SAP security specialists Onapsis reported today that, in a study of hundreds of SAP installations examined by their researchers, over 95 percent were exposed to vulnerabilities that could lead to the full compromise of an organization's business data and processes. Run by a quarter of a million customers worldwide, SAP products form the backbone of the critical technology infrastructure of 87 percent of Global 2000 companies. And yet SAP remains a cybersecurity backwater for most infosec programs.
"SAP systems are inherently complex by nature as they are the backbone of business systems and the processes that run the enterprise. It is difficult to find and remediate issues because today's security measures, segregation of duties (SoD) and access controls, do not protect organizations from cyber attacks," says Juan Pablo Perez-Etchegoyen, CTO and Head of Research for Onapsis. "In fact, organizations don't even know they are being attacked in most cases. These security programs focus on the processes, people, and infrastructure and are not looking at SAP systems as part of this picture."
Since Onapsis broke onto the scene at Black Hat in 2007 with one of the first eye-opening talks on SAP vulnerabilities, its research team has kept these applications under the microscope. This week it released a comprehensive study of many of its findings from the past few years. Though the full report is available only to its customers, it did release some eye-opening facts gleaned from the study. For example, it found that the average patch window for SAP at companies is 18 months or longer. Meanwhile, SAP continues to accelerate the pace of patches for these systems, releasing an average of 30 per month, nearly 50 percent of which SAP itself ranks as high priority. Most startling, though, is that Onapsis has finally gathered enough evidence from real-world incidents to show that attackers really are using these vulnerabilities to get at the most sensitive information enterprises own.
As Mariano Nunez, CEO and co-founder of Onapsis, explained, one of the first questions he was asked by attendees at that first Black Hat was, "Yes, but are these vulnerabilities really being exploited?"
"At that point we didn't have enough data to answer them, but over the last couple of years we've been part of SAP incident response projects and we see more and more people using SAP-specific exploits to break into business-critical data and disrupt business critical processes," he says.
As his team started analyzing attacks, they began to put together a picture of criminals' attack patterns. According to Onapsis, the three most common ways SAP vulnerabilities are being exploited are: first, pivoting between SAP systems to steal customer information, including credit card data; second, attacks on customer and supplier portals, where the attackers create backdoor users in the SAP J2EE User Management Engine (UME); and third, direct attacks through SAP's proprietary protocols.
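The second pattern above, backdoor users planted in the portal's UME, is the one a defender can catch with a routine reconciliation of the user store against a known baseline. The script below is an added example written for this article, not Onapsis or SAP code: it assumes a constructed, simplified user export (logon ID, creation time, creator, group memberships) rather than any real UME export format, and the privileged-group names, approved accounts, baseline and change window are all illustrative assumptions. It flags accounts that are new since the baseline and were created outside the change window or by an unapproved account, and any account holding a privileged group that is not on the approved list.

```python
"""Backdoor-account reconciliation for a portal user store.

Added example, not Onapsis or SAP code. The export format, group names,
approved accounts, baseline and change window below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PortalUser:
    logon_id: str
    created_at: datetime
    created_by: str
    groups: frozenset


# Assumed privileged groups and the accounts allowed to hold them.
PRIVILEGED_GROUPS = frozenset({"Administrators", "SAP_J2EE_ADMIN"})
APPROVED_PRIVILEGED = frozenset({"Administrator", "j2ee_admin"})
# Assumed accounts allowed to create users (admin and a provisioning service).
APPROVED_CREATORS = frozenset({"Administrator", "provisioning_svc"})
# Logon IDs known from the previous reconciliation run (assumed baseline).
BASELINE = frozenset({"Administrator", "portal_user1", "vendor_portal"})
# Approved change window for this run (assumed, UTC).
CHANGE_WINDOW = (
    datetime(2015, 3, 2, 0, 0, tzinfo=timezone.utc),
    datetime(2015, 3, 3, 0, 0, tzinfo=timezone.utc),
)

# Constructed sample export: logon;created_at;created_by;group1|group2
SAMPLE_EXPORT = """
# constructed sample, not a real UME export
Administrator;2014-01-10T09:00:00+00:00;Administrator;Administrators|Everyone
portal_user1;2015-03-02T14:05:00+00:00;provisioning_svc;Everyone
vendor_portal;2015-03-02T14:10:00+00:00;provisioning_svc;Everyone
supplier_42;2015-03-02T16:30:00+00:00;provisioning_svc;Everyone
svc_backup;2015-03-14T02:17:00+00:00;portal_user1;Administrators|Everyone
"""


def parse_export(text):
    """Parse the constructed semicolon-separated export into PortalUser records."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        logon, created, creator, groups = line.split(";")
        users.append(PortalUser(
            logon_id=logon,
            created_at=datetime.fromisoformat(created),
            created_by=creator,
            groups=frozenset(g for g in groups.split("|") if g),
        ))
    return users


def find_suspect_accounts(users, baseline, window_start, window_end):
    """Return [(logon_id, [reasons])] for accounts that look like backdoors."""
    findings = []
    for u in users:
        reasons = []
        # Privilege check applies to every account, old or new.
        if u.groups & PRIVILEGED_GROUPS and u.logon_id not in APPROVED_PRIVILEGED:
            reasons.append("holds privileged group outside approved list")
        # Provenance checks apply to accounts that appeared since the baseline.
        if u.logon_id not in baseline:
            if u.created_by not in APPROVED_CREATORS:
                reasons.append(f"created by unapproved account {u.created_by}")
            if not (window_start <= u.created_at <= window_end):
                reasons.append("created outside approved change window")
        if reasons:
            findings.append((u.logon_id, reasons))
    return findings


def run_sample():
    """Reconcile the constructed sample export against the assumed baseline."""
    users = parse_export(SAMPLE_EXPORT)
    return find_suspect_accounts(users, BASELINE, *CHANGE_WINDOW)


if __name__ == "__main__":
    for logon, reasons in run_sample():
        print(f"{logon}: {'; '.join(reasons)}")
```

On the constructed sample, `supplier_42` is new but was created by the provisioning service inside the change window and holds no privileged group, so it passes; `svc_backup` is flagged on all three counts. In practice the baseline is the previous run's export, so the check also surfaces accounts that were deleted and recreated to reset their provenance.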
To combat these attacks, enterprises must bridge the gap between security teams and SAP operations teams in order to shorten patch cycles and improve their SAP security strategy.
"In order to bridge the gap between CISOs and CIOs, it is important to have an agreement that security and IT share the same goals of availability and that the information security program will not be at the expense of operations and uptime," says Renee Guttmann, vice president for the Office of the CISO at Accuvant and a member of the Onapsis board of advisors. "Once the CISO and CIO agree, they must collaborate to develop the SAP security plan, to which the business owners must also agree as they are the ultimate stakeholders. This can be a win/win/win for everyone as long as there are common goals and transparency."