ROB COOMBE RSSC, Swaziland Group CIO TUNDE OGUNKOYA DeltaGRiC Consulting (Pty) Ltd Consulting Partner, Africa Protecting your Crown Jewels in SAP - a cybersecurity perspective; Beyond SoD


Page 1: NAME SURNAME Company / Designation Session · PDF fileSOLMAN BI –BW on HANA ... server HANA for new SAP solutions. ... •Using the framework, make a plan to continually monitor

ROB COOMBE RSSC, Swaziland – Group CIO

TUNDE OGUNKOYA DeltaGRiC Consulting (Pty) Ltd – Consulting Partner, Africa

Protecting your Crown Jewels in SAP - a cybersecurity perspective; Beyond SoD

Page 2

Protecting your Crown Jewels in SAP - A cybersecurity perspective; - Beyond Segregation of Duties

An RSSC case study

Page 3

Agenda

• Introduction

• Rob Coombe, Royal Swaziland Sugar Corporation, Swaziland

• Tunde Ogunkoya, DeltaGRiC Consulting (Pty) Ltd, Africa

• Cyber Security in general, the application layer and SAP security myths

• Show me… Shodan, Trello etc.

• Situational awareness - SAP attacks globally

• The RSSC project; scope, initiation

• Vulnerability assessment

• Penetration testing

• 360 degrees of the SAP landscape

• Outcomes from the project: honest feedback from our landscape (Show me… landscape hack (already remediated))

• Learnings...

• Patch management, custom Z-programs, need for virtual patching -- certain vulnerabilities covered but not completely solved.

• Next steps for organizations

Page 4

Introduction

The Royal Swaziland Sugar Corporation farms 20 000 hectares of sugar, which is crushed in two mills producing over 430 000 tons of sugar. We also produce refined sugar and potable ethanol.

• 52 disparate systems

• No business visibility, difficult to achieve reliability

• Costs only available once a month, 15 days after month end

• 3 cane figures reported from three different sources – Agriculture, Manufacturing and Finance

• Planning done on a bespoke system

• Three weeks to adjust budgets for a single change in Agriculture

Technology risk: technologies were old, not documented, not supported.

RSSC – early adopters of SAP innovations – one of the first HANA implementations in Africa

Page 5

Introduction

HANA as a platform:

• ERP Suite – ECC6 EHP7

• Vistex – Agribusiness Solution (Farm Management)

• Payroll – Swaziland country version

• EHSM

• Project Systems

• TRM

• SOLMAN

• BI – BW on HANA

• Workforce Performance Builder

• GRC - Access Control

• ESS/MSS

• PI

800 users – 23 modules – all transactions which have a value occur in SAP

RSSC – early adopters of SAP innovations – one of the first HANA implementations in Africa

Page 6

Cyber Security challenge in organizations

But security investment is often not aligned with actual risks.

Page 7

SAP Security: Myth or Reality?

Certain misconceptions persist in most SAP CoEs

Page 8

Furthermore: some challenges

SAP Cyber-Security Gap

Management often has a false sense of confidence that they have SAP covered, while cybersecurity teams feel they have little to no visibility into SAP. It was also apparent that the SAP cyber-security gap is becoming more ambiguous because of asset-mapping issues: it is unclear who houses the “crown jewels” and whether they are being secured on a daily basis.

SAP Patch Management Debacle

On average, companies are working with an 18-month window of vulnerability. This window starts at the time a vulnerability is found and runs to when a patch is issued by SAP and finally deployed by the organization itself. Deployment is still the biggest problem organizations face. In fact, SAP has issued over 3300 patches in total, with 391 issued in 2014 alone. That is 30+ per month on average. With approximately 46% of patches ranked as “critical”, it is difficult for an organization to prioritize its patches without disruption to the business.

Misconfiguration

Companies are having a very difficult time keeping track of how systems are configured, let alone understanding their entire SAP landscape. An organization’s “crown jewels” reside within SAP, and misconfigured SAP systems and portals are open targets for any adversary. Even if systems have the latest patch installed, a misconfiguration will allow hackers to access key information and business processes. In most cases, an attacker’s presence will go unnoticed for months.

HANA / IoT

Organizations are moving to the new de-facto database server HANA for new SAP solutions. This changes everything, as organizations cannot view SAP as a “legacy” system. Organizations have also been told that with HANA they will be more secure; however, the fact is that since 2014 there has been a 450% increase in new security patches, with 82% considered “high priority”. Additionally, as organizations continue to advance their SAP systems with rapid application development, mobile deployments and connecting a multitude of different devices (think vending machines, water meters, etc.) to SAP via open APIs, an organization’s SAP attack surface is expanding at a rapid pace, let alone the complexity of managing security risks.

Perhaps some reasons why you see the last page and online servers.

Page 10

Show me: SHODAN / Trello

Many More … If you know where to search…

LinkedIn … Vulnerability Sites - NVD

Page 11

Vulnerability Life Cycle (diagram)

Stages: Vuln Introduced, Vuln Discovered, Exploits Published, National Vulnerability Database.

Defender track: You Find It, You FIX It. Attacker track: Hackers Hack.

Highest security risk: the race between you and the hackers.


Page 13

The project – RSSC Case Study

• Vulnerability assessment

• Misconfiguration checks – white-box testing

• Black-box testing

• Penetration testing – SAP MMC, SAP web services, default passwords, SAP Gateway, saprouttab, injections, privilege escalation… moving from SAP to the OS and from the database to SAP, as well as lateral movement from one SAP system to another.

• Z-code auditing

• Virtual patching necessary

• Need for continuous monitoring

Learnings – SoD accounts for less than 20% of what is needed to secure an SAP landscape.

Page 14

What do we need to Do?

ERPScan proprietary Framework

Page 15

Credit: EASSEC 2017 / ERPScan

Page 16

What should we be doing?

Technical

• Institute a credible cyber security framework that includes SAP.

• Note that security is a continuously shifting goal post (new vulnerabilities every day), and the Month 3 situation is not the same in Month 12.

• Using the framework, make a plan to continually monitor your SAP landscape. Perhaps implement the SAP ETD solution or other SIEM solutions like IBM QRadar with some ability to collect SAP logs.

• Check your ABAP custom Z code; statistics show that for every 1000 lines of code there will be at least 2 critical security risks and 4–7 medium risks.

Contracting / Admin

• Get a 3rd-party independent review of your SAP security, as you do for your process audits too.

• Separate your SAP security contract from your existing SAP contracts – you should not have the same partner being your goalkeeper, referee, coach and striker at the same time.

• Strict SLA to monitor deliverables in the scope of work set out.
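The monitoring point above (feeding SAP logs into a SIEM) and the earlier penetration-testing finding on default passwords meet in detection content. The following is an added example, not code from the talk or from RSSC: it runs a simple rule over constructed, simplified SAP-style logon audit events, flagging logons by the standard delivery accounts that ship with well-known default passwords and bursts of failed logons. The event layout, the threshold and the sample records are all constructed for this example.

```python
"""Added example: flag risky logon activity in SAP-style audit events.

The whitespace-separated layout below is constructed for this example and
is not the real SAP Security Audit Log format. AU1/AU2 are used here as
'logon successful' / 'logon failed' event codes for the sample.
"""
from collections import Counter

# SAP standard delivery accounts that ship with well-known default passwords.
STANDARD_ACCOUNTS = {"SAP*", "DDIC", "EARLYWATCH", "TMSADM", "SAPCPIC"}
FAILED_LOGON_THRESHOLD = 3  # failed logons per (client, user) before alerting

# Constructed sample events: date time client user terminal event-code
SAMPLE_EVENTS = """\
2017-05-02 08:01:10 100 JSMITH WS-0412 AU1
2017-05-02 08:01:55 000 SAP* 10.0.9.77 AU2
2017-05-02 08:02:03 000 SAP* 10.0.9.77 AU2
2017-05-02 08:02:11 000 SAP* 10.0.9.77 AU2
2017-05-02 08:02:20 000 SAP* 10.0.9.77 AU1
2017-05-02 08:15:42 100 DDIC WS-0412 AU1
2017-05-02 09:00:00 100 MNDLOVU WS-0211 AU2
"""


def parse_event(line):
    """Split one constructed audit line into a dict."""
    date, time, client, user, terminal, event = line.split()
    return {"ts": f"{date} {time}", "client": client, "user": user,
            "terminal": terminal, "event": event}


def analyse(raw):
    """Return a list of (severity, message) findings for the given events."""
    events = [parse_event(l) for l in raw.splitlines() if l.strip()]
    findings, failed = [], Counter()
    for e in events:
        key = (e["client"], e["user"])
        if e["event"] == "AU2":  # failed logon: count per client/user
            failed[key] += 1
            if failed[key] == FAILED_LOGON_THRESHOLD:
                findings.append(("medium", f"{failed[key]} failed logons for "
                                 f"{e['user']} in client {e['client']} from {e['terminal']}"))
        elif e["event"] == "AU1" and e["user"] in STANDARD_ACCOUNTS:
            # A standard account logging on is always worth a look; after a
            # burst of failures it looks like a guessed default password.
            sev = "high" if failed[key] >= FAILED_LOGON_THRESHOLD else "medium"
            findings.append((sev, f"standard account {e['user']} logged on in "
                             f"client {e['client']} from {e['terminal']}"))
    return findings


if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

On the sample the rule yields three findings: the failed-logon burst against SAP* in client 000, the subsequent successful SAP* logon rated high, and the DDIC logon rated medium; the single failed logon by MNDLOVU stays below the threshold.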

Page 17

THANK YOU

Further [email protected]@deltagricconsulting.com