Ethical Hacking in SAP
The temporary inaccessibility in October of the websites of popular online services such as Twitter, Spotify, Reddit or PayPal, the recently disclosed theft of 500 million customer records from Yahoo in 2014, the repeated cyber attacks on websites of the Federal Chancellery and the Bundestag: there is no shortage of news about incidents that point to the vulnerability of our thoroughly digitized world.
More than ever, therefore, companies are required, out of self-interest but also by the legislature, to protect the IT, communication and control technology infrastructures of their organizations.
Two years ago, the Ettlingen-based municipal utility (Stadtwerke Ettlingen) commissioned a self-test. Within two days, a contracted IT expert succeeded in "hacking" into the utility's network and taking control of the control room.
"Ethical hacking", as the expert's approach in Ettlingen is also known, is regarded as a proven means of obtaining a realistic picture of how effective one's own technical and organizational security measures actually are.
In the security checks performed by BTC, for example, subject matter experts certified as "Ethical Hackers" evaluate the hazard potential of IT environments.
To do so, they simulate the procedures and tools of criminal hackers in order to detect security vulnerabilities in critical areas before they are actually exploited in malicious attacks.
SAP: Complexity creates attack surfaces
The evaluation of the results of the security checks BTC has carried out in companies shows that it is often small technical and organizational weaknesses that make the hackers' life, or more precisely their work, easier.
Frequently encountered shortcomings include roles and responsibilities for processes and systems that are not clearly defined from a security perspective, and the absence of an institutionalized central responsibility for security.
In SAP environments, for example, mission-critical production systems often share a network segment with less critical office applications, so that a compromised office workstation can reach the application servers' SAP ports (dispatcher, gateway and message server on 32NN, 33NN and 36NN for instance number NN) directly, without passing through any firewall.
Passwords are a perennial topic. Penetration tests show that, especially on SAP systems used for development or quality assurance, passwords are too simple and/or accounts are still in use with their preset access data (default credentials).
Authorizations and group memberships that are assigned once and then neither deleted nor changed when jobs or tasks change also pose a recurring risk.
This can lead to the (not so) amusing consequence that apprentices or trainees who rotate through several departments end up owning the most access rights of anyone.
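The two findings above (accounts still usable with default credentials, and authorizations that survive a job change) are the kind of thing a security check scores first. The following Python audit is an example added to this article, not BTC's or SAP's tooling: it runs over a constructed user/role export whose record layout is a simplification (not SAP's USR02 or AGR_USERS tables), and every system, user and role name in it is invented sample data. The standard account names are the real ones every SAP pentest tries.

```python
"""Audit a constructed SAP user/role export for the two findings described in
the text: standard accounts still usable with default credentials, and role
assignments that were never revoked after a user moved to another department.

Example code added to this article (not BTC's or SAP's tooling). The record
layout is a constructed simplification, not SAP's USR02/AGR_USERS tables,
and all systems, users and roles below are invented sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Standard SAP accounts that ship with well-known default passwords and are
# checked by every SAP penetration test.
STANDARD_ACCOUNTS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}


@dataclass(frozen=True)
class User:
    system: str       # SAP system ID (constructed: DEV, QAS, PRD)
    client: str
    name: str
    dept: str         # department the user currently works in
    dept_since: date  # date of the most recent department change
    locked: bool      # account locked by the administrator
    default_pw: bool  # password unchanged from its initial/default value


@dataclass(frozen=True)
class RoleAssignment:
    system: str
    user: str
    role: str
    owner_dept: str   # department whose business process the role serves
    assigned_on: date


# Constructed sample export.
USERS = [
    User("DEV", "100", "SAP*", "BASIS", date(2014, 1, 1), locked=False, default_pw=True),
    User("QAS", "200", "DDIC", "BASIS", date(2014, 1, 1), locked=False, default_pw=True),
    User("PRD", "100", "SAP*", "BASIS", date(2014, 1, 1), locked=True, default_pw=False),
    User("DEV", "100", "TESTUSER", "DEV", date(2015, 5, 1), locked=False, default_pw=True),
    User("PRD", "100", "MUELLER", "FINANCE", date(2012, 3, 1), locked=False, default_pw=False),
    User("PRD", "100", "TRAINEE1", "SALES", date(2016, 9, 1), locked=False, default_pw=False),
]

ROLES = [
    RoleAssignment("PRD", "MUELLER", "Z_FI_POST_DOCUMENTS", "FINANCE", date(2012, 3, 1)),
    RoleAssignment("PRD", "TRAINEE1", "Z_FI_POST_DOCUMENTS", "FINANCE", date(2016, 1, 10)),
    RoleAssignment("PRD", "TRAINEE1", "Z_HR_MASTER_DATA", "HR", date(2016, 5, 2)),
    RoleAssignment("PRD", "TRAINEE1", "Z_SD_ORDER_ENTRY", "SALES", date(2016, 9, 1)),
]


def default_credential_findings(users):
    """Accounts an attacker can log into with a guessed default password:
    unlocked standard accounts and any other user still on the initial password."""
    findings = []
    for u in users:
        if u.locked or not u.default_pw:
            continue
        reason = ("standard account with default password" if u.name in STANDARD_ACCOUNTS
                  else "initial password never changed")
        findings.append((u.system, u.client, u.name, reason))
    return findings


def stale_authorization_findings(users, roles):
    """Role assignments that belong to another department's process and were
    granted before the user's latest department change, i.e. never revoked."""
    current = {(u.system, u.name): u for u in users}
    findings = []
    for r in roles:
        u = current.get((r.system, r.user))
        if u is None:
            continue
        if r.owner_dept != u.dept and r.assigned_on < u.dept_since:
            findings.append((r.system, r.user, r.role, r.owner_dept, u.dept))
    return findings


def role_counts(roles):
    """Distinct roles per user, most privileged first. After a few rotations
    the trainee typically tops this list."""
    per_user = defaultdict(set)
    for r in roles:
        per_user[(r.system, r.user)].add(r.role)
    return sorted(((k, len(v)) for k, v in per_user.items()),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for f in default_credential_findings(USERS):
        print("DEFAULT-CREDENTIAL", *f)
    for f in stale_authorization_findings(USERS, ROLES):
        print("STALE-AUTHORIZATION", *f)
    print("ROLE-COUNTS", role_counts(ROLES))
```

On the sample data the locked SAP* in production is correctly ignored, while the unlocked SAP*, DDIC and TESTUSER accounts on the development and QA systems are reported, as is the trainee who still carries the Finance and HR roles from earlier rotations. In a real landscape the input would be the user and role assignment exports of every system and client, and the department history would come from HR.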
The growing complexity, especially of SAP infrastructures, further increases the exposure created by negligent configuration, for example when patches or updates for operating systems, web servers, databases and/or the SAP software itself are not applied.
How persistent even well-known flaws can be is shown by the Invoker Servlet. A security vulnerability (CVE-2010-5326) in this component of the Java server in SAP NetWeaver prompted the US-CERT (United States Computer Emergency Readiness Team) in May of this year to issue an official warning regarding SAP software for the first time.
Mind you, this is a problem that has been known for six years, and although a patch has been available for a long time, it was still found in the infrastructures of at least 36 organizations worldwide.
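Checking for this one does not require an exploit. The Python example below is added to this article and is not SAP's or US-CERT's tooling; it shows the two offline checks a practitioner would run: whether a Java engine's servlet_jsp properties still enable the invoker servlet (the `EnableInvokerServlet` property is the one SAP Note 1445998 tells administrators to set to false), and whether an HTTP access log contains requests that reached servlets through the `/servlet/<fully.qualified.Class>` URL scheme, which only the invoker servlet serves. The property file layout, the log lines (Apache common log format) and the `com.example` application and class names are constructed sample data, not real SAP paths.

```python
"""Two offline checks for the Invoker Servlet: whether a Java engine's
servlet_jsp properties still enable it, and whether an HTTP access log shows
requests reaching servlets through the /servlet/<fully.qualified.Class> path
that only the invoker servlet serves.

Example code added to this article, not SAP's or US-CERT's tooling. The
property name EnableInvokerServlet is the one SAP Note 1445998 tells
administrators to set to false; the property file format, the log lines and
the application/class names below are constructed sample data.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "client path servlet_class status")

# A request to an application context root followed by /servlet/ and a dotted
# Java class name: the invoker servlet's URL scheme. Ordinary paths such as
# /servlet/images/logo.png have no dotted class name and are not matched.
INVOKER_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|POST|HEAD) (?P<path>\S*?/servlet/'
    r'(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)\S*) HTTP/\d\.\d" '
    r'(?P<status>\d{3})'
)


def invoker_servlet_enabled(properties_text):
    """Parse key=value lines of the servlet_jsp service properties.
    Returns True/False for an explicit setting and None if the property is
    absent; older releases enabled the invoker servlet by default, so None
    must be treated as a finding, not as 'fixed'."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "EnableInvokerServlet":
            return value.strip().lower() == "true"
    return None


def find_invoker_requests(log_lines):
    """Return every request that used the invoker servlet URL scheme."""
    hits = []
    for line in log_lines:
        m = INVOKER_RE.match(line)
        if m:
            hits.append(Hit(m["client"], m["path"], m["cls"], int(m["status"])))
    return hits


def served_invoker_requests(log_lines):
    """The subset the server answered with 200. With the invoker servlet
    disabled these paths are no longer dispatched, so a 200 means the old
    behaviour is still live on that instance."""
    return [h for h in find_invoker_requests(log_lines) if h.status == 200]


# Constructed samples.
PROPERTIES_WEAK = """# servlet_jsp service properties (constructed sample)
EnableInvokerServlet=true
SessionTimeout=30
"""
PROPERTIES_FIXED = PROPERTIES_WEAK.replace("=true", "=false")

ACCESS_LOG = [
    '10.0.0.5 - - [11/May/2016:10:01:02 +0200] "GET /irj/portal HTTP/1.1" 200 1234',
    '10.0.0.5 - - [11/May/2016:10:01:03 +0200] "GET /webapp/servlet/com.example.admin.ConfigServlet?action=list HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/May/2016:10:02:10 +0200] "POST /webapp/servlet/com.example.admin.ConfigServlet HTTP/1.1" 404 0',
    '10.0.0.5 - - [11/May/2016:10:02:11 +0200] "GET /static/servlet/images/logo.png HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print("EnableInvokerServlet (weak):", invoker_servlet_enabled(PROPERTIES_WEAK))
    print("EnableInvokerServlet (fixed):", invoker_servlet_enabled(PROPERTIES_FIXED))
    for h in served_invoker_requests(ACCESS_LOG):
        print("INVOKER SERVLET STILL SERVING", h.client, h.servlet_class)
```

The log check is the one worth wiring into monitoring: a 200 on an invoker servlet path proves the patch is absent on that instance regardless of what the configuration export says, and the 404 in the sample is what the same probe looks like against a fixed system.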
Poor configurations, inadequately protected network structures and overly simplistic account management all make hacking easier.
At the Ettlingen municipal utility, for example, it was an open network port in the guest house that the ethical hacker used as the entry point.
Combined with a little social engineering and an analysis of the communication patterns on the network, that was enough to eventually open the gateway to the control room.
To prevent this from happening in the first place, every company is well advised to have manual and automated analyses and tests carried out at regular intervals with the support of ethical hackers.
In this way, potential weaknesses in the structure and configuration of the SAP landscape can be identified across all architecture areas, and precautions can be taken with suitable technical or organizational means.