One of the biggest cybersecurity surprises of note is the large number of breaches announced this year that, according to fact-finding at The Onapsis Research Labs, were exposed through SAP and other enterprise ERP systems.
A month ago, new evidence came to light about a high profile two-year-old breach at US Investigations Services (USIS), a contractor in charge of conducting federal background checks. The USIS breach made headlines because it was the first public proof that an SAP vulnerability was the origin of an attack leading to the theft of personal information about federal employees and contractors with access to classified intelligence.
Weeks later we heard about a new breach, this time directly against the Office of Personnel Management, compromising 4 million current and former federal employees’ personal information. Subsequent reports disclosed that the exposed information could be even more widespread. In a letter to OPM Director J. David Cox, national president of the American Federation of Government Employees (AFGE) claimed “Based on the sketchy information OPM has provided, we believe that the Central Personnel of Data File [CPDF] was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.”
These are not isolated cases. And while I cannot confirm which kind of system OPM is using for the CPDF database, taking into account public information, most likely OPM is using an ERP-based system to hold and report federal employment statistics.
More concerning, the last weeks have shown that business-critical applications are rapidly becoming one of the most valuable targets for cybercriminals and cyberespionage. SAP and Oracle are releasing tons of patches every month, but are enterprises up to the task? As these enterprises contain complex infrastructures and patching and configuration are complex tasks, I have my doubts.
In order to properly secure these enterprise applications against these and other threats, many things need to happen within a company, among them:
- a strict patch management process
- security and configurations change management processes, and
- a security threats monitoring program.
There are also many actors within the SAP security landscape, all of whom need to understand the latest cybersecurity risks affecting SAP systems. Four key issues for key players include:
IT Security & CISO
If you are part of the IT Security staff, or even the CISO, then you are probably familiar with feeling a lack of control around the security of your SAP landscapes. Understanding the risks and how to mitigate them is a powerful tool necessary for gaining visibility into the most critical systems of the company.
SAP BASIS Administrators
System configurations, implementation of patches, system upgrades and other tasks are very relevant from a security standpoint, as they could have a big impact to how secure the systems eventually are over time. It’s important to understand which of the changes or actions you apply on the systems could actually have negative impact in terms of security.
If you are an auditor, you should know that most of the big auditing firms are already including SAP cybersecurity as part of their audits. Understanding how to audit the technical layer will eventually become a requirement for security audits of SAP systems.
While doing external or internal penetration tests, and depending on the scope defined by your client, you will likely find SAP systems connected to the network. Because SAP systems are part of a complex scenario, you need to understand all components, and how each one could be vulnerable, depending on the patches and configurations that were applied. This will clearly define how successful an SAP penetration test would be.
[Learn more from JP about how to assess, exploit and defend SAP platforms during his training session on SAP-specific attacks and protection techniques, Black Hat 2015, Las Vegas August 3-4.]