Soteria Health Check · soteriacyber.com/wp-content/uploads/2015/05/Soteria... · 2015. 5. 21.


Soteria Health Check

A Cyber Security Health Check for SAP systems

Members of the UK cyber security forum


Security Health Check…

is an ideal introductory service for firms who have not used us before. It is a very practical and economical means of checking the thoroughness and quality of our work, whilst getting another perspective on your cyber security profile, potentially uncovering a range of network, system, database and administrative vulnerabilities which you may wish to address.

Soteria Health Check typically takes 8-10 days to complete and concludes with your being presented with a Cyber Security Health Check report. At that point you can decide how you wish to progress.

Soteria Cyber Security…

are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum.


Contents

• Overview: Soteria Health Check

• UK Cyber Essentials scheme

• OWASP Cyber Security Vulnerabilities

• Other Cyber Security Considerations

• Cyber Security Health Check Report

• SAP Specific Penetration testing

• Contact details



Overview: Soteria Health Check

Soteria’s Health Check is an efficient means of evaluating your organisation’s current security profile against recognised security risks.

Vulnerability Assessment

We utilise 3rd party tools such as NMAP and Nessus to perform vulnerability tests to reveal open ports and accessible services which could be exploited by hackers.

Access Control

We scrutinise user and system accounts looking for excessive or accumulated privileges, default passwords and poor password maintenance etiquette. We also use applications like Websecurify and Nikto to identify vulnerabilities in web servers.

Patch Management

We examine the security patch management of your SAP® systems looking for any important omissions, and likewise the patching of your network and client based Anti-Virus software.

Attack vector review

We review the most common prevailing web enabled cyber-attack vectors as categorised by the OWASP top ten, and examine your organisation’s defence profile against each attack type, e.g. Injection, XSS, CSRF, buffer-overflows, man-in-the-middle.

SAP Specific Penetration Testing (optional)

We conduct a SAP specific penetration test, which has been tailored to look for classic SAP vulnerabilities, including RFC connections, gateway servers, interrogating SAP data packages, and standard SAP admin accounts.


UK Cyber Essentials scheme – Copyright: Open Government Licence v3.0

We will step through the UK Government Cyber Essentials Scheme, rating your compliance with every step.


OWASP Cyber Security Vulnerabilities


A1 – Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Validate input to SAP® fields and remove or escape illegal characters. The OWASP preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.

A2 – Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.

The SAP NetWeaver® platform features central routines for user authentication and single sign-on that cannot be bypassed. Different authentication strengths can be configured, such as user/password or digital certificates, and certified interfaces exist to plug-in partner solutions.

Create a whitelist / blacklist in the sqlnet.ora file for host names or IP addresses.

Review the REMOTE_OS_AUTHENT parameter setting for remote database access.
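The sqlnet.ora whitelist the text recommends is carried by Oracle Net's valid node checking parameters (`TCP.VALIDNODE_CHECKING`, `TCP.INVITED_NODES`, `TCP.EXCLUDED_NODES`); REMOTE_OS_AUTHENT is a database initialization parameter rather than a sqlnet.ora entry and is not covered below. The following is an added Python checker, not part of the brochure, that parses a sqlnet.ora fragment and reports whether the whitelist is actually in force. Both configuration fragments and the host names in them are constructed for the example, and the precedence rule in `is_host_permitted` (an invited list wins over an excluded list when both are set) is stated as an assumption.

```python
# Constructed sqlnet.ora fragments for the example (not from the document).
WEAK_SQLNET = """
SQLNET.AUTHENTICATION_SERVICES = (NTS)
"""

HARDENED_SQLNET = """
# Only the SAP application hosts may open Oracle Net connections
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (sapapp01.example.internal, 10.20.30.11)
TCP.EXCLUDED_NODES = (10.20.30.99)
"""


def parse_sqlnet(text: str) -> dict:
    """Parse KEY = value lines; a parenthesised value becomes a list."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            params[key.upper()] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[key.upper()] = value.strip('"')
    return params


def check_node_whitelist(params: dict) -> list:
    """Return a list of findings; an empty list means the whitelist is active."""
    findings = []
    if str(params.get("TCP.VALIDNODE_CHECKING", "NO")).upper() != "YES":
        findings.append("TCP.VALIDNODE_CHECKING is not YES: node lists are ignored")
    if not params.get("TCP.INVITED_NODES"):
        findings.append("TCP.INVITED_NODES is empty: no host whitelist defined")
    return findings


def is_host_permitted(params: dict, host: str) -> bool:
    """Evaluate a connecting host against the lists.

    Assumption for this example: when both lists are present the invited
    list takes precedence, and with checking disabled every host is allowed.
    """
    if str(params.get("TCP.VALIDNODE_CHECKING", "NO")).upper() != "YES":
        return True
    invited = params.get("TCP.INVITED_NODES") or []
    excluded = params.get("TCP.EXCLUDED_NODES") or []
    if invited:
        return host in invited
    return host not in excluded
```

Feed the checker the real file from the database host: two findings on the weak fragment mean any network node can reach the listener, which is exactly the exposure the whitelist is meant to remove.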


A3 – Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Apply input validation and the SAP Secure Programming Guidelines®. BSP/HTMLB or WebDynpro should be used in combination with ACL whitelists.
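The escaping step the text refers to depends on where in the page the untrusted value lands. The following is an added Python example, not code from the brochure or from SAP, showing a page fragment rendered without escaping beside the same fragment rendered with context-appropriate escaping for HTML text and for an `href` attribute; the profile page, the field names and the `http`/`https` scheme allow-list are assumptions for the example.

```python
import html
from urllib.parse import urlsplit

# Assumed for the example: only web schemes may appear in a link target.
ALLOWED_URL_SCHEMES = {"http", "https"}


def escape_html(value: str) -> str:
    """Escape for element text and for quoted attribute values."""
    return html.escape(value, quote=True)


def safe_href(value: str) -> str:
    """Escaping alone does not make a link safe: a javascript: or data: URL
    is valid HTML after escaping. Reject non-web schemes, then escape."""
    parts = urlsplit(value.strip())
    if parts.scheme and parts.scheme.lower() not in ALLOWED_URL_SCHEMES:
        return "#"
    return escape_html(value)


def render_profile_vulnerable(name: str, homepage: str) -> str:
    # Untrusted data sent to the browser unchanged: the XSS pattern.
    return f'<p>Welcome {name}</p><a href="{homepage}">home</a>'


def render_profile(name: str, homepage: str) -> str:
    # Same page, each value escaped for the context it is inserted into.
    return f'<p>Welcome {escape_html(name)}</p><a href="{safe_href(homepage)}">home</a>'
```

A name containing a `<script>` element is rendered as visible text by the hardened version, and a `javascript:` homepage becomes an inert `#` link; a quote inside a path can no longer break out of the attribute because it is escaped too.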

A4 – Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):

1. Use per user or session indirect object references. This prevents attackers from directly targeting unauthorized resources.

2. SAP Access Control®. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
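Both measures above can be combined, and the following added Python example (not code from the brochure; `is_authorized` stands in for the SAP Access Control check named in the text) shows how: a per-session map hands out random opaque tokens instead of database keys, and resolving a token still runs the authorization check on the underlying object. The document keys and their owners are constructed sample data.

```python
import secrets

# Constructed sample data: which user owns each internal document key.
DOCUMENT_OWNERS = {
    "DOC-1001": "alice",
    "DOC-1002": "alice",
    "DOC-2001": "bob",
}


class AccessDenied(Exception):
    pass


class IndirectReferenceMap:
    """Per-session map from random opaque tokens to internal object keys.

    Tokens exist only for the session that created them, so a key cannot be
    reached by guessing or incrementing a number, and a token copied out of
    one session means nothing in another (the text's option 1).
    """

    def __init__(self) -> None:
        self._token_to_key: dict = {}
        self._key_to_token: dict = {}

    def reference_for(self, internal_key: str) -> str:
        """Return the opaque token for a key, minting one on first use."""
        if internal_key not in self._key_to_token:
            token = secrets.token_urlsafe(16)
            self._key_to_token[internal_key] = token
            self._token_to_key[token] = internal_key
        return self._key_to_token[internal_key]

    def resolve(self, token: str):
        return self._token_to_key.get(token)


def is_authorized(user: str, internal_key: str) -> bool:
    """Stand-in for the access control check on the real object."""
    return DOCUMENT_OWNERS.get(internal_key) == user


def fetch_document(user: str, session_map: IndirectReferenceMap, token: str) -> str:
    """Option 2 as well: the indirect reference is resolved, then the access
    check runs on the resolved key before anything is returned."""
    internal_key = session_map.resolve(token)
    if internal_key is None or not is_authorized(user, internal_key):
        raise AccessDenied(f"{user!r} may not access this reference")
    return f"contents of {internal_key}"


def can_fetch(user: str, session_map: IndirectReferenceMap, token: str) -> bool:
    try:
        fetch_document(user, session_map, token)
    except AccessDenied:
        return False
    return True
```

A raw key such as `DOC-1002` is not a valid reference at all, and even a token lifted from another user's session fails the ownership check when presented by the wrong user.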


A5 – Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date.

Configure to a level that provides a baseline security using standard SAP settings. Develop a consistent system hardening process and regular software updates. Development, QA, and production environments should all be configured identically.

Tasks include: ensure ports and services that are not required are closed, restrict access to BASIS functions, access and identity management and security patch management.

Aim for a strong SAP® application architecture that provides good separation and security between components.

Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.


A6 – Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax ids, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

Do all of the following, at a minimum:

1. Consider the threats you plan to protect this data from (e.g., insider attack, external user), and make sure you encrypt all sensitive data at rest and in transit.

2. Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.

3. Ensure strong standard algorithms and strong keys are used, and proper key management is in place.

4. Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.

5. Disable autocomplete on forms collecting sensitive data and disable caching for pages displaying sensitive data.


A7 – Missing Function Level Access Control

Virtually all web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access unauthorized functionality.

SAP provides a consistent and easily analysable authorization module that is invoked from all your business functions.

1. Configure the process for managing entitlements and ensure you can update and audit easily. Don’t hard code.

2. The enforcement mechanism denies all access by default, requiring explicit grants to specific roles for access to every function.

3. Workflow conditions need to be in the proper state to allow access.

NOTE: Most web applications don’t display links and buttons to unauthorized functions, but this “presentation layer access control” doesn’t actually provide protection. You must also implement checks in the controller or business logic.
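The three points and the note above come together in the following added Python example, which is not code from the brochure and uses a small entitlement table in place of SAP's authorization module: grants live in data rather than in code (1), any role or function absent from the table is denied (2), an approval handler checks workflow state (3), and the server-side dispatcher runs the same check on every request whether or not the UI offered the function. The roles, invoices and handler names are constructed for the example.

```python
import functools

# Constructed entitlement table: role -> functions explicitly granted.
# It is data, not code, so it can be updated and audited without a release.
ROLE_GRANTS = {
    "clerk": {"view_invoice"},
    "finance_manager": {"view_invoice", "approve_invoice"},
}

# Constructed workflow state per invoice; approval is valid only from "submitted".
INVOICE_STATE = {42: "submitted", 43: "draft"}


class Forbidden(Exception):
    pass


def is_permitted(role: str, function_name: str) -> bool:
    # Deny by default: an unknown role or an unlisted function gets nothing.
    return function_name in ROLE_GRANTS.get(role, set())


def enforce(function_name: str):
    """Run the authorization check on every call, regardless of what the
    presentation layer showed or hid."""

    def decorator(func):
        @functools.wraps(func)
        def wrapper(request, *args, **kwargs):
            if not is_permitted(request["role"], function_name):
                raise Forbidden(f"{request['role']!r} may not call {function_name}")
            return func(request, *args, **kwargs)

        return wrapper

    return decorator


@enforce("view_invoice")
def view_invoice(request: dict, invoice_id: int) -> str:
    return f"invoice {invoice_id}: state {INVOICE_STATE.get(invoice_id, 'unknown')}"


@enforce("approve_invoice")
def approve_invoice(request: dict, invoice_id: int) -> str:
    # Workflow condition: only a submitted invoice can be approved.
    if INVOICE_STATE.get(invoice_id) != "submitted":
        return f"invoice {invoice_id} is not awaiting approval"
    INVOICE_STATE[invoice_id] = "approved"
    return f"invoice {invoice_id} approved"


HANDLERS = {"view_invoice": view_invoice, "approve_invoice": approve_invoice}


def visible_functions(role: str) -> set:
    """What the UI may show for a role; never the basis for enforcement."""
    return {name for name in HANDLERS if is_permitted(role, name)}


def dispatch(request: dict) -> str:
    """Server-side entry point. A forged request naming a function the UI
    never offered reaches the same check as a legitimate one."""
    handler = HANDLERS.get(request.get("function"))
    if handler is None:
        return "403 Forbidden"
    try:
        return handler(request, request["invoice_id"])
    except Forbidden:
        return "403 Forbidden"
```

A clerk's UI only lists `view_invoice`, but a hand-built request for `approve_invoice` from that role is refused by the server, and even an authorised manager cannot approve an invoice that has not been submitted.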


A8 – Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Preventing CSRF usually requires the inclusion of an unpredictable token in each HTTP request. Such tokens should, at a minimum, be unique per user session.

The preferred option is to include the unique token in a hidden field. This causes the value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is subject to exposure.

The unique token can also be included in the URL itself, or a URL parameter. However, such placement runs the risk that the URL will be exposed to an attacker, thus compromising the secret token.
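The preferred option, a per-session token carried in a hidden form field, is shown end to end in the following added Python example (not code from the brochure): the server mints one unpredictable token per session, the form submits it in the POST body, and the handler honours a request only when the body's token matches the session's. The `/transfer` form, its fields and the session object are assumptions for the example; a cross-site page can make the victim's browser submit a form, but it cannot read the victim's page to learn the token, which is what `forged_post_body` models.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode


class Session:
    """Server-side session; the CSRF token is generated once per session."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session: Session) -> str:
    # The token travels in a hidden field, so it is sent in the request body
    # and never lands in a URL, referrer header, proxy log or browser history.
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session: Session, method: str, body: str) -> str:
    """Server side of /transfer. The session cookie has already identified
    `session`; the request is honoured only if the body carries that
    session's token as well."""
    if method != "POST":
        return "405 Method Not Allowed"  # state changes never ride on GET
    fields = parse_qs(body)
    submitted = fields.get("csrf_token", [""])[0]
    if not hmac.compare_digest(submitted.encode("utf-8"), session.csrf_token.encode("utf-8")):
        return "403 Forbidden: missing or invalid CSRF token"
    amount = fields.get("amount", ["0"])[0]
    return f"transfer of {amount} accepted"


def legitimate_post_body(session: Session, amount: str) -> str:
    """What the genuine form submits."""
    return urlencode({"csrf_token": session.csrf_token, "amount": amount})


def forged_post_body(amount: str) -> str:
    """What a cross-site form can submit: it controls the amount but does
    not know the token, because it cannot read the victim's page."""
    return urlencode({"amount": amount})
```

The genuine submission is accepted; a body without the token, a body carrying another session's token, and a GET request are all refused.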


A9 – Using Known Vulnerable Components

Vulnerable components, such as libraries, frameworks, and other software modules almost always run with full privilege. So, if exploited, they can cause serious data loss or server takeover. Applications using these vulnerable components may undermine their defences and enable a range of possible attacks and impacts.

Ensure that you keep your components up-to-date. Many open source projects (and other component sources) do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version.

A10 – Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Safe use of redirects and forwards can be done in a number of ways:

• Simply avoid using redirects and forwards.

• If used, don’t involve user parameters in calculating the destination. This can usually be done.

• If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorised for the user.
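For the third case, where a destination parameter cannot be avoided, the following added Python example (not code from the brochure) validates a supplied `next` value before redirecting: only site-local absolute paths or `http(s)` URLs on an allow-listed host are accepted, and anything else falls back to a fixed default. The allowed host, the default target and the `next` parameter are assumptions for the example; it also covers the protocol-relative (`//host`) and backslash forms that a plain "starts with /" check misses.

```python
from urllib.parse import urlsplit

# Assumed for the example: the only external host we are willing to send users to.
ALLOWED_HOSTS = {"portal.example.com"}
DEFAULT_TARGET = "/home"
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(supplied: str, allowed_hosts=ALLOWED_HOSTS, default: str = DEFAULT_TARGET) -> str:
    """Return `supplied` if it is a permitted destination, else `default`."""
    if not supplied:
        return default
    # Browsers treat a backslash like a slash, so normalise before parsing;
    # otherwise "/\evil.example" would look like a local path here and like
    # "//evil.example" to the browser.
    candidate = supplied.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return default  # javascript:, data:, and similar

    if parts.netloc:
        # Absolute or protocol-relative URL: the host must be on the allow-list.
        # hostname (not netloc) is used so "user@host" tricks resolve to the real host.
        host = (parts.hostname or "").lower()
        return candidate if host in allowed_hosts else default

    # No host part: accept only a site-local absolute path.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return candidate


def redirect_response(next_param: str) -> dict:
    """Shape of the HTTP response a handler would emit after login (assumed)."""
    return {"status": 302, "Location": safe_redirect_target(next_param)}
```

A local path with a query string passes through unchanged, as does an `https` URL on the allowed host; a protocol-relative URL, a `javascript:` URL, an `allowed-host@evil` authority trick and an empty value all collapse to the default.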


Other Cyber Security Considerations


Virus and Malware

Virus Protection is required as a baseline security measure.

The SAP Virus Scan Interface® has built in scanning for:

• GUI_UPLOAD in the SAP ABAP Stack
• HTTP_UPLOAD (BSP)
• File Upload of WebDynpro for Java.

Secure Remote Function Calls (RFCs)

Default RFC communication is performed in clear-text, exposing data and logon information to network sniffing.

SAP has released a number of patches for the RFC library, and Secure Network Communications® (SNC) can be used to encrypt network traffic.

Access to transaction SM59 and table RFCDES should be reviewed, and authorisation object S_RFCACL can improve the security of trusted RFC calls.


Secure configuration of the Gateway Server

Man In The Middle attacks can involve the manipulation of RFC calls that are intended for a legitimate external server before returning the results to the requesting client through the Gateway. Such an attack could be used to modify RFC requests and the data returned to SAP systems.

Monitor / disable remote access to the Gateway Server that controls traffic between SAP and external systems.

Buffer Overflow

Buffer overflows are a common attack vector to introduce malicious code to an application.

Use the SAP Secure Programming Guidelines® to provide input validation of custom code, and conduct detailed reviews to discover and eliminate buffer overflow problems in custom code for the Web-facing technology components of SAP NetWeaver® (SAP Web Application Server®, SAP Internet Transaction Server®, and SAP Enterprise Portal®). Consider penetration testing.


Java script attacks against the sandbox

Internet browsers can open vulnerabilities to the application. Java is open source code that is vulnerable to reverse engineering.

Controls can include disabling Java in the browser and using separate browsers for Java based web applications. Disable unnecessary services. Consider the SAP White Paper recommendations to prevent a Java attack.

Program errors

Insecure custom code can introduce security vulnerabilities.

SAP Secure Programming Guidelines® can ensure a basic level of code security to counter problems such as race conditions, inadvertent information disclosure in error messages and anonymous web browsing.


Controlling SAP Users

SAP® has numerous default users and passwords that require secure configuration.

Administrators should change the default passwords of standard users and design control strategies for all privileged default users.

Password Security

Password security can be compromised by software tools to decrypt passwords.

Standard SAP® password security can be enhanced by disallowing backwards compatibility in the CDVN1 hashing algorithm.


Backdoors and Rootkits

Backdoors and rootkits are often very difficult to detect in the thousands of lines of code in typical application software.

SAP Code Inspector® can be used to guard against backdoors and rootkits in critical programs.

Secure Web services

Web services should be hardened in line with SAP recommendations.

Customise error pages so they do not display sensitive system information about the target system such as hostname, SSID and system number.

Disable unnecessary services and follow the SAP security recommendations® in the guide Secure Configuration, SAP NetWeaver Application Server ABAP®.


Secure the SAP GUI® and web clients

Potential buffer overflow vulnerabilities have been identified and have been addressed by SAP patches. Web clients can be vulnerable to phishing attacks.

SAP GUI® should be patched or upgraded against known buffer overflow vulnerabilities. Consider disabling SAP GUI scripting and virtualisation options.

Phishing attacks can be addressed by user education, using SSL/TLS to enable users to identify legitimate websites, URL filtering to block malicious sites, and hardening, upgrading and patching Internet browsers.

Regulatory and Standards Considerations

Frameworks such as the ISO27000 series and CobiT 5 are positive for the assurance of stakeholders and customers.

Implementing Security best practice can help achieve compliance with regulations and achievement of IT Security certification.


Cyber Security Health Check Report

Upon completion a report will be issued containing the following:

• Executive Summary of detected vulnerabilities and the possible impacts for the business. Real attack vectors describing how your systems can be exploited and the related Business Risks.

• Detailed Technical Report detailing detected vulnerabilities, misconfigurations and associated risks. Detailed recommendations for Vulnerability Patching.

• Mitigation Plan Report outlining a step-by-step action plan with detailed mitigation activities for each detected issue.

• Security Guidelines for General System Configuration.



SAP Specific Penetration Testing

We conduct penetration tests which are looking for SAP specific weaknesses and areas of greatest vulnerability, including:

• Exposure of SAP Routers (and sending payloads through them).

• Attacking SOAP RFC connections.

• Attacking the SAP Management Console (accessing both ABAP and Java processes).

• Attacking NetWeaver SMB relay (thus facilitating escalation of privileges to that of the OS user).

• Brute-forcing the SAP Web UI logon.

• Exposure of SAP Internet Communication Framework (ICF) components and services.



To view some recent examples of SAP penetration tests we have carried out, please contact us for sanitised output from SAP specific penetration tests.



Contact Us:

For an informal conversation to discuss your SAP cyber concerns, or to arrange an on-site no obligation meeting, please contact us at:

[email protected]

www.soteriacyber.com

Soteria Cyber Security
Wyche Innovation Centre
Walwyn Road
Malvern
Herefordshire. WR13 6PL
