Transcript of: How to prevent SAP security incidents? - ERPScan
Agenda 3
Introduction: Case for SAP Cybersecurity Framework
Current state 5

Stakeholders: CISO, CIO

• SAP BASIS: patching SAP systems
• SAP SECURITY: segregation of duties
• IT OPERATIONS: monitoring SAP systems
• ENTERPRISE SECURITY: vulnerability management

Problems: no effective oversight, no visibility, complexity, poor integration; responsibilities slipped through the cracks.
Future state 6

Stakeholders: CISO, CIO, CRO

• ENTERPRISE SECURITY: Vulnerability Management + Asset Management + Risk Management + Secure Development
• SAP BASIS: Patching SAP systems + Incident Response + Mitigation + Improvements
• SAP SECURITY: Segregation of Duties + Data Security + Secure Architecture + Secure
• IT OPERATIONS: Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage
History 7

• Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks. Source: https://www.gartner.com/doc/2665515/
• EAS-SEC
Process Description 9

Category: PREDICT
Process: Secure Development
Purpose: To ensure security during SAP systems development and acquisition
Outcomes:
• Security Requirements
• Development Standards and Processes
• Security Plans
Implementation tiers:
1. Develop basic security requirements for configuration of servers, networks, SAP applications and client stations
2. Create secure development standards and processes
3. Automate secure development processes
Implementation Tiers 10

Tier 1: 50%, 3-6 months
Tier 2: 80%, 6-12 months
Tier 3: 99%, 12 months
PREVENT: Reduce the surface area of attack
Prevent SAP Security Incidents 12

• ACCESS CONTROL: To limit user privileges and prevent unauthorized use of SAP systems
• AWARENESS AND TRAINING: To ensure personnel and contractors have the necessary cybersecurity knowledge in order to perform their duties and responsibilities
• DATA SECURITY: To enforce confidentiality, integrity and availability requirements on the data layer
• SECURE ARCHITECTURE: To ensure security throughout all SAP components, connections, infrastructure facilities and enterprise security controls
Access Control 13

Purpose: To limit user privileges and prevent unauthorized use of SAP systems
Implementation:
1. Secure the network, servers and endpoint devices
2. Implement role-based access control to SAP functionality
3. Enforce Segregation of Duties controls according to business process rules
Outcomes:
• Access Rules
• Access Mechanisms
• Access Control Reports
Access Control. How to Create a User? 14

Ways to create a user in an SAP system:
1. Transaction SU01
2. Database table USR02
3. RFC function BAPI_USER_CREATE
4. Web exploit using the InvokerServlet feature and the CTC servlet
Each path is governed by a different control (transaction and user-administration authorizations, table authorizations, RFC authorizations, and patching of the Java stack), so restricting SU01 alone does not prevent user creation.

Number of objects:
1. More than 300,000 transactions
2. More than 500,000 tables
3. More than 40,000 RFC functions
4. 500 known web exploits
Common SOD issues 15

How to analyze SoD rules without interviews?
1. Authorization objects with * field values (e.g. S_TABU_DIS)
2. Distribution of users by roles
3. Profiling of user access (transaction traces)

Chart: % of users with given roles (y-axis 0% to 40%; the two largest shares are 37% and 31%). Roles shown: SAP_RCF_INTERNAL_CANDIDATE, ZRCFUIX_WEB_SERVICES_INT_CND, IDESUS_HR_ESS_MENU, VS::FI_DISPLAY_LINE_ITEMS, VS::OM_DISPLAY, SAP_DAL_ADMIN, SAP_LO_EMPLOYEE, VS_MM_IM_DISPLAY, IDES_XRPM_ADMINISTRATOR, VS_FI_GE_GLDISPLAY, /0CUST/WELCOME_NWBC30, SAP_RCF_MANAGER, VS_HR_PA20_REPORTS, ZIDES_PLMWUI_DISCRETE_MENU, VS::SD_SALES_DISPLAY.
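The two slides above list four ways to create a user and three interview-free SoD analyses. The Python script below is an added example, not code from the ERPScan deck, that runs those analyses offline on constructed rows shaped like the standard tables AGR_1251 (role, authorization object, field, value range) and AGR_USERS (role, user) plus a constructed transaction trace: it flags `*` values on sensitive objects, computes the share of users holding each role, lists granted-but-never-used transactions, and reports which of the three authorization-based user-creation paths a user actually holds. The role and user names, the SoD rule (FK01 plus FB60), the table authorization group SC for USR02 and the function group SU_USER for BAPI_USER_CREATE are this example's assumptions and should be verified on your own system; the web-exploit path is closed by patching and disabling the invoker servlet, not by role design, so it is not modelled here.

```python
"""Added example (not from the ERPScan deck): offline analysis of SAP role
authorization data.  Rows mimic the columns of AGR_1251 and AGR_USERS; in
practice export them with SE16N or read them over RFC.  All data is constructed."""
from collections import Counter, defaultdict

# Constructed AGR_1251-style rows: (AGR_NAME, OBJECT, FIELD, LOW, HIGH)
AGR_1251 = [
    ("Z_FI_CLERK",   "S_TCODE",    "TCD",       "FB60",  ""),
    ("Z_FI_CLERK",   "S_TCODE",    "TCD",       "FK01",  ""),
    ("Z_FI_DISPLAY", "S_TCODE",    "TCD",       "FBL1N", ""),
    ("Z_FI_DISPLAY", "S_TABU_DIS", "ACTVT",     "03",    ""),
    ("Z_FI_DISPLAY", "S_TABU_DIS", "DICBERCLS", "FC*",   ""),
    ("Z_BASIS_ALL",  "S_TCODE",    "TCD",       "*",     ""),
    ("Z_BASIS_ALL",  "S_TABU_DIS", "ACTVT",     "02",    ""),
    ("Z_BASIS_ALL",  "S_TABU_DIS", "DICBERCLS", "*",     ""),   # wildcard on a sensitive object
    ("Z_BASIS_ALL",  "S_RFC",      "ACTVT",     "16",    ""),
    ("Z_BASIS_ALL",  "S_RFC",      "RFC_TYPE",  "FUGR",  ""),
    ("Z_BASIS_ALL",  "S_RFC",      "RFC_NAME",  "SU*",   ""),
    ("Z_BASIS_ALL",  "S_USER_GRP", "ACTVT",     "01",    "06"),  # range 01..06
    ("Z_BASIS_ALL",  "S_USER_GRP", "CLASS",     "*",     ""),
]
# Constructed AGR_USERS-style rows: (AGR_NAME, UNAME)
AGR_USERS = [("Z_FI_CLERK", "ALICE"), ("Z_FI_DISPLAY", "ALICE"), ("Z_FI_DISPLAY", "BOB"),
             ("Z_FI_DISPLAY", "CAROL"), ("Z_BASIS_ALL", "DAVE")]
# Constructed transaction trace (what STAD/ST03N would show): (UNAME, TCODE)
TRACE = [("ALICE", "FB60"), ("ALICE", "FBL1N"), ("ALICE", "FB60"), ("DAVE", "SM59")]


def value_matches(low, high, value):
    """SAP authorization value semantics: '*' matches everything, a trailing '*'
    is a prefix pattern, and a non-empty HIGH turns LOW..HIGH into an inclusive range."""
    if low == "*":
        return True
    if low.endswith("*"):
        return value.startswith(low[:-1])
    if high:
        return low <= value <= high
    return value == low


def role_grants(auths, role, obj, **fields):
    """True if the role's values for OBJECT cover every required field value.
    Simplification: fields are matched independently across all instances of the
    object in the role (AGR_1251's AUTH grouping is ignored), which can over-report."""
    by_field = defaultdict(list)
    for r, o, f, lo, hi in auths:
        if r == role and o == obj:
            by_field[f].append((lo, hi))
    return all(any(value_matches(lo, hi, v) for lo, hi in by_field.get(f, []))
               for f, v in fields.items())


def roles_of(assignments, user):
    return [r for r, u in assignments if u == user]


def wildcard_findings(auths, sensitive=("S_TABU_DIS", "S_RFC", "S_USER_GRP", "S_TCODE")):
    """Question 1: roles that grant '*' on a sensitive authorization object."""
    return sorted({(r, o, f) for r, o, f, lo, _ in auths if o in sensitive and lo == "*"})


def role_distribution(assignments):
    """Question 2: percentage of users holding each role (the bar chart on the slide)."""
    users = {u for _, u in assignments}
    return {r: round(100.0 * n / len(users), 1) for r, n in Counter(r for r, _ in assignments).items()}


def unused_transactions(auths, assignments, trace, user):
    """Question 3: explicitly granted transactions the user never executed."""
    granted = {lo for r in roles_of(assignments, user)
               for rr, o, _, lo, _ in auths if rr == r and o == "S_TCODE" and "*" not in lo}
    used = {t for u, t in trace if u == user}
    return sorted(granted - used)


# Authorization checks behind each path of the "How to create a user" slide.
# Table group 'SC' for USR02 and function group 'SU_USER' for BAPI_USER_CREATE
# are assumptions of this example: verify them in TDDAT and SE37 on your system.
USER_CREATION_PATHS = {
    "SU01": [("S_TCODE", {"TCD": "SU01"}), ("S_USER_GRP", {"ACTVT": "01"})],
    "USR02": [("S_TABU_DIS", {"DICBERCLS": "SC", "ACTVT": "02"})],
    "BAPI_USER_CREATE": [("S_RFC", {"RFC_TYPE": "FUGR", "RFC_NAME": "SU_USER", "ACTVT": "16"})],
}


def user_creation_paths(auths, assignments, user):
    found = set()
    for path, checks in USER_CREATION_PATHS.items():
        for role in roles_of(assignments, user):
            if all(role_grants(auths, role, obj, **flds) for obj, flds in checks):
                found.add(path)
    return sorted(found)


# Illustrative SoD rule (assumed): maintain vendor master (FK01) and post vendor invoice (FB60).
SOD_RULES = [("FK01", "FB60")]


def sod_conflicts(auths, assignments, user):
    roles = roles_of(assignments, user)
    can = lambda tcode: any(role_grants(auths, r, "S_TCODE", TCD=tcode) for r in roles)
    return [(a, b) for a, b in SOD_RULES if can(a) and can(b)]


if __name__ == "__main__":
    print("wildcards:", wildcard_findings(AGR_1251))
    print("distribution:", role_distribution(AGR_USERS))
    for u in ("ALICE", "DAVE"):
        print(u, "paths:", user_creation_paths(AGR_1251, AGR_USERS, u),
              "sod:", sod_conflicts(AGR_1251, AGR_USERS, u),
              "unused:", unused_transactions(AGR_1251, AGR_USERS, TRACE, u))
```

DAVE's role grants S_TCODE `*`, S_TABU_DIS `*` and S_RFC `SU*`, so the script reports all three paths for him although no role mentions SU01 or USR02 by name; that is exactly the case the slide warns about, and why wildcard review comes before SoD rule design.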
Awareness and Training 16

Purpose: To ensure personnel and contractors have the necessary cybersecurity knowledge in order to perform their duties and responsibilities
Implementation:
1. Enlist commitment of Board and C-level executives
2. Provide SAP security training for BASIS and security teams
3. Provide awareness training to SAP users
Outcomes:
• Training Materials
• Training Records
• Knowledge Assessment Reports
Board Commitment 17

Dissatisfaction + Vision + First Steps > Resistance to Change

• SAP security project news
• SAP security articles
• Board interviews

• Establish security team activities
• Hire staff
• Purchase tools
• Provide trainings
• Conduct audits and assessments
Top SAP Security Websites 18

• darkreading.com
• sapsecuritypages.com
• websmp108.sap-ag.de/public/security
• erpscan.com/press-center/blog/what-is-sap-security-2/
• cert-devoteam.fr/publications/en/category/securite-sap-en/
• resources.infosecinstitute.com/sap-security-for-beginners-part-4-sap-risks-espionage/
• udemy.com/sap-cyber-security-training/
• SAP Security and Risk Management, 2nd Edition, by Mario Linkies and Horst Karin
SAP Security for Users 19

Consequences:
• blocked data (ransomware)
• compromised reports
• spread of infection

Attack Vectors
Data Security 20

Purpose: To enforce confidentiality, integrity and availability requirements on the data layer
Implementation:
1. Classify data assets according to their value to the organization
2. Protect data in transit using SNC and SSL/TLS
3. Protect data at rest by encryption, secure storage location and tokenization
Outcomes:
• Data Inventory
• Data Flows
• Data Security Reports
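Whether step 2 (data in transit) actually holds on an AS ABAP instance is decided by a handful of profile parameters. The script below is an added example, not from the ERPScan deck: it parses a constructed instance profile excerpt and reports the SNC and ICM settings that fall short of the baseline assumed here (SNC enabled, minimum protection level 3 = privacy, GUI and RFC logons without SNC rejected, encryption enforced, no plaintext HTTP listener). The parameter names are the real ones; the required values are this example's baseline, so compare them with your own policy before treating a finding as a defect.

```python
"""Added example, not part of the ERPScan deck: offline check of an SAP
NetWeaver AS ABAP instance profile for the parameters that decide whether
data in transit is protected by SNC (SAP GUI and RFC) and TLS (HTTP via ICM).
The profile text is constructed and the required values are this example's baseline."""

# (parameter, value this example requires, what a deviation means)
SNC_BASELINE = [
    ("snc/enable", "1", "SNC disabled: DIAG and RFC traffic is cleartext"),
    ("snc/data_protection/min", "3", "minimum SNC level below 3 (privacy) allows sessions without encryption"),
    ("snc/accept_insecure_gui", "0", "SAP GUI logons without SNC are accepted"),
    ("snc/accept_insecure_rfc", "0", "RFC connections without SNC are accepted"),
    ("snc/only_encrypted_gui", "1", "SAP GUI sessions are not forced to encrypt"),
    ("snc/only_encrypted_rfc", "1", "RFC sessions are not forced to encrypt"),
]


def parse_profile(text):
    """Parse 'key = value' lines of a SAP profile.  '#' starts a comment, and a
    later definition of the same key overrides an earlier one, as in the kernel."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def parse_icm_port(value):
    """'PROT=HTTPS,PORT=44300,TIMEOUT=60' -> {'PROT': 'HTTPS', 'PORT': '44300', 'TIMEOUT': '60'}"""
    return dict(part.split("=", 1) for part in value.split(",") if "=" in part)


def check_transport(params):
    """Return (parameter, actual, required, reason) for every deviation from the baseline."""
    findings = []
    for key, want, why in SNC_BASELINE:
        have = params.get(key)
        if have != want:
            findings.append((key, "(not set)" if have is None else have, want, why))
    tls_listener = False
    for key in sorted(k for k in params if k.startswith("icm/server_port_")):
        port = parse_icm_port(params[key])
        prot = port.get("PROT", "").upper()
        if prot == "HTTPS":
            tls_listener = True
        elif prot == "HTTP":
            findings.append((key, params[key], "PROT=HTTPS",
                             "plaintext HTTP listener on port " + port.get("PORT", "?")))
    if not tls_listener:
        findings.append(("icm/server_port_<n>", "(none)", "PROT=HTTPS", "no TLS listener configured"))
    return findings


# Constructed instance profile excerpt; not taken from any real system.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
snc/enable = 1
snc/data_protection/min = 1        # 1 = authentication only
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=60
"""

if __name__ == "__main__":
    for key, have, want, why in check_transport(parse_profile(SAMPLE_PROFILE)):
        print(f"{key}: {have} (required {want}): {why}")
```

Parameters that are absent are reported as "(not set)" rather than assumed to carry a safe default, because the kernel default differs between releases; the sample profile yields five findings even though SNC is switched on, which is the usual state of an instance where SNC was enabled for single sign-on but never enforced.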
Data Security. Data Inventory 21

| Information Asset | Data Asset | Type | Location | Protection Requirements | Current Level of Protection: At Rest | Current Level of Protection: In Transit |
|---|---|---|---|---|---|---|
| Payment Cards Details | Payments Table | Oracle DB Table | DataSource=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MyHost)(PORT=MyPort))(CONNECT_DATA=(SERVICE_NAME=MyOracleSID))); | GDPR, PCI DSS | - | |
| Payment Cards Details | Payments Transaction | SAP Transaction | TR12 | GDPR, PCI DSS | SAP Authorizations | Could be exported to NAS |
| Payment Reports | Reports | .XLSX electronic sheets, files on NAS | nas:\\finance\reports | PCI DSS | Stored on NAS, protected by AD policies | - |
GDPR Security Tasks 22

• Identify data items
• Find users having access to personal data
• Evaluate security controls
• Assess risks to data subjects

• Restrict access to personal data
• Implement and describe security controls to demonstrate compliance
• Manage personal data lifecycle

• Monitor personal data access
• Detect SAP security threats
• Implement SAP incident response capabilities

GDPR Explained: What are the security requirements? Source: erpscan.com/press-center/blog/gdpr-explained-security-requirements/
SAP HANA Encryption 23
Secure Architecture 24

Purpose: To ensure security throughout all SAP components, connections, infrastructure facilities and enterprise security controls
Implementation:
1. Protect the SAP perimeter
2. Secure SAP communications
3. Integrate SAP security and enterprise security
Outcomes:
• SAP Security Architecture
• SAP Security Controls
• SAP Technical Solutions
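"Protect the SAP perimeter" includes the RFC gateway, whose gw/sec_info and gw/reg_info files decide which hosts may start or register external programs on the gateway. The script below is an added example, not part of the ERPScan deck: it parses constructed versions of both files in the documented `P|D KEY=VALUE ...` syntax with a `#VERSION=2` header and flags permissive rules (any host, any program, `ACCESS=*` or `CANCEL=*`) as well as lines shadowed by a catch-all permit. The host name, the program name and the criteria for "permissive" are this example's assumptions.

```python
"""Added example, not part of the ERPScan deck: review of the RFC gateway
access-control files gw/sec_info (who may start external programs) and
gw/reg_info (who may register external servers).  Sample files are constructed."""


def parse_acl(text):
    """Return (version, rules); each rule is (action, {KEY: value}) in file order."""
    version, rules = 1, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#VERSION="):
            version = int(line.split("=", 1)[1])
        elif not line or line.startswith("#"):
            continue
        else:
            action, *fields = line.split()
            if action not in ("P", "D"):
                raise ValueError("unsupported ACL line: " + raw)
            rules.append((action, dict(f.split("=", 1) for f in fields if "=" in f)))
    return version, rules


def unrestricted(value):
    """'*' (or a missing field, which this example treats as '*') places no limit on the match."""
    return value is None or value == "*"


def review_acl(text, kind):
    """kind is 'sec_info' or 'reg_info'; returns (rule number, finding) pairs.
    The gateway applies the first matching line, so a catch-all permit also makes
    every later line, including a trailing deny, unreachable."""
    verb = "start" if kind == "sec_info" else "register"
    version, rules = parse_acl(text)
    findings = []
    if version < 2:
        findings.append((0, "#VERSION=2 missing: deny lines and ACCESS/CANCEL lists are unavailable"))
    for n, (action, f) in enumerate(rules, 1):
        if action != "P":
            continue
        open_tp, open_host = unrestricted(f.get("TP")), unrestricted(f.get("HOST"))
        if open_tp and open_host:
            findings.append((n, "any host may %s any program" % verb))
            if n < len(rules):
                findings.append((n, "catch-all permit: %d later line(s) are never evaluated" % (len(rules) - n)))
        elif open_host:
            findings.append((n, "%s may be %sed from any host" % (f.get("TP"), verb)))
        if kind == "reg_info":
            if unrestricted(f.get("ACCESS")):
                findings.append((n, "ACCESS=* lets any host call the registered program"))
            if unrestricted(f.get("CANCEL")):
                findings.append((n, "CANCEL=* lets any host cancel the registration"))
    return findings


# Constructed sample files; the host name tax01.corp.example is fictitious.
SEC_INFO = """\
#VERSION=2
P TP=* USER=* HOST=local USER-HOST=local
P TP=* USER=* HOST=* USER-HOST=*
D TP=* USER=* HOST=* USER-HOST=*
"""
REG_INFO = """\
#VERSION=2
P TP=* HOST=local ACCESS=internal CANCEL=local
P TP=ZTAXCALC HOST=tax01.corp.example ACCESS=internal CANCEL=internal
P TP=* HOST=* ACCESS=* CANCEL=*
"""

if __name__ == "__main__":
    for name, text in (("sec_info", SEC_INFO), ("reg_info", REG_INFO)):
        for n, finding in review_acl(text, name):
            print(f"{name} rule {n}: {finding}")
```

The sec_info sample ends with a deny line that looks like a safe default but is never reached, because the permit above it already matches everything; reviewing the files in evaluation order rather than searching for the presence of a deny line is the point of the example.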
Secure Architecture. System Schema 25
Secure Communications 26
Secure Architecture 27
Further Actions: How to use SAP Cybersecurity Framework?
For Industry 29

• How secure are we? Do we meet GDPR requirements? Carry out an SAP security audit!
• How to get budget and implement security processes? Assess your SAP security capabilities and make a business case for an SAP security initiative!
• How to ensure business systems follow business rules? Profile and enhance SoD rules!
For Consulting 30

1. Include SAP systems in the scope of your existing services:
• GDPR audit
• ISMS implementation for SAP systems in scope
• Threat detection and SAP-SIEM integration
2. Prove your selling proposition is unique with the ROI of SAP security
3. Create a 360-degree image of an SAP security provider
Professional Services 32

Predict SAP data breach:
• SAP Penetration Testing
• SAP Security Audit
• SAP Vulnerability Management as a Service
Thank you 33

Join our group: linkedin.com/groups/13543110
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletter: eepurl.com/bef7h1

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255
EU: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892

Parmesh Pillai, Senior Manager at Commercial, [email protected]
Michael Rakutko, Head of Professional Services, [email protected]