Security requirements keep rising, and protecting an organization's critical data is one of the basic conditions for keeping core business processes running.
System landscapes are also becoming more complex (communication with external systems, data exchange, and continuous development of existing systems), and every such integration widens the attack surface.
During an attack on an SAP system (whether it originates inside or outside the organization), an attacker may gain access to valuable system information
and use it for further attacks on other SAP systems, as well as quietly extract important company data (customer data, product information such as recipes and technical drawings, salary data, etc.).
Managing security comes down to managing risk.
To do it properly, all risks should first be recorded and grouped by priority, so that the organization running the SAP system can learn about and remediate possible threats to it (with external support if needed).
An SAP security and compliance review covers the network, operating system, database, profile parameters, and segregation-of-duties (SoD) conflicts in the SAP system, assessed against the agreed risk and conflict matrices.
6 basic risk areas
We have listed 6 basic risk areas that should be looked at first.
We divided them into two groups: technical (areas 1-3) and user-related (areas 4-6).
1. Setting up the SAP configuration
The layer of profile parameters should correspond to the organization's security policy. These parameters should be monitored regularly, because they can be changed in the running system (RZ10/RZ11) and drift away from the policy. Three password-related examples:
login/password_expiration_time (default 0, our recommendation is 30)
Number of days after which the user must change the password; with the value 0, expiration is not enforced.
login/min_password_lng (default 3 on older releases, 6 on newer kernels; our recommendation is 8+)
Minimum password length.
login/fails_to_user_lock (default 12 on older releases, 5 on newer kernels; our recommendation is 5)
Number of incorrect password entries after which the user account is locked.
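The check behind this section can be automated. The script below is an added example (not part of the original article): it reads the `name = value` format of an SAP instance profile (DEFAULT.PFL or a text dump of RSPARAM), compares the password parameters against the recommendations above, and treats an absent parameter as having the older kernel default. The profile excerpt is constructed for the example, and the baseline also covers login/no_automatic_user_sapstar, discussed under default accounts below.

```python
"""Check SAP profile parameters against a password-policy baseline.

Added example. Parses the `name = value` lines of an SAP profile
(DEFAULT.PFL / instance profile or an RSPARAM text dump) and reports
every parameter that deviates from the baseline. SAMPLE_PROFILE is
constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable

SAMPLE_PROFILE = """\
# constructed DEFAULT.PFL excerpt
SAPSYSTEMNAME = PRD
login/password_expiration_time = 0
login/min_password_lng = 3
login/fails_to_user_lock = 12
"""


@dataclass(frozen=True)
class Rule:
    param: str
    check: Callable[[int], bool]
    expected: str   # human-readable target for the report
    default: int    # assumed when the parameter is absent (older kernel defaults)


BASELINE = [
    Rule("login/password_expiration_time", lambda v: 1 <= v <= 30, "1..30 days", 0),
    Rule("login/min_password_lng", lambda v: v >= 8, ">= 8 characters", 3),
    Rule("login/fails_to_user_lock", lambda v: 1 <= v <= 5, "<= 5 attempts", 12),
    Rule("login/no_automatic_user_sapstar", lambda v: v == 1, "1 (kernel SAP* disabled)", 0),
]


def parse_profile(text: str) -> dict[str, str]:
    """Return {parameter: value}; '#' starts a comment, first '=' separates key and value."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def audit(params: dict[str, str]) -> list[str]:
    """Return one finding per baseline rule that the profile violates."""
    findings = []
    for rule in BASELINE:
        raw = params.get(rule.param)
        if raw is None:
            value, source = rule.default, "default"
        elif raw.lstrip("-").isdigit():
            value, source = int(raw), "set"
        else:
            findings.append(f"{rule.param}={raw!r} is not numeric; expected {rule.expected}")
            continue
        if not rule.check(value):
            findings.append(f"{rule.param}={value} ({source}); expected {rule.expected}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_profile(SAMPLE_PROFILE)):
        print("FINDING:", finding)
```

Run it against each instance profile in the landscape, not only DEFAULT.PFL, since an instance profile overrides the default profile for that instance.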
2. Verification of events and settings "inside" and "outside" the SAP layer
SAP Security Audit Log (SM19/SM20):
- the main security log,
- some information is hard to interpret from a security perspective,
- for example, a logon of the SAP* user is not rated as a risk by the log itself, whereas a wrong password is; the analysis has to add that context.
SAP Change Documents and Table Logging:
- logging of document changes and changes to tables,
- of limited value if the documents are not archived in time.
SAP System Log (SM21):
- the main SAP system log,
- the log file is circular, so entries are overwritten (typically after about 14 days).
Levels beyond SAP
Operating system log (Windows/UNIX): the problem is, for example, that the administrator needs root privileges merely to read the logs.
Database log: database settings (e.g. information about accounts and their authorizations) cannot be analyzed from the SAP level.
Web logs (SAP Router/HTTP): the problem is the lack of a standard way to redirect these logs to syslog.
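Because the Security Audit Log does not rate an SAP* logon as a risk, the ranking has to be added by whatever reads the log. The script below is an added example (not from the original article): it runs two detections over a constructed, simplified text export (one line per event with timestamp, client, user, terminal and message ID; the real Security Audit Log layout differs). AU1 and AU2 are the standard audit-log message IDs for successful and failed logon; the set of privileged users and the thresholds are assumptions.

```python
"""Flag logon risks that the Security Audit Log does not rank by itself.

Added example. SAMPLE_EXPORT is a constructed, simplified export
(timestamp|client|user|terminal|message ID); it is not the real log layout.
AU1 = logon successful, AU2 = logon failed (standard SAL message IDs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_THRESHOLD = 5           # mirrors the login/fails_to_user_lock recommendation
WINDOW = timedelta(minutes=10)       # assumption: failures closer than this count as one burst
PRIVILEGED_USERS = {"SAP*", "DDIC"}  # assumption: every logon of these accounts is alert-worthy

SAMPLE_EXPORT = """\
2023-03-01 08:00:01|100|JSMITH|WS0123|AU1
2023-03-01 08:02:10|100|ADMIN|WS0999|AU2
2023-03-01 08:02:12|100|ADMIN|WS0999|AU2
2023-03-01 08:02:14|100|ADMIN|WS0999|AU2
2023-03-01 08:02:16|100|ADMIN|WS0999|AU2
2023-03-01 08:02:18|100|ADMIN|WS0999|AU2
2023-03-01 08:03:00|100|ADMIN|WS0999|AU1
2023-03-01 09:15:00|000|SAP*|WS0042|AU1
"""


def parse_export(text: str) -> list[dict]:
    """Parse the constructed export into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, user, terminal, msg = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "user": user, "terminal": terminal, "msg": msg})
    return events


def detect(events: list[dict]) -> list[str]:
    """Return alerts: failed-logon bursts, a success right after a burst, privileged logons."""
    alerts = []
    failures = defaultdict(list)   # (client, user) -> timestamps of AU2 inside WINDOW
    burst_reported = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["client"], ev["user"])
        if ev["msg"] == "AU2":
            recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) >= FAILED_LOGON_THRESHOLD and key not in burst_reported:
                alerts.append(f"possible brute force: {len(recent)} failed logons for "
                              f"{ev['user']} in client {ev['client']} from {ev['terminal']}")
                burst_reported.add(key)
        elif ev["msg"] == "AU1":
            if key in burst_reported:
                alerts.append(f"successful logon for {ev['user']} in client {ev['client']} "
                              f"after a failed-logon burst from {ev['terminal']}")
            if ev["user"] in PRIVILEGED_USERS:
                # the log rates this as harmless; the detection does not
                alerts.append(f"privileged logon: {ev['user']} in client {ev['client']} "
                              f"from {ev['terminal']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_export(SAMPLE_EXPORT)):
        print("ALERT:", alert)
```

The burst detection is per client and user; a spray across many users from one terminal would need the same sliding window keyed on the terminal instead.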
3. Updating system patches
Every system can be compromised, and SAP is no exception, so it is important to install security patches (SAP Security Notes) regularly.
Published patches also publicise the vulnerabilities they fix, so intrusions into unpatched systems through known, long-fixed vulnerabilities are well documented.
Example 1: a 2016 alert by US-CERT (US Department of Homeland Security) pointed to intrusions into at least 36 global SAP systems using a vulnerability that had been known and fixed since 2010. More at https://bit.ly/28Kpk5r
Example 2: at the 2015 Pwnie Awards, the security community's annual awards ceremony, first prize in the Best Server-Side Bug category went to the discovery of a vulnerability in SAP allowing unauthorized access to the system: https://bit.ly/29Se5hB
4. Default accounts
During the implementation of the SAP system, default user accounts (SAP*, DDIC, EARLYWATCH, SAPCPIC, TMSADM) are created. They are used for the initial installation of the system and are publicly known by both name and password.
It is extremely important to protect these accounts properly.
The most critical is SAP* (it allows virtually unlimited access to, and changes in, the system).
Default account passwords should be changed and highly privileged profiles (such as SAP_ALL) removed from these accounts.
Note that simply deleting SAP* does not help: if the SAP* user master record is missing in a client, the kernel's built-in SAP* user with the well-known default password (PASS) becomes active and can log on.
The SAP* account should therefore keep its user master record, with a changed password and locked, and the parameter login/no_automatic_user_sapstar should be set to 1 (which disables the automatic kernel SAP* user).
5. Default profiles
As with default accounts, SAP is delivered with authorization profiles that grant very wide access to the system. Their use should be very strictly managed and limited to emergencies only.
The most important broad-access profile is SAP_ALL: it allows executing any transaction and accessing any object, function or action (for good reason SAP administrators' jargon calls it "God on the system"). It is important that this profile is not assigned to anyone; every assignment should be detected and justified. The same applies to the SAP_NEW profile, which grants the authorizations introduced by new releases and is meant only as a temporary bridge during upgrades.
6. Conflicts of permissions
Granting users access to different parts of the system without care increases the risk of fraud.
Example: if one person can both change a vendor's bank account number and execute a payment, the organization's controls can be bypassed to transfer money outside.
To sum up: it is important to maintain the privilege conflict (segregation-of-duties) matrix. Such a matrix first of all identifies the conflicting functions, and checking individual users' access against it allows the risk to be assessed. Implementing an effective data access policy in SAP is one of the most important elements of hardening the SAP environment, since user activity is the main risk factor.
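Sections 5 and 6 describe the same review from two angles: broad profiles that should not be assigned at all, and combinations of ordinary authorizations that must not meet in one user. The script below is an added example (not from the original article) that runs both checks over constructed assignment data. The user, profile and transaction-code assignments are made up; the transaction codes are illustrative (FK02/XK02 change vendor master data including bank details, F110/F-53 post payments), and in a real review the user-to-transaction mapping would be extracted from the authorization tables or SUIM reports rather than typed in.

```python
"""Authorization review: broad profiles and segregation-of-duties conflicts.

Added example with constructed data. Transaction codes are illustrative:
FK02/XK02 = change vendor master (bank details), F110/F-53 = make payments.
"""
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}

# user -> assigned profiles (constructed)
USER_PROFILES = {
    "SAP*": {"SAP_ALL"},
    "JSMITH": {"Z_AP_CLERK"},
    "MBROWN": {"Z_AP_CLERK", "Z_TREASURY"},
    "FIREFIGHTER": {"SAP_NEW"},
}

# profile -> transactions it grants (constructed); "*" stands for every transaction
PROFILE_TCODES = {
    "Z_AP_CLERK": {"FK02", "FB60"},
    "Z_TREASURY": {"F110", "F-53"},
    "SAP_ALL": {"*"},
    "SAP_NEW": set(),
}

# conflict matrix: pairs of functions that must not be held by one person,
# each with the transactions that implement the function
SOD_MATRIX = [
    ("change vendor bank data", {"FK02", "XK02"}, "execute payment", {"F110", "F-53"}),
]


def user_tcodes(user: str) -> set:
    """Union of the transactions granted by all of the user's profiles."""
    tcodes = set()
    for profile in USER_PROFILES.get(user, ()):
        tcodes |= PROFILE_TCODES.get(profile, set())
    return tcodes


def grants(tcodes: set, function_tcodes: set) -> bool:
    """True if the user can run any transaction of the function (SAP_ALL grants all)."""
    return "*" in tcodes or bool(tcodes & function_tcodes)


def review() -> list[tuple]:
    """Return (user, finding type, detail) for broad profiles and SoD conflicts."""
    findings = []
    for user, profiles in USER_PROFILES.items():
        for profile in sorted(profiles & BROAD_PROFILES):
            findings.append((user, "BROAD_PROFILE", profile))
        tcodes = user_tcodes(user)
        for fn_a, tc_a, fn_b, tc_b in SOD_MATRIX:
            if grants(tcodes, tc_a) and grants(tcodes, tc_b):
                findings.append((user, "SOD", f"{fn_a} + {fn_b}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review():
        print(f"{kind:14} {user:12} {detail}")
```

A holder of SAP_ALL shows up under both checks, which is intended: removing the broad profile is the fix, but the SoD line documents what the profile actually enabled. Real conflict matrices are defined at the level of authorization objects and field values, not only transaction codes; the structure here stays the same, only the `grants` test gets more detailed.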
GOOD TO READ ABOUT SAP SECURITY: