ERP system security is the application of a wide range of measures to protect an ERP system from unauthorized access and to ensure the availability and integrity of its data. An ERP system is a software system designed to bring together all the information needed to manage a company effectively, covering areas such as production, supply chain management, accounting, warehousing, transportation, personnel and customer relations. The most popular ERP systems are SAP, Oracle E-Business Suite and Microsoft Dynamics; in Russia, 1C:Enterprise is also widely used.
Overview
The ERP system is the core of every large company: it covers all business-critical processes, from purchasing, payment and delivery to the management of human resources, products and financial planning. All information stored in an ERP system is essential, and any unauthorized access to it can cause enormous losses, up to and including stopping the business. [1] It is therefore important to conduct a comprehensive security assessment of the ERP system, checking the ERP servers for software vulnerabilities, configuration errors and conflicting authorizations, and for compliance with current standards and recommendations, including the manufacturer's own. [1]
Causes of ERP system vulnerabilities
Difficulty
The complexity of ERP systems leads to security vulnerabilities. ERP systems process a large number of different transactions and implement complex mechanisms that grant different levels of access to different users. For example, SAP R/3 has hundreds of authorization objects that allow different users to perform different actions in the system. A medium-sized organization may use about a hundred types of transactions, and each transaction usually requires at least two authorization objects. If the company has 200 users, there are approximately 800,000 (100 * 2 * 20 * 200) ways to configure the security settings of the ERP system. As complexity increases, so does the likelihood of errors and conflicting authorizations. [2]
Specificity
Vulnerabilities are found every month in popular operating systems and applications because they are under constant scrutiny by attackers; as a result, popular applications become safer over time. Internal business applications are closed to outside eyes, which creates the illusion that they are "safe because they are confidential". Because of this, trivial yet extremely dangerous security vulnerabilities that are rarely seen in popular products are found in specialized business applications. [3]
Lack of qualified professionals
Most training programs for ERP specialists teach how to use the capabilities of the system and pay little attention to security and ERP auditing. [2] In most companies, the understanding of ERP security threats is superficial at best. [4] Many companies do not pay enough attention to the security of their ERP system. Implementation consultants, as a rule, are concerned only with deploying the system on time and within the specified budget, and security issues are treated as secondary. As a result the security of the system is weak, and identifying and correcting security problems later is a difficult and expensive exercise. [2]
Lack of security auditing tools
Most of the tools delivered in ERP packages do not provide the means to effectively audit the security of a system. Because of this, the security audit of the ERP system is usually performed manually. Manual auditing is a complex and lengthy process in which it is easy to make a mistake. [2]
A large number of tweaks
The standard system settings contain thousands of parameters and tweaks, including the delineation of rights to various objects such as transactions and tables. In this mass of settings, ensuring the security of even one system is not an easy task. In addition, most ERP settings are tailored in some way to the customer, so no two ERP systems are identical. Custom programs are also developed on top of the system, and their security must be taken into account in an integrated assessment as well. [4] For these reasons it is difficult to develop a unified approach or methodology for conducting security audits.
ERP Security Issues
Security issues in an ERP system can arise at different levels. [5]
Network layer
Ability to intercept and modify traffic
- lack of data encryption
In 2011, experts from SensePost analyzed the DIAG protocol used in the SAP ERP system for transferring data between the client and the SAP server. As a result, two utilities were published that make it possible to intercept, decrypt and modify client-server requests containing critical information on the fly, opening the way for various man-in-the-middle attacks. The second utility works as a proxy and is intended mainly for research into new vulnerabilities, allowing requests to the client and server to be modified. [6] [7]
- password transfer in clear text (SAP J2EE Telnet, old versions of the Oracle listener)
The SAP ERP system can be administered via the Telnet protocol, which does not encrypt passwords. [8]
Vulnerabilities in encryption or authentication protocols
- hash authentication
- XOR password encryption (SAP DIAG)
- imposing the use of old authentication protocols
- incorrect authentication algorithms
Vulnerabilities also exist in network protocols such as the RFC protocol in SAP ERP and Oracle Net in Oracle E-Business Suite. SAP ERP uses the Remote Function Call (RFC) protocol for communication between two systems over TCP/IP. An RFC call is a function that can call and execute a function module located on another system. ABAP, the language used for writing business applications in SAP, provides functions for making RFC calls. Several major vulnerabilities were found in the SAP RFC Library versions 6.x and 7.x [9] :
- The RFC function RFC_SET_REG_SERVER_PROPERTY allows the RFC server to be set to exclusive use. Exploiting the vulnerability denies access to legitimate users, making a denial-of-service attack possible.
- Error in RFC function "SYSTEM_CREATE_INSTANCE". Exploiting the vulnerability allows you to execute arbitrary code.
- Error in RFC function "RFC_START_GUI". Exploiting the vulnerability also allows you to execute arbitrary code.
- Error in RFC function "RFC_START_PROGRAM". Exploiting the vulnerability allows you to execute arbitrary code or get information about the configuration of the RFC server.
- Error in the RFC function "TRUSTED_SYSTEM_SECURITY". Exploiting the vulnerability allows you to get information about existing users and groups on the RFC server.
OS level
OS software vulnerabilities
- Any remote vulnerability in the OS can be used to gain access to applications.
Weak OS passwords
- possibility of remote password recovery
- empty passwords for remote management tools such as RAdmin and VNC
Insecure OS settings
- NFS and SMB. SAP data can be accessed by an anonymous user via NFS or SMB.
- File permissions. Critical SAP and Oracle data files often have insecure access rights, such as 755 or 777.
- Insecure rhosts settings. Servers that an attacker can easily reach may be registered as trusted hosts.
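A small permission audit for the file-permission issue above, written as an added example (not from the article or any vendor tool): it flags data files whose mode grants anything to group or others, so the 755 and 777 modes the article names are both reported. The directory and file names are constructed.

```python
import os
import stat
import tempfile


def permission_findings(path):
    """List the problems with one file's mode bits. A critical ERP data file
    should be accessible only to its owner; anything granted to group or
    others is reported."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append("world-readable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & (stat.S_IRGRP | stat.S_IXGRP):
        findings.append("group-readable")
    return findings


def audit_tree(root):
    """Walk a directory tree and map each file that has findings to its
    octal mode and the list of problems (clean files are omitted)."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            findings = permission_findings(path)
            if findings:
                mode = stat.S_IMODE(os.stat(path).st_mode)
                report[os.path.relpath(path, root)] = (oct(mode), findings)
    return report


def build_sample_tree():
    """Create a throwaway directory with constructed files in the modes the
    article names as insecure (777 and 755) plus one correctly restricted file."""
    root = tempfile.mkdtemp(prefix="erp_perm_audit_")
    for name, mode in (("sapdata.dat", 0o777), ("oradata.dbf", 0o755),
                       ("owner_only.key", 0o600)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for name, (mode, problems) in audit_tree(build_sample_tree()).items():
        print(f"{name}: mode {mode}: {', '.join(problems)}")
```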
Database Vulnerabilities [10]
Every ERP system contains many databases, so software vulnerabilities in the DBMS are one of the security problems of ERP.
- buffer overflow
A buffer overflow is an attack based on a program writing data to memory outside the buffer allocated for it. This may allow an attacker to load and execute arbitrary machine code on behalf of the program, with the rights of the account under which it runs.
- format string
A format string vulnerability is a type of vulnerability that allows malicious code to be executed. The problem arises from using unfiltered user input as the format string of a C function that performs formatting, such as printf(). An attacker can use the %s or %n format specifiers to write arbitrary data to an arbitrary area of memory.
- Passwords
- multiple default passwords
- passwords and user names can be guessed (no lockout by default)
- many ways to escalate privileges within the database
- High default privileges
- PL/SQL injection
SQL injection is one of the most common ways to attack websites and programs that work with databases, and is based on inserting arbitrary SQL code into a query. Depending on the type of DBMS and the deployment conditions, SQL injection may enable an attacker to execute an arbitrary database query (for example, to read the contents of any table, or to delete, modify or add data), to read and/or write local files, and to execute arbitrary commands on the attacked server. SQL injection becomes possible through incorrect handling of input data used in SQL queries.
- Cursor snarfing
A SQL cursor is a number that identifies the area of memory where the database server stores data about a query, its variables and its rights. Normally the cursor is created and exists until it is explicitly destroyed. If an error occurs while executing a SQL procedure, the cursor may not be destroyed, and an attacker can use this cursor to make a request with the rights of the procedure that failed. [11]
Application Vulnerabilities
ERP systems move more and more functionality to the web application layer, where there are a huge number of vulnerabilities:
- All possible web application vulnerabilities (XSS, XSRF, SQL injection, response splitting, code execution)
- Buffer and format string overflows in web servers and application servers (for example, SAP IGS, SAP Netweaver, Oracle BEA Weblogic)
- Insecure Access Privileges (SAP Netweaver, SAP CRM, Oracle E-Business Suite)
Role-based access control
Most modern ERP systems use the RBAC (Role-Based Access Control) model to allow users to perform only well-defined transactions and to access only certain business objects. [12] In the RBAC model, access decisions are made based on the functions that a user performs in the organization. These functions are called roles; in a bank, for example, the roles are cashier, accountant, loan officer and so on. A role can be understood as a set of transactions that a user or group of users can perform in the organization. A transaction is a procedure for transforming data in the system, together with the data on which that procedure may be performed. Each role corresponds to a set of users who belong to it, and a user may have several roles. Roles can be hierarchical: for example, the "cashier" role is also the "employee" role. One of the advantages of the RBAC model is ease of administration. Once roles are established in the system, the transactions corresponding to each role rarely change, and the administrator only needs to add users to roles or remove them. When an employee joins the organization, the administrator grants them membership in one or more roles; when the employee leaves, the administrator removes them from all their roles. [13]
Separation of powers
Separation of duties (also segregation of duties, SoD) is the principle that a single user cannot complete a transaction without the participation of other users. For example, one user alone cannot add a new supplier, issue an invoice and pay the supplier. This reduces the risk of error or fraud. [14] SoD is an important, although not sufficient [3] , condition for the security of an ERP system. An SoD policy can be implemented using RBAC mechanisms by introducing the concept of mutually exclusive roles. For example, to pay a supplier, one user must initiate the payment and another must confirm it; payment initiation and confirmation are then mutually exclusive roles. Separation of duties may be static or dynamic. With static SoD (SSoD), a user cannot belong to two mutually exclusive roles at all. With dynamic SoD (DSoD), a user can belong to two mutually exclusive roles but cannot exercise both within a single transaction. The advantage of SSoD is simplicity; the advantage of DSoD is greater flexibility. [15] Separation of duties is typically described by an SoD matrix, whose X and Y axes list the roles in the system. If two roles are mutually exclusive, a flag is set at the intersection of the corresponding column and row.
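The RBAC role hierarchy and the static and dynamic SoD checks described in the two sections above, as an added example that is not part of the original article: roles are expanded through the hierarchy (cashier implies employee), the SoD matrix is stored as the set of flagged role pairs, and the static check rejects a user holding two exclusive roles while the dynamic check rejects the same user exercising both on one transaction. The role names, matrix contents and transaction log are constructed.

```python
# Constructed example: roles, a role hierarchy and an SoD matrix for a small
# ERP-like system. None of these names come from a real product.
ROLE_PARENTS = {
    "cashier": {"employee"},
    "accountant": {"employee"},
    "payment_initiator": {"employee"},
    "payment_approver": {"employee"},
}
# SoD matrix stored sparsely: each pair is a flag at the intersection of two
# roles, meaning the roles are mutually exclusive.
SOD_MATRIX = {
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"cashier", "accountant"}),
}


def effective_roles(assigned):
    """Expand directly assigned roles through the hierarchy (cashier -> employee)."""
    result, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in result:
            result.add(role)
            stack.extend(ROLE_PARENTS.get(role, ()))
    return result


def static_sod_violations(assigned):
    """Static SoD (SSoD): a user must not hold two mutually exclusive roles.
    Returns the violating role pairs as sorted tuples."""
    roles = effective_roles(assigned)
    return sorted(tuple(sorted(pair)) for pair in SOD_MATRIX if pair <= roles)


def dynamic_sod_allows(user, role, tx_log, tx_id):
    """Dynamic SoD (DSoD): a user may hold both roles of an exclusive pair but
    must not exercise both on the same transaction. tx_log maps a transaction
    id to the list of (user, role) actions already performed on it."""
    for prev_user, prev_role in tx_log.get(tx_id, []):
        if prev_user == user and frozenset({prev_role, role}) in SOD_MATRIX:
            return False
    return True


def sod_matrix_table(roles):
    """Render the SoD matrix as a dict of dicts with 'X' where two roles
    conflict, the way the matrix is usually drawn along the X and Y axes."""
    return {r: {c: ("X" if frozenset({r, c}) in SOD_MATRIX else "")
                for c in roles} for r in roles}
```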
ERP security scanners
An ERP security scanner is a computer program designed to search for vulnerabilities in ERP systems. The scanner analyzes the configuration of the ERP system for insecure authentication, access control and encryption settings, checks whether the latest versions of the components are installed, and searches for components that are known to be insecure. In addition, the scanner checks the system parameters for compliance with the manufacturer's recommendations and ISACA audit procedures. The output of the scanner is a report listing the detected vulnerabilities and the severity of each. [1] Known scanners:
Notes
- [1] Digital Security. ERPScan. http://www.dsec.ru/products/erpscan (archived copy dated October 10, 2012 on the Wayback Machine).
- [2] Security issues in ERP. Archived copy (link inaccessible); accessed November 21, 2012; archived March 4, 2016.
- [3] http://www.dsec.ru/press_releases/pdf/business.pdf (link inaccessible).
- [4] SAP security in figures. Digital Security company blog, Habrahabr.
- [5] ERP Security. http://dsec.ru/press_releases/infosec2009/infosec2009_polyakov_erp.pdf (link inaccessible).
- [6] Digital Security warns of new threats to the DIAG protocol in SAP. ERPScan SAP security scanner (link inaccessible).
- [7] SensePost. SapCap. Archived October 29, 2012.
- [8] Administering the SAP J2EE Engine Using Telnet. SAP Library, SAP NetWeaver Technical Operations Manual.
- [9] Xakep Online. Multiple Vulnerabilities in the SAP RFC Library.
- [10] Alexander Polyakov (2009). Oracle security through the eyes of an auditor: Attack and defense. DMK Press. ISBN 978-5-94074-517-4.
- [11] Cursor snarfing. Archived copy (link inaccessible); accessed November 21, 2012; archived June 19, 2012.
- [12] Security for Enterprise Resource Planning Systems. http://www.utdallas.edu/~bxt043000/Publications/Journal-Papers/DAS/J46_Security_for_Enterprise_Resource_Planning_Systems.pdf
- [13] Ferraiolo, D., Kuhn, R. Role-Based Access Controls. http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf
- [14] ComplianceTutorial.com. How to build segregation of duties. Archived January 11, 2013.
- [15] Simple search (link inaccessible); accessed November 22, 2012; archived February 26, 2015.