by Sükrü ilkel Birakoglu, Senior Director
Business Critical Systems house a wealth of business-critical data relating to supply chains and product life cycle management, among a whole host of other databases. When SAP is disconnected from other security systems and visibility is limited or non-existent, the result is a whole host of problems, including insider threats.
Of course, one of the biggest threats, if not the biggest, comes from the outside, which makes a fully protected SAP system imperative. So how do you protect passwords, and access to passwords, in SAP systems? A good place to start is understanding how they are accessed: how does an SAP user log in, what happens then, where does it go, and how does an intruder gain access to these passwords?
Why are SAP systems targets of cyber-attacks, and how do users log in securely?
In short, an SAP system is a goldmine of data. SAP is an integrated business system that supports the most critical business processes of a company and in most cases, it’s integrated with other business solutions. As a result, SAP Systems contain a huge volume of sensitive business data. These characteristics of SAP Systems and SAP Databases make them a target for security breaches with the objective of obtaining access to sensitive information and performing fraudulent activities.
As with any other system, users have logins and passwords. SAP has Secure Login, an innovative software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment.
The SAP user can log on to an SAP system via SAP GUI (Graphical User Interface) using Single Sign-On or a user/password combination. Passwords are saved as hashes in the user master tables in the database of the SAP system. An intruder with access to the password hashes can crack passwords, especially weak or generated ones, using dictionary attack or collision attack techniques. This raises an important question.
How does an intruder bypass access control mechanisms of SAP to obtain password hashes?
The first way to access password hashes in a production SAP system is to browse database tables using transaction SE16, especially if appropriate access controls on tables are not established. Access to sensitive password and business data can be prevented by assigning proper Authorization Groups to database tables. Unfortunately, this is not the case in many SAP implementations, and too many users have access to database tables holding sensitive data. The password hashes can then be displayed and downloaded using transaction SE16.
The ability to debug programs in production environments offers another way to obtain password hashes. Debug mode makes it possible to look at the values being processed and obtain password hashes. Executing a basic report, such as RSUSR200—List of Users According to Logon Date and Password Change, which reads a table that contains user-related data, could be sufficient to obtain a hash in debug mode.
There are many other ways of obtaining password hashes and sensitive business information, such as connecting to SAP systems from external programs using RFC-enabled function modules or accessing the database of an SAP system directly using database connectors.
Logpoint SIEM’s role in protecting your SAP systems
It’s vital to catch unauthorized access to critical database tables, execution of critical programs, or debugging in production systems in real time, to correlate these with other security-related events, and to show alerts in an integrated SIEM (Security Information and Event Management) tool. Typically, SAP systems are disconnected from IT security monitoring. This means that SAP data does not get correlated with other events in the IT network, and this lack of integration creates a severe security gap that can only be overcome by bringing SAP data into the central monitoring solution.
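The kind of correlation described above can be sketched as follows. This is an added example, not Logpoint's or SAP's own code: the key=value event format, the field names, the system ID `PRD`, the user names and the 10-minute window are all assumptions, and the table watchlist is our own choice (USR02 is the SAP user master table that holds password hashes).

```python
from datetime import datetime, timedelta

# Assumed watchlist of user master / password history tables.
HASH_TABLES = {"USR02", "USH02", "USRPWDHISTORY"}
USER_REPORTS = {"RSUSR200"}        # report named in the article
WINDOW = timedelta(minutes=10)     # assumed correlation window

# Constructed sample events in a hypothetical normalized key=value format.
SAMPLE = """\
ts=2024-05-06T09:00:12 sys=PRD user=JDOE kind=transaction obj=VA01
ts=2024-05-06T09:14:03 sys=PRD user=MKAYA kind=table_read obj=USR02 tcode=SE16
ts=2024-05-06T09:20:40 sys=DEV user=ASMITH kind=debug obj=RSUSR200
ts=2024-05-06T10:01:00 sys=PRD user=ASMITH kind=debug obj=-
ts=2024-05-06T10:03:30 sys=PRD user=ASMITH kind=report obj=RSUSR200
ts=2024-05-06T11:30:00 sys=PRD user=JDOE kind=report obj=RSUSR200
"""

def parse(line):
    """Turn one key=value line into a dict with a parsed timestamp."""
    ev = dict(part.split("=", 1) for part in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect(text, prod_systems=("PRD",)):
    """Return (severity, user, reason) alerts for production systems only."""
    events = [parse(l) for l in text.splitlines() if l.strip()]
    alerts, last_debug = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["sys"] not in prod_systems:
            continue  # debugging outside production is expected
        user, kind, obj = ev["user"], ev["kind"], ev["obj"]
        if kind == "table_read" and obj in HASH_TABLES:
            alerts.append(("high", user, f"read of {obj} via {ev.get('tcode', '?')}"))
        elif kind == "debug":
            last_debug[user] = ev["ts"]  # remembered for correlation below
            alerts.append(("medium", user, "debugging in production"))
        elif kind == "report" and obj in USER_REPORTS:
            seen = last_debug.get(user)
            if seen is not None and ev["ts"] - seen <= WINDOW:
                alerts.append(("high", user, f"{obj} run within {WINDOW} of debugging"))
            else:
                alerts.append(("low", user, f"{obj} executed"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert, sep=" | ")
```

On its own, a run of RSUSR200 is routine administration; it is the same user's debugger session minutes earlier that raises the severity, which is why the SAP events need to sit in the same place as the rest of the monitoring data.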
By merging BCS for SAP and SIEM technologies, we bridge the security gap by onboarding SAP security into SIEM. Here data gets correlated with other events in the IT network, providing contextual insight and delivering full threat visibility throughout the entire landscape.
You can get more information about our SAP Security Monitoring Solutions on our website and download our BCS for SAP brochure using this link.