Executive Briefing ERP Cyber Security - 1DigitalTrust


Page 1: Executive Briefing ERP Cyber security - 1DigitalTrust

EXECUTIVE BRIEFING

ERP CYBER SECURITY 2021/Q1

Troels Lindgaard, 1DigitalTrust

Frederik Weidemann, Onapsis Inc.

January 27th 2021

28 January 2021 Executive Briefing: ERP Cyber Security 2021

Page 2: AGENDA

1. Perspectives on SAP cyber security

2. Evolution of mission critical application cyber attacks

3. Newest threats to SAP Systems

4. How to prevent SAP security breaches

Page 3: RISK OF DYING IN AN AIRPLANE?

1:29 million (for EU & US airlines)

Source statistic: Statisticsbrain.com, The Economist via https://www.sueddeutsche.de/panorama/germanwings-flug-4u9525-ein-toedlicher-blitzschlag-ist-wahrscheinlicher-1.2409131

Photo by Nathan Hobbs on Unsplash

Page 4: RISK OF DYING IN A CAR ACCIDENT

1:8303 (USA 2018)

1:27255 (Germany 2019)

Sources statistics: US https://www.iii.org/fact-statistic/facts-statistics-mortality-risk ; GER https://www.adac.de/news/bilanz-verkehrstote/

Photo by Clark Van Der Beken on Unsplash

Page 5: RISK OF ERP DATA BREACHES

1:2

Source: IDC Survey – ERP Security: The Reality of Business Critical Application Protection

Page 6: RISK OF BREACHES

It’s not a question of if you’ll be breached, but when it will happen …

Page 7: ERP BREACHES ARE NOT HAPPENING?

51%

Source: IDC Survey – ERP Security: The Reality of Business Critical Application Protection

Page 8: BUSINESS RISKS – DATA INTEGRITY – LOSS OF AUDIT TRAIL AND DATA RELIABILITY

Source: IDC Survey – ERP Security: The Reality of Business Critical Application Protection

Page 9: WORLD ECONOMIC FORUM THE GLOBAL RISKS REPORT 2020

Source: http://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf – World Economic Forum Global Risks Perception Survey 2019–2020

Page 10: EVOLUTION OF MISSION-CRITICAL APPLICATION CYBERATTACKS

Timeline 2012–2020 (events in slide order):

HACKTIVIST GROUPS: 1st public exploit targeting SAP applications (2012)

CYBERCRIMINALS CREATING MALWARE: SAP targeted malware discovered

PUBLIC EXPLOIT: Chinese hacker exploits SAP NetWeaver

NATION-STATE SPONSORED: Chinese breach of USIS targeted SAP

1ST DHS US-CERT ALERT for SAP Business Applications

INCREASED INTEREST ON DARK WEB

Onapsis helps Oracle secure critical vulnerability in EBS

2ND DHS US-CERT ALERT for SAP Business Applications

3RD DHS US-CERT ALERT for SAP 10KBLAZE Vulnerability

PAYDAY Oracle Vulnerabilities

EXPLOIT TOOLKIT SAP RFCpwn

BigDebIT Oracle Vulnerabilities

4th DHS US-CERT ALERT for SAP RECON Vulnerability

Legend: DHS US-CERT ALERT; ONAPSIS THREAT INTEL

Page 11: INTERNET EXPOSURE RECON JULY 2020

Continent       Total   Percentage
Africa             20       0.80%
Asia              605      24.09%
Europe            598      23.82%
Middle East       146       5.81%
North America     836      33.29%
Oceania            69       2.75%
South America     231       9.20%
Not Specified       6       0.24%
Total            2511     100.00%

Page 12: (image only)

Page 13: SAP NETWEAVER™ IN FOCUS OF ZERODIUM

Zerodium is actively searching for SAP NetWeaver exploits

Source: https://zerodium.com, 26.10.2020

Page 14: CHALLENGE | BLACK HAT USA 2020 EXPLOITATION DEMONSTRATION OF SOLUTIONMANAGER

1. Exploitation of EEM

2. Exploitation of SMDagent

3. Lateral movement with SAP Control escalating to root privileges on entire SAP landscape

Remark: A public exploit for 1. (CVE-2020-6207) has been released on 14.01.2021

Page 15: EXPLOITATION DEMONSTRATION OF SOLUTIONMANAGER

Example | Black Hat USA 2020: P. Artuso & Y. Genuer (Onapsis)

Page 16: EXPLOITATION DEMONSTRATION OF SOLUTIONMANAGER

Example | Black Hat USA 2020: P. Artuso & Y. Genuer (Onapsis)

Page 17: EXPLOITATION DEMONSTRATION OF SOLUTIONMANAGER

RESULT: Root on SAP landscape; SAP_ALL in all systems

Example | Black Hat USA 2020: P. Artuso & Y. Genuer (Onapsis)

Page 18: (image only)

Page 19: BLACK HAT USA 2020: “AN UNAUTHENTICATED JOURNEY TO ROOT”

Related SAP OSS Notes

• Patch 2902645 https://launchpad.support.sap.com/#/notes/2902645

• Patch 2902456 https://launchpad.support.sap.com/#/notes/2902456

• Patch 2890213 https://launchpad.support.sap.com/#/notes/2890213

• Patch 2808158 https://launchpad.support.sap.com/#/notes/2808158

• Patch 2823733 https://launchpad.support.sap.com/#/notes/2823733

• Patch 2839864 https://launchpad.support.sap.com/#/notes/2839864

• Patch 2849096 https://launchpad.support.sap.com/#/notes/2849096

• Patch 2772266 https://launchpad.support.sap.com/#/notes/2772266

• Patch 2738791 https://launchpad.support.sap.com/#/notes/2738791

• Patch 2748699 https://launchpad.support.sap.com/#/notes/2748699

• Patch 2845377 https://launchpad.support.sap.com/#/notes/2845377

• Patch 2904933 https://launchpad.support.sap.com/#/notes/2904933

Page 20: CHALLENGE | SAP® PATCH MANAGEMENT

Chart: SAP security notes per year, 2009–2020 (y-axis 0–900). Series: Correction with low priority; Correction with medium priority; Correction with high priority; HotNews. Annotations on the chart: Change of SAP’s patching policy; 24 month rule.

Source: https://support.sap.com/securitynotes – aggregated extract from Jan 2021

Change of SAP’s patching strategy: Security notes are delivered with SPs depending on their priority level.

There are HotNews every year.

Change of SAP’s security strategy in 2009, e.g. static code analysis usage in ERP standard using CodeProfiler.

Page 21: BUSINESS CASE FOR ERP CYBER SECURITY PROTECTION

BUSINESS CASE – AVOID PROFIT LOSS

• Example: Cost for ERP Cyber security protection is 0,5-1% of the profit loss*

BUSINESS CASE – AVOID SHARE PRICE DECLINE

• Example: Cost for ERP Cyber security protection is 0,01-0,02% of the loss in market value**

BUSINESS CASE – AVOID EMERGENCY AND CLEAN UP COSTS

• Example: Cost for ERP Cyber security protection is 0,5-2% of the emergency and clean up costs***

* Based on the reported profit loss from Maersk, Demant and ISS, compared with the average yearly cost for an ERP Cyber security protection program.

** Based on the share price loss of Maersk, Demant and ISS from the moment the attack became public until the share price decline ended, compared with the average yearly cost for an ERP Cyber security protection program.

*** Based on the reported emergency and clean up costs from Maersk, Demant and ISS, compared with the average yearly cost for an ERP Cyber security protection program.

Page 22: BUSINESS CASE – NO DOWNTIME

• Cost for an ERP Cyber security system is 1-5 hours of downtime for 2/3 of companies

Source: IDC Survey – ERP Security: The Reality of Business Critical Application Protection

Page 23: BEST PRACTICES FOR 2021

1. Understand the technology you’re using

2. Measure your security maturity level across your environment

3. Set up a centralized security measurement control, e.g. build a SAP security dashboard

4. Automate your security checks to avoid faulty settings

Page 24: THE ONAPSIS PLATFORM | MOST COMPREHENSIVE SOLUTION FOR PROTECTING YOUR MISSION-CRITICAL APPLICATIONS

MISSION-CRITICAL APPLICATIONS: ERP Assets, SaaS Assets

CUSTOMER RELATIONSHIP | PRODUCT LIFECYCLE | HUMAN CAPITAL | SUPPLY CHAIN | SUPPLIER RELATIONSHIP | BUSINESS INTELLIGENCE

Page 25: THE ONAPSIS PLATFORM – DASHBOARD

Page 26: THE ONAPSIS PLATFORM – CODE SCANNING

Page 27: THE ONAPSIS PLATFORM – EXAMPLE: SPLUNK INTEGRATION

Page 28: SAP RISK, SECURITY AND COMPLIANCE

Basic security: ❖ Risk catalogue ❖ Logging / SIEM ❖ Cyber security ❖ System settings ❖ Coding ❖ Integrations ❖ Change Management (Transports) ❖ Standard authorization concept

Compliance and Fraud prevention: ❖ SoD authorization concept ❖ Built in controls in SAP ❖ Control catalogue ❖ Control descriptions ❖ Control user guides ❖ Governance

GDPR: ❖ Deletion ❖ Subject access reporting ❖ Authorizations

License: ❖ Risk mitigation, review, optimization, clean up

Page 29: 1DIGITALTRUST APPROACH FOR RISK AND COMPLIANCE IN SAP

Each phase covers: ❖ Basic security ❖ Compliance & fraud prevention ❖ GDPR ❖ Licenses

1 RISK ASSESSMENT – Agree on business case potentials and risk scenarios?

2 IMPLEMENTATION – Business case and risk scenarios verified?

3 GOVERNANCE AND CONTINUOUS MONITORING – Business case realization and risk mitigation

Page 30: BUSINESS RISK ILLUSTRATION

Ensuring application availability, streamlining audit processes and protecting the business from risk are essential.

OPERATIONAL RESILIENCY ASSESSMENT: Prevent application downtime and costly business disruption

AUDIT EFFICIENCY ASSESSMENT: Eliminate resource consuming manual audit processes

CYBER RISK ASSESSMENT: Reduce vulnerabilities and misconfiguration to protect the business

Page 31: CALL TO ACTION NOW: ARE YOUR ERP SYSTEMS SECURE?

• Get a risk assessment of your SAP system – Business Risk Illustration (BRI)

• Executive Overview

• Do you have known risks?

• Next steps

Rules of engagement

• Senior level commitment

• Technical verification of findings (are controls already in place?)

• Discuss outcome (risk to the business) and next steps

Onapsis is the leading ERP Cyber security vendor for SAP and Oracle.

1DigitalTrust is a SAP Cyber security, compliance and data privacy consultancy in the Nordics.

Page 32: CONTACT US & NEXT STEPS

Troels Lindgård
E: [email protected]
M: +45 5363 5787
1DigitalTrust, www.1digitaltrust.com
Contact for demo, business case building or other questions.

Frederik Weidemann
E: [email protected]
M: +49 151 18215 211
Onapsis, https://www.onapsis.com/
Contact for technical questions.

Page 33: APPENDIX

Page 34: OUR BELIEFS

Our overall belief is that Digital Trust is good for business: trust creates loyalty, both for our clients and their customers.

SUSTAINABILITY

We have a responsibility when doing business. As a new company we must live out the UN Sustainable Development Goals (SDG), with a special focus on climate. As an example, we plant 1 tree for every billable hour (#1Hour1Tree).

We have therefore planted our first forest, 1DigitalTrust Forest, a forest with over 8.000 trees next to Gudenaaen in Jutland, Denmark.

Page 35: 1DIGITALTRUST SERVICES

SAP License Management: SAP S/4 License conversions; SAP Contract Review; SAP License reviews; SAP License optimizations; SAP Indirect use analysis and optimizations

SAP Customer Data Cloud: CIAM (Customer Identity & Access Management); SAP Customer Data Cloud Implementation; SAP Customer Identity; SAP Customer Consent; SAP Customer Profile; B2B; In a box solution (CDC in a box); Consent management

Data Ethics

SAP Cyber security: Coding; Integration; Transport; System settings

SAP Compliance: Access & Identity Management; SAP Authorization Management; Segregation of duties; Secure Logging; GDPR Management Consulting; GDPR Project Management; GDPR Compliance Assessment; GDPR in SAP – Data Analysis & Deletion; ILM accelerator for GDPR compliance

Partners

Page 36: THE ONAPSIS PLATFORM

ASSESS – Find & Remediate Security Risks

• SAP and Oracle EBS system misconfigurations, patches, vulnerabilities, authorizations

• Deployed SAP custom code for security and quality errors

• SAP system interfaces and communications

CONTROL – Manage Change; Avoid Disruption

• Identify security and quality errors in SAP custom code

• Lock and block SAP configuration changes

• Identify and block SAP transports with security issues and errors

COMPLY – Automate Audit Processes

• Evaluate compliance impact of SAP system vulnerabilities, misconfigurations, patches, authorizations, deployed code

• Out-of-the-box & custom policies

• Evaluate and verify IT controls

DEFEND – Continuous Threat Monitoring

• Near real-time attack alerts

• Monitor for SAP exploits, threats, user activity / transactions, privilege misuse

• Alert for changes to SAP system interfaces, bad transports

MANAGEMENT FUNCTIONALITY: Asset Discovery; Reporting & Analysis; Scheduling & Workflows; Users & Role Management; Ticketing/SOC Integration

Integrations with workflow services

Integrations with change management and development environments: SAP ChaRM, TMS, HANA Studio, Eclipse, Web IDE, ABAP development workbench

Integrations with SIEMs