PenTest: ERP Software Pentesting

Description

Dear PenTest Readers,

In the current issue, we would like to take a closer look at three spheres of cybersecurity, which have been definitely gaining importance recently. First of them is ERP security. With the recent publications on 10KBLAZE PoC exploits for old SAP configurations, all eyes in the infosec world turned to risk of severe attacks directed to the most popular ERP software system. Our contributors will provide you with insight into SAP security - optimization, procedures, and regulations, and the security of E/C systems.

Secondly, one of the highlights of this issue is the article on the topic of Insider Threats and a White Hat approach to it. Mr. Mike Muscatell, a seasoned IT veteran and acclaimed author, presents the comprehensive, diligent, and innovative perspective on this type of threat. We are under an impression that Insider Threats are an underestimated topic in cybersecurity media, so with this publication we want to give the incentive for further and more vivid discussion about this type of danger.

Thirdly, we start our series of publications related to Threat Modeling, which is going to be continued in the next issue as well. Threat Modeling is a fascinating topic to study and - without any doubt - crucial to our readers. Our contributors discuss the most common challenges associated with it, analyze it in the context of IoT and popular software.

Last but not least, let’s not forget about articles on the other topics. Bruce Williams, one of our regular contributors, emphasizes the importance of critical thinking in pentesting, discussing the aspect of motivation for hacking. Jose Rodriguez covers areas which are explored in the process of Red Team engagement from the perspective of the Blue Team.

As you can see, we have included loads of various topics for you this time. We hope you enjoy it!

Without further ado,
Enjoy the content!
PenTest Magazine’s Editorial Team.

If you are already a subscriber get your copy here

---

Table of Contents

---

How to Optimize Your SAP Security

by Christoph Nagy

No application is ever invulnerable, even SAP. Attackers will always be changing their attack vectors, and signatures are, by default, a retroactive response to a known threat. There will always be unknown threats, applications that simply cannot be patched, and custom code that contains vulnerabilities for which there are no commercial patches. Experienced security advisors therefore work with a risk-based approach. Gaining actionable intelligence about the risky actions conducted within the daily operations is one key aspect of the task. To complete the picture, SAP systems can create detailed protocols, although many important pieces of security information are not recorded automatically, therefore, the system administrator needs to activate the recording.

---

White Hat Approach to Insider Threats   [FULL ARTICLE INSIDE THE FREE PREVIEW VERSION]

by Mike Muscatell

Several publications reference the employee as the prime concern for any organization when talking about insider threats. While this is true, the focus most of the time is on those who are disgruntled and former employees but what about the ones that do not fit those characterizations? What about the employee that is curious coupled with too much access? These employees are typically well known, dependable and trusted. While this would be considered a "good" employee, the "bad" part of it is also the fact that they are trusted, dependable and in some cases out of sight. Some of these individuals could be referred to as malicious insider hackers. This could be anyone!

---

SAP Security Response - The Firefighters of SAP Security

by Rohit Nambiar

The response team is not entirely internal to SAP. At SAP, we work as a team with security researchers from around the world to ensure our products remain secure. We interact daily with several security organizations/researchers, discussing their findings on our products. We share a sense of mutual respect with them wherein they come to us to report a security vulnerability, and we in turn work with them to get it fixed and roll it out to our customers. In addition, we also publicly acknowledge their efforts towards keeping us secure.

---

The Security of E/C Systems

by Hanno Horrmeyer

It is the nature of E/C systems to contain crucial company data and provide multiple departments of a company with appropriate functionality. This increases the imposed threat by an attack-scenario tremendously with loss of highly sensitive data to a denial of service of the entire company operations being two examples. The financial damage that goes along with an E/C system attack can be estimated to be at the very top of the imaginable worst cases that can occur to a business.

---

Threat Modeling Common Challenges

by Sandeep Kumar Singh

Due to the intricacies involved, threat modeling could be quite a challenging task, not just for beginners but even for the experienced professional. Delivering a meaningful threat model requires a lot of time, effort and focus. There are no easy shortcuts to achieve this; though a disciplined approach and strong analytical ability will surely aid you in making a good threat model. There are multiple other operations and technical aspects that could impact the quality of threat modeling being delivered.

---

Easy Threat Modeling with the Microsoft Threat Modeling Tool

by Mauricio Harley

I created a sample model for this article. My application consists of a two-tier web application. The user interacts with the web server through a browser. This web server, in its turn, talks to a database server through SQL. There is also some communication with external actors, such as another user, a device and another system. This “another system” can be interpreted as another application.

---

Importance of Threat Modeling in Current IoT World Scenario

by Jalasutram Sai Praveen Kumar

There are various other famous threat models currently existing in the IoT information security domain. Some of them include S.T.R.I.D.E (Spoofing of user identity, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), P.A.S.T.A. (Process for Attack Simulation and Threat Analysis), O.C.T.A.V.E. (Operationally Critical Threat, Asset, and Vulnerability Evaluation), C.V.S.S. (Common Vulnerability Scoring System), V.A.S.T. (Visual, Agile, and Simple Threat modeling), and many more. Depending on the needs and requirements of any company, it can strategize its own threat model to meet the required information security compliance standard.

---

IoT and Its Security Challenges

by Manish Kumar Yadav 

Most of the IoT gateway technology that has processing capabilities runs on flavors of the Linux operating system while using different kinds of processor architectures. It is using the latest industrial package edge computing capabilities called microservices and deploying them within containers on IoT gateways or fog nodes. Containers provide security through isolation and they also serve as deployment units that simplify lifecycle management through less interdependency and complexity.

---

Critical Thinking in Cybersecurity

by Bruce Williams

My background was to protect IP. I would track loss and take action under a Breach of Confidentiality law. It had three elements. Information not in the public domain, information that was treated as confidential and acquired during the course of employment. The same motivation exists today, and the following section shows why it is important. I think of two types of targets, IP business and general. The first is IP.

---

The Red of Blue

by Jose Rodriguez

This article covers some areas typically explored when performing a Red Team engagement, however, from a Blue side perspective. This would allow the defenders a more proactive approach to threat hunting and securing the environment, in addition to discovering what already has taken place and is unknown to the Blue Team.

---