Securing SAP in 5 steps
Transcript of Securing SAP in 5 steps
About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
Securing SAP
• Have budget - find people and tools (later)
• Don't have budget - try to show the business how critical it is
Ask 3rd par@es for
• Whitepapers
• Webinar from experts
• SaaS scanning of external-facing systems
• Pentest
• Full SAP Security assessment
Pentest - Anonymous scanning for SAP vulnerabilities
• Analysis of exposed services (more than 20 possible)
• BlackBox analysis of installed applications and vulnerabilities
• Exploitation of found vulnerabilities
• Presentation of a report for management
Pentest
• Scan the external company network for SAP
• Scan internal SAP systems from the user or guest network
• Scan internal SAP systems from the admin network
We have been scanning external systems and collecting this information since 2011
Analysis of running services
[Chart: exposed services, 2011 vs 2013, scale 0-35. Services shown: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router]
Remotely exposed services
• Only these services should be open for local access:
  – Dispatcher
  – Message Server
  – HTTP (ICM)
Internal access
• Next step in BlackBox analysis
• Can be used as a starting point for an SAP Security project
• Can also be used as a final test after implementation
Pentest JAVA
Examples of vulnerabilities:
• Auth bypass in CTC
• Anonymous user creation
• Anonymous file read
• Information disclosure
• Unauthorized access to KM documents
Pentest ABAP
Examples of vulnerabilities:
• Buffer overflows
• Information disclosure about files in MMC
• Unauthorized access to log files
• Injection of OS commands in SAPHostControl
• Dangerous web services
• Information disclosure about parameters in Message Server HTTP
Full SAP Security assessment
• Configuration analysis
• Access control checks
• Vulnerability scanning
Configura@on analysis
• Authentication (password policies, SSO, users selected by different criteria)
• Access control (access to different web services, tables, transactions, insecure test services, unnecessary transactions and web applications)
• Encryption (SSL and SNC encryption)
• Monitoring (Security Audit Log, system log and others)
• Insecure configuration (all other security checks for particular services: Gateway, Message Server, ITS, SAPGUI, Web Dispatcher, MMC, Host Control, Portal)
Access control
• Users with critical profiles
• Users with critical roles
• Users with access to critical tables
• Users with access to transport
• Users with access to development
• Users with access to user administration
• Users with access to system administration
• Users with access to HR functions
• Users with access to CRM functions
• ...
Vulnerability scan
• Check for latest component versions
• Check for missing SAP Notes
• Exploit vulnerabilities to check if they really exist
Compliance
First of all, choose the one that you want:
• EAS-SEC
• SAP NetWeaver ABAP Security configuration
• ISACA (ITAF)
• DSAG
EAS-SEC for NetWeaver (EASAI-NA)
Enterprise Application Systems Application Implementation – NetWeaver ABAP
• Developed by ERPScan: first standard of the EAS-SEC series
• Will be published in September
• Rapid assessment of SAP security in 9 areas
• Contains the 33 most critical checks
• Ideal as a first step
• Also contains information for the next steps
• Categorized by priority and criticality
EASAI-NA-2013

EASAI-NA area                                Access         Criticality  Easy to exploit  % of vulnerable systems
1. Lack of patch management                  Anonymous      High         High             99%
2. Default passwords for application access  Anonymous      High         High             95%
3. Unnecessary enabled functionality         Anonymous      High         High             90%
4. Open remote management interfaces         Anonymous      High         Medium           90%
5. Insecure configuration                    Anonymous      Medium       Medium           90%
6. Unencrypted communication                 Anonymous      Medium       Medium           80%
7. Access control and SOD                    User           High         Medium           99%
8. Insecure trust relations                  User           High         Medium           80%
9. Logging and Monitoring                    Administrator  High         Medium           98%
Lack of patch management
• [EASAI-NA-01] Component updates
• [EASAI-NA-02] Kernel updates
What next: Other components should be updated separately – SAP Router, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects. And also the OS and the database.
Default passwords
• [EASAI-NA-03] Default password check for user SAP*
• [EASAI-NA-04] Default password check for user DDIC
• [EASAI-NA-05] Default password check for user SAPCPIC
• [EASAI-NA-06] Default password check for user MSADM
• [EASAI-NA-07] Default password check for user EARLYWATCH
What next: A couple of additional SAP components also use their own default passwords. For example, the SAP SDM and SAP ITS services in their old versions have default passwords. After you have checked all default passwords, you can start with brute-forcing for simple passwords.
Unnecessary enabled functionality
• [EASAI-NA-08] Access to RFC functions using the SOAP interface
• [EASAI-NA-09] Access to RFC functions using the FORM interface
• [EASAI-NA-10] Access to the XI service using the SOAP interface
What next: You should analyze about 1500 other services which are remotely enabled and decide whether they are really needed, and also disable unused transactions, programs and reports.
Open remote management interfaces
• [EASAI-NA-11] Unauthorized access to the SAPControl service
• [EASAI-NA-12] Unauthorized access to the SAPHostControl service
• [EASAI-NA-13] Unauthorized access to the Message Server service
• [EASAI-NA-14] Unauthorized access to the Oracle database
What next: The full list of SAP services can be found in the document "TCP/IP Ports Used by SAP Applications". You should also take care of 3rd-party services which can be enabled on this server.
Insecure configuration
• [EASAI-NA-15] Minimum password length
• [EASAI-NA-16] User locking policy
• [EASAI-NA-17] Password compliance with current standards
• [EASAI-NA-18] Access control to RFC (reginfo.dat)
• [EASAI-NA-19] Access control to RFC (secinfo.dat)
What next: First of all, look at the document "Secure Configuration of SAP NetWeaver® Application Server Using ABAP" for detailed configuration checks. Afterwards you can go through the detailed documents for each and every SAP service and module: http://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
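As an added example (not from the slides and not ERPScan's tooling), a small Python audit of the two Gateway ACL files behind EASAI-NA-18 and EASAI-NA-19. It assumes the version-2 rule syntax ("P" or "D" followed by KEY=value tokens, "*" meaning any, "," separating lists, "#" starting comments) and shows the wide-open setting beside a restricted one; the host names, user and program path in the samples are constructed.

```python
"""Audit SAP Gateway ACL files (secinfo / reginfo) for wide-open permit rules.
Added example; assumes the version-2 syntax: one rule per line, "P" (permit)
or "D" (deny) followed by KEY=value tokens, "*" = any, "," separates lists,
"#" starts a comment. The Gateway evaluates rules top-down, first match wins."""

# Which key says where a request may originate:
#   secinfo: USER-HOST (host of the user who starts a program)
#   reginfo: HOST      (host of the program that registers itself)
SOURCE_KEY = {"secinfo": "USER-HOST", "reginfo": "HOST"}


def parse_rules(text):
    """Return [(action, {KEY: value}), ...]; comments and blank lines skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        kv = {}
        for tok in tokens:
            key, _, value = tok.partition("=")
            kv[key.upper()] = value
        rules.append((action.upper(), kv))
    return rules


def is_any(value):
    """A missing key or a '*' list entry is treated as 'no restriction'."""
    return value is None or "*" in value.split(",")


def wide_open_rules(text, kind):
    """Indices of permit rules letting any source run/register any program (TP)."""
    return [i for i, (action, kv) in enumerate(parse_rules(text))
            if action == "P" and is_any(kv.get("TP"))
            and is_any(kv.get(SOURCE_KEY[kind]))]


# Constructed sample files: the weak setting beside a restricted one.
WEAK_SECINFO = "#VERSION=2\nP TP=* USER=* HOST=* USER-HOST=*\n"
HARDENED_SECINFO = """#VERSION=2
P TP=* USER=* HOST=internal USER-HOST=internal
P TP=/usr/sap/PRD/exe/rfcexec USER=batchadm HOST=sapapp01 USER-HOST=sapapp01
D TP=* USER=* HOST=* USER-HOST=*
"""
WEAK_REGINFO = "#VERSION=2\nP TP=* HOST=* ACCESS=* CANCEL=*\n"
HARDENED_REGINFO = "#VERSION=2\nP TP=* HOST=internal ACCESS=internal CANCEL=internal\nD TP=* HOST=* ACCESS=* CANCEL=*\n"

if __name__ == "__main__":
    for name, text, kind in [("weak secinfo", WEAK_SECINFO, "secinfo"),
                             ("hardened secinfo", HARDENED_SECINFO, "secinfo"),
                             ("weak reginfo", WEAK_REGINFO, "reginfo"),
                             ("hardened reginfo", HARDENED_REGINFO, "reginfo")]:
        print(f"{name}: wide-open rule indices = {wide_open_rules(text, kind)}")
```

Running the script against the real files from the Gateway's work directory is the same call with the file contents instead of the embedded samples.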
Access control and SOD conflicts
• [EASAI-NA-20] Users with the SAP_ALL profile
• [EASAI-NA-21] Users who can run any program
• [EASAI-NA-22] Users who can modify critical table USR02
• [EASAI-NA-23] Users who can execute any OS command
• [EASAI-NA-24] Disabled authorization checks
What next: There are at least about 100 critical transactions in BASIS alone, and approximately the same number in each other module. Detailed information can be found in the ISACA guidelines. After that you can start with Segregation of Duties.
Unencrypted connections
• [EASAI-NA-25] Use of SSL for securing HTTP connections
• [EASAI-NA-26] Use of SNC for securing SAP GUI connections
• [EASAI-NA-27] Use of SNC for securing RFC connections
What next: Even if you use encryption, you should check how it is configured for every type of encryption and for every service, because each encryption type has its own complex configuration. For example, the latest attacks on SSL such as BEAST and CRIME require companies to use a more complex SSL configuration.
Insecure trusted connections
• [EASAI-NA-28] RFC connections with stored authentication data
• [EASAI-NA-29] Trusted systems with lower security
What next: Check other ways to get access to trusted systems, such as database links, use of the same OS user, or simply use of the same passwords on different systems.
Logging and Monitoring
• [EASAI-NA-30] Logging of security events
• [EASAI-NA-31] Logging of HTTP requests
• [EASAI-NA-32] Logging of table changes
• [EASAI-NA-33] Logging of access to the Gateway
What next: There are about 30 different types of log files in SAP. After properly enabling the main ones, the next step is to properly configure the more complex options, such as exactly which tables to monitor for changes, what kinds of events to analyze in the security events log, what types of Gateway attacks should be collected, and so on. The step after that is to enable centralized collection and storage of these logs, and then add the other log events.
SAP Security Guidelines
• Guidelines made by SAP
• First official SAP guide for the technical security of the ABAP stack
• Secure Configuration of SAP NetWeaver® Application Server Using ABAP
• First version - 2010, version 1.2 - 2012
• For rapid assessment of the most common technical misconfigurations in the platform
• Consists of 9 areas and 82 checks
• Ideal as a second step; gives more detail on some of the EAS-SEC standard areas
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true
SAP Security Guidelines - areas
• Network access control
• Workstation security
• Password policies
• Network security
• HTTP security
• Unnecessary web applications
• RFC connections
• SAP Gateway security
• SAP Message Server security
ISACA Assurance (ITAF)
• Guidelines made by ISACA
• Checks cover the configuration and access control areas
• The first reasonably complete compliance guide
• There were 3 versions, published in 2002, 2006 and 2009 (some areas are outdated)
• The technical part is covered less than access control and misses critical areas
• Main advantage is a big database of access control checks
• Consists of 4 parts and about 160 checks
• Ideal as a third step and for detailed coverage of access control
DSAG
• Set of recommendations from the Deutsche SAP User Group (DSAG)
• Checks cover all security areas, from technical configuration and source code to access control and management procedures
• Currently the biggest guideline on SAP Security
• Last version in Jan 2011
• Consists of 8 areas and 200+ checks
• Ideal as a final step for securing SAP, but consists of many checks which need additional decision making that highly depends on the installation
http://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf
Internal security
• Simple steps and statistics
• Critical access
• Segregation of Duties
• Optimization and Maintenance
Simple steps
• Analyze statistics
  – Number of users in a role
    o 0 – the role is not used
    o >100 – probably divide it into different roles and check for critical authorizations
  – Number of authorizations in a role
  – Number of authorization objects in a role
Critical access
• There are different areas such as HR, Basis, Fixed Assets, Material Management
• Each of those areas has a list of critical transactions and authorizations
• Those can be found in the ISACA guidelines
• First of all you should decrease the number of critical roles
• For example, users who can only modify table USR02 can do everything they want!
Critical access optimization
• Obtain the list of roles with critical access to particular transactions
• Minimize roles
• Obtain the list of users with critical access to particular transactions
• Sort them by type/locking status/etc.
• Exclude administrators and superusers (and minimize them)
• Minimize users
SOD analysis
• Use default templates or customize them
• Obtain the list of business roles in the company
• Obtain the list of actions in a particular role
• Assign transactions and authorization objects to each action
• Create or modify the matrix (add risk values)
SOD – results analysis
• Result:
  – List of users with critical conflicts
  – List of roles with critical conflicts
• Solving:
  – Obtain the roles with the maximum number of segregations
  – Optimize them
  – Obtain the users with the maximum number of segregations
  – Optimize them
Optimization
• You will get thousands of conflicts the first time
• How to solve them quickly:
  – Exclude all administrators
  – Look at HOW exactly rights are assigned (all * values should be excluded)
  – Look at the history of executed transactions
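As an added example (not from the slides), a Python sketch of the SOD analysis and results steps above: a constructed SoD matrix of conflicting transaction pairs with risk values, constructed role and user assignments, and the two result lists from the slides (roles with conflicts, users with conflicts) with administrators excluded first. The role names, users and the chosen pairs are constructed; the transaction codes are standard SAP ones used only as labels.

```python
"""Segregation-of-Duties results analysis over role/user assignments.
Added example with constructed data; the conflict pairs are illustrative."""

# SoD matrix: transaction pairs one person must not hold together, with a
# risk value per conflict (the "add risk values" step of the SOD analysis).
SOD_MATRIX = {
    frozenset({"FK01", "F-53"}): 9,   # maintain vendor master + post vendor payment
    frozenset({"ME21N", "MIGO"}): 7,  # create purchase order + post goods receipt
    frozenset({"SU01", "PFCG"}): 8,   # maintain users + maintain roles
}

# Role -> transactions it grants (constructed).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FK01", "FB60"},
    "Z_AP_PAYMENTS": {"F-53", "F110"},
    "Z_PURCHASER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SM59"},
    "Z_ALL_IN_ONE": {"FK01", "F-53", "ME21N", "MIGO"},  # badly cut role
}
# User -> roles (constructed).
USER_ROLES = {
    "jdoe": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},   # conflict arises across two roles
    "asmith": {"Z_PURCHASER"},
    "bwong": {"Z_ALL_IN_ONE"},                # conflict sits inside one role
    "sysadm": {"Z_BASIS_ADMIN", "Z_ALL_IN_ONE"},
}
ADMINS = {"sysadm"}  # excluded first, as the Optimization slide suggests


def conflicts_in(tcodes):
    """SoD matrix entries fully contained in this set of transactions."""
    return [(pair, risk) for pair, risk in SOD_MATRIX.items() if pair <= tcodes]


def roles_with_conflicts():
    """(conflict count, role) for roles that carry a conflict on their own,
    highest first: these are the roles to optimize before touching users."""
    counts = [(len(conflicts_in(t)), r) for r, t in ROLE_TCODES.items()]
    return sorted(((n, r) for n, r in counts if n), reverse=True)


def users_with_conflicts(exclude=ADMINS):
    """user -> summed risk of conflicts in the union of the user's roles."""
    result = {}
    for user, roles in USER_ROLES.items():
        if user in exclude:
            continue
        granted = set().union(*(ROLE_TCODES[r] for r in roles))
        risk = sum(r for _, r in conflicts_in(granted))
        if risk:
            result[user] = risk
    return result


if __name__ == "__main__":
    print("roles:", roles_with_conflicts())
    print("users:", users_with_conflicts())
```

On a real system the three dictionaries would be filled from the role-to-transaction and user-to-role assignment exports rather than constructed inline.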
Source code review
ABAP
• ABAP, like any other language, can have vulnerabilities
• It can also be used for writing backdoors
• Development inside a company is almost without any control
• Developer access to the system == god in SAP
EASAD - 9 categories
• EASAD-9: a standard from the series of standards designed for Enterprise Application Systems security assessment (EAS-SEC)
• Full name: Enterprise Application Systems Application Development
• Describes 9 areas of source code issues for business languages
• Universal categories for different languages and systems (SAP, Oracle, Dynamics, 1C, Infor, ...)
• Categorized based on criticality and probability of exploitation
1. Code injections
2. Critical calls
3. Missing authorization checks
4. Path traversal
5. Modification of displayed content
6. Backdoors
7. Covert channels
8. Information disclosure
9. Obsolete statements
Anonymous Attack (?)
Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”
• This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
Internal fraud
• It is very hard to make everything secure, so you additionally need to monitor everything
• ACFE published a report about 7% revenue losses from fraud in the USA alone
• Examples that we saw:
  – Salary modification
  – Material management fraud
  – Mistakes
SAP Forensics
• Real threats exist
• But there is not much information in public
• Companies are not interested in publicizing a compromise
• But the main problem is this:
  – How can you be sure that there was no compromise?
  – Only 10% of systems have the Security Audit Log enabled
  – Only a few of them analyze those logs
  – And far fewer do central storage and correlation
Log sta@s@cs
• Web access 70%
• Security audit log 10%
• Table logging 4%
• Message Server 2%
• SAP Gateway 2%
Log sta@s@cs
• SAP Web Dispatcher – Security log
• SAP Web Dispatcher – HTTP log
• SAP Router log
• SAP Gateway log
• SAP Message Server log
• SAP Message Server HTTP log
• SAP Security audit log
• ABAP - user changes log
• ABAP - table changes log
• ABAP - document changes log
• Trace files
SAP Security Logs
Name                                 Default   Central storage
SAP Web Dispatcher – Security log    Enabled   No
SAP Web Dispatcher – HTTP log        Disabled  No
SAP Router log                       Disabled  No
SAP Gateway log                      Disabled  No
SAP Message Server log               Disabled  No
SAP Message Server HTTP log          Disabled  No
SAP Security audit log               Disabled  CCMS?
ABAP user changes log                Enabled   No
ABAP table changes log               Disabled  No
ABAP document changes log            Disabled  No
Trace files                          Disabled  No
Developer trace                      Enabled   No
And also
We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you find that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
web: www.erpscan.com, www.dsecrg.com; e-mail: [email protected], [email protected]