Uninvited Guests: Why do hackers love our SAP landscapes?
1. Prof. Dr. Sachar Paulus
Uninvited guests: why do hackers all over the world love our SAP landscapes?
2. Hackers love SAP systems - Prof. Dr. Sachar Paulus - © paulus.consult 2014
About the speaker
- Professor for IT Security at Mannheim University of Applied Sciences
- Previously Dean of Studies for an M.Sc. programme in Security Management
- Research professorship through the EU project „OPTET“: Operational Trustworthiness Enabling Technologies
- Management consultant
- SAP security, secure software engineering, information security management systems
Experience
- 8 years with SAP (Director Product Management Security, Chief Security Officer)
- Prior to this, working in SMEs in the area of security solutions and cryptology
3. Agenda
- SAP compliance requirements
- Hackers and SAP systems
- SAP and the Cloud
- The software life cycle
- Potential reasons
- Recommendations
4. SAP compliance requirements
Many, many different sources:
- MaRisk, GoBS, IDW PS 330, KonTraG, …
- Sarbanes-Oxley, FDA CFR, PCI DSS, …
Content:
- Critical authorizations
- Critical combinations of authorizations
- Encryption, secure storage
- Digital signatures
These are:
- functional requirements
- on-top solutions
- require low communication effort
5. Hackers and SAP systems
How hackers see SAP
- Very complicated, requires a lot of knowledge, proprietary
- But: IF the target is interesting, then there is no real obstacle. JUST DO IT!
- Since HANA there is a growing interest among hackers
These are protected by:
- non-functional requirements
- system properties
- communication with the CISO department
Attack surface
- Insiders, social engineering, etc.
- Web-based access and interfaces (e.g. SQL injection)
- SAP-specific weaknesses (e.g. RFC, trusted systems)
- Trojan horses, worms
6. SAP and the Cloud
Running SAP in the Cloud
- Public cloud: are the legal requirements met (e.g. data protection regulation)? In which legal system is the data processed? Who has (legitimate) access to the data?
- Public cloud: are the risks higher than running SAP in-house? That depends on whom you need to protect against…
- Any cloud: do you trust your service provider?
Using SAP Cloud Services
- There is a considerable offering with different types of services…
- … but in most cases they use standard internet technology
- ==> you need to handle standard internet / web security
7. The software life cycle
Where do you NEED to work on security?
- Requirements engineering
- Architecture and design (= mostly prescribed by SAP)
- Coding (specifically customizing)
- Deployment
- Support
Security is important in ANY of these phases: if one piece is missing, all other efforts may not help any more.
Fact: in ALL phases awareness and competence are missing!
- Ex. 1: Do you know your SAP security requirements?
- Ex. 2: Do you install SAP Security Notes in a timely manner?
8. Potential reasons
Fact: in most organizations, SAP security is way behind „normal“ information security management.
Potential reasons:
- SAP operations is separated from other IT services
- Purely functional view on security, no quality view
- No acceptance / understanding of why firewalls are useless
- There is not enough damage happening (resp. there is not enough communication about attacks)
- Nobody is responsible
- „The software manufacturer is to blame, I cannot do anything about it“
- Access control is so tedious and costly that there is no room for anything else
9. Recommendations: top down
- Assign the responsibility for SAP security
  - You need a name and a face
- Develop your SAP security strategy
  - Perform risk management - which of the risks am I ready to take? What about SAP operations? What about the IT department?
- Develop your SAP security architecture
  - Choose measures and solutions - what can be done by the SAP standard, what is my focus area, how does all this play together?
- Record and document your SAP security requirements
  - You need to document them to make them transparent - and subsequently addressed
- Document your SAP security strategy and architecture and have management approve them
10. Recommendations: organizational topics
- Cooperate with the information security department (CISO)
  - Break down the „SAP“ wall, align with your peers
  - Comparing risks may be demotivating at first, but will improve the overall approach
- Cooperate with the quality assurance department
  - Security is a quality goal - and should be handled as such in the internal QA processes
- Integrate security checks into Procure-to-Pay
  - Your peers do it for desktop software - why not have the same approach for SAP add-ons and customization?
11. Further recommendations
- Authorizations
  - It is more important to think about „who decides about what“ than to buy the right tool
  - Clear and simple organizational structures make authorization management a lot easier
- SAP internet security
  - The (new) web and internet interfaces of SAP are easily accessible to hackers and should be treated with care, specifically SAP HANA
  - Don't trust too much in third-party products that claim to prevent attacks in real time (à la „Application Level Firewall“)
- SAP specifics
  - SAP is a critical infrastructure: limit the use and accessibility of SAP-specific protocols
  - Assure secure coding in ABAP
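As an added example, not taken from the slides, the following ABAP report ties the "SQL injection" item of the attack-surface list to the secure-coding recommendation above: a selection-screen value flows into a dynamic Open SQL WHERE clause, first in the vulnerable form and then in hardened forms using only static clauses or the SAP-supplied class cl_abap_dyn_prg. The program name, the parameter names, the allowed column list and the use of the SFLIGHT demo table are assumptions for the illustration.

```abap
REPORT zsec_dyn_where_demo.    " hypothetical program name (assumption)

" Selection-screen inputs that end up inside dynamic SQL
PARAMETERS p_carr TYPE c LENGTH 3.                      " a value (airline code)
PARAMETERS p_col  TYPE c LENGTH 30 DEFAULT 'CARRID'.    " a column name

DATA lt_flights TYPE STANDARD TABLE OF sflight.         " demo flight table (assumption)
DATA lv_where   TYPE string.
DATA lv_col     TYPE string.
DATA lv_in      TYPE string.

" VULNERABLE: the input is spliced into the clause as statement text. A value
" containing a single quote can close the literal and extend the condition, so
" the SELECT no longer filters on what the user was meant to see.
lv_where = |CARRID = '{ p_carr }'|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

" HARDENED 1: avoid dynamic tokens where possible. In a static WHERE clause the
" parameter is passed as data and can never become part of the statement.
SELECT * FROM sflight INTO TABLE lt_flights WHERE carrid = p_carr.

" HARDENED 2: if the clause must be dynamic, escape the value.
" cl_abap_dyn_prg=>quote( ) doubles embedded single quotes and wraps the result
" in quotes, so the input is always interpreted as one literal.
lv_where = |CARRID = { cl_abap_dyn_prg=>quote( p_carr ) }|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

" HARDENED 3: when the dynamic part is a name (column, table) rather than a
" value, quoting does not apply; validate against a whitelist instead.
" check_whitelist_str raises cx_abap_not_in_whitelist for anything else.
lv_in = p_col.
TRY.
    lv_col = cl_abap_dyn_prg=>check_whitelist_str(
               val       = lv_in
               whitelist = 'CARRID,CONNID,FLDATE' ).   " allowed columns (assumption)
    lv_where = |{ lv_col } IS NOT NULL|.
    SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
  CATCH cx_abap_not_in_whitelist.
    MESSAGE 'Column not allowed' TYPE 'E'.
ENDTRY.

WRITE: / |{ lines( lt_flights ) } flights selected|.
```

The split between hardened 2 and hardened 3 is the point to remember when reviewing custom code: quoting protects a data value inside a literal, but it cannot make a table or column name safe, so dynamic names need a whitelist check (or the matching check_table_name_str / check_column_name methods of the same class) rather than escaping.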
12. Prof. Dr. Sachar Paulus
Uninvited guests: why do hackers all over the world love our SAP landscapes?