SAP security in figures
![Page 1: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/1.jpg)
Invest in security to secure investments
SAP Security in figures 2013
Alexander Polyakov CTO ERPScan
![Page 2: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/2.jpg)
About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
![Page 3: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/3.jpg)
Agenda
• SAP: Intro
• SAP: vulnerabilities
• SAP: threats from the Internet
• Critical SAP services
• Known incidents
• Future trends and predictions
• Conclusions
![Page 4: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/4.jpg)
SAP
• The most popular business application
• More than 240000 customers worldwide
• 86% of Forbes 500 run SAP
![Page 5: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/5.jpg)
Why SAP security?
• Espionage
– Stealing financial information
– Stealing corporate secrets
– Stealing supplier and customer lists
– Stealing HR data
• Sabotage
– Denial of service
– Modification of financial reports
– Access to the technology network (SCADA) through trust relations
• Fraud
– False transactions
– Modification of master data
![Page 6: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/6.jpg)
SAP Security
SAP Vulnerabilities
![Page 7: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/7.jpg)
Security notes by year
[Chart: number of SAP security notes per year, 2001-2013]
More than 2600 in total
![Page 8: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/8.jpg)
Security notes by criticality
[Charts: high-priority and low-priority vulnerabilities per year, 2009-2012, and the total number of security notes by priority]
Priority levels:
1 - HotNews
2 - Correction with high priority
3 - Correction with medium priority
4 - Correction with low priority
6 - Recommendations/additional info
By the end of April 2013
![Page 9: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/9.jpg)
Security notes by type
Top 10 vulnerabilities by type (share of security notes):
1 - XSS (25%)
2 - Missing authorisation check (22%)
3 - Directory traversal (20%)
4 - SQL injection (9%)
5 - Information disclosure (7%)
6 - Code injection (5%)
7 - Authentication bypass (4%)
8 - Hardcoded credentials (4%)
9 - Remote code execution (3%)
10 - Verb tampering (1%)
![Page 10: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/10.jpg)
Acknowledgments
Number of vulnerabilities found by external researchers:
• 2010 - 58
• 2011 - 107
• 2012 - 89
• 2013 - 52
The record share of vulnerabilities found by external researchers was broken in January 2013: 76%
[Chart: percentage of vulnerabilities found by external researchers, 2010-2013]
![Page 11: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/11.jpg)
Acknowledgments
• More interest from other companies
[Chart: number of already patched issues* per year, 2010-2012]
* Number of vulnerabilities that were sent to SAP but rejected because they had already been found by another company or by SAP's internal code review.
![Page 12: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/12.jpg)
SAP security talks at conferences
[Chart: number of SAP security talks at conferences per year, 2003-2013]
![Page 13: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/13.jpg)
Talks about:
• Common: SAP Backdoors, SAP Rootkits, SAP Forensics
• Services: SAP Gateway, SAP Router, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solution Manager, SAP TMS, SAP Management Console, SAP ICM/ITS
• Protocols: DIAG, RFC, SOAP (MMC), Message Server, P4
• Languages: ABAP Buffer Overflow, ABAP SQL Injection, J2EE Verb Tampering, J2EE Invoker Servlet
• Overview: SAP Cyber-attacks, Top 10 Interesting Issues, Myths about ERP
Almost every part of SAP has been hacked
![Page 14: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/14.jpg)
Top 5 SAP vulnerabiliEes 2012
1. SAP NetWeaver DilbertMsg servlet SSRF (June)
2. SAP HostControl command injection (May)
3. SAP SDM Agent command injection (November)
4. SAP Message Server buffer overflow (February)
5. SAP DIAG buffer overflow (May)
![Page 15: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/15.jpg)
SAP NetWeaver DilbertMsg servlet SSRF
Espionage: Critical
Sabotage: Critical
Fraud: Medium
Availability: Anonymously through the Internet
Ease of exploitation: Medium
Future impact: High (new type of attack)
CVSSv2: 10
Advisory: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/
Patch: SAP Note 1707494
Authors: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)
![Page 16: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/16.jpg)
SAP HostControl command injecEon
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously through the Internet
Ease of exploitation: Easy (a Metasploit module exists)
Future impact: Low (single issue)
CVSSv2: 10
Advisory: http://www.contextis.com/research/blog/sap-parameter-injection-no-space-arguments/
Patch: SAP Note 1341333
Author: Contextis
![Page 17: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/17.jpg)
SAP J2EE file read/write
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously
Ease of exploitation: Medium
Future impact: Low
CVSSv2: 10
Advisory: https://service.sap.com/sap/support/notes/1682613
Patch: SAP Note 1682613
Author: Juan Pablo
![Page 18: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/18.jpg)
SAP Message Server buffer overflow
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymous
Ease of exploitation: Medium. Good knowledge of exploit writing for multiple platforms is necessary
CVSSv2: 10.0
Advisory: http://www.zerodayinitiative.com/advisories/ZDI-12-112/
Patch: SAP Notes 1649840 and 1649838
Author: Martin Gallo
![Page 19: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/19.jpg)
SAP DIAG Buffer overflow
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Low. Trace must be on
Ease of exploitation: Medium
CVSSv2: 9.3
Advisory: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Patch: SAP Note 1687910
Author: Martin Gallo
![Page 20: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/20.jpg)
SAP Security
SAP and Internet
![Page 21: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/21.jpg)
SAP on the Internet
• Among people who work with SAP, a popular myth exists that SAP systems are inaccessible from the Internet, so all SAP vulnerabilities can only be exploited by an insider.
![Page 22: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/22.jpg)
SAP on the Internet
• Companies have SAP Portals, SAP SRMs, SAP CRMs remotely accessible
• Companies connect different offices (by SAP XI)
• Companies are connected to SAP (through SAP Router)
• SAP GUI users are connected to the Internet
• Administrators open management interfaces to the Internet for remote control
Almost all business applications have web access now
![Page 23: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/23.jpg)
Google search for web-based SAPs
• As a result of the scan, 695 unique servers with different SAP web applications were found (14% more than in 2011)
• 22% of previously found services were deleted
• 35% growth in the number of new services
![Page 24: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/24.jpg)
Google search by country
[Chart: SAP web servers by country (Top 20): Finland, Russia, Austria, Denmark, Mexico, Spain, Korea, Norway, Belgium, France, Canada, Brazil, Switzerland, Italy, Netherlands, China, United Kingdom, India, Germany, United States; scale 0-250 servers]
![Page 25: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/25.jpg)
Shodan scan
A total of 3741 servers with different SAP web applications were found
Share by application server:
• SAP NetWeaver J2EE - 41%
• SAP NetWeaver ABAP - 34%
• SAP Web Application Server - 20%
• Other (BusinessObjects, SAP Hosting, etc.) - 6%
[Chart: growth by application server since the previous scan; values shown range from +94% to -55%]
![Page 26: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/26.jpg)
Shodan scan by country
[Chart: growth of SAP web servers (Top 5): Mexico, Chile, India, China, Taiwan; scale 0-600%]
[Chart: SAP web servers by country (Top 20): Australia, Taiwan, Chile, Mexico, Denmark, Netherlands, Turkey, Canada, Switzerland, United Kingdom, Korea, China, France, Belgium, Brazil, Spain, India, Italy, Germany, United States; scale 0-1500 servers]
![Page 27: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/27.jpg)
Internet Census 2012 scan
• Not so legal project by the Carna Botnet
• As a result, 3326 IPs with SAP web applications
• SSL: 68%, no SSL: 32%
![Page 28: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/28.jpg)
SAP NetWeaver ABAP - versions
• 7.3 growth by 250%
• 7.2 growth by 70%
• 7.0 loss by 22%
• 6.4 loss by 45%
NetWeaver ABAP versions by popularity:
• 7.0 EHP 0 (Nov 2005) - 35%
• 7.0 EHP 2 (Apr 2010) - 23%
• 7.0 EHP 1 (Oct 2008) - 19%
• 7.3 (Jun 2011) - 11%
• 6.2 (Dec 2003) - 6%
• 6.4 (Mar 2004) - 5%
The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!
But security is getting better.
![Page 29: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/29.jpg)
NetWeaver ABAP – information disclosure
• Information about the ABAP engine version can be easily found by reading an HTTP response
• Detailed info about the patch level can be obtained if the application server is not securely configured
• An attacker can get information from some pages like /sap/public/info
6% (was 59%) of servers still have this issue
![Page 30: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/30.jpg)
SAP NetWeaver ABAP – critical services
• Execute dangerous RFC functions using HTTP requests
• NetWeaver ABAP URL: /sap/bc/soap/rfc
• There are several critical functions, such as:
– Read data from SAP tables
– Create SAP users
– Execute OS commands, make financial transactions, etc.
• By default, any user can have access to this interface and execute the RFC_PING command. So there are 2 main risks:
– If there is a default username and password, the attacker can execute numerous dangerous RFC functions
– If a remote attacker obtains any existing user credentials, they can execute a denial of service attack with a malformed XML packet
6% (was 40%) of ABAP systems on the Internet have the WebRFC service
![Page 31: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/31.jpg)
SAP NetWeaver J2EE - versions
• 7.31 growth from 0 to 3%
• 7.30 growth from 0 to 9%
• 7.02 growth by 67%
• 7.0 loss by 23%
• 6.4 loss by 40%
NetWeaver Java versions by popularity:
• NetWeaver 7.00 - 44%
• NetWeaver 7.01 - 25%
• NetWeaver 7.02 - 10%
• NetWeaver 7.30 - 9%
• NetWeaver 6.40 - 9%
• NetWeaver 7.31 - 3%
The most popular release (44%, previously 57%) is still NetWeaver 7.0, and it was released in 2005!
But security is getting better.
![Page 32: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/32.jpg)
NetWeaver J2EE – information disclosure
• Information about the J2EE engine version can be easily found by reading an HTTP response.
• Detailed info about the patch level can be obtained if the application server is not securely configured and allows an attacker to get information from some pages:
– /rep/build_info.jsp: 26% (61% last year)
– /bcb/bcbadmSystemInfo.jsp: 1.5% (17% last year)
– /AdapterFramework/version/version.jsp: 2.7% (a new issue)
![Page 33: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/33.jpg)
SAP NetWeaver J2EE – critical services
• NetWeaver J2EE URL: /ctc/ConfigTool (and 30 others)
• Can be exploited without authentication
• There are several critical functions, such as:
– Create users
– Assign a role to a user
– Execute OS commands
– Remotely turn the J2EE Engine on and off
• Was presented by us at BlackHat 2011
It was found that 50% (was 61%) of J2EE systems on the Internet have the CTC service enabled.
![Page 34: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/34.jpg)
SAP Security
From Internet to Intranet
![Page 35: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/35.jpg)
Disclaimer
* Some numbers are approximate (mostly lower than in the real world) because of the very high amount of resources needed to fully analyze the Internet for SAP services with detailed numbers. We use an optimized scan approach, which will be described in a whitepaper.
![Page 36: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/36.jpg)
SAP Router
• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
• Internet accessible (approximately 5000 IPs)
• http://www.easymarketplace.de/saprouter.php
Almost every third company has an SAP Router accessible from the Internet on the default port.
![Page 37: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/37.jpg)
SAP Router: known issues
• Absence of ACL – 15%
– Possible to proxy any request to any internal address
• Information disclosure about internal systems – 19%
– Denial of service by specifying many connections to any of the listed SAP servers
– Proxy requests to the internal network if there is no ACL
• Insecure configuration, authentication bypass – 5%
• Heap corruption vulnerability
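One practical check for the first of these issues, as an added example that is not the deck's or ERPScan's code: a small audit of the SAP Router route permission table (saprouttab) that ranks permit rules by how much of the internal network they open. It assumes the standard saprouttab syntax (one rule per line: action P, S or D, then source host, destination host, destination service and an optional route password; `*` is a wildcard and `#` starts a comment); the table in the block is constructed.

```python
"""Audit an SAP Router route permission table (saprouttab) for rules that
leave the router without an effective ACL.  Added example, not ERPScan's
code.  Assumed syntax: '<action> <source> <dest> <service> [password]',
action P = permit, S = permit over SNC only, D = deny (KP/KS/KD for the
SNC-enabled variants), '*' = wildcard, '#' = comment."""
from typing import List, NamedTuple

PERMIT, PERMIT_SNC, DENY = ("P", "KP"), ("S", "KS"), ("D", "KD")


class Rule(NamedTuple):
    line_no: int
    action: str
    source: str
    dest: str
    service: str
    has_password: bool


class Finding(NamedTuple):
    line_no: int
    severity: str
    message: str


def parse_saprouttab(text: str) -> List[Rule]:
    """Parse the table; a malformed line raises so the audit never skips it silently."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() not in PERMIT + PERMIT_SNC + DENY:
            raise ValueError(f"line {n}: unrecognised route entry {raw!r}")
        rules.append(Rule(n, parts[0].upper(), parts[1], parts[2], parts[3],
                          len(parts) > 4))
    return rules


def _is_wild(field: str) -> bool:
    """'*' or a host pattern ending in '.*' matches more than one host."""
    return field == "*" or field.endswith(".*")


def audit(rules: List[Rule]) -> List[Finding]:
    """Rank permit rules by how much of the internal network they expose."""
    findings = []
    for r in rules:
        if r.action in DENY:
            continue
        if r.source == "*" and _is_wild(r.dest) and r.service == "*":
            findings.append(Finding(r.line_no, "HIGH",
                "permit-all rule: any client can proxy any request to any internal address"))
        elif _is_wild(r.dest) or r.service == "*":
            findings.append(Finding(r.line_no, "MEDIUM",
                "wildcard destination or service: permitted sources can reach arbitrary internal hosts/ports"))
        elif r.source == "*" and r.action in PERMIT:
            findings.append(Finding(r.line_no, "LOW",
                "Internet-wide permit without SNC: the target is reachable by any client in clear"))
        if r.has_password:
            findings.append(Finding(r.line_no, "INFO",
                "route password stored in clear text in the table"))
    return findings


# Constructed table for this example; every line after the first is a rule.
SAMPLE_TABLE = """# constructed saprouttab
P * * *                      # leftover permit-all: the 'absence of ACL' case
P 10.0.* sapprd01 3200       # internal clients to one dispatcher port
S * sapprd01 3200            # any client, but only over SNC
P 192.168.* 10.1.* *         # partner network may reach any host and port
P * sapprd02 3299 s3cret     # clear-text, password-protected route
D * * *                      # explicit catch-all deny
"""

if __name__ == "__main__":
    for f in audit(parse_saprouttab(SAMPLE_TABLE)):
        print(f"line {f.line_no:>2} [{f.severity}] {f.message}")
```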
![Page 38: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/38.jpg)
Port scan results
• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not
• In 2011, we ran a global project to scan all of the Internet for SAP services
• It is not completely finished yet, but we have the results for the top 1000 companies
• We were shocked when we saw them first
![Page 39: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/39.jpg)
Port scan results
[Chart: exposed services in 2011 vs 2013 (scale 0-35) for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server and SAP Router]
Listed services should not be accessible from the Internet
![Page 40: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/40.jpg)
SAP HostControl service
• SAP HostControl is a service which allows remote control of SAP systems
• There are some functions that can be used remotely without authentication
• Issues:
– Read developer traces with passwords
– Remote command injection
• About every 120th (was 20th) company is vulnerable REMOTELY
• About 35% of assessed systems locally
![Page 41: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/41.jpg)
SAP Management Console
• SAP MMC allows remote control of SAP systems
• There are some functions that can be used remotely without authentication
• Issues:
– Read developer traces with passwords
– Read logs with JSESSIONIDs
– Read information about parameters
• About every 40th (was 11th) company is vulnerable REMOTELY
• About 80% of systems locally
![Page 42: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/42.jpg)
SAP Message Server
• SAP Message Server – load balancer for application servers
• Usually, this service is only available inside the company
• By default, the server is installed on port 36NN
• Issues:
– Memory corruption
– Information disclosure
– Unauthorized service registration (MITM)
• About every 60th (was every 10th) company is vulnerable REMOTELY
• About 50% of systems locally
![Page 43: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/43.jpg)
SAP Message Server HTTP
• HTTP port of the SAP Message Server
• Usually, this service is only available inside the company
• By default, the server is installed on port 81NN
• Issue: unauthorized read of profile parameters
• About every 60th (was every 10th) company is vulnerable REMOTELY
• About 90% of systems locally
![Page 44: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/44.jpg)
SAP Dispatcher service
• SAP Dispatcher - client-server communications
• It allows connecting to SAP NetWeaver using the SAP GUI application through the DIAG protocol
• Should not be available from the Internet in any way
• Issues:
– There are a lot of default users that can be used to connect and fully compromise the system remotely
– Also, there are memory corruption vulnerabilities in the Dispatcher
• About every 20th (was 6th) company is vulnerable REMOTELY
![Page 45: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/45.jpg)
But who actually tried to exploit it?
![Page 46: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/46.jpg)
Known internal fraud incidents
• Exploit market interest
• Anonymous attacks
• Insider attacks
• Evil subcontractors and ABAP backdoors
![Page 47: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/47.jpg)
Market Interest
• Whitehat buyers and sellers
– Companies like ZDI buy exploits for SAP
– In 2012 alone, ZDI published 5 critical SAP issues
• Whitehat buyers and different sellers
– Companies who trade 0-days say that there is interest from both sides
• Black market
– Anonymous attack? Why not?
![Page 48: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/48.jpg)
Market Interest
![Page 49: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/49.jpg)
Anonymous attack
Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”
• This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
![Page 50: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/50.jpg)
Insider ahacks
• The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.
• Real examples that we have met:
– Salary modification
– Material management fraud
– Mistaken transactions
![Page 51: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/51.jpg)
Evil subcontractors and ABAP Backdoors
• They exist!
• Sometimes it is possible to find them
![Page 52: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/52.jpg)
What had happened already?
• AutoCAD virus (industrial espionage) – http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html
• Internet-trading virus (fraud) – Ranbyus modification for QUICK – http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
• News resources hacking (sabotage) – http://www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html
![Page 53: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/53.jpg)
What can be
Just imagine what could be done by breaking:
• One SAP system
• All SAP systems of a company
• All SAP systems in a particular country
• Everything
![Page 54: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/54.jpg)
SAP strategy in app security
• Now security is the number 1 priority for SAP
• Implemented its own internal security process (SDLC)
• Security summits for internal teams
• Internal trainings with external researchers
• Strong partnership with research companies
• Investments in the automatic and manual security assessment of new and old software
![Page 55: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/55.jpg)
Future threats and predictions
• Old issues are being patched, but a lot of new systems have vulnerabilities
• The number of vulnerabilities per year is going down compared to 2010, but they are more critical
• The number of companies who find issues in SAP is growing
• There are still many uncovered areas in SAP security
• SAP forensics can be a new research area because it is not easy to find evidence now, even if it exists
![Page 56: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/56.jpg)
Forensics as a new trend for 2013
• If there are no attacks, it doesn't mean anything
• Companies don't like to share information about data compromise
• Companies don't have the ability to identify an attack
• Only 10% of systems use the security audit log in SAP
• Only 2% of systems analyze them
• Only 1% do correlation and deep analysis
* Based on the assessment of over 250 servers of companies that allowed us to share results
![Page 57: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/57.jpg)
Forensics as a new trend for 2013
• ICM log (icm/HTTP/logging_0): 70%
• Security audit log in ABAP: 10%
• Table access logging (rec/client): 4%
• Message Server log (ms/audit): 2%
• SAP Gateway access log: 2%
* Based on the assessment of over 250 servers of companies that allowed us to share results.
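As an added example that is neither the deck's nor ERPScan's code, here is how the ICM HTTP log that most of the assessed systems already keep can be read to detect the probes the earlier slides describe: hits on the version-disclosure pages, on WebRFC and on CTC. It assumes icm/HTTP/logging_0 writes Common Log Format (LOGFORMAT=CLF) and that internal clients use RFC 1918 addresses; the log lines in the block are constructed.

```python
"""Spot the probes the earlier slides describe in the ICM HTTP log.
Added example, not ERPScan's code.  Assumes icm/HTTP/logging_0 writes
Common Log Format (LOGFORMAT=CLF); the log lines below are constructed."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Paths named in the deck and what a hit on them tells a defender.
WATCHED_PATHS: Dict[str, str] = {
    "/sap/public/info": "ABAP version disclosure",
    "/rep/build_info.jsp": "J2EE patch-level disclosure",
    "/bcb/bcbadmSystemInfo.jsp": "J2EE patch-level disclosure",
    "/AdapterFramework/version/version.jsp": "J2EE patch-level disclosure",
    "/sap/bc/soap/rfc": "WebRFC: RFC functions over HTTP",
    "/ctc/ConfigTool": "CTC: J2EE administration service",
}
WEBRFC = "/sap/bc/soap/rfc"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLF = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')


class Alert(NamedTuple):
    source: str
    external: bool     # True when the client is not an RFC 1918 address
    category: str
    path: str
    detail: str


def parse_clf(line: str) -> Optional[dict]:
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # compare without the query string
    return rec


def is_external(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True   # a hostname instead of an IP: treat as unknown, i.e. external
    return not any(addr in net for net in RFC1918)


def analyze(log_text: str, failure_threshold: int = 2) -> List[Alert]:
    """One alert per hit on a watched path; WebRFC 401s are counted per client
    so that a burst of failures, and a success right after them, stand out."""
    alerts: List[Alert] = []
    rfc_failures: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        host, path, status = rec["host"], rec["path"], rec["status"]
        hit = next((p for p in WATCHED_PATHS if path == p or path.startswith(p + "/")), None)
        if hit is None:
            continue
        cat, ext = WATCHED_PATHS[hit], is_external(host)
        if hit == WEBRFC and status == 401:
            rfc_failures[host] += 1
            if rfc_failures[host] == failure_threshold:
                alerts.append(Alert(host, ext, cat, path,
                                    f"{failure_threshold} authentication failures: credential guessing?"))
            continue
        if hit == WEBRFC and status == 200 and rfc_failures[host] >= failure_threshold:
            alerts.append(Alert(host, ext, cat, path,
                                f"successful call after {rfc_failures[host]} authentication failures"))
            continue
        alerts.append(Alert(host, ext, cat, path, f"HTTP {status}"))
    return alerts


SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:02:11 +0200] "GET /sap/public/info HTTP/1.1" 200 1342
203.0.113.7 - - [12/Apr/2013:10:02:13 +0200] "GET /rep/build_info.jsp HTTP/1.1" 200 887
198.51.100.23 - - [12/Apr/2013:10:05:40 +0200] "POST /sap/bc/soap/rfc HTTP/1.1" 401 0
198.51.100.23 - - [12/Apr/2013:10:05:41 +0200] "POST /sap/bc/soap/rfc HTTP/1.1" 401 0
198.51.100.23 - - [12/Apr/2013:10:05:42 +0200] "POST /sap/bc/soap/rfc HTTP/1.1" 200 512
10.20.30.40 - jdoe [12/Apr/2013:10:07:02 +0200] "GET /irj/portal HTTP/1.1" 200 20311
203.0.113.7 - - [12/Apr/2013:10:09:55 +0200] "GET /ctc/ConfigTool HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.source:<14} {'EXT' if a.external else 'INT'} {a.category}: {a.path} ({a.detail})")
```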
![Page 58: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/58.jpg)
Conclusion
• (-) The interest in SAP platform security has been growing exponentially, and not only among whitehats
• (+) SAP security in the default configuration is getting much better now
• (-) SAP systems can become a target not only for direct attacks (for example APT) but also for mass exploitation
• (+) SAP invests money and resources in security, provides guidelines, and arranges conferences
• (-) Unfortunately, SAP users still pay little attention to SAP security
• (+) I hope that this talk and the report that will be published next month will prove useful in this area
![Page 59: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/59.jpg)
Conclusion
Issues are everywhere, but the risks and the price of mitigation differ
![Page 60: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/60.jpg)
Conclusion
I'd like to thank the SAP Product Security Response Team for their great cooperation in making SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
End of October – release of “SAP Security in Figures 2013”
![Page 61: SAP security in figures](https://reader030.vdocument.in/reader030/viewer/2022032513/55d20751bb61ebd61a8b45dd/html5/thumbnails/61.jpg)
Conclusion
We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you think that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
Web: www.erpscan.com, www.dsecrg.com
E-mail: [email protected], [email protected]