Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Transcription

1 Soteria Health Check A Cyber Security Health Check for SAP systems

2 Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security Health Check is an ideal introductory service for firms who have not used us before. It is a very practical and economical means of checking the thoroughness and quality of our work, whilst getting another perspective on your cyber security profile. Potentially uncovering a range of network, system, database and administrative vulnerabilities which you may wish to address. Soteria Health Check typically takes 8-10 days to complete and concludes with your being presented with a Cyber Security Health Check report. At that point you can decide how you wish to progress.

3 Contents Overview: Soteria Health Check UK Cyber Essentials scheme OWASP Cyber Security Vulnerabilities Other Cyber Security Considerations Cyber Security Health Check Report SAP Specific Penetration testing Contact details

4 Overview: Soteria Health Check Soteria s Health Check is an efficient means of evaluating your organisations current security profile against recognised security risks. Vulnerability Assessment We utilise 3rd party tools such as NMAP and Nessus to perform vulnerability tests to reveal open ports and accessible services which could be exploited by hackers. Access Control We scrutinise user and system accounts looking for excessive or accumulated privileges, default passwords and poor password maintenance etiquette. We also use applications like Webscurify and Nikto to identify vulnerabilities in web servers. Patch Management We examine the security patch management of your SAP systems looking for any important omissions. Likewise patching of your network and client based Anti-Virus software. Attack vector review We review the most common prevailing web enabled cyber-attack vectors as categorised by OWASP top ten, and examine your organisations defence profile against each attack type. E.g. Injection, XSS, CSRF, buffer-overflows, man-in-themiddle. SAP Specific Penetration Testing (optional) We conduct a SAP specific penetration test, which has been tailored to look for classic SAP vulnerabilities. Including RFC connections, gateway servers, and interrogating SAP data packages, and standard SAP admin accounts.

5 UK Cyber Essentials scheme Copyright: Open Government Licence v3.0 We will step through the UK Government Cyber Essentials Scheme, rating your compliance with every step.

6 OWASP Cyber Security Vulnerabilities A1 Injection Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. Input validation of SAP fields and remove/escape illegal characters. The OWASP preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. A2 Broken Authentication and Session Management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users identities. The SAP NetWeaver platform features central routines for user authentication and single sign-on that cannot be bypassed. Different authentication strengths can be configured, such as user/password or digital certificates, and certified interfaces exist to plug-in partner solutions. Create a whitelist / blacklist in the sqlnet.ora file for host names or IP addresses Review the REMOTE_OS_AUTHENT parameter setting for remote database access.

7 OWASP Cyber Security Vulnerabilities A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. Input validation and SAP Secure Programming Guidelines. BSP/HTMLB or WebDynpro should be used in combination with ACL whitelists. Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename): 1. Use per user or session indirect object references. This prevents attackers from directly targeting unauthorized resources. 2. SAP Access Control. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.

8 OWASP Cyber Security Vulnerabilities A5 Security Misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date. Configure to a level that provides a baseline security using standard SAP settings. Develop a consistent system hardening process and regular software updates. Development, QA, and production environments should all be configured identically. Tasks include: ensure ports and services that are not required are closed, restrict access to BASIS functions, access and identity management and security patch management. A strong SAP application architecture that provides good separation and security between components. Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.

9 OWASP Cyber Security Vulnerabilities A6 Sensitive Data Exposure Many web applications do not properly protect sensitive data, such as credit cards, tax ids, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. Sensitie data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. Do all of the following, at a minimum: 1. Consider the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit. 2. Don t store sensitive data unnecessarily. Discard it as soon as possible. Data you don t have can t be stolen. 3. Ensure strong standard algorithms and strong keys are used, and proper key management is in place. 4. Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt. 5. Disable autocomplete on forms collecting sensitive data and disable caching for pages displaying sensitive data.

10 OWASP Cyber Security Vulnerabilities A7 Missing Function Level Access Control Virtually all web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access unauthorized functionality. SAP provides a consistent and easily analysable authorization module that is invoked from all your business functions. 1. Configure the process for managing entitlements and ensure you can update and audit easily. Don t hard code. 2. The enforcement mechanism denies all access by default, requiring explicit grants to specific roles for access to every function. 3. Workflow conditions need to be in the proper state to allow access. NOTE: Most web applications don t display links and buttons to unauthorized functions, but this presentation layer access control doesn t actually provide protection. You must also implement checks in the controller or business logic.

11 OWASP Cyber Security Vulnerabilities A8 Cross-Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim s browser to send a forged HTTP request, including the victim s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. Preventing CSRF usually requires the inclusion of an unpredictable token in each HTTP request. Such tokens should, at a minimum, be unique per user session. The preferred option is to include the unique token in a hidden field. This causes the value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is subject to exposure. The unique token can also be included in the URL itself, or a URL parameter. However, such placement runs the risk that the URL will be exposed to an attacker, thus compromising the secret token.

12 OWASP Cyber Security Vulnerabilities A9 Using Known Vulnerable Components Vulnerable components, such as libraries, frameworks, and other software modules almost always run with full privilege. So, if exploited, they can cause serious data loss or server takeover. Applications using these vulnerable components may undermine their defences and enable a range of possible attacks and impacts. Ensure that you keep your components up-to-date. Many open source projects (and other component sources) do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. A10 Unvalidated Redirects and Forwards Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. Safe use of redirects and forwards can be done in a number of ways: Simply avoid using redirects and forwards. If used, don t involve user parameters in calculating the destination. This can usually be done. If destination parameters can t be avoided, ensure that the supplied value is valid, and authorised for the user.

13 Other Cyber Security Considerations Virus and Malware Virus Protection is required as a baseline security measure. The SAP Virus Scan Interface has built in scanning for: GUI_UPLOAD in the SAP ABAP Stack HTTP_UPLOAD (BSP) File Upload of WebDynpro for Java. Secure Remote Function Calls (RFCs). Default RFC communication is performed in clear-text exposing data and log on information to network sniffing. SAP has released a number of patches for the RFC library and Secure Network Communications (SNC) can be used to encrypt network traffic. Access to transaction SM59 and table RFCDES should be reviewed, and authorisation object S_RFCACL can improve the security of trusted RFC calls.

14 Other Cyber Security Considerations Secure configuration of the Gateway Server Man In The Middle Attacks can involve the manipulation of RFC calls that are intended for a legitimate external server before returning the results to the requesting client through the Gateway. Such an attack could be used to modify RFC requests and the data returned to SAP systems. Monitor / disable remote access to the Gateway Server that controls traffic between SAP and external systems. Buffer Overflow Buffer overflows are a common attack vector to introduce malicious code to an application. SAP Secure Programming Guidelines to provide Input validation of custom code and conduct detailed reviews to discover and eliminate buffer overflow problems in custom code for the Webfacing technology components of SAP NetWeaver (SAP Web Application Server, SAP Internet Transaction Server, and SAP Enterprise Portal ). Consider Penetration testing.

15 Other Cyber Security Considerations Java script attacks against the sandbox Internet browsers can open vulnerabilities to the application. Java is open source code that is vulnerable to reverse engineering. Controls can include disabling Java in the browser and using separate browsers for Java based web applications. Disable unnecessary services. Consider the SAP White Paper recommendations to prevent a Java attack. Program errors Insecure custom code can introduce security vulnerabilities. SAP Secure Programming Guidelines can ensure a basic level of code security to counter problems such as race conditions, inadvertent information disclosure in error messages and anonymous web browsing.

16 Other Cyber Security Considerations Controlling SAP Users SAP has numerous default users and passwords that require secure configuration. Administrators should change the default passwords of standard users and design control strategies for all privileged default users. Password Security Password security can be compromised by software tools to decrypt passwords. Standard SAP password security can be enhanced by disallowing backwards compatibility in the CDVN1 hashing algorithm.

17 Other Cyber Security Considerations Backdoors and Rootkits Backdoors and rootkits are often very difficult to detect in the thousands of lines of code in typical application software. SAP Code Inspector can be used to guard against backdoors and rootkits in critical programs. Secure Web services Web services should be hardened in line with SAP recommendations. Customise error pages so they do not display sensitive system information about the target system such as hostname, SSID and system number. Disable unnecessary services and follow the SAP security recommendations in the guide Secure Configuration, SAP Netweaver Application Server ABAP.

18 Other Cyber Security Considerations Secure the SAP GUI and web clients Potential buffer overflow vulnerabilities have been identified and have been addressed by SAP patches. Web clients can be vulnerable to phishing attacks. SAP GUI should be patched or upgraded against known buffer overflow vulnerabilities. Consider disabling SAP GUI scripting and virtualisation options. Phishing attacks can be addressed by user education, using SSL/TLS to enable users to identify legitimate websites, URL filtering to block malicious sites, and hardening, upgrading and patching Internet browsers. Regulatory and Standards Considerations Frameworks such as the ISO27000 series and CobiT 5 are positive for the assurance of stakeholders and customers. Implementing Security best practice can help achieve compliance with regulations and achievement of IT Security certification.

19 Cyber Security Health Check Report Upon completion a report will be issued containing the following: Executive Summary of detected vulnerabilities and the possible impacts for the business. Real attack vectors describing how your systems can be exploited and the related Business Risks. Detailed Technical Report detailing detected vulnerabilities, misconfigurations and associated risks. Detailed recommendations for Vulnerability Patching. Mitigation Plan Report outlining a step-by-step action plan with detailed mitigation activities for each detected issue. Security Guidelines for General System Configuration.

20 SAP Specific Penetration Testing We conduct penetration tests which are looking for SAP specific weaknesses and areas of greatest vulnerability, including: Exposure of SAP Routers, (and sending payloads through them). Attacking SOAP RFC connections. Attacking the SAP Management Console (accessing both ABAP and Java processes). Attacking Netweaver SMB relay (thus facilitate escalation of privileges to that of the OS user). Brute-forcing the SAP Web UI logon. Exposure of SAP Internet Communication Framework (ICF) components and services.

21 SAP Specific Penetration Testing To view some recent examples of SAP penetration tests we have carried out, please see contact us for sanitised output from SAP specific penetration tests.

22 Contact Us: For an informal conversation to discuss your SAP cyber concerns, or to arrange an on-site no obligation meeting, please contact us at: Soteria Cyber Security Wyche Innovation Centre Walwyn Road Malvern Herefordshire. WR13 6PL