Page 89 - Cyber Defense eMagazine April 2023

Access section. The SAP Debugger can also be a helpful tool in wiping the evidence of the SAP attack
            since everyone knows the SE16 trick: How to edit SAP tables in Debug Mode using SE16.
            (https://sapboost.com/how-to-edit-sap-table-in-debug-mode-using-se16)

             This, of course, makes it more important to recognize an anomaly in usage behavior. It is even better if
            so-called indicators of compromise are detected at an early stage in order to be able to identify attacks.



            How can you protect yourself?

            Although these functions of the SAP Debugger can be restricted via authorizations, you will quickly notice
            that developers cannot work without extensive authorizations. Of course, the work of the SAP developer
            is mainly done in the development system. Therefore, there is no need to allow SAP Debug authorization,
            especially in combination with change permission of program variables, in a system with productive data.
            So, you should ensure that this critical authorization combination is not, and never will be, assigned in a
            productive SAP environment.

            Use the authorization object "S_DEVELOP" and prevent object type "DEBUG" in combination with
            activity:

               •  ‘02’ - Changing values of fields and (as of Release 6.10) the function >Goto statement, and
               •  ‘90’ - Debugging of sessions of other users.
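
            One way to check role definitions for this combination, as an added example that is not part of the
            original article: it assumes a CSV export of role authorization values in the column layout of table
            AGR_1251; the role names, authorization names and sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of table AGR_1251 (role authorization values).
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_DEV_FULL,S_DEVELOP,T_01,OBJTYPE,*,
Z_DEV_FULL,S_DEVELOP,T_01,ACTVT,*,
Z_SUPPORT,S_DEVELOP,T_02,OBJTYPE,DEBUG,
Z_SUPPORT,S_DEVELOP,T_02,ACTVT,01,03
Z_SPLIT,S_DEVELOP,T_04,OBJTYPE,PROG,
Z_SPLIT,S_DEVELOP,T_04,ACTVT,02,
Z_SPLIT,S_DEVELOP,T_05,OBJTYPE,DEBUG,
Z_SPLIT,S_DEVELOP,T_05,ACTVT,03,
"""

CRITICAL_ACTVT = ("02", "90")  # the two activities named in the article


def covers(value, low, high):
    """True if one LOW/HIGH entry grants `value` (range, '*' or prefix wildcard, exact)."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def find_critical_debug(export_text):
    """Return sorted (role, activity) pairs where one authorization grants DEBUG with 02 or 90."""
    auths = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] == "S_DEVELOP":
            key = (row["AGR_NAME"], row["AUTH"])
            auths[key][row["FIELD"]].append((row["LOW"].strip(), row["HIGH"].strip()))
    findings = set()
    for (role, _auth), fields in auths.items():
        # Field values only combine within one authorization, never across two of them.
        if not any(covers("DEBUG", lo, hi) for lo, hi in fields["OBJTYPE"]):
            continue
        for actvt in CRITICAL_ACTVT:
            if any(covers(actvt, lo, hi) for lo, hi in fields["ACTVT"]):
                findings.add((role, actvt))
    return sorted(findings)


if __name__ == "__main__":
    for role, actvt in find_critical_debug(SAMPLE_EXPORT):
        print(f"{role}: S_DEVELOP OBJTYPE=DEBUG with ACTVT={actvt}")
```

            The Z_SPLIT role is not reported because its change activity and its DEBUG object type sit in separate
            authorizations. Manually built profiles are not covered by a role export and need a separate check.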



            You can achieve additional protection by regularly and promptly analyzing the activities in the associated
            SAP logs, in this case the SAP Security Audit Log (SAL).

            However, this can be very time-consuming. In particular, the reliable detection of anomalies or an
            indicator of compromise for the SAP system requires additional analyses. If you do not have time to do
            this manually, market solutions can help.




            About the Author

            Christoph Nagy has 20 years of working experience within the SAP
            industry. He has utilized this knowledge as a founding member and CEO
            at SecurityBridge, a global SAP security provider, serving many of the
            world's leading brands and now operating in the U.S. Through his efforts,
            the SecurityBridge Platform for SAP has become renowned as a strategic
            security solution for automated analysis of SAP security settings, and
            detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy
            applied his skills as an SAP technology consultant at Adidas and Audi.
            Christoph can be reached online at [email protected].






