In a digital world, there will always be threats, and since businesses running SAP applications are ripe targets for malicious interference, they are likely to be among the first targeted. In a recent study released in July 2018, Onapsis and Digital Shadowson revealed that a growing number of cyber-attacks are focusing on ERP applications directly. These applications form the backbone of many ERP systems and store a lot of sensitive information, so the frequency and sophistication of these attacks have had many businesses that invest in SAP applications perturbed.
How Attacks Occur
Because of the nature of the data housed in these ERP applications, the apps themselves provide a rich target for attackers. More so, they are an easy gateway into the system if the hacker can manage to get past the security on the application or “borrow” its footprint and spoof itself to the security system. Some of the angles that are preferred by cyber attackers are:
- Exploiting Unpatched Systems: Some companies don’t update their SAP installation on time, or leave their update windows for quite a large period of time. This large update window allows hackers to take advantage of holes in security that haven’t been patched in order to gain access to the system through ERP applications.
- Attacking Old Persistent Locations: In the older days of ERP, the security systems that existed weren’t as advanced as they are at current. Sadly, as systems evolved, some of these old holes in the fence were left unpatched and now they provide a very wide entry point for hackers looking to get into a company’s network.
- Under the Hood Exploitation: Companies that employ an ERP usually do it in order to facilitate easy and efficient operation. It’s understood that data for a certain client doesn’t change unless that data is changed by an authorized user. However, hackers can change data (for example, bank accounts of known clients into their own) to redirect automatic payments and so gain from automated business practices. It may be some time before the users realize what has been happening, especially in the case of automated payment systems.
- Using Complexity Against a Complex System: ERP applications are built on a framework that utilizes already installed components on the system to function properly. Because of the close internal working of these component, the security between them is lax or non-existent and hackers are learning how easy it is to insinuate themselves into systems by exploiting these glaring holes in application functionality.
The Threat of the Internet
As anyone who has dealt with computers can tell you, the Internet is a hotbed for the breeding and dissemination of malicious code. With ERP applications using in investment banks, having them exposed to the Internet while being unpatched and vulnerable for exploitation is already a bad decision. The July 2018 study found that as many as 17,000 components were exposed to the Internet overall, showing how many systems are openly available for exploitation and how many businesses are leaving their customer data at risk without even being aware that the practices of their ERP apps are dangerous. Additionally, the study found that:
- Applications have been exposed that didn’t need to be: Sometimes in testing, a company may develop a test application and grant it the ability to communicate over the Internet and then forget about it without revoking that access. Then, through their own understanding, new developers would include that step of Internet communication in code they write, opening those applications to the Internet that don’t need to be connected. This leads to exposure for exploitation.
- Non-productive Environments are exposed to the Internet: More often than not, these systems ought not to be openly exposed as they have lower security than productive systems. They provide a highway into the system and allow exploitation of productive systems through them.
- Obsolete components: Older versions of applications were still functional and those older versions were open doors to hackers looking for a loophole to exploit.
Take Note of ERP Applications
ERP applications are not fragile, but are becoming points of entry for hackers. In order to ensure that a company does not fall prey to these malicious practices, the applications they use should be carefully monitored and dataflow and access for these applications should be noted. Older apps should be disabled and patches should be applied to systems as soon as possible to ensure older applications no longer have privileges granted to them. Older security systems may need to be revamped as well. This malady doesn’t have an easy fix to deal with it, but rather a constant ideal of vigilance in dealing with data access through the network and application access to the Internet.