
SA's Department of Water Affairs under cyber attack; SAP landscape at high risk: #OpAfrica

Water, they say, gives life and purity, and it has no enemy. Perhaps this is not so true for SA's Department of Water Affairs, says Tunde Ogunkoya, Consulting Partner, Africa at DeltaGRiC Consulting.


Johannesburg, 19 Feb 2016

Last week, during the Valentine's period, members of the World Hacker Team, one of Anonymous' subdivisions, took it on themselves to send a love gift to South Africa's Department of Water Affairs (DWA) by breaching the department and releasing leaked data, including real names, e-mails, and ID numbers of over 5 800 government employees and collaborators, as part of the group's #OpAfrica and #OpMonsanto campaigns.

#OpAfrica is an Anonymous social campaign launched to highlight the situation of child labour and government corruption in African countries.

Earlier in the year, I wrote about Turning the Tides on Cybersecurity in 2016; Lessons learnt from 2015, and examined some notable cyber incidents that occurred in 2015, citing the South African government's Wikileak on confidential and top secret information as a grave example of a 2015 Africa hack, says Tunde Ogunkoya, Consulting Partner, Africa at DeltaGRiC Consulting.

Less than a month after that story, another situation has arisen in SA, where more than 5 800 HR and procurement data records have been displayed online as evidence of cyber hacks on the Department of Water Affairs in SA.

With the model of this attack, it is very likely the attackers may have taken advantage of trusted connections, integration points and/or universal users' privileges on the already compromised systems to get into the SAP systems, leveraging published/zero-day vulnerabilities to plot further attacks and exploitation of the SAP ERP landscape (if not already done). Obviously, SAP security still proves a huge challenge for most organisations.

In order to prevent these types of attacks, it is important to begin to see more collaboration between IT security and SAP security as the way forward to protecting SAP landscapes. Also, executive commitment without bias needs to be given to SAP cyber security programmes and guided investments into technologies that can help prevent cyber attacks and also monitor SAP security.

Today, there is no existing guiding framework to govern the actual investigation and prosecution of these types of attacks in SA or even the whole of Africa. Hence, the repercussions arising from such cyber incidents are not only about reputation damage, but also largely involve negative financial implications, because:

* There is reputation damage to the DWA (especially at a time where drought hits SA and confidence in the government dwindles);
* It could lead to huge litigation costs to the DWA, as we cannot rule out the fact that the contractors and/or business partners whose names have been published and whose fundamental rights of privacy have been breached as a result of DWA's carelessness could go ahead to sue for damages (POPI Act violation by DWA);
* It definitely will cost taxpayers of the Republic of South Africa a huge chunk in recovery programmes, plus ill-guided cyber investigations; and
* From whatever perspective we look at this incident, it gives rise to an increase in the already huge premium on cyber insurance for the government - a liability that SA cannot afford in these hard economic times.

Allow me to share some quick and very important pointers for reducing the attack surface of SAP landscapes:

* Network filtering: A fundamental requirement for secure systems based on the SAP NetWeaver Application Server component. It reduces the attack surface to the least number of services required to be accessed by end-users.
* Password management: Default passwords, weak password policies, and old password hashes can lead to insecure systems and must be configured in a secure way.
* Secure HTTP (HTTPS) and secure network communication: Cryptographically secured network communication is recommended to mitigate risks of interception of communication containing business data and user credentials (passwords, SAP logon tickets, and so on). Protection of cryptographic keys is also required.
* Remote function call (RFC) connectivity with ABAP programming language: Security of SAP software systems relies on separation of systems of different security classifications (such as development, test and production). If interconnectivity between systems of different security classification is required, it should be done considering guidelines to ensure the security of systems with higher classification.
* Gateway security and message server security: Secure configuration of gateways and message servers is required to mitigate the risk of unauthorised access to SAP software systems.
* Security patch management for ABAP: Security notes must be implemented to ensure identified security vulnerabilities are closed and cannot be misused by attackers.
* Security configuration monitoring: As system configuration may change, monitoring of security configuration is essential to ensure systems remain in a secure state.
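The password, gateway, message server and configuration-monitoring pointers above can be checked mechanically. The following is an added example, not code from this article or from DeltaGRiC Consulting: it audits a profile-parameter snapshot against a baseline and reports drift between two snapshots. It assumes a plain `name = value` export; the expected values in the baseline and the sample snapshot are constructed for illustration.

```python
# Added example: audit an SAP profile-parameter snapshot against a baseline.
# Expected values are illustrative assumptions, not vendor-mandated settings.
BASELINE = {
    "login/min_password_lng": (lambda v: v.isdigit() and int(v) >= 8, ">= 8"),
    "login/password_downwards_compatibility": (lambda v: v == "0", "0"),
    "login/no_automatic_user_sapstar": (lambda v: v == "1", "1"),
    "gw/acl_mode": (lambda v: v == "1", "1"),
    "gw/sec_info": (lambda v: v != "", "ACL file configured"),
    "gw/reg_info": (lambda v: v != "", "ACL file configured"),
    "ms/acl_info": (lambda v: v != "", "ACL file configured"),
    "snc/enable": (lambda v: v == "1", "1"),
}

def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment; later lines win."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(params, baseline=BASELINE):
    """Return sorted (parameter, actual, expected) for each deviation."""
    findings = []
    for name, (ok, expected) in baseline.items():
        actual = params.get(name)
        # An absent parameter falls back to a default the snapshot does not
        # show, so it is reported as '<unset>' for manual review.
        if actual is None or not ok(actual):
            findings.append((name, "<unset>" if actual is None else actual, expected))
    return sorted(findings)

def drift(previous, current):
    """Parameters whose value differs between two snapshots."""
    keys = sorted(set(previous) | set(current))
    return {k: (previous.get(k), current.get(k))
            for k in keys if previous.get(k) != current.get(k)}

SAMPLE = """\
# constructed sample, not taken from a real system
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 1
gw/acl_mode = 1
gw/sec_info = /usr/sap/<SID>/secinfo
gw/reg_info =
snc/enable = 0
"""
```

Running `audit(parse_profile(SAMPLE))` on each scheduled export, and `drift` against the previous export, gives a simple record of when a system left its secure state.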

Of course, while there may be a potential political undertone to this attack, one thing is sure: It is important for SAP-run businesses to take the data of their business as well as their stakeholders (employees, contractors and other business partners) seriously and invest in technologies that can assist them to have a clean SAP cyber slate.

DeltaGRiC Consulting remains the only consultancy in Africa dedicated solely to helping organisations running on SAP prevent cyber security and compliance violations on their landscape. For information on automating the process of securing SAP landscapes, be sure to write to DeltaGRiC Consulting on info@deltagricconsulting.com.


Editorial contacts

Tunde Ogunkoya
DeltaGRiC Consulting
(+27) 11 083 9828
tunde@deltagricconsulting.com