Operations
2/26/2016
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

5 Reasons SAP Security Matters

New research shows many organizations may not realize the threat posed by vulnerabilities in SAP applications.

SAP enterprise applications play a mission-critical role at countless organizations around the world, yet relatively little is discussed about the potential consequences of successful cyberattacks on these apps.

Unlike the continuous spotlight on Windows vulnerabilities -- and increasingly on Android malware -- flaws in enterprise platforms like SAP have remained largely under the radar despite the potentially bigger consequences of an attack.

New research conducted by the Ponemon Institute on behalf of Onapsis Inc., shows that a majority of IT and IT security professionals are aware of the risks of a SAP cyber breach but that senior executives are underestimating it greatly. Of the 607 technology professionals that Ponemon surveyed, 60% feared that the impact of an attack on their SAP applications would be catastrophic. But only 21% of senior leadership were aware of the risk or shared that concern.

“Worryingly, while survey data indicates SAP breaches are expected to increase, there is no single group or job function most accountable,” Larry Ponemon, chairman and founder of the Ponemon Institute said in a statement. “It appears that SAP cybersecurity is falling through the cracks between the SAP security teams and InfoSec teams, who need to step up to bridge the gap and make it a priority.”  

Here are five key takeaways from the Ponemon report:

SAP applications can be buggy.

Seventy percent of IT and IT security professionals think it is either very likely or likely that their SAP platforms have at least one and possibly more malware infections. Survey respondents ranked SAP’s content and collaboration applications as the most vulnerable to attack followed by its data management, CRM, and ERP technologies. Enterprises on average experienced two SAP-related breaches every 24 months.

According to a paper presented by Onapsis at the RSA Conference in 2015, SAP released a total of 391 security patches in 2014, nearly 46% of which it considered as “high priority.” Onapsis claimed that 95% of the SAP applications that it has reviewed are exposed to vulnerabilities that could lead to a total compromise of a company’s data and business processes.

Breaches of SAP applications are unlikely to be detected quickly.

Only 25% of the survey respondents said they were "confident" or "very confident" of being able to discover a SAP application breach immediately. In a majority of the remaining cases, respondents suggested their organizations would take a significantly longer time to discover a SAP data breach. For example, 41% of respondents expressed confidence about being able to detect a SAP breach in one month, while 53% said they felt most confident about finding a breach within one year.

Enterprises don’t apply SAP application patches quickly.

Many organizations are really reluctant to deploy SAP security patches because of fears of service disruption, says Mariano Nunez, CEO of Onapsis. Though SAP has been responding faster to security problems in its products, the same is not true of the enterprises running the company’s apps, he says. 

“We have in fact seen some organizations that have never applied SAP security patches at all, and only increase the security of the platforms when they do functional upgrades, which is usually once or twice a year,” he says.

Part of the reason is that SAP is used in such business-critical processes that enterprises often are more concerned about a faulty patch breaking critical applications and resulting in direct revenue loss.

No one really owns SAP security.

“Our research shows that many organizations don’t have one person, function, or department with overall responsibility for SAP security,” Ponemon says.“This may be due, at least in part, to shadow IT pressure and migration to the cloud.”

When respondents in the survey were asked who within their organizations would be responsible if a SAP system breach occurred, 30% said no one would be responsible. About 26% said it would be the CIO, while 18% pointed to the CISO. Based on the survey results “the CIO organization and lines of business appear to be the most likely “owners” of SAP security today,” Ponemon says.

Somewhat surprisingly, 54% said it was SAP’s responsibility -- not their organization's -- to ensure the security of the application and platform.

Attacks against SAP platforms will increase.

This is somewhat of a given considering the rapidly evolving threat landscape, But 47% of the respondents expected the frequency of attacks against their SAP infrastructure to increase over the next two years, while 54% expected such attacks to become more sophisticated and stealthy.

Adding to the concerns is the proliferation of IoT, Big Data, cloud, and mobile applications -- all of which will increase the SAP attack surface, according to the survey respondents.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sergy12
50%
50%
sergy12,
User Rank: Apprentice
2/28/2016 | 1:00:03 PM
right
It is very important and good reson.I agree with everywords.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.