Date post: | 28-Nov-2014 |
Category: |
Business |
Upload: | twan-van-den-broek |
View: | 603 times |
Download: | 0 times |
sitNL 2012 Ciber, Eindhoven, December 8, 2012
© 2012 ERP Security 2
Agenda
o Introduction
o SAP Security in the news
o So how about SAP and Security, Some myths...
o SAP Security, the problem...
o Why bother?
o Show me the money!!!
o How to be safe instead of sorry
o Bizec
© 2012 ERP Security 3
Introduction
Who am I
SAP Technology specialist for profit and fun
SAP Security researcher for fun (not for profit)
Reported over 30 vulnerabilities to SAP Security team
Co-founder ERP Security
http://scn.sap.com/docs/DOC-8218
© 2012 ERP Security 4
We’ve all seen these...
© 2012 ERP Security 5
But this is rather new...
© 2012 ERP Security 6
Technical Risks in SAP are basically the same as for other IT systems
Except the value of the data stored in SAP is often much higher. Yet SAP Security is still mainly
related to Segregation of Duties.
Why? Some myths
• SAP platforms are only accessible internally
• SAP is expensive, so it must be secure
• SAP Security = Segregation of Duties
• SAP systems are not targeted by hackers
• SAP Security is SAP’s problem
• We are compliant, so we are secure
So how about SAP and Security Some myths....
© 2012 ERP Security 7
The Problem
• Lack of awareness with customers
• Lack of Time with customers
• High Complexity
• Lack of Budget
• Lack of good Figures
• Too much focus on SoD
• Build on code-base back from the 80’s / 90’s.
• Often more than 6-12 months behind with patches
• By default many Security features are switched OFF
• ...
Note1: value for 2012 is linearly extrapolated from 01.10.2012
Note2: December 2010 is excluded due to a one-time release of 500+ notes
0
200
400
600
800
1000
2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
Number of released SAP Security Notes 1 2
SAP Security The problem...
© 2012 ERP Security 8
Why bother about SAP Security?
•To prevent losing business!!!
•To prevent bad PR
•To prevent losing customer confidence
•To prevent Legal prosecution
•To be in control
•To prevent costs of incident handling
Why bother about SAP Platform Security?
•Because SoD can be easily bypassed
•Often leaving no traces on SAP level
Why bother? The Obvious...
© 2012 ERP Security 9
Show me the money!!!
Some more examples of what might happen when you don’t secure your systems enough:
• Executing of OS commands
• Creating admin users
• ...
© 2012 ERP Security 10
How to be safe instead of sorry
SAP Infrastructure security needs to be addressed holistically:
• Remember there is no silver bullet
• SAP Infrastructure security is complex and involves many disciplines, so first take a step
back, analyze your current state of the landscape, do risk assessments, make a plan
and execute and keep on working on it.
• Get all parties involved, think about responsible people from Business, Risk management,
Security Officers, DB team, OS team, Network team, SAP Basis team, SoD team, etc.
• Teach / train users and administrators, work on general security awareness
• Control the process, stay up-to-date, evaluate periodically.
• Security is a process, not a state*! Embed it in the organization.
* Bruce Schneier
© 2012 ERP Security 11
How to be safe instead of sorry II
Some key takeaways:
• Patch regularly (duh...). Do this for Gui components, DB, OS, SAP and network
• Use e.g. the System Recommendations for SAP Security notes
• Take a look at the SAP Security guides that are relevant for you
• Read the security whitepapers
• At least close down some high risk components like the gateway, unnecessary
SICF services, etc. (See the guide)
• Check RSUSR003 and get rid of DEFAULT passwords
• Regularly review your landscape, don’t forget the open source tools
* Bruce Schneier
© 2012 ERP Security 12
Bizec.
The main goals of BIZEC are:
Raising awareness, demonstrating that ERP security must be analyzed holistically.
Analyze current and future threats affecting these systems.
Serve as a unique central point of knowledge and reference in this subject.
Provide experienced feedback to global organizations, helping them to increase the security of their business-critical
information.
Organize events with the community to share and exchange information.
Join & contribute! www.bizec.org
Bizec
© 2012 ERP Security 13
Questions?
© 2012 ERP Security 14
More information
See http://www.erp-sec.com
Contact me on
• @jvis
Need more info? Contact us...
© 2012 ERP Security 15
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other
countries.
All other product and service names mentioned are the trademarks of their respective companies. Data
contained in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not warrant
the accuracy or completeness of the information, text, graphics, links, or other items contained within this
material. This document is provided without a warranty of any kind, either express or implied, including but
not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special, indirect,
or consequential damages that may result from the use of this document.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and
SAP Group shall not be liable for errors or omissions with respect to the materials.
No part of this document may be reproduced without the prior written permission of ERP Security BV.
© 2012 ERP Security BV.
Disclaimer