EXECUTIVE BRIEFING: ERP CYBER SECURITY 2021/Q1
Troels Lindgaard, 1DigitalTrust
Frederik Weidemann, Onapsis Inc.
January 27th 2021
28 January 2021 Executive Briefing: ERP Cyber Security 2021
AGENDA
1. Perspectives on SAP cyber security
2. Evolution of mission critical application cyber attacks
3. Newest threats to SAP systems
4. How to prevent SAP security breaches
RISK OF DYING IN AN AIRPLANE?
1:29 million (for EU & US airlines)
Source statistic: Statisticsbrain.com, The Economist via https://www.sueddeutsche.de/panorama/germanwings-flug-4u9525-ein-toedlicher-blitzschlag-ist-wahrscheinlicher-1.2409131
Photo by Nathan Hobbs on Unsplash
RISK OF DYING IN A CAR ACCIDENT
1:8303 (USA 2018)
1:27255 (Germany 2019)
Sources statistics: US https://www.iii.org/fact-statistic/facts-statistics-mortality-risk, GER https://www.adac.de/news/bilanz-verkehrstote/
Photo by Clark Van Der Beken on Unsplash
RISK OF ERP DATA BREACHES
1:2
Source: IDC Survey – ERP Security: The Reality of Business Critical Application Protection
It’s not a question of whether you’ll be breached, but when it will happen …
RISK OF BREACHES
ERP BREACHES ARE NOT HAPPENING?
51%
Source: IDC Survey – ERP Security: The Reality of Business Critical Application Protection
BUSINESS RISKS – DATA INTEGRITY – LOSS OF AUDIT TRAIL AND DATA RELIABILITY
Source: IDC Survey – ERP Security: The Reality of Business Critical Application Protection
WORLD ECONOMIC FORUM: THE GLOBAL RISKS REPORT 2020
Source: http://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf (World Economic Forum Global Risks Perception Survey 2019–2020)
EVOLUTION OF MISSION-CRITICAL APPLICATION CYBERATTACKS
Timeline 2012–2020 (legend: DHS US-CERT ALERT / ONAPSIS THREAT INTEL), events in chronological order:
• HACKTIVIST GROUPS (2012): 1st public exploit targeting SAP applications
• CYBERCRIMINALS CREATING MALWARE: SAP targeted malware discovered
• PUBLIC EXPLOIT: Chinese hacker exploits SAP NetWeaver
• NATION-STATE SPONSORED: Chinese breach of USIS targeted SAP
• 1ST DHS US-CERT ALERT for SAP Business Applications
• INCREASED INTEREST ON DARK WEB
• Onapsis helps Oracle secure critical vulnerability in EBS
• 2ND DHS US-CERT ALERT for SAP Business Applications
• 3RD DHS US-CERT ALERT for SAP 10KBLAZE Vulnerability
• PAYDAY Oracle Vulnerabilities
• EXPLOIT TOOLKIT SAP RFCpwn
• BigDebIT Oracle Vulnerabilities
• 4TH DHS US-CERT ALERT for SAP RECON Vulnerability
INTERNET EXPOSURE RECON JULY 2020
Continent       Total   Percentage
Africa             20        0.80%
Asia              605       24.09%
Europe            598       23.82%
Middle East       146        5.81%
North America     836       33.29%
Oceania            69        2.75%
South America     231        9.20%
Not Specified       6        0.24%
Total            2511      100.00%
SAP NETWEAVER™ IN FOCUS OF ZERODIUM
Zerodium is actively searching for SAP NetWeaver exploits
Source: https://zerodium.com, 26.10.2020
CHALLENGE | BLACK HAT USA 2020 EXPLOITATION DEMONSTRATION OF SOLUTIONMANAGER
1. Exploitation of EEM
2. Exploitation of SMDagent
3. Lateral movement with SAP Control, escalating to root privileges on the entire SAP landscape
Remark: a public exploit for step 1 (CVE-2020-6207) was released on 14.01.2021.
EXPLOITATION DEMONSTRATION OF SOLUTIONMANAGER
Example | Black Hat USA 2020: P. Artuso & Y. Genuer (Onapsis)
RESULT: Root on SAP landscape; SAP_ALL in all systems
BLACK HAT USA 2020: “AN UNAUTHENTICATED JOURNEY TO ROOT”
Related SAP OSS Notes
• Patch 2902645 https://launchpad.support.sap.com/#/notes/2902645
• Patch 2902456 https://launchpad.support.sap.com/#/notes/2902456
• Patch 2890213 https://launchpad.support.sap.com/#/notes/2890213
• Patch 2808158 https://launchpad.support.sap.com/#/notes/2808158
• Patch 2823733 https://launchpad.support.sap.com/#/notes/2823733
• Patch 2839864 https://launchpad.support.sap.com/#/notes/2839864
• Patch 2849096 https://launchpad.support.sap.com/#/notes/2849096
• Patch 2772266 https://launchpad.support.sap.com/#/notes/2772266
• Patch 2738791 https://launchpad.support.sap.com/#/notes/2738791
• Patch 2748699 https://launchpad.support.sap.com/#/notes/2748699
• Patch 2845377 https://launchpad.support.sap.com/#/notes/2845377
• Patch 2904933 https://launchpad.support.sap.com/#/notes/2904933
CHALLENGE | SAP® PATCH MANAGEMENT
[Chart: number of SAP security notes per year, 2009–2020 (y-axis 0–900), split by priority: Correction with low priority, Correction with medium priority, Correction with high priority, HotNews]
Source: https://support.sap.com/securitynotes – aggregated extract from Jan 2021
Chart annotations:
• Change of SAP’s security strategy in 2009, e.g. static code analysis usage in ERP standard using CodeProfiler
• Change of SAP’s patching strategy: security notes are delivered with SPs depending on their priority level
• Change of SAP’s patching policy: 24 month rule
• There are HotNews every year
BUSINESS CASE FOR ERP CYBER SECURITY PROTECTION
BUSINESS CASE – AVOID PROFIT LOSS
• Example: Cost for ERP cyber security protection is 0.5-1% of the profit loss*
BUSINESS CASE – AVOID SHARE PRICE DECLINE
• Example: Cost for ERP cyber security protection is 0.01-0.02% of the loss in market value**
BUSINESS CASE – AVOID EMERGENCY AND CLEAN UP COSTS
• Example: Cost for ERP cyber security protection is 0.5-2% of the emergency and clean up costs***
* Based on the reported profit loss from Maersk, Demant and ISS, compared with the average yearly cost of an ERP cyber security protection program.
** Based on the share price loss from the time the attack became public until the share price decline ended, for Maersk, Demant and ISS, compared with the average yearly cost of an ERP cyber security protection program.
*** Based on the reported emergency and clean up costs from Maersk, Demant and ISS, compared with the average yearly cost of an ERP cyber security protection program.
BUSINESS CASE – NO DOWNTIME
• Cost for an ERP cyber security system is 1-5 hours of downtime for 2/3 of companies
Source: IDC Survey – ERP Security: The Reality of Business Critical Application Protection
BEST PRACTICES FOR 2021
1. Understand the technology you’re using
2. Measure your security maturity level across your environment
3. Set up a centralized security measurement control, e.g. build an SAP security dashboard
4. Automate your security checks to avoid faulty settings
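As an added example for steps 2 to 4 of the best practices (measure, centralize, automate), here is a Python baseline check that runs over a constructed export of SAP profile parameter values and aggregates the findings into the per-system counts a security dashboard would show. This is example code written for this page, not code from the briefing, Onapsis or 1DigitalTrust. The parameter names are real SAP profile parameters, but the expected values in the baseline are illustrative assumptions rather than a vendor-published hardening standard, and the "parameter = value" export format is assumed.

```python
"""Baseline check of SAP profile parameters (added example, not from the briefing)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Baseline: parameter -> (comparison operator, expected value).
# The parameter names are real SAP profile parameters; the expected values are
# illustrative assumptions for this example, not a vendor-published standard.
BASELINE: Dict[str, Tuple[str, Union[int, str]]] = {
    "login/min_password_lng": (">=", 12),
    "login/fails_to_user_lock": ("<=", 5),
    "login/no_automatic_user_sapstar": ("==", 1),
    "login/password_downwards_compatibility": ("==", 0),
    "auth/rfc_authority_check": (">=", 1),
    "snc/enable": ("==", 1),
    "service/protectedwebmethods": ("==", "SDEFAULT"),
}

# Constructed sample export ("parameter = value" lines) from one system.
SAMPLE_EXPORT = """\
# system PRD, constructed sample data
login/min_password_lng = 6
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 0
auth/rfc_authority_check = 1
snc/enable = 0
service/protectedwebmethods = ALL
"""


@dataclass
class Finding:
    parameter: str
    actual: Optional[str]   # None when the parameter is absent from the export
    expected: str
    severity: str           # "fail" (wrong value) or "missing" (not exported)


def parse_export(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def compliant(actual: str, op: str, expected: Union[int, str]) -> bool:
    """Compare one exported value against its baseline expectation."""
    if isinstance(expected, int):
        try:
            value = int(actual)
        except ValueError:
            return False          # non-numeric value where a number is required
        ops = {"==": value == expected, ">=": value >= expected, "<=": value <= expected}
        return ops[op]
    return actual.upper() == expected.upper()   # string settings compared case-insensitively


def check_parameters(text: str, baseline=BASELINE) -> List[Finding]:
    """Return one Finding per baseline parameter that is missing or non-compliant."""
    params = parse_export(text)
    findings: List[Finding] = []
    for name, (op, expected) in baseline.items():
        actual = params.get(name)
        if actual is None:
            findings.append(Finding(name, None, f"{op} {expected}", "missing"))
        elif not compliant(actual, op, expected):
            findings.append(Finding(name, actual, f"{op} {expected}", "fail"))
    return findings


def dashboard_row(system: str, findings: List[Finding], baseline=BASELINE) -> Dict[str, object]:
    """Aggregate findings into the per-system counts a security dashboard would show."""
    fails = sum(1 for f in findings if f.severity == "fail")
    missing = sum(1 for f in findings if f.severity == "missing")
    return {"system": system, "checked": len(baseline), "fail": fails,
            "missing": missing, "compliant": len(baseline) - fails - missing}


if __name__ == "__main__":
    results = check_parameters(SAMPLE_EXPORT)
    for f in results:
        print(f"{f.severity:8} {f.parameter}: actual={f.actual!r}, expected {f.expected}")
    print(dashboard_row("PRD", results))
```

Running it on the constructed export reports four failing parameters, one parameter that was not exported at all, and two compliant ones; treating an absent parameter as its own severity matters because a silently missing value is exactly the kind of faulty setting step 4 is meant to catch. Pointing the check at a scheduled export from each system gives the centralized measurement of step 3 without manual review.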
THE ONAPSIS PLATFORM | MOST COMPREHENSIVE SOLUTION FOR PROTECTING YOUR MISSION-CRITICAL APPLICATIONS
MISSION-CRITICAL APPLICATIONS (ERP assets and SaaS assets)
CUSTOMER RELATIONSHIP | PRODUCT LIFECYCLE | HUMAN CAPITAL | SUPPLY CHAIN | SUPPLIER RELATIONSHIP | BUSINESS INTELLIGENCE
THE ONAPSIS PLATFORM – DASHBOARD
THE ONAPSIS PLATFORM – CODE SCANNING
THE ONAPSIS PLATFORM – EXAMPLE: SPLUNK INTEGRATION
SAP RISK, SECURITY AND COMPLIANCE
Basic security
❖ Risk catalogue
❖ Logging / SIEM
❖ Cyber security
❖ System settings
❖ Coding
❖ Integrations
❖ Change management (transports)
❖ Standard authorization concept
Compliance and fraud prevention
❖ SoD authorization concept
❖ Built-in controls in SAP
❖ Control catalogue
❖ Control descriptions
❖ Control user guides
❖ Governance
GDPR
❖ Deletion
❖ Subject access reporting
❖ Authorizations
License
❖ Risk mitigation, review, optimization, clean up
1DIGITALTRUST APPROACH FOR RISK AND COMPLIANCE IN SAP
Each phase covers: ❖ Basic security ❖ Compliance & fraud prevention ❖ GDPR ❖ Licenses
1. RISK ASSESSMENT – gate: Agree on business case potentials and risk scenarios?
2. IMPLEMENTATION – gate: Business case and risk scenarios verified?
3. GOVERNANCE AND CONTINUOUS MONITORING – Business case realization and risk mitigation
BUSINESS RISK ILLUSTRATION
Ensuring application availability, streamlining audit processes and protecting the business from risk are essential.
OPERATIONAL RESILIENCY ASSESSMENT: Prevent application downtime and costly business disruption
AUDIT EFFICIENCY ASSESSMENT: Eliminate resource consuming manual audit processes
CYBER RISK ASSESSMENT: Reduce vulnerabilities and misconfiguration to protect the business
• Get a risk assessment of your SAP system – Business Risk Illustration (BRI)
• Executive overview
• Do you have known risks?
• Next steps
Rules of engagement
• Senior level commitment
• Technical verification of findings (are controls already in place?)
• Discuss outcome (risk to the business) and next steps
CALL TO ACTION NOW: ARE YOUR ERP SYSTEMS SECURE?
Onapsis is the leading ERP cyber security vendor for SAP and Oracle.
1DigitalTrust is an SAP cyber security, compliance and data privacy consultancy in the Nordics.
CONTACT US & NEXT STEPS
Troels Lindgård, 1DigitalTrust, www.1digitaltrust.com
E: [email protected]
M: +45 5363 5787
Contact for demo, business case building or other questions.
Frederik Weidemann, Onapsis, https://www.onapsis.com/
E: [email protected]
M: +49 151 18215 211
Contact for technical questions.
APPENDIX
OUR BELIEFS
Our overall belief is that Digital Trust is good for business; trust creates loyalty, both for our clients and their customers.
SUSTAINABILITY
We have a responsibility when doing business. As a new company we must live out the UN Sustainable Development Goals (SDG) with a special focus on climate. As an example, we plant 1 tree for every billable hour (#1Hour1Tree).
We have therefore planted our first forest, 1DigitalTrust Forest, a forest with over 8,000 trees next to Gudenaaen in Jutland, Denmark.
1DIGITALTRUST SERVICES
SAP License Management: SAP S/4 license conversions, SAP contract review, SAP license reviews, SAP license optimizations, SAP indirect use analysis and optimizations
SAP Customer Data Cloud: CIAM (Customer Identity & Access Management), SAP Customer Data Cloud implementation, SAP Customer Identity, SAP Customer Consent, SAP Customer Profile, B2B, in-a-box solution (CDC in a box), consent management
Data Ethics
SAP Cyber security: Coding, Integration, Transport, System settings
SAP Compliance: Access & Identity Management, SAP Authorization Management, Segregation of duties, Secure logging
GDPR: GDPR Management Consulting, GDPR Project Management, GDPR Compliance Assessment, GDPR in SAP – Data Analysis & Deletion, ILM accelerator for GDPR compliance
Partners
THE ONAPSIS PLATFORM
ASSESS – Find & Remediate Security Risks
• SAP and Oracle EBS system misconfigurations, patches, vulnerabilities, authorizations
• Deployed SAP custom code for security and quality errors
• SAP system interfaces and communications
CONTROL – Manage Change; Avoid Disruption
• Identify security and quality errors in SAP custom code
• Lock and block SAP configuration changes
• Identify and block SAP transports with security issues and errors
COMPLY – Automate Audit Processes
• Evaluate compliance impact of SAP system vulnerabilities, misconfigurations, patches, authorizations, deployed code
• Out-of-the-box & custom policies
• Evaluate and verify IT controls
DEFEND – Continuous Threat Monitoring
• Near real-time attack alerts
• Monitor for SAP exploits, threats, user activity / transactions, privilege misuse
• Alert for changes to SAP system interfaces, bad transports
MANAGEMENT FUNCTIONALITY
Asset Discovery | Reporting & Analysis | Scheduling & Workflows | Users & Role Management | Ticketing/SOC Integration
Integrations with workflow services; integrations with SIEMs; integrations with change management and development environments: SAP ChaRM, TMS, HANA Studio, Eclipse, Web IDE, ABAP development workbench