How I taught South Africans to protect SAP

    We are opening the Infosectravel section, where we will write notes about trips to conferences and information security exhibitions around the world: Kuwait, Africa, Australia and so on. European and American events such as BlackHat and Confidence will not be ignored either.

    Suggestions and comments are welcome. The format is completely new; although there have already been a couple of attempts (Kuwait, BlackHat, Confidence), we ourselves do not yet know what it will turn into in the end.

    It so happened that over the May holidays I did not go to Turkey to rest but to work in Africa :)
    In a nutshell, from May 7 to 9 the ITWEB international security exhibition and conference was held in Johannesburg, South Africa. This year we decided to take an active part in it: give a talk and meet clients whom you otherwise rarely see in person. The trip seemed all the more tempting because my colleagues refused to go because of the crime situation in the region.

    First impressions

    The first thing I saw when I checked into the hotel was this. Sorry for the photo quality; I shot it with what I had at hand.
    image

    Great, new broker. And here I had heard that children in Africa are starving... Later there were Maseratis and Bentleys, but that was no longer so epic.

    My first impression of South Africa is that it looks no different from America: the same shopping malls, the same buildings and roads, roughly the same number of African-Africans. But for two days I was not wandering the streets but defending a stand at the exhibition against an invasion of zombie mutants, I mean, telling people about the advantages of our product.

    ITWEB is a fairly large event. Of course, it is not RSA or BlackHat, nor even Infosecurity, but it gathers some 50 exhibitors, which makes it noticeably larger than the average European counterpart. Given that the conference is aimed more at business, it is clear where so many stands come from. About half the exhibitors are well-known international brands (RSA, Splunk, IBM, Kaspersky); the rest are local consultancies and resellers. By the way, I was pleasantly surprised to learn that SensePost, known for its technical research, is headquartered in South Africa and is successfully developing a second office in England.
    Unfortunately, I cannot say anything intelligible about the program, since I attended no talk except my own, and nothing extraordinary was expected anyway, except perhaps The Grugq, who, incidentally, is from South Africa.

    Day Two
    On the second day of the exhibition I was pleasantly surprised by the news that our company, and I in particular, had received the Hot Companies and Best Products Awards, which were later presented in Las Vegas.

    image

    I got gold in the R&D Professional of the Year category, and our product received bronze in the “Information Security and Risk Management” and “Security Software” categories, which is not bad, especially considering that the competitors were Net Optics, Cenzic, RedSeal, Norman, Application Security Inc. and even SAP with its Afaria platform.
    To celebrate, I treated exhibition visitors to Beluga vodka. People were slightly surprised at first, but then eagerly joined the party.
    image
    On the whole, the exhibition was not particularly impressive: as everywhere, SIEM and various magical “prevention of cyber attacks and APT” products dominated the solutions on show. So it was nice to hear one visitor's review of us: “Well, at least something interesting; otherwise it's cyber-something-or-other, the same everywhere.”

    Report

    Now for the talk. This time it was not very technical, since the audience was appropriate. And the area we have been investigating recently, incident investigation and attack analysis in SAP, is not about vulnerabilities at all but rather the opposite: how to detect traces of their exploitation using various log files, traces and other SAP-specific things. I will describe the talk in general terms.
    Since SAP security is still a new topic for the region, I had to devote half of my talk to general things, though with South African specifics in mind. For example, some figures were presented from this year's Internet-wide scan for open SAP ports. In South Africa, as it turned out, there are quite a few issues with SAProuter: about 20% of the exposed devices are vulnerable to information disclosure and 5% to authentication bypass. For other services, the situation is on average two to three times worse than the global statistics (we are talking about insecure services exposed to the Internet).

    So the main thesis of the talk was: “you cannot protect yourself from everything, but you must analyze system events in order to detect attacks quickly and, where possible, respond to them quickly.”
    Why does this matter for SAP systems? First, the thesis applies to any system. Second, about six months ago came the news that Anonymous had hacked the Greek Ministry of Finance through a 0-day vulnerability in SAP and published confidential information on the Internet. Although neither the organization nor SAP has officially confirmed the breach, I can safely say that such a scenario is more than plausible. And third, how many companies can really claim that their SAP systems have not been attacked?
    On the one hand, even if an incident took place, it is unlikely to be made public. On the other hand, the results of our audits show that only a very small percentage of companies are able to detect an attack. Few even enable something as simple as logging. We did a little research, and here are the results: about 70% of companies have the SAP HTTP log configured, and only because it is enabled by default. With the other logs things are much sadder. The percentages are: Security Audit Log in ABAP, 10%; table access logging, 4%; Message Server log, 2%; SAP Gateway access log, 2%.
    Looking at these numbers, you realize that hardly anyone can get a clear picture of possible hacking attempts. More importantly, even where logging is configured, only a small percentage collect the logs centrally in a location that cannot be tampered with, process the events and are able to correlate them.

    Attacks on SAP Portal and J2EE applications

    Now for the more specific cases. In this talk we examined in detail only attacks on the SAP Portal, since this application is critical because of its exposure to the Internet and its connections to other systems. In effect, it is the first link in the chain of a possible attack on internal SAP resources.
    Broadly, detection comes down to two cases. The first is simple attacks that can be tracked in the standard HTTP access log, which records the request line (method, URL and query string). The second is more advanced attacks whose payload is carried in the body of a POST request and therefore does not appear in the standard log.

    To analyze attacks of the second type, the easiest option is to enable extended logging of all requests. In that case, however, a huge amount of unnecessary information is written, including the Cookie and JSESSIONID values and passwords submitted in forms, which is itself a security problem. Naturally, there are settings that let you exclude particular fields, which are covered in more detail in the slides, but this is still not the best option unless you have additional tools to analyze the whole stream of POST requests.

    But if you do not analyze POST requests, what then? Several alternative methods were shown, none of them ideal either. For example, you can analyze indirect events.
    In SAP Portal and Web Dynpro applications all data is sent in one huge “sheet” of a POST request, reaching hundreds of parameters, and in the logs every action looks like a call to the same service with a link to its URL. That is, in the general case it is impossible to understand what was going on without analyzing the POST body.
    Various tricks come to mind; here is one. The portal interface has various icons that often appear next to critical actions, including changing the event logging level, disabling logs, or uploading files to the server. Both can be used by an attacker, for example to upload an HTML file with a cookie-stealing script into a shared directory, or to try to disable logging. Performing such an action makes the browser request the corresponding icon from the web server, which is clearly visible in the access log and makes it possible to detect the attack indirectly.
    Typically, ordinary users do not load the images when performing such actions, because they are already in the browser cache (except the first time), so only unusual calls show up, which lets us talk about a possible attack.

    Naturally, there are plenty of nuances and false positives, as well as ways to circumvent such a mechanism, but, first, an attacker who does not know about it is unlikely to think of circumventing it, and, second, if you combine it correctly with other details, you can build a pretty good system as an alternative to full logging, or turn on full request logging only when such events occur, so as not to store all the data.
    In general, since the topic is quite new, there are tons of options for SAP, and I have outlined only the basics; my colleagues will probably talk about others in the presentation at Confidence.
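To make the indirect-detection trick concrete, here is an added example (my own code, not from the talk or the author's company) that runs the icon heuristic over a few constructed access-log lines in the common NCSA combined format. The icon paths, the mapping from icon to critical action, the client addresses and the log lines themselves are all assumptions; on a real portal you would collect the real icon URLs by performing each critical action once and reading them off your own access log. The example also implements the two refinements the text hints at: it treats HTTP 304 (cache revalidation) as a returning user rather than a fresh load, and it escalates to full request logging only for clients that trigger several distinct critical actions, rather than on a single icon load that could be a first-time user.

```python
import re
from collections import defaultdict

# Access-log lines in NCSA "combined" format (constructed sample, not a real
# portal log). 10.0.0.5 is a regular user, 203.0.113.7 an unauthenticated
# client scripting the portal. All icon paths are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - jsmith [07/May/2013:10:12:01 +0200] "POST /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 5120 "https://portal.example.com/irj/portal" "Mozilla/5.0"
10.0.0.5 - jsmith [07/May/2013:10:12:02 +0200] "GET /irj/portalapps/example.admin/icons/upload_file.gif HTTP/1.1" 304 0 "https://portal.example.com/irj/portal" "Mozilla/5.0"
10.0.0.5 - jsmith [07/May/2013:10:12:40 +0200] "GET /irj/portalapps/example.admin/icons/log_config.gif HTTP/1.1" 200 987 "https://portal.example.com/irj/portal" "Mozilla/5.0"
10.0.0.9 - mlee [07/May/2013:10:13:05 +0200] "GET /irj/portalapps/example.admin/icons/help.gif HTTP/1.1" 200 812 "https://portal.example.com/irj/portal" "Mozilla/5.0"
203.0.113.7 - - [07/May/2013:10:13:40 +0200] "POST /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 4980 "-" "python-requests/1.2.3"
203.0.113.7 - - [07/May/2013:10:13:41 +0200] "GET /irj/portalapps/example.admin/icons/upload_file.gif?v=7 HTTP/1.1" 200 1043 "https://portal.example.com/irj/portal" "python-requests/1.2.3"
203.0.113.7 - - [07/May/2013:10:14:05 +0200] "GET /irj/portalapps/example.admin/icons/log_off.gif HTTP/1.1" 200 640 "https://portal.example.com/irj/portal" "python-requests/1.2.3"
this line is not an access-log record
"""

# NCSA combined format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hypothetical icon -> critical action table (assumption: fill it from your own
# portal by performing each action once and noting the icon the browser fetches).
CRITICAL_ICONS = {
    "/irj/portalapps/example.admin/icons/upload_file.gif": "file upload to server",
    "/irj/portalapps/example.admin/icons/log_config.gif": "change log configuration",
    "/irj/portalapps/example.admin/icons/log_off.gif": "disable logging",
}


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # icons may carry a cache-busting query
    return rec


def detect_critical_icon_loads(lines):
    """Return one alert per fresh (HTTP 200) load of an icon tied to a critical action."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        action = CRITICAL_ICONS.get(rec["path"])
        if action is None:
            continue
        # A 304 means the browser already had the icon and only revalidated it:
        # the returning legitimate user the text describes. Only a full 200
        # download is an "unusual" load worth looking at.
        if rec["status"] != 200:
            continue
        alerts.append({"ip": rec["ip"], "user": rec["user"], "time": rec["time"],
                       "path": rec["path"], "action": action})
    return alerts


def clients_to_escalate(alerts, min_distinct_actions=2):
    """Clients that triggered at least N distinct critical actions.

    One fresh icon load can be a first-time user (the false positive the text
    warns about); several different critical actions from one client is the
    signal on which to switch on full request logging for that client.
    """
    per_client = defaultdict(set)
    for a in alerts:
        per_client[a["ip"]].add(a["action"])
    return {ip for ip, actions in per_client.items()
            if len(actions) >= min_distinct_actions}


if __name__ == "__main__":
    found = detect_critical_icon_loads(SAMPLE_LOG.splitlines())
    for a in found:
        print(f'{a["time"]} {a["ip"]:<12} {a["user"]:<8} {a["action"]} ({a["path"]})')
    print("escalate full request logging for:", sorted(clients_to_escalate(found)))
```

The first-time-user false positive is visible in the sample: jsmith's fresh load of the log-configuration icon produces an alert but, being a single action, does not cross the escalation threshold, while the scripted client that fetches both the upload and the disable-logging icons does. The threshold and the time window (not implemented here, deliberately, to keep the example short) are the knobs you tune against your own portal's traffic.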

    PS
    After the conference I decided to relax a bit by visiting the beautiful J-Bay beach, one of the best surfing spots in the world, with perfectly long waves, where you can surf with dolphins until they are eaten by albatrosses. There was nobody to photograph me, so all I have is an empty beach with small waves, since at the other times there was no time for filming.
    image

    image
    On the coast the atmosphere is very friendly and relaxed, and the food is very tasty and cheap, so I do not understand why people go to Egypt and such places when there is so much beauty in the world.
    Naturally, there is crime in South Africa. For example, visiting the center of Johannesburg is basically not recommended, since there is no police there and people simply get killed without questions. In the best case you will be left without your clothes and with a knife wound, and will spend the rest of your life telling what kind of robbers you met.
    Thank you all; the slides from the conference can be downloaded here; wait for the next post from Australia.
