Introduction. Case for SAP Cybersecurity Framework

Transcription

1

2

3 Agenda 3

4 Introduction Case for SAP Cybersecurity Framework

5 Current state 5 ENTERPRISE SECURITY VULNERABILITY MANAGEMENT CISO NO EFFECTIVE OVERSIGHT SAP SECURITY SEGREGATION OF DUTIES NO VISIBILITY SLIPPED THROUGH THE CRACKS SAP BASIS IT OPERATIONS PATCHING SAP SYSTEMS COMPLEXITY CIO POOR INTEGRATION MONITORING SAP SYSTEMS

6 Future state 6 CISO CIO CRO ENTERPRISE SECURITY Vulnerability Management + Asset Management + Risk Management + Secure Development SAP SECURITY Segregation Of Duties + Data Security + Secure Architecture + Secure SAP BASIS Patching SAP systems + Incident Response + Mitigation + Improvements IT OPERATIONS Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage

7 History 7 EAS-SEC Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks Source:

8

9 SAP Cybersecurity Framework 9 Category Process Purpose Outcomes Implementation steps PREDICT Secure Development To ensure security during SAP systems development and acquisition Security Requirements Development Standards and Processes Security Plans 1. Develop basic security requirements for configuration of servers, networks, SAP applications and client stations 2. Create secure development standards and processes 3. Automate secure development processes

10 Implementation Tiers months 50% % 99% 6-12 months 12 months

11 PREDICT Understand SAP environment

12 Predict SAP Breaches 12

13 Asset Management 13 To communicate information about SAP assets, security category of the assets, rules of acceptable use and protection requirements Implementation: Create an Inventory of Assets Assess criticality of the assets Develop complete specification of the SAP systems Outcomes: Inventory of Assets Criticality Assessments Acceptable Use Requirements

14 Asset Management. SAP Systems 14 System ID Purpose Interconnected Systems System Criticality Responsib ility System Type Application Servers Clients Platform DM0 Supply chain management Internal: ERP, Internet: no; ICS: no; Partners: Partner1, Partner2 Mobile: no High John F. K. PROD :PRD SAP SCM 5.0 (NetWeaver AS 7.1 ABAP) ERP Enterprise Resource Planning Internal: HR1, HR2 Internet: no ICS: MES System Partners: no Mobile: no Low Mike. PROD :PRD SAP ECC 6.0 NetWeaver AS 7.3 ABAP CRM Customer Relationship management Internal: ERP Internet: yes ICS: no Partners: no Mobile: no Very High PROD :PRD SAP CRM 6.0 NetWeaver AS ABAP 7.0

15 How to use? Inventory of Assets 15 What information do we handle and what are the requirements? - Personal data (GDPR) - Financial information (GLBA) - Customer data, Contracts, Marketing How to plan and carry out security activities? - Patch Management - Risk Management - Vulnerability Management - Compliance What to secure in SAP? o SAP services: MMC, SAP Host Control can t be found in SOLMAN, 30+ o SAP components (CRM, BW, FI, ) set of ABAP programs, transactions and reports, 100+ o Web Applications, 1000+

16 Business Environment 16 To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships Implementation: Identify business context Prepare SAP Continuity Plans Maintain supplier catalogue Outcomes: Business Context SAP Continuity Plans Supplier Catalogue

17 Business Environment. Business Impact Analysis 17 Process Stakeholder SAP System Outage Impacts Estimated Downtime Pay vendor invoice Joseph R. ERP Costs: $ / day Operations: moderate Image: moderate MTD RTO RPO 72 hours 48 hours 12 hours (last backup) Hire to retire Dorothy F. HR Image: High 72 hours 48 hours 12 hours (last backup)

18 Supplier Risks 18 Do you know if your suppliers are protecting your company s sensitive data as diligently as you do? Require suppliers to implement specific SAP security controls Review data flows (RFC, XI, DB, SOAP, HANA DB, )

19 Governance 19 To develop cybersecurity policies, roles, responsibilities and procedures to ensure SAP cybersecurity is understood and integrated to organization operational and management processes Implementation: Establish SAP Cybersecurity Policy Develop SAP security processes Implement control procedures Outcomes: SAP Cybersecurity Policy SAP Security Processes Control Procedures

20 Governance Structure 20

21 Vulnerability Management 21 To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors Implementation: Regularly perform SAP security audits and penetration testing Repeatedly scan SAP systems for vulnerabilities, recommend and track remediations Monitor vulnerabilities, remediations and threats online from public and private sources and threat intelligence feeds Outcomes: Scan Plans Scan Profiles Remediation Plans

22 Vulnerability Management. Analysis 22 Remediation constraints: complete within 3 months address vulnerabilities with high risk remediation types: no kernel patch Priority: - ease of exploitation: availability of public exploit, need for preparation, need for credentials with special rights, etc. - impact of a successful exploitation: full disclosure and OS-level access or just revealing of technical data? - prevalence of the vulnerability among SAP systems - importance of the SAP systems with the vulnerability.

23 Vulnerability Management. Remediation Plan 23 Remediation Priority Vulnerability Vulnerability Risk Remediation Type Remediation 1 SSEA_ : External RFC server registration An attacker can use an insecure RFC configuration for registering his own RFC server. As result he will be able to control and intercept client requests as well as to copy and change information High Update configuration Effort level: medium (~2d, downtime 4h) To resolve this issue, it is recommended to configure the RFC server correctly Links: RFC/ICF Security Guide 2 SSCA_00130: SSL encryption for ICM connections Medium Update configuration Set the icm/server_port_nn parameter to PROT=HTTPS instead of PROT=HTTP to decrease the possibility of an unauthorized access No encryption of network connection may lead to interception of transmitted data, thus to an unauthorized access. The HTTP protocol transmits all authentication data as a plain text, which allows to intercept it easily with the spoofing attack. Effort level: easy (~4h, downtime 2h) 3 SSCA_00223: Central application server that maintains the system log Incorrect permissions on this file in the operating system can allow an attacker to modify the contents of the file in such a way to hide his tracks. Medium Update configuration Effort level: easy (~4h, downtime 2h) The administrator of the operating system must correctly set the access rights to the file according to the principle of least privileges. Links: BOOK "Security, Audit and Control Features (SAP ERP 3rd edition)" p. 413 check DOC rslg/collect_daemon/host - Central Log Host

24 Risk Management 24 To make decisions on addressing possible adverse impacts from the operation and use of SAP systems Implementation: Create threat model for SAP systems Assess likelihoods and estimate business impacts of cybersecurity risks Automate risk management and develop risk response plans Outcomes: Threat Model Risk Register Risk Responds

25 From SAP to Plant 25

26 Risk Management. Oil & Gas ERP Risks 26 SAP Module Asset Threat Consequences SCM Supply chain schema Rerouting supply chain HRM PM MII SCM HR data Oil and gas mining systems control data Field data Midstream and downstream assets Stealing employees data (personal, salary, experience, etc.) Disrupting SCADA logic and processes Stealing coordinates and volumes of exploratory and production wells Stealing information about equipment and transportation Theft of crude oil and refined products Identity theft, headhunting Service outage, equipment damage, workers injuries Losing competitive advantage Facilitating theft and sabotage PP Production line control data Disrupting SCADA logic and processes Production suspension SD Prices Stealing price formation schemas Losing partners FICO Finance transactions Creating fraud transactions Monetary losses

27 Secure Development 27 To ensure security during SAP systems development and acquisition Implementation: Develop basic security requirements to configuration of servers, networks, SAP applications and endpoints Create secure development standards and processes Automate secure development processes Outcomes: SAP Security Requirements Development Standards and Processes Security Plans

28 Secure Development. Code Vulnerability Usage 28 Type Cause Exploiter Code Injections Security ignorance Hackers Backdoors Missing authorization checks Obsolete statements Desire to simplify development Intent to control a system Negligence Natural obsolescence of code Developers Insiders Administrators (unintentionally)

29

30 Predict SAP Breaches 30

31 Further actions How to use SAP Cybersecurity Framework?

32 For Industry Assess your SAP security capabilities 2. Make business case for SAP security initiative 3. Conduct SAP security audit 4. Ensure compliance of SAP systems with GDPR/GLBA/PCI DSS requirements 5. Implement & automate relevant SAP security processes

33 For Consulting Include SAP systems in scope of your existing services GDPR audit ISMS implementation for SAP systems in scope Threat detection and SAP SIEM integration 2. Prove your selling proposition is unique with ROI of SAP security 3. Create a 360-degree image of an SAP security provider

34 34

35 Professional Services 35 Predict SAP data breach SAP Penetration Testing SAP Security Audit SAP Vulnerability Management as a Service

36 Thank you 36 Rex Tumminia Director of Sales, North America USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA Phone Michael Rakutko Head of Professional Services Join our group linkedin.com/groups/ Join our webinars erpscan.com/category/press-center/events/ Subscribe to our newsletters eepurl.com/bef7h1 EU: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam Phone erpscan.com