TRANSCRIPT
ROB COOMBE RSSC, Swaziland – Group CIO
TUNDE OGUNKOYA DeltaGRiC Consulting (Pty) Ltd – Consulting Partner, Africa
Protecting your Crown Jewels in SAP - A cybersecurity perspective; Beyond Segregation of Duties (SoD)
An RSSC case study
Agenda
• Introduction
• Rob Coombe, Royal Swaziland Sugar Corporation, Swaziland
• Tunde Ogunkoya, DeltaGRiC Consulting (Pty) Ltd, Africa
• Cyber Security in General, Application Layer and SAP Security Myths
• Show Me… Shodan, Trello etc.
• Situational Awareness - SAP Attacks globally
• The RSSC Project: Scope, Initiation
• Vulnerability Assessment
• Penetration Testing
• 360 degrees of the SAP landscape
• Outcomes from the Project: Honest feedback from our landscape (Show Me… Landscape Hack (already remediated))
• Learnings...
• Patch Management, Custom Z-Programs, Need for Virtual Patching (certain vulnerabilities covered but not completely solved)
• Next Steps for organizations
Introduction
The Royal Swaziland Sugar Corporation farms 20 000 hectares of sugar cane, which is crushed in two mills producing over 430 000 tons of sugar. We also produce refined sugar and potable ethanol.
• 52 disparate systems
• No business visibility, difficult to achieve reliability
• Costs only available once a month, 15 days after month end
• 3 cane figures reported from three different sources – Agriculture, Manufacturing and Finance
• Planning done on a bespoke system
• Three weeks to adjust budgets for a single change in Agriculture
Technology Risk
Technologies were old, not documented, not supported.
RSSC – Early Adopters of SAP innovations – One of the first HANA implementations in Africa
• HANA as a platform
• ERP Suite – ECC6 EHP7
• Vistex – Agribusiness Solution (Farm Management)
• Payroll – Swaziland Country
• EHSM
• Project Systems
• TRM
• SOLMAN
• BI – BW on HANA
• Workforce Performance Builder
• GRC – Access Control
• ESS/MSS
• PI
800 users – 23 modules – all transactions which have a value occur in SAP
Cyber Security challenge in Organizations
RSSC is an early adopter of SAP innovations, but security investment is often not aligned with actual risks.
SAP Security: Myth or Reality?
Certain misconceptions in most SAP CoEs
SAP Cyber-Security Gap
Management often has a false sense of confidence that they have SAP covered, while cybersecurity teams feel they have little to no visibility into SAP. It was also apparent that the SAP cyber-security gap is becoming more ambiguous because of asset-mapping issues: it is unclear who houses the “crown jewels” and whether they are being secured on a daily basis.
SAP Patch Management Debacle
On average, companies are working with an 18-month vulnerability window. This window starts when a vulnerability is found, runs until a patch is issued by SAP, and ends when the patch is finally deployed by the organization itself. Deployment is still the biggest problem organizations face. SAP has issued over 3300 patches in total, with 391 issued in 2014 alone; that is 30+ per month on average. With approximately 46% of patches ranked as “critical”, it is difficult for an organization to prioritize its patches without disruption to the business.
Misconfiguration
Companies are having a very difficult time keeping track of how systems are configured, let alone understanding their entire SAP landscape. An organization’s “Crown Jewels” reside within SAP, and misconfigured SAP systems and portals are open targets for any adversary. Even if systems have the latest patch installed, a misconfiguration will allow hackers to access key information and business processes. In most cases, an attacker’s presence will go unnoticed for months.
HANA / IoT
Organizations are moving to the new de-facto database server, HANA, for new SAP solutions. This changes everything, as organizations can no longer view SAP as a “legacy” system. Organizations have also been told that with HANA they will be more secure; however, the fact is that since 2014 there has been a 450% increase in new security patches, with 82% considered “high priority”. Additionally, as organizations continue to advance their SAP systems with rapid application development, mobile deployments and connecting a multitude of different devices (think vending machines, water meters, etc.) to SAP via open APIs, an organization’s SAP attack surface is expanding at a rapid pace, and so is the complexity of managing security risks.
Furthermore: Some Challenges
Perhaps this is some of the reason why you see what follows on the next page: SAP servers online.
SAP Security: Myth or Reality?
Show me: SHODAN / Trello
Many More … If you know where to search…
LinkedIn … Vulnerability Sites - NVD
Vulnerability Life Cycle (figure): Vuln introduced → Vuln discovered → Exploits published → Hackers hack; on the defender's side: NVD entry → You find it → You fix it. The highest security risk lies between exploit publication and your fix: a race between you and hackers.
The project – RSSC Case Study
• Vulnerability Assessment: white-box misconfiguration checks, custom Z-code auditing, black-box testing
• Virtual patching necessary
• Need for continuous monitoring
• Penetration testing: SAP MMC, SAP web services, default passwords, SAP Gateway, saprouttab, injections, privilege escalation…
• Pivoting from SAP to OS, and from the database to SAP, as well as lateral movement from one SAP system to another.
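Two of the penetration-testing targets listed for the project, the saprouttab and the SAP Gateway, are governed by plain-text access tables whose most common weakness is a wildcard permit entry. The following Python script is an added example, not part of the presentation and not RSSC's or DeltaGRiC's tooling: it parses a saprouttab and gateway reginfo/secinfo tables and flags over-permissive entries, using the first-match semantics of those tables. The sample tables, the host name sapprd01 and the addresses are constructed for illustration; treating a missing TP or HOST key as a wildcard is an audit assumption, not a statement of the kernel default.

```python
"""Audit SAProuter (saprouttab) and SAP Gateway (reginfo/secinfo) access tables
for over-permissive entries.  Added example; the sample tables below are
constructed and are not from the presentation or the RSSC landscape."""
import re
from dataclasses import dataclass

# Constructed sample saprouttab.  Entry format: action source dest service [password]
# P = permit any protocol, S = permit SAP protocols only (DIAG/RFC), D = deny;
# K* variants additionally require SNC.  The first matching entry wins.
SAPROUTTAB = """\
# constructed sample saprouttab (not from the presentation)
P 10.0.0.0/24 sapprd01 3200
S 10.0.1.*    sapprd01 3300 s3cret
P *           sapprd01 50000
P 10.0.2.*    sapprd01 *
P *           *        *
D *           *        *
"""

# Constructed sample gateway ACLs (VERSION=2 syntax).  reginfo controls which
# hosts may register external programs; secinfo controls who may start them.
REGINFO = """\
#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=rfcexec HOST=sapprd01 ACCESS=internal CANCEL=internal
"""
SECINFO = """\
#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
P TP=sapxpg USER=* HOST=local USER-HOST=local
"""

SAP_PORT = re.compile(r"3[23]\d\d")  # 32NN = DIAG (dispatcher), 33NN = RFC (gateway)


@dataclass
class Finding:
    table: str
    line_no: int
    severity: str  # high / medium / low / info
    entry: str
    reason: str


def entries(text):
    """Yield (line_no, entry) with comments and blank lines stripped."""
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if entry:
            yield n, entry


def audit_saprouttab(text):
    findings = []
    catch_all = False  # an earlier entry already matches every connection
    for n, entry in entries(text):
        fields = entry.split()
        action = fields[0].upper()
        if len(fields) < 4:
            findings.append(Finding("saprouttab", n, "medium", entry,
                                    "malformed entry; expected: action source dest service [password]"))
            continue
        src, dst, svc = fields[1:4]
        if catch_all:  # first match wins, so this entry can never apply
            findings.append(Finding("saprouttab", n, "info", entry,
                                    "unreachable: an earlier entry matches every connection"))
            continue
        if action in ("D", "KD"):
            catch_all = (src, dst, svc) == ("*", "*", "*")
            continue
        if action not in ("P", "S", "KP", "KS"):
            findings.append(Finding("saprouttab", n, "medium", entry, f"unknown action {action!r}"))
            continue
        wild = [name for name, v in (("source", src), ("destination", dst), ("service", svc)) if v == "*"]
        if len(wild) == 3:
            findings.append(Finding("saprouttab", n, "high", entry,
                                    "permits any source to reach any host on any port"))
            catch_all = True
        elif "source" in wild:
            findings.append(Finding("saprouttab", n, "high", entry, f"any source host may reach {dst}:{svc}"))
        elif "service" in wild:
            findings.append(Finding("saprouttab", n, "medium", entry, f"every port on {dst} is reachable from {src}"))
        if action in ("P", "KP") and SAP_PORT.fullmatch(svc):
            findings.append(Finding("saprouttab", n, "low", entry,
                                    "P also permits native (non-SAP) protocols; use S if only DIAG/RFC is needed"))
    return findings


def audit_gateway_acl(table, text):
    """table is 'reginfo' (who may register programs) or 'secinfo' (who may start them)."""
    findings = []
    for n, entry in entries(text):
        fields = entry.split()
        if fields[0].upper() != "P":
            continue
        kv = {k.upper(): v for k, _, v in (f.partition("=") for f in fields[1:])}
        # Assumption for the audit: a missing TP or HOST key is treated as a wildcard.
        tp, host = kv.get("TP", "*"), kv.get("HOST", "*")
        if tp == "*" and host == "*":
            what = "register any program name" if table == "reginfo" else "start any program"
            findings.append(Finding(table, n, "high", entry, f"any host may {what} via the gateway"))
        elif host == "*":
            findings.append(Finding(table, n, "medium", entry, f"program {tp} is accepted from any host"))
        if table == "reginfo" and kv.get("ACCESS") == "*":
            findings.append(Finding(table, n, "medium", entry, f"any host may call the registered program {tp}"))
    return findings


def report(findings):
    """Return one printable line per finding, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return [f"[{f.severity:6}] {f.table}:{f.line_no}: {f.entry!r}: {f.reason}"
            for f in sorted(findings, key=lambda f: order[f.severity])]


if __name__ == "__main__":
    all_findings = (audit_saprouttab(SAPROUTTAB)
                    + audit_gateway_acl("reginfo", REGINFO)
                    + audit_gateway_acl("secinfo", SECINFO))
    print("\n".join(report(all_findings)))
```

Run it against copies of the live tables rather than the constructed samples (read the files and pass their text to the two audit functions). Because both the SAProuter and the gateway stop at the first matching entry, the order of entries matters as much as their content: a catch-all permit placed above a restrictive deny silently disables the deny, which is why the script reports the shadowed entry as well as the wildcard one.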
Learnings – SoD accounts for less than 20% of what is needed to secure a SAP landscape.
What do we need to do? (ERPScan proprietary framework; credit: EASSEC 2017 / ERPScan)
What should we be doing?
Technical
• Institute a credible cyber security framework that includes SAP.
• Note that security is a continuously shifting goal post (new vulnerabilities every day); the situation in month 3 is not the same in month 12.
• Using the framework, make a plan to continually monitor your SAP landscape. Perhaps implement the SAP ETD solution or other SIEM solutions such as IBM QRadar with some ability to collect SAP logs.
• Check your ABAP custom Z code; statistics show that for every 1000 lines of code there will be at least 2 critical security risks and 4–7 medium risks.
Contracting / Admin
• Get a 3rd-party independent review of your SAP security, as you do for your process audits too.
• Separate your SAP security contract from your existing SAP contracts – you should not have the same partner being your goalkeeper, referee, coach and striker at the same time.
• Strict SLA to monitor deliverables in the scope of work set out.
THANK YOU
Further [email protected]@deltagricconsulting.com