Motivation - SAP Cyber Security Solutions


Motivation. The Business Case for the SAP Cybersecurity Framework

Current state (diagram). Boxes: CISO / Enterprise Security; SAP Security; IT Operations / SAP BASIS (patching SAP systems, monitoring SAP systems); CIO. Labels on the gaps between them: lack of segregation of duties, slipped through the cracks, lack of visibility, poor integration, complexity.

Future state (diagram). Boxes:
- CISO / Enterprise Security: Vulnerability Management, Asset Management, Risk Management, Secure Development
- SAP BASIS: Patching SAP systems, Incident Response, Mitigation, Improvements
- SAP Security: Segregation of Duties, Data Security, Secure Architecture, Secure ... (label truncated in the source)
- IT Operations: Monitoring SAP systems, Threat Detection, User Behavior, Data Leakage
Other stakeholders shown: CIO, CRO.

History. Sources: EAS-SEC; Gartner, "Designing an Adaptive Security Architecture for Protection From Advanced Attacks", https://www.gartner.com/doc/2665515/

SAP Cybersecurity Framework (structure of one entry, using Secure Development as the example)
Category: PREDICT
Process: Secure Development
Purpose: To ensure security during SAP systems development and acquisition.
Outcomes: Security Requirements; Development Standards and Processes; Security Plans
Implementation steps:
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and client stations
2. Create secure development standards and processes
3. Automate secure development processes

Implementation Tiers
- Tier 1: 3-6 months, 50%
- Tier 2: 6-12 months, 80%
- Tier 3: 12 months, 99%

Benefits. The SAP Cybersecurity Framework delivers: Security Program, Security Policies, Security Plans, Process Descriptions, Technical Solutions

PREDICT. Understand the SAP environment

PREDICT processes and their purposes:
- Asset Management: to communicate information about SAP assets, the security category of the assets, rules of acceptable use and protection requirements
- Business Environment: to provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships
- Governance: to develop cybersecurity policies, roles, responsibilities and procedures to ensure SAP cybersecurity is understood and integrated into the organization's operational and management processes
- Vulnerability Management: to provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors
- Risk Management: to make decisions on addressing possible adverse impacts from the operation and use of SAP systems
- Secure Development: to ensure security during SAP systems development and acquisition

Asset Management
Purpose: To communicate information about SAP assets, the security category of the assets, rules of acceptable use and protection requirements
Implementation (outcome in parentheses):
1. Create an inventory of assets (Inventory of Assets)
2. Assess criticality of the assets (Criticality Assessments)
3. Develop a complete specification of the SAP systems (Acceptable Use Requirements)

Asset Management. Inventory of assets (example table; columns as far as they can be recovered: system, description, connections, criticality, responsible, landscape, IP addresses, instance)
- SCM, Supply chain management. Connections: Internal: ERP; Internet: no; ICS: no; Partners: Partner1, Partner2; Mobile: no. Criticality: High. Responsible: John F. K. Landscape: PROD. IP: 10.0.0.1, 10.0.0.2. Instance: 100:PRD SAP SCM 5.0 (NetWeaver AS 7.1 ABAP)
- ERP, Enterprise Resource Planning. Connections: Internal: HR1, HR2; Internet: no; ICS: MES System; Partners: no; Mobile: no. Criticality: Low. Responsible: Mike. Landscape: PROD. IP: 10.0.16.6. Instance: 200:PRD SAP ECC 6.0 (NetWeaver AS 7.3 ABAP)
- CRM, Customer Relationship management. Connections: Internal: ERP; Internet: yes; ICS: no; Partners: no; Mobile: no. Criticality: Very High. Responsible: (not legible in the source). Landscape: PROD. IP: 10.0.34.5. Instance: 210:PRD SAP CRM 6.0 (NetWeaver AS ABAP 7.0)

Business Environment
Purpose: To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships
Implementation (outcome in parentheses):
1. Identify business context (Business Context)
2. Prepare SAP continuity plans (SAP Continuity Plans)
3. Maintain a supplier catalogue (Supplier Catalogue)

Business Environment. Business Impact Analysis (example table)
Columns: Process | Stakeholder | SAP System | Outage Impacts | Estimated Downtime (MTD / RTO / RPO)
- Pay vendor invoice | Joseph R. | ERP | Costs: 5.000 / day; Operations: moderate; Image: moderate | MTD 72 hours / RTO 48 hours / RPO 12 hours (last backup)
- Hire to retire | Dorothy F. | HR | Image: High | MTD 72 hours / RTO 48 hours / RPO 12 hours (last backup)

Governance
Purpose: To develop cybersecurity policies, roles, responsibilities and procedures to ensure SAP cybersecurity is understood and integrated into the organization's operational and management processes
Implementation (outcome in parentheses):
1. Establish an SAP cybersecurity policy (SAP Cybersecurity Policy)
2. Develop SAP security processes (SAP Security Processes)
3. Implement control procedures (Control Procedures)

Governance Structure (diagram)

Vulnerability Management
Purpose: To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors
Implementation:
1. Regularly perform SAP security audits and penetration tests
2. Repeatedly scan SAP systems for vulnerabilities, recommend and track remediations
3. Monitor vulnerabilities, remediations and threats online from public and private sources and threat intelligence feeds
Outcomes: Scan Plans; Scan Profiles; Remediation Plans

Vulnerability Management. Analysis
Constraints and requirements (example):
- Duration: not more than 60 days
- Vulnerability risk level: medium and higher
- Allowed remediation types: no kernel patch
Tasks:
1. Prioritizing vulnerabilities by:
   - ease of exploitation: availability of a public exploit, need for preparation, need for credentials with special rights, etc.;
   - impact of a successful exploitation: full disclosure and OS-level access, or just revealing of technical data;
   - prevalence of the vulnerability in SAP systems;
   - criticality of the SAP systems with the vulnerability.
2. Filtering vulnerabilities.
Outcome: Remediation Plan

Vulnerability Management. Remediation (example plan)

1. SSEA 1000003: External RFC server registration. Risk: High.
   Description: An attacker can use an insecure RFC configuration for registering his own RFC server. As a result he will be able to control and intercept client requests as well as to copy and change information.
   Remediation: To resolve this issue, it is recommended to configure the RFC server correctly.
   Effort level: medium (2d, downtime 4h). Links: RFC/ICF Security Guide.

2. SSCA 00130: SSL encryption for ICM connections. Risk: Medium.
   Description: No encryption of the network connection may lead to interception of transmitted data, and thus to unauthorized access. The HTTP protocol transmits all authentication data as plain text, which allows it to be intercepted easily with a spoofing attack.
   Remediation (update configuration): Set the icm/server_port_NN parameter to PROT=HTTPS instead of PROT=HTTP to decrease the possibility of unauthorized access.
   Effort level: easy (4h, downtime 2h).

3. SSCA 00223: Central application server that maintains the system log. Risk: Medium.
   Description: Incorrect permissions on this file in the operating system can allow an attacker to modify the contents of the file in such a way as to hide his on... (description truncated in the source)
   Remediation (update configuration): The administrator of the operating system must correctly set the access rights to the file according to the principle of least privilege.
   Effort level: easy (4h, downtime 2h). Links: BOOK "Security, Audit and Control Features (SAP ERP 3rd edition)", p. 413, check 4.10.2; DOC rslg/collect_daemon/host - Central Log Host.
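The two slides above describe a filter-then-prioritize procedure: drop findings that the engagement constraints exclude (risk below medium, kernel patches, anything that cannot be finished within the 60-day window), then order the rest by ease of exploitation, impact, prevalence and system criticality, and fill the available time. The following Python is an added example of that procedure and is not code from the deck or from ERPScan. The three check ids and their effort figures are taken from the remediation table above; every other attribute (exploit availability, prevalence, criticality, the scoring weights and the three EXAMPLE-* findings) is constructed for illustration.

```python
"""Remediation-plan builder for SAP vulnerability scan findings (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    check_id: str
    title: str
    risk: str                   # "low" | "medium" | "high" | "critical"
    remediation_type: str       # e.g. "update configuration", "kernel patch", "sap note"
    effort_days: float          # estimated effort including downtime
    public_exploit: bool        # ease: is a public exploit available?
    needs_special_rights: bool  # ease: does exploitation need privileged credentials?
    os_level_access: bool       # impact: OS-level access vs. disclosure of technical data
    prevalence: float           # share of the SAP landscape affected, 0.0 .. 1.0
    system_criticality: int     # criticality of affected systems, 1 (low) .. 4 (very high)


RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def passes_constraints(f, min_risk="medium", forbidden_types=("kernel patch",), max_days=60):
    """Filtering step: keep only findings the constraints allow us to remediate."""
    return (RISK_ORDER[f.risk] >= RISK_ORDER[min_risk]
            and f.remediation_type not in forbidden_types
            and f.effort_days <= max_days)


def priority_score(f):
    """Prioritizing step: higher score = fix first. The weights are an assumption."""
    ease = (2 if f.public_exploit else 0) + (0 if f.needs_special_rights else 1)
    impact = 3 if f.os_level_access else 1
    prevalence = 2 * f.prevalence
    return ease + impact + prevalence + f.system_criticality


def build_plan(findings, budget_days=60, **constraints):
    """Return check ids in remediation order, greedily filling the time budget."""
    eligible = [f for f in findings if passes_constraints(f, max_days=budget_days, **constraints)]
    eligible.sort(key=priority_score, reverse=True)
    plan, used = [], 0.0
    for f in eligible:
        if used + f.effort_days <= budget_days:
            plan.append(f.check_id)
            used += f.effort_days
    return plan


SAMPLE_FINDINGS = [
    # The three rows of the slide's remediation table; effort from the slide, other values constructed.
    Finding("SSEA 1000003", "External RFC server registration", "high", "update configuration", 2.0,
            public_exploit=True, needs_special_rights=False, os_level_access=False,
            prevalence=0.6, system_criticality=3),
    Finding("SSCA 00130", "SSL encryption for ICM connections", "medium", "update configuration", 0.5,
            public_exploit=False, needs_special_rights=False, os_level_access=False,
            prevalence=0.9, system_criticality=3),
    Finding("SSCA 00223", "System log file permissions", "medium", "update configuration", 0.5,
            public_exploit=False, needs_special_rights=True, os_level_access=True,
            prevalence=0.3, system_criticality=2),
    # Constructed findings that each constraint should filter out.
    Finding("EXAMPLE-LOW", "Informational finding", "low", "update configuration", 0.25,
            False, False, False, 0.9, 1),
    Finding("EXAMPLE-KERNEL", "Needs a kernel patch", "critical", "kernel patch", 5.0,
            True, False, True, 1.0, 4),
    Finding("EXAMPLE-LONG", "Multi-month upgrade", "high", "sap note", 70.0,
            True, False, True, 0.5, 4),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE_FINDINGS, key=priority_score, reverse=True):
        print(f"{f.check_id:15} score={priority_score(f):4.1f} eligible={passes_constraints(f)}")
    print("plan:", build_plan(SAMPLE_FINDINGS))
```

With the sample data the plan is the three slide findings in the order RFC server registration, ICM encryption, system log permissions; shrinking the budget (for example `build_plan(SAMPLE_FINDINGS, budget_days=2.5)`) drops the lowest-priority item first, which is the behaviour a remediation owner needs when the window is cut.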

Risk Management
Purpose: To make decisions on addressing possible adverse impacts from the operation and use of SAP systems
Implementation (outcome in parentheses):
1. Create a threat model for SAP systems (Threat Model)
2. Assess likelihoods and estimate business impacts of cybersecurity risks (Risk Register)
3. Automate risk management and develop risk response plans (Risk Responses)

Risk Management. Oil & Gas ERP Risks (example table)
Columns: SAP Module | Asset | Threat | Consequences
- SCM | Supply chain schema | Rerouting supply chain | Theft of crude oil and refined products
- HRM | HR data | Stealing employees' data (personal, salary, experience, etc.) | Identity theft, headhunting
- PM | Oil and gas gaining systems control data | Disrupting SCADA logic and processes | Service outage, equipment damage, workers' injuries
- MII | Field data | Stealing coordinates and volumes of exploratory and production wells | Losing competitive advantage
- SCM | Midstream and downstream assets | Stealing information about equipment and transportation | Facilitating theft and sabotage
- PP | Production line control data | Disrupting SCADA logic and processes | Production suspension
- SD | Prices | Stealing price formation schemas | Losing partners
- FICO | Finance transactions | Creating fraudulent transactions | Monetary losses

Secure Development
Purpose: To ensure security during SAP systems development and acquisition
Implementation (outcome in parentheses):
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and endpoints (SAP Security Requirements)
2. Create secure development standards and processes (Development Standards and Processes)
3. Automate secure development processes (Security Plans)

Secure Development. Code Vulnerability Usage
Columns: Type | Cause | Exploiter
- Code injections | Security ignorance | Hackers
- Backdoors | Desire to simplify development; intent to control a system | Developers
- Missing authorization checks | Negligence | Insiders
- Obsolete statements | Natural obsolescence of code | Administrators (unintentionally)

PREVENT. Reduce the attack surface

PREVENT processes and their purposes:
- Access Control: to limit the rights of authorized users and prevent unauthorized use of an SAP system
- Awareness and Training: to provide personnel and contractors with cybersecurity awareness education and training to perform their duties and responsibilities
- Data Security: to enforce confidentiality, integrity and availability requirements for information in SAP systems on the data layer
- Secure Architecture: to ensure security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls

Access Control
Purpose: To limit the rights of authorized users and prevent unauthorized use of an SAP system
Implementation (outcome in parentheses):
1. Secure the network, servers and endpoint devices (Access Rules)
2. Implement role-based access control to SAP functionality (Access Mechanisms)
3. Enforce Segregation of Duties controls according to business process rules (Access Control Reports)

Access Control. How to Create a User?
Ways to create a user in an SAP system:
1. Transaction SU01
2. Database table USR02
3. RFC function BAPI_USER_CREATE
4. Web exploit using the InvokerServlet feature and the CTC servlet
Number of objects of each kind:
1. More than 300 000 transactions
2. More than 500 000 tables
3. More than 40 000 RFC functions
4. 500 known web exploits

Awareness and Training
Purpose: To provide personnel and contractors with cybersecurity awareness education and training to perform their duties and responsibilities
Implementation:
1. Enlist commitment of the Board and C-level executives
2. Provide SAP security training for BASIS and security teams
3. Provide awareness training to SAP users
Outcomes: Training Materials; Knowledge Assessment Reports; Training Records

Awareness and Training. Commitment (diagram). Stages: Dissatisfaction, Vision, First Steps, Resistance to Change. Security team activities: establish security team activities, hire staff, purchase tools, provide training, conduct audits and assessments. Communication to the Board: SAP security project news, SAP security articles, Board interviews.

Data Security
Purpose: To enforce confidentiality, integrity and availability requirements for information in SAP systems on the data layer
Implementation:
1. Classify data assets according to their value to the organization
2. Protect data-in-transit using SNC and SSL/TLS
3. Protect data-at-rest by encryption, secure storage location and tokenization
Outcomes: Data Inventory; Data Security Reports; Data Flows
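Step 2 (protect data-in-transit with SNC and SSL/TLS) is verifiable from the instance profile: the ICM port parameters say which protocol each port serves, and snc/enable says whether SNC is on. The Python below is an added example, not code from the deck or from ERPScan, that parses a profile fragment and reports the weak settings next to a hardened fragment. The parameter names icm/server_port_<n> (value of the form PROT=...,PORT=...) and snc/enable are real NetWeaver profile parameters; both profile fragments are constructed.

```python
"""Profile check for plaintext ICM ports and disabled SNC (added example)."""

# Constructed instance profile fragment: ICM serves plain HTTP and SNC is off.
PROFILE_WEAK = """\
# constructed example, not a real system
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=SMTP,PORT=25000
snc/enable = 0
"""

# Constructed hardened fragment: HTTPS only, SNC enabled.
PROFILE_HARDENED = """\
# constructed example, not a real system
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
icm/server_port_0 = PROT=HTTPS,PORT=44300
snc/enable = 1
"""


def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)   # split once: the value itself contains '='
        params[key.strip()] = value.strip()
    return params


def parse_icm_value(value):
    """'PROT=HTTP,PORT=8000' -> {'PROT': 'HTTP', 'PORT': '8000'}"""
    options = {}
    for part in value.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            options[k.strip().upper()] = v.strip()
    return options


def check_transport_security(params):
    """Return one finding string per weak transport setting (empty list = clean)."""
    findings = []
    for key in sorted(params):
        if key.startswith("icm/server_port_"):
            options = parse_icm_value(params[key])
            if options.get("PROT", "").upper() == "HTTP":
                findings.append(f"{key}: PROT=HTTP on port {options.get('PORT', '?')}, "
                                "switch to PROT=HTTPS")
    # snc/enable defaults to 0 when absent, so a missing parameter is also a finding.
    if params.get("snc/enable", "0") != "1":
        findings.append("snc/enable is not 1: SNC is off, DIAG/RFC connections are unprotected")
    return findings


def audit_profile(text):
    return check_transport_security(parse_profile(text))


if __name__ == "__main__":
    for name, profile in (("weak", PROFILE_WEAK), ("hardened", PROFILE_HARDENED)):
        print(name, audit_profile(profile) or ["no transport findings"])
```

Only PROT=HTTP is flagged because that is the setting the remediation table calls out; other ICM protocols such as the SMTP port in the sample are outside this check and would need their own rule.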

Data Security. Data Inventory (example table)
Columns: Data Asset | Information Asset | Type | Location | Protection Requirements | Current Level of Protection (at rest / in transit)
- Payments Table | Payment Cards Details | Table | Oracle DB; DataSource=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MyHost)(PORT=MyPort))(CONNECT_DATA=(SERVICE_NAME=MyOracleSID))) | GDPR, PCI DSS | -
- Payments Transaction | Payment Cards Details | Transaction | SAP, transaction TR12 | GDPR, PCI DSS | At rest: SAP authorizations; in transit: could be exported to NAS
- Reports .XLSX | Payment Reports | Electronic sheets, files on NAS | nas:\\finance\reports | PCI DSS | Stored on NAS, protected by AD policies

Secure Architecture
Purpose: To ensure security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls
Implementation:
1. Protect the SAP perimeter
2. Secure SAP communications
3. Integrate SAP security and enterprise security
Outcomes: SAP Security Architecture; SAP Security Controls; SAP Technical Solutions

Secure Architecture. System Schema (diagram)


DETECT. Monitor threats

DETECT processes and their purposes:
- Event Management: to collect information on SAP security-related events
- Threat Detection: to detect attacks and possible threats to SAP systems
- User Behavior: to detect deviations of user behavior from what is typical in SAP systems
- Data Leakage: to detect data leakage in SAP systems

Event Management
Purpose: To collect information on SAP security-related events
Implementation (outcome in parentheses):
1. Configure the SAP security audit log (Audit Events)
2. Collect SAP security-related events (Event Databases)
3. Monitor SAP-related network, systems, personnel and external service provider activities (Event Collecting Procedures)

Event Management. Event Sources. More than 30 logs feed the log management solutions, among them:
- SAP ABAP Security log
- SAP ABAP Audit log
- SAP ABAP HTTP log
- SAP ABAP ICM Security log
- SAP ABAP RFC log
- SAP J2EE HTTP log
- SAP HANA Security log
- SAP HANA log

Threat Detection
Purpose: To detect attacks and possible threats to SAP systems
Implementation:
1. Configure IDS/IPS systems to detect SAP attack signatures
2. Manually review SAP security events
3. Monitor potential attacks, security event combinations and anomalies
Outcomes: Threat Catalogue; Threat Data Sources; Threat Detection Rules

Threat Detection. Examples:
- Password brute-forcing attempts
- Unauthorized access to RFC services
- Attacks on web resources (XSS, SQL injection, buffer overflow, etc.)
- Attacks via source code vulnerabilities
- Authentication bypass (verb tampering, Invoker servlet)
- Critical actions (transactions, programs, URLs)
- SoD conflicts

User Behavior
Purpose: To detect deviations of user behavior from what is typical in SAP systems
Implementation:
1. Review privileged accounts' activities
2. Establish profiles for SAP user behavior and detect anomalies
3. Monitor SAP business activities and SoD conflicts in real time
Outcomes: Critical Actions Reports; Baseline Behavior Profiles; Anomaly Detection Rules

User Behavior. Examples:
1. Atypical behavior of users from the audit department in the Sweden branch in comparison to their USA colleagues.
2. Running an administrative transaction (e.g. SE16) by a non-privileged user.
3. Use of an account after a long (e.g. six months) period of inactivity.
4. First change of user location from USA to Egypt.
5. Access to risky resources (e.g. financial reports).
6. Change of frequency for downloading reports.
7. A user generates an unusual amount of traffic, possibly trying to download the whole content of the client database.
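Several of the threat detection and user behavior examples above (brute-forcing, an administrative transaction run by a non-privileged user, a dormant account coming back to life, a first logon from a new country) can be expressed as rules over the SAP Security Audit Log, which the Event Management slide asks to configure and collect. The Python below is an added example, not code from the deck or from ERPScan, that runs four such rules over a constructed sample. The message ids AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started) are real Security Audit Log ids; the pipe-delimited record layout, the users, terminals, the terminal-to-country table and the thresholds are all constructed.

```python
"""Detection rules over SAP Security Audit Log records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. Layout (an assumption, not the real SAL format):
# timestamp|msg_id|user|terminal|transaction
SAMPLE_SAL = """\
2017-02-01 10:00:00|AU1|OLDUSER|WS-333|
2017-03-01 08:00:00|AU1|JSMITH|WS-101|
2017-03-01 08:01:10|AU3|JSMITH|WS-101|SE16
2017-03-01 08:02:00|AU2|ADMIN|WS-209|
2017-03-01 08:02:05|AU2|ADMIN|WS-209|
2017-03-01 08:02:09|AU2|ADMIN|WS-209|
2017-03-01 08:02:14|AU2|ADMIN|WS-209|
2017-03-01 08:02:20|AU2|ADMIN|WS-209|
2017-03-01 08:03:00|AU3|BASIS01|WS-002|SE16
2017-05-15 09:30:00|AU1|JSMITH|WS-101|
2017-05-16 07:45:00|AU1|JSMITH|LAPTOP-77|
2017-09-15 10:00:00|AU1|OLDUSER|WS-333|
"""

PRIVILEGED_USERS = {"BASIS01", "ADMIN"}      # constructed: accounts allowed to run admin transactions
ADMIN_TRANSACTIONS = {"SE16", "SU01"}        # transactions named on the slides
TERMINAL_COUNTRY = {"WS-101": "US", "WS-209": "US", "WS-002": "US",
                    "WS-333": "US", "LAPTOP-77": "EG"}   # constructed asset data
BRUTE_FORCE_THRESHOLD = 5                    # failed logons ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)    # ... within this window
DORMANCY_LIMIT = timedelta(days=180)         # "six months" from the slide


def parse_sal(text):
    """Parse the constructed record layout into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, msg_id, user, terminal, tcode = line.split("|")
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "msg_id": msg_id, "user": user, "terminal": terminal, "tcode": tcode})
    return sorted(records, key=lambda r: r["ts"])


def detect(records):
    """Return alerts as (rule, user, timestamp, detail), in event order."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of AU2 inside the window
    brute_forced = set()            # alert once per user, not on every further failure
    last_logon = {}                 # user -> timestamp of previous AU1
    seen_countries = defaultdict(set)
    for r in records:
        user, ts = r["user"], r["ts"]
        if r["msg_id"] == "AU2":                      # failed logon
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > BRUTE_FORCE_WINDOW:
                q.popleft()
            if len(q) >= BRUTE_FORCE_THRESHOLD and user not in brute_forced:
                brute_forced.add(user)
                alerts.append(("brute_force", user, ts, f"{len(q)} failures from {r['terminal']}"))
        elif r["msg_id"] == "AU1":                    # successful logon
            prev = last_logon.get(user)
            if prev is not None and ts - prev > DORMANCY_LIMIT:
                alerts.append(("dormant_account_used", user, ts, f"idle {(ts - prev).days} days"))
            last_logon[user] = ts
            country = TERMINAL_COUNTRY.get(r["terminal"])
            if country and seen_countries[user] and country not in seen_countries[user]:
                alerts.append(("new_location", user, ts, f"{country} after {sorted(seen_countries[user])}"))
            if country:
                seen_countries[user].add(country)
        elif r["msg_id"] == "AU3":                    # transaction started
            if r["tcode"] in ADMIN_TRANSACTIONS and user not in PRIVILEGED_USERS:
                alerts.append(("admin_tcode_by_nonprivileged", user, ts, r["tcode"]))
    return alerts


def run_sample():
    return detect(parse_sal(SAMPLE_SAL))


if __name__ == "__main__":
    for rule, user, ts, detail in run_sample():
        print(f"{ts} {rule:30} {user:10} {detail}")
```

On the sample this yields four alerts: JSMITH starting SE16 without being privileged, the fifth failed ADMIN logon inside the window, JSMITH's first logon from Egypt, and OLDUSER returning after 226 days. BASIS01 running SE16 and the two JSMITH logons 75 days apart produce nothing, which is the point of keeping an allow-list and a threshold in the rules rather than alerting on every critical transaction.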

Data Leakage
Purpose: To detect data leakage in SAP systems
Implementation:
1. Identify data leakage conditions in custom code and configuration
2. Analyze security events to detect possible data leakage
3. Monitor data flows and devices to detect data leakage in real time
Outcomes: Leakage Conditions; Leakage Detection Rules; Data Marking Practice

Data Leakage. Leak Points:
- Reports
- RFC / database / network connections
- Source code: hardcoded e-mails; hardcoded hostnames/SIDs
- Log files: session id in Java log traces
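Step 1 of the Data Leakage process (identify leakage conditions in custom code) maps directly onto the source-code and log-file leak points listed above. The Python below is an added example, not code from the deck or from ERPScan, that scans ABAP source for hardcoded e-mail addresses, hostnames, system ids compared against sy-sysid and literal RFC destinations, and scans Java log traces for session ids, with a redaction helper for the latter. sy-sysid, the DESTINATION addition and the JSESSIONID cookie are real ABAP/Java names; the two samples and the regular expressions are constructed and the patterns will need tuning for a real code base.

```python
"""Leak-point scanner for ABAP source and Java log traces (added example)."""
import re

# Constructed ABAP snippet containing one instance of each leak point.
ABAP_SAMPLE = """\
REPORT z_payment_report.
DATA lv_mail TYPE string VALUE 'john.doe@example.com'.
DATA lv_host TYPE string.
lv_host = 'sapprd01.corp.example.com'.
IF sy-sysid = 'PRD'.
  CALL FUNCTION 'Z_PUSH_REPORT' DESTINATION 'ERPCLNT100'.
ENDIF.
"""

# Constructed Java log trace; only the second line carries a session id.
JAVA_LOG_SAMPLE = """\
2017-03-01 08:00:01 INFO  com.example.portal.Login user=JSMITH login ok
2017-03-01 08:00:02 DEBUG com.example.portal.Session created JSESSIONID=3F2A9C0E1B7D44AA for user=JSMITH
2017-03-01 08:00:05 INFO  com.example.portal.Report rendered report=Z_PAYMENTS
"""

ABAP_PATTERNS = {
    # any e-mail address literal
    "hardcoded_email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # a quoted name with at least two dots, e.g. 'host.domain.tld'
    "hardcoded_hostname": re.compile(r"'([a-z0-9-]+(?:\.[a-z0-9-]+){2,})'", re.I),
    # system id compared to a literal: IF sy-sysid = 'PRD'
    "hardcoded_sid": re.compile(r"sy-sysid\s*(?:=|EQ|<>|NE)\s*'([A-Z][A-Z0-9]{2})'", re.I),
    # RFC destination given as a literal instead of coming from configuration
    "hardcoded_rfc_destination": re.compile(r"\bDESTINATION\s+'([^']+)'", re.I),
}
LOG_PATTERNS = {
    "session_id_in_log": re.compile(r"JSESSIONID=([A-Za-z0-9]+)"),
}


def scan(text, patterns):
    """Return (line number, category, matched value) for every hit, in file order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, regex in patterns.items():
            for m in regex.finditer(line):
                # group 1 where the pattern captures a value, whole match otherwise
                hits.append((lineno, category, m.group(m.lastindex or 0)))
    return hits


def scan_abap(source):
    return scan(source, ABAP_PATTERNS)


def scan_java_log(log):
    return scan(log, LOG_PATTERNS)


def redact_log(log):
    """Mask session ids before a trace leaves the system (e.g. is copied to a NAS)."""
    return LOG_PATTERNS["session_id_in_log"].sub("JSESSIONID=<redacted>", log)


if __name__ == "__main__":
    for hit in scan_abap(ABAP_SAMPLE) + scan_java_log(JAVA_LOG_SAMPLE):
        print("line %d: %s -> %s" % hit)
    print(redact_log(JAVA_LOG_SAMPLE))
```

The hostname pattern deliberately requires quotes and two dots so that the e-mail literal on line 2 and the function name on line 6 are not double-counted; a real scanner would add the project's own naming conventions (for example a `Z_` prefix for destinations that are allowed to be literal) to cut false positives.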


RESPOND. Investigate, take action and improve

RESPOND processes and their purposes:
- Incident Response: to systematically respond to violations, or threats of violation, of SAP security policies and practices
- Clear Communications: to establish a structure for SAP security responsibility in a business and provide means for clear communication between its members
- Continuous Analysis: to continuously monitor the effectiveness of SAP security processes and provide insights into the state of SAP security
- Mitigation: to design and model changes to the security of SAP systems
- Improvements: to learn from external events and internal assessments of SAP security controls

Incident Response
Purpose: To systematically respond to violations, or threats of violation, of SAP security policies and practices
Implementation:
1. Develop SAP security event correlation rules and incident alert thresholds
2. Develop SAP incident response and recovery plans
3. Automate SAP incident response procedures
Outcomes: Incident Definitions; Incident Cases; Incident Response Plans

Incident Response. Workflow: Collect -> Correlate -> Analyze -> Act

Clear Communication
Purpose: To establish a structure for SAP security responsibility in a business and provide means for clear communication between its members
Implementation (outcome in parentheses):
1. Assign responsibilities for ensuring SAP security (Security Responsibilities)
2. Establish communication between the security team and other parties (Security Roles Delineation)
3. Establish communication with 3rd-party companies and threat intelligence providers (Cyber Threat Information)

Clear Communication. ...dors (diagram; slide title truncated in the source)

Continuous Analysis
Purpose: To provide insights into the state of SAP security
Implementation (outcome in parentheses):
1. Develop SAP security metrics (SAP Security Metrics)
2. Automate tracking of SAP security metrics and analyze trends (SAP Security Dashboards)
3. Develop SAP forensic investigation procedures (Forensic Procedures)

Continuous Analysis. Metrics:
- Percentage (%) of SAP systems that have security plans in place
- Percentage (%) of SAP systems and service acquisition contracts that include SAP security requirements
- Percentage (%) of developers who introduced vulnerabilities in code
- Percentage (%) of systems with unimplemented SAP Notes that have public exploits
- Percentage (%) of users with simple passwords
- Percentage (%) of SAP systems covered by risk assessment

Mitigation
Purpose: To design, model and make changes to the security of SAP systems
Implementation (outcome in parentheses):
1. Develop an SAP security controls knowledge base (Knowledge Base)
2. Implement task and change management practices for SAP systems (Security CMDB)
3. Deploy virtual patching and automatic correction tools for SAP security issues (Security Workarounds)

Mitigation. Virtual Patching (diagram)

Improvements
Purpose: To learn from external events and improve SAP security
Implementation:
1. Continuously analyze SAP security updates and threats
2. Attend SAP security events and trainings
3. Assess the effectiveness of SAP security controls
Outcomes: Improvement Suggestions; Controls Assessments

Improvements. SAP Security Conferences 2017 (slide; list not transcribed)


Thank you
Michael Rakutko, Head of Professional Services, m.rakutko@erpscan.com
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
HQ Netherlands: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
www.erpscan.com, inbox@erpscan.com

