Ethical Hacking in SAP

Digitalization makes critical infrastructures vulnerable. One way to check the level of security is through security analyses by so-called "ethical hackers". With professional help, security gaps are identified in good time before "real" hackers cause real damage.
Christian Bruns, BTC
November 25, 2016
This text has been automatically translated from German to English.

The temporary inaccessibility of websites of popular online services such as Twitter, Spotify, Reddit or PayPal in October, the recently disclosed theft of 500 million customer records from Yahoo in 2014, the repeated cyber attacks on websites of the Federal Chancellery and the Bundestag: news about incidents that expose the vulnerability of our thoroughly digitized world seems to be in endless supply.

More than ever, therefore, companies are required, out of self-interest but also by the legislature, to secure the IT, communication and control-technology infrastructures of their organization.

Two years ago, a self-test carried out by the Ettlingen-based public utility (Stadtwerke Ettlingen) made this tangible: within two days, a contracted IT expert succeeded in "hacking" into the utility's network and taking control of the control room.

"Ethical hacking", as the expert's working method in Ettlingen is also known, is regarded as a proven means of obtaining a situational picture of how effective one's own technical and organizational security measures really are.

In BTC's security checks, for example, subject matter experts certified as "Ethical Hackers" evaluate the hazard potential of IT environments.

To do so, they simulate the procedures and technology of criminal hackers in order to detect security vulnerabilities in critical areas before they are actually exploited by malicious attacks.

SAP: Complexity creates attack surfaces

The evaluation of the results of the security checks BTC has carried out in companies shows that it is often small technical and organizational weaknesses that make life, or more precisely work, easier for hackers.

Frequently encountered shortcomings include, for example, the fact that roles and responsibilities for processes and systems are not clearly defined from a security perspective and that no central responsibility is institutionalized.

In SAP environments, for example, mission-critical production systems often share a common network segment with less critical office applications.

Passwords are a perennial topic. Penetration tests show that, especially on SAP systems used for development or quality assurance, passwords are too simple and/or accounts are used with nothing but their preset access data (default credentials).

Authorizations and group IDs that are assigned once and never deleted or changed when someone's job or tasks change also pose a recurring risk.

This can lead to the (not so) amusing consequence that apprentices or trainees who pass through different departments end up holding the most access rights.

The growing complexity, especially of SAP infrastructures, further increases the vulnerability caused by negligent configurations, for example when patches or updates for operating systems, web servers, databases and/or the SAP software itself are not applied.

How persistent even well-known errors can be is shown by the Invoker Servlet. A security vulnerability in this component of the Java server in SAP NetWeaver prompted the US-CERT (United States Computer Emergency Readiness Team) in May of this year to issue, for the first time, an official warning concerning SAP software.

Mind you, this is a problem that has been known for six years, and at the time, although a patch had long been available, it could still be found in the infrastructures of at least 36 organizations worldwide.

Poor configurations, inadequately protected network structures or overly simplistic account management make hacking easier.

At the Ettlingen municipal utility, for example, it was an open network port in the guest house that the ethical hacker used.

Combined with a little social engineering and analysis of communication patterns on the network, it was enough to eventually open the gateway to the control room.

To prevent this from happening in the first place, every company is well advised to have manual and automated analyses and tests performed at regular intervals with the support of ethical hackers.

In this way, potential weaknesses in the structure and configuration of the SAP landscape can be identified in all architecture areas and precautions can be taken with suitable technical or organizational means.


Christian Bruns is Information Security Manager at BTC
