
Securing SAP Systems from Cyber Attacks

Cheryl Bogenschutz, Sr. Director, Advisory Services, itelligence Inc.


Emery Streit, Practice Manager, SAP Solution Manager, itelligence Inc.
Session ID # 82900

May 7 – 9, 2019
About the Speakers
Cheryl Bogenschutz
• Sr. Director, Advisory Services, itelligence, inc.
• Cheryl has been in IT leadership / CIO positions for over 30 years, focused on strategic initiatives to leverage technology to transform business processes, impacting the way the company, and sometimes the industry, operates
• Cheryl is an Adjunct Professor at the University of Cincinnati where she leads the CIO Forum Masters course
Emery Streit
• Practice Manager, SAP Solution Manager, itelligence, inc.
• Emery has over 20 years of IT experience with specific focus on IT Service Management and ITIL processes. Currently responsible for collaborating with customers on understanding the value and usage of SAP Solution Manager and its associated Application Lifecycle Management processes.
• Emery is an avid drone photographer and spends a lot of his free time with his DJI Mavic 2 Pro.
Key Outcomes/Objectives
1. Understand Potential Risks to SAP Systems
2. Identify Vulnerabilities within your SAP Systems
3. Understand SAP Patch Management to enhance
ongoing protection
Agenda
• Highlight real security concerns for SAP systems
• Understand potential vulnerabilities to your SAP
systems
• How to monitor and leverage SAP Security Patch
Management through SAP Solution Manager
• SAP Solution Manager Options
Real SAP System Security Concerns
• Hackers are actively attacking ERP applications
• Malware developed to attack the internal, "behind-the-firewall" ERP applications
• Nation-state sponsored actors have targeted ERP applications for cyber-espionage and sabotage
• Dramatic increase in exploits for SAP applications in dark web and cyber-crime forums
• Attack vectors mainly leverage known ERP vulnerabilities vs. zero-days
Real SAP System Security Concerns
• Invoker Servlet vulnerability (SAP NetWeaver Application Server Java; the subject of the US-CERT alert TA16-132A listed in the References)
  – Gives an attacker remote access to the system
  – No valid SAP user is needed: the attacker is unauthenticated
  – The attacker needs only a web browser and the domain name, hostname or IP address of the target SAP system
  – The fix is configuration, not only code: disable the invoker servlet on affected Java systems and apply the corresponding SAP Security Note

Real SAP System Security Concerns

The Department of Homeland Security issued an alert warning of rising hacker threats to ERP applications.

The report found "…100 percent increase of public exploits for SAP and Oracle ERP applications over the last three years, and a 160 percent increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017."

The report also found over 4,000 security patches for vulnerabilities in SAP applications. In fact, the researchers found about 50 exploits for SAP products that are being traded on the dark web. An attacker can exploit these vulnerabilities to obtain access to sensitive information.

"Our recommendation to all of our customers is to implement SAP security patches as soon as they are available - typically on the second Tuesday of every month - to protect SAP infrastructure from attacks."
-SAP spokesman
4/25/2019
Why the increase in SAP Security Concerns?
• Company competitive proprietary data
• Customer information
• Employee or Consumer's PII (personally
identifiable information)
• Physical assets are increasingly online
Understanding the SAP Security Risks/Impact
• Full control over SAP systems, bypassing any other SAP security controls
• Manipulation of data and data theft
• No traceability due to missing audit trail
• Unavailability of data and systems
Where are SAP System Security Vulnerabilities

• New Technology
• Cloud
• Patching
• Standard Security
• RFCs / Interfaces / Entire Landscapes
• IoT
Understand SAP System Security Vulnerabilities
• Over 4,000 SAP security patches released to date
  – Each security patch provides mitigation for one or more vulnerabilities.
• Organizations need a well-defined process in place to manage on-going mitigation
• A vulnerability remains exploitable in every system where its patch has been released but not yet applied
Applying Intelligence/Process to SAP Security
Patch Management
• Review, Assess and Categorize Software
Vulnerabilities and SAP Patches
– Common Vulnerability Scoring System (CVSS)
– Software Patch Priority
– Vulnerability Type
– Software Correction Type
SAP System Vulnerability Scoring System
• CVSS – Common Vulnerability Scoring System
  – Provides Standardized Vulnerability Severity Scores
  – Open Framework
  – Helps with Prioritization
  – SAP publishes the Base Score – the intrinsic and fundamental characteristics of a vulnerability, independent of any one landscape
  – Organizations should add their own risk assessment (exposure of the system, data it holds, compensating controls) on top of the Base Score
What Makes up an SAP Patch CVSS Score?
• CVSS v3 – Common Vulnerability Scoring System (0 – 10); the Base Score is derived from the following eight metrics
– Attack Vector (AV) – Network, Adjacent, Local, Physical
– Attack Complexity (AC) – Low, High
– Privileges Required (PR) – None, Low, High
– User Interaction (UI) – None, Required
– Scope (S) – Unchanged, Changed
– Confidentiality Impact (C) – None, Low, High
– Integrity Impact (I) – None, Low, High
– Availability Impact (A) – None, Low, High
How urgent is the SAP Software correction?
• Software Patch Priority
  – Hot News (CVSS 9.0 – 10.0)
  – Correction with High Priority (CVSS 7.0 – 8.9)
  – Correction with Medium Priority (CVSS 4.0 – 6.9)
  – Correction with Low Priority (CVSS 0.1 – 3.9)
What Type of SAP Software Vulnerability?
• Vulnerability Type (Examples)
– Cross-Site Scripting
– Implementation Flaw
– Information Disclosure
– Authorization Check
– Denial of Service
– Buffer Overflow
– SQL Injection
What type of SAP Patch?
• Correction Type
– Automatic ABAP Correction
– Manual ABAP Correction
– Kernel/JAVA/HANA New Install Notes
– Notes on Other Components
– Other Manual Instructions
SAP Security Notes per Month
(Chart of the number of SAP Security Notes released per month; figure not reproduced here.)

What is SAP Solution Manager – Unique Integration
• Solution Manager is the only tool that is integrated with all aspects of Application Lifecycle Management
• Modules work hand-in-hand together and Process Management is the foundation
• Solution Manager has a tight technical integration with the managed systems
(Diagram: the ALM modules arranged around Process Management – ITSM, Change Control Mgmt, Test Suite, Custom Code Mgmt, Business Process Monitoring, Data Volume Mgmt, Application Operations, Landscape Mgmt.)

© 2016 itelligence
Solution Manager Functionality
• Process Management – Single Source of Truth for Process and Technical Documentation. Define template for usage.
• Test Suite / BPCA / SEA – Testing and Change Impact Analysis tool to facilitate testing and identify impacted code due to a transport or upgrade.
• Change Control Mgt – Tools to ensure quality transport and deployment control. Governance of approval and release processes.
• Custom Code Mgt – Detailed analysis and transparency of custom code. Ensures quality and criticality are appropriate.
• IT Service Management – ITIL compliant Incident and Problem Management ticketing tool.
• Data Volume Mgt – Detailed analysis and transparency of your data footprint and consumption rates.
• Application Operations – Proactively identifies problems in your environment through monitoring and alerting.
• Business Process Ops – Monitor key business processes to ensure smooth operations and process improvement.

SAP Security Patch Management Service
• SAP Patch Day – SAP releases security patches on the second Tuesday of every month
• System Recommendations – Select system(s) to check for security patches. System Recommendations identifies relevant patches and urgent SAP Notes based on the actual status of the system and the SAP Notes already implemented
• Implementation Tools – An assessment of the impact of the relevant SAP Notes is provided, and the Notes are applied to the SAP system

System Recommendations – Unique Integration
• Uses Usage Logging data to display whether the note is changing objects in use
• Uses BPCA to calculate impact and do test scope optimization on each note
• Integrated with the Managed System to seamlessly download and implement into the managed system
• Uses ChaRM to seamlessly pass to the change management process
SAP Solution Manager System Recommendations
(Screenshot of the System Recommendations work center; not reproduced here.)
SAP Solution Manager Tools to Ensure Security Patches are Applied
• Configuration Validation – based on Target Systems
• Cross-System BW reporting based on System Recommendations
• Validate if selected notes have reached production systems
• Measure quality of patch processes
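The slide lists the checks without showing what "validate if selected notes have reached production" and "measure quality of patch processes" look like as logic. The following is an added example for this deck, not Solution Manager code: it takes a list of relevant Security Notes (number, priority, release date) and the set of notes implemented on each system of a DEV / QAS / PRD route, and reports notes missing in production, notes that were applied upstream but have not moved along the transport route, SLA breaches by priority, and a coverage ratio per system. All records are constructed in-memory samples; the note numbers are placeholders, not real SAP Note IDs, and the per-priority SLA in days is an assumed internal policy, not an SAP value.

```python
"""Reconcile SAP Security Notes against per-system note status across a landscape.

Added example; inputs are constructed records standing in for a note export and
the implemented-note list of each system (as SNOTE or System Recommendations
would report). Note numbers are placeholders, and SLA_DAYS is an assumed policy.
"""
from datetime import date

# Constructed sample: Security Notes relevant to this landscape.
NOTES = [
    {"note": "1000001", "priority": "Hot News", "released": date(2019, 3, 12)},
    {"note": "1000002", "priority": "High",     "released": date(2019, 3, 12)},
    {"note": "1000003", "priority": "Medium",   "released": date(2019, 4, 9)},
    {"note": "1000004", "priority": "Low",      "released": date(2019, 2, 12)},
]

# Constructed sample: notes already implemented per system.
IMPLEMENTED = {
    "DEV": {"1000001", "1000002", "1000003", "1000004"},
    "QAS": {"1000001", "1000002", "1000003"},
    "PRD": {"1000002"},
}

# Assumed internal policy: days allowed from Patch Day to production, by priority.
SLA_DAYS = {"Hot News": 14, "High": 30, "Medium": 90, "Low": 180}

TRANSPORT_ROUTE = ("DEV", "QAS", "PRD")


def missing_notes(notes, implemented, system):
    """Relevant notes not yet implemented on the given system."""
    return [n for n in notes if n["note"] not in implemented[system]]


def sla_breaches(notes, implemented, system, today):
    """Missing notes whose age since release exceeds the SLA for their priority."""
    breaches = []
    for n in missing_notes(notes, implemented, system):
        age = (today - n["released"]).days
        if age > SLA_DAYS[n["priority"]]:
            breaches.append((n["note"], n["priority"], age))
    return breaches


def stuck_in_transport(notes, implemented, route=TRANSPORT_ROUTE):
    """Notes implemented on one system but absent on the next one along the route:
    the correction exists but has not been transported forward."""
    stuck = []
    for upstream, downstream in zip(route, route[1:]):
        for n in notes:
            if n["note"] in implemented[upstream] and n["note"] not in implemented[downstream]:
                stuck.append((n["note"], upstream, downstream))
    return stuck


def coverage(notes, implemented, system):
    """Share of relevant notes implemented on a system (a patch-process quality metric)."""
    relevant = {n["note"] for n in notes}
    return len(implemented[system] & relevant) / len(relevant)


def report(notes, implemented, today):
    """Landscape summary: per-system coverage, production gaps and stuck transports."""
    return {
        "coverage": {s: coverage(notes, implemented, s) for s in implemented},
        "missing_in_prd": [n["note"] for n in missing_notes(notes, implemented, "PRD")],
        "prd_sla_breaches": sla_breaches(notes, implemented, "PRD", today),
        "stuck": stuck_in_transport(notes, implemented),
    }


if __name__ == "__main__":
    for key, value in report(NOTES, IMPLEMENTED, date(2019, 4, 25)).items():
        print(f"{key}: {value}")
```

Read against the slide's own wording: the "missing in PRD" list is the production validation, the "stuck" list is what Configuration Validation against a target system surfaces (the note is in QAS, so the transport exists, but release to PRD never happened), and the SLA breaches by priority are the quality measure. In the sample, the Hot News note has sat in QAS for 44 days, which is the finding a monthly review should escalate first.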
SAP Solution Manager Interface Monitoring
• Cross-system Connection Monitoring – RFC, HTTP, HTTPS, IDoc, Web Services
• Automatically generate the landscape topology for vulnerability discovery
• Continuously collect metrics on availability, usage (destinations), configuration and performance
• Standard handling processes through Guided Procedures
SAP Solution Manager Security Optimization Report
• Self Service
• Authentication Configuration
• Authorization Auditing
  – Basis Authorizations
  – Change Management Authorizations
  – User Authorizations

Solution Manager Options
Each option covers the same stack (Application, Data, O/S, Virtualization, Servers, Storage, Networking); what differs is who manages each layer.
• On-Premise – 1:1 Customer. Application and Data managed by customer; O/S, Virtualization, Servers, Storage and Networking managed by customer.
• Hosted – 1:1 Customer. Application and Data managed by customer; O/S, Virtualization, Servers, Storage and Networking managed by provider.
• SMaaMS (Solution Manager as a Managed Service) – 1:M Customers. Application and Data managed by provider; O/S, Virtualization, Servers, Storage and Networking managed by provider.

Solution Manager as a Managed Service
(Diagram: the managed Solution Manager connected via web services to on-premise or 3rd party hosted systems, the itelligence Cloud, SAP S/4HANA (On-Premise) and SAP S/4HANA Cloud; not reproduced here.)

Solution Manager as a Managed Service - Subscription
• Subscription to access a fully configured, cloud-based Solution Manager operated by certified consultants from itelligence (Run SAP Partner)
• Regular updates. Always current Solution Manager
• Value Added Reporting
• Application Lifecycle Management Roadmap Session
• Further Support from Process Consultants
• Leverage some or all functions with self or full service

Example Security Patch Management Service
• Description: The SMaaMS platform checks all relevant security notes/patches for customer systems, assesses impact and applies them to keep customer systems up to date.
• Customer Benefits:
  – Increase system security by keeping up to date with SAP Security patches
  – Reduce risk of compromised data through SAP-specific vulnerabilities
  – Detailed recommendations based on actual system usage and already implemented SAP Notes
• Process: Every 2nd Tuesday of the month, SAP releases Security Notes. Utilizing Solution Manager as a Service, consultants can:
  – Review released SAP security notes and patches
  – Run change impact analysis and provide the transactions and programs to be tested
  – Apply agreed-upon SAP Software Corrections to the agreed-upon environment
  – Provide advice on non-SAP Software Corrections
• Requirements:
  – Customer must be on an active SAP Maintenance contract
  – Customer must connect to the itelligence Solution Manager as a Service platform

Solution Manager as a Service – How to get started
• Visit our AddStore at http://goo.gl/3CGDCX
• Request a webinar or contact
SAP Security Patch Webinar Additional Information
• ASUG presents a Security Patch Day Webcast every month with SAP Security Expert Frank Buchholz!
• Planned dates for 2019 SAP Security Patch Days:
  – https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
• Summary of the critical security issues from past webinars delivered by our security expert since 2014:
  – https://support.sap.com/content/dam/support/en_us/library/ssp/offerings-and-programs/support-services/sap-security-optimization-services-portfolio/SAP_Security_Notes_Webinar.pdf
SAP Security Patch Webinar Additional Information
• Available for US customers via the Americas SAP User Group (ASUG)
  – First register with the ASUG here: https://www.asug.com/events#!/events/cal?keyword=Security&categories=webinar&startDate=2017-12-31&endDate=2018-02-11&period=month
  – Once registered you can join the ASUG Security SIG: https://discuss.asug.com/community/sig_communities/business_integration__technology_&_infrastructure/security_sig
  – Please check the ASUG Security SIG events calendar for dial-in details.
• Learn more on the Learning Hub. Only customers with one of the following maintenance agreements are eligible to access the support edition: SAP Enterprise Support, Cloud Edition, SAP Product Support for Large Enterprises (PSLE) and SAP Premium Engagement customers.
• You need to register for access to SAP's relaunched learning platform, SAP Learning Hub, to gain access to all learning resources: https://support.sap.com/en/offerings-programs/enterprise-support/enterprise-support-academy/learn.html
• A valid S-user is required to attend Expert Webinar sessions
References
• SAP Security Notes & News – https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
• SAP Security Patch Process – https://support.sap.com/content/dam/support/en_us/library/ssp/offerings-and-programs/support-services/sap-security-optimization-services-portfolio/AGS_Security_Patch_Process.pdf
• Common Vulnerability Scoring System Standards – https://www.first.org/cvss/specification-document
• Onapsis and Digital Shadows Research Report – https://www.onapsis.com/research/reports/erp-security-threat-report
• National Cybersecurity and Communications Integration Center Official Alert (TA16-132A) – https://www.us-cert.gov/ncas/alerts/TA16-132A
• Invoker Servlet – https://help.sap.com/saphelp_nw70ehp2/helpdata/en/bb/f2b9d88ba4e8459e5a69cb513597ec/frameset.htm
Take the Session Survey.
We want to hear from you! Be sure to complete the session evaluation on the SAPPHIRE NOW and ASUG Annual Conference mobile app.
Presentation Materials
Access the slides from 2019 ASUG Annual Conference here:
http://info.asug.com/2019-ac-slides
Q&A
For questions after this session, contact us at [email] and [email].
Let’s Be Social.
Stay connected. Share your SAP experiences anytime, anywhere.
Join the ASUG conversation on social media: @ASUG365 #ASUG