Layer Seven Security

Monitoring Access to Sensitive Data using SAP RAL

The disclosure of up to 200,000 classified documents belonging to the NSA by Edward Snowden in 2013, together with the release of over 750,000 U.S Army cables, reports and other sensitive information by Bradley Manning in 2010, has drawn attention to the need to control and monitor access to confidential data in corporate systems. For this reason, the general availability of the latest version of the SAP NetWeaver Application Server in May could not have been more well-timed.

NetWeaver AS ABAP 7.40 includes a new component known as Read Access Logging (RAL) to register and review user access to sensitive data. The momentum for RAL is driven not only by well-publicised information leakages but data protection requirements impacting industries such as e-commerce, healthcare and financial services. RAL is also in demand with organisations that have a relatively open authorization concept and therefore are more susceptible to data misuse. Aside from enabling organisations to verify user access to sensitive data and respond to potential abuses before they lead to the mass exfiltration of information, RAL acts as a deterrent for such abuse if users are aware that their actions are logged and monitored.

RAL supports calls though RFC, Dynpro, Web Dynpro and Web service channels. It is not enabled by default and therefore must be activated by selecting the Enable Read Access Logging in Client parameter in the Administration tab of the RAL Manager accessed via transaction SRALMANAGER. However, prior to enabling RAL, customers should follow several predefined configuration steps using the SAP_BC_RAL_CONFIGURATOR and SAP_BC_RAL_ADMIN_BIZ roles and associated authorization objects delivered by SAP. The first involves defining logging purposes to create logical groupings of log events based on the specific requirements of the organisation.  The second step is creating log domains to group related fields. For example, a domain for customer-specific information could be created to band together fields such as address, date-of-birth, SSN, etc.

Steps one and two establish the overarching structure for log information. The actual fields to be logged are identified during step three through recordings of sessions in supported user interfaces. Once identified, fields are assigned to log conditions and domains in step four. SAP will initiate RAL when the Enable Read Access Logging in Client parameter is selected which represents the final step of the configuration process.

Logs can be accessed through transaction SRALMONITOR or the Monitor tab of SRALMANAGER. Log entries include attributes such as time of the entry, user name, channel, software component, read status, client IP address and details of the relevant application server. Extended views provide more detail of log events than default views. The log monitor supports complex searches of events and filtering by multiple parameters.

RAL configuration settings can be exported to other systems through an integrated transport manager accessed through transaction SRAL_TRANS. Furthermore, logs can be archived using standard Archive Administrative functions in SAP NetWeaver via transaction SARA.

Although RAL is currently only available in NetWeaver AS ABAP 7.40, a release is planned for version 7.31 in the near future. Layer Seven Security can enable your organisation to leverage the full benefits of Read Access Logging and safeguard confidential information in SAP systems. To learn more, contact our SAP Security Architects at or call 1-888-995-0993.

New malware variant suggests cybercriminals are targeting SAP systems

Security researchers at last week’s RSA Europe Conference in Amsterdam revealed the discovery of a new variant of a widespread Trojan program that has been modified to search for SAP systems. This form of reconnaissance is regarded by security experts as the preliminary phase of a planned attack against SAP systems orchestrated by cybercriminals. The malware targets configuration files within SAP client applications containing IP addresses and other sensitive information related to SAP servers and can also be used to intercept user passwords. Read More

The program is adapted from ibank, a Trojan that is most well-known for targeting online banking systems. Ibank is one of the most prevalent Trojans used in financial attacks, based on number of infected systems. It is often deployed together with the Zeus Trojan to harvest system credentials and is assigned a variety of names including Trojan.PWS.Ibank, Backdoor.Win32.Shiz, Trojan-Spy.Win32.Shiz and Backdoor.Rohimafo. Once installed, the program operates within whitelisted services such as svchost.exe and services.exe and is therefore difficult to detect. It also blocks well-known anti-virus programs. Ibank installs a backdoor on infected systems, enabling remote control of infected hosts. It also provides spying functions and the ability to filter or modify network traffic and change routing tables.  The program uses a wide number of APIs to log keystrokes, capture logon credentials, identify, copy and export files and certificates, and perform other malicious activities.

SAP customers are strongly advised to secure SAP installations against the threat of such an attack. Layer Seven Security use SAP-certified software to identify and remove vulnerabilities that expose SAP systems to cyber-attack. This includes misconfigured clients, unencrypted interfaces, and remotely accessible components and services targeted by attackers. Contact Layer Seven Security to schedule a no-obligation proof-of-concept (PoC).  PoCs can be performed against up to three targets selected from a cross-section of SAP systems and environments. Read More