If I Want a Perfect Cyberweapon I'll Target ERP - ERPScan


Post on 22-Jun-2018


TRANSCRIPT

  • Invest in security to secure investments

    If I Want a Perfect Cyberweapon I'll Target ERP

    Alexander Polyakov, CTO, ERPScan

  • Alexander Polyakov

    CTO of the ERPScan company

    EAS-SEC.org project leader

    Business application security expert

    R&D Professional of the year by Network Product Guide

    Organizer of ZeroNights conference

    a.polyakov@erpscan.com

    Twitter: @sh2kerr

    erpscan.com | ERPScan: invest in security to secure investments

  • ERPScan

    Develop software for SAP security monitoring

    Provide SAP/ERP security trainings and consulting

    Leader by the number of acknowledgements from SAP (150+)

    Leading SAP AG partner in the field of discovering security vulnerabilities, by the number of vulnerabilities found

    Invited to talk at 50+ key security conferences in 20+ countries on all continents (BlackHat, RSA, HITB)

    Most acknowledged ERP security vendor (18 awards)

    Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research.

  • Intro

    I hate CYBER talks and this buzz

    I usually do more technical presentations

    But if we talk about it, why do we skip this area?

    I'm about business applications and ERP systems

  • Intro

    Intro

    Big companies and critical systems

    What has happened

    How easy is that

    What can happen

    Forensics

    What we can do

    Conclusions

  • Big companies

    Oil and Gas

    Manufacturing

    Logistics

    Financials

    Nuclear

    Retail

    Telecommunication

    etc


  • Big companies inside

    Diagram of the systems inside a big company and their connections: Portal, HR, Logistics, Warehouse, ERP, Billing, Suppliers, Customers, Banks, Insurance, Partners, Branches, BI, Industry, CRM, SRM

  • Are business applications popular?

    SAP

    More than 246000 customers worldwide

    86% of Forbes 500

    Oracle

    100% of Fortune 100

    Microsoft

    More than 300,000 businesses worldwide choose Microsoft Dynamics ERP and CRM software

  • What can happen

    Espionage: stealing financial information, stealing corporate secrets, stealing supplier and customer lists, stealing HR data

    Sabotage: denial of service, modification of financial reports, access to the technology network (SCADA) via trust relations

    Fraud: false transactions, modification of master data

  • Autocad virus (Industrial espionage)

    Stealing critical documents

    Sending them, potentially, to China

    http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html

  • Peoplesoft vulnerabilities (Sabotage)

    Presented on BlackHat USA

    Old and New issues

    Old one was a buffer overflow in a login page

    Over 500 systems can be found by Googling

    New issues ranged from information disclosure to unauthorized system access

    Potential to steal the data of 20 million customers

  • US Department of Energy Breach

    Sabotage

    Real example of stealing 14,000 records

    Target: HR system (maybe PeopleSoft)

    Unauthorized disclosure of federal employee Personally Identifiable Information

  • Istanbul Provincial Administration

    Unauthorized disclosure of federal employee Personally Identifiable Information

    Erasing people's debts

  • Potential Anonymous attack


    Now, it adds, We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they... Anonymous claims to have a sweet 0day SAP exploit, and the group intends to sploit the hell out of it.

    * This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.

  • Fraud

    Invoice company for a greater number of hours than worked

    Ghost employees of the vendor

    Vendor employees billed at amounts higher than contract rate

    Vendor employees billed at higher job classification than actual work performed (skilled vs. non-skilled labor rates)

    Invoice company for incorrect equipment or materials charges

    Vendor charges for equipment not needed or used for the job performed

    Vendor charges for materials not used or materials are for the personal benefit of company employee

    Vendor charges for equipment or material at higher prices than allowed by the contract

    Invoice company incorrectly for other services

    Vendor charges for services performed where work is not subject to audit clause

    Vendor charges include material purchases from or for work performed by related companies at inflated prices

    http://www.padgett-cpa.com/insights/articles/fraud-risks-oil-and-gas-industry


  • Fraud

    The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.

    Real examples that we met:

    Salary modification

    Material management fraud

    Mistaken transactions


  • Fraud

    PwC survey: 3,000 organizations in 54 countries; 30% were victims of economic crime in the previous 12 months

    Average loss per organization from fraud: $500k plus collateral damage

    Asset misappropriation: 83%

    Accounting fraud: 33%

  • Internet-Trading virus (Fraud)

    Ranbyus modification for QUIK

    Trojan-Spy.Win32.Broker.j for QUIK (stealing keys)

    http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/

    http://www.securitylab.ru/news/439695.php

  • Project Mayhem (Fraud)

    A hacker could manipulate financial data and change entries to move funds to an outside account:

    alter the remittance address on vendor records,

    create a new vendor and manual check entry,

    change general ledger accounting records,

    increase the customer credit limit,

    credit the balance in a customer account in order to get a refund.

  • Fraud in Oil And Gas

    FRAUD and other infractions in Nigeria's critical oil and gas industry are enough to derail any stable economy, going by the report of the Petroleum Revenue Special Task Force by a former chairman of the Economic and Financial Crimes Commission (EFCC), Mallam Nuhu Ribadu.

  • SAP Security


    What can happen?

  • How to make it more Cyber/Dangerous

    Breach + Worm

    Multiple attacks of the same type

    Against one country

  • What can be next?

    Just imagine what could be done by breaking:

    One ERP system

    All Business applications of a company

    All ERP systems in a particular country

  • SAP Security


    How easy is that?

  • Ease of development

    Price of vulnerability is low

    Patching is nightmare

    Weaponization is easy

    Interconnection is high

    Availability via internet


  • Price of vulnerability

    The price of typical vulnerabilities in Flash and browsers is going higher.

    Security of applications and operating systems is growing

    It is much easier to find an architecture issue in ERP

    2000 vulnerabilities closed by SAP alone during 3 years

    And these issues will keep working for years

  • SAP Security notes by year

    Chart: number of SAP Security Notes per year, 2001 to 2008 (vertical axis 0 to 900)