The ERPScan Research team recently finished its series of blog entries on how to secure SAP systems from XSS vulnerabilities. Those entries proved to be a success, so I decided to launch a new series of articles, "SAP Security for CISOs". You don't need to be a CISO to benefit from reading these articles. They are also intended for everybody else who is into security but wants to know more about SAP security in particular and doesn't know where to start. This series will provide a step-by-step dive into SAP security for those who are taking their first steps in this amazing adventure. I will try to keep it less technical so that the basics are easy to understand. So all CISOs, security engineers, administrators, security consultants, penetration testers, researchers and even Basis teams are welcome to read this blog.
First of all, let me introduce myself and tell my story of growing from security researcher, pentester and consultant to SAP security expert. I think it may help you on your way to becoming an expert in this field too. I'm CTO and co-founder of ERPScan, a company providing services and solutions to assess and secure business applications such as SAP and Oracle from attacks and insider fraud. I'm also a founder and president of the EAS-SEC organization, which is focused on business application security.
My experience in SAP Security started in early 2007. At that time, I was an intern penetration tester at a consulting company and in my free time I was writing a book about Oracle Database security. This book was about to be finished and I was looking to dive into some other cybersecurity area, something as complex as database security or even more, when a sheer coincidence helped me understand what I would do in the future and have been doing till now.
During one of the penetration tests of a large oil organization, there was a server in our scope, and this server was called SAP. At that time, I was not aware of these systems and their security. For me it was just another box which I needed to exploit: get access to the OS, create a screenshot with root access and include it in the report along with hundreds of other servers. I also dreamed that access to this server would help me find information such as usernames or even passwords with which I would try to access the Domain Controller. That was the main target for this project, as well as for most similar projects.
When all the traditional tests, such as OS vulnerabilities, SSH brute force, public exploits for different services, and other typical ways to get unauthorized access, did not succeed, I tried to find some information about this system (which apparently was SAP ERP) from public sources. Unfortunately (or fortunately), there was almost nothing in the SAP security area except some articles about Segregation of Duties. All that was possible to find was some information about how to configure a user account to prevent it from executing two critical actions, such as creating a payment order and then approving it. But there was nothing about how an attacker can get access to SAP without having any rights, or how to analyze whether those vulnerabilities exist in the system. There was almost no information about public vulnerabilities except a couple of buffer overflows, again without any examples of working exploits. After that, I decided to explore this system myself, as I already had experience in discovering 0-day vulnerabilities in Oracle database, dozens of web applications and CMS systems. Surprisingly, it took me 15 minutes to find a 0-day vulnerability in this system, and I got full access to SAP. At that moment, for me it was just another "BOX" which I needed to "PWN", but the real understanding came later.
When we presented the results to management, they were very surprised that we were able to break such an important system, that it was quite easy to do, and that the system stored all the mission-critical data of their company. After that, I realized that the SAP system was something very critical for each company and that, surprisingly, nobody cared about its security, and I decided that I definitely should learn more about this system.
Later on, I found out that it was an ERP (Enterprise Resource Planning) system. According to Wikipedia, ERP is an integrated computer-based system used to manage internal and external resources including tangible assets, financial resources, materials, and human resources. I also understood that all business processes of an enterprise are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in the company's ERP. This information can include financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, and fraud or insider embezzlement may be very effective if targeted at the victim's ERP system and can cause significant damage to the business.
But ERP is just one example, since there are other systems which also store and process critical data, and they are also developed by SAP. The most popular are provided by SAP in SAP Business Suite, which consists of ERP, CRM, SRM, PLM, and SCM. Of course, SAP is not the only vendor that develops these types of products, but it's definitely the market leader. I found out that Oracle has a bunch of systems which provide similar functionality, such as Oracle E-Business Suite, Oracle JDE, and Oracle PeopleSoft. There are also less popular systems such as Microsoft Dynamics or Infor. Some companies may have all their business applications based on SAP, while others use a crazy mix of different solutions from various vendors that is very hard to manage.
All those large enterprise applications are connected with each other like a spider's web. It's not surprising: if you want to automate business processes, you have to connect different applications. For example, if you want to automatically generate an invoice in the SAP system and send money to a particular bank account via the banking system, you need to connect the ERP and banking systems. In reality, there are dozens of such connections, and all of them can be critical in terms of cybersecurity. Most importantly, those systems are connected not only inside the corporate network but also with partner networks or with other providers such as banks or insurance companies via the internet. Some of these systems are connected directly with the ICS/SCADA network, and unauthorized access to them can lead to industrial sabotage.
After I saw this whole new world of business applications, a world which was totally closed to most security experts, I understood the main idea: "Why would any smart attacker be interested in hacking the Domain Controller, network equipment or workstations, where defense is becoming smarter, if it's much easier to directly target enterprise business applications, which have weak to no security but provide the easiest way to commit fraud within a couple of mouse clicks?" This idea completely changed my conception of infrastructure security. It is these systems that store and process all critical data, and we should protect them first, while nowadays it is often the other way around.
I hope that this intro was informative and motivating enough for you to follow this series of articles. The next article will be a beginner's guide to SAP, so follow us on Twitter, LinkedIn and Facebook to get the latest information about our research.