Class 1 Architect / Systems Analyst: Secure ERP Implementation for Architects

ERPs and other enterprise business applications play a significant role in a company’s architecture and business processes. Unfortunately, these systems may easily fall victim to cyberattacks.

What is ERP?

ERP stands for Enterprise Resource Planning system. As the acronym suggests, this system is responsible for managing all of a company's resources. Many years ago, people stored all information about employees, materials, products, clients, etc. on paper; then Excel spreadsheets were used; but later, when the number of employees involved in business processes increased and the need for automation grew significantly, ERP systems appeared. These systems now store and process all the "crown jewels" of a company; however, they also pose a huge risk if not secured properly.

A typical cyber kill chain consists of multiple steps such as initial reconnaissance, initial compromise, establishing a foothold, escalating privileges, gaining access to the mission-critical system, internal reconnaissance and, finally, stealing the data or changing some critical configuration parameters.

There are plenty of security solutions (firewalls, WAFs, endpoint protection systems, etc.) intended to detect or even prevent initial intrusions. They are mostly focused on the first stages of an attack, but some of them can also help when an attacker is already inside the network.

Every year we witness more and more data breaches, even though most victim companies have common security mechanisms in place. This suggests that getting access to a corporate network is not a difficult task for skilled attackers. In my opinion, this situation will not change in the near future: as long as something is valuable, someone will try to steal it.

So, the most reasonable strategy is to protect the most critical assets, and that is a completely different task compared to perimeter protection.

Imagine our network is a castle. The security measures are in place: a moat swarming with crocodiles, castle ramparts, and towers with guards. It seems secure. However, if a mole digs a tunnel under the castle walls and gets inside, the intruder will get access to the treasure, because there is almost no security equipment inside the castle.

In conclusion, it is obvious that we should focus at least on the following areas of cybersecurity:

  • Network security
  • Web application security
  • Endpoint security
  • Identity and access governance
  • Incident detection and response
  • Business application security

The last topic deserves greater attention, as it covers the business-critical processes. To tell the truth, all our networks, web applications, endpoints, and identity systems exist mostly to provide access to business applications such as ERP systems. Without them, all the features of the IT infrastructure turn out to be almost useless.

There are different ERP systems available on the market. The most common are SAP ECC, Oracle EBS, Oracle JDE, Microsoft Dynamics, Infor, etc. Although they differ in details, they are broadly similar and share a 3-tier architecture consisting of a fat client or web browser, an application server (or multiple application servers behind a load balancer), and a database as the backend.

Why should we care?

What can happen if somebody breaks into the most critical assets, such as ERP, SCM (Supply Chain Management) or PLM (Product Lifecycle Management) systems?

  • Espionage (breach of confidentiality) includes theft of financial information, corporate trade secrets, intellectual property and customer data.

  • Sabotage (violation of availability) can take the form of intentional product quality deterioration, production spoilage, equipment corruption, manipulation of the supply chain, compliance violations, and tampering with financial reports.

  • Fraud (violation of integrity). There are different kinds of fraud, which can relate to raw materials, finished goods, financials, etc. Finally, terrorism (such as an explosion) is now also among the cybersecurity risks. All of this can happen because of a single vulnerability in an ERP system.

What is more important, they differ from traditional applications in the following respects:

  • Complexity. As a rule, complexity kills security. Just imagine: SAP's ERP system (238 million lines of code as of 2007) contains more lines of source code than Windows 7, Mac OS Tiger and Debian 5 all together (85 + 65 + 40 million lines of code). So there may be many different vulnerabilities at all levels, from network to application. (http://www.informationisbeautiful.net/visualizations/million-lines-of-code/)

  • Customization. Every business application such as an ERP is more like a framework, on top of which customers develop their own applications in a specific language. For example, programmers use the ABAP language to extend the functionality of SAP systems, applications such as Oracle PeopleSoft are extended in the PeopleCode language, and the X++ language is used to customize Microsoft Dynamics.

  • Criticality. This software is rarely updated, as administrators fear that the systems will break during updates because of backward compatibility requirements and connections to legacy systems. There are even cases of SAP systems that have not been updated for several years. (http://news.softpedia.com/news/five-year-old-sap-vulnerability-affects-over-500-companies-not-36-504043.shtml)

  • Closed nature. ERP systems are mostly available only inside the company, which is why business applications are considered a closed world. Very few security experts have access to them and spend their time studying these systems.

In the next article we will describe typical attack vectors on SAP systems.

Translated from: https://habr.com/en/company/dsec/blog/467173/