Layer Seven Security

Layered Defenses in Oracle 12c: The New Benchmark for Database Security

Oracle databases support more than two thirds of SAP deployments in mid to large size enterprises. Oracle’s domination of the SAP database market is due to a widely regarded performance edge in areas such as compression, availability and scalability. Oracle databases are also optimized for SAP technology as a result of a long-standing partnership between Oracle and SAP that includes joint software development. Oracle development teams work closely with SAP developers in Walldorf, Germany to performance test Oracle releases against SAP systems and incorporate new Oracle features in SAP releases. Dedicated Oracle technical support teams are also based at SAP HQ in Walldorf to respond to escalated database issues reported by SAP customers.

Database security has improved markedly since the first R/3 release on Oracle in 1992. Oracle pioneered Transparent Data Encryption (TDE) and granular access controls through the Database Vault for Release 2 of Database 10g. The latest generation of the flagship Oracle database incorporates more security enhancements than any previous release. Launched by Oracle on July 1, Database 12c introduces redaction capabilities designed to protect the display of sensitive data. Redaction masks sensitive data in real time based on user, group, application, IP address or other variables configured in declarative policies. Since redaction is context-dependent rather than universal, organisations are able to conceal sensitive data displayed in applications from specific groups while revealing it to others. Redaction complements the protection that TDE provides at the storage level by extending data protection to the application level. Redaction can partially or fully transform displayed information without altering data in buffers, caches or storage. It is enforced directly in the database kernel.

Oracle 12c also introduces an important enhancement to the Database Vault through Privilege Analysis. This feature can be used to identify unused permissions based on an analysis of the actual usage of roles and privileges. Enabling the new privilege capture mode through the Vault triggers an advanced logging feature that tracks the use of privileges granted to users and applications. This allows organisations to identify and remove unused permissions and roles and enforce access based on the principle of least privilege.

The third major innovation introduced in 12c is Conditional Auditing. The ability to configure precise, context-dependent logging should reduce the performance overhead associated with database auditing and enable more effective analysis of audit logs. Conditional Auditing supports highly selective policies that limit log entries to specific events, for example CREATE or ALTER statements issued from outside the application servers identified by IP address. Other variables include programs, time periods and connection types. Conditional Auditing also introduces the AUDIT_ADMIN and AUDIT_VIEWER roles to better protect the integrity of policies and logs, which are now part of a single unified architecture. Database auditing in 12c can be integrated with the Oracle Audit Vault and Database Firewall, used to control and monitor SQL network activity. Unlike standard packet-filter firewalls that operate at layers 3 and 4 of the OSI model, the Oracle Database Firewall performs highly accurate analysis of SQL traffic at layer 7 and can block SQL injection attacks.
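The three 12c controls described above (redaction, privilege analysis and conditional auditing), as an added example in Oracle SQL and PL/SQL; this is not code from the original post or from Oracle. The schema SAPSR3, the table EMPLOYEE_PAY with a ten-character BANK_ACCOUNT column, the users PAYROLL_ADMIN and SEC_REVIEWER, the capture name and the application-server addresses are assumptions for illustration.

```sql
-- Added example (not from the original post). SAPSR3, EMPLOYEE_PAY,
-- PAYROLL_ADMIN, SEC_REVIEWER, SAP_APP_PRIVS and the IP addresses are assumed.

-- 1. Data Redaction: mask the first six characters of BANK_ACCOUNT for every
--    session except the payroll administrator. Stored data is untouched; the
--    mask is applied by the kernel when the column is returned to the client.
--    The partial format assumes BANK_ACCOUNT values are exactly ten characters.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'SAPSR3',
    object_name         => 'EMPLOYEE_PAY',
    column_name         => 'BANK_ACCOUNT',
    policy_name         => 'REDACT_BANK_ACCOUNT',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last position
    function_parameters => 'VVVVVVVVVV,VVVVVVVVVV,*,1,6',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''PAYROLL_ADMIN''');
END;
/

-- 2. Privilege Analysis: record which privileges the SAP schema owner actually
--    exercises, then report the granted-but-unused ones as candidates for revocation.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name      => 'SAP_APP_PRIVS',
    type      => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''SAPSR3''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('SAP_APP_PRIVS');
END;
/
-- ... run a representative workload (ideally a full business cycle) here ...
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('SAP_APP_PRIVS');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('SAP_APP_PRIVS');
END;
/
-- System privileges held by SAPSR3 that were never used during the capture.
SELECT username, sys_priv, path
  FROM dba_unused_privs
 WHERE capture = 'SAP_APP_PRIVS'
   AND sys_priv IS NOT NULL;

-- 3. Conditional Auditing (unified audit policy): log CREATE/ALTER/DROP of
--    tables and procedures only when the session does not originate from one
--    of the known application servers. EVALUATE PER SESSION checks the
--    condition once per connection, so SAP work processes pay no per-statement cost.
CREATE AUDIT POLICY ddl_from_unknown_host
  ACTIONS CREATE TABLE, ALTER TABLE, DROP TABLE,
          CREATE PROCEDURE, ALTER PROCEDURE, DROP PROCEDURE
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') NOT IN (''10.10.1.21'',''10.10.1.22'')'
  EVALUATE PER SESSION;
AUDIT POLICY ddl_from_unknown_host;

-- Separate log review from log administration with the new 12c role.
GRANT AUDIT_VIEWER TO sec_reviewer;

-- What the reviewer checks: DDL that reached the database from outside the
-- application tier, with the policy name recorded against each record.
SELECT event_timestamp, dbusername, client_program_name, action_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%DDL_FROM_UNKNOWN_HOST%'
 ORDER BY event_timestamp;
```

In 12c Release 1 the database runs unified auditing in mixed mode by default, so the policy is effective without relinking; pure unified auditing requires relinking the binary with the uniaud_on option.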

Database 12c introduces Data Discovery and Modelling (DDM) and Sensitive Data Discovery (SDD) functions to scan for sensitive data. Once discovered, organisations are provided with built-in tools to protect information through a combination of encryption, redaction, masking and/or auditing.

12c also includes an improved authorization framework that incorporates the use of ACLs to control operations such as SELECT, INSERT, UPDATE and DELETE for database objects based on users or roles.

Taken together with pre-existing database security features such as TDE, privileged user management using schemas and roles based on protective zones known as realms, whitelisting for SQL statements using the Oracle Firewall, data labeling, online patching and configuration scanning, Oracle 12c provides a comprehensive suite of functions to counteract a wide array of internal and external threats while balancing requirements for performance and high availability. 12c sets a new standard for database security and should strengthen Oracle’s position as the preferred database for SAP customers.

Organisations are not effectively addressing IT security and compliance risks according to accounting professionals

The results of the 2013 Top Technology Initiatives Survey revealed that securing IT environments against cyber attack and managing IT risks and compliance are rated as two of the three greatest challenges in technology by accounting professionals in North America. The survey was performed jointly by the AICPA and CPA, the largest accounting organisations in the United States and Canada. The survey sampled approximately 2000 members from the public accounting, business and industry, consulting, government and not-for-profit sectors. Members of both the AICPA and CPA placed securing the IT environment as the second highest priority for organisations in the area of information technology. Managing IT risks and compliance was ranked third by AICPA members and fourth by CPA members.

U.S. respondents expressed average confidence levels of just 51 percent in organisational initiatives designed to manage IT security and 47 percent in initiatives aimed at managing IT risks and compliance. Confidence levels have fallen drastically in 2013 due to the wave of recent well-publicized data breaches. In 2012, U.S. confidence levels for securing IT environments and managing IT risk and compliance were 62 and 65 percent respectively. However, according to the Chair of the AICPA’s Information Management and Technology Assurance (IMTA) Division, the decline in confidence levels may mean professionals are making more knowledgeable assessments of the ability of organizations to achieve technology goals. This more realistic assessment indicates that the goals may be more challenging than originally thought, and that organizations must have the focus, commitment and drive to achieve them.

Layer Seven Security assist organisations worldwide to identify and remove vulnerabilities that expose SAP systems to cyber attack and impair their ability to comply with the requirements of IT control frameworks. To learn how we can assist your organisation in managing SAP risks and staying compliant, contact Layer Seven Security.

Introducing the ABAP Test Cockpit: A New Level of ABAP Quality Assurance

The ABAP Test Cockpit (ATC) is SAP’s new framework for Quality Assurance. It performs static and unit tests for custom ABAP programs and introduces Quality-Gates (Q-Gates) for transport requests.

ATC was unveiled at last year’s SAP TechEd. The entire session including a live demo can be viewed below. Following a successful pilot, it was released for NetWeaver 7.0 SP12 and NetWeaver AS ABAP 7.03 SP05 in September and October 2012, respectively. General guidelines for configuring and running ATC are available at the SAP Community Network for both developers and quality managers.

ATC integrates directly with the ABAP Workbench and is accessible through SE80, SE24, SE38, SE11 and other Workbench tools. The existing iteration of the tool focuses almost exclusively on performance checks for exceptions such as runtime errors. However, SAP has revealed plans to deliver a new Security Scan Solution (SLIN_SEC) as an add-on for the Extended Program Check (SLIN) in ATC. This will enable security vulnerability checks for custom code. The introduction of the Security Scan Solution should improve the general security of ABAP programs and lower the risk of code-level vulnerabilities in ABAP systems including insufficient authority checks and code injections arising from uncontrolled input. You can learn more about the solution at session SIS261 scheduled on October 24 during this year’s SAP TechEd.

The alternative to the SAP Security Scan Solution is Virtual Forge CodeProfiler. CodeProfiler also integrates with ATC and performs a patented static code analysis for any type of ABAP program. CodeProfiler provides comprehensive performance and quality testing and is SAP-certified for integration with SAP NetWeaver.

A Dangerous Flaw in the SAP User Information System (SUIM)

Customers that have yet to implement Security Note 1844202 released by SAP on June 10 should do so immediately. The Note deals with a vulnerability that could be exploited to bypass monitoring controls designed to detect users with privileged access, including the SAP_ALL profile. This profile can be used to provide users with almost all authorizations in SAP systems. The vulnerability arises from a flaw in the coding of the RSUSR002 report accessible through the SAP User Information System (SUIM) or transaction SA38. RSUSR002 is a standard built-in tool used by security administrators and auditors to analyse user authorizations. A side-effect of Note 694250 was the insertion of the following line into the algorithm for RSUSR002:

DELETE userlist WHERE bname = ''.

As a result of the insertion, users whose name is the empty string ('') are excluded from the search results generated by RSUSR002. This could lead to a scenario in which such a user is assigned SAP_ALL or equivalent authorizations without detection through regular monitoring protocols. However, the user would remain visible in UST04 and other user tables. Implementing Note 1844202 closes the vulnerability in RSUSR002. Customers can also prevent the assignment of an empty username through customizing lists. For detailed instructions, refer to Note 1731549.

Lloyds 2013 Risk Index: Cyber Risk Rated as the Third Most Significant Risk by Board Executives

The recent wave of sophisticated and targeted data breaches has led global business leaders to recognize cyber risk as one of the most significant threats faced by corporations today. According to the Lloyds 2013 Risk Index released this week, “Cyber security now sits squarely towards the top of the agenda for boards around the world”.

The Index is based on a global survey of almost 600 C-suite and board level executives performed by Ipsos MORI, a leading market research company. Respondents represented both small companies with revenues below $499M and larger organizations with revenues above $500M. They were drawn from a variety of geographic zones including Asia-Pacific, Europe and North America.

Respondents were asked to rate risk categories and specific risks within each category according to corporate risk priorities and degree of business preparedness to manage risks. Cyber risk is rated higher by respondents than the risks of inflation, legislative and regulatory changes, changes to the cost and availability of credit, climate change and failed investments. The only two risks rated higher on the index than cyber security are taxation and the loss of customers.

As expected, smaller companies reveal a low level of risk preparedness. However, large organizations appear to over-estimate their ability to deal with cyber risks that include code injection, denial of service and Web-based attacks. Although insurers offer a suite of products to cover the costs related to data breaches, including forensic analysis and public relations services, the report concludes that preventative measures provide the greatest degree of protection against cyber risks. It references the 2012 study by the Ponemon Institute that places the average cost of a data breach at US$8.9M based on an analysis of 56 reported breaches. According to the study, data breach costs range between US$1.4M and US$46M.

Exploring the SAP DIAG Protocol

One of the most memorable events at last year’s BruCON in Belgium was Martin Gallo’s exposé of the SAP DIAG protocol. The session can be viewed in its entirety below. DIAG (Dynamic Information and Action Gateway) is a proprietary protocol supporting client-server communication that links the presentation (SAP GUI) and application (NetWeaver) layers in SAP systems. During the conference, Gallo presented the findings of his ground-breaking research that led directly to the identification of several denial-of-service and code injection vulnerabilities arising from security flaws in the DIAG protocol, patched by SAP in 2012.

Most researchers have focused on identifying weaknesses in the compression algorithm that scrambles payloads and other data transmitted through DIAG. The most notable research in this area was performed by Secaron in 2009. Secaron demonstrated that it is possible to intercept and decompress DIAG client-server requests, including usernames and passwords. Subsequent research performed by SensePost revealed that the LZC and LZH compression methods used by SAP for DIAG are variants of the Lempel-Ziv algorithm. Furthermore, since both methods are also used in the open-source SAP MaxDB, the compression and decompression code base is publicly available. SensePost created a custom protocol analysis tool in Java, built on MaxDB code, capable of compressing and decompressing DIAG messages. The tool could be used to intercept, read and modify client-server traffic in SAP.

Gallo’s research provides an unprecedented insight into the inner workings of the DIAG protocol. The vulnerabilities revealed by the research can be exploited through both client- and server-side attacks. Deep inspection of DIAG packets can be performed through the SAP Dissection plug-in developed by Gallo for Wireshark, a popular network protocol analyzer. The research underscores the importance of strong countermeasures in SAP systems. These include restricting access to the Dispatcher service responsible for managing user requests, SNC encryption for client-server communication, disabling the SAP GUI shortcuts used by attackers to execute commands in target systems, effective patch management, and periodic vulnerability assessment and penetration testing.

Securing Your SAP Systems: How to Counter Every Current and Emerging Threat

One of the highlights of the Sapphire conference earlier this month was the insightful session on SAP security delivered by Gordon Muehl, Senior Vice President of Product Security at SAP. A recording of the session can be viewed below. The session highlighted the threat presented to Internet-enabled SAP systems by external agents and stressed the importance of protecting systems against Web-based attacks such as verb tampering. According to SAP, such measures should include secure software development procedures and training for developers, as well as independent code reviews performed by specialized security resources to validate programs before release. SAP also recommends a proactive patch management strategy that includes regular monitoring of SAP Security Notes and the rapid application of high priority patches.

Layer Seven Security leverage leading SAP-certified solutions to secure SAP systems against external threats, identify code-level vulnerabilities and detect critical missing Security Notes. To learn more, contact a representative now.

Verizon Data Breach Investigations Report (DBIR) 2013: ‘This isn’t a threat you can afford to ignore’

The breadth and depth of the 2013 Verizon Data Breach Investigations Report (DBIR) is unprecedented. Released this Monday, the report brings together the investigations performed by nineteen law enforcement agencies, research institutions and private security firms that combat data breaches, including the European Cybercrime Centre (EC3), the U.S. Secret Service and the Department of Homeland Security. The global study represents the most comprehensive assessment of the drivers of information leakage. The findings and recommendations in the study are based on the analysis of 47,000 security incidents and over 600 confirmed breaches. They provide an unparalleled insight into attackers and their methods, enabling organizations to establish more effective countermeasures against such threats.

Threat Actors

The study categorizes threat actors into three key groups: Organized Crime, State-Affiliated and Activists. These groups tend to originate from distinct regions, target different types of assets and data, and employ distinctive attack methods. Organized crime actors, for example, generally stem from Eastern Europe and North America and target financial information in companies within the finance, retail and food industries using methods such as hacking and malware.

Verizon DBIR 2013 Threat Actor Profiles

Activists comprise the largest group and are generally opportunistic. Organized criminals are more targeted but not as targeted and relentless as state-sponsored spies that use the most sophisticated methods to steal intellectual property, financial data or insider information from organisations. The graph below demonstrates that state-sponsored actors target a variety of sectors including education, finance and utilities. Nearly three-quarters of espionage attacks were targeted not at the public sector but at companies within manufacturing, professional services and transportation industries.

Verizon DBIR 2013 Victim Industries

Threat Actions

All threat actors employ hacking and malware methods to varying extents. This includes brute force attacks, spyware, backdoors, SQL injection, and the use of stolen credentials. Hacking involves attempts to access information systems usually through bypassing logical security measures, whereas malware is the use of malicious software, scripts or code, designed to alter the performance of systems. Both methods are increasingly scalable, automated and anonymous due to the greater accessibility of systems through the Internet and interconnectedness between systems and organizations.

Recommendations

According to the DBIR, “All kinds of organizations, from government agencies to iconic consumer brands, internet startups to trusted financial institutions have reported major data breaches in the last year. Nobody’s immune, no target is too small, or too large. The methods used by hackers to gain access to data are numerous, wide-reaching and ever-growing. This isn’t a threat you can afford to ignore”. Although attacks may be inevitable, there are clear, concrete measures that organisations should undertake to prevent such attacks from leading to data breaches. Breaches not only have the potential to cause financial and reputational harm, they increasingly require public disclosure: the European Union is expected to introduce mandatory reporting requirements this year. Forty-six U.S. states have already done so. Furthermore, SEC reporting requirements mandate public companies to disclose the nature and extent of cybersecurity incidents to shareholders through corporate filings.

Organisations should implement common security measures to minimize the risk of a data breach, as well as detect and contain successful attacks. The specific recommendations made by the study include the implementation of the 20 Critical Security Controls (CSC) advocated by the Consortium for Cybersecurity Action (CCA). The controls are listed in the table below.

Verizon DBIR 2013 CCA CSC

The following table maps the CSC to the most common threat actions identified by the DBIR and demonstrates that effective data breach prevention strategies require a combination of measures in the areas of people, process and technology.

Verizon DBIR 2013 CCA and Threat Actions

The majority of the 20 Critical Security Controls are directly applicable to SAP systems. The improper configuration of SAP applications, platforms, programs and clients can expose such systems to many of the threats identified by the DBIR and to the risk of a data breach. The consequences can be disastrous when poorly configured systems are combined with inadequate boundary and malware defenses, insecure network and landscape architectures, ineffective access controls, and the absence of regular vulnerability assessment and penetration testing. Layer Seven Security has developed a comprehensive white paper to guide SAP customers on the measures required to secure SAP systems against data breaches. The paper advocates a strategy based on the concept of defense in depth. You can download the paper here.

Countering the Threat of Corporate Espionage

According to the results of a survey released by HBGary during the recent 2013 RSA Conference in San Francisco, more than 70 percent of American investors are interested in reviewing the cybersecurity practices of public companies and nearly 80 percent would not invest in companies with a history of cyberattacks. The survey of 405 U.S. investors also found that more than 66 percent of investors are likely to research whether a company has been fined or sanctioned for data breaches before making an investment decision. The survey underscores the fact that today’s investors are acutely aware of the impact of a successful breach on brand reputation and financial performance. This includes the breach of both customer data and intellectual property (IP).

Although the former tends to attract more public attention, the latter has a more pervasive effect on corporate competitiveness and performance. A 2012 FBI report entitled Economic Espionage: A Foreign Intelligence Threat to American Jobs and Homeland Security revealed that the cost of IP theft to U.S. companies resulting from commercial espionage was over $13 billion in the last fiscal year. IP-intensive industries account for almost 35 percent of U.S. gross domestic product (GDP) and over 60 percent of merchandise exports. Furthermore, they support 40 million jobs in the United States.

Legal protections such as copyrights, patents and trademarks do not effectively protect intellectual property that is susceptible to theft and transfer to regions in which such protections are weakly enforced. The importance of IP to the national economy and the difficulty of enforcing rights outside the U.S. has led the Department of Homeland Security to brand IP theft as one of the most dangerous threats to national security. In the words of the Assistant Director of the FBI’s Counterintelligence Division, “with each year, foreign intelligence services and their collectors become more creative and more sophisticated in their methods to undermine American business and erode the one thing that most provides American business its leading edge; our ability to innovate.” In a statement to a subcommittee of the House of Representatives last year, the Assistant Director cited the efforts of a foreign corporation to extract information related to the production of titanium dioxide from the DuPont Corporation in 2011. DuPont is an industry leader in the market for titanium dioxide, estimated to be worth $12 billion.

Although IP theft is far from new, it is amplified by globalization, the increasing interconnectedness of business partners and the accessibility of electronically-stored intellectual property.

In response, the U.S. Government Accountability Office (GAO) recommends a variety of technical controls designed to manage access to information, ensure system integrity and encrypt sensitive data. These include measures to safeguard network boundaries, enforce authentication and authorization, protect against malware, secure communication paths, and analyze, detect and patch vulnerabilities.

The protection of intellectual property within SAP environments requires a combination of countermeasures covering the triad of people, process and technology. The importance of the first and second of these areas should not be understated. Data breaches often result not from the absence of effective technical controls but employee actions or inactions caused by a lack of awareness and training. Therefore, data protection policies and procedures, including incident response plans, are an important component of strategies to safeguard intellectual property. Process-level measures should include risk assessments to isolate and classify IP, and to identify relevant threats.

Technical countermeasures should include secure landscape architectures. Firewalls and proxy servers should be used to filter access to SAP systems with properly configured ingress and egress rules. Furthermore, network traffic should be monitored and controlled through in-line intrusion prevention systems and Security Information and Event Management (SIEM) systems capable of detecting and responding to certain types of attacks. Data Leak Prevention (DLP) technologies can also be deployed to block the exfiltration of confidential data. Unfortunately, network-level controls are often side-stepped by targeted and sophisticated attacks. DLP, for example, can be bypassed by encoding or encrypting data and transmitting it out of corporate networks over protocols such as VoIP rather than SMTP and FTP, which are the channels DLP systems commonly monitor.

Therefore, technical countermeasures must be applied within multiple, interdependent areas to safeguard SAP assets. This includes application, platform, program and end-user areas. Layer Seven Security’s new white paper, Defense in Depth: An Integrated Strategy for SAP Security, outlines a layered approach to protecting data in SAP systems. The paper discusses methods to secure SAP applications, programs, servers, databases, and other components against attacks that attempt to exploit common weaknesses in such environments and extract proprietary, sensitive and valuable forms of intellectual property from organizations.

International Corporate Espionage: Annual Cost of Intellectual Property Theft Estimated at $250 Billion for U.S. Economy

According to NSA Director General Keith Alexander, cyber-espionage has led to “the greatest transfer of wealth in history.” This is supported by not only a recent report by Symantec, which places the cost of intellectual property theft in the United States at $250 billion a year, but a prominent report on cyber-espionage released by Mandiant Corporation in February this year.

The report is based on security breaches investigated by Mandiant at nearly 150 organizations between 2006 and 2013. It focuses upon the cyber-espionage activities of one of the more than twenty prolific Advanced Persistent Threat (APT) groups in the world. The group, labeled APT1, is believed to be state-sponsored and operating from the Pudong area of Shanghai. It is considered to be a branch of Unit 61398 of the People’s Liberation Army of China. The official mandate of the unit is vaguely defined as ‘computer network operations’, but there is considerable evidence to suggest that the actual mission is the collection of political, economic, and military intelligence. APT1 is estimated to control a large physical infrastructure comprising thousands of Command and Control servers. Given the size of the infrastructure, the group is believed to be staffed with several hundred personnel who are required to be proficient in network and information security and the English language.

According to the report, APT1 compromised at least 141 companies in 20 major industries since 2006. Almost nine out of ten victims were headquartered in countries where English is the native language. The industries targeted by the group “match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan” (Mandiant, 2013). Graph 1.1 below demonstrates that the targets span a wide range of industries including Information Technology, Aerospace, Public Administration and Energy, but also, less expectedly, Manufacturing, Media, Advertising & Entertainment, Financial Services and Healthcare. Graph 1.2 displays the geographical distribution of companies compromised by APT1.

1.1 Industries Compromised by APT1 Attacks (Source: Mandiant Corp, 2013)

1.2 Geographic Location of APT1 Victims (Source: Mandiant Corp, 2013)

The compromises led directly to the theft of several forms of intellectual property including technology blueprints, manufacturing processes, business plans, policy and procedure documents, partnership agreements, pricing information, parts lists, test results, meeting agendas and minutes, emails and contact lists. They also led to the theft of information related to network architectures and resources and user credentials for business systems. One of the most notable breaches involved the loss of 6.5 terabytes of data over a ten month period from a single organisation.

APT1 employ a signature attack methodology that begins with a spear phishing campaign to penetrate an organization’s network. Emails are targeted at specific employees or groups of employees and appear to come from names that are familiar to recipients. Furthermore, the subject lines and contents of emails usually contain information that is directly relevant to the target. They are delivered with malicious attachments or hyperlinks to malicious files. File names are personalized and carefully constructed to appear harmless. Examples include Employee-Benefit-and-Overhead-Adjustment-Keys.zip, Updated_Office_Contact_v1.zip and Oil-Field-Services-Analysis-And-Outlook.zip.

The opening of a malicious file releases an executable that installs a backdoor in the recipient’s system. This enables APT1 to send commands to the compromised system remotely. “APT intruders employ this tactic because while network firewalls are generally adept at keeping malware outside the network from initiating communication with systems inside the network, they are less reliable at keeping malware that is already inside the network from communicating to systems outside” (page 30).

Initial backdoors are beachheads designed to establish a foothold in the network, perform reconnaissance, retrieve files and pave the way for the installation of standard, more powerful backdoors that communicate over HTTP or custom protocols. APT1 deploy standard backdoors to create, modify, delete and execute programs, upload and download files, create and remove directories, start and stop processes, capture screenshots, keystrokes and mouse movements, discover systems and users, and extract passwords. Backdoors are usually installed on multiple systems to maintain a presence in the network. Communication between backdoors and Command and Control servers is difficult to distinguish from regular traffic and is often hidden in encrypted SSL tunnels.

The installation of standard backdoors is followed by privilege escalation, usually through cracking password hashes for target systems in order to obtain legitimate user credentials. Stolen credentials are used to log on directly to systems, VPNs and portals. Compromised data and objects are packaged in archive files and transferred out of networks through backdoors or protocols such as FTP.

In the words of the report, APT1’s “ability to adapt to their environment and spread across systems makes them effective in enterprise environments with trust relationships” (page 27). SAP environments are archetypal models of such environments. Systems in these environments and landscapes are configured with numerous trusted connections, often using the most privileged user profiles. Trust relationships in SAP systems have well-known security concerns and should only be used for connections between systems with identical security classifications, established with minimal authorisations. You can read more about securing SAP trust relationships in our white papers. The papers also include guidance on measures to protect SAP servers and clients against unauthorized remote access, password attacks and other malicious actions by groups such as APT1.