A strong warning has gone out to all organizations using SAP systems globally. According to a recent study published by the security firm Onapsis, more than 95 percent of SAP systems have vulnerabilities that could compromise the security of the organization’s business processes and data.
Today, more than 250,000 customers across the world have integrated SAP into their day-to-day operations, including 98 percent of the top 100 most valued brands and 87 percent of the Global 2000 companies. SAP systems generally host valuable and sensitive data belonging to these organizations, yet they are not fully protected from cyber threats, particularly by traditional security approaches.
According to a spokesperson from Onapsis, "These attack vectors put intellectual property, financial, credit card, customer and supplier data, as well as database warehouse information, at risk for the world's largest companies." The firm has also highlighted the three most common cyber attack vectors used to compromise the security of SAP business systems and tools at the application layer.
One of the most common attack vectors against SAP (Systems Applications and Products) is pivoting between different systems. The attack originates in a pivot system with lower security and moves on to a critical system in order to execute harmful remote modules that impact the destination system.
Second, supplier and customer portals are frequently targeted. Typically, backdoor users are created within the SAP J2EE User Management Engine. By exploiting a vulnerability, attackers can gain access rights to SAP Portals and Process Integration platforms, and can go on to affect the internal systems connected to them.
Third, database warehousing attacks generally take place via SAP proprietary protocols. According to Onapsis, these attacks are performed when particular users use their privileges to execute operating system commands and exploit vulnerabilities in the SAP RFC Gateway. Attackers can then obtain, and potentially modify, any sensitive business information or data present in the SAP database.
According to Mariano Nunez, co-founder and CEO of Onapsis, “The big surprise is that SAP cyber security is falling through the cracks at most companies due to a ‘responsibility’ gap between the SAP Operations team and the IT Security team.” He adds, “The truth is that most patches applied are not security-related, are late or introduce further operational risk. Breaches are happening every day but still many CISOs don’t know because they don’t have visibility into their SAP applications.”
In addition to the concerns above, the study found that most companies are exposed by protracted patching windows that average 18 months or more. SAP released 391 security patches in 2014 alone, a figure that works out to over 30 per month. Approximately 50 percent of them were ranked “high priority” by the security tools of SAP.
Nunez continued, “This trend is not only continuing, but exacerbating with SAP HANA, which has brought a 450 percent increase in new security patches specifically affecting this platform. With SAP HANA positioned in the center of the SAP ecosystem, data stored in SAP platforms must now be protected both in the cloud and on-premise.”
Onapsis has urged organizations running critical and data-sensitive business processes in SAP Business Suite applications and solutions to keep up with the latest SAP Security Notes. Doing so will ensure that their systems are configured to meet all compliance requirements and will raise their level of security.