There are many reasons why SAP deserves special treatment in terms of security. Some of them are:
- An extensive network of expert consultants. SAP has always relied on a wide ecosystem of partners, specialized in the different functional modules and technical areas. This approach allowed SAP to become the absolute ERP leader worldwide, but it comes at a price in security: the inner architecture of SAP is well known, and a lot of detailed information is available. A good SAP consultant can easily become a dangerous black hat.
- Many users at different levels. When an SAP ERP is implemented in a company, many users are normally given access to it at different levels: from financial managers to blue-collar operators, from IT engineers to trainees, a significant percentage of employees or external workers can be SAP users, which increases the risk of internal hacking. This fact is even more dangerous when combined with the next one:
- A complex authorization structure, not always correctly implemented. Normally, an initial SAP implementation includes a proper design of roles and profiles, which determines access control to the different functionalities and organizational scopes. But over the years organizations change and ERPs evolve, so it is not rare that, after some years, the authorization structure contains security holes. A disloyal employee with good SAP skills can discover those holes and use them. A hacker can also take advantage of them to escalate privileges in an attack.
- Difficulty of updating. It is not technically easy to keep SAP ERP updated with security patches, so many implementations leave vulnerabilities unfixed for long periods after they were discovered.
On top of everything, an SAP system is a very attractive target for a black hat, due to the nature of the information stored in it: financial data, confidential information about clients, vendors and employees, production procedures…
Therefore, it is clear that we must be especially careful to protect our SAP environment, and Ethical Hacking is one of the most powerful tools to do it. But, as we stated, SAP deserves special treatment, so a penetration test on an SAP system also has some specific characteristics:
- As with any other SAP project, the Ethical Hacking must be performed by certified ethical hackers who are also SAP Partners. SAP provides its partners with access to patches and security notes, as well as extensive material to build sandboxes and test vulnerabilities.
- The Internal Penetration Test is very important, due to the risk of internal hackers as well as the vulnerability to social engineering.
- A deep review of the authorization roles and profiles is a must. A weak definition of roles makes escalation of permissions very easy, which, combined with the risk of internal hacking, is a dangerous combination.
- SAP systems are complex, and the system administrators are not always aware of the running functionalities. Therefore, white-box pentesting should be treated as grey-box, challenging the information provided by the administrators.
- In addition to the usual pentest tools, some ad-hoc scripts are required, focused on the specific vulnerabilities. E.g. in the following picture, a script from Santa Marta AB has been run on a test SAP system, to find accessible users and detect their permissions. In the example, the script has found two powerful standard users keeping their default passwords. Both users can also create new users, which an attacker could use to maintain access and cover tracks.
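
For the authorization review described in the list above, the following is an added example (not the Santa Marta AB script and not part of the original article) that audits an export of user authorizations and flags standard accounts, wide profiles such as SAP_ALL, and accounts allowed to create users. The CSV layout, the Z_* role names and the user names other than SAP's standard accounts are constructed for illustration.

```python
import csv
import io

# Constructed sample data. The column layout is an assumption made for this
# example; adapt the reader to whatever your own authorization export uses.
SAMPLE_EXPORT = """user,profile,auth_object,field,value
SAP*,SAP_ALL,,,
DDIC,SAP_ALL,,,
JSMITH,Z_FI_CLERK,F_BKPF_BUK,ACTVT,03
MLOPEZ,Z_HELPDESK,S_USER_GRP,ACTVT,01
MLOPEZ,Z_HELPDESK,S_USER_GRP,ACTVT,05
TRAINEE1,Z_OLD_PROJECT,S_USER_GRP,ACTVT,*
"""

STANDARD_USERS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH", "TMSADM"}
WIDE_PROFILES = {"SAP_ALL", "SAP_NEW"}   # profiles granting near-total access
CREATE = "01"                            # ACTVT value meaning "create"


def audit(export_text):
    """Return {user: sorted finding codes} for accounts that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip().upper()
        hits = set()
        if user in STANDARD_USERS:
            # Standard account: confirm its password was changed after install.
            hits.add("STANDARD_ACCOUNT")
        if row["profile"].strip().upper() in WIDE_PROFILES:
            hits.add("WIDE_PROFILE")
        # S_USER_GRP with ACTVT 01 (or a wildcard) allows creating users.
        if (row["auth_object"] == "S_USER_GRP" and row["field"] == "ACTVT"
                and row["value"].strip() in (CREATE, "*")):
            hits.add("CAN_CREATE_USERS")
        if hits:
            findings.setdefault(user, set()).update(hits)
    return {user: sorted(h) for user, h in findings.items()}


def ordinary_user_admins(findings):
    """Non-standard accounts that can create users: typical role drift."""
    return sorted(u for u, h in findings.items()
                  if "CAN_CREATE_USERS" in h and u not in STANDARD_USERS)


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT)
    for user, codes in result.items():
        print(f"{user:10} {', '.join(codes)}")
    print("Review first:", ordinary_user_admins(result))
```

Accounts returned by `ordinary_user_admins` are the ones where an old or overly broad role lets a regular user create further accounts, which is the escalation path the role review is meant to close.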