Level 2: Knowledge is Power – Target Reconnaissance

1. In your opinion, what is the #1 tool to identify SAP systems exposed to the internet?

Best Answer: b. Google

For finding SAP systems connected to the internet, Google Advanced Search is a very powerful tool.

Many SAP systems expose the full application URL to the internet, so instructing Google to search for splash pages or login pages with certain patterns in the URL will reveal – literally – tens of thousands of SAP systems with zero effort. Advanced searches and combinations of search terms help attackers narrow down their target list.

Examples (screenshot captions; the images themselves are not reproduced here):

Advanced Google search

50K results for SAP Application Servers

15K for SAP NetWeaver Portal Servers

Recommendation: Customers should implement URL rewriting to hide any reference to SAP applications in the external-facing URLs and in links within the HTML of web-facing SAP applications.

Advanced Web Application Firewalls – or even better – bowbridge Secure Web Dispatcher for SAP applications (targeted for release in Q3/2020) can perform those translations.

2. In April 2019, several exploits (collectively referred to as 10KBLAZE by Onapsis) targeting SAP business applications were released by being uploaded to a public forum. These vulnerabilities primarily target:

Best Answer: b. Insecure default configurations of on-premise SAP Gateway and SAP Message Server

Insecure default configurations of on-premise SAP Gateway and SAP Message Server.

The SAP exploits released in April 2019 primarily target insecure default configurations of on-premise SAP Gateway and SAP Message Server, two components that many SAP business applications rely on and that are present in most SAP environments.

And yet, these configuration issues exist even in new SAP implementations in the cloud. Why? Because companies are not migrating SAP to the cloud with security in mind. For most organizations, basic SAP security is a huge challenge, and many don’t even understand what they face in the realm of cloud security.

3. What percentage of SAP implementations allow users to upload Microsoft Office documents containing potentially malicious macros?

Best Answer: d. 87%

87% of SAP implementations allow users to upload Microsoft Office documents containing potentially malicious macros.

In bowbridge’s research and testing, we discovered that 87% of the implementations we tested allowed uploading of Office documents with macros in the old format (CDF, pre-Office 2007) and 33% allowed uploading of documents with macros in the new format (OOXML).

In 99% of cases, simply blocking all macros in uploads into SAP applications is the most efficient prevention. The time saved by using macros for task automation is simply not worth the massive risk macros present to your cybersecurity, not just as it pertains to SAP, but for your entire system. In addition to blocking macros, having an anti-virus solution specifically designed for SAP’s unique structure provides added protection.
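As an added illustration of the "block all macros in uploads" recommendation (not bowbridge's code, and not a replacement for a full content-filtering product), the following Python triage covers both formats mentioned above: OOXML containers are flagged when they carry a vbaProject.bin part, and legacy CDF/OLE2 containers are flagged when their directory holds the VBA storage names. The OLE2 check is a heuristic scan for UTF-16LE stream names, not a full compound-file parser, and the sample files are constructed stand-ins rather than real documents.

```python
import io
import zipfile

# Compound Document File (OLE2) signature used by pre-Office 2007 formats.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Storage/stream names found in the OLE directory of macro-enabled legacy
# documents (Word: "Macros", Excel: "_VBA_PROJECT_CUR", PowerPoint: "VBA").
# Directory entry names are stored as UTF-16LE inside the container.
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros", "VBA")]


def has_ooxml_macros(data: bytes) -> bool:
    """OOXML (.docm/.xlsm/...): macros live in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def has_ole_macros(data: bytes) -> bool:
    """Legacy CDF/OLE2: heuristic scan for VBA storage names in the directory."""
    if not data.startswith(OLE2_MAGIC):
        return False
    return any(marker in data for marker in OLE_VBA_MARKERS)


def classify_upload(data: bytes) -> str:
    """Return 'reject-macro' for macro-bearing files, else the container type."""
    if data.startswith(OLE2_MAGIC):
        return "reject-macro" if has_ole_macros(data) else "ole2"
    if data.startswith(b"PK\x03\x04"):
        return "reject-macro" if has_ooxml_macros(data) else "ooxml"
    return "other"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_ole2(with_macro: bool) -> bytes:
    """Constructed stand-in for a CDF file: valid magic plus fake directory names."""
    names = ["Root Entry", "WordDocument"] + (["Macros", "_VBA_PROJECT"] if with_macro else [])
    return OLE2_MAGIC + b"\x00" * 504 + b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in names)
```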

So, how did you do? If you got all the answers right, well done! This next level, however, will really test your mettle – and your readiness for an intrusion on your SAP system. All set? Let’s go!