Alexander Polyakov CTO ERPScan

Invest in security to secure investments
ERP Security. Myths, Problems, Solutions
Alexander Polyakov, CTO, ERPScan

About ERPScan
- The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
- Leader by the number of acknowledgements from SAP (150+)
- 60+ presentations at key security conferences worldwide
- 25 awards and nominations
- Research team: 20 experts with experience in different areas of security
- Headquarters in Palo Alto (US) and Amsterdam (EU)

Intro
ERP (Enterprise Resource Planning) is an integrated computer-based system used to manage internal and external resources, including tangible assets, financial resources, materials, and human resources. (Wikipedia)

Intro
Business applications like ERP, CRM, SRM and others are one of the major topics within the scope of computer security: these applications store business data, and any vulnerability in them can cause a significant monetary loss or even a stoppage of business.

Main Problems in ERP Security
- Complex structure (complexity kills security)
- Inside a company (closed world)
- Different vulnerabilities at all levels
- Rarely updated: administrators are scared that systems can be broken during updates

Myths
Myth 1: Business applications are only available internally, which means there is no threat from the Internet
Myth 2: ERP security is a vendor's problem
Myth 3: Business application internals are very specific and not known to hackers
Myth 4: ERP security is all about SOD

Myth 1: Business Applications are Only Available Internally
Top management point of view: this myth is popular for internal corporate systems, and people think that these systems are only available internally.
Real life: yes, maybe in the mainframe era with SAP R/2, and in some implementations of R/3, you could use SAP only internally, but not now, in the era of global communications. As a minimum you need integration with:
o Other offices
o Customers and suppliers
o For SAP systems, the SAP network
Even if you do not have a direct connection, there are user workstations connected to the Internet.

Myth 1: Business Applications are Only Available Internally
It is necessary to bring together people who understand ERP security and people who understand the Internet, e-mail and the security of web services.

Myth 1: Business Applications are Only Available Internally

Myth 2. ERP Security is a Vendor's Problem
From the point of law: the vendor is NOT responsible for the vulnerabilities in their products. Business application security is the client's problem.

Myth 2. ERP Security is a Vendor's Problem
Vendor problems:
1. Program errors
2. Architecture errors
Client problems:
3. Implementation architecture errors
4. Defaults / misconfigurations
5. Human factor
6. Patch management
7. Policies / processes / etc.
From the technical point of view: there can be many failures even if the software itself is secure.

Myth 3. Business Application Internals are not Known to Hackers
Current point of view:
- Mostly installed inside a company
- Not as popular among hackers as Windows or Apple products
- Closed world
- Security through obscurity

Myth 3. Business Application Internals are not Known to Hackers
Real life:
- Popular products are under attack by hackers, and are becoming more and more secure
- Business applications WERE closed, but over the last 5 years they have become more and more popular on the Internet
- They have also become popular with hackers and researchers (shown in the statistics later)
- Unfortunately, their security level is still where it was 3-5 years ago
- Now they look like a defenseless child in a big city

Myth 4. ERP Security is All about SOD
Current point of view: many people, especially ERP people, think that security is all about SOD.
Real life:
- Setting up AD access control does not give you a secure infrastructure
- Buying a new engine for your car every year will not help you if you simply puncture a wheel
- Also recall the Sachar Paulus interview, which says: "other threat comes from people connecting their ERP systems to the Internet"

Myth 4. ERP Security is All about SOD
An ERP system with secure SOD and nothing else is much like spending all your money on video systems and biometric access control while leaving the back door open for the housekeepers.

Myth 4. ERP Security is All about SOD
Top 10 Application Implementation Problems (OWASP-EAS EASAI Top 10), with criticality and whether the problem is exploitable remotely or only locally:
1. Lack of patch management: CRITICAL, REMOTE
2. Default passwords for application access: CRITICAL, REMOTE
3. SOD conflicts: CRITICAL, LOCAL
4. Unnecessary enabled application features: HIGH, REMOTE
5. Open remote management interfaces: HIGH, REMOTE
6. Lack of password lockout/complexity checks: MEDIUM, REMOTE
7. Insecure options: MEDIUM, REMOTE
8. Unencrypted communications: HIGH, REMOTE
9. Insecure trust relations: MEDIUM, LOCAL
10. Guest access: MEDIUM, REMOTE

Problems

ERP Security Problems
Development: architecture, program errors
Implementation: architecture, configuration, patch management, policies, awareness
Control: policies, security assessment, awareness, SoD, overall system security

Development Problems
Languages and technologies by platform:
- SAP: own technologies (ABAP/BSP); Java (jsp/servlets/ejb/j2ee/rmi); web (html/js); other (C/wbs/sql)
- Oracle: own technologies (BPEL/PLSQL); Java (jsp/servlets/ejb/j2ee/rmi); web (html/js/cgi); other (C/wbs/sql)
- PeopleSoft: own technologies (PeopleCode/PLSQL); Java (jsp/servlets/ejb/j2ee/rmi); web (html/js/cgi); other (C/wbs/sql)

Implementation Problems
- Different databases
- Different architecture
- Different OS
- Different product versions
- Huge amount of customization

Different Architecture
- Different mandants (SAP clients) on different instances on different physical servers
- Can be DEV, TEST or PROD
- Can have different modules such as SRM/PLM/CRM/ERP, connected in different ways to the system itself and to other systems
- Different DMZ / terminal server installations
- Add IM/LDAP/AD and other solutions to the architecture
- And even more

Different OS
OS popularity for SAP: Windows NT 28%, AIX 25%, Linux 19%, SunOS 13%, HP-UX 11%, OS/400 4%

Different Platforms
ABAP or Java or BusinessObjects. ABAP alone can be:
- SAP R/3 4.6
- SAP R/3 4.7 Enterprise
- SAP NetWeaver 6.4
- SAP NetWeaver 7.0
- SAP NetWeaver 7.2
- SAP NetWeaver 7.3
- Also add-ons
- Also industry solutions

Great Amount of Customization
- Approximately 40-60% of an ERP is custom code, with its own vulnerabilities
- There can also be many custom items: authorization objects, authorizations, roles, transactions, programs, etc.
- If you have customized the system, you must have customized security solutions too, which is much harder than checklist-like solutions

Solutions

How to Make a Secure ERP System in 5 Steps
1. Develop secure software
2. Implement it securely
3. Teach administrators
4. Increase user awareness
5. Control the whole process

Introducing OWASP-EAS
- Develop secure software: OWASP Enterprise Business Application Security Vulnerability Testing Guide v0.1
- Implement it securely: Enterprise Business Application Security Implementation Assessment Guide
- Teach administrators: our trainings
- Increase user awareness: SAP Security in Figures report
- Control the whole process: tools

Introducing OWASP-EAS
We need guides for developers and vulnerability testers to assess enterprise applications.
Sources:
- OWASP: good, but focused mainly on web vulnerabilities
- WASC: good, but focused on web
- SANS 25: good, but not about ERP
- CWE: good, but too big
- OSSTMM: good, but focused on assessing systems, not software
- SAP/Oracle security guides: good, but too much information
Result: OWASP-EAS Enterprise Business Application Security Vulnerability Testing Guide v0.1

Introducing OWASP-EAS
1. Analyze the most popular vulnerabilities in enterprise systems
2. Create a Top 10 list
3. Collect information about examples, threats and countermeasures
4. Release the guide
5. After a year, go back to step 1

Enterprise Application Security Vulnerability Testing Guide

Top 10

Examples
XSS: there is an unlimited number of XSS issues in SAP; the latest one is at http://erpscan.com
Information disclosure:
- Oracle Financials: /pls/dad/find_web.ping, /OA_HTML/jsp/fnd/fndping.jsp
- SAP NetWeaver: /sap/public/info

Examples of Network Security
Improper access control / traversal (SAP NetWeaver):
- RFC functions can be called remotely
- You need a user and a password
- ALMOST ALL SAP administrators do not change the password for the user SAPCPIC
- Using its credentials we can call the function that tries to read a file on our SMB share
- Gotcha! Hashes are stolen

Top 10 Frontend Vulnerabilities

Examples of Frontend Vulnerabilities
Buffer overflow:
- Can be exploited to gain remote access to the user
- Also format string and memory corruption
- The latest one is at http://www.exploit-db.com/exploits/14416/
- NEW vulns are being patched now; soon at http://erpscan.com/
- Other ERPs are vulnerable as well

Examples of Frontend Vulnerabilities
Hard-coded passwords (some ERPs; we don't spell names):
- Very dangerous: a fat client with hard-coded passwords to the database
- Access rights are checked on the client side
- Exploited to gain remote access to the user
- Exploited simply by sniffing the database connection and connecting directly with the stolen password
- As a result we are DBA on the database

Enterprise Business Application Security Implementation Assessment

Enterprise Application Security Implementation Assessment
Building a secure application is not enough. You also need to securely:
- Install it
- Configure it
- Manage it

Enterprise Application Security Implementation Assessment
1. Analyze the most critical areas of misconfiguration
2. Group them
3. Create a Top 10 list
4. Collect information about examples, threats and countermeasures
5. Release the guide
6. After a year, go back to step 1

Enterprise Application Security Implementation Assessment

Network and Architecture

Examples of Network Security
Capture SAP traffic (packets with SYN or FIN set, destined to the SAP dispatcher ports 32xx and message server ports 36xx):
tcpdump -n -i eth0 'tcp[13] & 3 != 0 and ((tcp[2:2] >= 3200 and tcp[2:2] < 3300) or (tcp[2:2] >= 3600 and tcp[2:2] < 3700))'
- Find a user and decode the password. The user has access to an XI system without business data
- Use the SM59 transaction, which shows all RFC connections. Only one connection, to an HR system, with hard-coded credentials was found
- The credentials were those of the remote RFC user created for data exchange
- This user, called ALEREMOTE, had SAP_ALL privileges

Operating Systems

OS Vulnerabilities: Access to Critical Files
There are many critical files on an SAP server that can be used by an unprivileged user to gain access to the SAP application:
- Database files (data + encrypted Oracle and SAP passwords): /oracle/<dbsid>/sapdata/system_1/system.data1
- SAP config files (encrypted passwords): /usr/sap/<sapsid>/<instance ID>/sec/*, /usr/sap/<sapsid>/<instance ID>/sec/sapsys.pse
- Configtool config files (encrypted database password): \usr\sap\dm0\sys\global\security\data\secstore.properties, \usr\sap\dm0\sys\global\security\data\secstore.key
- J2EE trace files (plaintext passwords): /usr/sap/<sapsid>/<instanceid>/j2ee/cluster/dispatcher/log/defaulttrace.0.trc
- ICM config files (encrypted password): \usr\sap\dm0\sys\exe\uc\nti386\icmauth.txt
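As an added example that is not part of the original slides, the following POSIX shell script audits the files listed above for permissions that let any local user read them. SAPSID, DBSID, INSTANCE and the kernel platform directory are assumed placeholder values, and the Windows paths from the slide are mapped to their Unix equivalents.

```shell
#!/bin/sh
# Added example (not from the original slides): report SAP server files that
# hold password material and are readable by every local user.
# Assumptions: SAPSID, DBSID, INSTANCE and KERNEL_PLATFORM are placeholders
# for the real system; the Windows paths on the slide are given here in their
# Unix form (the slide's nti386 directory is the Windows kernel platform).
SAPSID="${SAPSID:-DM0}"
DBSID="${DBSID:-DM0}"
INSTANCE="${INSTANCE:-DVEBMGS00}"
KERNEL_PLATFORM="${KERNEL_PLATFORM:-linuxx86_64}"

# One path per line: DB data file (hashes), PSE key store, J2EE secure store
# (properties + key), J2EE trace log (plaintext passwords), ICM auth file.
sap_critical_files() {
    cat <<EOF
/oracle/$DBSID/sapdata/system_1/system.data1
/usr/sap/$SAPSID/$INSTANCE/sec/sapsys.pse
/usr/sap/$SAPSID/SYS/global/security/data/SecStore.properties
/usr/sap/$SAPSID/SYS/global/security/data/SecStore.key
/usr/sap/$SAPSID/$INSTANCE/j2ee/cluster/dispatcher/log/defaultTrace.0.trc
/usr/sap/$SAPSID/SYS/exe/uc/$KERNEL_PLATFORM/icmauth.txt
EOF
}

# Exit 0 when FILE exists and is readable by "others". Group read is left
# alone: sapsys normally contains only the SAP and DB owner accounts.
# Parses ls -ld so it works where GNU and BSD stat(1) flags differ.
is_world_readable() {
    [ -e "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)   # e.g. -rw-r--r--
    case "$perms" in
        ???????r*) return 0 ;;          # position 8 is the "other" read bit
    esac
    return 1
}

# Walk the list; print one line per file and return 1 if anything is
# world-readable. Missing files are reported, not treated as findings,
# because kernel and DB layouts differ between installations.
audit_sap_files() {
    rc=0
    for f in $(sap_critical_files); do
        if [ ! -e "$f" ]; then
            printf 'MISSING  %s\n' "$f"
        elif is_world_readable "$f"; then
            printf 'FINDING  %s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
            rc=1
        else
            printf 'OK       %s\n' "$f"
        fi
    done
    return $rc
}

audit_sap_files
```

Run it as the SAP administrator on each application server; any FINDING line is a file that should be tightened to owner-only access.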

Database Vulnerabilities

Examples of Database Vulnerabilities
Unnecessary enabled services: any database has them by default
o Oracle: UTL_FILE, UTL_HTTP, UTL_TCP, etc.
o MSSQL: master..xp_dirtree \\fakesmb\share
o Can be used to steal credentials
o ! ERPs run the database under their own service credentials, not under Network Service

Application Vulnerabilities

Examples of Application Vulnerabilities
Default passwords: any ERP installs with predefined passwords
o For the application
o For the database
o Sometimes for the OS
Most of them are well known; they will be published at OWASP.

SAP default passwords
For application:
For database: SAPR3/SAP, plus Oracle defaults in the older versions

PeopleSoft default passwords
For application (many): FEDTBHADMN1/FEDTBHADMN1, FEDTBHADMN1/FEDTBHMGR01, FEDTBHMGR02/FEDTBHMGR02, HAM/HAM, etc.
For database: Peop1e/Peop1e, PS/PS, Sysadm/sysadm, plus Oracle defaults in the old versions

Oracle EBS default passwords
For application (many): ANONYMOUS, APPMGR, ASGADM, ASGEST, AUTOINSTALL, FEDER SYSTEM, GUEST, ADMIN, IBEGUEST, IEXADMIN, SYSADMIN, etc.
For database: OUTLN, SYSTEM, MDSYS, CTXSYS, AOLDEMO, APPLSYS, APPS, APPLSYSPUB, OLAPSYS, SCOTT, PO

Examples of Application Vulnerabilities
Remote management interfaces: an SAP example (others have the same problems)
- There is web RFC access; Google it: /sap/bc/webrfc
- All RFC features are possible
- Plus something more, including DoS/SMB relay
- Details later on http://erpscan.com
- Remote pwnage is possible

Frontend Vulnerabilities

Lack of encryption (in SAP)

Examples of Frontend Vulnerabilities
Insecure distribution service: an SAP example (others have the same problems)
- SAPGUI is often distributed from a corporate file server
- Often this share is available to any user
- Configuration files and distributives can be overwritten: insert a Trojan, redirect to fake servers
- The same problems arise when using terminal services

Increase Awareness

Enterprise Application Vulnerability Statistics 2009
This document shows the results of statistical research in the business application security area made by ERPScan and the OWASP-EAS project. Its purpose is to raise awareness about enterprise business application security by showing the current number of vulnerabilities found in these applications and how critical they can be.
Analyzed systems: ERP systems, business frontend software, database systems, application servers
Analyzed resources: http://securityfocus.com, http://exploit-db.com, http://cwe.mitre.org, http://cvedetails.com, http://oracle.com, http://sdn.sap.com, http://ibm.com

Enterprise Application Vulnerability Statistics
More than 150 vulnerabilities per year

Enterprise Database Vulnerability Statistics

SAP Vulnerabilities Growing

Growing Interest
- The number of found vulnerabilities grows (greetings to all companies in the application security area)
- The number of talks about ERP security at conferences grows: 2006 (1), 2007 (1), 2008 (2), 2009 (3), 2010 (10!)
- Companies also pay more attention to this area
- The SAP security response team is growing every year
This area is becoming popular. We really need automatic tools for ERP security assessment, for pentesters and for administrators.

Need for Automation
What we have done:
- Sapsploit and Sapscan: tools for pentesting and trojaning SAP users
- ERPSCAN Online: free service for assessing SAP frontend security
- ERPSCAN Security Scanner for SAP: enterprise application for solving the full range of problems in SAP solutions

ERPSCAN Security Scanner for SAP
- Corporate scanner for assessing the security of SAP systems
- Checks for misconfigurations, public vulnerabilities, 0-days, compliance with standards and metrics
- Checks both ABAP and Java instances, more than 400 checks
- Whitebox scanning to prevent possible damage
- Additional engine for checking existing vulnerabilities without exploiting them
- Extended knowledge base for all checks, with detailed descriptions and countermeasures collected by ERPScan experts
ERPSCAN.COM

Conclusion about ERP Security
- ERP security is not a myth
- It is becoming more popular with BlackHats and WhiteHats
- There is a need to create guidelines and increase awareness in this area
- OWASP-EAS calls for volunteers with a background in this area
- ERP security is very complex; if you are ready to do it 24/7, then do it
- If you cannot, leave it to professionals