A partner account manager can help. Contact us today.
SAP Enterprise Central Component (also known as SAP ERP, earlier – as SAP R/3) is a heart of Enterprise Resource Management. It is undoubtedly one of the major elements of any business as it enables effective management, storage and processing of such critical information as personal data of employees, financial and tax reports information about material resources and more, depending on the modules enabled. Unauthorized access to this system can result in disruption of key business processes and data corruption.
There are multiple risks related to SAP ERP systems. Some of them are listed below.
Having access to the Material Management (MM) module enables an attacker to modify material recourses data in any way that’s beneficial, for example one can manipulate any data that has to do with the quantity of material resources in stock or being delivered; or pilfer from warehouses in collusion with organization’s employees.
By means of VD01 transaction in Sales and Distribution (SD) module an attacker can create fake vendor to generate sales orders on behalf of this vendor via VA01 transaction. The outcome would most probably be money embezzlement.
Access to Sales and Distribution module would give an attacker the opportunity to change limits for credit operations by using FD32 or F.34 transactions. Thus, when there would be no limits for purchasing on credit it could cause an organization to fall into a money pit.
Using access to Sales and Distribution module an attacker can also substitute the data used for product cost assignment. Products pricing in SAP is processed automatically by measuring multiple criteria: monetary value of the transaction, customer type, season, discount availability, markups, etc. These actions are managed by VK11, VK12 and VK14 transactions. Due to the fact that the price is calculated automatically, pricing determination processes may be incomprehensible to an executor. Thus, actions of product cost manipulation may even remain unnoticed.
There are many tables in Sales and Distribution module that store credit card data: VCKUN, VCNUM, CCARDEC and more than 50 others. Besides material losses to your organization, stealing credit card data would jeopardize business credibility.
SAP ECC System uses SAP NetWeaver Application Server ABAP as its main platform. Therefore, it is subject to all the risks of the platform and that counts more than 1000 risks. Additionally, there are about 350 specific vulnerabilities in different modules of SAP ECC. Some of them were revealed back in 2007 and are still relevant to many systems. In particular, the latter remains true to a vulnerability in the Gateway service that enables unauthorized access to SAP server and execution of any OS commands.
ERPScan Security Monitoring Suite for SAP contains a wide range of checks aimed to discover security issues specific to SAP ERP Systems. The solution’s leading position in the field has been confirmed by multiple awards. This is the only SAP SE-certified solution on the market to identify, analyze and remediate all SAP security issues and to enable powerful protection against cyber-attacks and fraud. It embraces all the three tiers of SAP security: vulnerability management, source code review for custom programs and segregation of duties (SoD).