Penetration Test: The quieter you become the more you are able to hear
When my small but ambitious company, which I started 10 years ago and have fostered ever since, began the venture last year to change its scope from SAP PI, Basis, data center consulting and helping to manage complex SAP landscapes on a European scale to SAP Security, it felt like the good old Internet days. It was a time warp back to the turn of the Millennium, or to the appearance of the Apple II and IBM PC in the 80s. Exciting times.
Approached by IBM to become a strategic partner in the IBM/SAP Security world, we were very pleased that such a “big” company really trusted us to work with them in the major league.
We also looked at the surrounding ecosystem: the world of pen testing, security administration and operations, and SIEM (Security Information and Event Management) in the so little, so big SAP universe.
(Just to explain what a pen test is: it is a penetration test, in which dedicated security personnel try to break into the SAP system and find their way in. This breach attempt is made on all levels: network, infrastructure, Basis hacks, RFC hacks, SAPGUI hacks, but also social attacks like email phishing and password sniffing.)
We also chose our preferred vendor for SAP penetration testing. But to make a long story short and to come to my actual point: it is easy to say “We do security now”, especially in the SAP world, to choose a product and go ahead and try to hack the planet.
A good security breach is more than a tool. Like everything else, it requires deep knowledge of networks, infrastructure, attack vectors and the tools needed and used. If you don’t want to use a commercial tool, you still have good choices.
One of the tools you need when you start pen testing is the Kali distribution, maintained by the folks at Offensive Security.
The Kali Linux distribution is open source and has a long history, having started as a tool collection a long time ago. They also offer an online class with a commercial certification, but everybody in the industry will agree that it is a very demanding certificate with a tough exam. This means it proves work-like experience and hands-on expertise.
But besides the certificate, these are the “tools of the trade”, and you should be able to do any pen test even without commercial tools. There is a great companion book, and if you really want to start looking at the pen test world, get the Kali distro on your laptop, get the book, start Nmap and practice.
But even if you try to learn the “Top 10 Tools” that Kali emphasizes, you will need a lot of practice to become fluent in a penetration test workflow.
(If you happen to be at a customer site, try running an Nmap full scan by plugging your private laptop into the corporate switch and count the time until security stands at your desk. If this takes more than 15 minutes, give them a security session.) (OK, this is maybe not the brightest idea, but you get the point.)
Kali has also coined the motto: “The quieter you become, the more you are able to hear”. And this is really true, not only for all security matters in the SAP world, but in the rest of the corporate IT world as well.
Security needs a very thorough understanding not only of large data center infrastructure and the surrounding networks, but also a lot of patience, listening and exploring. No tool will replace your knowledge and your ability to map a complex SAP network. And the SAP world adds a big twist to pen testing. I have seen the one or other pen tester (usually right out of college, but sold as the security consultant) from outside the SAP world use an open source tool and then ask around: “OK, looks like I am in with SAP_ALL, but what do I do now?”
Things like hacking via RFC and the SMGW/Gateway require knowledge of programming, ABAP, Java and the like.
It is one thing to be a loudspeaker, touting all your hacker experience to the world, going with a tattoo on your forehead to Black Hat Las Vegas and pretending to be the coolest kid in the universe. Like someone said, maybe your little teen sister is impressed, but not the CISO.
I had a longer conversation with some partners about a good way of approaching my customers, and I thought of things like a German blog, Twitter, and weekly reports on threats and new findings. But in the end, this would be just noise. After a short while, nobody would listen anymore. We decided that the quiet way, the conservative but most trustworthy approach, was simply to call, meet and talk. Talk about their needs, their local threats and findings, and how to handle all these large and small security issues.
Security, especially penetration testing and discovering true vulnerabilities that in the worst case could make or break a company (see my blog), makes a trustworthy relationship a base requirement for every customer situation. Showing first and foremost that you are a responsible person, guiding the customer through the risk assessment by differentiating hype from real risk, is a demanding task in the SAP world of large installations. Knowing the hack is one thing, but weighing the risk, the cost of the process to fix the gaps, and making everything fit into an overall security strategy is a completely different world.
I like the challenge of this professional spread: between the fun of serious hacking and testing on one side and the serious presentation on the other, putting on your black suit and putting the findings into a real perspective.
(edited for content, grammar and political correctness)