Learn, hack!

URL

https://media.blackhat.com/bh-dc-11/Smith-Polyakov/BlackHat_DC_2011_Smith-Polyakov_Forgotten_World2-wp.pdf

File name

BlackHat_DC_2011_Smith-Polyakov_Forgotten_World2-wp.pdf

File size

406.9 KB

MD5

cdcc9367b33bc3f3c85410d78b5cbfc7

SHA1

c6374a22b8fae00b2a1a8e0b1a752bf2d48fef12

Do you know where are all critical company data is stored? Do you know how easily you can be attacked by cybercriminals targeting this data? How can attacker sabotage or commit espionage against your company just having access to one system? Amidst SCADA, Win 7, and the Cloud there is a type of critical system no one is talking about. Enterprise Resource Planning (ERP). All that is needed is to gain access to the corporate business application infrastructure, specifically systems such as ERP, Customer Relationship Management (CRM), and Supplier Relationship Management (SRM). If an attacker seeks to gather critical financial, personnel, or other sensitive data, these are the types of systems where it is stored. These systems are often also trusted and connected to other secure systems such as banking client workstations as well as SCADA systems. These days most companies have strong security policies and patch management as it applies to standard networks and operating systems, but these rarely exist or are in place for ERP type systems. An attacker can bypass all of a companies investments in security by attacking an ERP system. We will show examples of different custom business applications including custom as well as the more popular ones and previously unknown vulnerabilities that can be exploited to gain unauthorized access to critical business data. Many of these type vulnerabilities cannot be easily patched because they are design flaws or business logic problems requiring a redesign of the system.