One of the most critical SAP applications in terms of cyber attacks is SAP Portal, which is based on J2EE engine because it is usually available from the Internet and provides access and connections to other internal SAP and legacy systems. It is necessary to increase awareness in this area, especially after the Anonymous attack on Greece Government where an SAP 0-day vulnerability probably was used, but are you sure that your system has not been compromised? If we talk about SCADA attacks, they are mostly focused on sabotage, which is easy to recognize; attacks on financial systems like banking are focused on money stealing; but if we talk about SAP, the most critical attack is probably espionage, and it is hard to understand if there was espionage because there is no direct evidence of compromise except logs. In this talk, the security architecture of Portal itself and custom applications like iViews will be reviewed, and we will demonstrate how SAP Portal can be attacked. But the main area of the talk will be focused on forensics and finding attack patterns in logs traces and other places to understand if it is possible to completely reverse complex attack patterns. Finally, we will look at how an attacker can try to hide their attacks and how it is possible to deal with it.
There have been a lot of talks covering attacks, but now we will move to the understanding of how to deal with them in the cyber-crime era.SAP Portal Hacking and Forensics at Confidence 2013