Penetration test – the simulated attack on an SAP system
A so-called SAP penetration test, better described as a "simulated attack on an SAP system", is a controlled review of the security state of your SAP system. Using the tools of the hacker's trade, controlled attack scenarios are run against a selected SAP system to determine how vulnerable that system is.
In recent years, this type of security review of an SAP system has become established, often as a supplement to or preparation for an SAP audit, but also as a requirement of the auditors themselves for determining the security status of an SAP system.
The SAP area is perhaps the most critical area for IT security: as a rule, all business processes, or at least all critical business processes, converge here. Without many years of experience and a profound understanding of SAP environments, security reviews such as a pen test with conventional tools will miss the point. A pen tester is not a hero of Internet technologies who breaks everything and then celebrates. On the contrary, a pen test in the SAP environment requires that the mission-critical vulnerabilities are identified and uncovered together with the customer. This can only be done in partnership with the customer or the customer's network specialist.
Ideally, the pen test is preceded by a risk assessment that defines risk clusters. In the financial industry, with its emphasis on payments, the threat vectors are completely different from those of an industrial firm with a lot of design expertise that is exposed to espionage. A specific threat in a given risk context is extremely serious for one customer, while it does not matter at all in another industry context.
Variations of a Pen test
There are three variations of a pen test:
(1) Black Box Test
The pen tester gets no information upfront and must penetrate completely from the outside without any help. He may, however, exploit all possibilities such as phishing (fake emails), watering-hole attacks (targeted attacks on specialist groups such as SysAdmins in a company) or techniques such as smuggling in USB sticks. All of this must be documented in legal terms and agreed with the business areas involved, such as corporate communications (for a simulated phishing email to all employees). Such black box tests are very expensive and often take several months. This approach is mostly used for cloud attack scenarios.
(2) Grey Box & White Box Test
The normal, common understanding of an SAP penetration test is a grey or white box test on site: the pen tester brings a laptop and registers its MAC address. The laptop has a virus scanner, defined hacking software and an SAP scanner installed, all of which are documented and create appropriate records. The attacker attempts to hack the SAP systems through the internal infrastructure that is accessible. This scenario corresponds to an intruder coming from inside (a SysAdmin, etc.) who has no access to the SAP system itself.
In addition, the pen tester gets access and an administration user on the system, mostly for use with a so-called SAP scanner, which is available in various forms on the market. This scanner is used for qualified control and analysis of the system; qualified assessments of individual configurations can also be done this way. The "white box test" is usually done as a follow-up and verification after a "black box" or "grey box" test. An up-to-date SAP scanner checks the system for approximately 1500 known vulnerabilities and provides a complete, static image of the security state of an SAP system. The scan must be accompanied by active, customer-specific individual checks, since a standardized scan often does not sufficiently take into account the customer's own environment.
(3) Offensive Pen Test
In this variant, tools and attack vectors from real hacker attacks are used. These attacks have a concrete target to conquer and sometimes also use destructive techniques. This variant is the acid test, because the simulation is carried out with the attacker's own weapons. This includes denial-of-service attacks, but also exploits that crash a system or server in order to take advantage of that moment.
Infrastructure
Pen tests for SAP usually take place only at the infrastructure level. This means that the network view and the external view of the database, application server and message server, as well as services such as the SAP Gateway, are the targets of attack. In addition to a manual analysis of the customer-specific details of the network and the underlying servers, testing the infrastructure also includes the use of standardized system scanners, analogous to the white box test of the SAP environment.
Tools
Every profession has its own toolbox. It's the same with hacking and penetration testing. The set of personal tools that a security expert uses is an expression of their own work style and their own experience. The tools described in this chapter have proved suitable in practice. Which of them finds its way into your own personal toolkit is a question of your own workflow and your own style.
Our tools offer everything needed to complete a full pen test in just a few hours. They can be installed on any desktop or laptop, or come completely pre-installed on the laptops of our consultants.
SAP Application
Conventional attack methods, as used against web applications, are completely meaningless in the SAP area because SAP as the runtime environment never falls into an unsecured state; therefore such a procedure cannot work either. Here it is exclusively about source code analysis, for which tools such as the SAP Code Inspector are available in SAP. This is usually not part of a classic penetration test.
Documentation
A serious penetration tester will always document all steps and provide all additional information such as log files. All results are documented and, for each attack point found, there is also a guide to rectification ("mitigation").
Final Presentation
Several sessions take place. First, the results are discussed with the SAP Basis team of the IT center. Above all, it is important to evaluate them against a baseline that must be defined jointly.
At the same time, the security aspects of the optional SAP code scan have to be discussed with application programming.
The results must then be translated by the pen tester into a general assessment and completion report that is agreed with all parties involved. It is important here that critical assessments in particular are discussed with the company, to decide whether "critical" also applies in the respective security context.