When you build a data center you look for a location in a safe but accessible area. You don’t typically choose locations next to chemical plants, high crime areas and you don’t advertise with your name on the outside of the building. Putting “My Fortune 500 Global Data Center Inside” would be easy for your vendors to locate you, but so could anyone else. Pretty soon the Google map car drives by and captcha codes are updated and now the whole wide web knows your data center location.
So if we protect our data centers from physical threats, why do so many companies not protect their systems from electronic threats? I hear responses like these:
• Security patches require testing and we don’t have time to test them
• Patches fix known issues, but we do not know what else might be impacted
• We had an issue with a security patch in 200x and so we only put them on with support packs
• Our data center is protected from physical threats and our firewall rules protect us from electronic threats
Anti-Virus software vendors send updates as threats are identified and solutions are developed to protect against them. On the second Tuesday of each month (and sometimes the fourth Tuesday also) Microsoft releases batches of security corrections. On Security Patch Day SAP also releases batches of notes that meet specific requirements related to CVSS scores and risk. As with any other correction they must be categorized correctly in order to be included.
From a process stand point, having the Microsoft and SAP patches released on the same day is a benefit to companies who are trying to implement a recurring patch process. So why would you implement Anti-Virus packages and Microsoft patches without reservation, but you go sometimes years without implementing SAP corrections. This week an SAP correction from 2010 was highlighted in an announcement from the US Department of Homeland Security. You can find that announcement here: https://www.us-cert.gov/ncas/alerts/TA16-132A.
This announcement identifies a risk which was corrected in October 2010 by SAP, but many companies which are running obsolete versions of NetWeaver never implemented the correction. If you review electronic data breaches in the US, you will find alarming statistics from sources such as The Identity Theft Resource Center. This does not include all data breaches but this alone included 378 incidents through 4.5 months of 2016. Most of these incidents were electronic data breaches. Whether you have impenetrable firewall rules or not, implementing security corrections needs to be on your best practices.
For several years Frank Buchholz of SAP has provided monthly webcasts to DSAG, ASUG and even Australian user groups. These webcasts highlight not only the importance of specific notes, he provides steps to analyze what kind of testing is required and informs attendees of changes in the SAP security processes. One of those included information that the RSECNOTE tool was obsolete and what you should be doing now.
Even with this additional communication from SAP, there are at least 36 known organizations with this vulnerability. However, the actual number is more likely much higher than this. If you are on NetWeaver 7.4 or 7.5 for all of your SAP landscapes then you know that you are not one of them. But what if you have a landscape running SAP NetWeaver, releases: 2004, 7.0, 7.1, 7.2 or 7.3? Do you have the Invoker Servlet disabled? If you have any of these releases within your environment, I would strongly encourage you to initially take action by disabling the Invoker Servlet, but as a second step you really need a periodic patch process. Maybe you cannot implement support packs, but applying security notes has to be on your radar. Many of the companies that have an electronic data breach think their firewall rules are rock solid. They never thought they would be in one of these reports.
I attempted to attach the .pdf from the note as an attachment but it is not allowed. I strongly encourage you to review the alert and the notes attachment. The link below to the identity Theft Breach report shows that cyber crime is a big issue. We have to do what we can to protect data. The loss of data whether intentional or accidental can cause great harm to your companies’ image. The time to protect it is always before it occurs. A firewall alone is not enough protection when more applications or connected to networks which are exposed to the Internet.
What is your excuse for not learning more about security patching or even applying them?