Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

2/26/2016
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

5 Reasons SAP Security Matters

New research shows many organizations may not realize the threat posed by vulnerabilities in SAP applications.

SAP enterprise applications play a mission-critical role at countless organizations around the world, yet relatively little is discussed about the potential consequences of successful cyberattacks on these apps.

Unlike the continuous spotlight on Windows vulnerabilities -- and increasingly on Android malware -- flaws in enterprise platforms like SAP have remained largely under the radar despite the potentially bigger consequences of an attack.

New research conducted by the Ponemon Institute on behalf of Onapsis Inc., shows that a majority of IT and IT security professionals are aware of the risks of a SAP cyber breach but that senior executives are underestimating it greatly. Of the 607 technology professionals that Ponemon surveyed, 60% feared that the impact of an attack on their SAP applications would be catastrophic. But only 21% of senior leadership were aware of the risk or shared that concern.

“Worryingly, while survey data indicates SAP breaches are expected to increase, there is no single group or job function most accountable,” Larry Ponemon, chairman and founder of the Ponemon Institute said in a statement. “It appears that SAP cybersecurity is falling through the cracks between the SAP security teams and InfoSec teams, who need to step up to bridge the gap and make it a priority.”  

Here are five key takeaways from the Ponemon report:

SAP applications can be buggy.

Seventy percent of IT and IT security professionals think it is either very likely or likely that their SAP platforms have at least one and possibly more malware infections. Survey respondents ranked SAP’s content and collaboration applications as the most vulnerable to attack followed by its data management, CRM, and ERP technologies. Enterprises on average experienced two SAP-related breaches every 24 months.

According to a paper presented by Onapsis at the RSA Conference in 2015, SAP released a total of 391 security patches in 2014, nearly 46% of which it considered as “high priority.” Onapsis claimed that 95% of the SAP applications that it has reviewed are exposed to vulnerabilities that could lead to a total compromise of a company’s data and business processes.

Breaches of SAP applications are unlikely to be detected quickly.

Only 25% of the survey respondents said they were "confident" or "very confident" of being able to discover a SAP application breach immediately. In a majority of the remaining cases, respondents suggested their organizations would take a significantly longer time to discover a SAP data breach. For example, 41% of respondents expressed confidence about being able to detect a SAP breach in one month, while 53% said they felt most confident about finding a breach within one year.

Enterprises don’t apply SAP application patches quickly.

Many organizations are really reluctant to deploy SAP security patches because of fears of service disruption, says Mariano Nunez, CEO of Onapsis. Though SAP has been responding faster to security problems in its products, the same is not true of the enterprises running the company’s apps, he says. 

“We have in fact seen some organizations that have never applied SAP security patches at all, and only increase the security of the platforms when they do functional upgrades, which is usually once or twice a year,” he says.

Part of the reason is that SAP is used in such business-critical processes that enterprises often are more concerned about a faulty patch breaking critical applications and resulting in direct revenue loss.

No one really owns SAP security.

“Our research shows that many organizations don’t have one person, function, or department with overall responsibility for SAP security,” Ponemon says.“This may be due, at least in part, to shadow IT pressure and migration to the cloud.”

When respondents in the survey were asked who within their organizations would be responsible if a SAP system breach occurred, 30% said no one would be responsible. About 26% said it would be the CIO, while 18% pointed to the CISO. Based on the survey results “the CIO organization and lines of business appear to be the most likely “owners” of SAP security today,” Ponemon says.

Somewhat surprisingly, 54% said it was SAP’s responsibility -- not their organization's -- to ensure the security of the application and platform.

Attacks against SAP platforms will increase.

This is somewhat of a given considering the rapidly evolving threat landscape, But 47% of the respondents expected the frequency of attacks against their SAP infrastructure to increase over the next two years, while 54% expected such attacks to become more sophisticated and stealthy.

Adding to the concerns is the proliferation of IoT, Big Data, cloud, and mobile applications -- all of which will increase the SAP attack surface, according to the survey respondents.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
sergy12
50%
50%
sergy12,
User Rank: Apprentice
2/28/2016 | 1:00:03 PM
right
It is very important and good reson.I agree with everywords.
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17667
PUBLISHED: 2019-10-17
Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML injection via the Site Name (aka SiteName) field.
CVE-2019-17666
PUBLISHED: 2019-10-17
rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.
CVE-2019-17607
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php servername parameter.
CVE-2019-17608
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php dbname parameter.
CVE-2019-17609
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter.