Enterprise resource planning (ERP) systems are the backbone of many large organizations and are critical to successfully running business operations.
However, many ERP systems are very complex with a diverse set of stakeholders throughout the enterprise. They have also been in place for decades in some enterprises and may have accumulated many years of technical debt -- making ERP security difficult and costly to maintain.
These reasons could be significant contributors to the list of SAP vulnerabilities identified by Onapsis Inc. in a recent report. Yet the findings of the report should not dissuade enterprises from using ERP systems, nor should they alarm information security teams responsible for securing SAP systems. If a number of best practices are followed, ERP systems can be both beneficial and secure.
In its report, Onapsis researchers found more than 95% of SAP systems are exposed to vulnerabilities that could lead to a detrimental compromise of enterprise data and processes.
These issues were identified through hundreds of security assessments of SAP systems.
Researchers stated there appears to be a disconnect between enterprise information security teams and SAP operations teams. The SAP vulnerabilities identified support this assertion, since they are basic information security issues that have likely already been addressed in other parts of an enterprise's information security program.
According to the Onapsis report, the top three most common attack vectors on SAP systems that threaten ERP security are:
- A low-security customer Web portal;
- Malicious accounts being used in customer or supplier portals; and
- Vulnerabilities in the underlying database protocols.
All three of these issues contribute to the technical debt in securing an SAP system.
In the first vector, for example, a lower-security customer Web portal that is exposed to the Internet could be set up to allow customers to connect from anywhere to place orders. However, this customer Web portal can be used as part of an attack, with the attacker pivoting from the lower-security system to other more critical systems, and eventually the entire SAP system.
In the second attack vector, customer and supplier portals could potentially be infiltrated; backdoor accounts could then be used to pivot from the SAP portals and other platforms into the internal network and continue the attack there.
In the third attack vector, an attacker can exploit insecure database protocol configurations that would allow them to execute commands on the operating system. At this point, the attacker has complete access to the operating system and can potentially modify or disrupt any information stored in the database.
Note that these are all common attack methods and should not be surprising to any information security professional.
Best practices for SAP and ERP security
While enterprises need to include all systems in an information security program, the specific resources devoted to securing a particular asset should correspond to the system's value to the organization. The value of these assets should be established through a business impact analysis.
In addition, though enterprises might be hesitant to make any changes to production systems, all systems must have basic information security hygiene in place to prevent security incidents. These basic steps are necessary to prevent, mitigate, defend against and monitor for security incidents. SAP has a security guide, and SearchSAP has many resources on the basic security controls necessary for an SAP system -- including vulnerability management, patch management and role-based access control. Vulnerability management can be implemented in an SAP system by periodically scanning application, Web, database and other associated servers, and then feeding that data into a patch management program for testing and deployment. And while role-based access control is critical for application security, it should also extend to other aspects of the system so that proper separation of duties is upheld to limit the risk of rogue use.
Given the critical nature of SAP systems, one major concern for ongoing security controls has been the potential for downtime caused by security changes. If an SAP system can't be "down" for business reasons, plans should be in place for how to apply patches or make other security changes without disrupting operations. This might include ensuring a high-availability setup is in place, such as a backup system that automatically takes over while the primary system is being patched or having changes made.
Another consideration is that the security technologies that should already be in place -- such as intrusion detection systems and monitoring tools, among others -- can be specifically tuned to monitor an SAP system.
Additionally, monitoring SAP application logs is necessary to identify compromised accounts or other malicious activity at the application level. Using the concept of least privilege -- including restricted network access throughout -- will make it more difficult for an attacker to find an exploitable vulnerability to gain complete access or to easily identify other systems to attack.
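As an added example (not part of the original article), here is the kind of application-level log monitoring the paragraph above calls for: detection logic run over constructed sample logon records, flagging an account that succeeds after a burst of failed logons and an account that logs on from more than one terminal. The line format, user names and terminal ids are hypothetical and simplified; they are not SAP's actual Security Audit Log layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical, simplified format
# (timestamp|user|terminal|event|result); not SAP's real audit-log layout.
SAMPLE_LOG = """\
2015-05-01T08:00:01|JSMITH|WS-0142|LOGON|OK
2015-05-01T08:02:10|ADMIN01|WS-0901|LOGON|FAIL
2015-05-01T08:02:12|ADMIN01|WS-0901|LOGON|FAIL
2015-05-01T08:02:14|ADMIN01|WS-0901|LOGON|FAIL
2015-05-01T08:02:15|ADMIN01|WS-0901|LOGON|FAIL
2015-05-01T08:02:17|ADMIN01|WS-0901|LOGON|FAIL
2015-05-01T08:02:40|ADMIN01|WS-0901|LOGON|OK
2015-05-01T08:10:00|JSMITH|WS-7733|LOGON|OK
2015-05-01T09:30:00|MPATEL|WS-0220|LOGON|OK
"""

FAIL_THRESHOLD = 5            # failed logons within WINDOW before a success is flagged
WINDOW = timedelta(minutes=5)

def parse(log_text):
    """Parse the constructed format into sorted (datetime, user, terminal, event, result) tuples."""
    out = []
    for line in log_text.splitlines():
        ts, user, term, event, result = line.split("|")
        out.append((datetime.fromisoformat(ts), user, term, event, result))
    return sorted(out)

def find_suspicious(log_text):
    """Map user -> list of reasons: guessing-then-success, or logons from several terminals."""
    reasons = defaultdict(list)
    fails = defaultdict(list)      # user -> timestamps of recent failed logons
    terminals = defaultdict(set)   # user -> terminals with successful logons
    for ts, user, term, event, result in parse(log_text):
        if event != "LOGON":
            continue
        # keep only failures that fall inside the sliding window ending now
        fails[user] = [t for t in fails[user] if ts - t <= WINDOW]
        if result == "FAIL":
            fails[user].append(ts)
            continue
        if len(fails[user]) >= FAIL_THRESHOLD:
            reasons[user].append(f"success after {len(fails[user])} failed logons")
        fails[user].clear()
        terminals[user].add(term)
        if len(terminals[user]) == 2:   # flag once, when a second terminal appears
            reasons[user].append("successful logons from multiple terminals")
    return dict(reasons)
```

Calling `find_suspicious(SAMPLE_LOG)` flags ADMIN01 for the failed-logon burst and JSMITH for the second terminal, while MPATEL is not reported.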
Again, enterprises need to ensure all systems are part of their information security program -- including SAP systems. Excluding SAP systems in the past is what has allowed these basic security vulnerabilities to persist in SAP systems today.
Some of these vulnerabilities have been well known in the information security community for decades, so applying the processes and fixes found outside SAP systems can significantly improve SAP security and prevent more severe incidents from affecting critical business operations.
About the author:
Nick Lewis, CISSP, is a program manager for the Trust and Identity in Education and Research initiative at Internet2, and previously was an information security officer at Saint Louis University. Lewis received Master of Science degrees in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002.