Layer Seven Security

New Whitepaper: NIS2 Compliance for SAP Solutions

The Network and Information Security (NIS2) Directive takes effect on October 17 and imposes significant requirements on organizations for cybersecurity and incident reporting. NIS2 mandates strict standards for cybersecurity and incident reporting for organizations that are based in the European Union or provide services within the EU. It is targeted at essential and important organizations in specific sectors considered part of the supply chain for critical infrastructure in member states.

The Directive includes requirements for protecting the confidentiality, integrity and availability of data in network and information systems against cyber threats, as well as detecting and reporting significant security incidents within prescribed time frames. This includes data and incidents impacting business-critical SAP solutions.

The newly released whitepaper from Layer Seven Security simplifies the path to NIS2 compliance by providing guidance for complying with the Directive for SAP solutions. This includes sources for hardening standards to comply with cybersecurity requirements, and threat detection and response mechanisms to comply with the incident reporting requirements of the Directive. The guidance includes specific recommendations for solutions in SAP RISE.

Cybersecurity Extension for SAP version 5.1

S/4HANA Access Risk Analysis, SAP RISE Compliance, SAP ETD Benchmarking and More

The new release of the Cybersecurity Extension for SAP is scheduled for general availability in May and includes several important enhancements.

Version 5.1 includes coverage for critical access and segregation of duties in SAP S/4HANA. It performs more than 700 checks for access to sensitive transactions and conflicting combinations of transactions for business processes such as Finance, HR and Payroll, Materials Management, Order to Cash, and Procure to Pay in S/4HANA. Exclusions can be maintained for users and groups to tune checks and exclude permitted users. Users can add custom checks for transactions and combinations not included in the standard ruleset. This includes custom transactions. The coverage includes all of the relevant access risk IDs monitored by SAP GRC for S/4HANA. The checks are included in the new areas S/4HANA Critical Access and S/4HANA Segregation of Duties. Usage rights are included in the standard license for the Cybersecurity Extension for SAP.

The new release also includes support for monitoring the compliance of SAP RISE systems with information security standards defined by SAP Enterprise Cloud Services (ECS) in note 3250501. The standards include required settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must comply with for RISE solutions managed by ECS.

Version 5.1 includes several new threat detection patterns to bridge the gap with SAP Enterprise Threat Detection Cloud Edition (ETD CE). As a result, the Cybersecurity Extension for SAP now provides coverage for the same patterns as ETD CE. It also includes more than 750 patterns that are not included in ETD CE. Similar to ETD CE, the Cybersecurity Extension for SAP is available as Software-as-a-Service (SaaS) for RISE customers.

Finally, the new release includes new tiles for Actively Exploited Vulnerabilities and Known Exploited Vulnerabilities. The former can be used to display open vulnerabilities that have associated alerts. The latter can display calculated security notes for systems that are required to address Known Exploited Vulnerabilities (KEV) for SAP solutions in the CISA KEV catalog.

New SEC Rules For Cybersecurity Incident and Risk Management Disclosures

The Securities and Exchange Commission (SEC) issued a final rule on July 26, 2023 that will require public companies to disclose material cybersecurity incidents on Form 8-K within four business days of discovery. In addition, the SEC will now require public companies to disclose on an annual basis in Form 10-K their process for assessing, identifying and managing material risks from cybersecurity threats, as well as information on how companies’ boards and officers govern cyber risk management.

The incident reporting requirements become effective for companies, other than smaller reporting companies, on December 18, 2023. Smaller reporting companies will not be subject to the rule until June 15, 2024. All reporting companies will be subject to the disclosure rules covering their cybersecurity risk management process in annual reports for fiscal years ending on or after December 15, 2023.

For purposes of both the new Form 8-K requirements and the required annual risk management disclosure, a “cybersecurity incident” is defined as “an unauthorized occurrence, or a series of unauthorized occurrences, on or conducted through the registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” The rules also define a “cybersecurity threat” as any potential occurrence that could result in a cybersecurity incident. The rules cover all “information systems” which is defined to include electronic information resources owned or used by the registrant that are used to collect, process, maintain, use, share, disseminate, or dispose of information used to maintain or support the registrant’s operations.

The new rule adds item 1.05 to Form 8-K covering “material cybersecurity incidents.” When the rules become effective, public companies will have to disclose information relating to a material cybersecurity incident four business days after they determine they have experienced one. The disclosure must include the following information: (i) a description of the material aspects of the nature, scope, and timing of the incident and (ii) an assessment of the material impact or reasonably likely material impact of the incident on the company, including the financial impact and the impact on operations. However, companies need not disclose “specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.” The adopting SEC release notes that, in assessing the impact of the incident, companies should consider qualitative factors (impact on reputation, actual or potential litigation or regulatory investigations, or competitiveness) as well as quantitative factors.

The determination of materiality relies on the standard securities law formulation that considers whether there is a substantial likelihood that a shareholder would consider the information important in making an investment or whether the information would significantly alter the “total mix” of information available about the company. The determination must be made “without unreasonable delay” following discovery of the incident and the filing must indicate if any required disclosure has not been determined or is not available at the time of the filing. That said, the SEC advises that while the determination “need not be rushed prematurely, it also cannot be unreasonably delayed in an effort to avoid timely disclosure.” Significantly, the release notes that the fact that the full extent of the incident is not yet known or that further investigation will be necessary “should not delay the company from determining materiality.” Examples of unreasonable delay include delay in scheduling a board committee meeting to determine materiality or revision of internal policy to extend assessment deadlines or to change the criteria used to determine incident reporting to management or the board.

The rule identifies two circumstances in which a disclosure delay is permissible. First, the Form 8-K filing may be delayed if disclosure would pose a substantial risk to national security or public safety. The delay is permissible if the U.S. Attorney General has notified the SEC that a substantial risk exists, in which case a delay of up to 30 days is permissible with additional extensions possible if the substantial risk continues to exist. Second, for a company subject to the breach disclosure rules of the Federal Communications Commission relating to customer proprietary network information, disclosure may be delayed if the company notifies the SEC no later than the day disclosure would otherwise be required under the SEC rules.

The SEC also adopted new Item 106 to Regulation S-K that will require a reporting company to provide disclosure in their annual report that identifies “the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”

This formulation represents a revision of the rule included in the March 9, 2022 proposed regulations which would have required a more granular discussion of a company’s cybersecurity risk management structure. The agency agreed with commenters who argued that a more detailed level of disclosure went beyond the level that is material to investors and could increase vulnerability to an attack by revealing important operational details of the risk management process.

The final rule also focuses on a non-exclusive list of three areas of disclosure that will help investors to place the disclosed cybersecurity processes in context:

  • Whether and how the cybersecurity processes have been integrated into the registrant’s overall risk management system or process;
  • Whether the registrant engages consultants, auditors or other third parties in connection with their cybersecurity processes; and
  • Whether the registrant has a process to identify material risks from cybersecurity threats associated with the use of third-party service providers.

Separately, the new rules will require disclosure about the board’s oversight of the company’s cybersecurity risk. Specifically, the disclosure must include information on how the board manages the oversight process, i.e., through a board committee or subcommittee, and the process whereby the board or board committee is informed about such risks. The agency dropped language in the proposed regulations that would have required disclosure of board level cybersecurity expertise.

The disclosure must also identify management’s role in assessing and managing material risks from cybersecurity threats with a focus on three areas:

  • Identification of the management positions and committee that are responsible for assessing and managing cybersecurity risks and the relevant expertise of such persons or committee members;
  • The process by which such persons are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  • How such persons report information about cybersecurity risk to the board and/or the appropriate board committee.

Source: Kilpatrick Townsend & Stockton LLP

Cybersecurity Extension for SAP

The Cybersecurity Extension for SAP (CES) enables organizations to secure mission-critical SAP solutions from cyber threats that may require public disclosure in accordance with the new SEC rules. CES implements industry-leading vulnerability management, patch management, threat detection and response for SAP to minimize the risk of cybersecurity threats and enable the detection and investigation of security incidents.

Securing the Journey to SAP S/4HANA

Earlier this month, Layer Seven Security released the new whitepaper Securing the Journey to SAP S/4HANA: A Security Framework for S/4HANA Migrations. The whitepaper provides a comprehensive guide to S/4HANA security to support the transition from SAP ERP to S/4HANA.

Mainstream maintenance for ERP will end in December 2027. Therefore, organizations must migrate to S/4HANA by the beginning of 2028. To date, only one third of organizations have migrated to S/4HANA. Therefore, the majority of SAP customers will be migrating over the next five years.

Security is one of the largest roadblocks to successful migrations. This is due to significant differences between ERP and S/4HANA that require the restructuring of access and technical controls. It is also due to concerns related to cloud security, since almost 70% of organizations are electing to migrate to cloud-based S/4HANA installations. Other security concerns arise from the migration of custom SAP programs from ERP to S/4HANA. These programs often contain hidden and unresolved security vulnerabilities since they were never subject to in-depth code vulnerability analysis.

The whitepaper includes detailed recommendations across twelve domains to deal with these and other security concerns and facilitate the smooth transition to S/4HANA. The recommendations are aligned to best practices in the SAP S/4HANA Security Guide. The whitepaper also includes guidance for automating pre and post go-live security checks for S/4HANA migrations using SAP Solution Manager and the Cybersecurity Extension for SAP.

Security Analytics with SAP Focused Run

SAP Focused Run delivers real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers that need to monitor customer SAP installations from a central platform. It leverages the power of SAP HANA to support centralized monitoring for thousands of systems in high-volume environments. Focused Run is intended to complement SAP Solution Manager in SAP landscapes by substituting configuration, integration, system, and user monitoring scenarios from SolMan. However, Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.

This article explores the capabilities of the Advanced Configuration Monitoring (ACM) scenario in Focused Run. Scenarios such as Advanced Event and Alert Management (AEM), Advanced Integration Monitoring (AIM) and Advanced User Monitoring (AUM) will be discussed in later posts. ACM includes Configuration and Security Analytics (CSA), accessed from the Fiori launchpad of Focused Run. CSA enables SAP users to analyze the configuration of applications, databases and hosts and automate audits for security compliance. The following short video from SAP provides a quick introduction to CSA: Advanced Configuration Monitoring

CSA analyzes configuration data collected and transferred via the Simple Diagnostics Agent (SDA) from SAP systems. Focused Run does not include a built-in Business Warehouse (BW). Therefore, unlike Solution Manager, configuration data is stored in HANA database tables starting with CCDB_DATA_ rather than BW InfoCubes.  This simplifies the architecture and improves the performance for configuration analysis. The tables are read by the Configuration and Change Database (CCDB). Configuration changes are tracked to support change and trend analysis. This includes changes to security-relevant parameters, services, RFC destinations, and user privileges. The CCDB contains snapshots of SAP systems. The configuration data is structured in containers known as config stores. The stores can be updated every hour to maintain up-to-date snapshots of SAP systems. The stores can be queried using the search option in CSA. The config store below displays the current values for all profile parameters in system FR1.

The following store contains details of users assigned critical profiles. User-related stores can be customized to extract details for specific profiles, roles, user types, authorizations, and combinations of roles and authorizations.

CSA can be used to configure and apply policies that analyze config stores to audit systems and automate compliance checks. Policy Maintenance in CSA enables users to create XML policies. Policies can also be converted from target systems in Configuration Validation from SAP Solution Manager. Policies can be exported and imported as XML files or transported between Focused Run installations. SAP recommends limiting the number of checks in single policies to 100 to restrict the number of SQL statements. However, single policies can be combined into composite policies to execute thousands of checks in parallel. In the example below, the composite policy ABAP Parameters includes multiple single policies for reviewing security-relevant parameters in ABAP systems.

In order to apply a generated single or composite policy to audit SAP systems, you must first define the scope of systems. Systems can be grouped by Customer ID, Data Center, IT Admin Role (Environment) and other variables (see below). Customer ID can be used to group systems by company or business group.

The next step is to select and apply the required single or composite policy. The results below summarize the compliance status of systems in the L7_FRUN group against the ABAP Parameters composite policy.

Users can drill down into the findings for each system to focus on parameters that failed the policy check.

You can click on the icon at the end of each rule to view further details.

The current value of the parameter is displayed in the Value column. The results can be exported to Excel for offline analysis.

Policy checks can be scheduled for hourly, daily or weekly intervals in Policy Management.

The results of the scheduled checks can be displayed in Trend Analysis. This provides a graphical analysis of compliance levels for each interval of the report.
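As an added illustration of the policy model described above (example code written for this page, not Focused Run's own XML policies or SAP code), the following Python evaluates a constructed config-store snapshot against single policies grouped into a composite policy and summarizes compliance per system. The store name, parameter values and system IDs in the snapshot are assumptions; the 100-check limit mirrors SAP's guidance quoted above.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Comparison operators a check may apply to the value found in the store.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "=": lambda actual, expected: actual == expected,
    "!=": lambda actual, expected: actual != expected,
    ">=": lambda actual, expected: float(actual) >= float(expected),
    "<=": lambda actual, expected: float(actual) <= float(expected),
}

# SAP's guidance cited above: keep a single policy to at most 100 checks.
MAX_CHECKS_PER_SINGLE_POLICY = 100

# Snapshot layout (constructed): system -> config store -> key -> value
Snapshot = dict[str, dict[str, dict[str, str]]]

@dataclass(frozen=True)
class Check:
    store: str      # config store to read, e.g. a profile-parameter store
    key: str        # entry in that store, e.g. a profile parameter name
    operator: str   # one of OPERATORS
    expected: str

@dataclass(frozen=True)
class SinglePolicy:
    name: str
    checks: tuple[Check, ...]

    def __post_init__(self) -> None:
        if len(self.checks) > MAX_CHECKS_PER_SINGLE_POLICY:
            raise ValueError(f"{self.name}: split into several single policies")

@dataclass(frozen=True)
class CompositePolicy:
    name: str
    policies: tuple[SinglePolicy, ...]

@dataclass(frozen=True)
class Finding:
    system: str
    policy: str
    key: str
    expected: str           # operator and target value, e.g. ">= 8"
    actual: Optional[str]   # None when the store has no entry for the key
    compliant: bool

def evaluate(snapshot: Snapshot, composite: CompositePolicy) -> list[Finding]:
    """Run every check of every single policy against every system. A key
    missing from the store is non-compliant with actual=None, so an unset
    parameter never silently passes."""
    findings: list[Finding] = []
    for system, stores in snapshot.items():
        for policy in composite.policies:
            for check in policy.checks:
                actual = stores.get(check.store, {}).get(check.key)
                if actual is None:
                    compliant = False
                else:
                    try:
                        compliant = OPERATORS[check.operator](actual, check.expected)
                    except ValueError:  # non-numeric value under a numeric operator
                        compliant = False
                findings.append(Finding(system, policy.name, check.key,
                                        f"{check.operator} {check.expected}",
                                        actual, compliant))
    return findings

def compliance_by_system(findings: list[Finding]) -> dict[str, float]:
    """Percentage of passed checks per system, like the CSA results summary."""
    totals: dict[str, list[int]] = {}
    for f in findings:
        t = totals.setdefault(f.system, [0, 0])
        t[0] += int(f.compliant)
        t[1] += 1
    return {s: round(100 * p / n, 1) for s, (p, n) in totals.items()}

# Constructed snapshot for two systems; the values are illustrative only.
SNAPSHOT: Snapshot = {
    "FR1": {"PROFILE_PARAMETERS": {
        "login/min_password_lng": "8", "login/fails_to_user_lock": "5",
        "gw/acl_mode": "1", "rfc/reject_expired_passwd": "1"}},
    "FR2": {"PROFILE_PARAMETERS": {          # rfc/reject_expired_passwd unset
        "login/min_password_lng": "6", "login/fails_to_user_lock": "5",
        "gw/acl_mode": "0"}},
}

# Two single policies combined into the "ABAP Parameters" composite policy.
PASSWORD_POLICY = SinglePolicy("Password Policy", (
    Check("PROFILE_PARAMETERS", "login/min_password_lng", ">=", "8"),
    Check("PROFILE_PARAMETERS", "login/fails_to_user_lock", "<=", "5"),
))
GATEWAY_POLICY = SinglePolicy("RFC Gateway", (
    Check("PROFILE_PARAMETERS", "gw/acl_mode", "=", "1"),
    Check("PROFILE_PARAMETERS", "rfc/reject_expired_passwd", "=", "1"),
))
ABAP_PARAMETERS = CompositePolicy("ABAP Parameters", (PASSWORD_POLICY, GATEWAY_POLICY))
```

Running `evaluate(SNAPSHOT, ABAP_PARAMETERS)` on a schedule and storing `compliance_by_system` per run gives the same per-interval series that Trend Analysis plots.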

Focused Run does not include the equivalent of System Recommendations in SAP Solution Manager for discovering and applying security notes. SAP periodically publishes policies for security notes to GitHub. The policies can be downloaded and imported into Focused Run to check for the implementation status of relevant notes in each system. This approach can lead to inconsistencies between System Recommendations and Focused Run since calculated notes may not align between the solutions. The Cybersecurity Extension for SAP Focused Run from Layer Seven Security integrates System Recommendations with Focused Run to ensure calculated notes are consistent between both platforms. The CSA policy below displays all security notes calculated by System Recommendations. The results can be filtered by system and priority. With this approach, SAP customers do not need to manually update FRUN with new policies for security notes. Calculated notes are updated automatically daily.

The beta release of the Cybersecurity Extension for SAP Focused Run is scheduled for Q3 2022 and will include additional config stores to supplement the security content in the CCDB, preconfigured single and composite policies for ABAP, HANA and Java systems, and monitoring templates to support alerting for SAP logs including the Security Audit Log and the HANA audit log.  

CISA Issues Directive for Actively Exploited SAP Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01 on November 3 to compel government departments and agencies to remediate specific vulnerabilities with known exploits. According to CISA, the vulnerabilities pose a significant risk to information systems. This includes several vulnerabilities for SAP applications that must be remediated by May 3, 2022. Agencies have 60 days to review and update their vulnerability management policies in accordance with the Directive.

The Directive addresses weaknesses with the Common Vulnerability Scoring System (CVSS) used for rating Common Vulnerabilities and Exposures (CVE) in the National Vulnerability Database (NVD). CVSS does not take into account active exploitations for vulnerabilities. Most critical CVEs are highly complex and have no known exploits. The Directive shifts the focus to CVEs with active threats. These vulnerabilities are prioritized for remediation and are classified in the CISA catalog for Known Exploited Vulnerabilities (KEV).

The catalog includes six CVEs for SAP applications.

CVE-2010-5326 is for the invoker servlet implemented in the InvokerServlet class within the Web Container of the J2EE engine in SAP NetWeaver Application Server Java (AS Java). The invoker servlet is vulnerable to authentication bypass, enabling remote attackers to execute arbitrary code via HTTP or HTTPS requests. The servlet is disabled by default in higher versions of AS Java. Refer to SAP note 1445998 for disabling the relevant property of the servlet_jsp service on server nodes. SAP also recommends scanning or reviewing application code to identify the usage of servlets with the prefix “/servlet/”. Applications should use only local servlets that are defined in web.xml files. Auth constraints (auth-constraint elements) in web.xml files are recommended to restrict invoking of the servlet to users with an administrative role.

CVE-2016-3976 relates to a directory traversal vulnerability in AS Java that could be exploited to read arbitrary files from servers remotely and without authentication using CrashFileDownloadServlet. Note 2234971 provides a patch for the LM-CORE to address the CVE.

CVE-2020-6287 is for the RECON vulnerability in the LM Configuration Wizard of AS Java. Attackers can exploit a missing authentication check in the CTCWebService to perform administrative functions such as creating privileged users. Note 2934135 includes a patch to validate user input for log paths and block arbitrary log file locations and extensions.

CVE-2018-2380 relates to a directory traversal vulnerability in SAP CRM.  There is a publicly-available exploit for the CVE that could be deployed to perform remote code execution through log file injection. Note 2547431 includes a patch to validate user input for log paths and block arbitrary log file locations and extensions.

CVE-2016-9563 is for a Denial of Service vulnerability in a BPM service within AS Java. This CVE also has a publicly-available exploit. Note 2296909 disables the resolving of external entities during XML parsing to address the CVE.

CVE-2020-6207 relates to a missing authentication check for the SAP EEM servlet in SAP Solution Manager. A module for the Metasploit penetration testing framework automates the exploitation of the CVE. This could be exploited to execute OS commands on connected SMDAgents via the /EemAdminService/EemAdmin page for User Experience Monitoring. Note 2890213 includes a patch for the impacted LM-SERVICE software component and instructions for a temporary workaround involving enabling authentication for the EemAdmin service in the Java stack of Solution Manager.
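Added example, not part of the original post or of the Cybersecurity Extension: the script below reconciles a constructed KEV excerpt (using the catalog's cveID, vendorProject, product and dueDate field names) with the remediating SAP notes listed above and a constructed inventory of which notes each system has applied, reporting the gaps and how far past the Directive's deadline they are. The shortened product labels, system IDs and the non-SAP placeholder entry are assumptions.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt of the KEV catalog: the six SAP CVEs listed above with
# the remediation deadline the Directive sets for them, plus one placeholder
# non-SAP entry. Field names follow the catalog's JSON feed.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2010-5326", "vendorProject": "SAP", "product": "AS Java", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2016-3976", "vendorProject": "SAP", "product": "AS Java", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2020-6287", "vendorProject": "SAP", "product": "AS Java", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2018-2380", "vendorProject": "SAP", "product": "CRM", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2016-9563", "vendorProject": "SAP", "product": "AS Java", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2020-6207", "vendorProject": "SAP", "product": "Solution Manager", "dueDate": "2022-05-03"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "Placeholder", "dueDate": "2022-05-03"},
]})

# SAP note that remediates each CVE, as listed in the post above.
REMEDIATING_NOTE = {
    "CVE-2010-5326": "1445998",
    "CVE-2016-3976": "2234971",
    "CVE-2020-6287": "2934135",
    "CVE-2018-2380": "2547431",
    "CVE-2016-9563": "2296909",
    "CVE-2020-6207": "2890213",
}

@dataclass(frozen=True)
class SapSystem:
    sid: str
    product: str                   # matches the product label in the catalog
    applied_notes: frozenset[str]  # notes confirmed as implemented

@dataclass(frozen=True)
class Gap:
    sid: str
    cve: str
    note: str
    due: date
    days_overdue: int              # 0 while the deadline is still ahead

def load_sap_entries(raw_json: str) -> list[dict]:
    """Keep only SAP entries from a KEV feed document."""
    feed = json.loads(raw_json)
    return [v for v in feed["vulnerabilities"] if v["vendorProject"] == "SAP"]

def find_gaps(systems, entries, today: date) -> list[Gap]:
    """Report each system that runs an affected product but has not applied
    the remediating note. Note application is the evidence of remediation
    used here; a CVE with no known note is reported as 'unmapped' rather
    than skipped, so it is never silently ignored."""
    gaps: list[Gap] = []
    for system in systems:
        for entry in entries:
            if entry["product"] != system.product:
                continue
            note = REMEDIATING_NOTE.get(entry["cveID"], "unmapped")
            if note in system.applied_notes:
                continue
            due = date.fromisoformat(entry["dueDate"])
            gaps.append(Gap(system.sid, entry["cveID"], note, due,
                            max(0, (today - due).days)))
    return sorted(gaps, key=lambda g: (-g.days_overdue, g.sid, g.cve))

# Constructed inventory: which notes each system has already applied.
SYSTEMS = (
    SapSystem("J2E", "AS Java", frozenset({"1445998", "2234971", "2296909"})),
    SapSystem("CR1", "CRM", frozenset()),
    SapSystem("SM1", "Solution Manager", frozenset({"2890213"})),
)

def gaps_as_of(today_iso: str) -> list[tuple[str, str, str, int]]:
    """Convenience wrapper over the constructed data: (sid, cve, note, days_overdue)."""
    entries = load_sap_entries(KEV_JSON)
    return [(g.sid, g.cve, g.note, g.days_overdue)
            for g in find_gaps(SYSTEMS, entries, date.fromisoformat(today_iso))]
```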

The Cybersecurity Extension for SAP is an SAP-certified solution that automates the discovery of applications vulnerable to the CVEs for SAP applications in the KEV catalog. It also monitors SAP logs to detect the signature of exploits targeting the CVEs and provides mechanisms to investigate and respond to the exploits.  

Security Monitoring with Focused Insights for SAP Solution Manager

Focused Insights is an advanced dashboard framework that was previously available only for MaxAttention customers as part of the MaxAttention Next Generation Add-On (MANGO) but is now available for all SAP customers. Focused Insights can now be installed in SAP Solution Manager 7.2 without any additional SAP licensing or user and usage restrictions.

Focused Insights for SAP Solution Manager provides ready-to-use templates for monitoring a range of KPIs for SAP landscapes. Customers can select from over 800 best practice KPIs for multiple use cases. The framework is organized in three levels: Operational, Governance and Strategic. Security metrics are monitored primarily in the Tactical Dashboard, accessible from the Focused Insights Launchpad.

The Tactical Dashboard can monitor several instances. Instances are groups of systems geared for different users or groups. Instances are set up and maintained using the TAC Configuration option. This includes relevant systems, scenarios and thresholds for KPIs.

The current version of the dashboard supports eleven scenarios such as Availability, Performance, Operations, and Security. Each scenario is rated green, red or yellow based on the thresholds and options maintained in the configuration.

The Dashboard is refreshed automatically every 10 minutes but the frequency can be changed from 5 to 30 minutes and maintained separately for each instance.

The security scenario supports monitoring of security metrics for ABAP, HANA, and Java systems and the SAP Web Dispatcher.  It reports the number of very high (hot news) and high rated security notes that are unapplied in each system, users with critical privileges including the SAP_ALL profile, systems that are open for direct changes, insecure client settings, RFC destinations configured with privileged users, and misconfigurations in specific security-relevant profile parameters. Notes information is sourced from System Recommendations in SAP Solution Manager. The results of other security checks are derived from Configuration Validation using target systems supplied by SAP.

Focused Insights 2.0 SP7 and higher supports the integration of custom target systems with the security scenario in the Tactical Dashboard. This can be used to support monitoring for additional security checks beyond the SAP standard delivery.  

Compliance Reporting for the SAP Security Baseline

The SAP Security Baseline is a widely used benchmark for securing SAP applications. The benchmark includes SAP recommendations for system hardening, authentication and authorization, logging and auditing, and other areas. The recommendations draw on SAP security notes, guides and whitepapers.  The SAP Security Baseline was updated by SAP earlier this year and provides an up-to-date framework for safeguarding SAP ABAP, HANA and Java systems against known vulnerabilities and threats. Note 2253549 includes a link to the latest version of the framework.

The Cybersecurity Extension for SAP Solution Manager performs automated gap assessments for SAP systems against the SAP Security Baseline. The extension identifies compliance gaps in SAP systems to highlight configuration, user and other issues that do not meet SAP requirements defined in the baseline. The extension eliminates the need for periodic, manual audits and supports on-demand compliance reporting.

Control gaps are automatically discovered via daily background jobs. The gaps are reported in the Compliance Report application, accessible from the Fiori launchpad for SAP Solution Manager.

The SAP Security Baseline template can be selected from the list of supported frameworks.

There are optional filters to select specific baseline requirements and systems based on environment or priority. Reports can also be filtered to include or exclude requirements based on risk rating and compliance result. Once the framework and systems are selected, users can select Go to view the results.

The overall compliance level for the system is displayed in the report header. The results for each requirement of the SAP Security Baseline are displayed in the main body of the report.

Users can drill down into each requirement to review the results for specific controls. Control ratings and descriptions are included in the report to support analysis.

Reports can be exported to CSV or PDF. The Report Detail option specifies whether results are exported at the Requirement, Control or Description level.

Users can also save shortcuts for prefiltered reports to the Fiori launchpad.

Automating SAP Audits with Solution Manager

According to IDC, 80% of ERP applications are audited at least once every 12 months. Driven by regulatory requirements, audits can drain valuable resources from projects targeted at business growth. They can also lead to audit fatigue and undermine relationships between IT and audit stakeholders.

Compliance Reporting in SAP Solution Manager enables organizations to automate audits for SAP systems and reallocate resources to projects and audits focused on other organizational goals. The continuous monitoring powered by the application also enables auditors to identify compliance gaps immediately rather than at the end of a reporting period. This can reduce regulatory risk by providing owners with more time to remediate control gaps.

Compliance Reporting is accessed from the Fiori launchpad in SAP Solution Manager. Results are automatically updated by daily scheduled scans.

Compliance frameworks and systems are selected in the report filter. There are optional filters to select specific control requirements and systems based on environment or priority. Reports can also be filtered to include or exclude controls based on risk rating and compliance result.  

Compliance Reporting currently supports the frameworks below. This includes CIS, IT-SOX, NIST and PCI-DSS. Support for additional frameworks including GDPR and NERC CIP is expected at the end of Q2 2020. Customers can import custom frameworks to automate auditing for internal security policies and other requirements.

Results for applications and databases are reported in separate columns. The report provides an overall compliance score based on the selected framework and systems. Results are summarized for each requirement.

Users can drill down into each requirement to review the results for specific controls. Control ratings and descriptions are included in the report to support analysis.

Reports can be exported to CSV or PDF. The Report Detail option specifies whether results are exported at the Requirement, Control or Description level.

Prevent Configuration Drift with SAP Solution Manager

Maintaining system security in dynamic SAP environments is a constant challenge. New users are added every day. Permissions for existing users are constantly updated to keep up with changing requirements. Software updates, transports and other changes introduce new components or developments and often necessitate changes to system settings. With each change, even hardened systems can become less secure and more vulnerable to intrusion.  

To some extent, the risk of configuration drift can be managed through regular vulnerability scanning. However, scan results only identify the consequences of changes, not the root cause. Periodic audits of system and user changes can also help to address the risk. Audits can uncover compliance gaps against change management protocols, but are limited in scope since they are usually performed manually.

Change Analysis in SAP Solution Manager provides an automated response to the risk of configuration drift in SAP systems. The application tracks changes in systems including ABAP, HANA, Java parameters, database and operating system settings, user privileges, notes, software updates, and transport requests. The tool maintains a history of changes performed in each system for two years.

Change Analysis is accessed from the Root Cause Analysis work center in the Fiori launchpad for SAP Solution Manager.

Scope selection supports filtering of changes by system, type or environment.

Results can be filtered further to focus on changes within a specific time frame.

The filtered results are summarized in the dashboard below.

The dashboard supports drilldown from summarized results by system and category into detailed changes. In the example below, the results reveal that the value of parameter gw/accept_timeout was modified in system AS2 at 3:00 PM on February 11, 2020.

In another example, the results reveal that the profile SAP_ALL was assigned to the user ATTACKER9 on the same day in the identical system.

Notifications for changes to critical areas can be configured using the monitoring and alerting framework within Solution Manager. The notification below is an alert for changes to RFC destinations. Email and SMS notifications for changes are also supported. Alerts can be integrated with SIEM systems or incident management systems for automated ticketing.

Change Reporting can be used to compare the configuration of different systems.

It can also be used to compare the configuration of the same system using different timestamps. In the example below, we are comparing the configuration of system ECP on February 6 with January 22 to identify changes that occurred in the system during the interval.

The comparison tool is useful for identifying not only changes that may lead to configuration drift within systems but also differences between settings in production environments and other environments such as quality or development. The comparison results are displayed in the Result Details and can be exported for analysis. According to the results below, the SAP_UI component was upgraded in ECP from version 751 to 753 during the interval.
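The snapshot comparison that Change Analysis and Change Reporting perform, as an added example that is not part of the original post or of Solution Manager: two constructed snapshots of system ECP are diffed, and the changes that warrant an alert (gateway, RFC, logon and authorization parameters, a critical profile gained by a user, any RFC destination change) are separated from informational ones such as the SAP_UI upgrade. The snapshot layout, category names and values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Snapshot layout (constructed): category -> key -> value, e.g.
# "parameters" -> "gw/accept_timeout" -> "20"
Snapshot = dict[str, dict[str, str]]

# Profiles whose assignment to a user always warrants an alert.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}
# Parameter families governing gateway, RFC, logon and authorization checks.
CRITICAL_PARAM_PREFIXES = ("gw/", "rfc/", "login/", "auth/", "snc/")

@dataclass(frozen=True)
class Change:
    category: str
    key: str
    old: Optional[str]   # None when the entry did not exist before
    new: Optional[str]   # None when the entry was removed

    @property
    def kind(self) -> str:
        if self.old is None:
            return "added"
        if self.new is None:
            return "removed"
        return "modified"

def diff_snapshots(before: Snapshot, after: Snapshot) -> list[Change]:
    """Compare two snapshots entry by entry. Works for one system at two
    timestamps or for two different systems (e.g. production vs quality)."""
    changes: list[Change] = []
    for category in sorted(set(before) | set(after)):
        old_entries = before.get(category, {})
        new_entries = after.get(category, {})
        for key in sorted(set(old_entries) | set(new_entries)):
            old, new = old_entries.get(key), new_entries.get(key)
            if old != new:
                changes.append(Change(category, key, old, new))
    return changes

def _profiles(value: Optional[str]) -> set[str]:
    # A user's profiles are stored as a comma-separated list in this layout.
    return {p for p in (value or "").split(",") if p}

def is_critical(change: Change) -> bool:
    """Decide whether a change should raise an alert or only be logged."""
    if change.category == "parameters":
        return change.key.startswith(CRITICAL_PARAM_PREFIXES)
    if change.category == "user_profiles":
        # Alert when a critical profile is gained, not when one is removed.
        gained = _profiles(change.new) - _profiles(change.old)
        return bool(gained & CRITICAL_PROFILES)
    if change.category == "rfc_destinations":
        return True   # any destination change is alerted, as in the notification above
    return False      # e.g. software component upgrades are reported, not alerted

def critical_changes(before: Snapshot, after: Snapshot) -> list[Change]:
    return [c for c in diff_snapshots(before, after) if is_critical(c)]

def describe(change: Change) -> str:
    return f"{change.category}/{change.key} {change.kind}: {change.old!r} -> {change.new!r}"

# Constructed snapshots of system ECP on two dates; values are illustrative.
ECP_JAN_22: Snapshot = {
    "parameters": {"gw/accept_timeout": "20", "login/min_password_lng": "8",
                   "rdisp/wp_no_dia": "10"},
    "user_profiles": {"ADMIN1": "SAP_ALL", "ATTACKER9": ""},
    "components": {"SAP_BASIS": "750", "SAP_UI": "751"},
    "rfc_destinations": {"ECP_TO_BW": "user=BWUSER;trusted=no"},
}
ECP_FEB_06: Snapshot = {
    "parameters": {"gw/accept_timeout": "60", "login/min_password_lng": "8",
                   "rdisp/wp_no_dia": "12"},
    "user_profiles": {"ADMIN1": "SAP_ALL", "ATTACKER9": "SAP_ALL"},
    "components": {"SAP_BASIS": "750", "SAP_UI": "753"},
    "rfc_destinations": {"ECP_TO_BW": "user=RFCADMIN;trusted=yes"},
}

if __name__ == "__main__":
    for c in diff_snapshots(ECP_JAN_22, ECP_FEB_06):
        print(("ALERT " if is_critical(c) else "info  ") + describe(c))
```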