Abstract image of a woman sitting on books and studying on a laptop

Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?

M
michelemanzotti

This document discusses cyber attacks against SAP systems. It notes that while many organizations focus on segregation of duties controls for SAP security, the underlying business infrastructure is also vulnerable. The number of reported vulnerabilities in SAP systems has risen dramatically in recent years. The document outlines some of the external and internal threats facing SAP implementations, and reports that penetration tests conducted by the author's company routinely found major security issues in over 95% of SAP systems evaluated, leaving them exposed to espionage and sabotage attacks.

Technology
1 of 40
Downloaded 62 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Cyber-Attacks & SAP Systems ® Is our business-critical infrastructure exposed? Mariano Nunez mnunez@onapsis.com March 15th, 2012 BlackHat Europe 2012
Disclaimer This publication is copyright 2012 Onapsis, Inc. – All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. Cyber-attacks on SAP systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 2
Who is Onapsis, Inc.?  Company focused in the security of ERP systems and business-critical infrastructure (SAP®, Siebel®, Oracle® E-Business SuiteTM, PeopleSoft®, JD Edwards® …).  Working with Global Fortune-100 and large governmental organizations.  What does Onapsis do?  Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IA).  ERP security consulting services.  Trainings on business-critical infrastructure security. Who am I?  Co-founder & CEO at Onapsis.  Discovered 50+ vulnerabilities in SAP, Microsoft, IBM, ...  Speaker/Trainer at BlackHat, RSA, HackerHalted, HITB, Ekoparty, DeepSec, ...  Developer of the first opensource SAP/ERP PenTesting frameworks.  Lead author of the “SAP Security In-Depth” publication. Cyber-attacks on SAP systems Attacks to SAP Web Applications Cyber-attacks www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 3
Agenda  Introduction  A dangerous status-quo  External and internal threats  The current security level of SAP implementations  The TOP-11 vulnerabilities affecting the SAP infrastructure  Defending the SAP platform  Conclusions Attacks to SAPon SAP Systems Cyber-attacks Web Applications Cyber-Attacks to SAP systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 4
Introduction Cyber-attacks Web Applications Attacks to SAPon SAP Systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 5
What is SAP? ● Largest provider of business management solutions in the world. ● More than 140.000 implementations around the globe. ● More than 90.000 customers in 120 countries. ● Used by Global Fortune-1000 companies, governmental organizations and defense agencies to run their every-day business processes. ● Such as Revenue / Production / Expenditure business cycles. FINANCIAL PLANNING TREASURY PAYROLL INVOICING LOGISTICS SALES BILLING PRODUCTION PROCUREMENT Cyber-attacks on SAP Systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 6
A Dangerous Status-quo Cyber-attacks Web Applications Attacks to SAPon SAP Systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 7
What “SAP Security” used to be 5 years ago ● “SAP security” was regarded as a synonym of “Segregation of Duties controls”. ● Sample goal: “Make sure that if Tim can create a new vendor, he can not create purchase orders”. ● This was mapped to a SoD matrix with SAP transactions / authorization objects. ● Most large organizations had “SAP Security” in place: they were spending hundreds of thousands/millions of dollars in SAP security yearly by having: ● A dedicated Team of SAP security professionals. ● SoD & GRC software (usually costing $500K-$2M or more). Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 8
Breaking the status-quo / BlackHat 2007 ● The Information Security and Audit communities were doing fine with that status quo. Most SAP-related security documents and guidelines only dealt with SoD issues. ● One day, back in 2005, we were hired to do a Webapp pentest. ● The only difference was that the Web Server was an SAP Web Application Server. ● Suddenly, we started discovering vulnerabilities that were not in the apps, but in the framework itself! ● We checked online… they were not reported. ● Back then, the total number of reported SAP vulnerabilities was: 90 Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 9
What “SAP Security” really is ● SAP security is a complex discipline, that must be addressed holistically! ● SoD controls are necessary, but they are not enough. ● They only address one of the layers where security must be enforced. ● The forgotten layer: The Business Infrastructure (NetWeaver/Basis). ● Base framework in charge of critical tasks such as authentication, authorization, encryption, interfaces, audit, logging, etc. ● Can be susceptible of security vulnerabilities that, if exploited, can lead to espionage, sabotage and fraud attacks to the business information. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 10
A different (higher) risk profile ● Exploitation of a SoD weakness: 1. The attacker needs a valid user account in the target SAP system. 2. He needs to find out that he has more access than he should have. 3. Common auditing features may detect his activities. ● Exploitation of a technical/infrastructure weakness: 1. The attacker does not need a valid user account in the target SAP system. 2. A successful attack will allow him to achieve SAP_ALL privileges (even without having a real user!). 3. Common auditing features would not detect his activities. Cyber-attacks on SAP Systems Cyber-Attacks to SAP Systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 11
A Rising Threat ● The number of SAP Security Notes has increased dramatically over the last years. ● Security Notes usually address one or more vulnerabilities. ● Most of these issues affect the Business Runtime. Number of SAP Security Notes per Year Cyber-attacks to Attacks to SAPon SAP Systems Cyber-Attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 12
External and Internal Threats Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 13
Querying search engines ● While most SAP systems were only reachable internally a decade ago, now it’s common for SAP systems to be connected to the Internet. ● Attackers know how to find them using regular search engines. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 14
But… is it more than just Web apps? ● Even if companies believe they are not online, many of them are! ● When you acquire SAP, the agreement specifies that you have to allow remote access through a special component called SAProuter. ● Network services such as the Dispatcher, Gateway, Management Console, Message Server, P4 interface, etc. should never touch the Internet… ● What’s the reality? Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 15
- From the Trenches - The Current Security Level of SAP Implementations Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 16
From the trenches ● Since 2005, our experts were engaged to perform numerous SAP Penetration Tests, including some of the largest organizations of the world. ● We have evaluated 550+ SAP Application Servers in total. ● A typical project: ● Network access to the end-user network. ● List of IP addresses of SAP servers. ● NO user/password credentials. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 17
From the trenches ● Our findings: ● Over 95% of the systems were exposed to espionage, sabotage and fraud attacks. A malicious party would have been able to achieve SAP_ALL or equivalent privileges without having access credentials. ● Only 5% of the evaluated SAP systems had the proper security audit logging features enabled. ● None of the evaluated SAP systems were fully updated with the latest SAP security patches. ● In most cases, the attack vectors that leaded to the initial compromise comprised the exploitation of vulnerabilities that have been in the public domain for more than 5 years. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 18
The TOP-11 vulnerabilities affecting the SAP infrastructure Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 19
BIZEC.org, the business application security initiative ● BIZEC.org is a non-profit organization focused on security threats affecting ERP systems and business-critical infrastructure. ● The BIZEC TEC/11 project lists the most common and most critical security defects and threats affecting the Business Runtime layer/infrastructure of SAP platforms. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 20
BIZEC TEC-01: Vulnerable Software in Use Risk The SAP platform is running based on technological frameworks whose versions are affected by reported security vulnerabilities and the respective fixes have not been applied. Business Impact Attackers would be able to exploit reported security vulnerabilities and perform unauthorized activities over the business information processed by the affected SAP system. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 21
BIZEC TEC-02: Standard Users with Default Passwords Risk Users created automatically during the SAP system installation, or other standard procedures, are configured with default, publicly known passwords. Business Impact Attackers would be able to login to the affected SAP system using a standard SAP user account. As these accounts are usually highly privileged, the business information would be exposed espionage, sabotage and fraud attacks. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 22
BIZEC TEC-03: Unsecured SAP Gateway Risk The SAP Application Server’s Gateway is not restricting the starting, registration or cancellation of external RFC servers. Business Impact Attackers would be able to obtain full control of the SAP system. Furthermore, they would be able to intercept and manipulate interfaces used for transmitting sensitive business information. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 23
BIZEC TEC-04: Unsecured SAP/Oracle authentication Risk The SAP ABAP Application Server authenticates to the Oracle database through the OPS$ mechanism, and the Oracle’s listener has not been secured. Business Impact Attackers would be able to obtain full control of the affected SAP system’s database, enabling them to create, visualize, modify and/or delete any business information processed by the system. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 24
BIZEC TEC-05: Insecure RFC interfaces Risk The SAP environment is using insecure RFC connections from systems of lower security-classification level to systems with higher security- classification levels. Business Impact Attackers would be able to perform RFC pivoting attacks, by first compromising an SAP system with low security-classification and, subsequently, abusing insecure interfaces to compromise SAP systems with higher security-classification levels. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 25
BIZEC TEC-06: Insufficient Security Audit Logging Risk The SAP System’s auditing features are disabled or not properly configured. Business Impact It would not be possible to detect suspicious activities or attacks against the SAP system. Furthermore, valuable information for forensic investigations would not be available. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 26
BIZEC TEC-07: Unsecured SAP Message Server Risk The SAP System’s Message Server is not restricting the registration of SAP Application Servers. Business Impact Attackers would be able to register malicious SAP Application Servers and perform man-in-the-middle attacks, being able to obtain valid user access credentials and sensitive business information. Attacks against user workstations would also be possible. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 27
BIZEC TEC-08: Dangerous SAP Web Applications Risk The SAP Application Server is allowing access to Web applications with reported security vulnerabilities or sensitive functionality. Business Impact Attackers would be able to exploit vulnerabilities in such Web applications, enabling them to perform unauthorized activities over the business information processed by the affected SAP system. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 28
BIZEC TEC-09: Unprotected Access to Administration Services Risk The SAP Application Server is not restricting access to sensitive administration or monitoring services. Business Impact Attackers would be able to access administration or monitoring services and perform unauthorized activities over the affected SAP systems, possibly leading to espionage and/or sabotage attacks. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 29
BIZEC TEC-10: Insecure Network Environment Risk The network environment of the SAP platform is not properly secured through the deployment and configuration of network firewalls, specialized Intrusion Prevention and Detection systems and application- layer gateways. Business Impact Attackers would be able to access sensitive SAP network services and possibly exploit vulnerabilities and unsafe configurations in them, leading to the execution of unauthorized activities over the affected SAP platform. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 30
BIZEC TEC-11: Unencrypted Communications Risk The confidentiality and integrity of communications in the SAP landscape is not enforced. These communications comprise SAP-to-SAP connections as well as interactions between SAP servers and external systems, such as user workstations and third-party systems. Business Impact Attackers would be able to access sensitive technical and business information being transferred to/from the SAP environment. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 31
Defending the SAP Platform Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 32
The Challenges ● Knowledge. Understanding how to assess and secure an SAP system requires specialized knowledge. ● Scope. The entire platform must be secured. This comprises: ● Every Landscape (ERP, CRM, SCM, …) in the organization ● Every SAP system in each landscape ● Every Client (mandant) and AS in each system ● Every of the 1500+ configuration parameters of each AS ● Periodicity. The security of the SAP infrastructure must be evaluated periodically, at least after each SAP Security Patch Day, to verify whether new risks have been raised and evaluate mitigation actions. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 33
SAP Security - Who is responsible? ● Unlike other systems (such as Web servers, domain controllers, etc.), the security of SAP systems usually falls under the domain of “The Business”. ● This means that the officers in charge of securing the systems are the same ones who are responsible for verifying whether they are secure or not.  FAIL. ● If the organization's SAP teams are responsible for protecting the SAP platform, the Information Security Manager / CISO department must verify whether the current security level matches the organization's defined risk appetite. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 34
SAP Security - Who is responsible? Let’s think about it: ● Is the SAP platform a “blackbox” for the Information Security team? ● Does the Information Security team “trust but verify”? ● Who will be ultimately responsible if there is a security breach in the SAP platform? ● What if the SAP platform is compromised, not by a high-profile and complex attack, but rather as the result of the exploitation of a vulnerability that has been publicly known for several years? Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 35
Conclusions Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 36
Conclusions ● Segregation of Duties controls are necessary, but not enough! ● The SAP infrastructure can be exposed to technical security vulnerabilities that, if exploited, would enable espionage, sabotage and financial fraud attacks. ● The risk level in this matter is higher, as attackers do not even need a user account in the system! ● The number of SAP security notes have dramatically increased over the last years. Customers are not catching-up. ● Many companies state that “our SAP system has not been hacked”, but they do not even have the basic auditing features enabled! Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 37
Conclusions ● Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented. ● SAP is taking important steps into increasing the security of its customers’ systems (security guides, regular patches, new standards). ● While “The Business” may work on the security of the platform, it’s the responsibility of Information Security to verify that they are doing their job. ● If our business-critical infrastructure is hacked by a 5-year-old vulnerability, we are clearly doing something wrong. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 38
Questions? mnunez@onapsis.com @marianonunezdc Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 39
Thank you! www.onapsis.com Follow us! @onapsis Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 40

More Related Content

PDF
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Onapsis Inc.
 
PDF
Penetration Testing SAP Systems
Onapsis Inc.
 
PDF
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Onapsis Inc.
 
PDF
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Onapsis Inc.
 
PDF
Onapsis SAP Backdoors
Onapsis Inc.
 
PDF
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
Onapsis Inc.
 
PDF
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Onapsis Inc.
 
PDF
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Onapsis Inc.
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Onapsis Inc.
 
Penetration Testing SAP Systems
Onapsis Inc.
 
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Onapsis Inc.
 
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Onapsis Inc.
 
Onapsis SAP Backdoors
Onapsis Inc.
 
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
Onapsis Inc.
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Onapsis Inc.
 
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Onapsis Inc.
 

What's hot (20)

PDF
Incident Response and SAP Systems
Onapsis Inc.
 
PPTX
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
Tunde Ogunkoya
 
PDF
Understanding the “Why” in Enterprise Application Security Strategy
Priyanka Aash
 
PDF
Highway to Production Securing the SAP TMS
Onapsis Inc.
 
PPTX
ISACA 2016 Annual Conference SA_State of Risk_Tunde Ogunkoya_DeltaGRiC_Consul...
Tunde Ogunkoya
 
PDF
A Risk-Based Mobile App Security Testing Strategy
NowSecure
 
PDF
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
PDF
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
NowSecure
 
PDF
Android P Security Updates: What You Need to Know
NowSecure
 
PPTX
Security concerns in web erp
Manoj Jhawar
 
PDF
From Cave Man to Business Man, the Evolution of the CISO to CIRO
Priyanka Aash
 
PDF
Building a Mobile App Pen Testing Blueprint
NowSecure
 
PDF
2014 09-04-pj
Sébastien GIORIA
 
PDF
Uninvited Guests: Why do hackers love our SAP landscapes?
Virtual Forge
 
PDF
Android Q & iOS 13 Privacy Enhancements
NowSecure
 
PDF
Seguridad: Realidad o Ficción: Control y Seguridad en sus Aplicaciones F5
Cristian Garcia G.
 
PPTX
National Government Webinar: Reap the Rewards of IT Consolidation
SolarWinds
 
PDF
5 Mobile App Security MUST-DOs in 2018
NowSecure
 
PDF
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
NowSecure
 
PPTX
DDos Attacks and Web Threats: How to Protect Your Site & Information
jenkoon
 
Incident Response and SAP Systems
Onapsis Inc.
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
Tunde Ogunkoya
 
Understanding the “Why” in Enterprise Application Security Strategy
Priyanka Aash
 
Highway to Production Securing the SAP TMS
Onapsis Inc.
 
ISACA 2016 Annual Conference SA_State of Risk_Tunde Ogunkoya_DeltaGRiC_Consul...
Tunde Ogunkoya
 
A Risk-Based Mobile App Security Testing Strategy
NowSecure
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
NowSecure
 
Android P Security Updates: What You Need to Know
NowSecure
 
Security concerns in web erp
Manoj Jhawar
 
From Cave Man to Business Man, the Evolution of the CISO to CIRO
Priyanka Aash
 
Building a Mobile App Pen Testing Blueprint
NowSecure
 
2014 09-04-pj
Sébastien GIORIA
 
Uninvited Guests: Why do hackers love our SAP landscapes?
Virtual Forge
 
Android Q & iOS 13 Privacy Enhancements
NowSecure
 
Seguridad: Realidad o Ficción: Control y Seguridad en sus Aplicaciones F5
Cristian Garcia G.
 
National Government Webinar: Reap the Rewards of IT Consolidation
SolarWinds
 
5 Mobile App Security MUST-DOs in 2018
NowSecure
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
NowSecure
 
DDos Attacks and Web Threats: How to Protect Your Site & Information
jenkoon
 
Ad

Similar to Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed? (20)

PDF
Cyber-attacks to SAP Systems
Onapsis Inc.
 
PDF
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis Inc.
 
PDF
SAP Forensics Detecting White Collar Cyber-crime
Onapsis Inc.
 
PDF
SAP Business Objects Attacks
Onapsis Inc.
 
PDF
GRC 2013 Preventing Cyber Attacks for SAP - Onapsis Presentation
rclark004
 
PDF
[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...
CODE BLUE
 
PDF
Assess and monitor SAP security
ERPScan
 
PDF
EAS-SEC Project
ERPScan
 
PDF
What CISOs should know about SAP security
ERPScan
 
PDF
SAP security made easy
ERPScan
 
PDF
Attacks Based on Security Configurations
Onapsis Inc.
 
PPTX
SAP (In)Security: New and Best
Positive Hack Days
 
PDF
SAP Enterprise Threat Detection Overview
SAP Technology
 
PDF
Top 10 most interesting vulnerabilities and attacks in SAP
ERPScan
 
PDF
SAP security in figures
ERPScan
 
PPTX
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
PeterSmetny1
 
PDF
Implementing SAP security in 5 steps
ERPScan
 
PDF
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
ERPScan
 
PDF
Onapsis Security Platform: Detection and Response
Onapsis Inc.
 
PDF
Pen Testing SAP Critical Information Exposed
Onapsis Inc.
 
Cyber-attacks to SAP Systems
Onapsis Inc.
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis Inc.
 
SAP Forensics Detecting White Collar Cyber-crime
Onapsis Inc.
 
SAP Business Objects Attacks
Onapsis Inc.
 
GRC 2013 Preventing Cyber Attacks for SAP - Onapsis Presentation
rclark004
 
[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...
CODE BLUE
 
Assess and monitor SAP security
ERPScan
 
EAS-SEC Project
ERPScan
 
What CISOs should know about SAP security
ERPScan
 
SAP security made easy
ERPScan
 
Attacks Based on Security Configurations
Onapsis Inc.
 
SAP (In)Security: New and Best
Positive Hack Days
 
SAP Enterprise Threat Detection Overview
SAP Technology
 
Top 10 most interesting vulnerabilities and attacks in SAP
ERPScan
 
SAP security in figures
ERPScan
 
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
PeterSmetny1
 
Implementing SAP security in 5 steps
ERPScan
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
ERPScan
 
Onapsis Security Platform: Detection and Response
Onapsis Inc.
 
Pen Testing SAP Critical Information Exposed
Onapsis Inc.
 
Ad

More from michelemanzotti (11)

PDF
Attacking IPv6 Implementation Using Fragmentation
michelemanzotti
 
PDF
Hacking XPATH 2.0
michelemanzotti
 
PDF
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
michelemanzotti
 
PDF
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
PDF
GDI Font Fuzzing in Windows Kernel For Fun
michelemanzotti
 
PDF
Lotus Domino: Penetration Through the Controller
michelemanzotti
 
PDF
Lotus Domino: Penetration Through the Controller
michelemanzotti
 
PPTX
Federate Identity and Access Management
michelemanzotti
 
PPTX
Simple Network Management Protocol
michelemanzotti
 
PPTX
Sistema Federato Interregionale di Autenticazione
michelemanzotti
 
PPTX
L'impatto dei Servizi Applicativi
michelemanzotti
 
Attacking IPv6 Implementation Using Fragmentation
michelemanzotti
 
Hacking XPATH 2.0
michelemanzotti
 
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
michelemanzotti
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
GDI Font Fuzzing in Windows Kernel For Fun
michelemanzotti
 
Lotus Domino: Penetration Through the Controller
michelemanzotti
 
Lotus Domino: Penetration Through the Controller
michelemanzotti
 
Federate Identity and Access Management
michelemanzotti
 
Simple Network Management Protocol
michelemanzotti
 
Sistema Federato Interregionale di Autenticazione
michelemanzotti
 
L'impatto dei Servizi Applicativi
michelemanzotti
 

Recently uploaded (20)

PPTX
Custom Battery Pack Design Considerations for Performance and Safety
Epec Engineered Technologies
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
PDF
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
OpenACC and Open Hackathons Monthly Highlights July 2025
OpenACC
 
PPTX
Build Your First AI Agent with UiPath.pptx
suhanisingh58689
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
DOCX
Basics of Cloud Computing - Cloud Ecosystem
suthak11
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PPTX
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PPTX
Configure Apache Mutual Authentication
Antonino Piraino
 
PDF
Enhancing plagiarism detection using data pre-processing and machine learning...
IAESIJAI
 
PPTX
Microsoft Excel 365/2024 Beginner's training
frank yeboah
 
PDF
Improvisation in detection of pomegranate leaf disease using transfer learni...
IAESIJAI
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
Accessing-Finance-in-Jordan-MENA 2024 2025.pdf
Mustafa Kuğu
 
Custom Battery Pack Design Considerations for Performance and Safety
Epec Engineered Technologies
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
OpenACC and Open Hackathons Monthly Highlights July 2025
OpenACC
 
Build Your First AI Agent with UiPath.pptx
suhanisingh58689
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
Basics of Cloud Computing - Cloud Ecosystem
suthak11
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
What is a Computer? Input Devices /output devices
GulJan8
 
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Configure Apache Mutual Authentication
Antonino Piraino
 
Enhancing plagiarism detection using data pre-processing and machine learning...
IAESIJAI
 
Microsoft Excel 365/2024 Beginner's training
frank yeboah
 
Improvisation in detection of pomegranate leaf disease using transfer learni...
IAESIJAI
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Accessing-Finance-in-Jordan-MENA 2024 2025.pdf
Mustafa Kuğu
 

Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?

  • 1. Cyber-Attacks & SAP Systems ® Is our business-critical infrastructure exposed? Mariano Nunez [email protected] March 15th, 2012 BlackHat Europe 2012
  • 2. Disclaimer This publication is copyright 2012 Onapsis, Inc. – All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. Cyber-attacks on SAP systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 2
  • 3. Who is Onapsis, Inc.?  Company focused in the security of ERP systems and business-critical infrastructure (SAP®, Siebel®, Oracle® E-Business SuiteTM, PeopleSoft®, JD Edwards® …).  Working with Global Fortune-100 and large governmental organizations.  What does Onapsis do?  Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IA).  ERP security consulting services.  Trainings on business-critical infrastructure security. Who am I?  Co-founder & CEO at Onapsis.  Discovered 50+ vulnerabilities in SAP, Microsoft, IBM, ...  Speaker/Trainer at BlackHat, RSA, HackerHalted, HITB, Ekoparty, DeepSec, ...  Developer of the first opensource SAP/ERP PenTesting frameworks.  Lead author of the “SAP Security In-Depth” publication. Cyber-attacks on SAP systems Attacks to SAP Web Applications Cyber-attacks www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 3
  • 4. Agenda  Introduction  A dangerous status-quo  External and internal threats  The current security level of SAP implementations  The TOP-11 vulnerabilities affecting the SAP infrastructure  Defending the SAP platform  Conclusions Attacks to SAPon SAP Systems Cyber-attacks Web Applications Cyber-Attacks to SAP systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 4
  • 5. Introduction Cyber-attacks Web Applications Attacks to SAPon SAP Systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 5
  • 6. What is SAP? ● Largest provider of business management solutions in the world. ● More than 140.000 implementations around the globe. ● More than 90.000 customers in 120 countries. ● Used by Global Fortune-1000 companies, governmental organizations and defense agencies to run their every-day business processes. ● Such as Revenue / Production / Expenditure business cycles. FINANCIAL PLANNING TREASURY PAYROLL INVOICING LOGISTICS SALES BILLING PRODUCTION PROCUREMENT Cyber-attacks on SAP Systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 6
  • 7. A Dangerous Status-quo Cyber-attacks Web Applications Attacks to SAPon SAP Systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 7
  • 8. What “SAP Security” used to be 5 years ago ● “SAP security” was regarded as a synonym of “Segregation of Duties controls”. ● Sample goal: “Make sure that if Tim can create a new vendor, he can not create purchase orders”. ● This was mapped to a SoD matrix with SAP transactions / authorization objects. ● Most large organizations had “SAP Security” in place: they were spending hundreds of thousands/millions of dollars in SAP security yearly by having: ● A dedicated Team of SAP security professionals. ● SoD & GRC software (usually costing $500K-$2M or more). Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 8
  • 9. Breaking the status-quo / BlackHat 2007 ● The Information Security and Audit communities were doing fine with that status quo. Most SAP-related security documents and guidelines only dealt with SoD issues. ● One day, back in 2005, we were hired to do a Webapp pentest. ● The only difference was that the Web Server was an SAP Web Application Server. ● Suddenly, we started discovering vulnerabilities that were not in the apps, but in the framework itself! ● We checked online… they were not reported. ● Back then, the total number of reported SAP vulnerabilities was: 90 Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 9
  • 10. What “SAP Security” really is ● SAP security is a complex discipline, that must be addressed holistically! ● SoD controls are necessary, but they are not enough. ● They only address one of the layers where security must be enforced. ● The forgotten layer: The Business Infrastructure (NetWeaver/Basis). ● Base framework in charge of critical tasks such as authentication, authorization, encryption, interfaces, audit, logging, etc. ● Can be susceptible of security vulnerabilities that, if exploited, can lead to espionage, sabotage and fraud attacks to the business information. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 10
  • 11. A different (higher) risk profile ● Exploitation of a SoD weakness: 1. The attacker needs a valid user account in the target SAP system. 2. He needs to find out that he has more access than he should have. 3. Common auditing features may detect his activities. ● Exploitation of a technical/infrastructure weakness: 1. The attacker does not need a valid user account in the target SAP system. 2. A successful attack will allow him to achieve SAP_ALL privileges (even without having a real user!). 3. Common auditing features would not detect his activities. Cyber-attacks on SAP Systems Cyber-Attacks to SAP Systems www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 11
  • 12. A Rising Threat ● The number of SAP Security Notes has increased dramatically over the last years. ● Security Notes usually address one or more vulnerabilities. ● Most of these issues affect the Business Runtime. Number of SAP Security Notes per Year Cyber-attacks to Attacks to SAPon SAP Systems Cyber-Attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 12
  • 13. External and Internal Threats Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 13
  • 14. Querying search engines ● While most SAP systems were only reachable internally a decade ago, now it’s common for SAP systems to be connected to the Internet. ● Attackers know how to find them using regular search engines. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 14
  • 15. But… is it more than just Web apps? ● Even if companies believe they are not online, many of them are! ● When you acquire SAP, the agreement specifies that you have to allow remote access through a special component called SAProuter. ● Network services such as the Dispatcher, Gateway, Management Console, Message Server, P4 interface, etc. should never touch the Internet… ● What’s the reality? Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 15
  • 16. - From the Trenches - The Current Security Level of SAP Implementations Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 16
  • 17. From the trenches ● Since 2005, our experts were engaged to perform numerous SAP Penetration Tests, including some of the largest organizations of the world. ● We have evaluated 550+ SAP Application Servers in total. ● A typical project: ● Network access to the end-user network. ● List of IP addresses of SAP servers. ● NO user/password credentials. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 17
  • 18. From the trenches ● Our findings: ● Over 95% of the systems were exposed to espionage, sabotage and fraud attacks. A malicious party would have been able to achieve SAP_ALL or equivalent privileges without having access credentials. ● Only 5% of the evaluated SAP systems had the proper security audit logging features enabled. ● None of the evaluated SAP systems were fully updated with the latest SAP security patches. ● In most cases, the attack vectors that leaded to the initial compromise comprised the exploitation of vulnerabilities that have been in the public domain for more than 5 years. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 18
  • 19. The TOP-11 vulnerabilities affecting the SAP infrastructure Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 19
  • 20. BIZEC.org, the business application security initiative ● BIZEC.org is a non-profit organization focused on security threats affecting ERP systems and business-critical infrastructure. ● The BIZEC TEC/11 project lists the most common and most critical security defects and threats affecting the Business Runtime layer/infrastructure of SAP platforms. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 20
  • 21. BIZEC TEC-01: Vulnerable Software in Use Risk The SAP platform is running based on technological frameworks whose versions are affected by reported security vulnerabilities and the respective fixes have not been applied. Business Impact Attackers would be able to exploit reported security vulnerabilities and perform unauthorized activities over the business information processed by the affected SAP system. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 21
  • 22. BIZEC TEC-02: Standard Users with Default Passwords Risk Users created automatically during the SAP system installation, or other standard procedures, are configured with default, publicly known passwords. Business Impact Attackers would be able to login to the affected SAP system using a standard SAP user account. As these accounts are usually highly privileged, the business information would be exposed espionage, sabotage and fraud attacks. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 22
  • 23. BIZEC TEC-03: Unsecured SAP Gateway Risk The SAP Application Server’s Gateway is not restricting the starting, registration or cancellation of external RFC servers. Business Impact Attackers would be able to obtain full control of the SAP system. Furthermore, they would be able to intercept and manipulate interfaces used for transmitting sensitive business information. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 23
  • 24. BIZEC TEC-04: Unsecured SAP/Oracle authentication Risk The SAP ABAP Application Server authenticates to the Oracle database through the OPS$ mechanism, and the Oracle’s listener has not been secured. Business Impact Attackers would be able to obtain full control of the affected SAP system’s database, enabling them to create, visualize, modify and/or delete any business information processed by the system. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 24
  • 25. BIZEC TEC-05: Insecure RFC interfaces Risk The SAP environment is using insecure RFC connections from systems of lower security-classification level to systems with higher security- classification levels. Business Impact Attackers would be able to perform RFC pivoting attacks, by first compromising an SAP system with low security-classification and, subsequently, abusing insecure interfaces to compromise SAP systems with higher security-classification levels. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 25
  • 26. BIZEC TEC-06: Insufficient Security Audit Logging Risk The SAP System’s auditing features are disabled or not properly configured. Business Impact It would not be possible to detect suspicious activities or attacks against the SAP system. Furthermore, valuable information for forensic investigations would not be available. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 26
  • 27. BIZEC TEC-07: Unsecured SAP Message Server Risk The SAP System’s Message Server is not restricting the registration of SAP Application Servers. Business Impact Attackers would be able to register malicious SAP Application Servers and perform man-in-the-middle attacks, being able to obtain valid user access credentials and sensitive business information. Attacks against user workstations would also be possible. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 27
  • 28. BIZEC TEC-08: Dangerous SAP Web Applications Risk The SAP Application Server is allowing access to Web applications with reported security vulnerabilities or sensitive functionality. Business Impact Attackers would be able to exploit vulnerabilities in such Web applications, enabling them to perform unauthorized activities over the business information processed by the affected SAP system. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 28
  • 29. BIZEC TEC-09: Unprotected Access to Administration Services Risk The SAP Application Server is not restricting access to sensitive administration or monitoring services. Business Impact Attackers would be able to access administration or monitoring services and perform unauthorized activities over the affected SAP systems, possibly leading to espionage and/or sabotage attacks. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 29
  • 30. BIZEC TEC-10: Insecure Network Environment Risk The network environment of the SAP platform is not properly secured through the deployment and configuration of network firewalls, specialized Intrusion Prevention and Detection systems and application- layer gateways. Business Impact Attackers would be able to access sensitive SAP network services and possibly exploit vulnerabilities and unsafe configurations in them, leading to the execution of unauthorized activities over the affected SAP platform. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 30
  • 31. BIZEC TEC-11: Unencrypted Communications Risk The confidentiality and integrity of communications in the SAP landscape is not enforced. These communications comprise SAP-to-SAP connections as well as interactions between SAP servers and external systems, such as user workstations and third-party systems. Business Impact Attackers would be able to access sensitive technical and business information being transferred to/from the SAP environment. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 31
  • 32. Defending the SAP Platform Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 32
  • 33. The Challenges ● Knowledge. Understanding how to assess and secure an SAP system requires specialized knowledge. ● Scope. The entire platform must be secured. This comprises: ● Every Landscape (ERP, CRM, SCM, …) in the organization ● Every SAP system in each landscape ● Every Client (mandant) and AS in each system ● Every of the 1500+ configuration parameters of each AS ● Periodicity. The security of the SAP infrastructure must be evaluated periodically, at least after each SAP Security Patch Day, to verify whether new risks have been raised and evaluate mitigation actions. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 33
  • 34. SAP Security - Who is responsible? ● Unlike other systems (such as Web servers, domain controllers, etc.), the security of SAP systems usually falls under the domain of “The Business”. ● This means that the officers in charge of securing the systems are the same ones who are responsible for verifying whether they are secure or not.  FAIL. ● If the organization's SAP teams are responsible for protecting the SAP platform, the Information Security Manager / CISO department must verify whether the current security level matches the organization's defined risk appetite. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 34
  • 35. SAP Security - Who is responsible? Let’s think about it: ● Is the SAP platform a “blackbox” for the Information Security team? ● Does the Information Security team “trust but verify”? ● Who will be ultimately responsible if there is a security breach in the SAP platform? ● What if the SAP platform is compromised, not by a high-profile and complex attack, but rather as the result of the exploitation of a vulnerability that has been publicly known for several years? Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 35
  • 36. Conclusions Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 36
  • 37. Conclusions ● Segregation of Duties controls are necessary, but not enough! ● The SAP infrastructure can be exposed to technical security vulnerabilities that, if exploited, would enable espionage, sabotage and financial fraud attacks. ● The risk level in this matter is higher, as attackers do not even need a user account in the system! ● The number of SAP security notes have dramatically increased over the last years. Customers are not catching-up. ● Many companies state that “our SAP system has not been hacked”, but they do not even have the basic auditing features enabled! Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 37
  • 38. Conclusions ● Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented. ● SAP is taking important steps into increasing the security of its customers’ systems (security guides, regular patches, new standards). ● While “The Business” may work on the security of the platform, it’s the responsibility of Information Security to verify that they are doing their job. ● If our business-critical infrastructure is hacked by a 5-year-old vulnerability, we are clearly doing something wrong. Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 38
  • 39. Questions? [email protected] @marianonunezdc Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 39
  • 40. Thank you! www.onapsis.com Follow us! @onapsis Attacks to SAPon SAP Systems Cyber-attacks Web Applications www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved 40