Security gaps in 95 percent of all SAP systems


SAP security specialist Onapsis has identified the three most common approaches to cyberattacks on SAP applications. These attack vectors put intellectual property, financial, credit card, customer and supplier data, and information stored in databases of the world's largest companies at high risk.
For their study, Onapsis Research Labs examined hundreds of SAP installations. Ninety-five percent of these SAP systems had vulnerabilities that allowed hackers to gain complete access to the business data and processes of the affected companies.
18 months until a patch is implemented
In addition, researchers found that most organizations take 18 months or longer to implement patches for vulnerabilities they find.
In 2014 alone, SAP released 391 security patches - an average of more than 30 per month! Almost 50 percent of these patches were given a high priority by SAP.
Who is responsible?
"The topic of SAP cyber security is not pursued seriously enough by many companies because it is not clear who is responsible for it - the SAP operations team or the IT security team. This really surprised us," says Mariano Nunez, CEO and founder of Onapsis.
Most of the patches that are applied are not security-relevant, arrive late, or introduce new vulnerabilities into the operation of the SAP system. New data leaks come to light every day without Chief Information Security Officers (CISOs) being aware of them, because they lack visibility into their SAP applications.
The three most common SAP attacks
- Threats to customer and credit card information that exploit data exchange between SAP systems: The attacks start at a system with low security settings and work their way to a business-critical system by executing remote-enabled function modules in the target system.
- Attacks on customer and supplier portals: This involves creating backdoor users in the SAP J2EE user management module. By exploiting a vulnerability, the hackers can gain access to SAP portals and process integration platforms as well as related internal systems.
- Attacks on databases via proprietary SAP protocols: For this attack, operating system commands are executed with the rights of specific users and vulnerabilities in the SAP RFC gateway are exploited. The hacker gains access to any information stored in the SAP database and can modify it.
Conclusion
"The HANA real-time database actually makes the situation worse. The number of new security patches specifically affecting this new platform has increased by 450 percent. In addition, HANA is placed at the center of the SAP ecosystem as a core component. Data stored in SAP platforms now needs to be protected both in the cloud and in the enterprise," Nunez elaborates.
Action Plan for Chief Information Security Officers (CISO)
Companies that run business-critical processes through Business Suite solutions should be sure to follow the latest SAP security guidance. They should also ensure that their systems are properly configured to meet applicable compliance requirements and increase security levels. These activities should follow an action plan that establishes SAP cyber security as part of the corporate strategy and roadmap:
- Establish visibility into SAP-based components to identify the assets at risk.
- Take precautions against security and compliance issues through continuous monitoring.
- Identify new threats, attacks and anomalous user behavior as Indicators of Compromise (IOC) and respond with appropriate measures.