As SAP’s systems in this or that way interact with almost 75 percent of the world’s transaction revenue, they represent a very lucrative target for cybercriminals. However, they already have measures against these dangers in place – all you have to do is learn how to use them, like:
- The authorization profile SAP_ALL should not be assigned to any user unless it is an emergency. You need to define what an emergency is as well as back-up and recovery remedies.
- Activate the Security Audit Log (SAL)
- Use security source code scan tools to identify vulnerabilities in your custom coding
- Set dedicated ABAP profile parameters for password security, authentication, and encryption
- Have different zones on the network and separate high-security areas
This article will cover some of the most important ways of securing your SAP applications against such threats.
1. Establish a monitoring process
Watching out for attacks, both real and potential, should be an ongoing process, not an occasional effort. Somebody should be on the lookout for danger at all times, and all cases of non-compliance to security measures should be weeded out immediately. Among other things, this approach guarantees that what has been fixed in the past does not fall into disrepair once again.
2. Carry out regular penetration testing
Attack methods on SAP applications have considerably grown in sophistication over the last ten years. Today, cybersecurity in this sphere is a constant arms race between hackers and security specialists. Establishing effective protection is not enough – you have to regularly test it for vulnerabilities using the latest information in the field. It is most likely beyond the capabilities of your in-house IT people; the right decision would be to get in touch with Cyber Security experts specializing in this kind of work.
3. Establish strict rules concerning passwords
When an administrator creates a new user account, he/she assigns an initial password that the user is supposed to change immediately after the first login. However, the administrator should not let things run their course but take this into his/her own hands. He/she has to assume that the users will not follow the rules and use bad password practices if left unattended. Therefore, one should take measures to limit such a possibility: e.g., cut short the lifetime of initial passwords, impose rules on the number of characters in a password and so on.
4. Secure generic user accounts
SAP comes out of the box with a set of generic user accounts that are supposed to be used for installation and setup. Their names and default passwords are widely known, which means that if they are left unsecured, they pose a severe security risk. Therefore, you have to change their passwords and remove high-privileged profiles. It is not enough to just delete them, as they can recreate themselves with their default passwords, thus leaving the vulnerability in place. Make sure they remain in existence, but their passwords are strong.
5. Pay attention to the security of your custom code
One of the main sources of vulnerabilities in SAP environments is the custom code organizations build around their SAP systems, as it is often buggy, poorly optimized and rife with security issues. It is only natural, as developers are often (or, rather, habitually) under pressure to deliver the results as fast as possible and put expediency above careful testing and planning. Analyze all your code for vulnerabilities and ensure that security is not an afterthought but one of the primary design concerns.
6. Have a pre-existing crisis management plan
Organizations often put too much trust into their existing security systems and protocols, believing that just having them in place will protect them from dangers. However, the right approach is to have a plan of action in case the worst comes to worst: what has to be done, who is responsible for what, what is the chain of command and so on. Only be prepared for the worst possible outcome can give you any guarantee of avoiding it.
There are many ways to ensure the security of your SAP systems on top of the basic protocols. Follow these tips, and you will deal with the most common threats!
Please, share your thoughts about the securiy tips.