SAP is run by over 250,000 customers worldwide, including 98 percent of the 100 most valued brands. Despite housing an organization’s most valuable and sensitive information, SAP systems are not protected from cyber threats by traditional security approaches.
Based on assessments of hundreds of SAP implementations, the Onapsis Research Labs study found that over 95 percent of SAP systems were exposed to vulnerabilities that could lead to full compromise of the company’s business data and processes.
Most companies are also exposed to protracted patching windows averaging 18 months or more. In 2014 alone, 391 security patches were released by SAP, averaging more than 30 per month. Almost 50 percent of them were ranked as “high priority” by SAP.
“The big surprise is that SAP cybersecurity is falling through the cracks at most companies due to a ‘responsibility’ gap between the SAP Operations team and the IT Security team,” said Mariano Nunez, CEO of Onapsis.
The top three common cyber attack vectors on SAP systems:
Onapsis Research Labs analyzed thousands of vulnerabilities to identify the three most commonly used approaches for hacking into business-critical data hosted in SAP applications, as well as disrupting key business processes:
1. Customer and supplier portal attacks. Backdoor users are created in the SAP J2EE User Management Engine. By exploiting different critical vulnerabilities, the hacker can obtain access to SAP Portals and Process Integration platforms and their connected, internal systems.
2. Direct attacks through SAP proprietary protocols. This attack is performed by executing operating system commands under the privileges of the SAP administrator, and by exploiting vulnerabilities in the SAP RFC Gateway. The hacker is able to obtain and potentially modify any business information stored in the SAP database.
3. Customer information and credit card breaches using pivoting between SAP systems. The attack begins with a pivot from a system with lower security to a critical system in order to execute remote function modules in the destination system.
Retail, oil and gas, manufacturing, pharma and other Global 2000 organizations running critical business process in SAP Business Suite solutions are urged to stay up to date with the latest SAP Security Notes, and to ensure their systems are configured properly in order to meet compliance requirements and strengthened security. These should be part of an action plan to add SAP cybersecurity to the organization’s strategy and roadmap:
- Gain visibility into SAP-based assets to determine the “value at risk”
- Prevent security and compliance issues through continuous monitoring
- Detect and respond to new threats, attacks or user behavior anomalies as indicators of compromise (IOCs).