5 real ways to destroy business by breaking sap applications
TRANSCRIPT
Invest in security to secure investments
5 real ways to destroy business by breaking SAP applica8ons
Alexander Polyakov. CTO, ERPScan
About ERPScan
• The only 360-‐degree SAP security soluBon: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgments from SAP ( 150+ ) • 60+ presenta8ons at key security conferences worldwide • 25 awards and nomina8ons • Research team – 20 experts with experience in different areas
of security • Headquarters in Palo Alto (US) and Amsterdam (EU)
2
Large enterprise sectors
• Oil & Gas • Manufacturing • LogisBcs • Finance • Nuclear Power • Retail • TelecommunicaBon • etc.
3
• The role of business applicaBons in a typical work environment • The need to control them to opBmize business processes • Scope for enormous reducBon in resource overheads and other
direct monetary impact • PotenBal problems that one can’t overlook • The need to reflect on security aspects – is it overstated? • Why is it a REAL and existent risk?
4
Business applica8ons
• Espionage – The] of financial informaBon – Corporate secret and informaBon the] – Supplier and customer list the] – HR data the]
• Sabotage – Denial of service – Tampering of financial records and accounBng data – Access to technology network (SCADA) by trust relaBons
• Fraud – False transacBons – ModificaBon of master data
5
What can the implica8ons be?
SAP
Вставьте рисунок на слайд, скруглите верхний левый и нижний правый угол (Формат – Формат рисунка), добавьте контур (оранжевый, толщина – 3)
6
• The most popular business applicaBon • More than 263000 customers worldwide • 83% Forbes 500 companies run SAP • Main system – ERP • Main pla|orms
‒ SAP NetWeaver ABAP ‒ SAP NetWeaver J2EE ‒ SAP BusinessObjects ‒ SAP HANA ‒ SAP Mobile Pla|orm (SUP)
SAP Security
• Complexity Complexity kills security. Many different vulnerabiliBes in all levels, from network to applicaBon
• Customiza8on Cannot be installed out of the box. A lot of (up to 50 %) custom code and business logic
• Risky Rarely updated because administrators are scared of crashes and downBme
• Unknown Mostly available inside the company (closed world)
h�p://erpscan.com/wp-‐content/uploads/pres/Forgo�en%20World%20-‐%20Corporate%20Business%20ApplicaBon%20Systems%20Whitepaper.pdf
7
Risk 1: Credit card data theQ
• Risk: credit card data theQ • Affects: Companies storing and processing PCI data: Banks,
Processing, Merchants, Payment Gateways, Retail • Type: Espionage • Module: SD (Sales and DistribuBon) – part of ERP • A�acker can get access to mulBple tables that store credit card
data: VCKUN, VCNUM, CCARDEC, about 50 other tables. Credit card data the] means direct monetary and reputaBon loss
8
Risk 1: Credit card data theQ
• There are mulBple ways for an a�acker to access CC data • Even if it’s encrypted, one can:
– Use FM to decrypt it – CCARD_DENVELOPE – Use report to get decrypted – Or use another report to find some info: RV20A003
• SoluBon: ConfiguraBon Checks, Patch Management, Access Control, Code Scanning
• Defense – DecrypBon of credit card data in SD – SAP Note 766703 – DecrypBon of credit card data for the whole ERP – SAP Note 1032588 – Credit card data in report RV20A003 – SAP Note 836079
9
Risk 1: Credit card data theQ (DEMO)
10
Risk 2: Compe88ve intelligence
• Risk: Compromise of bidding informa8on • Affects: Companies using SRM for bidding • Type: Espionage • Module: SRM • Compe1tors’ intelligence (Espionage) • SAP SRM systems are accessible through the Internet. So unfair
compeBtors have a sufficient loophole to spy privileged pricing informaBon and propose compeBBve pricing to win a tender
11
Risk 2: Compe88ve intelligence
• SAP Cfolders applicaBon for document exchange is a part of SRM. It has some vulnerabiliBes and insecure configuraBon problems, resulBng in access to official pricing informaBon
• This means that the compeBtor’s documents could be completely removed from the systems, or the informaBon might be manipulated to win a tender
• A�ack successfully simulated during penetraBon tests • Program vulnerabiliBes that can aid an a�acker:
– h�p://erpscan.com/advisories/dsecrg-‐09-‐014-‐sap-‐cfolders-‐mulBple-‐stored-‐xss-‐vulnerabilies/ – h�p://erpscan.com/advisories/dsecrg-‐09-‐021-‐sap-‐cfolders-‐mulBple-‐linked-‐xss-‐vulnerabiliBes/
• Defense: SAP Notes 1284360, 1292875
12
Risk 3: Inten8onally causing manufacturing defects
• Risk: Inten8onally causing manufacturing defects (Sabotage) • Affects: Manufacturing sector such as AviaBon, Aerospace
AutomoBve, TransportaBon, Consumer Products, Electronics, Semiconductor, Industrial Machinery and Equipment
• Type: Sabotage • Module: SAP PLM • Access to SAP PLM systems could allow unauthorized changes in
product creaBon schemaBcs, as SAP PLM is usually integrated into CAD. One small change could result in a defecBve batch of products, causing serious financial and reputaBonal losses and, someBmes, harm to life and limb
13
• FDA recalled the whole batch of 1200 tracheostomical devices because of 3 deaths caused by technical problems
• IKEA had to recall the enBre batch of 10000 beds with steel rods that had caused physical trauma to kids, claiming it to be a designer’s mistake
• Toyota was forced to recall 3 large batches of passenger cars of up to 500000 each because of wide ranging construcBon problems with airbags, thro�le, and other parts of the car
• US staBsBcs from FDA reveal such recalls occurring frequently. A similar situaBon can also be observed with consumer products
Financial losses caused by traumas reach one trillion dollars a year * Those examples are not caused by misusing SAP!
14
Risk 3: Crea8ng defects in products inten8onally
• Risk: Salary data: unauthorized data manipula8on • Affects: Every company • Type: Fraud • Module: HCM • Access to the SAP HR system allows insiders to manipulate wage
figures. The direct change can be easily detected, but the risk lies in the potenBal manipulaBon of the number of addiBonal working hours to be processed, which, in turn, affect the wages. This fraud is extremely difficult to detect
15
Risk 4: Salary data unauthorized access
• Users can find out a colleague’s salary details (PA30 transacBon) → DemoBvaBon
• Also, an a�acker may do this by direct access to the tables PA0008, PA0014, PA0015
• DEMO (PA30)
16
Risk 4: Salary data unauthorized access
• Users can modify their own salary – TransacBon PA30 is responsible for salary access – A�acker can change the number of hours using this transacBon
• DEMO
17
Risk 4: Salary data unauthorized access
• Risk: Industrial sabotage and disaster • Affects: Every company with ICS/technology network. Oil and
Gas, UBliBes, Manufacturing • Type: Sabotage/Fraud • Module: SAP EAM / SAP XMII • SAP EAM system can have technical connecBons to facility
managements systems. By accessing EAM, one can hack facility management/SCADA/Smart Home/Smart Grid systems as well and actually change criBcal parameters, like heat or pressure, which can lead to disaster and potenBal death
18
Risk 5: Industrial sabotage
• Technology systems are usually insecure and based on obsolete operaBon systems. The only security for them is a firewall, which totally isolates them from corporate network
• Except for those systems which need connecBon for data transfer, such as SAP EAM
• How they a�ack: – RFC connecBons – Shared database or other resources – Same passwords for OS/DB/ApplicaBon – Same domain – Simply exploit ICS vulnerabiliBes
19
Risk 5: Industrial Sabotage
• Risk 6: Delayed salary payout in HR • Risk 7: Forgery of business-‐criBcal data (Asset management) • Risk 8: MisappropriaBon of material resources in MM • Risk 9: Tampering with banking informaBon data • Risk 10: ModificaBon of reports in BI • Risk 11: Remote illegal updates upload • Risk 12: A�ack from the Internet • Risk 13: Remote Denial of Service via Portal
20
Bonus
• 3000+ vulnerabiliBes in all SAP products • 2368 vulnerabiliBes in SAP NetWeaver ABAP based systems • 1050 vulnerabiliBes in basic components, which are the same
for every system • About 350 vulnerabiliBes in ECC modules
21
1 1 13 10 10 27 14 77
130
833 731
641
364
161
322
0
200
400
600
800
1000
2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014
How they can do this?
SAP NetWeaver ABAP – Sta8s8cs
2363
22
2363 vulnerabili8es
SAP NetWeaver J2EE – Sta8s8cs
23
513 vulnerabili8es
24
76 vulnerabili8es
SAP BusinessObjects – Sta8s8cs
25
14 vulnerabili8es
SAP HANA – Sta8s8cs
26
SAP a`acks
• EAS-‐SEC: Recourse which combines – Guidelines for assessing enterprise applicaBon security – Guidelines for assessing custom code – Surveys about enterprise applicaBon security
27
Defense
• CriBcal networks are complex • System is as secure as its most insecure component • HolisBc approach • Check out eas-‐sec.org • Check out erpscan.com
28
Conclusion
We devote a=en>on to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a par>cular func>on, you can e-‐mail us or give us a call. We will be glad to consider your sugges>ons for the next releases or monthly updates.
29
About
228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
USA HQ
Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam
EU HQ
www.erpscan.com [email protected]