SAP security ‒ security for standardised ERP software is possible [Part 2]

Author
Michel Kühne
Published
09. October 2019

The SAP system is often one of the most important applications in the entire company. You can use certain SAP components to gain an overview of the entire company, be it purchasing, warehousing, development, production, shipping, and invoicing ‒ SAP can view and control all of these processes. Therefore, it's no wonder that cyber criminals are becoming increasingly interested in using vulnerabilities in SAP systems to their advantage. In this article, we will show you what the weak points are, and how to protect SAP against attacks.

Cybercrime is on the rise and targeting the heart of every company, which means in many cases the SAP system landscape. This is where data with tough requirements in terms of integrity, confidentiality and availability is processed. This means that it has to be an important goal for any company to ensure that these systems are secure. The reasons why this is not always the case have been explained in a previous article. You will also discover that a holistic approach to security is the only way to meet security requirements.

SAP security: a challenge for many companies

SAP is one of the world's leading ERP solutions ‒ and this is also true in Switzerland. An SAP system typically processes and stores critical data and in many cases even the company's intellectual “crown jewels”. This means that it is vital to ensure that all system components and data are adequately protected and that the level of protection is tailored to suit the risk exposure. The SAP software's high degree of flexibility and scalability provides enormous benefits, but (as is so often the case) also some major drawbacks. The software can be extensively customised to meet customer-specific requirements, but the complexity and therefore susceptibility to errors also increases at the same time, which often leads to "compromises" or vulnerabilities in terms of security. In addition, many SAP solutions are enhanced by users' in-house developments, which are often insufficiently tested for their quality and security aspects. The proliferation of SAP system networks, for example in international supply chains, offers potential hackers and cybercriminals even more vectors of attack.

Therefore, SAP security should be far up the list of cyber security priorities. However, in our experience the focus is often only on access authorisations and automated controls for business processes in the production client. Threats or points of attack originating from other levels, e.g. the operating system and the database, are often neglected, as they are seen only as a cost factor and are not the focus of the specialist departments. However, if these security issues are not given sufficient consideration, the SAP authorisation concept can be undermined.

It was recently discovered that around 90 % of SAP systems (in other words, around 50,000 SAP customers worldwide) are at risk because a fictitious application server can be connected remotely using the so-called 10KBlaze exploit, giving access to the SAP system with unrestricted rights. This enables an attacker to view and change sensitive business data, up to and including the complete compromise of the SAP system. This affects information from applications such as SAP Business Suite, SAP ERP, SAP S/4HANA, SAP CRM and SAP HCM.

Could you have been compromised? What you need to do now

This vulnerability is not in the SAP code itself but in incorrectly configured SAP NetWeaver installations. If you operate SAP yourself, we strongly recommend that you review the following actions and SAP Notes and implement them immediately:

  • Limit access to SAP Message Server
    • SAP Notes 1408081 and 821875: restrict the permitted hosts via ACL files on the gateway (gw/acl_mode and secinfo) and on the Message Server (ms/acl_info).
    • SAP Note 1421005: separate internal and public message server traffic: rdisp/msserv=0 and rdisp/msserv_internal=39NN.
    • Prevent Internet clients from reaching the internal message server port (tcp/39NN).
    • Activate secure network communications (SNC) for clients.
  • Scan for exposed SAP components
    • SAP systems (particularly Gateways and routers) should only be accessible via predefined paths.
    • Publicly accessible services (e.g. unused SAP Router installations) should be switched off or secured.
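The profile-parameter items in the list above can be checked mechanically. The following is an added example (not code from the article or from SAP) that parses an SAP instance profile in its usual `key = value` form and reports which of the listed settings are missing or weak. The parameter names gw/acl_mode, gw/sec_info, ms/acl_info, rdisp/msserv and rdisp/msserv_internal are real SAP profile parameters; the recommended values are those given in the list above. The choice of snc/enable as the parameter standing for "activate SNC" is an assumption, and both profiles embedded below are constructed sample input.

```python
import re

# Hardening checks derived from the SAP Notes listed in the article
# (1408081, 821875, 1421005). The 39NN internal port must be "39" plus the
# two-digit instance number, which profiles usually write as 39$(SAPSYSTEM).

def parse_profile(text):
    """Parse 'key = value' lines of an SAP instance profile into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def resolve(value, params):
    """Expand $(NAME) references such as 39$(SAPSYSTEM) using other parameters."""
    return re.sub(r"\$\((\w+)\)", lambda m: params.get(m.group(1), m.group(0)), value)


def audit_profile(text):
    """Return a list of findings; an empty list means all listed checks pass."""
    p = parse_profile(text)
    findings = []
    if p.get("gw/acl_mode") != "1":
        findings.append("gw/acl_mode should be 1 (restrictive gateway ACL default)")
    if not p.get("gw/sec_info"):
        findings.append("gw/sec_info not set: no secinfo ACL file for the gateway")
    if not p.get("ms/acl_info"):
        findings.append("ms/acl_info not set: message server has no host ACL")
    if p.get("rdisp/msserv") != "0":
        findings.append("rdisp/msserv should be 0 (separate public and internal traffic)")
    internal = resolve(p.get("rdisp/msserv_internal", ""), p)
    if not re.fullmatch(r"39\d\d", internal):
        findings.append("rdisp/msserv_internal should be 39NN (NN = instance number)")
    if p.get("snc/enable") != "1":  # assumption: snc/enable stands for 'activate SNC'
        findings.append("snc/enable should be 1 (SNC not activated)")
    return findings


# Constructed sample profiles (not from a real system).
WEAK_PROFILE = """
SAPSYSTEMNAME = PRD
SAPSYSTEM = 00
gw/acl_mode = 0
rdisp/msserv = sapmsPRD
"""

HARDENED_PROFILE = """
SAPSYSTEMNAME = PRD
SAPSYSTEM = 00
gw/acl_mode = 1
gw/sec_info = $(DIR_GLOBAL)/secinfo
ms/acl_info = $(DIR_GLOBAL)/ms_acl_info
rdisp/msserv = 0
rdisp/msserv_internal = 39$(SAPSYSTEM)
snc/enable = 1
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: {len(audit_profile(text))} finding(s)")
        for f in audit_profile(text):
            print("  -", f)
```

Run it against an exported instance profile to get a first-pass list of the settings above that still need attention; the network-level items (blocking tcp/39NN from the Internet, switching off unused SAP Router instances) still have to be verified on the firewall and the hosts themselves.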

SAP interfaces, the target of choice for attackers

Interfaces between SAP and other ERP systems are increasingly becoming a focus of cyberattacks. Generally speaking, SAP systems' risk depends on the deployment scenario. An isolated SAP system is usually less susceptible to attacks than a system that is made available via public networks. But even in internal networks, a lack of protection at the network or SAP system level can lead to unauthorised access and use. It should also be remembered here that so-called "insiders" are responsible for a high proportion of critical security incidents. If an attacker (or even a malicious insider) can gain access to the SAP system database, they can modify or misuse the SAP data as they wish. In some cases, network access is all that is required to launch attacks such as these. Even having a restrictive authorisation concept at SAP level will not prevent an attack of this kind or minimise the potential damage.

The use of web technologies, such as http(s)-based access options and web applications with Internet connectivity, has significantly increased the risk exposure of SAP systems. Because of the connection to the public network, inappropriate or incorrect configuration can result in considerably greater risks for companies. This also applies to missing or incompletely implemented processes, especially in outsourcing scenarios.

A holistic approach is the only way to achieve the best possible SAP security

A holistic approach to implementation should be adopted to make sure that it is impossible to undermine the authorisation concept. The SAP solution portfolio is made up of complex software that requires security resources and security specialists with SAP experience. This is because the key components of SAP security are extremely extensive and comprehensive:

  • SAP configuration settings
  • Secure configuration of authentication mechanisms and access vectors
  • Security of the SAP Gateway
  • Security of the basic infrastructure (operating system, whether installed on-premises or in the cloud)
  • Quick implementation of security updates (OS, DB and applications)
  • Platform and application firewall (e.g. SAP HANA Firewall)
  • Privileged and non-privileged user authorisations (OS, DB and applications)
  • Collection and assessment of log data (OS, DB and applications)
  • Taking manufacturer recommendations into account
  • Regular vulnerability checks
  • Encryption of data transmissions
  • Dealing with cyber risk throughout the supply chain
  • Data verification and validation in the data exchange process
  • BCM emergency processes

Therefore, it makes sense to involve experts not only during implementation but also in operating the systems securely and reliably. The following key questions need to be answered:

  • Are we fully aware of the information security status of our SAP systems?
  • How well are the operational and security processes around our SAP systems designed?
  • What about the security of the operating systems and databases of our SAP systems?
  • Have the new risks associated with SAP HANA been identified and addressed?
  • What interfaces to external systems are there and how well are they protected?
  • What access vectors are there for our SAP systems and how strong are the corresponding authentication mechanisms?

To answer these questions, all levels need to be considered: SAP Basis (SAP authorisation concept, SAP standard users and passwords, SAP web applications, SAP Gateway and SAP Message Server), databases, operating systems, networks, processes and staff. However, the security of an SAP system is not a one-off issue and can only be guaranteed in the long term if the critical security aspects are checked on a regular basis. This way, misconfigurations and vulnerabilities can be detected and corrected.
