraud attacks.
6.3. BIZEC TEC-03: UNSECURED SAP GATEWAY
Business Impact
Attackers would be able to obtain full control of the SAP system. Furthermore, they would be able to intercept and manipulate interfaces used for transmitting sensitive business information.
6.4. BIZEC TEC-04: UNSECURED SAP/ORACLE AUTHENTICATION
Risk
The SAP ABAP Application Server authenticates to the Oracle database through the OPS$ mechanism, and the Oracle listener has not been secured.
Business Impact
Attackers would be able to obtain full control of the affected SAP system's database, enabling them to create, visualize, modify and/or delete any business information processed by the system.
6.5. BIZEC TEC-05: INSECURE RFC INTERFACES
Risk
The SAP environment is using insecure RFC connections from systems of a lower security-classification level to systems with higher security-classification levels.
Business Impact
Attackers would be able to perform RFC pivoting attacks, by first compromising an SAP system with low security classification and, subsequently, abusing insecure interfaces to compromise SAP systems with higher security-classification levels.
6.6. BIZEC TEC-06: INSUFFICIENT SECURITY AUDIT LOGGING
6.7. BIZEC TEC-07: UNSECURED SAP MESSAGE SERVER
Business Impact
Attackers would be able to access sensitive SAP network services and possibly exploit vulnerabilities and unsafe configurations in them, leading to the execution of unauthorized activities over the affected SAP platform.
6.11. BIZEC TEC-11: UNENCRYPTED COMMUNICATIONS
Risk
The confidentiality and integrity of communications in the SAP landscape is not enforced. These communications comprise SAP-to-SAP connections as well as interactions between SAP servers and external systems, such as user workstations and third-party systems.
Business Impact
Attackers would be able to access sensitive technical and business information being transferred to/from the SAP environment.
7. DEFENDING THE SAP PLATFORM: PROTECTING OUR BUSINESS-CRITICAL INFRASTRUCTURE
7.1. The Challenges
There are mainly three challenges that arise when planning how to protect the business-critical infrastructure supported by the organization's SAP platform:
Knowledge
SAP has a wide variety of highly complex technological components, each of them featuring their own, in many cases proprietary, security architectures. Having specialized knowledge of each specific SAP component is highly important in order to ensure a proper lock-down of the systems.
Scope
Many organizations used to assess and secure only a limited part of the SAP platform: typically the Central Instance and the productive client (mandant) of the Production system. In order to provide a resilient infrastructure, the platform must be protected holistically. This comprises every client and every instance in every system of every landscape of the organization. A single hole can jeopardize the security of the entire platform.
Periodicity
The security of SAP environments is highly dynamic. On the one hand, SAP is continuously releasing new Security Notes which are aimed at protecting against the exploitation of known vulnerabilities. On the other hand, SAP administrators periodically interact with the security configuration of the systems, changing parameters that may render the systems vulnerable. The security of the SAP infrastructure must be evaluated periodically, at least after each SAP Security Patch Day, to verify whether new risks have been raised and to evaluate mitigation actions.
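One way to make such a periodic check repeatable is to audit the instance profile itself, since several of the risks in section 6 are governed by profile parameters: the gateway ACLs of 6.3, the Security Audit Log of 6.6, the message server of 6.7 and the encrypted communications (SNC) of 6.11. The script below is an added example, not code from the whitepaper, from Onapsis or from BIZEC. It parses the profile format (one `parameter = value` per line, `#` comment lines, `$(VAR)` references) and reports every parameter that is missing or set to a value outside the hardened set. The parameter names are the standard SAP profile parameters as I know them (verify them against the documentation for your own release); the hardened values are this example's policy and the sample profile is constructed.

```python
"""Periodic check of an SAP instance profile against a few BIZEC TEC items.

Added example; not code from the whitepaper, Onapsis or BIZEC. The parameter
names are the standard SAP profile parameters as known to the author of this
example, the hardened values are this example's policy, and the sample
profile below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# (parameter, acceptable values or None for "must merely be set", TEC item, reason)
CHECKS = [
    ("gw/acl_mode",           {"1"}, "TEC-03", "gateway must run in secure ACL mode"),
    ("gw/sec_info",           None,  "TEC-03", "gateway secinfo ACL file must be configured"),
    ("gw/reg_info",           None,  "TEC-03", "gateway reginfo ACL file must be configured"),
    ("rsau/enable",           {"1"}, "TEC-06", "Security Audit Log must be enabled"),
    ("rdisp/msserv_internal", None,  "TEC-07", "internal message server port must be separated"),
    ("ms/acl_info",           None,  "TEC-07", "message server ACL file must be configured"),
    ("ms/monitor",            {"0"}, "TEC-07", "external message server monitoring must be off"),
    ("snc/enable",            {"1"}, "TEC-11", "SNC must be enabled for encrypted communications"),
]

# Constructed instance profile fragment (not taken from any real system).
SAMPLE_PROFILE = """\
# constructed profile for this example
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
DIR_INSTANCE = /usr/sap/$(SAPSYSTEMNAME)/$(INSTANCE_NAME)
DIR_GLOBAL = /usr/sap/$(SAPSYSTEMNAME)/SYS/global
rsau/enable = 0
gw/acl_mode = 1
gw/sec_info = $(DIR_INSTANCE)/data/secinfo
ms/acl_info = $(DIR_GLOBAL)/ms_acl_info
ms/monitor = 1
snc/enable = 0
"""

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")
VAR_RE = re.compile(r"\$\(([A-Za-z0-9_]+)\)")


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter: value}; later definitions override earlier ones."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth reporting in a real audit
        name, value = m.groups()
        # Resolve $(VAR) against parameters defined so far; unknown ones stay literal.
        value = VAR_RE.sub(lambda v: params.get(v.group(1), v.group(0)), value)
        params[name] = value
    return params


@dataclass(frozen=True)
class Finding:
    tec: str
    parameter: str
    actual: Optional[str]   # None: the parameter is not set in the profile
    reason: str


def audit_profile(params: Dict[str, str]) -> List[Finding]:
    """Compare the parsed profile against CHECKS and return every deviation."""
    findings = []
    for name, acceptable, tec, reason in CHECKS:
        actual = params.get(name)
        if actual is None or (acceptable is not None and actual not in acceptable):
            findings.append(Finding(tec, name, actual, reason))
    return findings


def affected_tec_items(findings: List[Finding]) -> Set[str]:
    """The BIZEC TEC items that have at least one deviation."""
    return {f.tec for f in findings}


if __name__ == "__main__":
    for f in audit_profile(parse_profile(SAMPLE_PROFILE)):
        state = "not set" if f.actual is None else f"= {f.actual!r}"
        print(f"[{f.tec}] {f.parameter} {state}: {f.reason}")
```

Run after each Patch Day or configuration change, a diff of the findings between two runs shows exactly which administrator changes re-opened a risk. The CHECKS table is the place to encode the organization's own baseline; a value is not interpreted further here, so parameters whose files must also exist with sane contents (the ACL files) need a follow-up check on the file system.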
7.2. SAP Security - Who is responsible?
Unlike other systems or applications such as LDAP directories, Web servers and Domain controllers, in some organizations the security of SAP applications usually still falls under the domain of "The Business".
Therefore, this situation results in a clear segregation of duties inconsistency, where the officers in charge of securing the systems are the same ones who are responsible for verifying whether they are secure or not.
While it is acceptable that the organization's SAP teams are responsible for doing their best effort in protecting the SAP platform, it is highly important that the Information Security Manager / CISO department verifies whether the current security level matches the organization's defined risk appetite.
The following questions are aimed at serving as a starting point for further thinking about this situation in the reader's organization:
Is the SAP platform a black box for the Information Security team?
Does the Information Security team trust but verify?
Who will be ultimately responsible if there is a security breach in the SAP platform?
What if the SAP platform is compromised, not by a high-profile and complex attack, but rather as the result of the exploitation of a vulnerability that has been publicly known for several years?
8. CONCLUSIONS
Based on the author's field experience, it can be concluded that many SAP implementations are currently not properly protected and are exposed to high-impact attacks.
The most critical attack vectors comprise the exploitation of technical vulnerabilities and misconfigurations at the infrastructure layer of this platform, as many of them do not even require a valid user account in the target systems.
Over the last years, SAP has improved its internal security efforts and launched several initiatives to raise awareness of the importance of this subject among its customers. The challenge is now for customers to catch up and protect their systems holistically, reducing the likelihood of successful attacks against their business.
It is expected that the information presented in this document helps organizations to better identify their current security posture, understand existing risks and evaluate mitigation activities accordingly.
About Onapsis
Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global customers against espionage, sabotage and financial fraud threats.
Onapsis X1, the company's flagship product, is the industry's first comprehensive solution for the automated security assessment of SAP platforms. Being the first and only SAP-certified solution of its kind, Onapsis X1 allows customers to perform automated Vulnerability Assessments, Security & Compliance Audits and Penetration Tests over their entire SAP platform.
Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & ERP security experts who are continuously invited to lecture at the leading IT security conferences, such as RSA and BlackHat, and featured by mainstream media such as CNN, Reuters, IDG and the New York Times.
For further information about our solutions, please contact us at [email protected] and visit our website at www.onapsis.com.