For a long time, ERP security was simply a synonym for segregation of duties (SoD), but this has changed. Business application security now has three areas: SoD, custom code security and application platform security. SAP customers are aware of problems in their SAP installations, but they still do not know where to start solving them.
The aim of EAS-SEC (http://eas-sec.org/) is to make people aware of enterprise application security problems and to create guidelines and tools for enterprise application security assessment.
EAS-SEC: Framework for securing business applications
1. Invest in security to secure investments
EAS-SEC: Framework for Securing Enterprise Business Applications
Alexander Polyakov, CTO, ERPScan
2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
4. SAP Security notes by year
[Chart: number of SAP Security Notes published per year, 2001 to 2013; y-axis 0 to 900]
More than 2600 in total
5. SAP on the Internet
• Companies have SAP Portals, SAP SRMs, SAP CRMs remotely accessible
• Companies connect different offices (by SAP XI)
• Companies are connected to SAP (through SAP Router)
• SAP GUI users are connected to the Internet
• Administrators open management interfaces to the Internet for remote control
Almost all business applications have web access now
6. SAP Router
• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
About 5000 Routers on the Internet
7. SAP Router vulnerability
• Remote Code Execution vulnerability
• CVSS 9.3
• Nominated for top 5 server-side vulnerabilities 2013
10. Why security?
• Espionage
– Stealing financial information
– Stealing corporate secrets
– Stealing supplier and customer lists
– Stealing HR data
• Sabotage
– Denial of service
– Modification of financial reports
– Access to technology network (SCADA) by trust relations
• Fraud
– False transactions
– Modification of master data
11. 3 areas of SAP Security
• 2010 - Application platform security: prevents unauthorized access by both insiders and remote attackers. Solution: Vulnerability Assessment and Monitoring
• 2008 - ABAP Code security: prevents attacks or mistakes made by developers. Solution: Code audit
• 2002 - Business logic security (SOD): prevents attacks or mistakes. Solution: GRC
13. SAP Security Guidelines
• Guidelines made by SAP
• First official SAP guide for technical security of the ABAP stack
• Secure Configuration of SAP NetWeaver® Application Server Using ABAP
• First version - 2010, version 1.2 - 2012
• For rapid assessment of the most common technical misconfigurations in the platform
• Consists of 9 areas and 82 checks
• Ideal as a second step; gives more details on some of the EAS-SEC standard areas
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true
14. ISACA Assurance (ITAFF)
• Guidelines made by ISACA
• Checks cover configuration and access control areas
• The first and most complete compliance guideline
• There were 3 versions published, in 2002, 2006 and 2009 (some areas are outdated)
• The technical part is covered less than access control and misses critical areas
• Main advantage is a big database of access control checks
• Consists of 4 parts and about 160 checks
• Ideal as a third step and for detailed coverage of access control
15. DSAG
• Set of recommendations from the Deutsche SAP User Group
• Checks cover all security areas, from technical configuration and source code to access control and management procedures
• Currently the biggest guideline about SAP Security
• Last version in Jan 2011
• Consists of 8 areas and 200+ checks
• Ideal as a final step for securing SAP, but consists of many checks which need additional decision making that depends heavily on the installation.
http://www.dsag.de/fileadmin/media/Leifaeden/110818_Leifaden_Datenschutz_Englisch_final.pdf
16. EAS-SEC for NetWeaver (EASSEC-AIVA-ABAP)
Enterprise Application Systems Vulnerability Assessment - for NetWeaver ABAP
• Developed by ERPScan: first standard of the EAS-SEC series
• Rapid assessment of SAP security in 9 areas
• Contains the 33 most critical checks
• Ideal as a first step
• Also contains information for next steps
• Categorized by priority and criticality
17. EASSEC-AIVA-2013
EASSEC-AIVA area | Access | Criticality | Easy to exploit | % of vulnerable systems
1. Lack of patch management | Anonymous | High | High | 99%
2. Default passwords for application access | Anonymous | High | High | 95%
3. Unnecessary enabled functionality | Anonymous | High | High | 90%
4. Open remote management interfaces | Anonymous | High | Medium | 90%
5. Insecure configuration | Anonymous | Medium | Medium | 90%
6. Unencrypted communication | Anonymous | Medium | Medium | 80%
7. Access control and SOD | User | High | Medium | 99%
8. Insecure trust relations | User | High | Medium | 80%
9. Logging and Monitoring | Administrator | High | Medium | 98%
18. Lack of patch management
• [EASAI-NA-01] Component updates
• [EASAI-NA-02] Kernel updated
What next: other components should be updated separately - SAP Router, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects. And also the OS and database.
19. Default passwords
• [EASAI-NA-03] Default password check for user SAP*
• [EASAI-NA-04] Default password check for user DDIC
• [EASAI-NA-05] Default password check for user SAPCPIC
• [EASAI-NA-06] Default password check for user MSADM
• [EASAI-NA-07] Default password check for user EARLYWATCH
What next: a couple of additional SAP components also use their own default passwords. For example, old versions of the SAP SDM and SAP ITS services have default passwords. After you check all default passwords, you can start with bruteforcing for simple passwords.
20. Unnecessary enabled functionality
• [EASAI-NA-08] Access to RFC functions using the SOAP interface
• [EASAI-NA-09] Access to RFC functions using the FORM interface
• [EASAI-NA-10] Access to the XI service using the SOAP interface
What next: you should analyze whether the roughly 1500 other remotely enabled services are really needed, and also disable unused transactions, programs and reports.
21. Open remote management interfaces
• [EASAI-NA-11] Unauthorized access to the SAPControl service
• [EASAI-NA-12] Unauthorized access to the SAPHostControl service
• [EASAI-NA-13] Unauthorized access to the Message Server service
• [EASAI-NA-14] Unauthorized access to the Oracle database
What next: the full list of SAP services can be found in the document "TCP/IP Ports Used by SAP Applications". You should also take care of 3rd-party services which can be enabled on this server.
22. Insecure configuration
• [EASAI-NA-15] Minimum password length
• [EASAI-NA-16] User locking policy
• [EASAI-NA-17] Password compliance to current standards
• [EASAI-NA-18] Access control to RFC (reginfo.dat)
• [EASAI-NA-19] Access control to RFC (secinfo.dat)
What next: first of all, look at the "Secure Configuration of SAP NetWeaver® Application Server Using ABAP" document for detailed configuration checks. Afterwards you can go through the detailed documents for each and every SAP service and module:
http://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
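As an added example (not part of the EAS-SEC standard or of the original slides), the Python below evaluates checks EASAI-NA-15 to EASAI-NA-19 offline against a constructed instance profile and constructed reginfo/secinfo files. It assumes the simplified "parameter = value" and "P|D KEY=VALUE ..." syntaxes shown in the constants, uses the profile parameters login/min_password_lng, login/fails_to_user_lock and login/password_compliance_to_current_policy, and the thresholds (length at least 8, lockout enabled, compliance flag set) are this example's own choice, not the standard's.

```python
# Added example: offline evaluation of EASAI-NA-15..19. Sample data below is
# constructed for this example; thresholds are assumptions, not standard values.
# Gateway ACL syntax assumed: "P" (permit) or "D" (deny) followed by KEY=VALUE tokens.
WEAK_PROFILE = """
login/min_password_lng = 6
login/fails_to_user_lock = 0
login/password_compliance_to_current_policy = 0
"""
WEAK_REGINFO = "P TP=* HOST=*\n"          # any host may register any program
WEAK_SECINFO = "P TP=* USER=* HOST=*\n"   # any user from any host may start any program

def parse_profile(text):
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def parse_acl(text):
    """Return [(action, {KEY: VALUE})] for each non-comment reginfo/secinfo line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        rules.append((parts[0], kv))
    return rules

def acl_too_open(rules):
    # A permit rule with wildcard program and wildcard host grants everyone access.
    return any(a == "P" and kv.get("TP") == "*" and kv.get("HOST", "*") == "*"
               for a, kv in rules)

def run_checks(profile_text, reginfo_text, secinfo_text):
    """Return the list of EASAI-NA check ids that fail for the given inputs."""
    p = parse_profile(profile_text)
    failed = []
    if int(p.get("login/min_password_lng", "0")) < 8:                 # EASAI-NA-15
        failed.append("EASAI-NA-15")
    if int(p.get("login/fails_to_user_lock", "0")) == 0:             # EASAI-NA-16
        failed.append("EASAI-NA-16")
    if p.get("login/password_compliance_to_current_policy", "0") != "1":  # EASAI-NA-17
        failed.append("EASAI-NA-17")
    if acl_too_open(parse_acl(reginfo_text)):                         # EASAI-NA-18
        failed.append("EASAI-NA-18")
    if acl_too_open(parse_acl(secinfo_text)):                         # EASAI-NA-19
        failed.append("EASAI-NA-19")
    return failed
```

A hardened profile (length 12, lockout after 5 failures, compliance flag 1) with host-specific permit rules followed by a closing "D TP=*" line produces an empty finding list.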
23. Access control and SOD conflicts
• [EASAI-NA-20] Users with SAP_ALL profile
• [EASAI-NA-21] Users which can run any program
• [EASAI-NA-22] Users which can modify critical table USR02
• [EASAI-NA-23] Users which can execute any OS command
• [EASAI-NA-24] Disabled authorization checks
What next: there are at least about 100 critical transactions in BASIS alone and approximately the same number in each other module. Detailed information can be found in the ISACA guidelines. After that you can start with Segregation of Duties.
24. Unencrypted connections
• [EASAI-NA-25] Use of SSL for securing HTTP connections
• [EASAI-NA-26] Use of SNC for securing SAP GUI connections
• [EASAI-NA-27] Use of SNC for securing RFC connections
What next: even if you use encryption, you should check how it is configured for every type of encryption and for every service, because each encryption type has its own complex configuration. For example, the latest attacks on SSL like BEAST and CRIME require companies to use a more complex SSL configuration.
25. Insecure trusted connections
• [EASAI-NA-28] RFC connections with stored authentication data
• [EASAI-NA-29] Trusted systems with lower security
What next: check other ways to get access to trusted systems, such as database links, use of the same OS user, or just use of the same passwords for different systems.
26. Logging and Monitoring
• [EASAI-NA-30] Logging of security events
• [EASAI-NA-31] Logging of HTTP requests
• [EASAI-NA-32] Logging of table changes
• [EASAI-NA-33] Logging of access to Gateway
What next: there are about 30 different types of log files in SAP. After properly enabling the main ones, the next step is to properly configure complex options such as which exact tables to monitor for changes, what kind of events to analyze in the security events log, what types of Gateway attacks should be collected, and so on. The step after that is to enable centralized collection and storage of these logs and then add other log events.
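The following Python, added here and not part of the EASSEC-AIVA standard or the slides, turns a list of failed EASAI-NA checks (slides 18 to 26) into a remediation order derived from the slide 17 table: areas reachable anonymously come first, then higher criticality, then easier exploitation, then the number of failed checks. The check-to-area mapping and the ratings are taken from the slides; the numeric ranks used for sorting are this example's assumption.

```python
# Added example: prioritize remediation of failed EASAI-NA checks using the
# EASSEC-AIVA-2013 table. Area membership of check ids follows slides 18-26.
AREAS = {
    # area: (check numbers, access needed, criticality, ease of exploitation)
    "Lack of patch management":          (range(1, 3),   "Anonymous",     "High",   "High"),
    "Default passwords":                 (range(3, 8),   "Anonymous",     "High",   "High"),
    "Unnecessary enabled functionality": (range(8, 11),  "Anonymous",     "High",   "High"),
    "Open remote management interfaces": (range(11, 15), "Anonymous",     "High",   "Medium"),
    "Insecure configuration":            (range(15, 20), "Anonymous",     "Medium", "Medium"),
    "Access control and SOD":            (range(20, 25), "User",          "High",   "Medium"),
    "Unencrypted communication":         (range(25, 28), "Anonymous",     "Medium", "Medium"),
    "Insecure trust relations":          (range(28, 30), "User",          "High",   "Medium"),
    "Logging and Monitoring":            (range(30, 34), "Administrator", "High",   "Medium"),
}
# Assumed numeric ranks: less access required and higher ratings sort first.
ACCESS_RANK = {"Anonymous": 0, "User": 1, "Administrator": 2}
LEVEL = {"High": 2, "Medium": 1, "Low": 0}

def check_area(check_id):
    """Map an id such as 'EASAI-NA-17' to its area name; None for unknown ids."""
    num = int(check_id.rsplit("-", 1)[1])
    for area, (ids, *_ratings) in AREAS.items():
        if num in ids:
            return area
    return None

def remediation_plan(failed_checks):
    """Group failed checks by area and return [(area, [ids])] in remediation order."""
    by_area = {}
    for cid in failed_checks:
        area = check_area(cid)
        if area is None:
            raise ValueError(f"unknown check id {cid}")
        by_area.setdefault(area, []).append(cid)

    def sort_key(item):
        area, ids = item
        _, access, crit, ease = AREAS[area]
        # Tuple order: access rank, then criticality, ease and count (descending).
        return (ACCESS_RANK[access], -LEVEL[crit], -LEVEL[ease], -len(ids))

    return [(area, sorted(ids)) for area, ids in sorted(by_area.items(), key=sort_key)]
```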
27. Next Steps
• Release similar compliance guidelines for other applications
• Update eas-sec.org
• Spread this initiative
28. Questions?
The only solution in the market to assess 3 tiers of SAP Security