Download - Layer Seven Security
SAP VULNERABILITY ASSESSMENT<br />
SECURE THE HEART OF YOUR BUSINESS<br />
SAP drives your business. It stores and processes the most critical information in your company. This is well known by<br />
attackers. SAP has become one of the most lucrative targets for cyber criminals. More than 95% of SAP systems<br />
assessed by security professionals are vulnerable to attacks that could lead to fraud, espionage or sabotage resulting<br />
in severe financial losses or reputational harm. Most of these systems are considered SOX or PCI compliant.<br />
SEGREGATION OF DUTIES IS NOT ENOUGH<br />
<strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong> performs a complete assessment of the technical components of<br />
your SAP environment to identify vulnerabilities that could be exploited by attackers.<br />
The company uses state-of-the-art software that automatically scans for over 400<br />
security weaknesses in SAP. The software is certified by SAP for integration with<br />
NetWeaver and has been successfully used by many Fortune 500 companies and<br />
organizations such as the U.S. Army.<br />
HOW DOES VULNERABILITY ASSESSMENT WORK<br />
The service leverages a proprietary, professional-grade tool to automatically detect SAP components in your<br />
landscape. Once detected, the tool performs a non-obtrusive vulnerability scan of the components. The software is<br />
certified by SAP for integration with NetWeaver and minimizes the risk of service disruption by staggering the<br />
execution of queries against system components.<br />
IDENTIFY<br />
Automatically discovers SAP components in your network and begins building the foundations for a comprehensive security analysis.<br />
ASSESS<br />
Performs a fast, safe and non-obtrusive assessment of the identified components.<br />
ILLUSTRATE<br />
Generates detailed reports that document the business impact and compliance breaches of vulnerabilities using non-technical terms.<br />
COMPLY<br />
Provides step-by-step details on how to effectively close vulnerabilities.<br />
WHY DO WE NEED TO PERFORM A VULNERABILITY ASSESSMENT<br />
Many of the default security settings in SAP systems are insecure and highly<br />
vulnerable to internal and external attack. These vulnerabilities are widely known<br />
and could leave your organization open to fraud, espionage and sabotage. Firewalls,<br />
anti-virus applications and intrusion prevention systems do not adequately<br />
safeguard SAP systems against contemporary threats.<br />
Auditors and compliance professionals are increasingly focusing on technical<br />
risks in SAP when reviewing information security controls against SOX, PCI and<br />
other standards. There is a growing awareness that the existence of such risks may<br />
undermine the ability of companies to protect information from unauthorized<br />
changes and disclosure.<br />
<strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong> reviews the technical settings in your SAP environment and pinpoints weaknesses that need<br />
to be patched in order to protect your information assets. The assessment provides a risk rating, maps compliance gaps<br />
against SOX and PCI requirements and provides detailed, easy-to-follow instructions for remediation.<br />
The powerful, proactive assessment delivered by <strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong> will assist your organization to secure critical<br />
SAP infrastructure against unintended service disruptions, productivity losses and data breaches.<br />
“99% of intrusions result from exploitation of known vulnerabilities or configuration errors”<br />
- CERT CC, Software Engineering Institute, Carnegie Mellon University<br />
“Enterprises that implement a vulnerability management process experience 90% fewer successful attacks.”<br />
- Gartner Research<br />
VULNERABILITY DETECTION<br />
Many of the 400 vulnerabilities examined by <strong>Layer</strong><br />
<strong>Seven</strong> <strong>Security</strong> are deemed high risk by SAP and<br />
independent assessors. They include:<br />
• Insecure default configurations<br />
• Dangerous active services<br />
• Unauthorized remote command execution<br />
• Information disclosure<br />
• Use of unencrypted interfaces<br />
• Improperly applied security filters<br />
• Broad administrative user privileges<br />
• Weak access credentials<br />
• Missing SAP <strong>Security</strong> Notes and patches<br />
CHECKS PERFORMED BY LAYER SEVEN SECURITY AGAINST SAP SECURITY RECOMMENDATIONS IN THE<br />
WHITE PAPER SECURE CONFIGURATION OF SAP NETWEAVER APPLICATION SERVER USING ABAP, PART 1<br />
HTTPS & SNC<br />
• Review of SNC encryption for RFC and SAP GUI communications<br />
• Check for HTTPS and review of the TLS security configuration<br />
• Review of security protocols for ABAP system communication traffic<br />
• Access to tables storing cryptographic keys<br />
NETWORK FILTERING<br />
• Detection of unnecessary SAP services which widen the attack surface<br />
• Review of the SAProuter configuration, including route permission tables<br />
SAP GUI<br />
Review of the SAP GUI security configuration<br />
REMOTE FUNCTION CALLS<br />
• Analysis of trust relationships and detection of insecure interfaces<br />
• Review of RFC connections with stored logon credentials and between systems with differing security classifications<br />
WEB SERVICES<br />
• Detection of dangerous active ICF services<br />
• Review of ICF services for stored logon data and missing authority checks<br />
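The SAProuter route permission table review listed above can be illustrated with a small checker. This is an added example written for this page, not software used by Layer Seven Security or certified by SAP. The saprouttab it reads is a constructed sample, and the severity labels are the example's own convention; the checker applies the table's first-match semantics, so a permit-all entry also flags every rule below it as unreachable, including a trailing deny.

```python
"""Review a SAProuter route permission table (saprouttab) for routes broader
than SAP GUI / RFC access requires.

Added example, not tooling from the brochure. Entries are matched top-down
and the first match wins, so rule order is part of the review. The sample
table is constructed for illustration; severity labels are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Permission keywords: P permit (any protocol), S permit SAP protocol only,
# D deny. K-prefixed variants apply only to SNC-protected connections.
ACTIONS = {"P", "S", "D", "KP", "KS", "KD"}

SAMPLE_SAPROUTTAB = """\
# constructed saprouttab for illustration, not a real customer file
P  10.1.2.*       sapprd01  3200            # SAP GUI users to PRD dispatcher
S  10.1.2.*       sapprd01  3300            # RFC to PRD gateway, SAP protocol only
P  192.168.5.10   sapdev01  *      s3cret   # one admin host, every port, password
P  *              *         *               # catch-all permit left over from go-live
KP 10.1.2.*       sapqas01  3201            # SNC-only route to QAS
D  *              *         *
"""


@dataclass
class Route:
    line_no: int
    action: str
    src: str
    dst: str
    serv: str
    password: Optional[str] = None


@dataclass
class Finding:
    severity: str  # CRITICAL / HIGH / MEDIUM / LOW
    line_no: int
    message: str


def parse_saprouttab(text: str) -> List[Route]:
    """Parse '<action> <source> <destination> <service> [password]' entries;
    '#' starts a comment. Malformed entries raise rather than being skipped."""
    routes: List[Route] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() not in ACTIONS:
            raise ValueError(f"line {n}: unparseable saprouttab entry: {raw.strip()!r}")
        routes.append(Route(n, parts[0].upper(), parts[1], parts[2], parts[3],
                            parts[4] if len(parts) > 4 else None))
    return routes


def review_saprouttab(text: str) -> List[Finding]:
    findings: List[Finding] = []
    catch_all_at: Optional[int] = None
    for r in parse_saprouttab(text):
        if catch_all_at is not None:
            # First match wins: nothing after a permit-all rule is consulted,
            # including a trailing deny.
            findings.append(Finding("LOW", r.line_no,
                                    f"unreachable: permit-all rule on line {catch_all_at} matches first"))
            continue
        if r.action in ("D", "KD"):
            continue
        if r.src == "*" and r.dst == "*" and r.serv == "*":
            findings.append(Finding("CRITICAL", r.line_no,
                                    f"{r.action}: permit-all route (any source to any host on any port)"))
            catch_all_at = r.line_no
            continue
        if r.dst == "*":
            findings.append(Finding("HIGH", r.line_no, "any destination host reachable through the router"))
        elif r.serv == "*":
            findings.append(Finding("HIGH", r.line_no,
                                    f"every port on {r.dst} reachable, not only the SAP dispatcher/gateway port"))
        if r.action == "P":
            findings.append(Finding("MEDIUM", r.line_no,
                                    "native (non-SAP) protocols permitted; prefer S so only SAP protocol is routed"))
        if r.password:
            findings.append(Finding("LOW", r.line_no, "route guarded by a clear-text password stored in the table"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    result = review_saprouttab(SAMPLE_SAPROUTTAB)
    for f in result:
        print(f"{f.severity:8} line {f.line_no}: {f.message}")
    print(summarize(result))
```

Run against the sample, the checker reports the catch-all on line 5 as critical, the all-ports entry on line 4 as high, the two `P` entries as medium because they admit native protocols where `S` would do, and lines 6 and 7 as unreachable. Replacing the sample text with the contents of a real saprouttab is the only change needed to use it in a review.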
CHECKS PERFORMED BY LAYER SEVEN SECURITY AGAINST SAP SECURITY RECOMMENDATIONS IN THE<br />
WHITE PAPER SECURE CONFIGURATION OF SAP NETWEAVER APPLICATION SERVER USING ABAP, PART 2<br />
GATEWAY & MESSAGE SERVER<br />
• Evaluation of reginfo and secinfo files for insecure rules<br />
• Review of the Gateway and Message Server security configuration<br />
• Check that remote configuration is disabled and logging is enabled<br />
• Review of Message Server ports, ACL files and other settings<br />
MONITORING<br />
Evaluation of the security configuration of the entire SAP platform, detecting risks that may result in attacks on business-critical infrastructure<br />
PATCH MANAGEMENT<br />
• Check for implemented SAP Security Notes<br />
• Review of the effectiveness of the patch management process<br />
PASSWORD MANAGEMENT<br />
• Review of password parameters against SAP hardening guidelines<br />
• Access to tables storing password hashes<br />
• Analysis of hashing mechanisms and downwards compatibility<br />
• Review of default passwords for standard users<br />
OTHER<br />
• Checks for hundreds of other SAP vulnerabilities not covered in the SAP white paper<br />
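The reginfo/secinfo evaluation listed above, as an added example that is not Layer Seven Security's or SAP's tooling: a checker for the VERSION=2 gateway ACL syntax, run over constructed sample files. secinfo governs which users on which hosts may start external programs through the gateway; reginfo governs which hosts may register an external server program and which hosts may then call it. The checker treats a missing HOST, USER-HOST or ACCESS attribute as unrestricted; that is this example's own conservative assumption, not a statement about a particular kernel's default.

```python
"""Review SAP gateway ACL files (secinfo and reginfo, VERSION=2 syntax) for
rules that let any host start, register or use external programs.

Added example, not tooling from the brochure. Rules are matched top-down and
the first match wins. Sample files are constructed for illustration.
Assumption (this example's own, conservative reading): a missing HOST,
USER-HOST or ACCESS attribute is treated as unrestricted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_SECINFO = """\
#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
P TP=/usr/sap/PRD/bin/sapxpg USER=prdadm HOST=local USER-HOST=local
D TP=*
"""

SAMPLE_REGINFO = """\
#VERSION=2
P TP=SAPXPG_DBG HOST=local ACCESS=local CANCEL=local
P TP=TAXCONNECT HOST=10.1.3.20,10.1.3.21
P TP=* HOST=* ACCESS=*
D TP=*
"""


@dataclass
class AclRule:
    line_no: int
    action: str             # "P" permit or "D" deny
    attrs: Dict[str, str]   # TP, USER, HOST, USER-HOST, ACCESS, CANCEL, ...


@dataclass
class Finding:
    severity: str
    line_no: int
    message: str


def parse_gw_acl(text: str) -> List[AclRule]:
    """Parse 'P|D KEY=VALUE ...' lines; '#' lines (including #VERSION=2) are ignored."""
    rules: List[AclRule] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        action = parts[0].upper()
        if action not in ("P", "D") or any("=" not in p for p in parts[1:]):
            raise ValueError(f"line {n}: not a VERSION=2 gateway ACL entry: {line!r}")
        attrs = {k.upper(): v for k, v in (p.split("=", 1) for p in parts[1:])}
        if "TP" not in attrs:
            raise ValueError(f"line {n}: TP= is mandatory")
        rules.append(AclRule(n, action, attrs))
    return rules


def _unrestricted(hosts: Optional[str]) -> bool:
    """Missing attribute (assumed to mean any host) or a wildcard element.
    'local' and 'internal' are keywords, not wildcards."""
    if hosts is None:
        return True
    return any(h == "*" or h.endswith("*") for h in hosts.split(","))


def _review(rules: List[AclRule], kind: str) -> List[Finding]:
    out: List[Finding] = []
    catch_all_at: Optional[int] = None
    for r in rules:
        a = r.attrs
        if catch_all_at is not None:
            out.append(Finding("LOW", r.line_no, f"unreachable: permit-all rule on line {catch_all_at} matches first"))
            continue
        if r.action == "D":
            continue
        any_tp = a["TP"] == "*"
        if kind == "secinfo":   # who may start which OS program, from where
            any_user = a.get("USER", "*") == "*"
            any_client = _unrestricted(a.get("USER-HOST"))
            if any_tp and any_user and any_client:
                out.append(Finding("CRITICAL", r.line_no, "any user on any host may start any OS program through the gateway"))
                catch_all_at = r.line_no
                continue
            if any_tp:
                out.append(Finding("HIGH", r.line_no, "TP=*: any program may be started under this rule"))
            if any_client:
                out.append(Finding("HIGH", r.line_no, "USER-HOST unrestricted: clients on any host may start the program"))
        else:                   # reginfo: who may register a server program, who may use it
            any_reg = _unrestricted(a.get("HOST"))
            any_use = _unrestricted(a.get("ACCESS"))
            if any_tp and any_reg:
                out.append(Finding("CRITICAL", r.line_no, "any host may register any program name (rogue RFC server impersonation)"))
                catch_all_at = r.line_no
                continue
            if any_reg:
                out.append(Finding("HIGH", r.line_no, f"HOST unrestricted: any host may register as {a['TP']}"))
            if any_use:
                out.append(Finding("HIGH", r.line_no, "ACCESS missing or wildcard: any host may call the registered program"))
            if "CANCEL" in a and _unrestricted(a["CANCEL"]):
                out.append(Finding("MEDIUM", r.line_no, "CANCEL wildcard: any host may deregister the program"))
    if rules and not (rules[-1].action == "D" and rules[-1].attrs["TP"] == "*"):
        out.append(Finding("LOW", rules[-1].line_no, f"{kind}: no explicit final 'D TP=*' rule; unmatched requests fall back to the kernel default"))
    return out


def review_secinfo(text: str) -> List[Finding]:
    return _review(parse_gw_acl(text), "secinfo")


def review_reginfo(text: str) -> List[Finding]:
    return _review(parse_gw_acl(text), "reginfo")


if __name__ == "__main__":
    for name, fs in (("secinfo", review_secinfo(SAMPLE_SECINFO)), ("reginfo", review_reginfo(SAMPLE_REGINFO))):
        for f in fs:
            print(f"{name} {f.severity:8} line {f.line_no}: {f.message}")
```

On the samples, the first secinfo rule is the classic `P TP=* USER=* HOST=* USER-HOST=*` that turns the gateway into a remote command execution interface, and it shadows the tighter sapxpg rule and the final deny below it. In reginfo the TAXCONNECT rule restricts registration to two hosts but omits ACCESS, so any host can call the program once registered; the `TP=* HOST=*` rule lets any host register any program name, which is what allows a rogue registered server to impersonate a legitimate one.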
Secure your SAP systems against<br />
real-world threats and attacks<br />
FAST FACTS<br />
• Dramatically reduces security risks in your SAP<br />
environment<br />
• Leverages reliable and powerful SAP-certified<br />
software based upon the world's largest<br />
knowledge base of SAP vulnerabilities<br />
• Supported by a world-renowned research lab that<br />
continuously investigates SAP vulnerabilities and<br />
updates the underlying soſtware with new modules<br />
• Lowers audit, compliance and security costs<br />
• Provides immediate results leading to improved<br />
response times<br />
• Comprehensive reporting that clearly demonstrates<br />
the business impact of technical risks<br />
• Integrated compliance management including gap<br />
analysis for SOX, PCI and SAP security<br />
recommendations<br />
• Detailed recommendations to close security gaps<br />
• Avoids the need to invest in software, training,<br />
support and maintenance<br />
• Best in class service and support<br />
• Unparalleled SAP Expertise<br />
THE VULNERABILITY ASSESSMENT SOFTWARE USED BY LAYER SEVEN<br />
SECURITY IS CERTIFIED BY SAP FOR INTEGRATION WITH NETWEAVER<br />
LAYER SEVEN SECURITY<br />
<strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong> specializes in SAP security. The company serves customers<br />
across the globe to protect SAP systems against internal and external threats and<br />
comply with industry and statutory reporting requirements. It fuses technical<br />
expertise with business acumen to deliver unparalleled implementation, consulting and audit services targeted at<br />
managing risks in contemporary SAP systems.<br />
<strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong> employs a distinctive approach to SAP risk management that examines and manages<br />
vulnerabilities at the platform, application, program and client level. Through partnerships with leading software<br />
developers, the company is able to develop SAP systems with defense in depth and perform integrated security<br />
assessments that improve the quality and lower the cost of SAP audits. <strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong> leverages leading<br />
SAP-certified solutions to provide comprehensive and rapid results covering risks in every component of SAP<br />
landscapes.<br />
The company is privately owned and headquartered in Toronto, Canada.<br />
www.layersevensecurity.com<br />
CONTACT US<br />
Westbury Corporate Centre,<br />
75 Upper Middle Road East, Suite 101<br />
Oakville, Ontario, L6H 0C, Canada<br />
Tel. (Toll Free): 1 888 995 099<br />
Tel. (Office): 905 491 6950<br />
Fax.: 905 491 6801<br />
E-mail: info@layersevensecurity.com