What is SAP ERP?
SAP Enterprise Central Component (also known as SAP ERP, and earlier as SAP R/3) is the
heart of Enterprise Resource Management. It is undoubtedly one of the major elements of any business, as
it enables effective management, storage and processing of such critical information as personal data of
employees, financial and tax reports, information about material resources and more, depending on the
modules enabled. Unauthorized access to this system can result in disruption of key business processes
and data corruption.
SAP ERP Security Risks
There are multiple risks related to SAP ERP systems. Some of them are listed below.
material resources (Fraud)
Having access to the Material Management (MM) module enables an attacker to modify
material resources data in any way that is beneficial to them. For example, one can manipulate any data that has
to do with the quantity of material resources in stock or being delivered, or pilfer from warehouses in
collusion with the organization's employees.
Embezzlement of funds
By means of the VD01 transaction in the Sales and Distribution (SD) module, an attacker can
create a fake vendor and generate sales orders on behalf of this vendor via the VA01 transaction. The outcome
would most probably be money embezzlement.
Manipulation of credit
Access to the Sales and Distribution module would give an attacker the opportunity to
change limits for credit operations by using the FD32 or F.34 transactions. With no
limits on purchasing on credit, an organization could fall into a money pit.
manipulation (Sabotage, Fraud)
Using access to the Sales and Distribution module, an attacker can also substitute the
data used for product cost assignment. Product pricing in SAP is processed automatically by measuring
multiple criteria: monetary value of the transaction, customer type, season, discount availability,
markups, etc. These actions are managed by the VK11, VK12 and VK14 transactions. Because the
price is calculated automatically, the pricing determination process may be incomprehensible to the
person handling the transaction. Thus, product cost manipulation may even remain unnoticed.
Credit card data theft
There are many tables in the Sales and Distribution module that store credit card data:
VCKUN, VCNUM, CCARDEC and more than 50 others. Besides material losses to your organization, theft of
credit card data would jeopardize business credibility.
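
As an added example (not ERPScan's code and not part of the original page), the sketch below reviews a transaction-usage export for the transaction codes named above and reports any user who ran both VD01 and VA01, the combination described under embezzlement. The CSV layout, the user names and the `parse` and `review` functions are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Transaction codes named on this page, grouped by the risk they are listed under.
RISK_BY_TCODE = {
    "VD01": "embezzlement", "VA01": "embezzlement",
    "FD32": "credit manipulation", "F.34": "credit manipulation",
    "VK11": "price manipulation", "VK12": "price manipulation",
    "VK14": "price manipulation",
}
# Transaction pairs one user should not be able to run alone (segregation of duties).
SOD_CONFLICTS = [("VD01", "VA01")]

# Constructed sample export: timestamp,user,tcode.
# Hypothetical layout for illustration, not a real SAP log format.
SAMPLE_LOG = """\
2024-03-01T09:12:00,JSMITH,VA01
2024-03-01T09:40:00,MBROWN,VD01
2024-03-01T10:05:00,MBROWN,VA01
2024-03-01T11:30:00,ACLARK,FD32
2024-03-01T11:31:00,ACLARK,MM03
2024-03-01T23:50:00,JSMITH,VK12
"""

def parse(log_text):
    """Yield (timestamp, user, tcode), skipping blank or malformed rows."""
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) == 3 and all(field.strip() for field in row):
            ts, user, tcode = (field.strip() for field in row)
            yield ts, user.upper(), tcode.upper()

def review(log_text):
    """Return ({user: [risk categories]}, [(user, tcode_a, tcode_b)])."""
    used = defaultdict(set)  # user -> sensitive transaction codes executed
    for _ts, user, tcode in parse(log_text):
        if tcode in RISK_BY_TCODE:
            used[user].add(tcode)
    sensitive = {user: sorted({RISK_BY_TCODE[t] for t in codes})
                 for user, codes in used.items()}
    sod = sorted((user, a, b) for user, codes in used.items()
                 for a, b in SOD_CONFLICTS if a in codes and b in codes)
    return sensitive, sod

if __name__ == "__main__":
    sensitive, sod = review(SAMPLE_LOG)
    for user, risks in sorted(sensitive.items()):
        print(f"{user}: {', '.join(risks)}")
    for user, a, b in sod:
        print(f"SoD conflict: {user} ran both {a} and {b}")
```
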
SAP ERP Vulnerabilities
The SAP ECC system uses SAP NetWeaver Application Server ABAP as its main platform.
Therefore, it is subject to all the risks of the platform, which number more than 1000.
Additionally, there are about 350 specific vulnerabilities in different modules of SAP ECC. Some of them
were revealed back in 2007 and are still relevant to many systems. In particular, this is
true of a vulnerability in the Gateway service that enables unauthorized access to the SAP server and
execution of any OS commands.
How can our software be of help to ensure SAP ERP Security?
ERPScan Security Monitoring Suite for SAP contains a wide
range of checks aimed at discovering security issues specific to SAP ERP systems. The solution's leading
position in the field has been confirmed by multiple awards. This is the only SAP SE-certified solution
on the market to identify, analyze and remediate all SAP security issues and to enable powerful
protection against cyber-attacks and fraud. It embraces all three tiers of SAP security:
vulnerability management, source code review for custom programs and segregation of duties (SoD).