If you want to check whether the doors of a house are securely locked, it is best to try them yourself. The resident has an advantage over an intruder: he knows every door and window that can be used, or misused, as an entry point. The same holds true for SAP systems: a penetration test is far more effective if an external attack (black-box pen-testing) is combined with an analysis of possible vulnerabilities from within (white-box pen-testing).
Wilma Flintstone: "Fred, is our door locked?"
Fred Flintstone: "I will take a look, Wilma!"
(The Flintstones, 30.09.1960)
This conversation must have been held shortly after man climbed down from the trees to spend his nights in caves, and it was necessary for our ancestors' survival.
We owe the success of the human species to the ability to ask relevant questions and to find the correct answers to them. Over the past 10,000 years, the questions of the worried Wilmas have become more and more complex, while the answer-finding strategy of the Freds has more or less stayed the same:
"Is my SAP system secure, Fred?"
"I will perform a penetration test soon, Wilma!"
To think that such a complex subject can be reduced to a few indicators, and that it would be enough to determine their values selectively or over a short period of time, is optimistic to say the least. This is one of the reasons why Fred Flintstone has to spend the night outside while his saber-toothed cat gets to sleep inside in the famous closing scene of the TV series. Fred securely locked the door but failed to predict that his saber-toothed cat could easily get into the cave through the open window.
Does that mean it is not useful to conduct SAP penetration tests?
Well, of course it is! But it depends on which goals Fred is pursuing.
- If Fred wants Wilma to be able to relax in his arms, we recommend that he rattle the door a bit to show his wife that everything is just fine.
- If, however, Fred wants to convince Wilma that the cave entrance needs to be renovated, he should show her how easily a malicious intruder could get into their cave.
If the aim of a pen test is to determine the probability of a successful attack on an SAP system and to identify adequate measures to prevent it, we have to consider certain facts. Firstly, we have to realize that the attackers of 2017 are experienced professionals who use special tools (acquired in the Deep Web) against SAP systems. They work collaboratively, each according to their specialization (communication, networks, SAP access, theft and manipulation of data, data encryption and blackmail).
A compromised SAP system promises a huge profit to a criminal, so one has to expect that a considerable amount of skilled resources, far exceeding the budget of a penetration test, is invested in attacks.
The goal of our penetration tests has to be the anticipation of successful attack strategies, not the appeasement of worried system users and auditors. We therefore recommend the following to SAP users:
- Consider SAP penetration tests as one measure amongst many.
- Hire service providers specializing in SAP attacks.
- To compensate for the quantitative resource disadvantage, penetration testers should be given additional privileges that an attacker usually would not have, such as access to certain SAP settings ("grey-box penetration testing").
Over the years, we have examined the security of many SAP systems. In some instances we have come upon well-protected systems, but in others we have been reminded of Fred Flintstone's cave: no barred windows, no window panels and no curtains. In every case, we were able to determine and show the current state of security, and subsequently plan improvements and help with their realization. Grey-box penetration tests as a first step have proven to be the most efficient technique for gaining the undivided attention and support of the "Wilmas" for our cause. YABBA DABBA DOOO!
Author: Peter Maier-Borst, Virtual Forge GmbH