Invest in security to secure investments
What CISOs should know about SAP security
Alexander Polyakov, CTO, ERPScan
Agenda
• SAP: intro
• SAP security vulnerabilities
• SAP security myths
• Demo
• Problem
• Solution
• SAP security in figures report
• Future trends and predictions
• Conclusions
Business application security
All business processes are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in the company's ERP. This information can include financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim's ERP system and can cause significant damage to the business.
SAP
• The most popular business application
• More than 248000 customers worldwide
• 86% of Forbes 500 run SAP
Business application security
• Complexity: complexity kills security. Many different vulnerabilities at all levels, from network to application
• Customization: cannot be installed out of the box. Systems carry a lot of (up to 50%) custom code and business logic
• Risky: rarely updated because administrators are afraid systems may break during updates; updates also mean downtime
• Unknown: mostly available only inside the company (closed world)
http://erpscan.com/wp-content/uploads/pres/Forgotten%20World%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf
Why security?
• Espionage
  – Stealing financial information
  – Stealing corporate secrets
  – Stealing supplier and customer lists
  – Stealing HR data
• Sabotage
  – Denial of service
  – Modification of financial reports
  – Access to technology network (SCADA) by trust relations
• Fraud
  – False transactions
  – Modification of master data
SAP Security Problems
Myth 1: Business applications are only available internally, which means no threat from the Internet
Myth 2: ERP security is a vendor's problem
Myth 3: Business application internals are very specific and are not known to hackers
Myth 4: ERP security is all about SOD
Myth 1
Current point of view: this myth is popular for internal corporate systems, and people think that these systems are only available internally.
Real life: maybe in the mainframe era you could use SAP only internally, but not now, in the era of global communications. You need connections with:
• other offices
• customers and suppliers
• the SAP network (for SAP systems you need a connection to SAP)
Even if you do not have a direct connection, there are user workstations connected to the Internet.
Myth 2
The vendor is NOT responsible for any damage caused by the vulnerabilities in its products.
• Vendor problems
  – Program errors
  – Architecture errors
• User problems
  – Implementation architecture errors
  – Defaults and misconfigurations
  – Human factor
  – Patch management
  – Policies and procedures
Even if software is secure, it should be securely implemented.
Myth 3
Current point of view: business application internals are very specific and are not known to hackers.
Real life:
• Popular products are "reviewed" by hackers, and thus become more secure
• Business applications became more and more popular on the Internet
• And also popular with hackers and researchers
• Unfortunately, their security level is still like 3-5 years ago
• Now they look like a defenseless child in a big city
Myth 4
Current point of view: many people, especially ERP people, think that security is all about SOD.
Real life:
• Making AD access control does not give you a secure infrastructure
• Buying a new engine for your car every year will not help you if you simply puncture a wheel
• Also remember the Sachar Paulus interview, which says: "other threat comes from people connecting their ERP systems to the Internet"
An ERP system with secure SOD and nothing else is much like spending all your money on video systems and biometric access control while leaving the back door open for housekeepers.
SAP Security: DEMO 1
SAP Security: Problem
SAP Security Problems
• How to protect ourselves from fraud and cyber-activities?
• How to automate security checks for big landscapes?
• How to decrease costs?
• How to prioritize updates?
SAP Security talks
[Bar chart: number of SAP security talks per year, 2006 to 2012]
Most popular conferences:
• BlackHat
• HITB
• Troopers
• RSA
• Source
• DeepSec
• etc.
ISACA Assurance (ITAFF)
2007 – Architecture vulnerabilities in the RFC protocol
2008 – Attacks via SAPGUI
2009 – SAP backdoors
2010 – Attacks via SAP web applications
2010 – Stuxnet for SAP
2011 – Architecture and program vulnerabilities in ABAP and J2EE
2012 – Vulnerabilities in SAP solutions (SolMan, Portal, XI), services (Dispatcher, Message Server) and protocols (XML, DIAG)
2013 – SAP forensics and anti-forensics
How to get this information?
SAP Security notes
[Bar chart: SAP security notes per year, 2001 to 2012]
By January 2013, a total of 2520 notes
Only one vulnerability is enough to get access to ALL business-critical DATA
Disclosed vulnerabilities
And…
Now, it adds, "We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they..." Anonymous claims to have a "sweet 0day SAP exploit", and the group intends to "sploit the hell out of it."
* This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
SAP Security: Solutions
2002 – Business logic security (SOD). Prevents attacks or mistakes made by insiders. Solution: GRC
2008 – ABAP code security. Prevents attacks or mistakes made by developers. Solution: code audit
2010 – Application platform security. Prevents unauthorized access both within the corporate network and from remote attackers. Solution?
2013 – Forensics. What if something was missed in the listed areas?
Compliance
First of all, choose the one that you want:
• EAS-SEC
• SAP NetWeaver ABAP Security Configuration
• ISACA (ITAF)
• DSAG
SAP Security Guidelines
• Guidelines made by SAP
• First official SAP guide for technical security of the ABAP stack
• "Secure Configuration of SAP NetWeaver® Application Server Using ABAP"
• First version: 2010; version 1.2: 2012
• For rapid assessment of the most common technical misconfigurations in the platform
• Consists of 9 areas and 82 checks
• Ideal as a second step; gives more detail on some of the EAS-SEC standard areas
SAP Security Guidelines: areas
• Network access control
• Workstation security
• Password policies
• Network security
• HTTP security
• Unnecessary web applications
• RFC connections
• SAP Gateway security
• SAP Message Server security
ISACA Assurance (ITAF)
• Guidelines made by ISACA
• Checks cover configuration and access control areas
• The first most complete compliance guideline
• 3 versions were published, in 2002, 2006 and 2009 (some areas are outdated)
• The technical part is covered less than access control and misses critical areas
• The main advantage is a big database of access control checks
• Consists of 4 parts and about 160 checks
• Ideal as a third step and for detailed coverage of access control
DSAG
• Set of recommendations from the Deutsche SAP Users Group
• Checks cover all security areas, from technical configuration and source code to access control and management procedures
• Currently the biggest guideline on SAP security
• Last version: January 2011
• Consists of 8 areas and 200+ checks
• Ideal as a final step for securing SAP, but consists of many checks which need additional decision making that highly depends on the installation
http://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf
EAS-SEC for NetWeaver (EASAI-NA)
Enterprise Application Systems Application Implementation – NetWeaver ABAP
• Developed by ERPScan: the first standard of the EAS-SEC series
• Will be published in September
• Rapid assessment of SAP security in 9 areas
• Contains the 33 most critical checks
• Ideal as a first step
• Also contains information for the next steps
• Categorized by priority and criticality
EASAI-NA-2013 (columns: EASAI-NA area; access needed; criticality; easy to exploit; % of vulnerable systems)
1. Lack of patch management – Anonymous; High; High; 99%
2. Default passwords for application access – Anonymous; High; High; 95%
3. Unnecessary enabled functionality – Anonymous; High; High; 90%
4. Open remote management interfaces – Anonymous; High; Medium; 90%
5. Insecure configuration – Anonymous; Medium; Medium; 90%
6. Unencrypted communication – Anonymous; Medium; Medium; 80%
7. Access control and SOD – User; High; Medium; 99%
8. Insecure trust relations – User; High; Medium; 80%
9. Logging and monitoring – Administrator; High; Medium; 98%
SAP Security: SAP Security in Figures 2013
Security notes by year
[Bar chart: SAP security notes per year, 2001 to 2013]
More than 2600 in total
Security notes by criticality
[Charts: high priority vulnerabilities and low priority vulnerabilities per year, 2009 to 2012; security notes by priority class, counted by the end of April 2013]
Priority classes: 6 – Recommendations/additional info; 4 – Correction with low priority; 3 – Correction with medium priority; 2 – Correction with high priority; 1 – HotNews
Security notes by type
[Pie chart: top 10 vulnerabilities by type; the percentages cannot be recovered from the extracted text]
Top 5 types: 1 – XSS; 2 – Missing authorisation check; 3 – Directory traversal; 4 – SQL injection; 5 – Information disclosure
Acknowledgments
Number of vulnerabilities found by external researchers:
• 2010 – 58
• 2011 – 107
• 2012 – 89
• 2013 – 52
[Bar chart: percentage of vulnerabilities found by external researchers, 2010 to 2013]
The record of vulnerabilities found by external researchers was broken in January 2013: 76%
Acknowledgments
• More interest from other companies
[Bar chart: number of already patched issues* per year, 2010 to 2012]
* Number of vulnerabilities that were sent to SAP but were rejected because they had already been found by another company or by SAP's internal code review.
SAP security talks at conferences
[Bar chart: number of SAP security talks at conferences per year, 2003 to 2013]
Talks about:
• Common: SAP backdoors, SAP rootkits, SAP forensics
• Services: SAP Gateway, SAP Router, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solution Manager, SAP TMS, SAP Management Console, SAP ICM/ITS
• Protocols: DIAG, RFC, SOAP (MMC), Message Server, P4
• Languages: ABAP buffer overflow, ABAP SQL injection, J2EE verb tampering, J2EE Invoker Servlet
• Overview: SAP cyber-attacks, Top 10 interesting issues, Myths about ERP
Almost every part of SAP has been hacked
Top 5 SAP vulnerabilities 2012
1. SAP NetWeaver DilbertMsg servlet SSRF (June)
2. SAP HostControl command injection (May)
3. SAP SDM Agent command injection (November)
4. SAP Message Server buffer overflow (February)
5. SAP DIAG buffer overflow (May)
SAP NetWeaver DilbertMsg servlet SSRF
Espionage: Critical
Sabotage: Critical
Fraud: Medium
Availability: Anonymously through the Internet
Ease of exploitation: Medium
Future impact: High (new type of attack)
CVSSv2: 7.3
Advisory: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/
Patch: SAP Note 1707494
Authors: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)
SAP HostControl command injection
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously through the Internet
Ease of exploitation: Easy (a Metasploit module exists)
Future impact: Low (single issue)
CVSSv2: 10
Advisory: http://www.contextis.com/research/blog/sap-parameter-injection-no-space-arguments/
Patch: SAP Note 1341333
Author: Contextis
SAP J2EE file read/write
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously
Ease of exploitation: Medium
Future impact: Low
CVSSv2: 10
Advisory: https://service.sap.com/sap/support/notes/1682613
Patch: SAP Note 1682613
Author: Juan Pablo
SAP Message Server buffer overflow
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymous
Ease of exploitation: Medium. Good knowledge of exploit writing for multiple platforms is necessary
CVSSv2: 10.0
Advisory: http://www.zerodayinitiative.com/advisories/ZDI-12-112/
Patch: SAP Notes 1649840 and 1649838
Author: Martin Gallo
SAP DIAG buffer overflow
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Low. Trace must be on
Ease of exploitation: Medium
CVSSv2: 9.3
Advisory: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Patch: SAP Note 1687910
Author: Martin Gallo
SAP Security: SAP and the Internet
SAP on the Internet
• Companies have SAP Portals, SAP SRMs and SAP CRMs remotely accessible
• Companies connect different offices (via SAP XI)
• Companies are connected to SAP (through SAP Router)
• SAP GUI users are connected to the Internet
• Administrators open management interfaces to the Internet for remote control
Almost all business applications have web access now
Google search for web-based SAPs
• As a result of the scan, 695 unique servers with different SAP web applications were found (14% more than in 2011)
• 22% of previously found services were deleted
• 35% growth in the number of new services
Shodan scan
[Bar chart: growth by application server – SAP NetWeaver J2EE, SAP NetWeaver ABAP, SAP Web Application Server, Other (BusinessObjects, SAP Hosting, etc.); the percentages cannot be recovered from the extracted text]
A total of 3741 servers with different SAP web applications were found
Internet Census 2012 scan
• A not-so-legal project by the Carna Botnet
• As a result, 3326 IPs with SAP web applications were found: no SSL 32%, SSL 68%
SAP NetWeaver ABAP – versions
• 7.3: growth by 250%
• 7.2: growth by 70%
• 7.0: loss by 22%
• 6.4: loss by 45%
[Pie chart: NetWeaver ABAP versions by popularity – 7.0 EHP 0 (Nov 2005), 7.0 EHP 1 (Oct 2008), 7.0 EHP 2 (Apr 2010), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004); only the 35% share of 7.0 is stated in the text]
The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005! But security is getting better.
NetWeaver ABAP – information disclosure
• Information about the ABAP engine version can easily be found by reading an HTTP response
• Detailed info about the patch level can be obtained if the application server is not securely configured
• An attacker can get information from some pages like /sap/public/info
6% (was 59%) of servers still have this issue
SAP NetWeaver ABAP – critical services
• Execution of dangerous RFC functions using HTTP requests
• NetWeaver ABAP URL: /sap/bc/soap/rfc
• There are several critical functions, such as:
  – Read data from SAP tables
  – Create SAP users
  – Execute OS commands, make financial transactions, etc.
• By default, any user can have access to this interface and execute the RFC_PING command. So there are 2 main risks:
  – If there is a default username and password, the attacker can execute numerous dangerous RFC functions
  – If a remote attacker obtains any existing user credentials, they can execute a denial of service attack with a malformed XML packet
6% (was 40%) of ABAP systems on the Internet have the SOAP RFC service
Prevention
• Install SAP note 1394100
• Install SAP note 931252
• Disable applications that are not necessary
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true
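As an added example (not from the slides or from ERPScan), a small Python check that runs over ICM HTTP access log lines and flags requests to the pages and services named in this talk: /sap/public/info and /sap/bc/soap/rfc above, and the J2EE pages /rep/build_info.jsp, /bcb/bcbadmSystemInfo.jsp, /AdapterFramework/version/version.jsp and /ctc/ConfigTool from the following slides, separating internal from external clients. It assumes the ICM log is written in Common Log Format (the LOGFORMAT=CLF option of icm/HTTP/logging_0) and that the company's own clients use RFC 1918 addresses; the log lines and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed ICM HTTP access log lines in Common Log Format (CLF), as written when
# icm/HTTP/logging_0 uses LOGFORMAT=CLF. 198.51.100.7 stands for an Internet client,
# 10.0.0.5 for an internal workstation; both addresses are constructed.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2013:10:01:02 +0200] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 5120
198.51.100.7 - - [12/Sep/2013:10:01:09 +0200] "GET /sap/public/info HTTP/1.1" 200 1874
198.51.100.7 - - [12/Sep/2013:10:01:15 +0200] "POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1" 401 0
198.51.100.7 - - [12/Sep/2013:10:01:16 +0200] "POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1" 500 0
10.0.0.5 - - [12/Sep/2013:10:02:00 +0200] "GET /rep/build_info.jsp HTTP/1.1" 200 912
"""

CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Paths named on the slides: version/patch-level disclosure pages and the
# SOAP RFC and CTC services that are reachable without proper authentication.
WATCHED_PATHS = {
    "/sap/public/info": "abap-info-disclosure",
    "/rep/build_info.jsp": "j2ee-info-disclosure",
    "/bcb/bcbadmSystemInfo.jsp": "j2ee-info-disclosure",
    "/AdapterFramework/version/version.jsp": "j2ee-info-disclosure",
    "/sap/bc/soap/rfc": "soap-rfc-service",
    "/ctc/ConfigTool": "j2ee-ctc-service",
}

# Assumption: the company's own clients sit in RFC 1918 space; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_clf(line):
    """Parse one CLF line into a dict (query string removed from the path); None if it does not match."""
    m = CLF_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec

def classify(path):
    """Return the watch category for a request path, or None if the path is not watched."""
    p = path.lower()   # paths are matched case-insensitively here, which is the conservative choice for detection
    for prefix, label in WATCHED_PATHS.items():
        if p == prefix.lower() or p.startswith(prefix.lower() + "/"):
            return label
    return None

def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True   # a hostname cannot be checked against the internal ranges; treat as external
    return not any(ip in net for net in INTERNAL_NETS)

def find_hits(log_text):
    """Return one finding per watched request, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        label = classify(rec["path"]) if rec else None
        if label is None:
            continue
        hits.append({"client": rec["host"], "external": is_external(rec["host"]),
                     "category": label, "path": rec["path"], "status": rec["status"]})
    return hits

def summarize(hits):
    """Count findings per (client, category); external clients are the ones to act on first."""
    return Counter((h["client"], h["category"]) for h in hits)

for hit in find_hits(SAMPLE_LOG):   # stand-alone run over the constructed sample
    print("EXTERNAL" if hit["external"] else "internal", hit["client"], hit["category"], hit["path"], hit["status"])
```

Requests from external clients to the SOAP RFC service, even ones that fail with 401, are the signal that the service is reachable from the Internet and should be disabled or restricted as the Prevention slide describes.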
SAP NetWeaver J2EE – versions
• 7.31: growth from 0 to 3%
• 7.30: growth from 0 to 9%
• 7.02: growth by 67%
• 7.0: loss by 23%
• 6.4: loss by 40%
[Pie chart: NetWeaver Java versions by popularity – NetWeaver 7.00, 7.01, 7.02, 7.30, 7.31, 6.40; only the 44% share of 7.0 is stated in the text]
The most popular release (44%, previously 57%) is still NetWeaver 7.0, and it was released in 2005! But security is getting better.
NetWeaver J2EE – information disclosure
• Information about the J2EE engine version can easily be found by reading an HTTP response.
• Detailed info about the patch level can be obtained if the application server is not securely configured and allows an attacker to get information from some pages:
  – /rep/build_info.jsp: 26% (61% last year)
  – /bcb/bcbadmSystemInfo.jsp: 1.5% (17% last year)
  – /AdapterFramework/version/version.jsp: 2.7% (a new issue)
Prevention
• Install SAP note 1503856
• Install SAP note 1548548
• Install SAP note 1679897
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true
SAP NetWeaver J2EE – critical services
• NetWeaver J2EE URL: /ctc/ConfigTool (and 30 others)
• Can be exploited without authentication
• There are several critical functions, such as:
  – Create users
  – Assign a role to a user
  – Execute OS commands
  – Remotely turn the J2EE Engine on and off
• Presented by us at BlackHat 2011
It was found that 50% (was 61%) of J2EE systems on the Internet have the CTC service enabled
Prevention
• Install SAP note 1589525
From Internet to Intranet
SAP Router
• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
• Internet accessible (approximately 5000 IPs)
• http://www.easymarketplace.de/saprouter.php
Almost every third company has an SAP Router accessible from the Internet on the default port.
SAP Router: known issues
• Absence of ACL – 15%
  – Possible to proxy any request to any internal address
• Information disclosure about internal systems – 19%
  – Denial of service by specifying many connections to any of the listed SAP servers
  – Proxying requests to the internal network if there is no ACL
• Insecure configuration, authentication bypass – 5%
• Heap corruption vulnerability
Port scan results
• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not
• In 2011, we ran a global project to scan all of the Internet for SAP services
• It is not completely finished yet, but we have the results for the top 1000 companies
• We were shocked when we first saw them
Port scan results
[Bar chart: exposed services in 2011 vs 2013 – SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server, SAP Message Server httpd, SAP Router]
The listed services should not be accessible from the Internet
South Africa vs Average
[Bar chart: exposed critical SAP services, South Africa vs average – SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
SAP HostControl service
• SAP HostControl is a service which allows remote control of SAP systems
• There are some functions that can be used remotely without authentication
• Issues:
  – Read developer traces with passwords
  – Remote command injection
• About every 120th (was 20th) company is vulnerable REMOTELY
• About 35% of assessed systems locally
Prevention
• SAP note 927637 – Web service authentication in sapstartsrv as of Release 7.00
• SAP note 1439348 – Extended security settings for sapstartsrv
SAP Management Console
• SAP MMC allows remote control of SAP systems
• There are some functions that can be used remotely without authentication
• Issues:
  – Read developer traces with passwords
  – Read logs with JSESSIONIDs
  – Read information about parameters
• About every 40th (was 11th) company is vulnerable REMOTELY
• About 80% of systems locally
SAP Message Server
• SAP Message Server – load balancer for application servers
• Usually, this service is only available inside the company
• By default, the server listens on port 36NN
• Issues:
  – Memory corruption
  – Information disclosure
  – Unauthorized service registration (MITM)
• About every 60th (was every 10th) company is vulnerable REMOTELY
• About 50% of systems locally
SAP Message Server HTTP
• HTTP port of the SAP Message Server
• Usually, this service is only available inside the company
• By default, the server listens on port 81NN
• Issue: unauthorized read of profile parameters
• About every 60th (was every 10th) company is vulnerable REMOTELY
• About 90% of systems locally
Prevention
• Install SAP note 916398
SAP Dispatcher service
• SAP Dispatcher – client-server communications
• It allows connecting to SAP NetWeaver using the SAP GUI application through the DIAG protocol
• Should not be available from the Internet in any way
• Issues:
  – There are a lot of default users that can be used to connect and fully compromise the system remotely
  – Also, there are memory corruption vulnerabilities in the Dispatcher
• About every 20th (was 6th) company is vulnerable REMOTELY
Prevention
• Install SAP note 1741793
But who actually tried to exploit it?
Attacks
• Exploit market interest
  – Companies like ZDI buy exploits for SAP
  – In 2012 alone, ZDI published 5 critical SAP issues
  – Companies who trade 0-days say that there is interest from both sides
• Anonymous attacks
• Insider attacks
  – Salary modification
  – Material management fraud
  – Mistaken transactions
• Evil subcontractors and ABAP backdoors
What has happened already?
• AutoCAD virus (industrial espionage)
  – http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html
• Internet trading virus (fraud): Ranbyus modification for QUIK
  – http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
• News resources hacking (sabotage)
  – http://www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html
What can be done?
Just imagine what could be done by breaking:
• One SAP system
• All SAP systems of a company
• All SAP systems in a particular country
• Everything
SAP strategy in app security
• Now security is the number 1 priority for SAP
• Implemented its own internal security process (SDLC)
• Security summits for internal teams
• Internal trainings with external researchers
• Strong partnership with research companies
• Investments in automatic and manual security assessment of new and old software
Future trends and predictions
• Old issues are being patched, but a lot of new systems have vulnerabilities
• The number of vulnerabilities per year is going down compared to 2010, but they are more critical
• The number of companies who find issues in SAP is growing
• There are still many uncovered areas in SAP security
• SAP forensics can be a new research area, because it is not easy to find evidence now, even if it exists
Forensics as a new trend for 2013
• If there are no known attacks, it doesn't mean anything
• Companies don't like to share information about data compromise
• Companies don't have the ability to identify an attack
• Only 10% of systems use the security audit log in SAP
• Only 2% of systems analyze it
• Only 1% do correlation and deep analysis
* Based on the assessment of over 250 servers of companies that allowed us to share results
Forensics as a new trend for 2013
Share of assessed systems with each log source enabled*:
• ICM log (icm/HTTP/logging_0): 70%
• Security audit log in ABAP: 10%
• Table access logging (rec/client): 4%
• Message Server log (ms/audit): 2%
• SAP Gateway access log: 2%
* Based on the assessment of over 250 servers of companies that allowed us to share results.
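As an added example (not from the slides or from ERPScan), a Python checker that reads an SAP instance profile and reports which of the five log sources listed above are switched on. The profile fragment is constructed; the parameter names icm/HTTP/logging_0, rec/client and ms/audit come from the slide, while rsau/enable (Security Audit Log) and gw/logging (Gateway log) are assumed here from general SAP knowledge, since the slide names those logs but not their parameters.

```python
import re

# Constructed SAP instance-profile fragment (not taken from any real system).
SAMPLE_PROFILE = """\
# Instance profile DEV_DVEBMGS00_sapdev (constructed example)
SAPSYSTEMNAME = DEV
INSTANCE_NAME = DVEBMGS00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_LOGGING)/http_access.log,LOGFORMAT=CLF
rec/client = OFF
ms/audit = 0
rsau/enable = 1
login/min_password_lng = 8
"""

# Profile lines have the shape "parameter = value"; '#' starts a comment.
PARAM_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Return {parameter: value}; a parameter set twice keeps its last value."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def check_logging(params):
    """Map each log source from the slide to (enabled, detail).

    icm/HTTP/logging_0, rec/client and ms/audit are the parameters named on the slide;
    rsau/enable (Security Audit Log) and gw/logging (Gateway log) are assumed here from
    general SAP knowledge, since the slide names those logs but not their parameters."""
    icm = params.get("icm/HTTP/logging_0", "")
    rsau = params.get("rsau/enable", "0")
    rec = params.get("rec/client", "OFF").upper()      # OFF is the default: no table logging
    ms = params.get("ms/audit", "0")
    gw = params.get("gw/logging", "")
    return {
        "ICM HTTP log": (bool(icm), icm or "icm/HTTP/logging_0 not set"),
        "Security audit log (ABAP)": (rsau == "1", f"rsau/enable = {rsau}"),
        "Table access logging": (rec not in ("", "OFF"), f"rec/client = {rec}"),
        "Message Server log": (ms.isdigit() and int(ms) > 0, f"ms/audit = {ms}"),
        "SAP Gateway access log": ("LOGFILE=" in gw.upper(), gw or "gw/logging not set"),
    }

def enabled_count(results):
    """Number of the five log sources that are switched on."""
    return sum(1 for ok, _ in results.values() if ok)

def report(profile_text):
    """Print a GAP/OK line per log source and return the raw results."""
    results = check_logging(parse_profile(profile_text))
    for name, (ok, detail) in results.items():
        print(f"[{'OK ' if ok else 'GAP'}] {name}: {detail}")
    print(f"{enabled_count(results)} of {len(results)} log sources enabled")
    return results

report(SAMPLE_PROFILE)   # constructed profile: ICM log and audit log on, the other three off
```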
SAP Security tools
[Chart: number of SAP security tools by category – VA and configuration monitoring, SIEM (6), SoD (10+), ABAP code security (3)]
* We did not compare the quality of the tools and their coverage. For example, SIEM capabilities for SAP can be found in many SIEM solutions, but they cover 10% of all log file types. The same applies to vulnerability assessment: we collected tools that have general scan capabilities including SAP as well as SAP-only tools. SAP checks in those tools can amount to anything from 10 to 7000.
Conclusion
• - The interest in SAP platform security has been growing exponentially, and not only among whitehats
• + SAP security in the default configuration is getting much better now
• - SAP systems can become a target not only for direct attacks (for example APT) but also for mass exploitation
• + SAP invests money and resources in security, provides guidelines, and arranges conferences
• - Unfortunately, SAP users still pay little attention to SAP security
• + I hope that this talk and the report that will be published next month will prove useful in this area
Conclusion
Issues are everywhere but the risks and price for miAgaAon are different
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure:
• SAP guides
• Regular security assessments
• Monitoring technical security
• ABAP code review
• Segregation of duties
It's all in your hands
Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
• Tomorrow!
• September 21: HackerHalted Conference (Atlanta, USA)
• October 7-8: HackerHalted Conference (Reykjavik, Iceland)
• October 30-31: RSA Europe (Amsterdam, Netherlands)
• November 7-8: ZeroNights (Moscow, Russia)