2-DAY TRAINING 6: SAP Cyber Security

DURATION: 2 DAYS

CAPACITY: 20 pax

SEATS AVAILABLE: ONLINE REGISTRATION IS CLOSED

PRICE: EUR1499 (early bird)

EUR1999 (normal)

Early bird registration rate ends on the 14th of February

Overview

In the present, all the big business have come to depend greatly on SAP’s Enterprise Business applications. These systems store and process all of the companies’ critical data. Unfortunately, there exists very little information about security of these systems, how to break them during penetration tests, and how to configure them securely to prevent cyber attacks. This training will help you to learn a new topic – SAP Cyber Security.

Who Should Attend

This class can essentially benefit two categories of people. First one is penetration testers and security consultants who want to learn how to assess SAP Applications. Another category consists of Security engineers, administrators who are responsible for the security of business-critical SAP applications such as ERP systems.

Key Learning Objectives

Participants will learn:

  • How to provide security assessment of SAP systems
  • How to Secure SAP systems from attackers
  • Practical experience from world-known experts

Prerequisite knowledge

  • Basic IT Security knowledge

Hardware / Software requirements

  • Laptop with at least 4 GIGs of RAM
  • Wi-Fi on board
  • Windows 7 or higher on laptop or in Virtual machine
  • Software:
  • SAPGui 7.3
  • Firefox with TamperData
  • Burp Proxy
  • Perl
  • Python
  • Nmap

Agenda (day 1 / day 2) including topics covered

  • Introduction to SAP Security
  • Why we should care;
  • History of SAP security;
  • Current situation in SAP security;
  • SAP attack features;
  • SAP defense features;
  • Methodologies for ERP/SAP security (EAS-SEC);
  • Network level;
  • Open ports;
  • Protocol security;
  • Trusted systems;
  • Securing network;
  • OS level SAP Security
  • SAP-specific OS vulnerabilities;
  • Critical SAP data in OS;
  • From OS to SAP;
  • From SAP to OS;
  • Securing OS;
  • Database level Security
  • Critical database data;
  • Attacking database;
  • From database to SAP;
  • From SAP to database;
  • Securing database;
  • Client-side security
  • Attacking ActiveX components;
  • GUI scripting attacks;
  • Collecting critical data;
  • Advanced attack combinations and Trojans;
  • NetWeaver Application Server ABAP – Services
  • SAP Gateway;
  • SAP Message Server;
  • SAP Dispatcher;
  • SAP ICM;
  • SAP ITS;
  • SAProuter;
  • SAP HostControl;
  • Other services;
  • NetWeaver Application Server ABAP – Authorization Model
  • Authorization concept
  • Problems of SAP tools for checking authorizations
  • Critical Transactions
  • Critical Reports
  • Access to OS
  • Access to Tables
  • Segregation of Duties (SoD)
  • NetWeaver Application Server ABAP – ABAP Code security
  • Secure development
  • Improper Authorization
  • Injections ABAP/SQL
  • Access to OS/Traversals
  • Generic calls
  • Backdoors
  • NetWeaver Application Server JAVA
  • Visual Admin;
  • Web applications;
  • SAP Portal;
  • SAP SDM;
  • SAP Log Viewer;
  • SAP Business Objects
  • Apache Tomcat
  • Web application Container
  • CMS (Central Management Server)
  • SIA (Server Intelligence Agent)
  • Version Management
  • Database
  • SAP HANA
  • Database
  • XS Engine
  • Trexnet
  • Encryption
  • SAP Mobile Platform
  • SAP Control Center
  • SAP SQL Anywhere (can be any other database)
  • SAP Mobile server services
  • SAP Afaria
  • Administrator console
  • XcListener
  • AfariaIphoneServer
  • Afaria API (http)
  • Securing SAP Systems
  • Penetration testing
  • Security Assessment
  • Compliance
  • SAP Security Guidelines
  • ISACA Guidelines
  • DSAG Guidelines
  • EAS-SEC Guidelines
  • Code Security
  • SoD
  • Forensics

TRAINING
Location: NH Krasnapolsky Date: May 24, 2016 Time: 9:00 am - 6:00 pm Dmitry Chastuhin Mathieu Geli