April 8, 2016 By Charlie Singh 4 min read

A recent independent study conducted by the Ponemon Institute, “Uncovering the Risk of SAP Cyber Breaches,” revealed some startling information about the threat of a SAP cyber breach and how companies are managing the risk of information theft, modification of the data and disruption of business processes.

To understand what makes SAP systems the perfect target for a cybercriminal, you don’t have to look far. Ask yourself: Which system runs the most business-critical processes in my company? Which system stores the most business-sensitive information? Which system is the company most dependent upon?

The answer almost always comes back to the enterprise resource planning (ERP) system your company runs. A majority of the Fortune 500 rely on SAP as their ERP system, and that single system has become a critical lifeline for companies across all industries, ranging from health care, utilities and oil and gas to telecom, insurance and financial services.

Takeaways From the SAP Study

Recent high-profile cybersecurity breaches still have not served as a wake-up call in many corporate boardrooms. Some excerpts from the Ponemon Institute’s independent study highlight some interesting perceptions about SAP cybersecurity risk.

First, nearly 76 percent of respondents said their senior leadership understands the importance and criticality of SAP installations to profitability. However, 63 percent of respondents also said C-level executives underestimate the risks associated with insecure SAP applications.

If SAP systems are taken offline, the expected average financial consequence for companies is $4.5 million. These costs were estimated to include direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunity.

The majority of the respondents believe it is difficult to secure SAP systems. One possible reason is a lack of clear ownership over these systems. When asked which function was most accountable for security, 25 percent claimed that no one group was responsible. Meanwhile, 21 percent said IT infrastructure was responsible, 19 percent said a dedicated SAP security team and 18 percent said information security. Risk executives, audit professionals and boards of directors all collected less than 10 percent of the vote.

Source: Ponemon Institute, “Uncovering the Risk of SAP Cyber Breaches”

When asked what was most important for achieving security, 83 percent of respondents indicated that detecting zero-day vulnerabilities is vital for their organizations.

Despite this thirst for security knowledge, many organizations don’t believe they have the ability to detect an incident. About 47 percent of respondents were “not confident” or claimed “no confidence” that they could detect a breach within a year if their company’s SAP platform was compromised.

Additionally, 75 percent of respondents said it is very likely (33 percent) or likely (42 percent) that their company’s SAP platforms have one or more malware infections.

Source: Ponemon Institute, “Uncovering the Risk of SAP Cyber Breaches”

Three SAP Security Myths and Realities

Because the threat to business-critical information is increasing, it is essential for companies to separate myths from reality. These myths typically fall into three different categories:

  • Myth One: SAP systems are only accessible internally within the organization’s network. Reality: There is no such thing as an internal network anymore. Many SAP systems are reachable from the Internet via Web apps, HANA, mobile solutions or cloud deployments. Try Googling “inurl:/irj/portal” (the default path of the SAP NetWeaver Enterprise Portal logon page) and see how many hits are returned, or search for SAP systems with the Shodan search engine.
  • Myth Two: Only SAP production systems should be audited. Reality: Attackers pivot between SAP systems. A low-security system such as development or QA typically holds RFC destinations, with stored credentials or trust relationships, that point at production; a vulnerability in the weaker system therefore gives an attacker a path to execute SAP remote function modules in the critical one.
  • Myth Three: Patch and change management processes provide adequate security controls. Reality: It takes an average of 18 months from when a vulnerability is identified to when the patch is finally deployed.
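The exposure check in Myth One can be run against your own address space instead of a search engine. The following is an added example in Python, not code from the original article or from the Ponemon study: it fingerprints a single HTTP response for signs of an SAP NetWeaver entry point and, optionally, probes a host you are authorized to test. The path list, the Server-header string, the cookie prefixes and the logon form field names are assumptions drawn from common NetWeaver AS ABAP and AS Java deployments, not an exhaustive list.

```python
"""Fingerprint HTTP responses for exposed SAP NetWeaver web entry points.

Added example; not code from the original article or the Ponemon study.
The paths, header strings, cookie prefixes and form-field names below are
assumptions based on common NetWeaver AS ABAP / AS Java deployments.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Entry points that are frequently found internet-facing (assumed list).
SAP_PATHS = {
    "/irj/portal": "NetWeaver Enterprise Portal logon (AS Java)",
    "/sap/bc/gui/sap/its/webgui": "SAP GUI for HTML on AS ABAP",
    "/sap/public/info": "ICF info service (returns release, host and DB details)",
    "/sap/bc/soap/rfc": "SOAP access to remote function modules",
}

# Cookies set by AS ABAP / AS Java sessions, and logon form field names.
SAP_COOKIE_PREFIXES = ("sap-usercontext", "MYSAPSSO2", "SAP_SESSIONID_", "saplb_")
SAP_FORM_FIELDS = ("sap-user", "sap-password", "j_user", "j_password")


@dataclass
class Finding:
    path: str
    status: int
    reasons: list = field(default_factory=list)

    @property
    def is_sap(self) -> bool:
        return bool(self.reasons)


def fingerprint(path, status, headers, cookies, body):
    """Classify one response.

    headers: dict of header name -> value (matched case-insensitively)
    cookies: list of raw Set-Cookie values
    body:    response body as text
    """
    f = Finding(path=path, status=status)
    lower = {k.lower(): v for k, v in headers.items()}
    server = lower.get("server", "")
    if "sap netweaver" in server.lower():
        f.reasons.append("Server header: " + server)
    for raw in cookies:
        name = raw.split("=", 1)[0].strip()
        if name.startswith(SAP_COOKIE_PREFIXES):
            f.reasons.append("SAP session cookie: " + name)
    for field_name in SAP_FORM_FIELDS:
        if f'name="{field_name}"' in body:
            f.reasons.append("logon form field: " + field_name)
    # /sap/public/info answers with an RFCSI structure when it is enabled.
    if status == 200 and path == "/sap/public/info" and "<rfcsi" in body.lower():
        f.reasons.append("/sap/public/info returned RFCSI system data")
    return f


def probe(base_url, timeout=5):
    """Request each known path on a host you are authorized to test."""
    results = []
    for path, description in SAP_PATHS.items():
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "sap-surface-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status, hdrs = resp.getcode(), resp.headers
                body = resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:  # 401/403/404 still carry fingerprints
            status, hdrs = e.code, e.headers
            body = e.read(65536).decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            continue
        cookies = hdrs.get_all("Set-Cookie") or []
        results.append((description, fingerprint(path, status, dict(hdrs.items()), cookies, body)))
    return results


if __name__ == "__main__":
    import sys
    for description, finding in probe(sys.argv[1]):
        flag = "SAP" if finding.is_sap else "---"
        print(f"{flag} {finding.status} {finding.path}  {description}")
        for reason in finding.reasons:
            print("      " + reason)
```

Run it as `python sap_surface.py https://host.example` against a perimeter host you own; a hit on `/sap/public/info` is worth prioritizing because that service discloses release and host information without authentication.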

Key Considerations for SAP Security

A cybersecurity program should be incorporated into the existing enterprise risk management (ERM) process of the company. This will help establish your overall SAP security governance program.

Many companies invest heavily in SAP security audits that barely scratch the surface, such as segregation of duties (SOD) checks, basic firefighter log reviews, security log reviews, system parameter reviews, table logging checks and the auditor-favorite SUIM transaction (the user information system). Companies should consider investing in more comprehensive and in-depth examinations of their SAP platforms and solutions on a regular basis, including vulnerability assessments and penetration testing.

Periodic SAP vulnerability assessments should be conducted to identify known vulnerabilities, malware infections, missing patches and notes, insecure configurations, unencrypted interfaces, weak credentials and default settings. This is in addition to the regular SOD checks, custom T-code checks, program analysis and logging of regular user activity.
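The insecure configurations, unencrypted interfaces and default settings mentioned here, together with the RFC pivoting of Myth Two, largely come down to profile parameters. The following is an added example in Python, not code from the original article, from SAP or from the Ponemon study: it parses a NetWeaver profile file (the `parameter = value` format of DEFAULT.PFL and instance profiles) and reports values that fall short of a hardening baseline. The baseline values are an assumed target for illustration, not SAP's shipped defaults or an official benchmark, and the two profiles are constructed samples.

```python
"""Check SAP profile parameters against a security baseline.

Added example; not the article's, SAP's or the Ponemon study's code.
BASELINE holds an assumed hardening target, not SAP's kernel defaults or an
official benchmark; adjust it to your own policy.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    parameter: str
    actual: str
    expected: str
    why: str


def _at_least(n):
    return lambda v: int(v) >= n


def _equals(x):
    return lambda v: v == x


# parameter -> (check, expected value, why a failing value matters)
BASELINE = {
    "login/min_password_lng": (_at_least(8), ">= 8",
        "short minimum password length"),
    "login/no_automatic_user_sapstar": (_equals("1"), "1",
        "SAP* with the default password PASS becomes usable if the user record is deleted"),
    "login/password_downwards_compatibility": (_equals("0"), "0",
        "weak downward-compatible password hashes are stored"),
    "auth/rfc_authority_check": (_at_least(1), ">= 1",
        "S_RFC authorization check is off, so RFC calls pivoted from other systems are unchecked"),
    "rfc/reject_expired_passwd": (_equals("1"), "1",
        "expired passwords are still accepted for RFC logons"),
    "gw/acl_mode": (_equals("1"), "1",
        "gateway accepts registered servers without reg_info/sec_info ACLs"),
    "snc/enable": (_equals("1"), "1",
        "DIAG and RFC traffic is unencrypted without SNC"),
}


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment line."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)   # values like PROT=HTTP,PORT=8000 keep their '='
        params[key.strip()] = value.strip()
    return params


def audit(text):
    """Return (findings, unset) for one profile's text.

    unset lists baseline parameters not present in the file; their kernel
    default applies and must be checked for the release in use.
    """
    params = parse_profile(text)
    findings, unset = [], []
    for name, (ok, expected, why) in BASELINE.items():
        value = params.get(name)
        if value is None:
            unset.append(name)
            continue
        try:
            passed = ok(value)
        except ValueError:       # non-numeric where a number is expected
            passed = False
        if not passed:
            findings.append(Finding(name, value, expected, why))
    # Unencrypted ICM listeners: icm/server_port_N = PROT=HTTP,PORT=...
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            opts = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
            if opts.get("PROT", "").upper() == "HTTP":
                findings.append(Finding(name, value, "PROT=HTTPS",
                    "plain-HTTP listener; logons and SSO tickets cross the wire unencrypted"))
    return findings, unset


# Constructed samples (not from a real system): weak settings and their fix.
WEAK_PROFILE = """\
# DEFAULT.PFL, constructed sample
SAPSYSTEMNAME = DEV
login/min_password_lng = 6
login/no_automatic_user_sapstar = 0
login/password_downwards_compatibility = 1
auth/rfc_authority_check = 0
rfc/reject_expired_passwd = 0
gw/acl_mode = 0
snc/enable = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

HARDENED_PROFILE = """\
SAPSYSTEMNAME = DEV
login/min_password_lng = 12
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 0
auth/rfc_authority_check = 9
rfc/reject_expired_passwd = 1
gw/acl_mode = 1
snc/enable = 1
icm/server_port_0 = PROT=HTTPS,PORT=44300
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings, unset = audit(text)
        print(f"{label}: {len(findings)} finding(s), {len(unset)} unset")
        for f in findings:
            print(f"  {f.parameter} = {f.actual} (expected {f.expected}): {f.why}")
```

Point `audit()` at the text of DEFAULT.PFL and each instance profile, and treat an empty file for a parameter as a question rather than a pass: the effective value is the kernel default, which differs between releases. Run the same check on development and QA systems, not just production, since those are the hosts an attacker uses as a springboard.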

Involve the business in security workshops and ask the relevant questions. Who is responsible for preventing a cybersecurity breach? Have we had a SAP security breach? How can our company be sure?

Look to invest in an active threat monitoring and detection solution, meaning one that detects SAP-specific attack vectors rather than generic network events. This will give you visibility into attacks against the platform and demonstrate a high level of confidence to your internal and external auditors.

Conclusion

Protecting SAP from cyberthreats begins with a shift in beliefs about accessibility, vulnerability and responsibility. A cybersecurity program is only effective when it begins with the appreciation that everything is now connected and therefore accessible. SAP systems and applications, whether in development or production, are as much at stake as any other system.

Given your investment in and reliance on ERP systems such as SAP, extend to them the same (or better) assessments, auditing procedures and tests that you would apply to any other enterprise platform or application.
