Current state
CISO / CIO
SAP BASIS: Patching SAP systems
SAP SECURITY: Segregation of duties
IT OPERATIONS: Monitoring SAP systems
ENTERPRISE SECURITY: Vulnerability management
Problems: no effective oversight; no visibility; complexity; poor integration; issues slipped through the cracks
Future state
CISO / CIO / CRO
ENTERPRISE SECURITY: Vulnerability Management + Asset Management + Risk Management + Secure Development
SAP BASIS: Patching SAP systems + Incident Response + Mitigation + Improvements
SAP SECURITY: Segregation of Duties + Data Security + Secure Architecture + Secure
IT OPERATIONS: Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage
History
Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks
Source: https://www.gartner.com/doc/2665515/
EAS-SEC
SAP Cybersecurity Framework
Category: PREDICT
Process: Secure Development
Purpose: To ensure security during SAP systems development and acquisition
Outcomes:
• Security Requirements
• Development Standards and Processes
• Security Plans
Implementation steps:
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and client stations
2. Create secure development standards and processes
3. Automate secure development processes
Asset Management
Purpose: To communicate information about SAP assets, the security category of the assets, rules of acceptable use and protection requirements
Outcomes:
• Inventory of Assets
• Criticality Assessments
• Acceptable Use Requirements
Implementation:
1. Create an inventory of assets
2. Assess the criticality of the assets
3. Develop a complete specification of the SAP systems
Asset Management. SAP Systems

| System ID | Purpose | Interconnected Systems | System Criticality | Responsibility | System Type | Application Servers | Clients | Platform |
|---|---|---|---|---|---|---|---|---|
| DM0 | Supply chain management | Internal: ERP; Internet: no; ICS: no; Partners: Partner1, Partner2; Mobile: no | High | John F. K. | PROD | 10.0.0.1, 10.0.0.2 | 100:PRD | SAP SCM 5.0 (NetWeaver AS 7.1 ABAP) |
| ERP | Enterprise Resource Planning | Internal: HR1, HR2; Internet: no; ICS: MES system; Partners: no; Mobile: no | Low | Mike | PROD | 10.0.16.6 | 200:PRD | SAP ECC 6.0 (NetWeaver AS 7.3 ABAP) |
| CRM | Customer Relationship Management | Internal: ERP; Internet: yes; ICS: no; Partners: no; Mobile: no | Very High | (not assigned) | PROD | 10.0.34.5 | 210:PRD | SAP CRM 6.0 (NetWeaver AS ABAP 7.0) |
How to use the Inventory of Assets?
What information do we handle and what are the requirements?
- Personal data (GDPR)
- Financial information (GLBA)
- Customer data, contracts, marketing …
How to plan and carry out security activities?
- Patch Management
- Risk Management
- Vulnerability Management
- Compliance
What to secure in SAP?
- SAP services (MMC, SAP Host Control, …), which cannot be found in SOLMAN: 30+
- SAP components (CRM, BW, FI, …), each a set of ABAP programs, transactions and reports: 100+
- Web applications: 1000+
Business Environment
Purpose: To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships
Outcomes:
• Business Context
• SAP Continuity Plans
• Supplier Catalogue
Implementation:
1. Identify the business context
2. Prepare SAP continuity plans
3. Maintain the supplier catalogue
Business Environment. Business Impact Analysis
(Estimated downtime columns: MTD = maximum tolerable downtime, RTO = recovery time objective, RPO = recovery point objective.)

| Process | Stakeholder | SAP System | Outage Impacts | MTD | RTO | RPO |
|---|---|---|---|---|---|---|
| Pay vendor invoice | Joseph R. | ERP | Costs: 5,000 $/day; Operations: moderate; Image: moderate | 72 hours | 48 hours | 12 hours (last backup) |
| Hire to retire | Dorothy F. | HR | Image: high | 72 hours | 48 hours | 12 hours (last backup) |
Supplier Risks
Do you know if your suppliers are protecting your company's sensitive data as diligently as you do?
• Require suppliers to implement specific SAP security controls
• Review data flows (RFC, XI, DB, SOAP, HANA DB, …)
Governance
Purpose: To develop cybersecurity policies, roles, responsibilities and procedures so that SAP cybersecurity is understood and integrated into the organization's operational and management processes
Outcomes:
• SAP Cybersecurity Policy
• SAP Security Processes
• Control Procedures
Implementation:
1. Establish an SAP cybersecurity policy
2. Develop SAP security processes
3. Implement control procedures
Vulnerability Management
Purpose: To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors
Outcomes:
• Scan Plans
• Scan Profiles
• Remediation Plans
Implementation:
1. Regularly perform SAP security audits and penetration testing
2. Repeatedly scan SAP systems for vulnerabilities, recommend and track remediations
3. Monitor vulnerabilities, remediations and threats online from public and private sources and threat intelligence feeds
Vulnerability Management. Analysis
Remediation constraints:
• complete within 3 months
• address vulnerabilities with high risk
• remediation types: no kernel patch
Priority factors:
- ease of exploitation: availability of a public exploit, need for preparation, need for credentials with special rights, etc.
- impact of a successful exploitation: full disclosure and OS-level access, or just revealing of technical data?
- prevalence of the vulnerability among SAP systems
- importance of the SAP systems with the vulnerability
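The four priority factors and the three constraints above are enough to turn a scan result into an ordered remediation plan. The following is an added example (not part of the EAS-SEC framework or any vendor tool) of one way to do that: the factor weights, the risk thresholds, the 60-working-day budget for the 3-month window and the sample findings are all constructed assumptions; system criticality is taken from the asset inventory as the text suggests.

```python
"""Rank SAP findings by the four priority factors from the analysis slide and
apply the remediation constraints (time box, minimum risk, excluded remediation
types). Weights, thresholds, budget and sample findings are assumptions made
for this added example, not the framework's own method."""
from dataclasses import dataclass

# Assumed weights for the three qualitative factors.
EXPLOIT_EASE = {"public_exploit": 3, "needs_preparation": 2, "needs_privileged_creds": 1}
IMPACT = {"os_access": 3, "data_disclosure": 2, "technical_info": 1}
SYSTEM_IMPORTANCE = {"Very High": 4, "High": 3, "Medium": 2, "Low": 1}
RISK_BANDS = [(36.0, "High"), (12.0, "Medium"), (0.0, "Low")]   # assumed score thresholds
RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    ident: str
    title: str
    system: str
    system_criticality: str   # from the asset inventory (importance of the system)
    exploit_ease: str         # key of EXPLOIT_EASE
    impact: str               # key of IMPACT
    prevalence: float         # share of SAP systems in the landscape affected, 0..1
    remediation_type: str     # "configuration", "kernel patch", "support package"
    effort_days: float


def score(f: Finding) -> float:
    """Multiply the four factors; prevalence scales the result by 1..2."""
    return (EXPLOIT_EASE[f.exploit_ease] * IMPACT[f.impact]
            * (1.0 + f.prevalence) * SYSTEM_IMPORTANCE[f.system_criticality])


def risk_level(f: Finding) -> str:
    s = score(f)
    for threshold, label in RISK_BANDS:
        if s >= threshold:
            return label
    return "Low"


def plan(findings, *, budget_days=60.0, min_risk="Medium", excluded_types=("kernel patch",)):
    """Findings to remediate, highest score first, honouring the constraints.
    Items that do not fit the remaining budget are skipped, not the whole plan."""
    eligible = [f for f in findings
                if f.remediation_type not in excluded_types
                and RISK_ORDER[risk_level(f)] >= RISK_ORDER[min_risk]]
    selected, used = [], 0.0
    for f in sorted(eligible, key=score, reverse=True):
        if used + f.effort_days <= budget_days:
            selected.append(f)
            used += f.effort_days
    return selected


# Constructed sample findings modelled on the remediation plan on this page;
# the two "(hypothetical)" entries exist only to exercise the constraints.
SAMPLE_FINDINGS = [
    Finding("SSEA_1000003", "External RFC server registration", "CRM", "Very High",
            "public_exploit", "data_disclosure", 0.8, "configuration", 2.0),
    Finding("SSCA_00130", "SSL encryption for ICM connections", "CRM", "Very High",
            "needs_preparation", "data_disclosure", 0.9, "configuration", 0.5),
    Finding("SSCA_00223", "System log file permissions", "ERP", "Low",
            "needs_privileged_creds", "technical_info", 0.5, "configuration", 0.5),
    Finding("KERNEL-01 (hypothetical)", "Outdated kernel", "DM0", "High",
            "public_exploit", "os_access", 1.0, "kernel patch", 5.0),
    Finding("SP-01 (hypothetical)", "Missing support package", "DM0", "High",
            "needs_privileged_creds", "technical_info", 0.3, "support package", 3.0),
]

if __name__ == "__main__":
    for f in plan(SAMPLE_FINDINGS):
        print(f"{f.ident:30} {risk_level(f):7} score={score(f):5.1f} effort={f.effort_days}d")
```

Note that the hypothetical kernel finding scores highest of all but is dropped by the "no kernel patch" constraint, which is exactly the kind of decision the plan should record explicitly rather than silently.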
Vulnerability Management. Remediation Plan

| Priority | Vulnerability | Vulnerability Risk | Remediation Type | Remediation |
|---|---|---|---|---|
| 1 | SSEA_1000003: External RFC server registration. An attacker can use an insecure RFC configuration to register his own RFC server; as a result he can control and intercept client requests as well as copy and change information. | High | Update configuration. Effort level: medium (~2 days, downtime 4 h) | Configure RFC server registration correctly. Links: RFC/ICF Security Guide |
| 2 | SSCA_00130: SSL encryption for ICM connections. An unencrypted network connection may lead to interception of transmitted data and thus to unauthorized access. HTTP transmits all authentication data in plain text, so it can easily be intercepted by a man-in-the-middle or spoofing attack. | Medium | Update configuration. Effort level: easy (~4 h, downtime 2 h) | Set the icm/server_port_NN parameter to PROT=HTTPS instead of PROT=HTTP to reduce the possibility of unauthorized access. |
| 3 | SSCA_00223: Central application server that maintains the system log. Incorrect permissions on this file in the operating system can allow an attacker to modify its contents so as to hide his tracks. | Medium | Update configuration. Effort level: easy (~4 h, downtime 2 h) | The operating system administrator must set the access rights on the file according to the principle of least privilege. Links: BOOK "Security, Audit and Control Features (SAP ERP, 3rd edition)", p. 413, check 4.10.2; DOC rslg/collect_daemon/host - Central Log Host |
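The first two remediations in the plan are instance profile parameters, so a scan profile can verify them from the profile text alone. Below is an added example of such a check, not ERPScan's scanner logic or SAP's own tooling: the two profile excerpts are constructed, and the rule that external RFC server registration counts as restricted only when gw/acl_mode = 1 and a gw/reg_info (reginfo) ACL is configured is my reading of those parameters, with a missing parameter reported as unverified rather than assumed safe because the kernel default varies by release.

```python
"""Audit an SAP instance profile for two configuration findings from the
remediation plan: ICM ports served over plain HTTP (SSCA_00130) and a gateway
that lets external hosts register RFC servers without an ACL (SSEA_1000003).
Added example; profile excerpts are constructed, detection rules are assumptions."""
import re

# Constructed instance profile in SAP's "parameter = value" syntax, before remediation.
WEAK_PROFILE = """\
# instance profile excerpt (constructed for this example)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_2 = PROT=SMTP,PORT=25000
gw/acl_mode = 0
rslg/collect_daemon/host = prdhost
"""

# The same profile after applying the remediation plan (also constructed).
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
icm/server_port_0 = PROT=HTTPS,PORT=44300,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_2 = PROT=SMTP,PORT=25000
gw/acl_mode = 1
gw/reg_info = $(DIR_GLOBAL)/reginfo
gw/sec_info = $(DIR_GLOBAL)/secinfo
rslg/collect_daemon/host = prdhost
"""


def parse_profile(text: str) -> dict:
    """Parse 'key = value' lines; '#' starts a comment; a later duplicate overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_port_spec(value: str) -> dict:
    """'PROT=HTTP,PORT=8000,TIMEOUT=60' -> {'PROT': 'HTTP', 'PORT': '8000', 'TIMEOUT': '60'}"""
    spec = {}
    for item in value.split(","):
        k, _, v = item.partition("=")
        spec[k.strip().upper()] = v.strip()
    return spec


def check_icm_ports(params: dict) -> list:
    """SSCA_00130: every icm/server_port_NN with PROT=HTTP sends credentials in clear text."""
    findings = []
    for key, value in params.items():
        if not re.fullmatch(r"icm/server_port_\d+", key):
            continue
        spec = parse_port_spec(value)
        if spec.get("PROT", "").upper() == "HTTP":
            findings.append(("SSCA_00130", key,
                             f"plain HTTP on port {spec.get('PORT', '?')}; change to PROT=HTTPS"))
    return findings


def check_gateway_registration(params: dict) -> list:
    """SSEA_1000003: registration is treated as restricted only with gw/acl_mode = 1
    and a reginfo ACL file (assumption); a missing parameter is reported, not trusted."""
    findings = []
    acl_mode = params.get("gw/acl_mode")
    if acl_mode != "1":
        findings.append(("SSEA_1000003", "gw/acl_mode",
                         f"value {acl_mode!r}; set gw/acl_mode = 1 so registration is denied unless reginfo allows it"))
    if "gw/reg_info" not in params:
        findings.append(("SSEA_1000003", "gw/reg_info",
                         "no reginfo ACL file configured; registered RFC servers are not restricted by host"))
    return findings


def audit(profile_text: str) -> list:
    """Run all checks; returns (finding_id, parameter, detail) tuples, empty when clean."""
    params = parse_profile(profile_text)
    return check_icm_ports(params) + check_gateway_registration(params)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit(text) or "no findings")
```

The third finding (file permissions on the central system log) is not visible in the profile and has to be checked on the operating system of the host named in rslg/collect_daemon/host.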
Risk Management
Purpose: To make decisions on addressing possible adverse impacts from the operation and use of SAP systems
Outcomes:
• Threat Model
• Risk Register
• Risk Responses
Implementation:
1. Create a threat model for SAP systems
2. Assess likelihoods and estimate business impacts of cybersecurity risks
3. Automate risk management and develop risk response plans
Risk Management. Oil & Gas ERP Risks

| SAP Module | Asset | Threat | Consequences |
|---|---|---|---|
| SCM | Supply chain schema | Rerouting the supply chain | Theft of crude oil and refined products |
| HRM | HR data | Stealing employee data (personal, salary, experience, etc.) | Identity theft, headhunting |
| PM | Oil and gas mining systems control data | Disrupting SCADA logic and processes | Service outage, equipment damage, worker injuries |
| MII | Field data | Stealing coordinates and volumes of exploratory and production wells | Losing competitive advantage |
| SCM | Midstream and downstream assets | Stealing information about equipment and transportation | Facilitating theft and sabotage |
| PP | Production line control data | Disrupting SCADA logic and processes | Production suspension |
| SD | Prices | Stealing price formation schemas | Losing partners |
| FICO | Finance transactions | Creating fraudulent transactions | Monetary losses |
Secure Development
Purpose: To ensure security during SAP systems development and acquisition
Outcomes:
• SAP Security Requirements
• Development Standards and Processes
• Security Plans
Implementation:
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and endpoints
2. Create secure development standards and processes
3. Automate secure development processes
Secure Development. Code Vulnerability Usage

| Type | Cause | Exploiter |
|---|---|---|
| Code injections | Security ignorance | Hackers |
| Backdoors | Desire to simplify development; intent to control a system | Developers |
| Missing authorization checks | Negligence | Insiders |
| Obsolete statements | Natural obsolescence of code | Administrators (unintentionally) |
For Industry
1. Assess your SAP security capabilities
2. Make the business case for an SAP security initiative
3. Conduct an SAP security audit
4. Ensure compliance of SAP systems with GDPR/GLBA/PCI DSS … requirements
5. Implement and automate the relevant SAP security processes
For Consulting
1. Include SAP systems in the scope of your existing services: GDPR audit; ISMS implementation with SAP systems in scope; threat detection and SAP - SIEM integration
2. Prove your selling proposition is unique with the ROI of SAP security
3. Create a 360-degree image of an SAP security provider
Professional Services
Predict SAP data breach:
• SAP Penetration Testing
• SAP Security Audit
• SAP Vulnerability Management as a Service
Thank you
Rex Tumminia, Director of Sales, North America, [email protected]
Join our group: linkedin.com/groups/13543110
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletter: eepurl.com/bef7h1
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, phone 650.798.5255
EU: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam, phone +31 20 8932892
Michael Rakutko, Head of Professional Services, [email protected]