SAP Cyber-Security for IT Security Practitioners

Presented By: Jordan Santarsieri

SAP is a core part of the business-critical infrastructure of 95% of the biggest companies in the world, these companies rely on SAP to perform their most sensitive daily operations such as processing employees payroll and benefits, managing logistics, managing suppliers / customers, material management, releasing payments to providers, credit cards processing, business intelligence, etc.

This training provides the latest information on SAP specific attacks and remediation / protection activities.

This training starts with an introduction to SAP (No previous SAP knowledge is required), you will learn through several hands-on exercises and demos! how to perform your own vulnerability assessments, audits and penetration tests on your SAP platform,  you will be very well equipped to understand the critical risks your SAP platform may be facing, how to assess them and more importantly, you will know which are the best-practices to effectively mitigate them, pro-actively protecting your business-critical platform.

We take pride in creating the most comprehensive SAP security agenda!

The 2 day course will take place on the 10th & 11th September 2019 in London.
The price is £1,300 (inc VAT). Book your place in our shop now.

Learning Objectives

  • Learn the fundamentals of the SAP Architecture
  • Learn the main default misconfigurations that will allow anyone to completely compromise a vanilla SAP Installation
  • Learn more about the obscure SAP proprietary protocols
  • Learn about the SAP Components and how they collaborate with each other
  • Learn how to attack an SAP system without causing business disruption
  • Learn how to defend an SAP, preventing the most common attacks and hacking techniques

Course Outline

Day 1:

  • Introduction to SAP
  • What SAP security used to be in the past
  • What SAP security is nowadays
  • Introduction to SAP security tools (the open-source way)
  • Securing the SAP Infrastructure
  • SAP Router
  • SAP Web-dispatcher
  • The role of a firewall
  • How to attack and secure: SAP & Windows
  • How to attack and secure: SAP & Unix
  • How to attack and secure: SAP & Oracle
  • How to attack and secure: SAP & HANA
  • Evolution of Hana
  • HANA Internals
  • What is S/4HANA?
  • Authentication mechanisms
  • User Security
  • Password Policy
  • Authorizations
  • SAP Gateway & RFC
  • SAP Message Server
  • SAP Management Console

Day 2:

  • SAP Solution Manager
  • SAP System Landscape Directory
  • ABAP Security
  • SAP Back-doors
  • SAP Updates
  • Encryption
  • SAP ICM (Continued)
  • SAP J2EE
  • Understanding the J2EE Framework
  • Different SAP Web J2EE Applications
  • J2EE Authentication Mechanisms
  • SAP Security Audit Trail
  • How to react in case of an SAP Intrusion
  • SAP Lab – Packet wars! (Game subject to time constraints!!)

Target Audience

Security employees, from both blue teams who wishes to learn how to protect these so-far obscure ERP system and red teams who wishes to learn how to attack this highly critical assets.

Security Consultants who are looking to expand their IT-Security portfolio, SAP administrators / auditors who wishes to learn more about the technical aspects of SAP security.

Student Requirements

The course assumes a reasonable level of familiarity with Linux basics and eagerness to learn new things!

What to Bring

  • Working laptop where you have enough rights to install new software, connect to a wireless network and change your own IP address

Software Requirements

  • Everything you need will be provided by your instructor

Students will be provided with

  • A fully working virtualized platform containing everything you will need for the training!

About the Trainer

Lead Instructor – Jordan Santarsieri (@jsantarsieri)

Mr Santarsieri is a founder partner at Vicxer where he utilizes his 12+ years of experience in the security industry, to bring top notch research into the ERP (SAP / Oracle) world.

He is engaged in a daily effort to identify, analyze, exploit and mitigate vulnerabilities affecting ERP systems and business-critical applications, helping Vicxer’s customers (Global Fortune-500 companies and defense contractors) to stay one step ahead of cyber-threats.

Jordan has also discovered critical vulnerabilities in Oracle and SAP software and is a frequent speaker at international security conferences such as Black-Hat, Insomnihack, YSTS, Auscert, Sec-T, Rootcon, NanoSec, Hacker Halted, OWASP US, 8dot8, DragonJAR and Ekoparty.

Book your 44CON 2018 training course now!