SANSFIRE 2014

Baltimore, MD | Sat, Jun 21 - Mon, Jun 30, 2014

Onapsis: Securing SAP Platforms - Hands-on Security Techniques to Protect Business-Critical Infrastructure from Cyber-attacks

This course provides the latest information on SAP-specific cyber-attacks and protection techniques. SAP platforms hold the business-critical information of the largest organizations in the world. While leading companies are protecting their businesses from modern threats against ERP systems, many others remain prone to SAP application-layer vulnerabilities that expose them to espionage, sabotage and financial fraud. In this intensive hands-on course, with more than ten live demonstrations and some twenty exercises, you will learn to answer the following questions:

  1. Do you know how to assess or check whether the organization's SAP Platform is secure?
  2. What is the potential impact to the organization if its SAP Platform is attacked?
  3. Do you know how to prevent the attacks?
  4. What are the best practices to effectively mitigate them and protect business-critical information?

Using free tools is an important part of the course, and you will learn to master Onapsis' Bizploit, the first open-source ERP penetration testing framework. You get real-time feedback on whether your systems are exposed to the critical attack vectors. The hands-on exercises teach the industry-standard methodology for performing SAP application vulnerability assessments, security audits, and penetration tests.

The training in this course is unique and valuable because the instructors have worked with some of the largest companies in the world (thousands of SAP users), understand how SAP systems function in the real world, and stay up to date on common attacks and threats. They have evaluated over 2,000 SAP application servers and found 95% of them exposed to espionage, sabotage, and fraud.

You will understand why Segregation of Duties controls (enforced by strict SAP user roles and profiles) are not enough to protect an SAP system, and how malicious hackers could break into unsecured systems anonymously, without even holding a valid user account. With a unique focus on the SAP application layer, you will learn the key security aspects of several SAP proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAP web applications (Enterprise Portal, WebAS and ITS), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, ABAP code vulnerabilities, and much more.

Previous SAP expertise is NOT required!

Course Syllabus
HST.1: Day 1
Instructors: Juan Perez-Etchegoyen, Marc Roy
Schedule: Sat Jun 21st, 2014, 9:00 AM - 5:00 PM

CPE/CMU Credits: 8

Topics
  • Introduction to SAP
  • Threats
  • Onapsis Bizploit - The ERP Penetration Testing Framework
  • Security of the Environment
    • Secure Architecture
    • SAP Application Level Gateways
      • The SAProuter
      • The SAP Web Dispatcher
  • Security of the OS & DB
    • Security of SAP on Windows environments
    • Security of SAP on UNIX environments
    • Security of SAP with MS SQL Server databases
    • Security of SAP with Oracle databases
  • Security of the SAP Application Layer
    • Authentication Mechanisms
    • User Security
    • Password Policies
    • Authorization Concept

 
HST.2: Day 2
Instructors: Juan Perez-Etchegoyen, Marc Roy
Schedule: Sun Jun 22nd, 2014, 9:00 AM - 5:00 PM

CPE/CMU Credits: 8

Topics
  • Security of the SAP Application Layer
    • RFC and Gateway Security
    • Encryption
    • ABAP (In)Security
    • SAP Backdoors and Rootkits
    • SAP Management Console
    • SAP NetWeaver Java Application Server
  • SAP Web Application Security
    • SAP Internet Transaction Server (ITS)
    • SAP Web Application Server (WebAS)
    • SAP NetWeaver Java & Portal (EP)
  • Securing the Landscape
    • Transport Management System
    • Landscape Configuration
    • Solution Manager
  • Monitoring and Auditing
    • SAP Forensics
    • The Security Audit Log
    • The Audit Information System
    • Open-source and Commercial Software

 
Additional Information
 
  Laptop Required

Students Must Furnish:

  • Personal laptop
  • SSH client
  • SAP GUI

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Information Security Professionals
  • Security Managers
  • Information Assurance & Compliance Professionals
  • Internal Auditors
  • IT/Security Auditors
 
  Prerequisites

General Information Security knowledge. No SAP experience is required.

 
  What You Will Receive

Slide handouts, cheat sheets, and a DVD with free tools.