SAP Security and the Risk to the Value Chain

There is a lot of discussion in risk management circles on how risks within the value chain can often be ignored. Paul Proctor, Vice President of Research at Gartner, recently presented a webcast titled “Digital Business and the CIO’s Relationship with Risk.” He indicates:

“If businesses start to address risks within the value chain, they will become more competitive, grow faster and add value to the business decision makers.”

Take a moment and think about how SAP supports an organization’s value chain. Organizations use SAP to track and manage, in real-time, sales, production, finance accounting and human resources in an enterprise.

Specific examples include:

  • Finance: General Ledger (GL), Account Payable (AP), Account Receivable (AR) and Asset Accounting.
  • Controlling: Includes Cost Center Accounting, Profit Center Accounting (PCA) Product Costing, Profitability Analysis and Internal Order (IO).
  • Sales and Distribution: Customer master data, sales, plants, sales organizations and sales conditions.
  • Human Resource: Resource hiring, salary, employee benefits etc. It is highly integrated with finance and controlling (FICO) modules.
  • Project Systems: Budgeting, planning, forecasting.
Industrial Value Chain via http://practicalanalytics.wordpress.com/

Industrial Value Chain via http://practicalanalytics.wordpress.com/

Other key systems such as email, web front end apps, and Microsoft applications also support the value chain and are of focus for many traditional perimeter and archaic security technologies. However, though these systems are important, are they as critical to the value chain as SAP?

Continue reading

Share Button

5 Questions CISOs Should Ask About SAP Security

Over the last few weeks, Adrian Lane, CTO & Analyst from Securosis, a leading cyber-security analyst firm, published two blog posts from his ongoing series called “Building an Enterprise Application Security Program.” In his current posts, Adrian describes how key business applications running on SAP and Oracle have security and compliance gaps that are not covered by traditional security measures.

This is a problem that tends to be overlooked by many organizations. In the second blog Adrian outlines the critical need for enterprise application security by presenting analysis on key use cases. These include compliance, transaction verification, usage of sensitive information, potential security threats from both inside and outside of an organization, and necessary changes for management and policy enforcement.

In the blog Adrian states:

“None of these drivers are likely to surprise you. But skimming the top-line does not do the requirements justice – you also need to understand why enterprise applications offer different challenges for data collection and analysis, to fully appreciate why off-the-shelf security tools leave coverage gaps.”

This statement had me thinking… a majority of the current problem around SAP security stems from a lack of understanding around why it’s critical to implement new, more adaptive security solutions. Since joining Onapsis I’ve engaged with many of my friends in the cyber-security industry and have found that most CISOs and their teams do not have visibility into their SAP infrastructure, nor do they understand how connections are set-up between their SAP systems. There is truly a lack of insight into what SAP teams are doing to solve security issues. I have also found that when leaders in security ask their SAP counterparts in IT, they receive “old school” security answers like – “We have it covered as we use SAP GRC for access controls and separation of duties measures.”

Continue reading

Share Button

Welcome to the New Onapsis

I’m pleased to announce that today we’ve launched both a new product, a re-design of our website and ultimately – a new brand. This is a very exciting day for Onapsis!

Detection Dashboard

Detection Dashboard

After having great success with the Onapsis X1 product, we worked closely with our customers and partners over the last several years to produce this next-generation platform. Combining the unique knowledge and outstanding dedication of our researchers and engineers with the expertise of our product management team, we are confident that we’re delivering not only exactly what our customers and partners require, but the most advanced business-critical application security solution on the market.

Our new product, Onapsis Security Platform, is the first SAP-certified solution that combines a preventative, behavioral-based and context-aware detective approach for identifying and mitigating security risks, compliance gaps and cyber-attacks on business-critical applications. These applications include ERP, CRM, HCM, SCM, SRM and BI solutions.

Our new Platform is able to deliver continuous monitoring, real-time visibility and protection for SAP applications, providing coverage across SAP NetWeaver ABAP, J2EE, HANA, Mobile and BusinessObjects platforms. It also provides compliance gap analysis, automates the security audit process for SAP applications and is able to generate alarms to close windows of vulnerability, as detection and response actions are automatically triggered, including both alerting and real-time mitigation capabilities.

One thing we’ve heard from our customers was to integrate our capabilities with their existing network security, security management and SIEM solutions and workflows. And we always listened. The new platform is not intended to have CISOs, Compliance and SAP teams worry about “yet another platform to manage”, but to serve as the vehicle to seamlessly incorporate business-critical applications security running on SAP into their existing Risk Management, Audit and Incident Response initiatives.

We are so happy to see the launch of this product and look forward to continue developing solutions to ensure our customer’s success, solving their existing and upcoming challenges.

I welcome you to read more about our new platform and look forward to hearing from all of you with continued feedback that will help guide our technology roadmap:

Best regards,

Mariano

Share Button

How SAP Advisories Affect You

This week you will have seen from our twitter account, (@Onapsis) or other security news feeds like PacketStorm regarding the publication of information about six advisories discovered by the Onapsis Research Labs effecting SAP. In a past blog, Securing Your SAP Through Research, I talked about the importance and value of the security research we do here at Onapsis. Additionally, I have discussed the fact that we have seen automated, widespread attempts to compromise SAP systems as well as very targeted attacks and the implications of those attacks.

If you look at the latest six advisories released by the Onapsis Research Labs which are listed on our advisory page you will see they impact across a variety of SAP technologies that have very different delivery methods. There are three vulnerabilities effecting SAP HANA, two targeting the Extended Application Services (XS); one of which is XSS in the Administration Tool for SAP HANA XS and the third is an authentication bypass. A highlight for me was the discovery of a hardcoded user in SAP FI Manager Self-Service, which effects every installation of FI Manager.

It is very important that you stay informed by reading about the advisories we publish and also the monthly Security Notes releases by SAP and that you evaluate their relevance to your critical systems and the risk they represent to those critical systems.

Continue reading

Share Button

Learning from Zombie Zero Attacks Targeting ERP Systems

In my previous post I talked about the discovery of targeted malware embedded in physical scanners that were sold to shipping and logistics companies. Once operational the malware searched the victim’s network for ERP systems, compromised them (from the report it would appear all systems were compromised; and based on our own experience that has been the case in our engagements) and coped the data from these systems back to command and control servers, reportedly based in China.

It is tempting to think that this is an isolated problem only specific to one industry, but the reality is all businesses have hardware attached to their network that runs or has access to their critical systems and infrastructure. Counterfeit equipment is a long standing problem, with these fakes being hard to detect from the real thing. With the practice of the hardware being assembled by one company and the firmware being produced by another there is even more room for malicious software or instructions being added to printers, switches, routers and other equipment that exists in almost every network today.

Continue reading

Share Button

Holding the attack in your hand, how organization’s ERP systems are the target of Zombie Zero

Picture someone walking around a section of your business and simply scanning your business critical data, financial records and other ERP information away. It sounds like something out of Star Trek, but in a report published by Antone Gonsalves on CSO Online this has already happened to at least half a dozen large European and US Companies.

What happened? These companies all bought scanners from the same Chinese company for use in their shipping departments. These scanners were later discovered to have malware installed on them and when the scanners where connected into the businesses network and operated the malware was activated. This targeted malware, dubbed Zombie Zero, consisted of the three stage attack.

Stage one had the scanner look for and try to compromise any server with the word ‘finance’ in the host name. This searching and compromising activity would continue until the malware discovered and compromised the host, which each time was an ERP system. At this point stage two would begin.

Continue reading

Share Button

Assessing HANA Systems Against the SAP HANA Security Guide

SAP takes their responsibility to help their customers be secure seriously. They have released the SAP HANA Security Guide to help their customers deploy HANA in a secure way. SAP Security Guides are nothing new, they help define a minimum benchmark of a securely deployed SAP system.

For those tasked with assessing a SAP HANA (or ABAP) system and determining the complete risk the system represents to the business, they know that just performing a SoD check is not enough (and for those that don’t the list of security guides from SAP and this blog should help explain why). SAP states that “[these] security guides provide information that is relevant for all lifecycle phases”. When auditing or assessing these SAP systems, and HANA in particular a logical place to start is to compare the system against SAP’s own security recommendations and benchmarks for HANA.

The SAP HANA Security Guide provides those minimum security recommendations. At 102 pages, the guide provides a lot of detailed information about the SAP HANA solution, common deployment scenarios and an overview of the communication paths used within a SAP HANA deployment and how they should be secured. This is further broken out into the following areas:

  • SAP HANA User and Role Management
  • SAP HANA Authentication and Single-Sign On
  • SAP HANA Authorization
  • SAP HANA Data Storage Security
  • Auditing Activity in SAP HANA Systems
  • Security Risks of Trace and Dump Files
  • SAP HANA Additional Components
  • Security for SAP HANA Data Provisioning Technologies
  • Security Reference Information

Continue reading

Share Button

SAP Application Users: You can finally sleep at night!

Guest post from: Pete Nicoletti, CISO, Virtustream

As an SAP user, you’re well aware of and are enjoying the benefits of the world best ERP system. The information that you create and use contributes to your companies competitive advantage. Using SAP to make business decisions and report on all facets of your business is among the most critical functions in your company.

In addition to your internal users using this critical function, there is a very large community of… let’s call them “non-authorized users” to be PC. They would love to have access to your critical company data. Protecting your SAP systems and crown jewels information in “Internet time” from these unauthorized users (ok… hackers!) is extremely challenging. Think of all the SAP notes, patches, changes to your versions and landscapes, new mobile related threats, OS patching, network changes, acquisitions… all of these changes are occurring hundreds and thousands times a day! Each change to a system contributes to and increases risk.

Since you are smart security professional at RSA, you don’t use one of the risk mitigation strategies we have to delicately talk our executives out of called: “Ignore the Risk.” So, you are aware that your SAP system is undergoing constant change, and there are hackers working 24/7/365 to gain access to your data.

Those two nightmares should be keeping you up at night. So, let’s do a quick sleep study… you’re tossing and turning all night long… the recurring nightmare you have is that some bad actors are selling your information to your competition. What is the prescription to get a good night’s sleep? Onapsis.

Onapsis is the vulnerability scanner for SAP that identifies every security issue that your SAP system has. Before this tool, there was no way to know just how bad your nightmare is. Trust me… It’s bad. You should be having nightmares. As the world’s largest SAP hosting company we strive to reduce those above listed risks to our clients. How do we sleep at night hosting hundreds of the world’s largest SAP environments? Onapsis. It is the prescription for a restful night’s sleep. Know what your risks are, classify them, assign them to owners for remediation… and then validate they have been fixed. Standard security stuff right?

Before Onapsis there was just no way to do it. Come by booth 2109 here at RSA and let’s talk about we can secure your SAP world… and you can sleep better at night!

 

Guest post from:

Pete Nicoletti CISO
CISSP, CISA, CCSK, FCSE, CCSE
Virtustream Inc – www.virtustream.com

 

Share Button

Securing Your SAP Through Research

In the latest Notes Tuesday Onapsis was credited with discovering and reporting almost half (10 out of 23) of the vulnerabilities addressed by SAP (or alternatively three quarters or one third, depending on how you do the math: there were only 13 Notes that were attributed to third party security researchers of which Onapsis discovered 10. And SAP released 23 security notes on Notes Tuesday; but had also released an additional 10 notes since the last patch Tuesday; bringing the total released during that period to 33).

Having received a number of messages of appreciation and additional questions about the work done by Onapsis Labs to find so many of the vulnerabilities remediated by SAP this month, I thought people should know about the effort and work done to discover and responsibly report these risks every month.

So how do we find these issues in the first place? There are a number of possible ways. It could be a result of a number of activities that the Onapsis Research Labs team or Professional Services team perform. It might be we discover the vulnerability during a services engagement for a client; or as the output from a dedicated bug hunting activity (where our labs team will take a deep dive with SAP technology and attempt to find previously unknown issues in SAP modules and applications) or they are born out of ideas that lead to “What if” and other brain storming conversations that take place internally.

Continue reading

Share Button

Security Geeks Introduction to SAP – RFC Destinations

As means of a background, I have been in the security field, specifically the pro-active testing (penetration testing) side of security for over a decade. As part of my role I would present at public and private conferences, helping to educate organizations about the benefits of pen testing or helping to educate pen testing teams about the latest techniques.

I say all of this in order to communicate that I would grade myself as having an above average knowledge of the security space and significant familiarity with commonly used terms in the industry. So when I recently took a product manager roles at Onapsis and was told I would have to learn about SAP and the security and risk implications around SAP in the enterprise I smiled and thought “well, I guess I know what I am doing the first couple of days”. As it turns out SAP is a world unto itself, with a lot of history and complexity.

This blog is the third in a series that documents the self-education that I have been undertaking as I learn about SAP, assessing the security of a SAP system and then implementing secure practices.

This blog builds on a webcast I was fortunate to take part in. My colleague Sergio Abraham has spent a considerable amount of time research RFC Destinations, the common ways they are configured and how various SAP components install RFC Destinations in order to function. I recommend in addition to this blog you view the webcast recording here and the corresponding question and answer session it generated here.

Continue reading

Share Button