soteria cybersecurity healthcheck-fb01
Post on 09-Apr-2017
Soteria Health Check
A Cyber Security Health Check for SAP systems
Members of the UK cyber security forum
Security Health Check… is an ideal introductory service for firms who have not used us before. It is a very practical and economical means of checking the thoroughness and quality of our work, whilst getting another perspective on your cyber security profile, and it can uncover a range of network, system, database and administrative vulnerabilities which you may wish to address.
Soteria Health Check typically takes 8-10 days to complete and concludes with your being presented with a Cyber Security Health Check report. At that point you can decide how you wish to progress.
Soteria Cyber Security… are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum.
Contents
• Overview: Soteria Health Check
• UK Cyber Essentials scheme
• OWASP Cyber Security Vulnerabilities
• Other Cyber Security Considerations
• Cyber Security Health Check Report
• SAP Specific Penetration testing
• Contact details
Overview: Soteria Health Check
Soteria’s Health Check is an efficient means of evaluating your organisation’s current security profile against recognised security risks.
Vulnerability Assessment
We utilise 3rd party tools such as NMAP and Nessus to perform vulnerability tests to reveal open ports and accessible services which could be exploited by hackers.
Access Control
We scrutinise user and system accounts looking for excessive or accumulated privileges, default passwords and poor password maintenance etiquette. We also use applications like Websecurify and Nikto to identify vulnerabilities in web servers.
Patch Management
We examine the security patch management of your SAP® systems looking for any important omissions, and likewise the patching of your network and client-based anti-virus software.
Attack vector review
We review the most common prevailing web-enabled cyber-attack vectors as categorised by the OWASP top ten, and examine your organisation’s defence profile against each attack type, e.g. injection, XSS, CSRF, buffer overflows and man-in-the-middle.
SAP Specific Penetration Testing (optional)
We conduct a SAP specific penetration test, which has been tailored to look for classic SAP vulnerabilities, including RFC connections, gateway servers, interrogating SAP data packages, and standard SAP admin accounts.
UK Cyber Essentials scheme – Copyright: Open Government Licence v3.0
We will step through the UK Government Cyber Essentials Scheme, rating your compliance with every step.
OWASP Cyber Security Vulnerabilities
A1 – Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
Validate input to SAP® fields and remove/escape illegal characters. The OWASP preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.
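The two options above side by side, as an added example that is not part of the Soteria brochure or any SAP API: a user lookup that concatenates untrusted input into the query text, the same lookup through the driver's parameterized interface (the "safe API" OWASP prefers), and an allowlist check on the field itself. The SQLite table, the user rows and the hostile input are constructed for the example.

```python
"""Added example (not from the Soteria brochure): SQL injection in a
user lookup, shown as a vulnerable string-built query beside the
parameterised form that OWASP recommends. Uses an in-memory SQLite
database with constructed sample rows; no SAP API is involved."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory table of users (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "basis_admin"), ("bob", "analyst")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Concatenates untrusted input into the query text: the interpreter
    cannot tell data from command, so a quote in `name` rewrites the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Binds the value through the driver's placeholder API; the input is
    only ever treated as a string literal, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def validate_username(name: str) -> bool:
    """Defence in depth: an allowlist check on the field itself (the
    brochure's 'remove/escape illegal characters' step). Letters, digits
    and underscore only, 1 to 32 characters."""
    return 1 <= len(name) <= 32 and name.replace("_", "").isalnum()


HOSTILE = "x' OR '1'='1"   # constructed malicious input for the demo

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", lookup_vulnerable(db, HOSTILE))     # every row
    print("parameterised: ", lookup_parameterised(db, HOSTILE))  # no rows
    print("field check:   ", validate_username(HOSTILE))         # False
```

The parameterised query returns nothing for the hostile value because the driver sends it as a bound literal; the field check is an independent second layer, not a substitute for the first.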
A2 – Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.
The SAP NetWeaver® platform features central routines for user authentication and single sign-on that cannot be bypassed. Different authentication strengths can be configured, such as user/password or digital certificates, and certified interfaces exist to plug-in partner solutions.
Create a whitelist / blacklist in the sqlnet.ora file for host names or IP addresses.
Review the REMOTE_OS_AUTHENT parameter setting for remote database access.
A3 – Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Apply input validation and the SAP Secure Programming Guidelines®. BSP/HTMLB or WebDynpro should be used in combination with ACL whitelists.
A4 – Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):
1. Use per user or session indirect object references. This prevents attackers from directly targeting unauthorized resources.
2. SAP Access Control®. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
A5 – Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date.
Configure to a level that provides a baseline security using standard SAP settings. Develop a consistent system hardening process and regular software updates. Development, QA, and production environments should all be configured identically. Tasks include: ensure ports and services that are not required are closed, restrict access to BASIS functions, access and identity management and security patch management.
Adopt a strong SAP® application architecture that provides good separation and security between components.
Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.
A6 – Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax ids, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
Do all of the following, at a minimum:
1. Consider the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit.
2. Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.
3. Ensure strong standard algorithms and strong keys are used, and proper key management is in place.
4. Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.
5. Disable autocomplete on forms collecting sensitive data and disable caching for pages displaying sensitive data.
A7 – Missing Function Level Access Control
Virtually all web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access unauthorized functionality.
SAP provides a consistent and easily analysable authorization module that is invoked from all your business functions.
1. Configure the process for managing entitlements and ensure you can update and audit easily. Don’t hard code.
2. The enforcement mechanism denies all access by default, requiring explicit grants to specific roles for access to every function.
3. Workflow conditions need to be in the proper state to allow access.
NOTE: Most web applications don’t display links and buttons to unauthorized functions, but this “presentation layer access control” doesn’t actually provide protection. You must also implement checks in the controller or business logic.
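The A4 and A7 advice share one idea, a server-side check that does not trust what the client was shown, so this added example (not the brochure's or SAP's code) covers both on one constructed policy table: per-session indirect object references with an ownership check when they are resolved (A4, point 1 and 2), and a function-level enforcement wrapper that denies by default and needs an explicit role grant for every function (A7, point 2). The users, roles, documents and function names are sample data invented for the example.

```python
"""Added example (not from the brochure or SAP): server-side access
control for OWASP A4 and A7 on one constructed policy table.
  A4: a browser only ever sees random, session-scoped tokens, never the
      internal document key, and resolving a token re-checks ownership.
  A7: every business function is wrapped in a deny-by-default check that
      needs an explicit role grant, whatever the UI chose to display.
All users, roles, documents and functions are sample data."""
import secrets

# constructed data: internal document key -> owning user
DOCUMENTS = {1001: "alice", 1002: "bob"}
# constructed role grants (A7): a function with no entry here is denied
GRANTS = {"view_document": {"analyst", "basis_admin"},
          "change_role": {"basis_admin"}}
USER_ROLES = {"alice": {"analyst"}, "bob": {"analyst"},
              "carol": {"basis_admin"}}


class Forbidden(Exception):
    """Raised by every denied access; callers map it to HTTP 403."""


def is_authorised(user: str, function: str) -> bool:
    """Deny by default: unknown function, unknown user or no role in
    the grant set all evaluate to False."""
    allowed = GRANTS.get(function, set())
    return bool(USER_ROLES.get(user, set()) & allowed)


def require(function: str):
    """Decorator enforcing the function-level check on the server side
    (A7), independent of any links or buttons the UI showed."""
    def wrap(fn):
        def inner(user, *args, **kwargs):
            if not is_authorised(user, function):
                raise Forbidden(f"{user} may not call {function}")
            return fn(user, *args, **kwargs)
        return inner
    return wrap


class Session:
    """Per-session map from opaque reference -> internal key (A4)."""

    def __init__(self, user: str):
        self.user = user
        self._refs = {}

    def reference_for(self, internal_key: int) -> str:
        """Issue an unpredictable token that is only valid in this session."""
        token = secrets.token_urlsafe(16)
        self._refs[token] = internal_key
        return token

    def resolve(self, token: str) -> int:
        """Translate a token back, then apply the access control check
        on the resolved object (A4, point 2): the user must own it."""
        key = self._refs.get(token)
        if key is None or DOCUMENTS.get(key) != self.user:
            raise Forbidden("unknown reference or not the owner")
        return key


@require("view_document")
def view_document(user: str, session: Session, token: str) -> str:
    return f"document {session.resolve(token)} of {user}"


@require("change_role")
def change_role(user: str, target: str, role: str) -> set:
    USER_ROLES.setdefault(target, set()).add(role)
    return USER_ROLES[target]


if __name__ == "__main__":
    s = Session("alice")
    ref = s.reference_for(1001)
    print(view_document("alice", s, ref))          # allowed: analyst, owner
    try:
        change_role("alice", "bob", "basis_admin")  # no grant for analysts
    except Forbidden as exc:
        print("denied:", exc)
```

A token issued in one session means nothing in another, so a guessed or copied reference fails before any data is touched, and a function that was simply never added to the grant table is unreachable regardless of how the request was forged.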
A8 – Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
Preventing CSRF usually requires the inclusion of an unpredictable token in each HTTP request. Such tokens should, at a minimum, be unique per user session.
The preferred option is to include the unique token in a hidden field. This causes the value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is subject to exposure.
The unique token can also be included in the URL itself, or a URL parameter. However, such placement runs the risk that the URL will be exposed to an attacker, thus compromising the secret token.
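The hidden-field pattern described above, as an added example that is not part of the brochure and uses no web framework: a per-session random token is issued once, rendered into a hidden form field, and a state-changing request is rejected unless the submitted token matches the session's token in constant time. Sessions and requests are plain dictionaries constructed for the example; the form action and field names are invented.

```python
"""Added example (not the brochure's code): the synchroniser-token
pattern for CSRF. One unpredictable token per session, carried in a
hidden field so it travels in the request body, and verified on the
server with a constant-time comparison. Sessions and requests are
constructed dicts standing in for a web framework."""
import hmac
import html
import secrets

SESSIONS = {}   # constructed stand-in for server-side session storage


def new_session(user: str) -> str:
    """Create a session whose CSRF token is random and unique to it."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """Preferred placement: a hidden field, so the token is sent in the
    body rather than in a URL that may be logged, bookmarked or leaked."""
    token = html.escape(SESSIONS[sid]["csrf"], quote=True)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>')


def handle_post(request: dict) -> tuple:
    """request = {'cookie_sid': ..., 'form': {...}}; returns (status, body).
    The cookie identifies the session; only the token proves the request
    came from a page this application served."""
    session = SESSIONS.get(request.get("cookie_sid"))
    if session is None:
        return 401, "no session"
    submitted = request.get("form", {}).get("csrf_token", "")
    # compare_digest keeps the comparison constant-time; an absent token
    # (empty string) can never match
    if not submitted or not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"transfer of {request['form'].get('amount')} by {session['user']}"


def forged_request(sid: str) -> dict:
    """What a cross-site page can make the browser send (constructed):
    the session cookie is attached automatically, but the attacker's
    page cannot read the hidden field, so no valid token is present."""
    return {"cookie_sid": sid, "form": {"amount": "999"}}


def legitimate_request(sid: str) -> dict:
    """A submission of the form rendered by render_form (constructed)."""
    return {"cookie_sid": sid,
            "form": {"amount": "10", "csrf_token": SESSIONS[sid]["csrf"]}}


if __name__ == "__main__":
    sid = new_session("alice")
    print(render_form(sid))
    print(handle_post(legitimate_request(sid)))   # (200, ...)
    print(handle_post(forged_request(sid)))       # (403, ...)
```

The token is tied to the session on the server, so a token obtained from a different session (for instance the attacker's own) is rejected as well; that is the "unique per user session" minimum the text asks for.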
A9 – Using Known Vulnerable Components
Vulnerable components, such as libraries, frameworks, and other software modules almost always run with full privilege. So, if exploited, they can cause serious data loss or server takeover. Applications using these vulnerable components may undermine their defences and enable a range of possible attacks and impacts.
Ensure that you keep your components up-to-date. Many open source projects (and other component sources) do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version.
A10 – Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
Safe use of redirects and forwards can be done in a number of ways:
• Simply avoid using redirects and forwards.
• If used, don’t involve user parameters in calculating the destination. This can usually be done.
• If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorised for the user.
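The third option, validating a supplied destination, as an added example that is not part of the brochure: only same-site paths or hosts on an explicit allowlist are accepted, and anything else falls back to a fixed safe page. It goes a little beyond the text by also refusing the forms that parsers and browsers read differently (protocol-relative `//host`, triple-slash, backslashes, control characters, `user@host` prefixes), because those are how a "relative path" check is usually defeated. The allowlisted host names and the default page are constructed.

```python
"""Added example (not the brochure's code): validating a user-supplied
redirect destination against an allowlist. Accepts a same-site path or
an http(s) URL to an allowlisted host; everything else, including the
shapes that browsers and URL parsers interpret differently, falls back
to SAFE_DEFAULT. Host names and default page are constructed values."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"portal.example.com", "sso.example.com"}   # constructed
SAFE_DEFAULT = "/home"                                       # constructed


def safe_redirect_target(candidate: str) -> str:
    """Return `candidate` if it is a safe destination, else SAFE_DEFAULT."""
    if not candidate or candidate != candidate.strip():
        # empty, or leading/trailing whitespace that some parsers drop
        return SAFE_DEFAULT
    if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
        # backslashes and control characters are normalised differently
        # by browsers and server-side parsers; refuse rather than guess
        return SAFE_DEFAULT

    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # relative destination: exactly one leading slash on the raw
        # string; "//host" is protocol-relative and "///host" is read
        # as an authority by browsers even though urlsplit sees a path
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return SAFE_DEFAULT

    if parts.scheme not in ("http", "https"):
        return SAFE_DEFAULT            # javascript:, data:, ftp: ...
    if parts.username or parts.password:
        return SAFE_DEFAULT            # "trusted.host@evil.host" confusion
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return SAFE_DEFAULT
    return candidate


if __name__ == "__main__":
    for sample in ["/dashboard?tab=1", "https://portal.example.com/app",
                   "//evil.example/", "///evil.example", "/\\evil.example",
                   "https://portal.example.com@evil.example/"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)}")
```

Returning a fixed page instead of an error keeps the user flow intact while removing the attacker's control over the destination; the allowlist is a deliberate choice over a denylist, since new hostile shapes keep appearing and only the expected destinations are finite.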
Other Cyber Security Considerations
Virus and Malware
Virus Protection is required as a baseline security measure.
The SAP Virus Scan Interface® has built in scanning for:
• GUI_UPLOAD in the SAP ABAP Stack
• HTTP_UPLOAD (BSP)
• File Upload of WebDynpro for Java.
Secure Remote Function Calls (RFCs)
Default RFC communication is performed in clear-text exposing data and log on information to network sniffing.
SAP has released a number of patches for the RFC library and Secure Network Communications® (SNC) can be used to encrypt network traffic.
Access to transaction SM59 and table RFCDES should be reviewed, and authorisation object S_RFCACL can improve the security of trusted RFC calls.
Secure configuration of the Gateway Server
Man In The Middle Attacks can involve the manipulation of RFC calls that are intended for a legitimate external server before returning the results to the requesting client through the Gateway. Such an attack could be used to modify RFC requests and the data returned to SAP systems.
Monitor / disable remote access to the Gateway Server that controls traffic between SAP and external systems.
Buffer Overflow
Buffer overflows are a common attack vector to introduce malicious code to an application.
Use the SAP Secure Programming Guidelines® to provide input validation of custom code, and conduct detailed reviews to discover and eliminate buffer overflow problems in custom code for the web-facing technology components of SAP NetWeaver® (SAP Web Application Server®, SAP Internet Transaction Server®, and SAP Enterprise Portal®). Consider penetration testing.
Java script attacks against the sandbox
Internet browsers can open vulnerabilities to the application. Java is open source code that is vulnerable to reverse engineering.
Controls can include disabling Java in the browser and using separate browsers for Java based web applications. Disable unnecessary services. Consider the SAP White Paper recommendations to prevent a Java attack.
Program errors
Insecure custom code can introduce security vulnerabilities.
SAP Secure Programming Guidelines® can ensure a basic level of code security to counter problems such as race conditions, inadvertent information disclosure in error messages and anonymous web browsing.
Controlling SAP Users
SAP® has numerous default users and passwords that require secure configuration.
Administrators should change the default passwords of standard users and design control strategies for all privileged default users.
Password Security
Password security can be compromised by software tools to decrypt passwords.
Standard SAP® password security can be enhanced by disallowing backwards compatibility in the CDVN1 hashing algorithm.
Backdoors and Rootkits
Backdoors and rootkits are often very difficult to detect in the thousands of lines of code in typical application software.
SAP Code Inspector® can be used to guard against backdoors and rootkits in critical programs.
Secure Web services
Web services should be hardened in line with SAP recommendations.
Customise error pages so they do not display sensitive system information about the target system such as hostname, SSID and system number.
Disable unnecessary services and follow the SAP security recommendations® in the guide Secure Configuration, SAP Netweaver Application Server ABAP®.
Secure the SAP GUI® and web clients
Potential buffer overflow vulnerabilities have been identified and have been addressed by SAP patches. Web clients can be vulnerable to phishing attacks.
SAP GUI® should be patched or upgraded against known buffer overflow vulnerabilities. Consider disabling SAP GUI scripting and virtualisation options.
Phishing attacks can be addressed by user education, using SSL/TLS to enable users to identify legitimate websites, URL filtering to block malicious sites, and hardening, upgrading and patching Internet browsers.
Regulatory and Standards Considerations
Frameworks such as the ISO27000 series and CobiT 5 are positive for the assurance of stakeholders and customers.
Implementing security best practice can help achieve compliance with regulations and achievement of IT Security certification.
Cyber Security Health Check Report
Upon completion a report will be issued containing the following:
• Executive Summary of detected vulnerabilities and the possible impacts for the business. Real attack vectors describing how your systems can be exploited and the related Business Risks.
• Detailed Technical Report detailing detected vulnerabilities, misconfigurations and associated risks. Detailed recommendations for Vulnerability Patching.
• Mitigation Plan Report outlining a step-by-step action plan with detailed mitigation activities for each detected issue.
• Security Guidelines for General System Configuration.
SAP Specific Penetration Testing
We conduct penetration tests which are looking for SAP specific weaknesses and areas of greatest vulnerability, including:
• Exposure of SAP Routers, (and sending payloads through them).
• Attacking SOAP RFC connections.
• Attacking the SAP Management Console (accessing both ABAP and Java processes).
• Attacking Netweaver SMB relay (thus facilitate escalation of privileges to that of the OS user).
• Brute-forcing the SAP Web UI logon.
• Exposure of SAP Internet Communication Framework (ICF) components and services.
To view some recent examples of SAP penetration tests we have carried out, please contact us for sanitised output from SAP specific penetration tests.
Contact Us:
For an informal conversation to discuss your SAP cyber concerns, or
to arrange an on-site no obligation meeting, please contact us at:
enquiries@soteriacyber.com
www.soteriacyber.com
Soteria Cyber Security
Wyche Innovation Centre
Walwyn Road
Malvern
Herefordshire. WR13 6PL