implementing sap security in 5 steps
TRANSCRIPT
Invest in security to secure investments
Implementing SAP security in 5 steps
Alexander Polyakov, CTO, ERPScan
About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgments from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
Large enterprise sectors
• Oil & Gas
• Manufacturing
• Logistics
• Finance
• Nuclear Power
• Retail
• Telecommunication
• etc.
Business applications
• The role of business applications in a typical work environment
• The need to control them to optimize business processes
• Scope for enormous reduction in resource overheads and other direct monetary impact
• Potential problems that one can't overlook
• The need to reflect on security aspects: is it overstated?
• Why is it a REAL and existent risk?
What can the implications be?
• Espionage
  – Theft of financial information
  – Corporate secret and information theft
  – Supplier and customer list theft
  – HR data theft
• Sabotage
  – Denial of service
  – Tampering of financial records and accounting data
  – Access to technology network (SCADA) by trust relations
• Fraud
  – False transactions
  – Modification of master data
SAP
• The most popular business application
• More than 263000 customers worldwide
• 83% of Forbes 500 companies run SAP
• Main system: ERP
• Main platforms
  ‒ SAP NetWeaver ABAP
  ‒ SAP NetWeaver J2EE
  ‒ SAP BusinessObjects
  ‒ SAP HANA
  ‒ SAP Mobile Platform (SUP)
SAP security
• Complexity: complexity kills security. Many different vulnerabilities at all levels, from network to application
• Customization: cannot be installed out of the box. A lot of (up to 50%) custom code and business logic
• Risky: rarely updated because administrators are scared of crashes and downtime
• Unknown: mostly available inside the company (closed world)
http://erpscan.com/wp-content/uploads/pres/Forgotten%20World%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf
Securing SAP
• Have budget: find people and tools
• Don't have budget: try to show the business how critical it is
Ask 3rd parties for
• Whitepapers
• Webinars from experts
• SaaS scanning of external-facing systems
• SAP penetration testing
• Deep SAP security assessment
Pentest
Pentest: anonymous scan for SAP vulnerabilities and ways to exploit them
• Analysis of exposed services (more than 20 possible)
• BlackBox analysis of installed applications and vulnerabilities
• Exploitation of found vulnerabilities
• Privilege escalation
• Presentation report for management
✓ Pentest can be a starting point for an SAP security project
✓ Pentest can also be a final test after implementation
Analysis of running services
• Scan an external company network for SAP services
• Scan internal SAP systems from the user or guest network
• Scan internal SAP systems from the admin network
Remotely exposed services
[Bar chart, not reproduced: number of exposed services in 2011 vs 2013 (scale 0 to 35) for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server and SAP Router]
Internal access
• Only these services should be open for user access:
  – Dispatcher or Message Server
  – Gateway (for some users)
  – ICM (for some users, if used)
Pentest JAVA
Examples of vulnerabilities:
• Auth bypass in CTC
• Anonymous user creation
• Anonymous file read
• Information disclosure
• Unauthorized access to KM documents
Pentest ABAP
Examples of vulnerabilities:
• Reginfo/Secinfo bypass
• Oracle database access bypass
• Buffer overflows
• Information disclosure about files in MMC
• Unauthorized access to log files
• Injection of OS commands in SAPHostControl
• Dangerous web services
• Information disclosure of parameters in Message Server HTTP
Full SAP security assessment
• BlackBox vulnerability scan
• Penetration testing
• WhiteBox configuration scan
  ‒ Configuration analysis
  ‒ Access control checks
  ‒ SAP Security Notes analysis
  ‒ Password complexity checks (bruteforce)
Configuration analysis
• Authentication (password policies, SSO, users by different criteria)
• Access control (access to different web services, tables, transactions, insecure test services, unnecessary transactions and web applications)
• Encryption (SSL and SNC encryption)
• Monitoring (security audit log, system log and others)
• Insecure configuration (all other security checks for particular services: Gateway, Message Server, ITS, SAPGUI, Web Dispatcher, MMC, Host Control, Portal)
Access control
• Users with critical profiles
• Users with critical roles
• Users with access to critical tables
• Users with access to transport
• Users with access to development
• Users with access to user administration
• Users with access to system administration
• Users with access to HR functions
• Users with access to CRM functions
• … Specific access control checks for industry solutions
Vulnerability scan
• Check for latest component versions
• Check for missing SAP Security Notes
• Correlate patches with SAP Security Notes
• Exploit vulnerabilities to check if they really exist
• Risk management
Compliance
First of all, choose the one you want
• Technical
  ‒ EAS-SEC
  ‒ SAP NetWeaver ABAP Security Configuration
  ‒ ISACA (ITAF)
  ‒ DSAG
• Industry
  ‒ PCI DSS
  ‒ NERC CIP
3 areas of Business Application Security
• Business logic security (SoD): prevents attacks or mistakes made by insiders
• Custom code security: prevents attacks or mistakes made by developers
• Application platform security: prevents unauthorized access both by insiders and remote attackers
Security guidelines
• For web, we have OWASP, WASC
• For network and OS, we have NIST, SANS
• But what about Enterprise Business Applications?
Why? (1)
• Questions like "why?" and "what for?" are the alpha and omega of every research effort
• The most frequent question we were asked:
"Guys, you are awesome! You are doing a great job so far, finding so many problems in our installations. It's absolutely fantastic, but we don't know where to start solving them. Could you provide us with top 10/20/50/100/[your favorite number] most critical bugs in every area?"
Why? (2)
• We had to do something completely different from just a Top 10 of the most critical bugs
• Even if you patch all vulnerabilities, lots of problems could still remain: access control, configuration, logs
• The number one challenge is to understand all security areas of EAS and to have the opportunity to select the several most critical issues for every area
Why? (3)
• We started to analyze the existing guidelines and standards
  – High level policies: NIST, SOX, ISO, PCI DSS
  – Technical guides: OWASP, WASC, SANS 25, CWE
  – SAP guides:
    o Configuration of SAP NetWeaver® Application Server Using ABAP by SAP
    o ISACA Assurance (ITAF) by ISACA
    o DSAG by German SAP User Group
• Those standards are great, but, unfortunately, all of them have at least one big disadvantage
SAP security guidelines
• Guidelines made by SAP
• First official SAP guide for technical security of the ABAP stack
• Secure Configuration of SAP NetWeaver® Application Server Using ABAP
• First version in 2010, version 1.2 in 2012
SAP security guidelines
• For rapid assessment of the most common technical platform misconfigurations
• Consists of 9 areas and 82 checks
• Ideal as a second step, gives more details for some standard EAS-SEC areas
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true
SAP security guidelines
• Advantages:
  – Very brief but quite comprehensive (only 9 pages)
  – Covers application platform issues
  – Applicable to every ABAP-based platform (ERP, Solution Manager or HR)
• Disadvantages:
  – 82 checks is still a lot for a first brief look at secure configuration
  – Doesn't cover access control issues and logging, and misses some things even in platform security
  – Gives people a false sense of security once they cover all checks, which wouldn't be completely justified
ISACA Assurance (ITAF)
• Guidelines made by ISACA
• Checks cover configuration and access control areas
• The first and most complete compliance guideline
• There were 3 versions published in 2002, 2006, 2009 (some areas are outdated now)
ISACA Assurance (ITAF)
• Technical part covers incomplete access control info and misses some critical areas
• The biggest advantage is the big database of access control checks
• Consists of 4 parts and more than 160 checks
• Ideal as a third-step guide and very useful for its detailed coverage of access control
ISACA Assurance (ITAF)
• Advantages:
  – Detailed coverage of access control checks
• Disadvantages:
  – Outdated
  – Technical part is missing
  – Too many checks, can't be easily used by a non-SAP specialist
  – Can't be applied to any system without prior understanding of the business processes
  – Is officially available only as part of the book, or you should be at least an ISACA member to get it
DSAG
• Set of recommendations from the Deutsche SAP User Group (DSAG)
• Checks cover all security areas, from technical configuration and source code to access control and management procedures
• Currently the biggest guideline about SAP security
DSAG
• Last version in Jan 2011
• Consists of 8 areas and 200+ checks
• Ideal as a final step for securing SAP, but consists of many checks which need additional decision making (highly depends on the installation)
http://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf
DSAG
• Advantages:
  – Ideal as a final step for securing SAP
  – Great for SAP security administrators, covers almost all areas
• Disadvantages:
  – Same as ISACA: too big for a starter, and no help at all for security people who are not familiar with SAP
  – Can't be directly applied to every system without prior understanding of business processes. Many checks are recommendations, and the users should think for themselves whether they are applicable in each case
EAS-SEC
• The authors' efforts were:
  – to make this list as brief as possible
  – to cover the most critical threats for each area
  – to make it easily usable not only by SAP/ERP security experts but by every security specialist
  – to provide comprehensive coverage of all critical SAP security areas
• At the same time, developing the most complete guide would be a never-ending story
• So we implemented the 80/20 rule for SAP security
EAS-SEC
• Developed by ERPScan
• First release 2010
• Second edition 2013 (http://eas-sec.org)
• 3 main areas
  – Implementation assessment
  – Code review
  – Awareness
• Rapid assessment of Business Application security
EASSEC Implementation Assessment

EASSEC-PVAG                                  Access         Criticality   Easy to exploit   % of vulnerable systems
1. Lack of patch management                  Anonymous      High          High              99%
2. Default passwords for application access  Anonymous      High          High              95%
3. Unnecessary enabled functionality         Anonymous      High          High              90%
4. Open remote management interfaces         Anonymous      High          Medium            90%
5. Insecure configuration                    Anonymous      Medium        Medium            90%
6. Unencrypted communication                 Anonymous      Medium        Medium            80%
7. Access control and SOD                    User           High          Medium            99%
8. Insecure trust relations                  User           High          Medium            80%
9. Logging and monitoring                    Administrator  High          Medium            98%
EAS-SEC for SAP NetWeaver ABAP
• Enterprise Application Systems Application Implementation for NetWeaver ABAP
  – Developed by ERPScan: first standard in the EAS-SEC series
  – Published in 2013: http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/
  – Rapid assessment of SAP security in 9 areas
  – Contains the 33 most critical checks
  – Ideal as a first step
  – Also contains information for next steps
  – Categorized by priority and criticality
EAS-SEC for NetWeaver (EASSEC-PVAG-ABAP)
• Enterprise Application Systems Vulnerability Assessment for NetWeaver ABAP: first standard in the EAS-SEC series (same scope as on the previous slide: 9 areas, the 33 most critical checks, ideal as a first step, categorized by priority and criticality)
Lack of patch management
• [EASAI-NA-01] Component updates
• [EASAI-NA-02] Kernel updated
What's next: other components should be updated separately: SAProuter, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects. Also, OS and database
Default passwords
• [EASAI-NA-03] Default password check for user SAP*
• [EASAI-NA-04] Default password check for user DDIC
• [EASAI-NA-05] Default password check for user SAPCPIC
• [EASAI-NA-06] Default password check for user MSADM
• [EASAI-NA-07] Default password check for user EARLYWATCH
What's next: a couple of additional SAP components, like old versions of SAP SDM and SAP ITS, have default passwords. After you check all default passwords, you can start bruteforcing for simple passwords
Unnecessary enabled functionality
• [EASAI-NA-08] Access to RFC functions using SOAP interface
• [EASAI-NA-09] Access to RFC functions using FORM interface
• [EASAI-NA-10] Access to XI service using SOAP interface
What's next: analyze about 1500 other services which are remotely enabled to see if they are really needed. Disable unused transactions, programs and reports
Open remote management interfaces
• [EASAI-NA-11] Unauthorized access to SAPControl service
• [EASAI-NA-12] Unauthorized access to SAPHostControl service
• [EASAI-NA-13] Unauthorized access to Message Server service
• [EASAI-NA-14] Unauthorized access to Oracle database
What's next: the full list of SAP services is available in "TCP/IP Ports Used by SAP Applications". Also, take care of 3rd party services which can be enabled on this server
Insecure configuration
• [EASAI-NA-15] Minimum password length
• [EASAI-NA-16] User locking policy
• [EASAI-NA-17] Password compliance to current standards
• [EASAI-NA-18] Access control to RFC (reginfo.dat)
• [EASAI-NA-19] Access control to RFC (secinfo.dat)
What's next: first of all, look at Secure Configuration of SAP NetWeaver® Application Server Using ABAP for detailed configuration checks. Afterwards, pass through the detailed documents for each and every SAP service and module: http://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
Access control and SoD conflicts
• [EASAI-NA-20] Users with SAP_ALL profile
• [EASAI-NA-21] Users which can run any program
• [EASAI-NA-22] Users which can modify critical table USR02
• [EASAI-NA-23] Users which can execute any OS command
• [EASAI-NA-24] Disabled authorization checks
What's next: there are at least 100 critical transactions in BASIS alone and approximately the same number in any other module. Detailed information can be found in the ISACA guidelines. After that, you can start Segregation of Duties
Unencrypted connections
• [EASAI-NA-25] Use of SSL for securing HTTP connections
• [EASAI-NA-26] Use of SNC for securing SAP GUI connections
• [EASAI-NA-27] Use of SNC for securing RFC connections
What's next: even if you use encryption, check how it is configured for every encryption type and for every service, because there are different complex configurations for each encryption type. For example, the latest attacks on SSL (BEAST and CRIME) require companies to use more complex SSL configurations
Insecure trusted connections
• [EASAI-NA-28] RFC connections with stored authentication data
• [EASAI-NA-29] Trusted systems with lower security
What's next: check other ways to get access to trusted systems, such as database links, use of the same OS user, or use of similar passwords for different systems
Logging and monitoring
• [EASAI-NA-30] Logging of security events
• [EASAI-NA-31] Logging of HTTP requests
• [EASAI-NA-32] Logging of table changes
• [EASAI-NA-33] Logging of access to Gateway
What's next: there are about 30 different types of log files in SAP. After properly enabling the main ones, you should configure the complex options, such as which specific tables to monitor for changes, what kind of events to analyze in the security audit log, and what types of Gateway attacks should be collected. The next step is to enable their centralized collection and storage and then add other log events
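The password-policy checks (EASAI-NA-15 to 17) and the logging checks (EASAI-NA-30 to 33) above are questions about instance profile parameters, so here is an added example (not ERPScan's scanner and not code from the talk): a small Python checker that parses a constructed profile excerpt and evaluates those checks. The parameter names are real SAP profile parameters; the mapping of each parameter to a check id, the pass thresholds and the assumed defaults are this example's assumptions.

```python
# Profile-parameter checks for the password-policy and logging items above
# (added example, not ERPScan's scanner). Parameter names are real SAP profile
# parameters; the thresholds and assumed defaults are this example's choices.

# Constructed excerpt of an instance profile ('name = value', '#' starts a comment).
PROFILE = """\
# constructed sample profile
login/min_password_lng = 6
login/fails_to_user_lock = 0
login/password_compliance_to_current_policy = 0
rsau/enable = 1
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=http_access.log
rec/client = OFF
"""

# (check id from the slides, parameter, predicate on the raw value,
#  assumed default when the parameter is absent, meaning of a failure)
CHECKS = [
    ("EASAI-NA-15", "login/min_password_lng", lambda v: int(v) >= 8, "6",
     "minimum password length below 8"),
    ("EASAI-NA-16", "login/fails_to_user_lock", lambda v: 1 <= int(v) <= 5, "5",
     "user locking disabled or threshold too high"),
    ("EASAI-NA-17", "login/password_compliance_to_current_policy", lambda v: v == "1", "0",
     "old passwords not forced to comply with the current policy"),
    ("EASAI-NA-30", "rsau/enable", lambda v: v == "1", "0",
     "security audit log disabled"),
    ("EASAI-NA-31", "icm/HTTP/logging_0", lambda v: "LOGFILE=" in v, "",
     "ICM HTTP request logging not configured"),
    ("EASAI-NA-32", "rec/client", lambda v: v.upper() != "OFF", "OFF",
     "table change logging disabled"),
    ("EASAI-NA-33", "gw/logging", lambda v: "LOGFILE=" in v, "",
     "gateway logging not configured"),
]

def parse_profile(text):
    """Parse 'name = value' lines; comments and blank lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def evaluate(params):
    """Run every check: {check id: (value used, passed)}."""
    results = {}
    for cid, name, ok, default, _ in CHECKS:
        value = params.get(name, default)
        try:
            results[cid] = (value, bool(ok(value)))
        except ValueError:  # non-numeric value where a number is expected
            results[cid] = (value, False)
    return results

def failed(params):
    """Failed check ids in slide order, each with the reason text."""
    results = evaluate(params)
    return [(cid, why) for cid, _, _, _, why in CHECKS if not results[cid][1]]

if __name__ == "__main__":
    for cid, why in failed(parse_profile(PROFILE)):
        print(cid, "FAIL:", why)
```

Absent parameters are evaluated at their assumed default, which is how an unset rec/client or gw/logging shows up as a failure rather than being silently skipped.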
Awareness
• SAP Security in Figures 2011
• SAP Security in Figures 2013
• 3000 vulnerabilities in SAP
• SAP Security in Figures 2014 (coming soon)
Internal security
• Simple steps and statistics
• Critical access
• Segregation of Duties
• Optimization and maintenance
Simple steps
• Analyze statistics
  – Number of users in a role
    o 0: role is not used
    o >100: divide into different roles, check for critical authorizations
  – Number of authorizations in a role
  – Number of authorization objects in a role
Critical access
• There are different areas: HR, Basis, Fixed Assets, Material Management
• Each of those roles has a list of critical transactions and authorizations (available in the ISACA guidelines)
• First of all, decrease the number of critical roles
• For example, users who can only modify the table USR02 can do everything they want!
Critical access optimization
• Obtain the list of roles with critical access to particular transactions
• Minimize roles
• Obtain the list of users with critical access to particular transactions
• Sort them by type/locking status/etc.
• Exclude administrators and superusers (and minimize them)
• Minimize users
SoD analysis
• Use default templates or customize them
• Obtain the list of business roles in a company
• Obtain the list of actions in a particular role
• Assign transactions and authorization objects to actions
• Create or modify the matrix (add risk values)
Analyzing SoD results
• Result:
  – List of users with critical conflicts
  – List of roles with critical conflicts
• Solving:
  – Obtain roles with the maximum number of segregations
  – Optimize them
  – Obtain users with the maximum number of segregations
  – Optimize them
Optimization
• You will get thousands of conflicts the first time
• How to solve them quickly:
  – Exclude all administrators (SAP_ALL)
  – Look at HOW exactly rights are assigned (all * values should be excluded)
  – Look at the history of executed transactions
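The SoD analysis, result ranking and optimization steps of the last three slides, as an added Python example on constructed data (not ERPScan's tooling and not code from the talk): a small conflict matrix with risk values, roles mapped to transactions, users mapped to roles and profiles, then ranking of roles and users by number of conflicts with SAP_ALL administrators excluded and '*' wildcard roles flagged. The role, user and action names are assumptions; the transaction codes are standard SAP ones used only for illustration.

```python
# SoD analysis on constructed data (added example, not from the original slides).
# Only SAP_ALL and the '*' wildcard rule come from the talk; everything else is assumed.

# Conflict matrix: pairs of business actions one person must not hold, with a risk value.
SOD_MATRIX = {
    frozenset({"create_vendor", "pay_vendor"}): 9,
    frozenset({"change_salary", "run_payroll"}): 8,
    frozenset({"maintain_users", "assign_roles"}): 7,
}
# Action -> transactions implementing it (standard SAP tcodes, illustrative only).
ACTIONS = {
    "create_vendor": {"XK01"}, "pay_vendor": {"F110"},
    "change_salary": {"PA30"}, "run_payroll": {"PC00_M99_CALC"},
    "maintain_users": {"SU01"}, "assign_roles": {"PFCG"},
}
# Constructed roles: transactions granted via S_TCODE; "*" is the wildcard value.
ROLES = {
    "Z_AP_CLERK": {"XK01", "F110"},
    "Z_HR_ADMIN": {"PA30"},
    "Z_PAYROLL": {"PC00_M99_CALC"},
    "Z_BASIS_ALL": {"*"},
    "Z_USER_ADMIN": {"SU01", "PFCG"},
}
# Constructed users: assigned roles plus profiles (SAP_ALL marks an administrator).
USERS = {
    "JDOE": {"roles": {"Z_AP_CLERK"}, "profiles": set()},
    "HRMGR": {"roles": {"Z_HR_ADMIN", "Z_PAYROLL"}, "profiles": set()},
    "BASIS1": {"roles": {"Z_BASIS_ALL"}, "profiles": {"SAP_ALL"}},
    "CLERK2": {"roles": {"Z_USER_ADMIN"}, "profiles": set()},
}

def actions_of(tcodes):
    """Business actions enabled by a set of transactions ('*' enables all)."""
    if "*" in tcodes:
        return set(ACTIONS)
    return {act for act, tc in ACTIONS.items() if tc & tcodes}

def conflicts(actions):
    """SoD pairs (with their risk) fully contained in a set of actions."""
    return {pair: risk for pair, risk in SOD_MATRIX.items() if pair <= actions}

def role_conflicts():
    """Roles ranked by number of conflicts, worst first: optimize these first."""
    ranked = [(role, conflicts(actions_of(tc))) for role, tc in ROLES.items()]
    return sorted(ranked, key=lambda item: -len(item[1]))

def user_conflicts(exclude_admins=True):
    """Users ranked by conflicts. SAP_ALL holders are skipped by default so the
    first run is not flooded by administrators (minimize those separately)."""
    ranked = []
    for name, user in USERS.items():
        if exclude_admins and "SAP_ALL" in user["profiles"]:
            continue
        tcodes = set().union(*(ROLES[r] for r in user["roles"]))
        ranked.append((name, conflicts(actions_of(tcodes))))
    return sorted(ranked, key=lambda item: -len(item[1]))

def wildcard_roles():
    """Roles carrying a '*' value: fix these before trusting any SoD result."""
    return sorted(role for role, tc in ROLES.items() if "*" in tc)

if __name__ == "__main__":
    for role, found in role_conflicts():
        print(role, len(found), "conflict(s), total risk", sum(found.values()))
    print("wildcard roles:", wildcard_roles())
```

Running it shows why the wildcard rule matters: the single '*' role carries every conflict in the matrix, so it dominates the ranking until it is split, exactly the "thousands of conflicts the first time" effect.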
ABAP
• SAP uses ABAP, JAVA, and XSJS (for HANA)
• ABAP, as any other language, can have vulnerabilities
• It can also be used for writing backdoors
• Development inside the company is almost uncontrolled
• Developer access to the system == god in SAP
Source code review
• EASAD-9 standard from a series of standards designed for Enterprise Application Systems Security Assessment (EAS-SEC)
• Full name:
  – Enterprise Application Systems Application Development
• Describes 9 areas of source code issues for business languages
• Universal categories for different languages and systems (SAP, Oracle, Dynamics, Infor, …)
• Categorized based on criticality and exploitation probability
EASAD – 9 categories
1. Code injections
2. Critical calls
3. Missing authorization checks
4. Path traversal
5. Modification of displayed content
6. Backdoors
7. Covert channels
8. Information disclosure
9. Obsolete statements
Attacks
• It is very hard to make everything secure, so you need additional monitoring
• ACFE published a report about 7% revenue losses from fraud in the USA
• Examples that we saw:
  – Salary modification
  – Material management fraud
  – Mistakes
SAP forensics
• Real attacks exist
• But there is not so much public info
• Companies are not interested in the publication of compromise
• But the main problem is here:
  – How can you be sure there was no compromise?
  – Only 10% of systems have Security Audit Log enabled
  – Only a few of them analyze those logs
  – And much fewer do central storage and correlation
Log statistics
• Web access 70%
• Security audit log 10%
• Table logging 4%
• Message Server 2%
• SAP Gateway 2%
Log types
• SAP Web Dispatcher – Security log
• SAP Web Dispatcher – HTTP log
• SAProuter log
• SAP Gateway log
• SAP Message Server log
• SAP Message Server HTTP log
• SAP security audit log
• ABAP user changes log
• ABAP table changes log
• ABAP document changes log
• Trace files
SAP Security Logs

Name                               Default    Central storage
SAP Web Dispatcher – Security log  Enabled    No
SAP Web Dispatcher – HTTP log      Disabled   No
SAProuter log                      Disabled   No
SAP Gateway log                    Disabled   No
SAP Message Server log             Disabled   No
SAP Message Server HTTP log        Disabled   No
SAP security audit log             Disabled   CCMS?
ABAP user changes log              Enabled    No
ABAP table changes log             Disabled   No
ABAP document changes log          Disabled   No
Trace files                        Disabled   No
Developer trace                    Enabled    No
• EAS-SEC: resource which combines
  – Guidelines for assessing enterprise application security
  – Guidelines for assessing custom code
  – Surveys about enterprise application security
Defense