Applying Defensive Strategies to Secure Systems

ERP systems, such as SAP’s ECC, face a multitude of potential threats. Within the past few years, security consulting companies such as ERPScan and Onapsis have been warning that the once-perceived impenetrable SAP systems are susceptible to hacking attacks. Given the financial, customer, supplier, credit card, employee and production data that reside in an ERP system, SAP is indeed a juicy target for all sorts of malicious hackers. Last week, news about attackers breaking into the USIS through an exploit in an SAP system spread through the SAP user community. Given the threats that SAP ERP systems face, security strategies driven purely by regulatory compliance are no longer adequate. Organizations should alter their approach to securing their SAP systems and implement a holistic defensive strategy that protects the entire SAP technology stack.

An excellent structure that can be used in the defensive strategy is the approach that I learned in my Defensive Hacking course at Carnegie Mellon University, which follows a functional flow of information defense: hamper identification of targets, then block establishment of an initial compromise, then exacerbate the difficulty of attack progress, and finally facilitate response to identified attacks.

Deception. A deception strategy is usually used as a first line of defense. It can either make an adversary’s attack “no one’s problem” or “somebody else’s problem.” Examples of security controls to deceive an attacker are honeypots and tarpits, minimizing the footprint of critical assets and hiding the nature of your organization. From an SAP-specific standpoint, one of the tools that can be used is Core Security’s HoneySAP, a “low-interaction research honeypot aimed at learning the techniques, tactics and motivations behind the attacks against SAP systems.”

Frustration. If the attacker defeats the deceptive tactics, the next layer should frustrate the attacker from getting access to critical assets. Its goal is to deny the attacker the initial access necessary for his/her attack by blocking what you can. Firewalls and router access control lists will prevent the information flows that are critical to the attacker. Minimizing services on servers can also play this part as it reduces the attack surface that the attacker can exploit. This control is especially useful for SAP since it is known to have a huge attack surface. Some of the controls used to frustrate attackers are the removal of unnecessary services and network ports, the use of demilitarized zones (DMZs), use of application-level gateways to supplement firewalls, and installing SAProuter on a firewall host.

Resistance. Resistance strategies inhibit the progression of an attack by limiting its propagation on a server or across the network. The main objective is to make it as difficult as possible for the attacker to pursue his/her target. Resistance tactics require active maintenance of the controls, such as the frequent change of passwords, regular review of policies, and regular application of patches to applications and servers. Since these require more time and effort, it always makes sense to focus on the controls that provide protection for the assets that carry the highest risks. Implementing critical Security Notes, hardening the application layer, configuring security parameters, adhering to Secure Programming Guidelines, implementing security baselines, and encrypting network communications are some of the controls that will hinder the advancement of an attack.
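One way to make "configuring security parameters" and "implementing security baselines" concrete is a check that reads an instance profile and compares it against a baseline. The following is an added example, not code from the original post: it parses a constructed profile excerpt written in SAP's `parameter = value` profile syntax and reports every parameter that misses the baseline. The `login/*` parameter names are real SAP parameters used for illustration; the sample values, the threshold values in `BASELINE`, and the tuple-based finding format are assumptions made for this example.

```python
"""Added example: compare SAP-style profile parameters against a security baseline."""

# Constructed instance-profile excerpt (SAP "parameter = value" syntax).
# The parameter names are real SAP login/* parameters; the values are made up
# for this example and deliberately weak so that the checker has something to report.
SAMPLE_PROFILE = """\
# constructed profile excerpt, not a real system's profile
login/min_password_lng = 6
login/fails_to_user_lock = 99
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 1
"""

# Baseline rules: (parameter, comparison, required value).
# The thresholds are assumptions for this example; a real baseline comes from
# the organization's hardening standard.
BASELINE = [
    ("login/min_password_lng", ">=", 8),
    ("login/fails_to_user_lock", "<=", 5),
    ("login/password_expiration_time", "between", (1, 90)),
    ("login/no_automatic_user_sapstar", "==", 1),
]


def parse_profile(text):
    """Return {parameter: raw_value} from profile text, skipping blanks and comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # not a parameter assignment; ignore
        params[name.strip()] = value.strip()
    return params


def check_baseline(params, baseline=BASELINE):
    """Return a list of (parameter, reason) findings for every baseline violation.

    Missing and non-numeric parameters are reported as findings too, because an
    unset parameter silently falls back to the kernel default, which the baseline
    may not accept.
    """
    findings = []
    for name, op, expected in baseline:
        raw = params.get(name)
        if raw is None:
            findings.append((name, "not set in profile"))
            continue
        try:
            actual = int(raw)
        except ValueError:
            findings.append((name, f"non-numeric value {raw!r}"))
            continue
        if op == "==":
            ok = actual == expected
        elif op == ">=":
            ok = actual >= expected
        elif op == "<=":
            ok = actual <= expected
        elif op == "between":
            ok = expected[0] <= actual <= expected[1]
        else:
            raise ValueError(f"unknown comparison {op!r}")
        if not ok:
            findings.append((name, f"{actual} violates {op} {expected}"))
    return findings


def run_sample():
    """Run the checker over the constructed profile and return its findings."""
    return check_baseline(parse_profile(SAMPLE_PROFILE))


if __name__ == "__main__":
    for name, reason in run_sample():
        print(f"BASELINE VIOLATION: {name}: {reason}")
```

The checker reports three violations for the sample (password length, lock threshold, and password expiration) and accepts the `sapstar` setting. The same structure extends to any other parameter family the baseline covers; only the `BASELINE` list changes.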

Recognition/Recovery. This last defensive strategy requires the quick identification of an attack and the rapid recovery from the attack to the system's normal and secure state. To identify an attack, an organization must have resources and processes in place to recognize indicators and warnings and investigate the impact and scope of the intrusion. Recovering from an attack is an important part of this strategy since the organization must be able to resume normal operations after an attack. Countering attacks against SAP systems requires proactive monitoring of comprehensive and up-to-date event logs covering network, system, table, and user domains. This control enables the detection of actions often associated with system intrusions and the blocking of attempted attacks in real time. Effective logging and monitoring also acts as a deterrent against internal threats and enables organizations to quickly trace the origin of successful breaches, assess the impact and contain the damage resulting from attacks.
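To show what "monitoring of event logs covering network, system, table, and user domains" looks like in practice, here is an added detection example that is not part of the original post. It runs over a constructed, simplified audit record format (pipe-separated timestamp, event, user, terminal, detail; not real SAP Security Audit Log output) and flags two patterns commonly associated with intrusions: a burst of failed logons for one user followed by a successful logon from the same terminal, and a direct change to a sensitive table. The event names, the thresholds, and the `SENSITIVE_TABLES` list are assumptions for this example; `USR02` is a real SAP table name used only as an illustration of what such a list might contain.

```python
"""Added example: flag intrusion indicators in simplified SAP-style audit records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real SAP audit log output).
# Fields: timestamp|event|user|terminal|detail
SAMPLE_LOG = """\
2015-06-16 08:00:01|LOGON_FAILED|ADMIN_J|10.0.0.5|wrong password
2015-06-16 08:00:03|LOGON_FAILED|ADMIN_J|10.0.0.5|wrong password
2015-06-16 08:00:05|LOGON_FAILED|ADMIN_J|10.0.0.5|wrong password
2015-06-16 08:00:07|LOGON_FAILED|ADMIN_J|10.0.0.5|wrong password
2015-06-16 08:00:09|LOGON_OK|ADMIN_J|10.0.0.5|
2015-06-16 08:15:00|LOGON_OK|CLERK_A|10.0.1.20|
2015-06-16 08:16:30|TABLE_CHANGE|CLERK_A|10.0.1.20|USR02
2015-06-16 09:00:00|LOGON_FAILED|CLERK_B|10.0.1.21|wrong password
2015-06-16 09:00:30|LOGON_OK|CLERK_B|10.0.1.21|
"""

# Assumed thresholds for this example; tune them to the system's normal behaviour.
FAIL_THRESHOLD = 3              # failures within the window before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)
# Assumed list of tables whose direct modification should always be reviewed.
SENSITIVE_TABLES = {"USR02"}


def parse(text):
    """Parse the constructed record format into a list of dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, terminal, detail = line.split("|", 4)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event": event,
            "user": user,
            "terminal": terminal,
            "detail": detail,
        })
    return sorted(records, key=lambda r: r["ts"])


def _expire(queue, now):
    """Drop failure timestamps older than FAIL_WINDOW from the left of the queue."""
    while queue and now - queue[0] > FAIL_WINDOW:
        queue.popleft()


def detect(records):
    """Return (indicator, user, terminal, timestamp) tuples for each finding."""
    findings = []
    recent_failures = defaultdict(deque)   # user -> timestamps of recent failed logons
    for r in records:
        user, now = r["user"], r["ts"]
        if r["event"] == "LOGON_FAILED":
            q = recent_failures[user]
            q.append(now)
            _expire(q, now)
        elif r["event"] == "LOGON_OK":
            q = recent_failures[user]
            _expire(q, now)
            if len(q) >= FAIL_THRESHOLD:
                findings.append(("guessing_then_success", user, r["terminal"], now))
            q.clear()   # a successful logon resets the failure history for that user
        elif r["event"] == "TABLE_CHANGE" and r["detail"] in SENSITIVE_TABLES:
            findings.append(("sensitive_table_change", user, r["terminal"], now))
    return findings


def run_sample():
    """Run the detector over the constructed sample and return its findings."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for indicator, user, terminal, ts in run_sample():
        print(f"{ts} {indicator}: user={user} terminal={terminal}")
```

On the sample, `ADMIN_J` is flagged (four failures within the window, then a success) while `CLERK_B` is not (a single failure before success is ordinary user behaviour), and the `USR02` change by `CLERK_A` is reported. Because the failure queue is per user and time-windowed, the detector keeps only bounded state and can run over a continuous stream rather than a batch.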

Note that the tools and techniques mentioned above are SAP-specific. The layered security model can also be applied to any business application or any system in the base infrastructure (operating system, database, and network) that hosts the application.
