Layer Seven Security

Three Steps to Prevent a Sony-Scale Breach of Your SAP Systems

The recent attack experienced by Sony Pictures Entertainment may well prove to be the most significant breach of the year. By all measures, the impact has been devastating for the organization, leading to the loss of almost 40GB of data to attackers. This includes not only proprietary intellectual property such as digital media, blueprints and schedules, but also social security numbers, bank accounts and payroll information. The loss of some of this information has led directly to several lawsuits against the company. It has also severely damaged and undermined the Sony brand. The attack has illustrated the vulnerability and unpreparedness of organizations in the face of sophisticated, targeted cyber threats.

The most surprising fact about the breach is that it is the second time in three years that Sony has been the victim of such a destructive attack. Therefore, the company has drawn a great deal of criticism for alleged security practices that arguably should have been stamped out following the previous breach in 2011. In terms of the monetary impact of the recent attack, many experts estimate that impairment charges could range between $70M-$80M for Sony. Some place the cost closer to $100M.

The attackers compromised digital certificates used to authenticate Sony’s servers and released information related to over 1600 Linux/Unix and 800 Windows servers at the company, as well as IP and MAC addresses and computer names of over 10,000 PCs within its network. This includes many SAP servers. An analysis of the leaked data performed by Joris van de Vis, available on the SAP Community Network, revealed that the data includes SAP server hostnames, IP addresses, SAP System IDs (SIDs), and version information for operating systems and databases. It also includes username and password combinations stored in unencrypted files. However, the most damaging revelation is that the leaked data includes the results of security assessments performed for SAP systems at Sony. Such reports could provide attackers with insights into vulnerabilities impacting these systems.

This particular revelation leads to the first recommendation for how to prevent a Sony-scale breach of your SAP systems. It is suspected that the attackers targeted security groups and users at Sony in order to access information that could be used to aid their attack. Therefore, it is imperative to secure such information within your network. The use of desktop-based tools to audit SAP systems and the circulation of the output from such tools in common file formats such as Excel and PDF can pose a serious security risk. You can remove this risk by ensuring that security-related data never leaves your SAP systems. This can be achieved by avoiding the use of third-party tools. A more secure option is to leverage vulnerability management components in Solution Manager such as Configuration Validation. This will ensure that access to security-related data on managed systems is secured using the SAP authorization concept directly within SAP systems.

The second recommendation is to reexamine your current cost-benefit calculations or risk-reward ratios when determining resource requirements and spend levels for security countermeasures. Sony’s experience has illustrated that traditional assumptions no longer apply. The impact of a breach is not just technical or even financial but strategic and can cause far-reaching harm to your organization. Security is no longer a question of ‘just enough’. It’s all or nothing.

Our final suggestion is not to focus exclusively on your network security. The most effective strategies are designed from inside-out rather than outside-in. According to a recent survey published by the Ponemon Institute, most organizations allocate 40% of their security budget to network security. In contrast, database security receives an average of just 19%. These ratios should change to reflect a greater emphasis at the application, host and database level for defense in depth.

In the view of McAfee Labs, we can expect to see more headline-capturing attacks next year. The research group’s 2015 Threat Predictions report forecasts an increase in cyber attacks as state-affiliated, criminal and terrorist actors grow in number and employ ever more sophisticated and stealthier techniques against their targets. You can read the report at McAfee for Business.


New SAP Guidance Recommends Configuration Validation for Security Monitoring

Some of the most critical recommendations issued by SAP in the recently released paper Securing Remote Function Calls include the use of configuration validation in Solution Manager to monitor RFC destination settings. This includes checks for destinations with stored credentials, trusted connections, and authorizations granted to RFC users in target systems. It also includes the review of profile parameters for RFC and secure network communication, as well as access control lists for RFC gateways. The SAP paper lends support for other security functions in Solution Manager such as management dashboards and alerts by pointing out that “an overview of the current security status can be provided in a security dashboard and alerts on noncompliance can be collected in the alert in-box” (p33).

The paper draws together leading practices and SAP recommendations into a single reference document for protecting one of the most vulnerable areas in SAP landscapes that is often targeted by remote attackers. RFC is a proprietary SAP technology that drives cross-system integration. Misconfigurations in RFC destinations and gateways that manage RFC communications can lead to the complete compromise of not just individual SAP systems but entire landscapes. Common mistakes include using destinations with stored logon credentials or trusted connections between systems with differing security classifications, using service or communication user types for RFC destinations rather than system users, granting excessive authorizations to RFC users, failing to limit access to remote-enabled function modules, and non-existent access control lists to control the registration and starting of external RFC servers.

The paper emphasizes the importance of established and well-known countermeasures for securing RFCs based on the authorization concept. This includes not granting full access to objects such as R_RFC_ADM, S_RFC_TT and S_ADMI_FCD, used to administer RFC destinations, and other objects such as S_RFC, S_ICF and S_RFCACL that control access to remote-enabled function modules and logons in trusting systems. The paper also discusses enhancements delivered by SAP in the most recent release of NetWeaver AS ABAP, including unified connectivity (UCON). UCON blocks access to remote-enabled function modules using whitelists configured in so-called communication assemblies. According to SAP, “Typically, less than 5% of all available RFC function modules are used in customer software systems for remote RFC communication” (p14). It also outlines methods for performing short-term and long-term traces to identify authorization checks performed during the execution of RFC-enabled function modules called remotely. This should be used to rein in access privileges for RFC users. Finally, the paper outlines how to control dangerous RFC callbacks and activate switchable authorization checks that are only enabled in specific RFC scenarios.

Contact an SAP Security Architect at Layer Seven Security for professional services to implement these and related SAP recommendations. Our SAP Cybersecurity Solution includes a gap assessment for all of the recommendations on RFC security issued by SAP in the paper.

To request a copy of the SAP paper Securing Remote Function Calls, email info@layersevensecurity.com.

Featured in SAPinsider: How to Build Security using SAP Solution Manager

Data breaches occur all too often and organizations are frequently left blindsided. As a result, cybersecurity has become a board-level issue across all industries. According to a recent survey of global business leaders, cyber risk is regarded as one of the most significant threats faced by corporations today, and is consistently rated higher than legislation, regulation, and other risks.

Even SAP systems are not immune from the anxiety surrounding cybersecurity. The architecture and complexity of SAP landscapes, as well as the form and volume of data typically managed within SAP systems, makes them targets for attackers. This was illustrated by the discovery of a modified Trojan that was targeting SAP clients in 2013. The malware targeted SAP GUI configuration files and was capable of malicious activities such as logging keystrokes; capturing logon credentials; and identifying, copying, and exporting files.

Responding to such threats is a daunting challenge. However, SAP customers do not have to look far for the tools to secure their systems from cyber threats. In fact, SAP offers a variety of tools with standard license agreements that can be leveraged immediately at zero cost.

Read more at SAPinsider

How to Secure SAP Systems from Password Attacks

Exploiting weak password hashes is one of the most common and successful attack scenarios used against SAP systems. The availability of open-source programs such as Hashcat and John the Ripper enables even novice hackers to perform attacks against SAP passwords. In fact, Hashcat is capable of breaking any SAP password encoded using the BCODE hash algorithm in a maximum of 20 hours, regardless of the length and complexity of the password.

SAP systems support a variety of cryptographic algorithms to convert passwords into hash values. These values are stored in table USR02. This is designed to prevent the storage of passwords in clear text. During the logon procedure, passwords entered by users are converted to a hash value and compared to the value stored for the user in table USR02. The logon is successful if there is a match between the two values.

Since hash algorithms are one-way, it is not possible to calculate passwords from hash values. However, it is possible to compare values generated by tools such as Hashcat to the values stored in SAP tables to break passwords, provided both are encoded using the identical algorithm.

Therefore, it is critical to restrict the ability to read and extract password hash values in table USR02. This can be achieved by controlling direct access to database tables through SQL statements using firewall rules. The ability to read tables using generic table browsing tools accessible through transactions SE16, SE17 and SE11 should also be restricted and monitored.

Note that USR02 is not the only table containing password hash values. In some releases, hashes can also be found in tables USH02, USH02_ARC_TMP, VUSER001 and VUSR02_PWD. Such tables should be assigned to the authorization group SPWD (refer to Note 1484692). Access to table USRPWDHISTORY should also be restricted since attackers are often able to guess current passwords based on former passwords if users employ variations of the same password.

There should be similar restrictions on debugging and transport authorizations since these can also be used to access or export SAP tables containing password hashes.

Users with access to multiple systems or systems in different environments should be required to use different passwords for each system and environment. Passwords for productive systems should not be identical to those used to access development or test systems.

SAP password code versions A-E are based on the MD5 hashing algorithm. The hash values generated through this mechanism are stored in the table column BCODE. All MD5 hashes are susceptible to brute force and other password attacks. Code versions F and G use the SHA1 algorithm. SHA1 hashes are stored in the PASSCODE column. They are less vulnerable than MD5 hashes but can be broken if passwords are short and relatively non-complex. The most secure hashing algorithm supported by SAP systems is iterated salted SHA-1 in code version H. This mechanism uses random salts and a higher number of iterations to mitigate password attacks. Iterated salted SHA-1 hash values are stored in PWDSALTEDHASH.

SAP kernels should be upgraded to 7.02 or higher to support PWDSALTEDHASH hash values. For added security, default iterations and salt sizes can be increased using the login/password_hash_algorithm parameter.

Once this is performed, the profile parameter login/password_downwards_compatibility should be set to 0 to ensure only the strongest possible hash values are generated. CUA systems can be excluded from this requirement if they are connected to systems that do not support PWDSALTEDHASH.

The report CLEANUP_PASSWORD_HASH_VALUES should then be run to discover and remove redundant password hashes. There is a clear security risk if this is not performed. Attackers may be able to use passwords encoded in BCODE and PASSCODE hashes if users employ identical or similar passwords encoded in PWDSALTEDHASH.
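As an added example (not code from this page, from SAP or from Layer Seven Security), the following Python triages a constructed USR02 extract for the hash states described above: users still carrying BCODE or PASSCODE hashes alongside a PWDSALTEDHASH (the redundancy that CLEANUP_PASSWORD_HASH_VALUES removes), users with only legacy hashes, users with no hash at all, and whether login/password_downwards_compatibility is set to 0. The `{x-issha, N}` prefix on salted hashes and the `iterations=` key in login/password_hash_algorithm are assumed formats used only for parsing here.

```python
# Added example: hash-state triage for a USR02 extract. Sample rows and
# parameter values are constructed; hash strings are shape-only placeholders.
import re

# CODVN letter -> hash family, as described in the text above.
CODVN_FAMILY = {
    **{v: "MD5 (BCODE)" for v in "ABCDE"},
    **{v: "SHA-1 (PASSCODE)" for v in "FG"},
    "H": "iterated salted SHA-1 (PWDSALTEDHASH)",
}

# Constructed USR02-style rows (not real SAP data).
SAMPLE_USR02 = [
    {"BNAME": "ALICE", "CODVN": "H", "BCODE": "", "PASSCODE": "",
     "PWDSALTEDHASH": "{x-issha, 1024}QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="},
    {"BNAME": "BOB", "CODVN": "H", "BCODE": "0123456789ABCDEF", "PASSCODE": "A" * 40,
     "PWDSALTEDHASH": "{x-issha, 1024}QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQg=="},
    {"BNAME": "CAROL", "CODVN": "B", "BCODE": "FEDCBA9876543210", "PASSCODE": "",
     "PWDSALTEDHASH": ""},
    {"BNAME": "DAVE", "CODVN": "G", "BCODE": "", "PASSCODE": "C" * 40,
     "PWDSALTEDHASH": ""},
    {"BNAME": "SNCUSER", "CODVN": "H", "BCODE": "", "PASSCODE": "",
     "PWDSALTEDHASH": ""},
]

# Constructed profile parameter values. The key=value layout of
# login/password_hash_algorithm is an assumption made for parsing.
SAMPLE_PARAMS = {
    "login/password_downwards_compatibility": "1",
    "login/password_hash_algorithm":
        "encoding=RFC2307, algorithm=iSSHA-1, iterations=15000, saltsize=96",
}


def hash_columns_present(row):
    """Return the hash columns that hold a value for this user record."""
    return [c for c in ("BCODE", "PASSCODE", "PWDSALTEDHASH") if row.get(c, "").strip()]


def classify(row):
    """Map one USR02 row to a hash state relevant to the cleanup described above."""
    cols = set(hash_columns_present(row))
    legacy = cols & {"BCODE", "PASSCODE"}
    if not cols:
        return "NO_HASH"            # SSO-only user, or never assigned a password
    if "PWDSALTEDHASH" in cols and legacy:
        return "REDUNDANT_LEGACY"   # candidate for CLEANUP_PASSWORD_HASH_VALUES
    if legacy:
        return "LEGACY_ONLY"        # only MD5/SHA-1 hash; password reset needed
    return "SALTED_ONLY"


def salted_hash_iterations(value):
    """Iteration count from the assumed '{x-issha, N}' prefix, or None."""
    m = re.match(r"^\{x-issha,\s*(\d+)\}", value or "")
    return int(m.group(1)) if m else None


def configured_iterations(params):
    """Iteration count configured in login/password_hash_algorithm, or None."""
    m = re.search(r"iterations=(\d+)", params.get("login/password_hash_algorithm", ""))
    return int(m.group(1)) if m else None


def audit(rows, params):
    """Summarise per-user hash state and the hash-related profile parameters."""
    users = {r["BNAME"]: classify(r) for r in rows}
    counts = {}
    for state in users.values():
        counts[state] = counts.get(state, 0) + 1
    target = configured_iterations(params)
    # Salted hashes computed with fewer iterations than currently configured
    # only get the stronger setting once the user changes password.
    below_target = [
        r["BNAME"] for r in rows
        if "PWDSALTEDHASH" in hash_columns_present(r)
        and target is not None
        and (salted_hash_iterations(r["PWDSALTEDHASH"]) or 0) < target
    ]
    return {
        "users": users,
        "counts": counts,
        "downwards_compat_ok": params.get("login/password_downwards_compatibility") == "0",
        "below_configured_iterations": below_target,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_USR02, SAMPLE_PARAMS)
    for name, state in result["users"].items():
        print(f"{name:10} {state}")
    print("downwards compatibility disabled:", result["downwards_compat_ok"])
    print("salted hashes below configured iterations:", result["below_configured_iterations"])
```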

Enforcing single sign-on (SSO) for all dialog users provides the optimal level of protection against password attacks by removing the need to store hashes altogether. However, once SSO is enabled, direct logons should be blocked through the parameter snc/accept_insecure_gui=U and by ensuring users are not exempted from SSO through settings in user records maintained in the SNC tab of SU01.

Taken together, these countermeasures should safeguard systems from dangerous password attacks aided by well-known and easily accessible tools that can be leveraged to take full control of SAP systems.

Update: A new version of Hashcat capable of cracking SAP code version H password hashes encoded using SHA-1 is currently in beta testing. You can learn more at http://hashcat.net/forum/thread-3804.html

FBI Director James Comey Speaks out on the Threat of Cybercrime

During a candid discussion with host Scott Pelley of 60 Minutes at FBI headquarters in Washington DC, James Comey speaks out about the threat of cybercrime confronted by American citizens and corporations. Comey declares that cybercrime perpetrated by nation states, criminal syndicates and terrorist organizations has reached epidemic proportions and is directly costing the US economy billions of dollars a year.

Can’t access YouTube? Try Vimeo: https://vimeo.com/108513963

The following is a transcript of the excerpt:

James Comey: Cybercrime is becoming everything in crime. Again, because people have connected their entire lives to the Internet, that’s where those who want to steal money or hurt kids or defraud go. So it’s an epidemic for reasons that make sense.

Scott Pelley: How many attacks are there on American computer systems and on people’s credit card numbers and the whole mass of it? What does a day look like if you’re concerned with crime in cyberspace?

James Comey: It would be too many to count. I mean, I think of it as kind of an evil layer cake. At the top you have nation state actors, who are trying to break into our systems. Terrorists, organized cyber syndicates, very sophisticated, harvesting people’s personal computers, down to hacktivists, down to criminals and pedophiles.

Scott Pelley: What countries are attacking the United States as we sit here in cyberspace?

James Comey: Well, I don’t want to give you a complete list. But I can tell you the top of the list is the Chinese. As we have demonstrated with the charges we brought earlier this year against five members of the People’s Liberation Army. They are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry.

Scott Pelley: What are they trying to get?

James Comey: Information that’s useful to them so they don’t have to invent. They can copy or steal so learn about how a company might approach negotiation with a Chinese company, all manner of things.

Scott Pelley: How many hits from China do we take in a day?

James Comey: Many, many, many. I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.

Scott Pelley: The Chinese are that good?

James Comey: Actually, not that good. I liken them a bit to a drunk burglar. They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.

Scott Pelley: How much does that cost the U.S. economy every year?

James Comey: Impossible to count. Billions.

Scott Pelley: Sounds like cybercrime is a long way from Bonnie and Clyde for the FBI.

James Comey: Bonnie and Clyde could not do a thousand robberies in the same day, in all 50 states, from their pajamas, halfway around the world.

Scott Pelley: The FBI’s had legendary problems upgrading its computer systems. Are you now to a place where you’re satisfied that you’re meeting the cybersecurity threat?

James Comey: We’ve made great progress coordinating better as a government. When I last left government, my sense of us was kind of like four-year-old soccer. So like a clump of four year olds chasing the ball, we were chasing it in a pack. We’re about high school soccer now. We’re spread out. We pass well. But the bad guys are moving at World Cup speed. So we have to get better.

Scott Pelley: Do people understand, in your estimation, the dangers posed by cybercrime and cyber espionage?

James Comey: I don’t think so. I think there’s something about sitting in front of your own computer working on your own banking, your own health care, your own social life that makes it hard to understand the danger. I mean, the Internet is the most dangerous parking lot imaginable. But if you were crossing a mall parking lot late at night, your entire sense of danger would be heightened. You would stand straight. You’d walk quickly. You’d know where you were going. You would look for light. Folks are wandering around that proverbial parking lot of the Internet all day long, without giving it a thought to whose attachments they’re opening, what sites they’re visiting. And that makes it easy for the bad guys.

Scott Pelley: So tell folks at home what they need to know.

James Comey: When someone sends you an email, they are knocking on your door. And when you open the attachment, without looking through the peephole to see who it is, you just opened the door and let a stranger into your life, where everything you care about is.

Scott Pelley: And what might that attachment do?

James Comey: Well, take over the computer, lock the computer, and then demand a ransom payment before it would unlock. Steal images from your system of your children or your, you know, or steal your banking information, take your entire life.

Scott Pelley: We have talked about a lot of menacing things in this interview. Do you think Americans should sleep well?

James Comey: I think they should. I mean, the money they have invested in this government since 9/11 has been well spent. And we are better organized, better systems, better equipment, smarter deployment. We are better in every way that you’d want us to be since 9/11. We’re not perfect. My philosophy as a leader is we are never good enough. But we are in a much better place than we were 13 years ago.

A Five Step Guide to Securing SAP Systems from Cyber Attack Without Breaking the Bank

With SAP solutions deployed by 85 percent of Forbes 500 companies, they are a prized target for cyber attackers. Watch our Webinar playback to discover how to secure your SAP systems against targeted cyber attacks that could lead to denial of service, financial fraud or intellectual property theft. The Webinar is hosted by John Corvin, a Senior SAP Security Architect at Layer Seven Security. The insights delivered during the Webinar are based on lessons learned from hundreds of front-line engagements, aligned with leading practices and SAP recommendations and delivered by experienced SAP security consultants. Learn how to:

Secure SAP networks and communications
Protect remote function calls
Control critical user authorizations
Build log forensics
Configure security-relevant parameters

The Webinar will also enable you to identify opportunities for your organization to continuously monitor the security of SAP systems using standard tools and components available in SAP Solution Manager without licensing costly third party software. This will empower your organization to unlock the potential of SAP software and maximize the ROI of SAP licensing, while minimizing software-related capex and opex.


Can’t access YouTube? Watch on Vimeo: https://vimeo.com/107386560

Three More Reasons for using Solution Manager to Secure SAP Systems from Cyber Attack

Our recent article outlining the advantages of using SAP-delivered components versus third party software resonated strongly with customers seeking an effective and cost-efficient solution to address cyber threats impacting their SAP systems. The article examined the five key benefits of a Solution Manager-based strategy that included lower costs through the avoidance of licensing and maintenance fees for third-party software, the ability to configure custom security checks to address system, company or industry-specific risks, alerting for critical security events, detailed reporting driven by SAP Business Warehouse, and the availability of SAP support. The article presented a compelling argument for selecting SAP Solution Manager over the host of competing solutions offered by independent vendors.

The benefits delivered by Solution Manager stem from the depth and volume of security-related data that is continuously pulled from managed systems into the platform. Solution Manager lies at the core of SAP system landscapes and therefore occupies a central vantage point to oversee the security of connected systems. In contrast, third party software solutions are not embedded within SAP landscapes to the same extent and therefore lack the connectivity and range of Solution Manager.

Aside from the advantages mentioned above, there are three other benefits delivered by Solution Manager for security monitoring. The first is the availability of security dashboards. SAP delivers three security apps through the standard WebDynpro dashboard application in Solution Manager, located in the Cross-Application section for dashboard apps. This includes the Security Overview app, which summarizes security policy compliance by system across landscapes, the Security Details app, which displays compliance levels for software, configuration and user categories, and finally, the Security List app, which conveys security compliance levels for every SAP System ID. Dashboard apps can be automatically refreshed as often as every 5 minutes to provide security information in near real-time.

The second is Solution Manager’s ability to deliver detailed metrics for analyzing changes. Like third party solutions, components such as Configuration Validation in Solution Manager are able to pinpoint differences between actual and recommended security settings. However, Solution Manager goes a step further by enabling users to drill down into the underlying changes that created the risks identified by security scans. This is performed through Change Analysis, which provides timestamps for changes in managed systems and the original values of instance, profile or other parameters before the changes were implemented.

The third is Solution Manager’s flexibility to support security policies aligned to any compliance framework. This includes not only familiar frameworks such as SOX and PCI DSS but requirements that are unique to specific industries or sectors. The transparent security checks performed by Configuration Validation can be customized for all regulatory, statutory and other forms of compliance standards.

Organizations do not have to look far for the solution to remove security vulnerabilities in their SAP systems. Most are delivered with standard license agreements by SAP and can be leveraged immediately at zero cost. Tools such as Configuration Validation provide a powerful and cost-effective alternative to third party solutions. They are also fully supported by SAP. You can learn more about SAP Configuration Validation here or contact Layer Seven Security to unlock the value of your Solution Manager systems.

Cybersecurity Insurance: Is it Worth the Cost?

According to the most recent annual Cost of Cyber Crime Study by the Ponemon Institute, the average cost of detecting and recovering from cyber crime for organizations in the United States is $5.4 million. Median costs have risen by almost 50 percent since the inaugural study in 2010. The finding masks the enormous variation of data breach costs, which can range from several hundred thousand to several hundred million dollars, depending on the severity of the breach. A growing number of insurance companies are offering cyber protection to enable organizations to manage such costs. This includes traditional carriers in centers such as London, New York, Zurich and elsewhere, as well as new entrants targeting the cybersecurity insurance market. Carriers in the latter category should be carefully vetted since some new entrants have been known to offer fraudulent policies in order to exploit the growth in demand for cyber insurance.

Cybersecurity insurance has been commercially available since the late 1970s but was limited to banking and other financial services until 1999-2001. It became more widespread after Y2K and 9/11. Premiums also increased after these events and carriers began to exclude cyber risks from general policies. More recently, the dramatic rise in the threat and incidence of data breaches has propelled cybersecurity into a boardroom issue and led to a growing interest in cyber policies from organizations looking to limit their exposure.

A 2011 study performed by PriceWaterhouseCoopers revealed that approximately 46% of companies possess insurance policies to protect against the theft or misuse of electronic data, consumer records, etc. However, this is contradicted by the findings of a 2012 survey by Chubb Group of Insurance Companies which revealed that 65 percent of public companies forego cyber insurance. The confusion may be due to a general lack of awareness among survey respondents of the exact nature of insurance coverage. Many respondents appear to be under the impression that cyber risks are covered by general insurance policies even though this is no longer the norm.

The cybersecurity insurance industry is highly diverse with carriers employing a plurality of approaches. Some offer standardized insurance products with typically low coverage limits. Others provide customized policies tailored for the specific needs of each client. Furthermore, the industry is evolving rapidly to keep pace with evolving threats and trends in cybersecurity.

Policy premiums are driven primarily by industry factors. E-commerce companies performing online transactions while storing sensitive information such as credit card data are generally considered high risk and are therefore subject to higher premiums. Health institutions hosting data such as social security numbers and medical records are also deemed high risk.

Premiums typically range from $10,000 to $40,000 per $1 million and provide up to $50 million in coverage. However, most standard policies only provide coverage for specific third-party costs to cover losses incurred by a company’s customers or partners. This includes risks related to unauthorized access and the disclosure of private information, as well as so-called conduit injuries that cause harm to third party systems.

Policies that provide coverage for first-party areas such as crisis management, business interruption, intellectual property theft, extortion and e-vandalism carry far higher premiums and are therefore relatively rare. This limits the appeal of cybersecurity insurance and ensures organizations need to self-insure for such risks for the foreseeable future. The situation is unlikely to improve until actuarial data is more widely available and shared between carriers for cybersecurity risks. This may require the establishment of a federal reinsurance agency and legislative standards for cybersecurity.

Carriers are unlikely to offer full cover for all first and third party costs arising from security breaches. This is due to the moral hazard associated with such coverage. Organizations that completely transfer cyber risk have no incentive to invest in preventative and monitoring controls to manage security risks. However, most carriers have exclusions for breaches caused by negligence. Other exclusions include coverage for fines and penalties, often due to regulatory reasons.

Aside from industry considerations, other factors that drive premiums for cybersecurity insurance are risk management cultures and practices in organizations. Carriers often assess cybersecurity policies and procedures before deciding premiums. Organizations that adopt best practices or industry standards for system security are generally offered lower premiums than those that do not. Therefore, insurers work closely with clients during the underwriting process to measure the likelihood and impact of relevant cyber risks. This includes consideration for management controls. Carriers that decide not to assess the cybersecurity practices of prospective clients tend to compensate by including requirements for minimal acceptable standards within policies. These clauses ensure that carriers do not reimburse organizations that failed to follow generally-accepted standards for cybersecurity before a security breach. Cybersecurity standards for SAP systems are embodied in benchmarks that are aligned to security recommendations issued by SAP. This includes the SAP Cybersecurity Framework outlined in the white paper, Protecting SAP Systems from Cyber Attack.

Cybersecurity insurance is most valuable for organizations with mature cyber risk cultures including effective standards and procedures for preventing, detecting and responding to cyber attacks. It enables such organizations to transfer the risk of specific costs arising from security breaches that are more cost-effectively covered by third-party coverage rather than self-insurance. Cybersecurity insurance is not a viable option for companies with weak risk management practices. Even if carriers were willing to insure such high-risk organizations, the premiums are likely to outweigh the cost of self-insurance. Furthermore, the likelihood that organizations would be able to collect upon such policies is low.

Five Reasons You Do Not Require Third Party Security Solutions for SAP Systems

You’ve read the data sheet. You’ve listened to the sales spin. You’ve even seen the demo. But before you fire off the PO, ask yourself one question: Is there an alternative?

In recent years, there have emerged a wide number of third party security tools for SAP systems. Such tools perform vulnerability checks for SAP systems and enable customers to detect and remove security weaknesses primarily within the NetWeaver application server layer. Most, if not all, are capable of reviewing areas such as default ICF services, security-relevant profile parameters, password policies, RFC trust relationships and destinations with stored logon credentials.

The need to secure and continuously monitor such areas for changes that expose SAP systems to cyber threats is clear and well-documented. However, the real question is: do organizations really need such solutions? In 2012, the answer was a resounding yes. In 2013, the argument for such solutions began to waver and was, at best, an unsure yes with many caveats. By 2014, the case for licensing third party tools has virtually disappeared. There are convincing reasons to believe that such tools no longer offer the most effective and cost-efficient solution to the security needs of SAP customers.

The trigger for this change has been the rapid evolution of standard SAP components capable of detecting misconfigurations that lead to potential security risks. The most prominent of these components is Configuration Validation, packaged in SAP Solution Manager 7.0 and above and delivered to SAP customers under standard license agreements. Configuration Validation continuously monitors critical security settings within SAP systems and automatically generates alerts for changes that may expose systems to cyber attack. Since third party scanners are typically priced based on the number of target IPs, Configuration Validation can directly save customers hundreds of thousands of dollars per year in large landscapes. The standard Solution Manager setup process will meet most of the prerequisites for using the component. For customers that choose to engage professional services to enable and configure security monitoring using Solution Manager, the cost of such one-off services is far less than the annual licenses and maintenance fees for third party tools.

The second reason for the decline in the appeal of non-SAP delivered security solutions is a lack of support for custom security checks. Most checks are hard-coded, meaning customers are unable to modify validation rules to match their specific security policies. In reality, it is impossible to apply a vanilla security standard to all SAP systems. Configuration standards can differ by the environment, the applications supported by the target systems, whether the systems are internal or external facing and a variety of other factors. Therefore, it is critical to leverage a security tool capable of supporting multiple security policies. This requirement is currently only fully met by Configuration Validation.
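The policy-driven checks described in the two paragraphs above, as an added illustration (not SAP's Configuration Validation or Layer Seven's code): a small validator that evaluates a snapshot of profile parameters against an internal policy and a stricter external-facing policy, and reports only the findings newly introduced by a change, which is the continuous-monitoring case. The parameter names are real SAP login parameters; the values, thresholds and both policies are constructed.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    """One validation rule: parameter name, predicate on its value, readable expectation."""
    param: str
    check: Callable[[str], bool]
    expect: str

# Constructed policies: a baseline for internal systems and a stricter one for
# external-facing systems. Real policies would be derived from the organisation's standard.
INTERNAL = [
    Rule("login/min_password_lng", lambda v: int(v) >= 8, ">= 8"),
    Rule("login/fails_to_user_lock", lambda v: 1 <= int(v) <= 5, "between 1 and 5"),
    Rule("login/no_automatic_user_sapstar", lambda v: v == "1", "= 1"),
]
EXTERNAL = [
    Rule("login/min_password_lng", lambda v: int(v) >= 12, ">= 12"),
    Rule("login/fails_to_user_lock", lambda v: 1 <= int(v) <= 3, "between 1 and 3"),
    Rule("login/no_automatic_user_sapstar", lambda v: v == "1", "= 1"),
    Rule("login/password_expiration_time", lambda v: 0 < int(v) <= 90, "between 1 and 90"),
]
POLICIES = {"internal": INTERNAL, "external": EXTERNAL}

def validate(params: dict, policy: str) -> list:
    """Return one finding per violated rule; an unset or malformed value is also a finding."""
    findings = []
    for rule in POLICIES[policy]:
        value = params.get(rule.param)
        if value is None:
            findings.append(f"{rule.param}: not set (expected {rule.expect})")
            continue
        try:
            ok = rule.check(value)
        except ValueError:      # non-numeric value where a number is expected
            ok = False
        if not ok:
            findings.append(f"{rule.param}={value} (expected {rule.expect})")
    return findings

def drift(before: dict, after: dict, policy: str) -> list:
    """Alert only on findings that a change introduced, not on pre-existing ones."""
    return sorted(set(validate(after, policy)) - set(validate(before, policy)))

# Constructed snapshot of profile parameters from a hypothetical system.
SNAPSHOT = {
    "login/min_password_lng": "8",
    "login/fails_to_user_lock": "5",
    "login/no_automatic_user_sapstar": "1",
    "login/password_expiration_time": "0",
}
```

The same snapshot passes the internal policy and produces three findings under the external one, which is the point of supporting more than one policy per landscape.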

The third reason is security alerting. While some third party solutions support automated scheduled checks, none can match the native capabilities of Solution Manager, which supports near-instant alerting through channels such as email and SMS.

The fourth and fifth reasons are shortcomings in reporting and product support when compared to the powerful analytical capabilities available through SAP Business Warehouse integrated within Solution Manager and the reach of SAP Active Global Support.

More information is available in the Solutions section including a short introductory video and a detailed Solution Brief that summarizes the benefits of Configuration Validation and professional services delivered by Layer Seven to enable the solution in your landscape. To schedule a demo, contact us at info@layersevensecurity.com.

M-Trends, Verizon DBIR & Symantec ISTR: Detecting and responding to cyber attacks has never been more important

The release of three of the most important annual threat intelligence reports earlier this month confirmed that 2013 was an explosive year for cybersecurity. All three reports point to rising incidences of cyber attack, increasing sophistication of attack vectors and a growing diversity of threat actors and targets.

The first of the reports is entitled M-Trends, compiled by the security forensics company Mandiant, now owned by FireEye. M-Trends is based on the analysis of incident response data from organisations across 30 industries. While the analysis detected a slight improvement in the average number of days taken by organisations to detect a network breach, there was no discernible improvement in the ability of organisations to detect breaches without outside assistance. Only 33 percent of breaches are discovered by internal resources.

The analysis also revealed that cybercriminals are deploying a wider variety of attack methodologies against targets. Traditional approaches involve the detection and exploitation of vulnerabilities in Web applications which enable attackers to move laterally through connected systems after a successful compromise. According to M-Trends, attackers are shifting focus from Web applications to exploiting workstations and other systems infected with botnets and Trojans. These tools are designed to create backdoors for the installation and propagation of more powerful forms of malware designed to seek out and extract sensitive data.

The report notes that sensitive data goes beyond proprietary intellectual property. State-sponsored attackers target a wide variety of information sources to understand how businesses work including emails, procedural and workflow documents, plans, budgets, organisational charts, and meeting agendas and minutes.

M-Trends concludes that the list of potential targets has increased, and the playing field has grown. Threat actors are not only interested in seizing the corporate crown jewels, but are also looking for ways to publicize their views, cause physical destruction, and influence decision makers.

The second report is also the most long-standing and well-known. The Verizon Data Breach Investigations Report (DBIR) is now in its eighth year and includes contributions from organisations such as the U.S. Secret Service, US-CERT, Europol and the Council on Cyber Security. The 2014 DBIR analyzed over 1300 confirmed data breaches and 63,000 security incidents in 95 countries.

The highest number of security incidents analyzed by the DBIR affected organizations in the financial, retail and public sectors. This is unsurprising since such organizations tend to store or process financial and other sensitive information. However, the DBIR did not observe any industry that was not impacted by security incidents that led to confirmed data losses. This underscores the DBIR finding that “everyone is vulnerable to some type of event. Even if you think your organization is at low risk for external attacks, there remains the possibility of insider misuse and errors that harm systems and expose data.” To illustrate, 30 percent of security incidents impacting manufacturing companies can be classified as acts of cyber espionage. In comparison, less than 1 percent of incidents in public sector organisations are caused by cyber espionage. However, public sector organisations experience three times as many incidents of insider abuse as manufacturing companies.

The third and final threat intelligence report released in April was Symantec’s Internet Security Threat Report, which revealed a 62 percent year-on-year increase in data breaches, with 8 breaches exposing more than 10 million identities each. According to the report, the industries most at risk of a targeted attack are mining, government and manufacturing. The likelihood that organisations in such industries will experience an attack is 1 in 2.7, 1 in 3.1 and 1 in 3.2 respectively.

The report also revealed that there were more zero-day vulnerabilities in 2013 than in any other year on record. The number of zero-day vulnerabilities discovered last year was 61 percent higher than the year before and more than the previous two years combined.

The report recommends multiple and mutually-supportive defense-in-depth strategies to guard against single-point failures. It also recommends continuous monitoring and automatic alerting for intrusion attempts, as well as aggressive updating and patching. These recommendations are echoed by both M-Trends and the DBIR. According to the former, organisations require “visibility into their networks, endpoints and logs.” Organisations also need actionable threat intelligence that identifies malicious activity faster.

Layer Seven Security enables SAP customers to meet this challenge by hardening every component of the SAP technology stack for defense in depth, including underlying networks, databases and operating systems. We also configure comprehensive network, system, table and user logs to enable organisations to track, identify and respond to cyber attacks. Finally, we unlock standard, powerful security monitoring mechanisms in SAP Solution Manager to automatically detect and alert on potential malicious activity.