Palo Alto, CA - August 1. ERPScan, the most credible business application security provider, released the first comprehensive SAP Cybersecurity Threat Report.
While SAP Security specialists started to examine such systems almost 10 years ago, not all security experts, let alone the wider public, were familiar with the topic. The years 2015-2016 were game-changing for SAP Cybersecurity. Nowadays, top security experts agree on the importance of SAP Security (it was listed as a beyond-2016 trend at the Gartner Summit), SAP Security incidents were covered in the world's leading media, and several guidelines on securing SAP systems were released. Nonetheless, the industry still lacks in-depth research into the different parts of SAP Cybersecurity.
To close this gap, the ERPScan research team decided to slightly change the concept of its annual "SAP security in figures" research. The new SAP Cybersecurity Threat Report covers three main angles of SAP Cybersecurity, namely SAP Product Security, SAP Implementation Security, and SAP Security Awareness.
In 2011, when we published the annual research for the first time, SAP Security was in its initial state. The study proved that the topic was not only theoretically comprehensible but could be grounded in actual numbers and metrics. However, times have changed, and our research team always keeps up with the latest trends. We kept the statistics, as they remain very important, and added new parts: a compiled history of all SAP security incidents, and an analysis of threats based on a worldwide scan for vulnerable SAP systems. The analysis of the effect that SAP Security research has on the security of deployed systems is also worth mentioning. The research revealed that the number of talks at security conferences directly affects the level of SAP Security in a particular country. This means that our presentations in more than 30 countries (from the United States and Germany to Hungary and Iceland) and this report series were not in vain.
SAP Product Security
- The average number of security patches for SAP products per year has slightly decreased. However, this doesn’t mean that the number of issues has dropped too: SAP now fixes multiple vulnerabilities in one patch, whereas three years ago each patch addressed a single one.
- The list of vulnerable platforms has expanded and now includes modern cloud and mobile technologies such as HANA. Because of cloud and mobile technologies, new SAP systems have become more exposed to the Internet, and thus every vulnerability identified in these services can affect thousands of multinationals (just remember that 90% of the Fortune 2000 companies use SAP). For example, the latest reported issues in SAP Mobile affect more than a million mobile devices, and SAP HANA vulnerabilities affect the 6000+ companies that use SAP HANA.
- There are vulnerabilities in almost every SAP module, with CRM taking the leading position among them. According to our study, the most vulnerable products are CRM, EP, and SRM. However, one shouldn’t underestimate vulnerabilities affecting SAP HANA and SAP Mobile apps, as they attracted researchers’ (and, unfortunately, hackers’) attention more quickly than the traditional modules.
- The number of vulnerabilities in industry-specific solutions has grown significantly. SAP has a set of products designed for particular industries, and more than 160 vulnerabilities have been detected in these solutions. The most vulnerable types of industry-specific solutions are SAP for Banking, Retail, Advertising Management, Automotive, and Utilities.
SAP Implementation Security
- The worldwide threat landscape has grown to more than 36000 systems. Most of those services (69%) should not be directly accessible from the Internet.
- Critical infrastructure and IoT devices are at risk. SAP does not only manage enterprise resources but also acts as a mediator between IT and OT systems. Thus, insecure SAP configurations can be used to exploit critical infrastructure.
SAP Security Awareness
- Almost half of the unnecessarily exposed services are located in three countries where new technologies are widely adopted (namely the USA, India, and China).
- The number of SAP Security talks delivered at conferences worldwide correlates with the number of unnecessarily exposed services (relative to the total number of implemented systems).
Countries where the highest number of SAP Security presentations were delivered (namely the USA, Germany, and the Netherlands) are characterized by more secure SAP system installations than countries where SAP researchers did not present their studies. ERPScan is proud to have been invited to speak in 25 different countries across 6 continents, including such places as Cyprus, Kuwait, and Hungary. Hopefully, this has helped to increase SAP Security awareness worldwide.
“We used our own scanning method to gather information about SAP systems. Protocols used to interact with and between SAP servers are often proprietary and not well-known outside of the SAP IT world. It means that open scan resources don’t include those specific protocols in their scans. That’s why we built a database of probe requests and then match probe responses to determine the state of the service. When we perform a check for a vulnerability, if there is no friendly payload, we try to fingerprint the version of a remote service to compute potential statistics.”
- commented Mathieu Geli, Director of SAP Threat Intelligence
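The probe-and-match approach described in the quote above is the same one a defender can use to inventory their own perimeter: send a known request, match the response against a signature database, and flag services that policy says should never be Internet-facing (the basis for a figure like the report's 69%). The following is an added example written for this page, not ERPScan's scanner or probe database: the `SIGNATURES` table, the service names, the response samples and the Internet-facing policy flags are all constructed for illustration, and real SAP protocol signatures are not reproduced here.

```python
"""Probe-response fingerprinting and exposure statistics (added example, hypothetical data)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    service: str
    pattern: re.Pattern            # bytes regex; may capture a 'version' group
    internet_facing_allowed: bool  # policy: may this service be exposed?


@dataclass(frozen=True)
class Fingerprint:
    service: str
    version: Optional[str]
    internet_facing_allowed: bool


# Constructed signature database. More specific signatures come first so that a
# response matching several patterns is classified by the most specific one.
# These patterns are hypothetical and do NOT describe any real SAP protocol.
SIGNATURES = (
    Signature("admin-console",
              re.compile(rb"<title>Administration Console(?: (?P<version>[0-9.]+))?</title>", re.I),
              False),
    Signature("legacy-rpc-gateway",
              re.compile(rb"^GW\x00(?P<version>\d+\.\d+)"),
              False),
    Signature("web-frontend",
              re.compile(rb"\r\nServer: (?P<version>[^\r\n]+)", re.I),
              True),
)

# Constructed probe responses, keyed by host label (not real captures).
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "host-a": b"HTTP/1.1 200 OK\r\nServer: ExampleWeb/7.5\r\n\r\n<html><title>Portal</title></html>",
    "host-b": b"HTTP/1.1 200 OK\r\nServer: ExampleWeb/7.4\r\n\r\n<html><title>Administration Console 7.4</title></html>",
    "host-c": b"GW\x002.1\x00\x00\x00",
    "host-d": b"SSH-2.0-OpenSSH_8.9\r\n",
}


def classify(response: bytes) -> Optional[Fingerprint]:
    """Match one probe response against the signature table; None if unknown."""
    for sig in SIGNATURES:
        m = sig.pattern.search(response)
        if m:
            raw = m.groupdict().get("version")
            version = raw.decode("ascii", errors="replace") if raw else None
            return Fingerprint(sig.service, version, sig.internet_facing_allowed)
    return None


def exposure_report(responses: Dict[str, bytes]) -> dict:
    """Summarise which fingerprinted hosts expose services that policy forbids."""
    fingerprinted: Dict[str, Fingerprint] = {}
    unknown: List[str] = []
    for host, resp in responses.items():
        fp = classify(resp)
        if fp is None:
            unknown.append(host)
        else:
            fingerprinted[host] = fp
    exposed = sorted(h for h, fp in fingerprinted.items() if not fp.internet_facing_allowed)
    total = len(fingerprinted)
    pct = round(100.0 * len(exposed) / total, 1) if total else 0.0
    return {
        "fingerprinted": total,
        "unknown": len(unknown),
        "unnecessarily_exposed": exposed,
        "percent_unnecessarily_exposed": pct,
    }


if __name__ == "__main__":
    for host, resp in SAMPLE_RESPONSES.items():
        print(host, classify(resp))
    print(exposure_report(SAMPLE_RESPONSES))
```

Unknown responses are counted separately rather than treated as safe, so that a protocol missing from the signature table (exactly the gap the quote describes for proprietary SAP protocols) shows up as a coverage problem instead of silently lowering the exposure percentage.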
The reports in this series have always helped to decrease the number of SAP systems exposed to cyber threats. We hope the current edition won’t be an exception.