SAP Security for CISO. Part 4: SAP Security Myths
Some myths persist in the SAP security area. Fortunately, some of them have been dispelled by now. In this post, I will debunk them once again, as I did more than six years ago at the SourceBarcelona security conference in 2010, where I delivered my presentation ERP Security Myths, Problems, Solutions.
Myth 1: SAP Systems are only available internally
This belief is common for all internal or legacy corporate systems. These systems are thought to be available only internally. Perhaps, in the mainframe era, one was able to use SAP only inside the company, but not now: we are living in the age of global communications. You need numerous connections with other offices, customers, suppliers, SAP technical support, mobile users, the OT network, ICS systems, and so on, not to mention new HANA and Cloud features where all your data are potentially available to everyone on the Internet. Even if you don’t have any external connections, there is still a door into your system. Users’ workstations have both access to SAP and a connection to the Internet, which allows an attacker to compromise employees with malware and then connect to SAP servers. Unfortunately, it’s much easier than you think: just type a special string into Google search, say /irj/portal, which identifies the SAP login page, and you will see hundreds of SAP Portal systems accessible online. Some of them may be vulnerable.
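To check this myth against your own environment, the following added example (not part of the original post) scans web server access logs for requests to /irj/portal that come from outside the internal address ranges. The log format (combined), the internal ranges, the "google." referrer check and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the networks your organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PORTAL_PREFIX = "/irj/portal"  # SAP Portal login path named in the text

# Combined log format: ip - user [time] "METHOD path proto" status size "referer" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
10.1.4.22 - - [12/Mar/2017:09:01:11 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2017:09:03:40 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2017:09:05:02 +0000] "GET /irj/portal HTTP/1.1" 401 310 "-" "curl/7.50"
203.0.113.7 - - [12/Mar/2017:09:06:15 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
malformed line
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError if addr is not an IP
    return any(ip in net for net in INTERNAL_NETS)

def external_portal_hits(log_text):
    """Return (hits per external client, clients that arrived via a search engine)."""
    hits = Counter()
    via_search = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].lower().startswith(PORTAL_PREFIX):
            continue  # unparseable line or not a portal request
        try:
            internal = is_internal(m["ip"])
        except ValueError:
            continue  # client field is a hostname or garbage
        if internal:
            continue
        hits[m["ip"]] += 1
        if "google." in m["referer"].lower():  # assumption: simple referrer check
            via_search.add(m["ip"])
    return hits, via_search

if __name__ == "__main__":
    print(external_portal_hits(SAMPLE_LOG))
```

Any non-empty result means the portal login page is reachable from outside, and a search-engine referrer suggests it is already indexed.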
Myth 2: SAP Security is the vendor’s responsibility
A typical license states that a vendor is not responsible for any damage caused by vulnerabilities in its products.
In reality, the situation is rather better. If we divide all potential cybersecurity issues into two categories, we will see that vendors can solve program or architecture errors identified in their products, and they usually release updates sooner or later after an issue has been reported.
Of course, vendors try to release patches as soon as possible, but if you stay without a patch for at least one day after vulnerability disclosure, an attacker is likely to exploit it and get access to your data. So, even if the vendor releases patches, your system is still at risk during this time. Don’t forget that vendors are responsible only for two things: releasing software updates and guidelines. But these measures don’t provide comprehensive security. An administrator is responsible for a significant part of cybersecurity, including implementation, secure configuration, the human factor, patch management policies and procedures, access control implementation, and the security of custom-developed programs.
Myth 3: Business application internals are very specific and not known to hackers
In a nutshell, here we are talking about security through obscurity. Traditional widespread products such as browsers were “reviewed” by hackers for years, thus making them more secure. SAP Systems were not in the scope of researchers. However, everything changes. Now more and more business applications such as SAP are exposed to the Internet or work in the cloud, which raises the interest of hackers and researchers. According to our research of SAP Security History, there were 100+ articles about SAP Security in the last five years, and this number is increasing.
Myth 4: ERP Security is limited to SoD
Many people, especially ERP-focused people, think that SAP security is all about SoD and nothing else. Configuring secure access control for Active Directory won’t help you to secure infrastructure and network. This approach is not only insecure but also irrational. It’s like buying a new engine for your car every year when a tire is punctured. This is how you act when you spend all your resources on configuring Segregation of Duties and implementing GRC products, but leave your system unpatched. For example, if one has perfect SoD controls but a portal is exposed to the Internet and has an authentication bypass vulnerability, attackers can penetrate the system and cause irreparable damage.
I mean, having an ERP system with configured SoD and nothing else is like spending all your money on video systems and biometric access control while leaving the back door open for housekeepers.