SAP @ SONY; what can we learn from the latest SONY hack
So, SONY got their behind powned again, and quite hard this time. Interesting for outsiders is the fact that the hackers leaked GB’s of data. This blogpost is just a short summary of some first findings I did by going through the leaked documents.
As a SAP Security specialist this breach is quite interesting as we can now take a close look at what SAP specific data is in those leaked documents. Without publishing sensitive data here (other than can also be found in public sources, which these files actually are now ;-)), I will try to give a short summary of what you might find in there:
(CLICK THE IMAGES FOR A BETTER VIEW)
- Sensitive information on the infrastructure like SAP hostnames/IP-adresses, SAP system ID’s, used Operating Systems and Database types and versions in files like these:
- MANY username/password combinations of SAP systems in for example personal password files of employees like these:
- Information on the used Password policy:
- Useful insider workarounds 😉
- IT Security assessment reports. These come in handy as they often show the weak spots that where found during an audit
- The external (So published on the internet) SAProuter IP-address. A short NMAP scan revealed it is really there:
- The installed base of products (For example Ariba, Business Objects, SAP BW and R/3)
- And many, many more sensitive data about SONY’s SAP users, infrastructure and systems.
After reading the above it’s obvious that nobody wants these kind of files leaked to the internet. Securing yourself from this is often a difficult challenge and I won’t go into detail about that here (I said this would be a short post).
But to kick in some specific SAP related open doors:
- Passwords are bad and old, get rid of them where possible: Passwords data is being stored by end-users, often not in safe ways, think about implementing Single-Sign-On solutions to prevent this
- SAP infrastructure data is wanted by attackers, make sure to store it in a protected place, not in unprotected excel files. This includes data like IP-addresses, hostnames, System ID’s, Used OS versions, Database versions, etc.
- Make sure that you know what is going on in your systems, so implement at least some kind of monitoring that can detect strange behavior
- Know where your risk lies in the complete SAP infrastructure. So do a risk assessment and mitigate at least the high risk vulnerabilities.
- Perform periodic vulnerability assessments, manually or automated ones to stay in control