Operations

2/26/2016
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

5 Reasons SAP Security Matters

New research shows many organizations may not realize the threat posed by vulnerabilities in SAP applications.

SAP enterprise applications play a mission-critical role at countless organizations around the world, yet relatively little is discussed about the potential consequences of successful cyberattacks on these apps.

Unlike the continuous spotlight on Windows vulnerabilities -- and increasingly on Android malware -- flaws in enterprise platforms like SAP have remained largely under the radar despite the potentially bigger consequences of an attack.

New research conducted by the Ponemon Institute on behalf of Onapsis Inc., shows that a majority of IT and IT security professionals are aware of the risks of a SAP cyber breach but that senior executives are underestimating it greatly. Of the 607 technology professionals that Ponemon surveyed, 60% feared that the impact of an attack on their SAP applications would be catastrophic. But only 21% of senior leadership were aware of the risk or shared that concern.

“Worryingly, while survey data indicates SAP breaches are expected to increase, there is no single group or job function most accountable,” Larry Ponemon, chairman and founder of the Ponemon Institute said in a statement. “It appears that SAP cybersecurity is falling through the cracks between the SAP security teams and InfoSec teams, who need to step up to bridge the gap and make it a priority.”  

Here are five key takeaways from the Ponemon report:

SAP applications can be buggy.

Seventy percent of IT and IT security professionals think it is either very likely or likely that their SAP platforms have at least one and possibly more malware infections. Survey respondents ranked SAP’s content and collaboration applications as the most vulnerable to attack followed by its data management, CRM, and ERP technologies. Enterprises on average experienced two SAP-related breaches every 24 months.

According to a paper presented by Onapsis at the RSA Conference in 2015, SAP released a total of 391 security patches in 2014, nearly 46% of which it considered as “high priority.” Onapsis claimed that 95% of the SAP applications that it has reviewed are exposed to vulnerabilities that could lead to a total compromise of a company’s data and business processes.

Breaches of SAP applications are unlikely to be detected quickly.

Only 25% of the survey respondents said they were "confident" or "very confident" of being able to discover a SAP application breach immediately. In a majority of the remaining cases, respondents suggested their organizations would take a significantly longer time to discover a SAP data breach. For example, 41% of respondents expressed confidence about being able to detect a SAP breach in one month, while 53% said they felt most confident about finding a breach within one year.

Enterprises don’t apply SAP application patches quickly.

Many organizations are really reluctant to deploy SAP security patches because of fears of service disruption, says Mariano Nunez, CEO of Onapsis. Though SAP has been responding faster to security problems in its products, the same is not true of the enterprises running the company’s apps, he says. 

“We have in fact seen some organizations that have never applied SAP security patches at all, and only increase the security of the platforms when they do functional upgrades, which is usually once or twice a year,” he says.

Part of the reason is that SAP is used in such business-critical processes that enterprises often are more concerned about a faulty patch breaking critical applications and resulting in direct revenue loss.

No one really owns SAP security.

“Our research shows that many organizations don’t have one person, function, or department with overall responsibility for SAP security,” Ponemon says.“This may be due, at least in part, to shadow IT pressure and migration to the cloud.”

When respondents in the survey were asked who within their organizations would be responsible if a SAP system breach occurred, 30% said no one would be responsible. About 26% said it would be the CIO, while 18% pointed to the CISO. Based on the survey results “the CIO organization and lines of business appear to be the most likely “owners” of SAP security today,” Ponemon says.

Somewhat surprisingly, 54% said it was SAP’s responsibility -- not their organization's -- to ensure the security of the application and platform.

Attacks against SAP platforms will increase.

This is somewhat of a given considering the rapidly evolving threat landscape, But 47% of the respondents expected the frequency of attacks against their SAP infrastructure to increase over the next two years, while 54% expected such attacks to become more sophisticated and stealthy.

Adding to the concerns is the proliferation of IoT, Big Data, cloud, and mobile applications -- all of which will increase the SAP attack surface, according to the survey respondents.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sergy12
50%
50%
sergy12,
User Rank: Apprentice
2/28/2016 | 1:00:03 PM
right
It is very important and good reson.I agree with everywords.
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10008
PUBLISHED: 2019-04-24
Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login a...
CVE-2019-9950
PUBLISHED: 2019-04-24
Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an authentication bypass vulnerability. The login_mgr.cgi file checks credentials agains...
CVE-2019-9951
PUBLISHED: 2019-04-24
Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an unauthenticated file upload vulnerability. The page web/jquery/uploader/uploadify.php...
CVE-2018-10055
PUBLISHED: 2019-04-24
Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file.
CVE-2018-7577
PUBLISHED: 2019-04-24
Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory.