The most important part of every big company is its ERP system. ERP handles all critical business processes, including purchases, payments, delivery, as well as HR management, sales, production, etc. All information kept by ERP systems is very important. Any unauthorized access may lead to enormous financial and reputational losses.
The common belief that ERP security is a simple Segregation of Duties (SoD) matrix is not relevant anymore. Within the past 3 – 5 years, SAP security specialists have presented numerous reports describing different attacks on SAP subsystems, like the RFC data exchange protocol, SAP router, web applications, and client workstations that use SAP GUI. Interest in this matter grows exponentially every year.
Many hacking tools have been released recently, expanding the attack surface and bringing new possibilities of launching successful attacks against SAP systems. At the same time, the number of security notes related to vulnerabilities present in different SAP products is also growing. These vulnerabilities and misconfigurations may allow unauthorized intruders to access all critical business data of the company. Business owners are even starting to think about using specialized solutions that focus on protecting SAP subsystems.
As you may know, SAP regularly issues internal documents called SAP Security Notes. Such notes usually inform us about new vulnerabilities found in SAP products or possible configuration mistakes that may pose a security risk to SAP subsystems. The first such note was issued long ago, in 2001. Sadly, over the last decade the number of security notes has grown exponentially.
Most of the security problems (about 70%) are marked as high priority. It means that about 2/3 of the known vulnerabilities should be fixed immediately. The most dangerous of these vulnerabilities are those that can be found online in various databases. Popular security-focused websites regularly publish detailed descriptions of new vulnerabilities and how to exploit them. They also include info about exploit kits and other hacker tools that may help to exploit new vulnerabilities.
For example, SecurityFocus publishes detailed descriptions of vulnerabilities and sometimes even info about PoC exploits. Sadly, all vulnerabilities listed in this database have a very high chance of exploitation.
Another site like this is called The Exploit Database. Here you can find a lot of ready-made exploits that can be used without any changes. Novice attackers without any technical knowledge are already using them. It is important to note that vulnerabilities listed in this database are highly critical and should be dealt with within a 24-hour timeframe.
However, plenty of security gurus are unfortunately completely unaware of how to protect business apps such as SAP. Part of the problem is also that protection and security responsibilities are imposed not on the CISO but on the owners and operators of the system, who effectively have to control themselves. Consequently, nobody is actually responsible for the security aspects of the most important parts of the system.
It is also worth describing less critical problems:
- Lack of competent experts. In many organizations, SAP experts see SAP security basically as SoD, while security experts understand SAP cyber threats only superficially. They also lack the skills to fine-tune SAP security features.
- Hundreds of fine-tuning options. A typical system includes more than 1,000 basic variables along with a massive number of fine-tuning settings. It also includes options to differentiate the rights and privileges of different objects like tables, transactions, RFC procedures, etc. For example, there can be more than a thousand different web interfaces to access the system. It is a non-trivial task to ensure the security of the system with all these fine-tuning options.
- Custom settings. No two SAP systems are identical. Almost all settings are customized by the client. In addition, clients add their own self-written and third-party security solutions like VPN. The security of this software should be taken into account too.
Recently, SAP security issues have gained increased attention at different security conferences like HITB and BlackHat. Beginning in 2010, this trend has also spread to other technical conferences. More and more researchers and companies publish their SAP security research papers. Admittedly, many reports were initially dedicated to classical infosec issues touching the SAP infrastructure: web application security, client security, trojans, and backdoors. Recently the focus has shifted to specialized threats and SAP vulnerabilities like ABAP code issues, SAP Kernel problems, SQL injections, vulnerabilities in the J2EE engine, and buffer overflows.
I can conclude that the mass interest in SAP protection and security overall is increasing substantially. Given the continuing growth in the number of vulnerabilities and the large number of SAP systems accessible through the Internet, I anticipate that SAP systems will be attacked more and more, and not merely by the masters of APTs (advanced persistent threats), but via mass untargeted campaigns as well, involving worms and other malware that use several vulnerabilities simultaneously.
Today security experts and network admins are responsible for protecting SAP systems. They need to study numerous manuals and learn how to set up safe configurations, install all updates, and audit the code on a regular basis.