Enviar búsqueda
Cargar
SAP Security - Real life Attacks to Business Processes - Hack in Paris 2015
•
3 recomendaciones
•
787 vistas
E
Ertunga Arsal
Seguir
Denunciar
Compartir
Denunciar
Compartir
1 de 44
Descargar ahora
Descargar para leer sin conexión
Recomendados
SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM
SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM
Ertunga Arsal
Implementing SAP security in 5 steps
Implementing SAP security in 5 steps
ERPScan
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications
ERPScan
What CISOs should know about SAP security
What CISOs should know about SAP security
ERPScan
SAP (in)security: New and best
SAP (in)security: New and best
ERPScan
SAP security in figures
SAP security in figures
ERPScan
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscape
ERPScan
Sap Security Hacks and Mitigation - Timeless Attacks
Sap Security Hacks and Mitigation - Timeless Attacks
Ertunga Arsal
Recomendados
SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM
SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM
Ertunga Arsal
Implementing SAP security in 5 steps
Implementing SAP security in 5 steps
ERPScan
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications
ERPScan
What CISOs should know about SAP security
What CISOs should know about SAP security
ERPScan
SAP (in)security: New and best
SAP (in)security: New and best
ERPScan
SAP security in figures
SAP security in figures
ERPScan
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscape
ERPScan
Sap Security Hacks and Mitigation - Timeless Attacks
Sap Security Hacks and Mitigation - Timeless Attacks
Ertunga Arsal
SAST Threat Detection for SAP [Webinar]
SAST Threat Detection for SAP [Webinar]
akquinet enterprise solutions GmbH
SAP SDM Hacking
SAP SDM Hacking
ERPScan
SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]
akquinet enterprise solutions GmbH
SAP Enterprise Threat Detection Overview
SAP Enterprise Threat Detection Overview
SAP Technology
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
akquinet enterprise solutions GmbH
Assessing and Securing SAP Solutions
Assessing and Securing SAP Solutions
ERPScan
Sap Security Assessment V3 English
Sap Security Assessment V3 English
guest5bd7a1
How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]
akquinet enterprise solutions GmbH
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
ERPScan
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
akquinet enterprise solutions GmbH
Effective Cyber Security – the difference between “point in time” and “period...
Effective Cyber Security – the difference between “point in time” and “period...
akquinet enterprise solutions GmbH
Rectify your top findings before the external auditors arrive! [Webinar]
Rectify your top findings before the external auditors arrive! [Webinar]
akquinet enterprise solutions GmbH
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications
ERPScan
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
akquinet enterprise solutions GmbH
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]
akquinet enterprise solutions GmbH
What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...
akquinet enterprise solutions GmbH
SAST Interface Management for SAP systems [Webinar]
SAST Interface Management for SAP systems [Webinar]
akquinet enterprise solutions GmbH
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
akquinet enterprise solutions GmbH
Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]
akquinet enterprise solutions GmbH
SAST Managed Services for SAP [Webinar]
SAST Managed Services for SAP [Webinar]
akquinet enterprise solutions GmbH
Sap Security Workshop
Sap Security Workshop
larrymcc
Introduction to SAP Security
Introduction to SAP Security
Nasir Gondal
Más contenido relacionado
La actualidad más candente
SAST Threat Detection for SAP [Webinar]
SAST Threat Detection for SAP [Webinar]
akquinet enterprise solutions GmbH
SAP SDM Hacking
SAP SDM Hacking
ERPScan
SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]
akquinet enterprise solutions GmbH
SAP Enterprise Threat Detection Overview
SAP Enterprise Threat Detection Overview
SAP Technology
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
akquinet enterprise solutions GmbH
Assessing and Securing SAP Solutions
Assessing and Securing SAP Solutions
ERPScan
Sap Security Assessment V3 English
Sap Security Assessment V3 English
guest5bd7a1
How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]
akquinet enterprise solutions GmbH
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
ERPScan
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
akquinet enterprise solutions GmbH
Effective Cyber Security – the difference between “point in time” and “period...
Effective Cyber Security – the difference between “point in time” and “period...
akquinet enterprise solutions GmbH
Rectify your top findings before the external auditors arrive! [Webinar]
Rectify your top findings before the external auditors arrive! [Webinar]
akquinet enterprise solutions GmbH
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications
ERPScan
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
akquinet enterprise solutions GmbH
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]
akquinet enterprise solutions GmbH
What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...
akquinet enterprise solutions GmbH
SAST Interface Management for SAP systems [Webinar]
SAST Interface Management for SAP systems [Webinar]
akquinet enterprise solutions GmbH
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
akquinet enterprise solutions GmbH
Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]
akquinet enterprise solutions GmbH
SAST Managed Services for SAP [Webinar]
SAST Managed Services for SAP [Webinar]
akquinet enterprise solutions GmbH
La actualidad más candente
(20)
SAST Threat Detection for SAP [Webinar]
SAST Threat Detection for SAP [Webinar]
SAP SDM Hacking
SAP SDM Hacking
SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]
SAP Enterprise Threat Detection Overview
SAP Enterprise Threat Detection Overview
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
Assessing and Securing SAP Solutions
Assessing and Securing SAP Solutions
Sap Security Assessment V3 English
Sap Security Assessment V3 English
How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
Effective Cyber Security – the difference between “point in time” and “period...
Effective Cyber Security – the difference between “point in time” and “period...
Rectify your top findings before the external auditors arrive! [Webinar]
Rectify your top findings before the external auditors arrive! [Webinar]
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]
What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...
SAST Interface Management for SAP systems [Webinar]
SAST Interface Management for SAP systems [Webinar]
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]
SAST Managed Services for SAP [Webinar]
SAST Managed Services for SAP [Webinar]
Destacado
Sap Security Workshop
Sap Security Workshop
larrymcc
Introduction to SAP Security
Introduction to SAP Security
Nasir Gondal
SAP SECURITY GRC
SAP SECURITY GRC
techgurusuresh
VPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
VPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
Hanaysha
Data Science for Cyber Risk
Data Science for Cyber Risk
Scott Allen Mongeau
Behind the Magic – Your ERP Secrets Revealed
Behind the Magic – Your ERP Secrets Revealed
Panaya
Решения для защиты корпоративных и коммерческих цод
Решения для защиты корпоративных и коммерческих цод
Denis Batrankov, CISSP
Random forest using apache mahout
Random forest using apache mahout
Gaurav Kasliwal
Machine Learning with Apache Mahout
Machine Learning with Apache Mahout
Daniel Glauser
SAP Security Chat Tips to Improve SAP ERP Security
SAP Security Chat Tips to Improve SAP ERP Security
Panaya
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
Splunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBA
Splunk
Building an Analytics - Enabled SOC Breakout Session
Building an Analytics - Enabled SOC Breakout Session
Splunk
Building an Analytics Enables SOC
Building an Analytics Enables SOC
Splunk
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
Rohan Andrews
Apache Mahout Tutorial - Recommendation - 2013/2014
Apache Mahout Tutorial - Recommendation - 2013/2014
Cataldo Musto
Movie recommendation system using Apache Mahout and Facebook APIs
Movie recommendation system using Apache Mahout and Facebook APIs
Smitha Mysore Lokesh
Intro to Mahout
Intro to Mahout
Uri Lavi
What's new in SAP HANA SPS 11 Security
What's new in SAP HANA SPS 11 Security
SAP Technology
SAP Security important Questions
SAP Security important Questions
Ragu M
Destacado
(20)
Sap Security Workshop
Sap Security Workshop
Introduction to SAP Security
Introduction to SAP Security
SAP SECURITY GRC
SAP SECURITY GRC
VPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
VPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
Data Science for Cyber Risk
Data Science for Cyber Risk
Behind the Magic – Your ERP Secrets Revealed
Behind the Magic – Your ERP Secrets Revealed
Решения для защиты корпоративных и коммерческих цод
Решения для защиты корпоративных и коммерческих цод
Random forest using apache mahout
Random forest using apache mahout
Machine Learning with Apache Mahout
Machine Learning with Apache Mahout
SAP Security Chat Tips to Improve SAP ERP Security
SAP Security Chat Tips to Improve SAP ERP Security
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBA
Building an Analytics - Enabled SOC Breakout Session
Building an Analytics - Enabled SOC Breakout Session
Building an Analytics Enables SOC
Building an Analytics Enables SOC
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
Apache Mahout Tutorial - Recommendation - 2013/2014
Apache Mahout Tutorial - Recommendation - 2013/2014
Movie recommendation system using Apache Mahout and Facebook APIs
Movie recommendation system using Apache Mahout and Facebook APIs
Intro to Mahout
Intro to Mahout
What's new in SAP HANA SPS 11 Security
What's new in SAP HANA SPS 11 Security
SAP Security important Questions
SAP Security important Questions
Similar a SAP Security - Real life Attacks to Business Processes - Hack in Paris 2015
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]
akquinet enterprise solutions GmbH
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
Sap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depth
Igor Igoroshka
Towards new shores with cross-system SoD analyses. [Webinar]
Towards new shores with cross-system SoD analyses. [Webinar]
akquinet enterprise solutions GmbH
Sap
Sap
ratan biraniya
SAP Online Training | SIMPLE FINANCE | HANA ADMIN | All SAP courses
SAP Online Training | SIMPLE FINANCE | HANA ADMIN | All SAP courses
RamireddyAmbati
Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...
akquinet enterprise solutions GmbH
ERP open source Analytics
ERP open source Analytics
Stratebi
CWIN17 New-York / demanding markets digital business dynamic outcomes
CWIN17 New-York / demanding markets digital business dynamic outcomes
Capgemini
Tsecl user manual tr billing and printing
Tsecl user manual tr billing and printing
UF Technology
Incident Response and SAP Systems
Incident Response and SAP Systems
Onapsis Inc.
AC200 Accounts Receivable And Payable Processing
AC200 Accounts Receivable And Payable Processing
Maria Perkins
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big business
ERPScan
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis Inc.
EVAM_Streaming Analytics_v1.5
EVAM_Streaming Analytics_v1.5
John Nikolaidis
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crime
Onapsis Inc.
Positive pay edi process in sap
Positive pay edi process in sap
Rajeev Kumar
Sap into-1213948722097753-9
Sap into-1213948722097753-9
Sharif Razi Al Mahmud (Razib)
Sap introduction
Sap introduction
learnit training
SCADA a gyakorlatban - Accenture Industry X.0 Meetup
SCADA a gyakorlatban - Accenture Industry X.0 Meetup
Accenture Hungary
Similar a SAP Security - Real life Attacks to Business Processes - Hack in Paris 2015
(20)
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
Sap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depth
Towards new shores with cross-system SoD analyses. [Webinar]
Towards new shores with cross-system SoD analyses. [Webinar]
Sap
Sap
SAP Online Training | SIMPLE FINANCE | HANA ADMIN | All SAP courses
SAP Online Training | SIMPLE FINANCE | HANA ADMIN | All SAP courses
Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...
ERP open source Analytics
ERP open source Analytics
CWIN17 New-York / demanding markets digital business dynamic outcomes
CWIN17 New-York / demanding markets digital business dynamic outcomes
Tsecl user manual tr billing and printing
Tsecl user manual tr billing and printing
Incident Response and SAP Systems
Incident Response and SAP Systems
AC200 Accounts Receivable And Payable Processing
AC200 Accounts Receivable And Payable Processing
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big business
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
EVAM_Streaming Analytics_v1.5
EVAM_Streaming Analytics_v1.5
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crime
Positive pay edi process in sap
Positive pay edi process in sap
Sap into-1213948722097753-9
Sap into-1213948722097753-9
Sap introduction
Sap introduction
SCADA a gyakorlatban - Accenture Industry X.0 Meetup
SCADA a gyakorlatban - Accenture Industry X.0 Meetup
SAP Security - Real life Attacks to Business Processes - Hack in Paris 2015
1.
SAP Security: Real-life
Attacks to Business Processes Ertunga(Arsal( ertunga@esnc.de
2.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Agenda ‣ Business Processes ‣ SAP Systems ‣ Exploit Demo ‣ External Payment Solutions on SAP ‣ How to Stay Secure ‣ About Us 2
3.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Want to know how this happened? 3
4.
Part I -
The Business Processes The(Background
5.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 SAP: The Dominating System ‣More than 282.000 companies run SAP –87%(of(the(Forbes(Global(2000(companies( ‣SAP customers … –produce(95.000(cars(per(day( –fly(1.7(billion(passengers(per(year( –produce(over(70(million(barrels(of(oil(per(day(( ‣74% of the world’s transaction revenue touches an SAP system 5 *Source: SAP 2014 and McKinsey/SAP analysis update 4/2013
6.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Attacking the Core ‣ SAP systems are complex systems ‣ Numerous components ‣ Rarely hardened or properly patched ‣ It does not stop there… –SAP(applicaKons(contain(3rd(party(ABAP(addLons 6
7.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Attack Vectors 7
8.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 How can it be attacked? Example: 3rd Party Components ‣ Remote ABAP Code Injection in OpenText / IXOS ECM –Widely(used( –Allows(injecKng(ABAP(code(to(the(SAP( system.( –Many(customers(are(not(even(aware( they(need(to(patch! 8
9.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 How can it be attacked? Example: Core Components ‣ Remote OS Command Execution in SAP BASIS Com. Services –Allows(OS(command(execuKon,(with(the(rights(of(the(SAP(applicaKon(server( –Patched(2(years(aVer(we(reported(it([SAP(Note(1674132](( –SAP’s(CVVS(v2(base(score(for(this(vulnerability(is(6.0$(Medium$Risk)( ‣ We were able to bypass the patch’s protection –Second(patch(came(a(couple(of(months(later([SAP(Note(1826162]( –This(Kme(CVSS(v2(score(is:(7.5$(High$Risk)$ ‣ Same vulnerability higher CVSS score 9
10.
Exploit Demo Becoming an
admin user on the SAP system
11.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 End of Chapter I ‣ For the second part of the presentation, we assume that the attacker has sufficient authorizations for executing any action mentioned later. –By(exploiKng(vulnerabiliKes( –Collusion( –ExisKng(rights(( ‣ So, system is compromised. But where else can the attacker go from there? 11
12.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 What is a Business Process? ‣ Collection of related activities that produce a specific service or product for customers ‣ Begins with a customer’s need and ends with need fulfillment. ‣ Commonly done using SAP systems 12 Famous Example: The pin factory by Adam Smith
13.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Example: Attacking the Business Processes Finding & Exploiting Vendors which Expect Money ‣ The attacker could directly go to vendor payment history for determining the target bank accounts of vendors. 13
14.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Determining Victim Bank Accounts ‣ Attacker can filter out uninteresting accounts and focus on ones where the victim company will transfer more than 10.000 EUR 14
15.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Determining Victim Bank Accounts ‣ Attacker can pick the largest sum which will be paid ‣ … and check when the transfer will be done ‣ Last step: –Replacing(the(bank(account(of(the(Vendor( with(the(a`acker’s(bank(account 15
16.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Changing the Bank Accounts ‣ Attacker runs the transaction FK02 and searches victim vendor ‣ Attacker replaces the account number of the vendor with evil one ‣ Payment time: Sum is transferred to the attacker’s account 16
17.
Next: SAP Credit
Cards and Birds Credit(Card(Processing(on(SAP
18.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Credit Card Processing on SAP ‣ Sales and Distribution (SD) and many other SAP modules ‣ Few external solutions use tokenizing and and external portals, outside of SAP ‣ Pass through + storage 18 –Customer(orders( –Retail(point(of(sale((POS)( –Internet(commerce( –HR(L(travel(expenses –Data(tables( –Change(documents( –TransacKon(logs( –DB(logs
19.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Credit Card Data DB Tables ‣ We discovered more than 50 SAP DB tables which contain e.g. credit card numbers ‣ The used tables differ based on which modules and functionalities are used/activated on the customer ‣ Some common SAP tables are: 19 FPLTC Payment(cards:(TransacKon(data(L(SD BSEGC Document(L(Data(on(Payment(Card(Payments VCKUN Assign(customerLcredit(card VCNUM Credit(card(master Pa0105$(Subtype$0011) HR(Master(Record:(Infotype(0011((Ext.Bank(Transfers) PCA_SECURITY_RAW Card(Master:(EncrypKon CCSEC_ENC,$CCSEC_ENCV Encrypted(Payment(Card(Data CCARDEC Encrypted(Payment(Card(Data /PMPAY/PENCRP Paymetric(–(Encrypted(Paymetric(Card(Data((for(offline(usage,(now(obsolete)
20.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Accessing Cleartext Cardholder Information Recipe ‣ Type SE16 at the command bar of SAPGUI after you logon, hit Enter. –Type(the(table(which(you(want(to(display(and( press(Enter.(( •E.g.(FPLTC( ‣ Enter your criteria (empty == all) ‣ Copy paste the data as desired to your favorite PasteBin 20
21.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Accessing Cleartext Cardholder Information Using Remote Function Calls ‣ SAP-RFC (Remote Function Call) protocol can be utilized ‣ SOAP-RFC over HTTP allows Internet based access to RFC functionality. ‣ RFC_READ_TABLE function allows generic access to contents of the tables ‣ Sapsucker could be used for it? 21 source:(Wikipedia
22.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Free Tool? - Sapsucker ‣Named after the famous bird ‣Allows easy access to SAP tables via SAP-RFC and HTTP(s) ‣Allows reusing XSSed SAP logon cookies ‣SNC and SAP router supported ‣Easily extract and filter sensitive data 22
23.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Decrypting Encrypted Credit Card Numbers ‣ Due to PCI-DSS requirements, cardholder data must be encrypted. –Tables(e.g.(PCA_SECURITY_RAW,(CCSEC_ENC,( CCSEC_ENCV,(CCARDEC,(/PMPAY/PENCRP( contain(encrypted(data((if(encrypKon(is(enabled)(( ‣ Program RS_REPAIR_SOURCE spawns a code editor –An(a`acker(could(use(it(to(type(malicious(ABAP(code,( even(on(producKon(systems 23
24.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Are we the only ones? ‣ The data can be decrypted via function modules CCARD_DEVELOPE or CCSECA_CCNUM_DECRYPTION –the(RFC(/PMPAY/P_ENCRYP_RFC(or( XIPAY_E4_CRYPTO(for(Paymetric( ‣ People are already doing this! –and(they(are(sharing(their(experiences 24
25.
External Payment Solutions
on SAP
26.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 External Vendors for Payment Solutions ‣ It is common to see external solutions for securing CC data –Paymetric(XiPayLXiSecure((cool(tokenizing(stuff)(and(others(such(as( GMAPay,(PaylinX,(DelegoSecure,(Princeton(CardConnect(to(name(a( few…( ‣ Secure (assuming) payment solution + insecure SAP system equals to ? ‣ Most common solutions use “registered RFC servers” for SAP connectivity 26
27.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Standard Concept 27 Gateway' Service' SAP'System' External'programs'can'send' requests'to'PCI'Server'over' the'gateway'via'RFC' protocol' Payment'Card'Interface'Server'' registers'itself'on'SAP'Gateway' and'accepts'connecAons' CC_AUTHORIZATION' CC_SETTLEMENT' Reginfo'ACL' defines'who'can' register'a'server'or' connect'to'a' registered'server' SAP'system'can' send'requests'to' PCI'Server'over' the'gateway'via' RFC'protocol' 1 B A PCI'Server' Merchant/Bank' Registers'as' TP'ID=PAY.P01' Accesses'TP'PAY.P01' Accesses'TP'PAY.P01' External(Payment(Card( Interface(ConnecKvity L(with(registered(RFC(Servers
28.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 External Payment Card Interface Connectivity Standard Concept - Common Security Issues ‣ Customer does not configure ACL ‣ ACL can be bypassed (missing SAP kernel patch) ‣ Customer uses SAP’s tool to generate the access control list –SAP’s(reginfo(ACL(generator(creates(access(lists(with(ACCESS=* –SAP(does(not(acknowledge(this(as(a(security(issue( ‣ Predictable TP names of payment processors –enabling(unauthenKcated(a`acks 28
29.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 External Payment Card Interface Connectivity With registered RFC Servers - Attacks 29 Gateway' Service' SAP'System' Evil'external'programs'can' send'requests'to'PCI'Server' over'the'gateway'via'RFC' protocol'to'extract'CC' informaAon' Payment'Card'Interface'Server'' registers'itself'on'SAP'Gateway' and'accepts'connecAons' CC_AUTHORIZATION' CC_SETTLEMENT' Reginfo'ACL'defines'who'can' register'a'server'or'connect'to'a' registered'server' SAP'system'sends'requests'to' PCI'Server'over'the'gateway' 1 A 2 PCI'Server' Merchant/ Bank' Registers' TP'ID=PAY.P01' MITM:An'aTacker'can' pretend'to'be'PCI'server'by' registering'with'the'same'TP' ID'to'sniff'CC'informaAon'or' to'trick'the'SAP'system'that' payment'is'complete' B Registers' TP'ID=PAY.P01' Accesses'TP'PAY.P01'
30.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 Further Security Issues ‣ Fatal config flaws on SAP PI (process integration) ‣ Debugging or system tracing active on system ‣ Redirects e.g. to an external provider (before payment) to avoid PCI-DSS scope –Tokenizing(on(its(own(is(not(sufficient.(The(SAP(system(must(also(be(hardened.( 30
31.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 External Payment Card Interface Connectivity Standard Concept - Resulting in ‣ ManLinLtheLmiddle(a`ack(for(CC_SETTLEMENT(and( CC_AUTHORIZATION(funcKons( ‣ Credit card data theft ‣ Fake transaction authorization –“TransacKon(is(complete(let(me(deliver(the(goods…”( ‣ Foreseeable consequences –brand(damage,(legal(consequences(etc.( ‣ And some unforeseeable consequences… 31
32.
or Something More
Entertaining
33.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 ‣ SAP should be more social networking enabled? ‣ Tampering the payment card interface functions is possible –e.g.(SD_CCARD_AUTH_CALL_RFC((could(allow(capturing(credit(card(numbers(realLKme( •Including(validaKon(status,(card(validaKon(code(cvv2((called(cvc2(for(mastercard,(same(thing)( ‣ Introducing TweetBtttM –THE(FIRST(SAP(CREDIT(CARD(TO(TWITTER(INTERFACE( –Allows(SAP(system(to(tweet(aVer(a(credit(card(transacKon( –Requires(patching(SAP’s(code,(voids(warranty!( •That(should(be(the(least(of(your(worries( –Fallback(to(DNS(tunneling(when(Twi`er(is(unreachable Connecting SAP to Social Media 33
34.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 TweetBtttM* Challenges ‣ Twitter changed its API so HTTP is not allowed anymore –Good(side:(PCILDSS(compliant(backdoor( –Requires(imporKng(Twi`er’s(cert(via(transacKon(STRUST( •Workaround(by(invoking(SAPGENPSE –Delays:(1L3(seconds(per(tweet( ‣ DNS tunnel fallback when outbound connection is blocked –FuncKon(module(RFC_HOST_TO_IP(is( (mis)used(as(a(poor(man’s(DNS(tunnel(on(ABAP( ‣ Public source code? –SKll(in(discussions(with(the(legal(guys.(Follow( me(on(twi`er(to(stay(informed(:) 34 *B`tM(=(Bird(that(( talks(too(Much
35.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 35
36.
How to Stay
Secure from unforeseeable consequences
37.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 No.1: Address The Complete Picture 37
38.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 No.2: Implement a Holistic Process to Stay Secure 38 Detec%on( • Real&'me)security) monitoring) • SAP)event) correla'on) Response( • Automa'c)Threat)Mi'ga'on) • Automa'c)Firewall)Rule) Crea'on) Preven%on( • Vulnerability) Discovery) • Automa'c)Issue) Fixing)
39.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 No.3: Automate It ‣ Automated SAP security scans ‣ Automated SAP PCI-DSS compliance checks ‣ Automated ABAP code corrections ‣ Automated SAP real-time monitoring ‣ Automated SAP event correlation ‣ Automated continuous integration into Security Incident Event Management - SIEM ‣ Automated SAP vulnerability/issue fixing (remediation) ‣ Automated SAP intrusion detection, prevention and alerting 39
40.
About Us
41.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 ESNC GmbH - Germany Enterprise Security and Compliance ‣ ESNC assesses and fixes security vulnerabilities in SAP systems –ESNC(Security(Suite:(PentesKng,(realLKme(SAP(security(monitoring(and(automaKc(vulnerability( miKgaKon( ‣ Headquarters in Grünwald by Munich ‣ Customer base: Governmental institutions, banking, utilities, automative, oil&gas and other critical industries ‣ Presenter: Ertunga Arsal –Security(researcher(with(long(history(and(focus(on(SAP( –Audited(hundreds(of(corporate(and(government(enterprise(SAP(systems(to(date( –Credited(by(SAP(for(over(100(vulnerabiliKes( –Lecturer(“Systems(and(Network(Security”(at(Sabanci(University(for(postgraduates( –Speaker(at(CCC(annual(congress,(Defcon(Hashdays,(Deepsec,(SecLT(etc…( –Founder(of(ESNC( 41
42.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 The Menu of SAP Security ‣ A01 - SAP Audit & Assessment ‣ A02 - SAP PCI DSS 3.0 & Compliance ‣ A03 - SAP Remediation and Risk Management ‣ A04 - Security Policy Enforcement on SAP systems ‣ A05 - SAP Penetration Testing ‣ C01 - ABAP Code Security Assessment & Correction ‣ R01 - SAP Real-Time Monitoring & IDP ‣ R02 - SAP SIEM Integration 42
43.
© ESNC GmbH
- All rights Reserved.SAP Security - Real life Attacks to Business Processes Ertunga Arsal - Hack in Paris 2015 ‣ And many thanks to –Eric(Bushman(<ebushman@paymetric.com>(from(Paymetric(for(the(good(input( –and(my(team( This document contains references to products of SAP AG. SAP, ABAP, SAPGUI and other named SAP products and associated logos are brand names or registered trademarks of SAP AG in Germany and other countries in the world. HP is a registered trademark of Hewlett-Packard Company. Oracle and Java are registered trademarks of Oracle and/or its affiliates. All other trademarks are the property of their respective owners. This document is for educational purposes. It does not come with any warranty or guarantee. ESNC GmbH is not responsible of any misuse of the content. This document or parts of this document is not allowed to be distributed without ESNC’s written permission. Thank you 43
44.
Q&A Ertunga(Arsal(( Email:(ertunga@esnc.de
Descargar ahora