Business systems finally under attack
Feb 15th, 2014 by Jesper Kråkhede
I have returned to the problem of business systems being left out of a pen-test. ‘They are way too critical for us to take the risk of a test. Besides, they are way too complex for a hacker to understand.’ When has that ever stopped a hacker?
During an architectural review a few years back I showed that a security setup built on zones was faulty. They had put the servers in one zone and the clients in another. The reasoning was that the servers contained all the critical data and that a client could only access a server after logging onto it. I described how I, with a trojan on a client, could get full access to their SAP system and register myself as a valid consultant, which would give me full access to all their buildings.
Interestingly enough, it took quite a few hours of explaining before they understood that from a client you could access the server, and that it wasn't about sorting through a database and trying to insert the right data into it, but about using the standard flow in their SAP installation.
Funnily enough, Trojans that target SAP have started to appear.