Alexander Polyakov CTO ERPScan
1 Invest in security to secure investments
ERP Security. Myths, Problems, Solutions
Alexander Polyakov, CTO ERPScan

2 About ERPScan
The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
Leader by the number of acknowledgements from SAP (150+)
60+ presentations at key security conferences worldwide
25 awards and nominations
Research team: 20 experts with experience in different areas of security
Headquarters in Palo Alto (US) and Amsterdam (EU)
3 Intro
ERP (enterprise resource planning) is an integrated computer-based system used to manage internal and external resources, including tangible assets, financial resources, materials, and human resources (Wikipedia).

4 Intro
Business applications like ERP, CRM, SRM and others are one of the major topics within the scope of computer security, because these applications store business data, and any vulnerability in them can cause a significant monetary loss or even a stoppage of business.

5 Main Problems in ERP Security
Complex structure (complexity kills security)
Inside a company (closed world)
Different vulnerabilities at all levels
Rarely updated: administrators are afraid that systems can be broken during updates

6 Myths
Myth 1: Business applications are only available internally, which means no threat from the Internet
Myth 2: ERP security is a vendor's problem
Myth 3: Business application internals are very specific and are not known to hackers
Myth 4: ERP security is all about SoD
7 Myth 1: Business Applications are Only Available Internally
Top management point of view: this myth is popular for internal corporate systems, and people think that these systems are only available internally.
Real life: maybe in the mainframe era with SAP R/2, and in some implementations of R/3, SAP was used only internally, but not now, in the era of global communications. As a minimum you need integration with:
other offices
customers and suppliers
the SAP network (for SAP systems)
Even if you do not have a direct connection, there are user workstations connected to the Internet.

8 Myth 1: Business Applications are Only Available Internally
It is necessary to bring together people who understand ERP security and people who understand the Internet, e-mail and the security of web services.

9 Myth 1: Business Applications are Only Available Internally
10 Myth 2. ERP Security is a Vendor's Problem
From the point of view of the law: the vendor is NOT responsible for vulnerabilities in their products. Business application security is the client's problem.

11 Myth 2. ERP Security is a Vendor's Problem
Vendor problems:
1. Program errors
2. Architecture errors
Client problems:
3. Implementation architecture errors
4. Defaults / misconfigurations
5. Human factor
6. Patch management
7. Policies / processes / etc.
From a technical point of view: there can be many failures even if the software itself is secure.
12 Myth 3. Business Application Internals are not Known to Hackers
Current point of view:
Mostly installed inside a company
Not as popular among hackers as Windows or Apple products
Closed world
Security through obscurity

13 Myth 3. Business Application Internals are not Known to Hackers
Real life: popular products are under attack by hackers, and are becoming more and more secure. Business applications WERE closed, but over the last 5 years they have become more and more exposed on the Internet, and also popular with hackers and researchers (see the statistics later in this talk). Unfortunately, their security level is still like it was 3-5 years ago. Now they look like a defenseless child in a big city.
14 Myth 4. ERP Security is All about SoD
Current point of view: many people, especially ERP people, think that security is all about SoD.
Real life: access control alone does not give you a secure infrastructure. Buying a new engine for your car every year will not help if you simply puncture a wheel. Also remember the Sachar Paulus interview: "other threat comes from people connecting their ERP systems to the Internet".

15 Myth 4. ERP Security is All about SoD
An ERP system with secure SoD and nothing else is much like spending all your money on video surveillance and biometric access control while leaving the back door open for the housekeepers.

16 Myth 4. ERP Security is All about SoD
Top 10 Application Implementation Problems (OWASP-EAS EASAI Top 10):
1. Lack of patch management: CRITICAL, REMOTE
2. Default passwords for application access: CRITICAL, REMOTE
3. SoD conflicts: CRITICAL, LOCAL
4. Unnecessary enabled application features: HIGH, REMOTE
5. Open remote management interfaces: HIGH, REMOTE
6. Lack of password lockout/complexity checks: MEDIUM, REMOTE
7. Insecure options: MEDIUM, REMOTE
8. Unencrypted communications: HIGH, REMOTE
9. Insecure trust relations: MEDIUM, LOCAL
10. Guest access: MEDIUM, REMOTE
17 Problems

18 ERP Security Problems
Development: architecture, program errors
Implementation: architecture, configuration, patch management, policies, awareness
Control: policies, security assessment, awareness, SoD, overall system security

19 Development Problems
Languages and technologies per platform:
SAP: own technologies (ABAP/BSP); Java (JSP/servlets/EJB/J2EE/RMI); web (HTML/JS); other (C/wbs/SQL)
Oracle: own technologies (BPEL/PL/SQL); Java (JSP/servlets/EJB/J2EE/RMI); web (HTML/JS/CGI); other (C/wbs/SQL)
PeopleSoft: own technologies (PeopleCode/PL/SQL); Java (JSP/servlets/EJB/J2EE/RMI); web (HTML/JS/CGI); other (C/wbs/SQL)
20 Implementation Problems
Different databases
Different architecture
Different OS
Different product versions
Huge amount of customization

21 Different Architecture
Different clients (mandants) on different instances on different physical servers
Can be DEV, TEST or PROD
Can have different modules such as SRM/PLM/CRM/ERP, connected in different ways to each other and to other systems
Different DMZ / terminal server installations
Add identity management, LDAP, AD and other solutions to the architecture
And even more

22 Different OS
OS popularity for SAP: Windows NT 28%, AIX 25%, Linux 19%, SunOS 13%, HP-UX 11%, OS/400 4%

23 Different Platforms
ABAP or Java or BusinessObjects
ABAP only can be: SAP R/3 (various releases), SAP R/3 4.7 Enterprise, SAP NetWeaver (various releases)
Also add-ons, also industry solutions

24 Great Amount of Customization
Approximately 40-60% of ERP code is custom code, with its own vulnerabilities. There can also be many custom items: authorization objects, authorizations, roles, transactions, programs, etc. If you have customized the system, you must have customized security solutions as well, which is much harder than checklist-like solutions.
25 Solutions

26 How to Make a Secure ERP System in 5 Steps
Develop secure software
Implement it securely
Teach administrators
Increase user awareness
Control the whole process

27 Introducing OWASP-EAS
Develop secure software: OWASP Enterprise Business Application Security Vulnerability Testing Guide v0.1
Implement it securely: Enterprise Business Application Security Implementation Assessment Guide
Teach administrators: our trainings
Increase user awareness: the "SAP Security in Figures" report
Control the whole process: tools

28 Introducing OWASP-EAS
We need guides for developers and vulnerability testers to assess enterprise applications.
Sources:
OWASP: good, but focused mainly on web vulnerabilities
WASC: good, but focused on web
SANS 25: good, but not about ERP
CWE: good, but too big
OSSTMM: good, but focused on assessing systems, not software
SAP/Oracle security guides: good, but too much information
Result: OWASP-EAS Enterprise Business Application Security Vulnerability Testing Guide v0.1

29 Introducing OWASP-EAS
Analyze the most popular vulnerabilities in enterprise systems
Create a Top 10 list
Collect information about examples, threats and countermeasures
Release the guide
After a year, go back to step 1
30 Enterprise Application Security Vulnerability Testing Guide

31 Top 10

32 Examples
XSS: there is an unlimited number of XSS issues in SAP; the latest one is at http://erpscan.com
Information disclosure:
Oracle Financials: /pls/dad/find_web.ping, /OA_HTML/jsp/fnd/fndping.jsp
SAP NetWeaver: /sap/public/info

33 Examples of Network Security
Improper access control / traversal (SAP NetWeaver): RFC functions can be called remotely. You need a user and a password, but ALMOST ALL SAP administrators do not change the password of the user SAPCPIC. Using its credentials we can call a function that tries to read a file on our SMB share. Gotcha! Hashes are stolen (on Windows hosts the SAP server authenticates to the attacker's share with the OS account it runs under, so the captured hash belongs to that service account).
34 Top 10 Frontend Vulnerabilities

35 Examples of Frontend Vulnerabilities
Buffer overflow: can be exploited to gain remote access to the user's workstation. Also format string and memory corruption bugs. The latest one is at http://exploit-db.com/exploits/14416/. NEW vulnerabilities are being patched now; soon at http://erpscan.com/. Other ERPs are vulnerable too.

36 Examples of Frontend Vulnerabilities
Hard-coded passwords (some ERPs, we don't name names): very dangerous. A fat client with hard-coded passwords to the database, and access rights are checked on the client side. Exploited simply by sniffing the database connection and connecting directly with the stolen password. As a result we are DBA on the database.
37 Enterprise Business Application Security Implementation Assessment

38 Enterprise Application Security Implementation Assessment
Building a secure application is not enough. You also need to do the following securely:
Install it
Configure it
Manage it

39 Enterprise Application Security Implementation Assessment
Analyze the most critical areas of misconfiguration
Group them
Create a Top 10 list
Collect information about examples, threats and countermeasures
Release the guide
After a year, go back to step 1

40 Enterprise Application Security Implementation Assessment

41 Network and Architecture

42 Examples of Network Security
Capture SAP traffic (SYN/FIN packets to the dispatcher ports 32NN and message server ports 36NN; tcp[13] is the flags byte, tcp[2:2] the destination port):
tcpdump -n -i eth0 'tcp[13] & 3 != 0 and ((tcp[2:2] >= 3200 and tcp[2:2] < 3300) or (tcp[2:2] >= 3600 and tcp[2:2] < 3700))'
Find a user and decode the password. The user has access to an XI system that holds no business data. Use transaction SM59, which shows all RFC connections. There was only one connection, to the HR system, with hard-coded credentials. The credentials belonged to the remote RFC user created for data exchange. This user, ALEREMOTE, had SAP_ALL privileges.
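The XI-to-HR hop above is one edge of a trust graph: every SM59 destination that stores a user and password is a hop an attacker can take without knowing any password. The script below is an added example (not from the slides and not an ERPScan tool) that walks such a graph to show which systems, and which users, a compromised low-value system leads to. The destination list, system names and profile assignments are constructed to mirror the story on the slide; on a real landscape you would feed it the RFCDES table or the output of report RSRFCCHK and the profile assignments from USR04/UST04.

```python
"""Trace stored-credential RFC trust paths between SAP systems (added example)."""
from collections import deque

# Constructed SM59-like export: (source system, destination name, target system,
# stored user or None when no logon data is stored). Not a real landscape.
DESTINATIONS = [
    ("XI", "HR_CLNT100", "HR", "ALEREMOTE"),
    ("HR", "XI_CLNT001", "XI", None),        # no stored logon data: not a free hop
    ("HR", "ERP_CLNT300", "ERP", "RFCUSER"),
    ("ERP", "BW_CLNT200", "BW", "BWREMOTE"),
]

# Constructed user -> profiles map (on a real system this comes from USR04/UST04).
USER_PROFILES = {
    "ALEREMOTE": {"SAP_ALL"},
    "RFCUSER": {"Z_RFC_ONLY"},
    "BWREMOTE": {"SAP_ALL", "SAP_NEW"},
}


def trust_graph(destinations):
    """Adjacency list of hops that need no password: destinations with stored logon data."""
    graph = {}
    for src, name, dst, user in destinations:
        if user:
            graph.setdefault(src, []).append((dst, name, user))
    return graph


def reachable_from(start, destinations, profiles):
    """BFS over stored-credential destinations.

    Returns {system: (path, user_used_to_get_there, risk)} for every system an
    attacker who owns `start` can reach; risk is 'critical' when the stored
    user holds SAP_ALL, otherwise 'medium'.
    """
    graph = trust_graph(destinations)
    seen = {start: ([start], None, "start")}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst, name, user in graph.get(cur, []):
            if dst in seen:
                continue  # keep the first (shortest) path found
            risk = "critical" if "SAP_ALL" in profiles.get(user, set()) else "medium"
            seen[dst] = (seen[cur][0] + [dst], user, risk)
            queue.append(dst)
    return seen


if __name__ == "__main__":
    for system, (path, user, risk) in reachable_from("XI", DESTINATIONS, USER_PROFILES).items():
        print(f"{system:4} via {' -> '.join(path):22} user={user} risk={risk}")
```

The walk is deliberately one-directional: HR's destination back to XI stores no logon data, so owning HR does not give XI back, while the single ALEREMOTE destination turns the "empty" XI box into SAP_ALL on HR and, through the next stored user, everything behind it.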
43 Operating Systems

44 OS Vulnerabilities: Access to Critical Files
There are many critical files on a SAP server that can be used by an unprivileged OS user to gain access to the SAP application:
Database files (data plus encrypted Oracle and SAP passwords): /oracle/<DBSID>/sapdata/system_1/system.data1
SAP config files (encrypted passwords): /usr/sap/<SAPSID>/<instance ID>/sec/*, /usr/sap/<SAPSID>/<instance ID>/sec/sapsys.pse
Config Tool config files (encrypted database password): \usr\sap\dm0\SYS\global\security\data\SecStore.properties, \usr\sap\dm0\SYS\global\security\data\SecStore.key
J2EE trace files (plaintext passwords): /usr/sap/<SAPSID>/<instance ID>/j2ee/cluster/dispatcher/log/defaultTrace.0.trc
ICM config files (encrypted password): \usr\sap\dm0\SYS\exe\uc\NTI386\icmauth.txt
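A quick way to act on the list above is to check, on the host itself, which of these files are readable by users other than their owner. The script below is an added example (not from the slides and not SAP or ERPScan code) that expands the Unix-style path patterns from the slide for a given SID and instance and reports every match whose mode bits let the group or everyone read it. The SID and instance name are parameters, the path list is the slide's, and the `root` argument only exists so the audit can be run against a test tree; it checks POSIX mode bits only, not ACLs.

```python
"""Report SAP credential-bearing files readable by group or world (added example)."""
import glob
import os
import stat

# Unix forms of the paths from the slide; {sid}/{dbsid}/{inst} are filled in per system.
CRITICAL_PATTERNS = [
    "/oracle/{dbsid}/sapdata/system_1/system.data1",
    "/usr/sap/{sid}/{inst}/sec/*",
    "/usr/sap/{sid}/SYS/global/security/data/SecStore.properties",
    "/usr/sap/{sid}/SYS/global/security/data/SecStore.key",
    "/usr/sap/{sid}/{inst}/j2ee/cluster/dispatcher/log/defaultTrace*.trc",
    "/usr/sap/{sid}/SYS/exe/uc/*/icmauth.txt",
]


def expand_patterns(sid, inst, root="/"):
    """Fill in SID/instance and re-root the patterns (root != '/' is for testing)."""
    return [os.path.join(root, p.format(sid=sid, dbsid=sid, inst=inst).lstrip("/"))
            for p in CRITICAL_PATTERNS]


def exposure(path):
    """'world' if anyone can read the file, 'group' if only group members can, else None."""
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        return "world"
    if mode & stat.S_IRGRP:
        return "group"
    return None


def audit(sid, inst, root="/"):
    """Return sorted (path, scope, octal mode) for every critical file others can read."""
    exposed = []
    for pattern in expand_patterns(sid, inst, root):
        for path in glob.glob(pattern):
            if not os.path.isfile(path):
                continue
            scope = exposure(path)
            if scope:
                exposed.append((path, scope, oct(stat.S_IMODE(os.stat(path).st_mode))))
    return sorted(exposed)


if __name__ == "__main__":
    import sys
    sid = sys.argv[1] if len(sys.argv) > 1 else "DM0"          # assumed SID
    inst = sys.argv[2] if len(sys.argv) > 2 else "DVEBMGS00"    # assumed instance
    for path, scope, mode in audit(sid, inst):
        print(f"{mode} {scope:5} {path}")
```

Group-readable hits need a second look rather than an automatic fail: the sapsys group legitimately contains <sid>adm and the database OS user, so the real question for a "group" finding is who else has been added to that group. A "world" finding on SecStore.key, a trace file or icmauth.txt is the case the slide describes and is always a problem.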
45 Database vulnerabilities

46 Examples of Database Vulnerabilities
Unnecessary enabled services: any database has them by default.
Oracle: UTL_FILE, UTL_HTTP, UTL_TCP, etc.
MSSQL: master..xp_dirtree '\\fakesmb\share' can be used to steal credentials. Note that ERPs run the database service under their own service account, not under Network Service, so the hash captured by the fake SMB server is that account's.
47 Application Vulnerabilities

48 Examples of Application Vulnerabilities
Default passwords: every ERP installs with predefined passwords
for the application
for the database
sometimes for the OS
Most of them are well known; the list will be published at OWASP.

49 SAP default passwords
For the application: (see slide)
For the database: SAPR3/SAP, plus the Oracle defaults in older versions

50 PeopleSoft default passwords
For the application (many): FEDTBHADMN1/FEDTBHADMN1, FEDTBHADMN1/FEDTBHMGR01, FEDTBHMGR02/FEDTBHMGR02, HAM/HAM, etc.
For the database: Peop1e/Peop1e, PS/PS, Sysadm/sysadm, plus the Oracle defaults in old versions

51 Oracle EBS default passwords
For the application (many): ANONYMOUS, APPMGR, ASGADM, ASGEST, AUTOINSTALL, FEDER SYSTEM, GUEST, ADMIN, IBEGUEST, IEXADMIN, SYSADMIN, etc.
For the database: OUTLN, SYSTEM, MDSYS, CTXSYS, AOLDEMO, APPLSYS, APPS, APPLSYSPUB, OLAPSYS, SCOTT, PO

52 Examples of Application Vulnerabilities
Remote management interfaces. Example for SAP (others have the same problems): there is web RFC access; Google for /sap/bc/webrfc. All RFC features are possible, plus something more, including DoS and SMB relay. Details later on http://erpscan.com. Remote pwnage is possible.
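Both the unauthenticated /sap/public/info page from slide 32 and the web RFC handler /sap/bc/webrfc from this slide are ICF services that can be checked from the outside with plain HTTP. The script below is an added example (not from the slides and not an ERPScan tool) that probes those two paths, classifies each as open, present-but-authenticated, or absent, and pulls the system details out of a /sap/public/info answer. The field names it extracts (RFCSYSID, RFCHOST, RFCSAPRL and so on from the RFCSI_EXPORT structure) and the exact response layout are assumptions about that page's output; fetching goes through an injectable `fetch` callable so the logic runs offline against a constructed response.

```python
"""Probe well-known SAP ICF services and read /sap/public/info (added example)."""
import re
import urllib.error
import urllib.request

# ICF paths from the slides and why exposure matters.
PROBE_PATHS = {
    "/sap/public/info": "information disclosure (system details without authentication)",
    "/sap/bc/webrfc": "web RFC interface (remote management; try default users if present)",
}

# Assumed RFCSI_EXPORT fields worth recording from a /sap/public/info response.
INFO_FIELDS = ("RFCSYSID", "RFCHOST", "RFCDBHOST", "RFCDBSYS",
               "RFCSAPRL", "RFCKERNRL", "RFCOPSYS", "RFCIPADDR")


def http_fetch(url, timeout=5):
    """Default fetcher: (status, body); HTTP errors become a status, network errors None."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def parse_public_info(body):
    """Extract the assumed RFCSI_EXPORT fields from a /sap/public/info body."""
    found = {}
    for field in INFO_FIELDS:
        match = re.search(r"<%s>([^<]*)</%s>" % (field, field), body)
        if match:
            found[field] = match.group(1).strip()
    return found


def probe_icf(base_url, fetch=http_fetch):
    """Return findings for each probed path that exists on the target."""
    findings = []
    for path, issue in PROBE_PATHS.items():
        status, body = fetch(base_url.rstrip("/") + path)
        if status == 200:
            finding = {"path": path, "status": status, "state": "open", "issue": issue}
            if path == "/sap/public/info":
                finding["details"] = parse_public_info(body)
            findings.append(finding)
        elif status in (401, 403):
            findings.append({"path": path, "status": status,
                             "state": "present, authentication required", "issue": issue})
        # 404 / None: service inactive or host unreachable, nothing to report
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://sapserver:8000"  # assumed host
    for finding in probe_icf(target):
        print(finding)
```

A 401 on /sap/bc/webrfc is not a clean result: the handler is active, and the slide on SAPCPIC shows why "authentication required" on an RFC interface is only as strong as the weakest default account. The information page, when open, hands an attacker the SID, kernel release and database host that the rest of this deck's attacks are built on.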
53 Frontend Vulnerabilities

54 Lack of encryption (in SAP)

55 Examples of Frontend Vulnerabilities
Insecure distribution service. Example for SAP (others have the same problems): SAPGUI is often distributed from a corporate file server, and often this share is available to any user. Configuration files and installation packages can be overwritten to insert a trojan or redirect users to fake servers. The same problems occur when using terminal services.
56 Increase Awareness

57 Enterprise Application Vulnerability Statistics 2009
This document shows the results of statistical research in the business application security area carried out by ERPScan and the OWASP-EAS project. Its purpose is to raise awareness of enterprise business application security by showing the current number of vulnerabilities found in these applications and how critical they can be.
Analyzed systems: ERP systems, business frontend software, database systems, application servers
Analyzed resources: http://securityfocus.com, http://exploit-db.com, http://cwe.mitre.org, http://cvedetails.com, http://oracle.com, http://sdn.sap.com, http://ibm.com

58 Enterprise Application vulnerability statistics
More than 150 vulnerabilities per year

59 Enterprise Database vulnerability statistics

60 SAP Vulnerabilities Growing
61 Growing interest
The number of vulnerabilities found grows (greetings to all companies in the application security area)
The number of talks about ERP security at conferences grows: 2006 (1), 2007 (1), 2008 (2), 2009 (3), 2010 (10!)
Companies also pay more attention to this area; the SAP security response team is growing every year
This area is becoming popular. We really need automated tools for ERP security assessment, both for pentesters and for administrators.

62 Need for Automation
What we have done:
Sapsploit and Sapscan: tools for pentesting and trojaning SAP users
ERPSCAN Online: a free service for assessing SAP frontend security
ERPSCAN Security Scanner for SAP: an enterprise application scanner covering the full range of problems in SAP solutions

63 ERPSCAN Security Scanner for SAP
Corporate scanner for assessing the security of SAP systems
Checks for misconfigurations, public vulnerabilities, 0-days, and compliance with standards and metrics
Checks both ABAP and Java instances, more than 400 checks
Whitebox scanning to prevent possible damage
Additional engine for checking existing vulnerabilities without exploiting them
Extended knowledge base for all checks, with detailed descriptions and countermeasures collected by ERPScan experts
ERPSCAN.COM

64 Conclusion about ERP Security
ERP security is not a myth
It is becoming more popular with black hats and white hats
There is a need to create guidelines and increase awareness in this area: OWASP-EAS is calling for volunteers with a background in it
ERP security is very complex; if you are ready to do it 24/7, then do it, and if you cannot, leave it to professionals
Detecting and Stopping Cyber Attacks Against Oracle Databases June 25, 2015 Stephen Kost Chief Technology Officer Integrigy Corporation Agenda How and Why Prevention Q&A 1 2 3 4 5 Targeted Attack Detection
More informationPenetration Testing Corporate Collaboration Portals. Giorgio Fedon, Co-Founder at Minded Security
Penetration Testing Corporate Collaboration Portals Giorgio Fedon, Co-Founder at Minded Security Something About Me Security Researcher Owasp Italy Member Web Application Security and Malware Research
More informationApplication Security Testing
Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the
More informationCYBER-ATTACKS & SAP SYSTEMS Is our business-critical infrastructure exposed?
CYBER-ATTACKS & SAP SYSTEMS Is our business-critical infrastructure exposed? by Mariano Nunez mnunez@onapsis.com Abstract Global Fortune 1000 companies, large governmental organizations and defense entities
More informationSAP Netweaver Application Server and Netweaver Portal Security
VU University Amsterdam SAP Netweaver Application Server and Netweaver Portal Security Author: Nick Kirtley Supervisors: Abbas Shahim, Frank Hakkennes Date: 28-09-2012 Organization: VU University Amsterdam,
More informationPaco Hope <paco@cigital.com> Florence Mo ay <fmo ay@cigital.com> 2012 Cigital. All Rights Reserved. SecAppDev. Define third party so ware
Paco Hope Florence Moay 2012 Cigital. All Rights Reserved. SecAppDev 1 Objectives Define third party soware What it is, why we use it Define the risks from third
More informationiscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi
iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi Agenda Introduction iscsi Attacks Enumeration Authorization Authentication iscsi Defenses Information Security Partners (isec) isec Partners Independent
More informationIntegrigy Corporate Overview
mission critical applications mission critical security Application and Database Security Auditing, Vulnerability Assessment, and Compliance Integrigy Corporate Overview Integrigy Overview Integrigy Corporation
More informationPrivileged Administra0on Best Prac0ces :: September 1, 2015
Privileged Administra0on Best Prac0ces :: September 1, 2015 Discussion Contents Privileged Access and Administra1on Best Prac1ces 1) Overview of Capabili0es Defini0on of Need 2) Preparing your PxM Program
More informationEnterprise. Thousands of companies save 1me and money by using SIMMS to manage their inventory.
Enterprise Thousands of companies save 1me and money by using SIMMS to manage their inventory. SIMMS is a powerful inventory management system that enables you to gain fast and accurate control over your
More informationThe Seven Habits of State-of-the-Art Mobile App Security
#mstrworld The Seven Habits of State-of-the-Art Mobile App Security Mobile Security 8 July 2014 Anand Dwivedi, Product Manager, MicroStrategy strworld Agenda - Seven Habits of State of the Art Mobile App
More informationmission critical applications mission critical security Internal Auditor Primer: Oracle E-Business Suite Security Risks Primer
mission critical applications mission critical security Internal Auditor Primer: Oracle E-Business Suite Security Risks Primer Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director
More informationCOURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM
COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM Course Description This is the Information Security Training program. The Training provides you Penetration Testing in the various field of cyber world.
More informationDifferent ways to guess Oracle database SID
30 October 2008 Different ways to guess Oracle database SID Digitаl Security Research Group (DSecRG) Alexander Polyakov a.polyakov@dsec.ru http://dsecrg.ru Content Introduction...3 A brief info about SID
More informationGeoff McGregor, Indiana University Integra(ng KC with CAS and LDAP 4/25/2012
2012 User Conference April 22-24, 2012 Atlanta, Georgia Together Toward Tomorrow Geoff McGregor, Indiana University Integra(ng KC with CAS and LDAP 4/25/2012 open source administration software for education!
More information2015-16 ITS Strategic Plan Enabling an Unbounded University
2015-16 ITS Strategic Plan Enabling an Unbounded University Update: July 31, 2015 IniAaAve: Agility Through Technology Vision Mission Enable Unbounded Learning Support student success through the innovaave
More informationBalancing Usability and Security for Medical Devices
Balancing Usability and Security for Medical Devices Ken Hoyme Adven&um Labs ken.hoyme@adven8umlabs.com Robert North, LLC bnorth@humancenteredstrategies.com March 17, 2014 3/17/2014 2014 Adven8um Labs
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationSAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT
SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT Foreword by Prof. Wolfgang Lassmann... 15 Foreword by Dr. Sachar Paulus... 17 1 Introduction...
More informationFTC Data Security Standard
FTC Data Security Standard The FTC takes the posi6on (Being tested now in li6ga6on) that Sec6on 5 of the FTC Act requires Reasonable Security under the circumstances: that companies have reasonable controls
More informationEffec%ve AX 2012 Upgrade Project Planning and Microso< Sure Step. Arbela Technologies
Effec%ve AX 2012 Upgrade Project Planning and Microso< Sure Step Arbela Technologies Why Upgrade? What to do? How to do it? Tools and templates Agenda Sure Step 2012 Ax2012 Upgrade specific steps Checklist
More informationBank of America Security by Design. Derrick Barksdale Jason Gillam
Bank of America Security by Design Derrick Barksdale Jason Gillam Costs of Correcting Defects 2 Bank of America The Three P s Product Design and build security into our product People Cultivate a security
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationWEB APPLICATION VULNERABILITY STATISTICS (2013)
WEB APPLICATION VULNERABILITY STATISTICS (2013) Page 1 CONTENTS Contents 2 1. Introduction 3 2. Research Methodology 4 3. Summary 5 4. Participant Portrait 6 5. Vulnerability Statistics 7 5.1. The most
More informationCSE/ISE 311: Systems Administra5on Network Firewalls
Network Firewalls Don Porter Firewalls: An Essen2al Tool Previous Lectures: Every service on a system visible to the outside world is a poten2al a>ack vector Observa2ons: It is really hard to police every
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationHow to Audit the Top Ten E-Business Suite Security Risks
In-Source Your IT Audit Series How to Audit the Top Ten E-Business Suite Security Risks February 28, 2012 Jeffrey T. Hare, CPA CISA CIA Industry Analyst, Author, Consultant ERP Risk Advisors Stephen Kost
More informationAppDefend Application Firewall Overview
AppDefend Application Firewall Overview May 2014 Stephen Kost Chief Technology Officer Integrigy Corporation Agenda Web Application Security AppDefend Overview Q&A 1 2 3 4 5 Oracle EBS Web Architecture
More informationAssessing BYOD with the Smarthpone Pentest Framework. Georgia Weidman
Assessing BYOD with the Smarthpone Pentest Framework Georgia Weidman BYOD Is Not New Contractor Laptop Rogue Access Point Gaming Console Tradi>onal Vulnerability Scanning The iphone in Ques>on Is
More informationPasswords are for Chumps
Copyright 2014 Splunk Inc. Passwords are for Chumps David Veuve SE, Splunk Who Am I?! David Veuve Sales Engineer for Major Accounts in Northern California! dveuve@splunk.com! Former Splunk Customer (For
More informationData Management in the Cloud: Limitations and Opportunities. Annies Ductan
Data Management in the Cloud: Limitations and Opportunities Annies Ductan Discussion Outline: Introduc)on Overview Vision of Cloud Compu8ng Managing Data in The Cloud Cloud Characteris8cs Data Management
More informationData Center Evolu.on and the Cloud. Paul A. Strassmann George Mason University November 5, 2008, 7:20 to 10:00 PM
Data Center Evolu.on and the Cloud Paul A. Strassmann George Mason University November 5, 2008, 7:20 to 10:00 PM 1 Hardware Evolu.on 2 Where is hardware going? x86 con(nues to move upstream Massive compute
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationHow to complete the Secure Internet Site Declaration (SISD) form
1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,
More informationSTATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington 98504 5810. October 21, 2013
STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington 98504 5810 October 21, 2013 To: RE: All Vendors Request for Information (RFI) The State of Washington, Department
More information