Lukardi

SAP security

Share

Security requirements are continuously increasing, and securing an organization's critical data is one of the fundamental issues that guarantee the continuity of core business processes.
System environments are becoming increasingly complex (communication with external systems, data exchange and continuous development of existing systems).

During a possible attack on the SAP system (whether the attack comes from inside or outside the organization) an attacker can gain access to valuable system information.
Therefore, it can use this information to further attack other SAP systems and also obtain important company data (customer data, product information such as recipes and technical drawings, salary data, etc.) unnoticed.

Security management boils down to risk management

First of all, in order to do this properly, all risks should be inventoried and grouped by priority so that an organization with an SAP system can learn about and correct any risks to the SAP system (for example, with the help of external support).
SAP security and compliance testing includes checking the network, operating system, database, parameters, SoD conflicts in SAP based on the risk and conflict matrices provided.

6 basic risk areas

We have listed 6 basic areas of risk that should be taken under the magnifying glass first.
We divided the areas into two parts: technical and users.
Technical layer

1. setting up SAP configuration

A layer of configuration parameters that should correspond to the organization's security policy. These parameters should be checked regularly.

Example:

login/password_expiration_time (default value 0, our recommendation 30)
The user must change the password after a certain number of days (for parameter 0, the forcing is not enabled).

login/min_password_lng (default value 3, our recommendation 8+)
Set the minimum password length.

login/fails_to_user_lock (default value 12, our recommendation 5)
The number of misspelled password to lock the user account.

2. verify events and settings "on" and "off" the SAP layer

SAP level

SAP Security Audit Log:

  • main security log,
  • some of the information is not very clear from a security perspective,
  • SAP* user login is not a risk according to the log, while the risk is a misspelled login password.

SAP Change Documents and Table Loggin:

  • Logging document changes and table changes,
  • low quality if documents are not archived over time.

SAP System Log:

  • SAP system master log,
  • Logs overwritten after 14 days.
Levels beyond SAP

Operating system log Windows/UNIX - The problem, for example, is that the administrator must have root privileges to read the logs alone

Database log - Lack of ability to analyze database settings from the SAP level (e.g., information about accounts and their authorizations)

SAP Router/HTTP network logs - the problem is the lack of standard solutions to redirect logs to syslog

3. update system patches

Every system is susceptible to hacking activities, SAP is no exception, so it is important to install system patches regularly.
Thanks to them, information about intrusions using known vulnerabilities is emerging.

Example 1 - a report by the U.S. Department of Security indicating that at least 36 global SAP systems were hacked using a vulnerability known (and patched) since 2010. Read more at https://bit.ly/28Kpk5r

Example 2 - annual meeting of the security community the PWNIE Awards in 2015 awarded the first prize in the Best Server-Side Bug category for the discovery of a vulnerability in SAP that allowed unauthorized access to the system https://bit.ly/29Se5hB

User layer

4 Default accounts

During the implementation of the SAP system default user accounts are created. They are used for the initial installation of the system, and are commonly known by both name and password.
It is extremely important to adequately protect these accounts.
The most critical account is SAP* (allows virtually unlimited access and changes to the system).

Default account passwords should be changed, and highly privileged profiles (e.g. SAP_ALL) should be deleted.
The important thing is that if you delete the default account - it will recreate itself automatically (with the default password).
The SAP* account should therefore have its password changed and the login/no_automatic_user_sapstar parameter set to 1 (no automatic SAP* account recovery).

5 Default profiles

As with the default accounts, SAP has (supplied with the installation) sets of authorization profiles, allowing broad access to the system. The use of these profiles should be very strictly managed and their use limited to emergency situations only.

The most important broad access profile is SAP_ALL - it allows you to execute any transaction, access any object, function or action (there is a reason why in the jargon of SAP administrators this profile is used to be referred to as "God on the system"). It is essential that this profile is not assigned anywhere. The case is similar with the SAP_NEW profile

6. conflicts of authority

Failure to adequately provide users with access rights to various parts of the system is an increased risk of embezzlement.

Example: if one person has both the ability to change a bank account number and the ability to make a wire transfer - it is possible to circumvent the organization's policies to move money out the door.

To sum up: it is important to manage the privilege conflict matrix properly. Such a matrix allows you to identify existing conflicts in the first place, and verification of individual user accesses will allow you to assess risks. The implementation of an effective data access policy in SAP is one of the most important elements of sealing the SAP environment against risks, the main factor of which is user action.

We Manage the Digital Transformation of Your Business

Do you want to secure your business from cyber attacks? Or are you planning a digital transformation or looking for IT specialists for a project? We'd be happy to help. We are here for you. Let's talk about professional IT services for your business.

Tomasz Jurgielewicz

Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of: - identification of authorization conflicts and authorization reorganization, - identification of SAP vulnerabilities, - integration of SIEM solutions with SAP, - optimization of SAP licenses.