
In-depth View of SAP

CYBERSECURITY
INFORMATION AGE
• Disruptive Technology
• Ability to change existing business models.
• Allow you to do something better, faster, and cheaper.
• Internet is a major example.
• e-Commerce, e-Banking, e-Book, Social Media
• Netflix versus Blockbusters.
• Borders versus Amazon.
• With the advancement of PCs, tablets, smart phones and computers in every device => IoT. More fun with Blockchain & AI over the coming years.
WHAT DOES IT MEAN TO US

• Keep pace with technology

• Mindset to adopt and integrate with digital technology

• Benefits: Reduce waste (less paper), sustainable future, save time (searching/ archiving) & costs.

• Go Digital

• Most of us (individuals), businesses, Not for Profit organisations, government agencies have financial, personal (HR Payroll, bank account, address data) & procurement (purchasing/ invoices) and business-specific data/ information in digital form in various software/ applications (e.g. Excel, Word, ERP such as SAP/ Oracle, EDRMS etc.) = Digital Assets
PROTECTING OUR DIGITAL ASSETS

• Our Digital Assets

• Can be trade secret or sensitive financial or personnel info which can affect our stock
price or market value/ reputation or safety.

• May have negative impacts on Australia’s economic potential even at international level if leaked.

• SAP ERP

• A familiar name in town – used by major agencies such as Defence, DHS (Services Australia), Finance, Home Affairs, ATO, DFAT for delivering services from corporate functions to revenue collection to disbursements. Critical to what we do!

• DTA signed a WoG contractual agreement with SAP Australia on 29 September 2017.

• Rely on SAP platforms to handle their most critical business processes and information. Any criminal cyber attacks seeking to conduct espionage, sabotage, or financial fraud know that these systems contain the jewels in the crown.
BUSINESS CRITICAL

SAP ERP is business critical. If breached,

• Confidentiality
• Access to customers, vendors, HR, Finance (P&L, Balance
sheet)
• Integrity
• Alter information on Purchase orders, create new vendors and
bank account numbers etc.
• Availability
• Bring down SAP systems, interfaces with other systems
(customers, vendors) and sabotage critical information
A LITTLE BIT ABOUT SAP ERP

SAP Enterprise Resource Planning (ERP)

• Currently ECC 6.0

• Released in 2006

• Most recent EHP 8 for ECC 6.0 in 2016

• Interesting statistics

• For a Fortune 500 company, costs can easily exceed $100 million (range $50 million - $500 million).

• Large companies can also spend $50 million to $100 million on upgrades.

• Mid-sized companies (fewer than 1,000 employees) are more likely to spend around $10 million to $20 million at most.

(Figure: SAP Modules & Architecture snapshot)
A LITTLE BIT ABOUT SAP ERP

The Next Generation Business Suite (S/4 HANA) is here!

(Figure: timeline – SAP HANA 1.0 released, SAP HANA Cloud Platform released, SAP HANA Enterprise Cloud released; native SAP integration for hybrid cloud scenarios with Ariba, Concur, Fieldglass, hybris and SuccessFactors)
LET’S DEEP DIVE

Key Useful Points

• Change and Transport System (CTS)
• The CTS components play an important role in the overall development and customization environment.
• SAP Transport Management System (TMS) is a tool within SAP ERP systems to manage software updates, termed transports, on one or more connected SAP systems.
• CTS is an instrument for
• Administering & controlling new development requests.
• Managing transports
• Recording of where and by whom changes are made
• Configuring the system landscape.

(Figure: SOLMAN-managed transport landscapes, e.g. Dev → QAS → PRD and Dev → QAS → STG → PRD)
POTENTIAL ATTACKS

• Statement
• Most SAP Security settings are left by default and many of the default settings are not
secure.
• Rush for delivery and deadlines.
• Many SAP systems out there are not secure.
• SoD is necessary but it is not enough

• Some potential attacks


• SAP Solution Manager (SOLMAN)
• Gateway
• RFC connections
• SAP default users
SOLUTION MANAGER (SOLMAN)

• SAP Solution Manager (SOLMAN)


• Required in every SAP implementation
• Central point for administration of SAP systems
• Normally connected to multiple SAP systems within the organisation
• No business data, but technical info about all SAP systems
• Administrators (SAP Basis Team) connect to it
• Manage users, incidents, download and apply patches etc.
SOLUTION MANAGER (SOLMAN)

If an attacker breaks into it, all the connected systems will be compromised.

SOLMAN is highly dependent on the Gateway, and several servers are registered by default. If an attacker knows or can guess the TPNAME and the Gateway is not protected (the default)...
REMOTE FUNCTION CALL (RFC)

RFC
• Used to call function modules on remote systems.
• Can be called remotely and anonymously by default.
• Traffic sniffing
• SAP port scanning
• Most SAP services use a fixed range of ports.
• Common ports: 32XX, 3299
• SAP GUI configurations

(Figure: returns of info about a remote SAP Application Server using the RFC_SYSTEM_INFO function module)

Protection
• Restrict connections to the Gateway at the network level
• Protect against anonymous RFC calls
• Refer to SAP Note 931252
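The two gateway points above (SOLMAN's registered servers reachable by anyone who guesses the TPNAME, and restricting who may call through the Gateway) are both governed by the gateway's reginfo and secinfo ACL files. The following Python lint is an added example, not part of the presentation and not an SAP tool; it parses the documented VERSION=2 rule syntax (P/D lines with TP=, HOST=, USER=, ACCESS=, CANCEL=) and flags permissive entries. The sample files are constructed, and EXAMPLE_TP and the 10.0.0.5 address are placeholders.

```python
"""Lint SAP gateway ACL files (reginfo / secinfo) for permissive rules.

Added example, not from the presentation or from SAP. It reads the
documented VERSION=2 rule syntax: one rule per line, "P" (permit) or
"D" (deny) followed by KEY=VALUE pairs such as TP=, HOST=, USER=,
ACCESS=, CANCEL=. Rules are evaluated top-down and the first match
wins, so a permissive rule early in the file overrides later ones.
"""
from dataclasses import dataclass, field

SAFE_HOSTS = {"local", "internal"}  # gateway keywords: own host / own SAP system


@dataclass
class Rule:
    action: str                       # "P" (permit) or "D" (deny)
    attrs: dict = field(default_factory=dict)
    lineno: int = 0


def parse_acl(text: str) -> list[Rule]:
    """Parse reginfo/secinfo text into Rule objects; comments and blanks are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        action = action.upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {n}: unknown action {action!r}")
        attrs = {}
        for pair in pairs:
            key, _, value = pair.partition("=")
            attrs[key.upper()] = value
        rules.append(Rule(action, attrs, n))
    return rules


def lint_acl(text: str, kind: str) -> list[str]:
    """Findings for a reginfo (kind="reg") or secinfo (kind="sec") file."""
    rules = parse_acl(text)
    if not rules:
        return [f"{kind}info has no rules: gateway falls back to kernel defaults"]
    findings = []
    for r in rules:
        if r.action != "P":
            continue
        tp = r.attrs.get("TP", "*")
        host = r.attrs.get("HOST", "*")
        if tp == "*" and host == "*":
            findings.append(f"line {r.lineno}: permits any program (TP=*) from any host (HOST=*)")
        elif host == "*":
            findings.append(f"line {r.lineno}: TP={tp} is permitted from any host")
        elif tp == "*" and host not in SAFE_HOSTS:
            findings.append(f"line {r.lineno}: any program permitted from HOST={host}")
        # reginfo only: without ACCESS= the registered program is not limited to a client host list
        if kind == "reg" and host not in SAFE_HOSTS and "ACCESS" not in r.attrs:
            findings.append(f"line {r.lineno}: no ACCESS list, so any client may call TP={tp}")
    last = rules[-1]
    deny_all = (last.action == "D" and last.attrs.get("TP", "*") == "*"
                and last.attrs.get("HOST", "*") == "*")
    if not deny_all:
        findings.append("missing final 'D TP=* HOST=*' deny-all rule")
    return findings


# Constructed sample files (not taken from any real system).
WEAK_REGINFO = "#VERSION=2\nP TP=* HOST=*\n"
HARDENED_REGINFO = (
    "#VERSION=2\n"
    "P TP=* HOST=local\n"
    "P TP=EXAMPLE_TP HOST=10.0.0.5 ACCESS=internal,10.0.0.5 CANCEL=internal\n"
    "D TP=* HOST=*\n"
)
WEAK_SECINFO = "#VERSION=2\nP TP=* USER=* HOST=*\n"
HARDENED_SECINFO = "#VERSION=2\nP TP=* USER=* HOST=local\nD TP=* USER=* HOST=*\n"

if __name__ == "__main__":
    for name, text, kind in [("weak reginfo", WEAK_REGINFO, "reg"),
                             ("hardened reginfo", HARDENED_REGINFO, "reg"),
                             ("weak secinfo", WEAK_SECINFO, "sec"),
                             ("hardened secinfo", HARDENED_SECINFO, "sec")]:
        print(name, lint_acl(text, kind) or "OK")
```

Run it against a copy of the files from the gateway's work directory; a clean result means every permit rule names a host (or `local`/`internal`), registered programs carry an ACCESS list, and the file closes with an explicit deny-all so the kernel default never decides.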
SAP DEFAULT USERS

Public Info
• Existence of default SAP user accounts
• Many are configured with high privileged
profiles.
• Also, many SAP web portals are available. Just Google search “/bc/gui/sap”

Protection
• Default users must be secured.
• SAP* should be deactivated.
• Use report RSUSR003 to check default user
status.
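RSUSR003 reports, per client, whether the standard users still carry their initial passwords and whether they are locked. The Python audit below is an added example, not the presentation's content and not SAP's report; it runs the same kind of check over a constructed export. The lock bits follow USR02-UFLAG (64 = locked by administrator, 128 = locked after failed logons); the `default_password` flag is a constructed stand-in for RSUSR003's password comparison, and the client numbers and profile values are sample data.

```python
"""Audit SAP standard (default) users per client.

Added example, not from the presentation or from SAP's RSUSR003 report.
It checks, for each client of a constructed export: is SAP* locked, does
any standard user still have its initial password, and is the profile
switch login/no_automatic_user_sapstar set so that a missing SAP* master
record cannot be replaced by the kernel's built-in SAP* login.
"""
from dataclasses import dataclass

# Standard users delivered with an SAP system (SAP* exists in every client).
DEFAULT_USERS = ("SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM")
LOCK_BITS = 64 | 128   # USR02-UFLAG: 64 = admin lock, 128 = failed-logon lock


@dataclass(frozen=True)
class UserRecord:
    client: str
    name: str
    uflag: int              # USR02-UFLAG lock bits
    default_password: bool  # constructed: True if the initial password still works


def is_locked(rec: UserRecord) -> bool:
    return rec.uflag & LOCK_BITS != 0


def audit_default_users(records, profile) -> list[str]:
    """Return findings for the standard users across all clients plus the SAP* profile switch."""
    by_client = {}
    for rec in records:
        by_client.setdefault(rec.client, {})[rec.name] = rec
    findings = []
    for client in sorted(by_client):
        users = by_client[client]
        for name in DEFAULT_USERS:
            rec = users.get(name)
            if rec is None:
                # A client without an SAP* master record can fall back to the kernel SAP*.
                if name == "SAP*":
                    findings.append(f"client {client}: SAP* user master record missing")
                continue
            if rec.default_password:
                findings.append(f"client {client}: {name} still has its initial password")
            if name == "SAP*" and not is_locked(rec):
                findings.append(f"client {client}: SAP* is not locked")
    if profile.get("login/no_automatic_user_sapstar") != "1":
        findings.append("profile: login/no_automatic_user_sapstar is not set to 1")
    return findings


# Constructed export (not from any real system).
CONSTRUCTED_EXPORT = [
    UserRecord("000", "SAP*", 64, False),
    UserRecord("000", "DDIC", 0, False),
    UserRecord("000", "TMSADM", 0, True),
    UserRecord("066", "EARLYWATCH", 0, True),
    UserRecord("100", "SAP*", 0, True),
    UserRecord("100", "DDIC", 0, False),
]
CONSTRUCTED_PROFILE = {"login/no_automatic_user_sapstar": "0"}

if __name__ == "__main__":
    for f in audit_default_users(CONSTRUCTED_EXPORT, CONSTRUCTED_PROFILE):
        print(f)
```

Each finding maps to one remediation from the slide: lock SAP* in every client, change or remove the initial passwords, and set the profile parameter so SAP* cannot be re-enabled simply by deleting its master record.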
COMPLETE SAP ON AWS
HYBRID SAP ON AWS
CONNECT SAP SYSTEMS WITH SIEM

SIEM and SAP Enterprise Threat Detection

• Security Information and Event Management.
• Collects security event information throughout the IT landscape. SIEM products have been on the market for a long time.
• SIEM solutions are very good at the operating system and network level (virus scanner, IPS, IDS).
• Not one solution in the market can protect everything.
• Use in conjunction with SAP Enterprise Threat Detection to have a better picture.
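What SAP Enterprise Threat Detection adds to a SIEM is application-level context: which user, in which client, called which function module. The Python rule set below is an added example, not the presentation's content and not ETD or any SIEM product's logic; it evaluates three SAP-aware rules over constructed, pipe-separated events. The schema, hosts, user names and timestamps are all constructed placeholders; a real integration would map Security Audit Log and gateway log fields onto them.

```python
"""SAP-aware detection rules over normalised security events.

Added example, not from the presentation, from SAP Enterprise Threat
Detection or from any SIEM product.  Constructed event format:
    ts|system|client|user|event|host|func
Rules:
  R1  a standard user (SAP*, DDIC, ...) logs on from outside the admin host list
  R2  RFC_SYSTEM_INFO is called from a host that is not a known SAP system
  R3  three or more failed logons for one user within five minutes
"""
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}
ADMIN_HOSTS = {"10.0.1.10"}                    # constructed: Basis team jump host
KNOWN_SAP_HOSTS = {"10.0.2.20", "10.0.2.21"}   # constructed: other SAP systems, e.g. SOLMAN
FAILED_LOGON_THRESHOLD = 3
FAILED_LOGON_WINDOW = timedelta(minutes=5)


def parse_event(line: str) -> dict:
    """Split one constructed event line into a dict with a parsed timestamp."""
    ts, system, client, user, event, host, func = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "system": system, "client": client,
            "user": user, "event": event, "host": host, "func": func}


def detect(lines) -> list[tuple]:
    """Return (rule, user, host) alerts in the order the triggering events occur."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)   # (system, client, user) -> timestamps of recent failures
    for e in events:
        if e["event"] == "LOGON_OK" and e["user"] in DEFAULT_USERS \
                and e["host"] not in ADMIN_HOSTS:
            alerts.append(("R1", e["user"], e["host"]))
        if e["event"] == "RFC_CALL" and e["func"] == "RFC_SYSTEM_INFO" \
                and e["host"] not in KNOWN_SAP_HOSTS:
            alerts.append(("R2", e["user"], e["host"]))
        if e["event"] == "LOGON_FAIL":
            key = (e["system"], e["client"], e["user"])
            recent = [t for t in failures[key] if e["ts"] - t <= FAILED_LOGON_WINDOW]
            recent.append(e["ts"])
            if len(recent) >= FAILED_LOGON_THRESHOLD:
                alerts.append(("R3", e["user"], e["host"]))
                recent = []        # one burst yields one alert
            failures[key] = recent
    return alerts


# Constructed events (not real log data).
CONSTRUCTED_EVENTS = [
    "2024-05-01T09:00:00|PRD|100|JSMITH|LOGON_OK|10.0.5.15|",
    "2024-05-01T09:01:00|PRD|000|SAP*|LOGON_OK|10.0.5.15|",                 # R1
    "2024-05-01T09:02:00|PRD|100|JSMITH|RFC_CALL|10.0.2.20|RFC_SYSTEM_INFO",  # known SAP host
    "2024-05-01T09:03:00|PRD|100|-|RFC_CALL|10.0.5.99|RFC_SYSTEM_INFO",       # R2
    "2024-05-01T09:04:00|PRD|100|DDIC|LOGON_FAIL|10.0.5.99|",
    "2024-05-01T09:04:30|PRD|100|DDIC|LOGON_FAIL|10.0.5.99|",
    "2024-05-01T09:05:00|PRD|100|DDIC|LOGON_FAIL|10.0.5.99|",                # R3
    "2024-05-01T09:10:00|PRD|000|DDIC|LOGON_OK|10.0.1.10|",                  # admin host, no alert
    "2024-05-01T09:30:00|PRD|100|DDIC|LOGON_FAIL|10.0.5.99|",                # outside window
]

if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_EVENTS):
        print(alert)
```

R2 is the detection counterpart of the RFC_SYSTEM_INFO reconnaissance shown earlier: the call itself is legitimate between SAP systems, so the rule keys on the source host rather than on the function name alone.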
KEY TAKEAWAYS

Protection is better than Cure


• Configurations, custom code and transports
• SOLMAN, Gateway, RFC, SAP default users

Responsibility
• At country level, law enforcement bodies, GDPR
• At organisation level, collectively using policies, procedures, tech tools & applicable laws under respective jurisdictions, PCI DSS, HIPAA
• At individual level, education and training awareness in line with applicable legislation and the latest cybersecurity trends

ERP Checklist from US Government


• https://nvd.nist.gov/ncp/checklist/revision/2129
• http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
