Dark Reading is part of the Informa Tech Division of Informa PLC


Operations

2/26/2016
05:25 PM
5 Reasons SAP Security Matters

New research shows many organizations may not realize the threat posed by vulnerabilities in SAP applications.

SAP enterprise applications play a mission-critical role at countless organizations around the world, yet relatively little is discussed about the potential consequences of successful cyberattacks on these apps.

Unlike the continuous spotlight on Windows vulnerabilities -- and increasingly on Android malware -- flaws in enterprise platforms like SAP have remained largely under the radar despite the potentially bigger consequences of an attack.

New research conducted by the Ponemon Institute on behalf of Onapsis Inc. shows that a majority of IT and IT security professionals are aware of the risks of a SAP cyber breach, but that senior executives are greatly underestimating it. Of the 607 technology professionals that Ponemon surveyed, 60% feared that the impact of an attack on their SAP applications would be catastrophic. But only 21% of senior leadership were aware of the risk or shared that concern.

“Worryingly, while survey data indicates SAP breaches are expected to increase, there is no single group or job function most accountable,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. “It appears that SAP cybersecurity is falling through the cracks between the SAP security teams and InfoSec teams, who need to step up to bridge the gap and make it a priority.”

Here are five key takeaways from the Ponemon report:

SAP applications can be buggy.

Seventy percent of IT and IT security professionals think it is either very likely or likely that their SAP platforms have at least one and possibly more malware infections. Survey respondents ranked SAP’s content and collaboration applications as the most vulnerable to attack followed by its data management, CRM, and ERP technologies. Enterprises on average experienced two SAP-related breaches every 24 months.

According to a paper presented by Onapsis at the RSA Conference in 2015, SAP released a total of 391 security patches in 2014, nearly 46% of which it considered “high priority.” Onapsis claimed that 95% of the SAP applications it has reviewed are exposed to vulnerabilities that could lead to a total compromise of a company’s data and business processes.

Breaches of SAP applications are unlikely to be detected quickly.

Only 25% of the survey respondents said they were "confident" or "very confident" of being able to discover a SAP application breach immediately. In a majority of the remaining cases, respondents suggested their organizations would take a significantly longer time to discover a SAP data breach. For example, 41% of respondents expressed confidence about being able to detect a SAP breach in one month, while 53% said they felt most confident about finding a breach within one year.

Enterprises don’t apply SAP application patches quickly.

Many organizations are really reluctant to deploy SAP security patches because of fears of service disruption, says Mariano Nunez, CEO of Onapsis. Though SAP has been responding faster to security problems in its products, the same is not true of the enterprises running the company’s apps, he says.

“We have in fact seen some organizations that have never applied SAP security patches at all, and only increase the security of the platforms when they do functional upgrades, which is usually once or twice a year,” he says.

Part of the reason is that SAP is used in such business-critical processes that enterprises often are more concerned about a faulty patch breaking critical applications and resulting in direct revenue loss.

No one really owns SAP security.

“Our research shows that many organizations don’t have one person, function, or department with overall responsibility for SAP security,” Ponemon says. “This may be due, at least in part, to shadow IT pressure and migration to the cloud.”

When respondents in the survey were asked who within their organizations would be responsible if a SAP system breach occurred, 30% said no one would be responsible. About 26% said it would be the CIO, while 18% pointed to the CISO. Based on the survey results, “the CIO organization and lines of business appear to be the most likely ‘owners’ of SAP security today,” Ponemon says.

Somewhat surprisingly, 54% said it was SAP’s responsibility -- not their organization's -- to ensure the security of the application and platform.

Attacks against SAP platforms will increase.

This is somewhat of a given considering the rapidly evolving threat landscape, but 47% of the respondents expected the frequency of attacks against their SAP infrastructure to increase over the next two years, while 54% expected such attacks to become more sophisticated and stealthy.

Adding to the concerns is the proliferation of IoT, Big Data, cloud, and mobile applications -- all of which will increase the SAP attack surface, according to the survey respondents.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments
sergy12, User Rank: Apprentice
2/28/2016 | 1:00:03 PM
right
It is very important and a good reason. I agree with every word.