ASUG82900 - Securing SAP Software Systems From Cyberattacks
May 7 – 9, 2019
About the Speakers
Cheryl Bogenschutz
• Sr. Director, Advisory Services, itelligence, inc.
• Cheryl has been in IT leadership / CIO positions for over 30 years, focused on strategic initiatives to leverage technology to transform business processes, impacting the way the company, and sometimes the industry, operates
• Cheryl is an Adjunct Professor at the University of Cincinnati where she leads the CIO Forum Masters course
Emery Streit
• Practice Manager, SAP Solution Manager, itelligence, inc.
• Emery has over 20 years of IT experience with specific focus on IT Service Management and ITIL processes. Currently responsible for collaborating with customers on understanding the value and usage of SAP Solution Manager and its associated Application Lifecycle Management processes.
• Emery is an avid drone photographer and spends a lot of his free time with his DJI Mavic 2 Pro.
Key Outcomes/Objectives
1. Understand Potential Risks to SAP Systems
2. Identify Vulnerabilities within your SAP Systems
3. Understand SAP Patch Management to enhance ongoing protection
Agenda
• Highlight real security concerns for SAP systems
• Understand potential vulnerabilities to your SAP systems
• How to monitor and leverage SAP Security Patch Management through SAP Solution Manager
• SAP Solution Manager Options
Real SAP System Security Concerns
• Hackers are actively attacking ERP applications
• Malware developed to attack the internal, “behind-the-firewall” ERP applications
• Nation-state sponsored actors have targeted ERP applications for cyber-espionage and sabotage
• Dramatic increase in exploits for SAP applications in dark web and cyber-crime forums
• Attack vectors mainly leverage known ERP vulnerabilities vs. zero-days
Real SAP System Security Concerns
• Invoker Servlet vulnerability
– Gain Remote Access
– No Need for Valid SAP User
– Attacker only needs a Web browser and the domain/hostname/IP address of the target SAP system
4/25/2019
Why the increase in SAP Security Concerns?
• Company competitive proprietary data
• Customer information
• Employee or Consumer's PII (personally identifiable information)
• Physical assets are increasingly online
Understanding the SAP Security Risks/Impact
• New Technology
• Cloud
• Patching
• Standard Security
• RFCs / Interfaces / Entire Landscapes
• IoT
Understand SAP System Security Vulnerabilities
© 2016 itelligence
Solution Manager Functionality
• Process Management – Single Source of Truth for Process and Technical Documentation. Define template for usage.
• Test Suite / BPCA / SEA – Testing and Change Impact Analysis tool to facilitate testing and identify impacted code due to a transport or upgrade.
• Change Control Mgt – Tools to ensure quality transport and deployment control. Governance of approval and release processes.
• Custom Code Mgt – Detailed analysis and transparency of custom code. Ensures quality and criticality are appropriate.
• IT Service Management – ITIL compliant Incident and Problem Management ticketing tool.
• Data Volume Mgt – Detailed analysis and transparency of your data footprint and consumption rates.
• Application Operations – Proactively identifies problems in your environment through monitoring and alerting.
• Business Process Ops – Monitor key business processes to ensure smooth operations and process improvement.
already implemented SAP Notes
SAP Solution Manager System Recommendations
SAP Solution Manager Tools to Ensure Security Patches are Applied
• Configuration Validation – Based on Target Systems
• Cross-System BW reporting based on System Recommendations
• Validate if selected notes have reached production systems
• Measure quality of patch processes
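The last two checks above (have selected notes reached production, and how good is the patch process) as an added example, not itelligence's or SAP's code: it reads a constructed, simplified per-system export of note status (the column layout and the note ids are assumptions, not a real System Recommendations format) and reports notes stuck outside production and high-CVSS notes still open past a patch SLA.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export, one row per (note, system). Note ids are
# placeholders, not real SAP Note numbers; the columns are an assumed layout.
SAMPLE_EXPORT = """\
note,priority,cvss,released,system,status
NOTE-A,HotNews,10.0,2019-03-12,DEV,implemented
NOTE-A,HotNews,10.0,2019-03-12,QAS,implemented
NOTE-A,HotNews,10.0,2019-03-12,PRD,open
NOTE-B,High,7.5,2019-04-09,DEV,implemented
NOTE-B,High,7.5,2019-04-09,QAS,open
NOTE-B,High,7.5,2019-04-09,PRD,open
NOTE-C,Medium,5.3,2019-01-08,DEV,implemented
NOTE-C,Medium,5.3,2019-01-08,QAS,implemented
NOTE-C,Medium,5.3,2019-01-08,PRD,implemented
"""

def parse_export(text):
    """Parse the CSV text into dicts with a numeric CVSS score and a release date."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["cvss"] = float(r["cvss"])
        r["released"] = date.fromisoformat(r["released"])
    return rows

def notes_not_in_production(rows, prod="PRD"):
    """Notes implemented somewhere in the landscape but still open in production."""
    status = defaultdict(dict)
    for r in rows:
        status[r["note"]][r["system"]] = r["status"]
    return sorted(n for n, s in status.items()
                  if s.get(prod) == "open" and "implemented" in s.values())

def patch_sla_report(rows, today, prod="PRD", min_cvss=7.0, sla_days=30):
    """High-CVSS notes in production: which are open past the SLA, and the share still within it."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    relevant = [r for r in rows if r["system"] == prod and r["cvss"] >= min_cvss]
    late = [(r["note"], (today - r["released"]).days) for r in relevant
            if r["status"] != "implemented" and (today - r["released"]).days > sla_days]
    ratio = 1 - len(late) / len(relevant) if relevant else 1.0
    return {"in_scope": len(relevant), "late": late, "within_sla_ratio": round(ratio, 2)}

if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("not yet in PRD:", notes_not_in_production(rows))
    print(patch_sla_report(rows, "2019-04-25"))
```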
SAP Solution Manager Interface Monitoring
[Diagram: cloud responsibility stack comparing S/4HANA Cloud with SAP S/4HANA (On-Premise); layers Application, Data, O/S, Virtualization, Servers, Storage, Networking, each marked as managed by customer or managed by provider]
– Customer must connect to the itelligence Solution Manager as a Service platform
http://goo.gl/3CGDCX
• Request a webinar or contact
SAP Security Patch Webinar Additional Information
• ASUG presents a Security Patch Day Webcast Every Month with SAP Security Expert Frank Buchholz!
• Planned Dates for 2019 SAP Security Patch Days
– https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
• Summary of the critical security issues from past webinars delivered by our security expert since 2014 here:
(https://support.sap.com/content/dam/support/en_us/library/ssp/offerings-and-programs/support-services/sap-security-optimization-services-portfolio/SAP_Security_Notes_Webinar.pdf)
SAP Security Patch Webinar Additional Information
• Available for US customers via the Americas SAP User Group (ASUG)
– First need to register with the ASUG here:
https://www.asug.com/events#!/events/cal?keyword=Security&categories=webinar&startDate=2017-12-31&endDate=2018-02-11&period=month
– Once registered you can join the ASUG Security SIG:
https://discuss.asug.com/community/sig_communities/business_integration__technology_&_infrastructure/security_sig
– Please check the ASUG Security SIG events calendar for dial-in details.
• Learn more on the Learning Hub - Only customers with one of the following maintenance agreements are eligible to access the support edition: SAP Enterprise Support, Cloud Edition, SAP Product Support for Large Enterprises (PSLE) and SAP Premium Engagement customers.
• You need to register for access to SAP's relaunched learning platform, SAP Learning Hub:
https://support.sap.com/en/offerings-programs/enterprise-support/enterprise-support-academy/learn.html
to gain access to all learning resources here:
https://support.sap.com/en/offerings-programs/enterprise-support/enterprise-support-academy/learn.html
• A valid S-user is required to attend Expert Webinar sessions
References
• SAP Security Notes & News - https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
• SAP Security Patch Process - https://support.sap.com/content/dam/support/en_us/library/ssp/offerings-and-programs/support-services/sap-security-optimization-services-portfolio/AGS_Security_Patch_Process.pdf
• Common Vulnerability Scoring System Standards - https://www.first.org/cvss/specification-document
• Onapsis and Digital Shadows Research Report - https://www.onapsis.com/research/reports/erp-security-threat-report
• National Cybersecurity and Communications Integration Center Official Alert - https://www.us-cert.gov/ncas/alerts/TA16-132A
• Invoker Servlet - https://help.sap.com/saphelp_nw70ehp2/helpdata/en/bb/f2b9d88ba4e8459e5a69cb513597ec/frameset.htm