The CIS Critical Security Controls are a set of internationally recognized standards outlining the most important cyber hygiene actions that every organization should implement to protect their IT networks.
They are highly regarded by the global IT community because they are developed, refined, validated, and updated by experts who draw on data from a variety of public and private threat sources. They are transforming security in government agencies and other large enterprises by focusing spending on the key controls that block known attacks and find the ones that get through.
“Direct attacks on ERP systems such as SAP are being disclosed more frequently, validating the assumption that even complex applications housed in secure facilities need specific protection and that safeguarding them should be a top priority. Attacks aimed directly at complex, mission-critical applications result in extraordinary costs and impact to the business,” according to Barbara Filkins, a senior SANS analyst.
“To protect an SAP system, start by looking retroactively at current configurations to be sure they’re up to date with the latest patches and that they are continually monitoring unauthorized user behavior and advanced threats,” Filkins added.
Following recent attacks aimed at SAP systems, SANS has mapped SAP cybersecurity to the Critical Security Controls list for the first time. SANS advises an approach that is largely application-oriented, but that also applies network restrictions to the underlying network devices and firewalls, in addition to closing loopholes through operational procedures and training.
Step 1: Tailor Enterprise Processes (CIS Controls 1, 2, 3, 4, 5, 6, 10, 13, 14, 16).
Step 2: Secure the Landscape (CIS Controls 3, 7, 9, 10, 11, 12, 18).
Step 3: Configure the Technical Controls (CIS Controls 2, 3, 4, 5, 6, 8, 13, 14, 16).
Step 4: Create the Human Action Framework (CIS Controls 17, 19, 20).
“This initiative from SANS is an extremely important step of integrating SAP cybersecurity into the complex security management process. Along with our colleagues, we have been putting emphasis on the significance of this area since 2007. SAP cybersecurity was a topic of great importance and certainly the level of awareness was rather high; nonetheless, until the recent incidents, people who were interested in SAP security did not have any convincing source to refer to which would make C-level managers support the initiative,” Alexander Polyakov, CTO at ERPScan, told Help Net Security.