SAP security must be holistic
Securing SAP enterprise resource planning (ERP) systems has to go beyond segregation of duties controls: these are necessary, but on their own they are not enough.
This is according to Juan Perez-Etchegoyen, CTO at ERP security company Onapsis. Speaking at ITWeb's 7th annual Security Summit yesterday, he said ERP systems store the most critical business information in the organisation, and so security must be looked at holistically.
He added that if the SAP platform is breached, an intruder can perform different attacks. These include espionage, where private information is accessed; sabotage, by shutting down the system or deleting critical information; and fraud, where information is modified and tampered with.
Perez-Etchegoyen said that, five years ago, SAP security was regarded as a synonym for “segregation of duties (SOD) controls”, meaning that employees could only do what they were supposed to.
“This was mapped to a SOD matrix with SAP transactions/authorisation objects. Most large organisations had ‘SAP security’ in place. They were spending hundreds of thousands/millions of dollars on SAP security yearly by having a dedicated team of SAP security professionals and SOD software (usually costing $500 000 to $2 million or more).”
The CTO said the status quo seemed to be working until 2005, when Onapsis was hired to do a Web application penetration test. “Suddenly, we started discovering vulnerabilities that were not in the apps, but in the SAP framework itself. We checked online; they were not reported. We presented the results of our research at BlackHat EU 2007. Back then, the total number of reported SAP vulnerabilities was 90.”
An SAP security note usually addresses one or more vulnerabilities; at the time of the talk, the total number of SAP security notes stood at 2 068.
For this reason, Perez-Etchegoyen said SAP security is a complex discipline that must be addressed holistically.
“While most SAP systems were only reachable internally a decade ago, now it's common for SAP systems to be connected to the Internet. Attackers know how to find them using regular search engines. Even if companies believe they are not online, many of them are. When you acquire the SAP software licence, the agreement specifies that you have to allow remote access through a special component called SAProuter.”
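The SAProuter mentioned above decides what a remote party may reach through its route permission table (saprouttab), so a practical first step in answering “are our SAP systems exposed?” is to audit that table rather than to trust the belief that the systems are internal. The following checker is an added example written for this page; it is not code from the talk, from Onapsis or from SAP. It assumes the standard saprouttab layout (one entry per line: P for permit, D for deny or S for permit-only-with-SNC, followed by source host, destination host and destination service, with `*` as a wildcard), assumes that the first matching entry wins and that no match means deny, and classifies destination ports using SAP's default numbering convention (32NN dispatcher, 33NN RFC gateway, 36NN message server, 80NN/443NN ICM, 3299 SAProuter, NN being the instance number). The sample table is constructed and does not describe any real system.

```python
"""Audit an SAProuter route permission table (saprouttab) for entries that
expose SAP systems more widely than intended.

Assumed format (one entry per line, first match wins, no match = deny):
    <ACTION> <source-host> <dest-host> <dest-service> [password]
where ACTION is P (permit), D (deny) or S (permit SNC-protected only) and
'*' may be used as a wildcard in any of the three address fields.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class RouteEntry:
    action: str      # 'P', 'D' or 'S'
    src: str         # source host pattern
    dst: str         # destination host pattern
    service: str     # destination port number or SAP service name
    line_no: int


@dataclass
class Finding:
    severity: str    # CRITICAL / HIGH / MEDIUM / LOW
    line_no: int
    message: str


def parse_saprouttab(text: str) -> List[RouteEntry]:
    """Parse saprouttab text; '#' starts a comment, blank lines are ignored."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() not in ("P", "D", "S"):
            raise ValueError(f"line {n}: expected 'P|D|S src dst service', got {raw!r}")
        entries.append(RouteEntry(parts[0].upper(), parts[1], parts[2], parts[3], n))
    return entries


# Assumed SAP default port scheme: 32NN dispatcher, 33NN gateway, 36NN message
# server, 80NN ICM HTTP, 443NN ICM HTTPS, 3299 SAProuter (NN = instance number).
_PORT_PREFIXES = {"32": "dispatcher", "33": "gateway", "36": "message server",
                  "80": "ICM HTTP", "443": "ICM HTTPS"}
_NAME_PREFIXES = {"sapdp": "dispatcher", "sapgw": "gateway"}


def classify_service(service: str) -> Tuple[str, Optional[str]]:
    """Map a port number or service name to (SAP service, instance number)."""
    if service == "3299":
        return ("saprouter", None)
    m = re.fullmatch(r"(32|33|36|80|443)(\d\d)", service)
    if m:
        return (_PORT_PREFIXES[m.group(1)], m.group(2))
    m = re.fullmatch(r"(sapdp|sapgw)(\d\d)", service)
    if m:
        return (_NAME_PREFIXES[m.group(1)], m.group(2))
    if service.startswith("sapms"):          # sapms<SID>: message server by name
        return ("message server", None)
    return ("unknown", None)


def _covers(pattern: str, other: str) -> bool:
    """True if an earlier field pattern matches everything a later one matches.
    Exact for '*' and literals; a partial wildcard such as 10.20.0.* is only
    compared against a later literal field."""
    if pattern == "*" or pattern == other:
        return True
    return "*" not in other and fnmatchcase(other, pattern)


def audit_saprouttab(text: str) -> List[Finding]:
    """Return findings for over-permissive permits and entries that never apply."""
    entries = parse_saprouttab(text)
    findings: List[Finding] = []
    for idx, e in enumerate(entries):
        if e.action in ("P", "S"):
            if (e.src, e.dst, e.service) == ("*", "*", "*"):
                findings.append(Finding("CRITICAL", e.line_no,
                    "permit-all entry: any source may reach any host and service"))
            else:
                if e.src == "*":
                    findings.append(Finding("HIGH", e.line_no,
                        f"any source host may reach {e.dst}:{e.service}"))
                if e.service == "*":
                    findings.append(Finding("MEDIUM", e.line_no,
                        f"all services on {e.dst} reachable from {e.src}"))
                name, inst = classify_service(e.service)
                if name in ("gateway", "message server"):
                    findings.append(Finding("HIGH", e.line_no,
                        f"{name} (instance {inst}) of {e.dst} exposed to {e.src}; "
                        "RFC gateway/message server should not be routed externally"))
        # First match wins: an entry fully covered by an earlier one never applies,
        # which is dangerous when the shadowed entry is a deny.
        for earlier in entries[:idx]:
            if (_covers(earlier.src, e.src) and _covers(earlier.dst, e.dst)
                    and _covers(earlier.service, e.service)):
                sev = "HIGH" if e.action == "D" and earlier.action != "D" else "LOW"
                findings.append(Finding(sev, e.line_no,
                    f"entry shadowed by line {earlier.line_no} ({earlier.action} "
                    f"{earlier.src} {earlier.dst} {earlier.service}) and never applies"))
                break
    return findings


# Constructed sample table for illustration (not from any real system).
SAMPLE_SAPROUTTAB = """\
# saprouttab: ACTION SRC DST SERVICE
P 194.39.131.34 sapapp01 3299      # remote support hop to the next SAProuter
P 10.20.0.* sapapp01 sapdp00       # internal admin subnet to the dispatcher
P * sapapp01 3300                  # anyone to the RFC gateway
P * * *                            # permit-all
D * sapdb01 *                      # intended deny, but shadowed by the line above
"""

if __name__ == "__main__":
    for f in audit_saprouttab(SAMPLE_SAPROUTTAB):
        print(f"{f.severity:8} line {f.line_no}: {f.message}")
```

Run against the sample table, the checker reports the any-source permit to the RFC gateway on line 4 twice (once for the wildcard source, once because the target is a gateway), the permit-all on line 5, and the deny on line 6 that can never take effect because the permit-all above it matches first. The shadowing check is deliberately conservative: it only compares partial wildcards against literal fields, so it will miss some redundant entries but will not report a false shadow.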
The CTO said that, since 2005, Onapsis was engaged to perform numerous SAP penetration tests. “We have evaluated more than 550 SAP Application Servers in total. Over 95% of the systems were exposed to espionage, sabotage and fraud attacks. Only 5% of the evaluated SAP systems had the proper security audit logging features enabled. None of the evaluated SAP systems were fully updated with the latest SAP security patches. In most cases, the attack vectors that lead to the initial compromise resulted from the exploitation of vulnerabilities that have been publicly known for more than five years.”