©2024 Onapsis | All rights reserved
The ability to prioritize is an essential part of vulnerability management. Discovering vulnerabilities and ending up with a lengthy to-do list of problems simply isn’t enough. Context and insight into each vulnerability or issue’s severity and potential business impact is critical, so you can make a decision on how to respond. Does it need to be fixed immediately? Can it be deprioritized? In some cases, you can even decide it’s not severe, and you are comfortable accepting the risk it poses.
The industry standard for rating the criticality of vulnerabilities is the Common Vulnerability Scoring System (CVSS), which is maintained by the Forum of Incident Response and Security Teams (FIRST). This system provides a score from 0.0 (no issue at all) to 10.0 (most critical).
If you are interested in learning more about CVSS scores and how the Onapsis Platform leverages them to assess and prioritize vulnerabilities within SAP and Oracle applications for customers, read this blog.
We’ve addressed that not all vulnerabilities are equal and new ones are constantly being discovered, so having a solution and process to stay on top of them is critical as part of a larger security strategy. Vulnerability management is the continuous process of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.
No matter the industry or size of your organization, every business can benefit from a vulnerability management solution. An effective vulnerability management program regularly checks for vulnerabilities, provides information around criticality and business impact, and supports remediation of vulnerabilities by aligning security, IT, and DevOps teams.
At the center of every enterprise organization are certain critical applications for core functions such as finance, manufacturing, human resources, sales, and supply chain management. Whether they exist on premises, in the cloud, or as a mix of both, an attack against any of them has the potential for a devastating impact across the entire organization. To protect these SAP and Oracle applications, enterprise organizations commonly employ a “defense-in-depth” security model (i.e., applying layers of technology to protect critical systems), but, unfortunately, not enough consideration is given to the last layer of security for the critical application itself, especially since these systems are frequently managed by information technology professionals focused more on development and continuity rather than security.
An attack against a business application could weaponize the rights and privileges of an administrator. If an administrator role is hijacked, the attacker could bypass all of the application's controls and gain access to its business data and processes. Successfully exploiting a vulnerable system allows an attacker to execute a wide range of malicious activities—from impacting supply chains and manufacturing processes to redirecting financial payments to compromising highly sensitive data, most of which is subject to compliance regulations. The need to have a solution in place that is tailored to protect your SAP and Oracle systems is more urgent than ever before.
Business-critical applications like SAP and Oracle (or the “crown jewels” as they are often referred to) hold the most valuable business data, such as patents, processes, financial data, customer and employee data, and other sensitive information. Traditionally, best practices were to keep these systems on-premises and to install layers of security around them, creating a theoretical and impenetrable fortress of castle walls and moats. However, the shift of the traditional on-premises perimeter to a distributed hybrid cloud model, and the need for every organization to transform how it does business digitally has changed this paradigm.
Supply chain digitization is accelerating at a pace of 3 to 4 years sooner than planned, according to McKinsey.
Digital transformation projects were underway before 2020, but the global impact of the COVID-19 pandemic accelerated the digitization of business across all fronts. From customer demands for increased digital interactions to completely remote workforces, the COVID-19 pandemic has given digital transformation a new sense of urgency as well as a mandate to prioritize digital readiness above all else. This shift has left organizations vulnerable to new risks, both because of a larger number of externally-facing critical systems and far fewer resources to implement security best practices. According to a global survey of executives, companies have accelerated the digitization of their customer and supply chain interactions and their internal operations by three to four years. The share of digital or digitally-enabled products in their portfolios has accelerated by seven years.
Digitized operations and products mean that business applications and their data now reside in cloud-based, often public-facing systems rather than within on-premises infrastructure. This has greatly increased the risk of exploitation. Organizations trying to keep up with the fast pace of acceleration may also be overlooking risks that potentially leave them susceptible to exploits, including the due diligence of security best practices.
50% OF RESPONDENTS TO FORRESTER’S JANUARY 2021 REPORT, THE KEY TO ENTERPRISE HYBRID CLOUD STRATEGY, ADMIT THAT UPGRADE DELAYS RESULT IN SECURITY VULNERABILITIES
Migrating applications like SAP and Oracle to either public-cloud infrastructure or a hybrid, on-prem/cloud infrastructure increases enterprise risk. A recent survey of IT professionals found that 85% of firms surveyed stated that on-premises is a critical part of their hybrid cloud strategy, noting that cloud infrastructure cannot accommodate all workloads and performance environments.
More concerning is that many of the same organizations surveyed also admitted they were delaying upgrades to their on-premises systems, and 50% responded that these delays resulted in security vulnerabilities. There is an interesting dichotomy taking place—diminishing budgets and staffing yet increasing urgency to implement digitization projects faster. The COVID-19 pandemic accelerated the pace of digitizing everything across the business—from supply chains to customer interactions to workforce resources simultaneously. This has resulted in security best practices frequently falling by the wayside. Limited IT resources are being allocated to transform—not secure—organizations and their most critical applications.
Yet there can be significant consequences when focusing on speed instead of security. Overlooked security vulnerabilities are often related to misconfigurations, user access, and user privileges, and they can be easily exploited. For example, a default setting that gives a user access to perform any function within a critical application can be granted to far more users than need it. Default credentials and reused passwords can remain in place even though an attacker can easily exploit them to gain entry to a business application. An exploited vulnerability in one of these on-premises systems could lead to a compromise of that unpatched critical system with far-reaching consequences.
Vulnerabilities in business-critical applications like SAP and Oracle can be exploited by bad actors, and the risk to organizations has been growing over time. According to the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), there have been five US-CERT alerts about SAP and Oracle applications since 2016. US-CERT is the United States Computer Emergency Readiness Team and part of CISA. US-CERT is responsible for disseminating cyber-threat warning information as well as analyzing cyber threats and vulnerabilities. The organization collaborates with governmental agencies as well as the private sector. Onapsis Research Labs has been at the forefront of developing the research behind these alerts.
It is critical for organizations to understand the risks presented by these vulnerabilities. CISA has issued multiple US-CERT alerts for business-critical systems, noting that affected organizations could be subject to “theft of sensitive data, financial fraud, disruption of critical business processes, ransomware, and halt of all operations.” However, it is still challenging to implement effective vulnerability management processes even for organizations that are well aware of these risks. This is due to the decreased amount of time between a vulnerability being identified and disclosed and a bad actor taking advantage of the vulnerability.
Onapsis research has found that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available. Many organizations do not have security best practices, tools, or staffing levels in place to address vulnerabilities within this accelerated time frame. Bad actors are not only exploiting vulnerabilities in business-critical systems, they are doing so at a faster pace than ever before.
The concept of building a secure fortress around the “crown jewels” of SAP and Oracle applications and data is a longstanding security strategy. However, the traditional security layered stack approach of metaphorical high walls and a moat around the kingdom no longer offers sufficient protection. Although organizations should absolutely deploy a defense-in-depth strategy, a vulnerability can still be (and frequently is) found and exploited within any one of these layers of defense.
Ransomware (and malware), misconfigurations, or stolen credentials can be leveraged to breach any layer of security in front of the application layer, allowing a threat actor to move laterally to infiltrate business applications. Some threat actors are even knowledgeable enough to attack the application layer directly.
60% OF IT AND SECURITY PRACTITIONERS CITE APPLICATION PROTECTION AS A TOP OBJECTIVE
Identifying vulnerabilities across an IT landscape is a manual, laborious effort. This is why many, if not close to all, organizations deploy traditional vulnerability management solutions that scan for known threats and vulnerabilities. These solutions focus on a broad range of systems and applications, including network security systems, the layers of protection that surround SAP and Oracle applications, and data. Vulnerability management tools commonly perform scans and compile a list of highlighted vulnerabilities and recommendations for remediation, mitigation, or acceptance. Unfortunately, because they are designed to highlight issues across many systems, they are ill-equipped to scan SAP and Oracle applications for vulnerabilities that may be used as attack vectors. These traditional solutions are ineffective at identifying a large number of application vulnerabilities such as misconfigurations, overprivileged roles, or unapplied patches. More critically, there's still the human element. Even if a vulnerability is found, the time to resolve it is long. The average time it takes to fix critical cybersecurity vulnerabilities is 205 days.
IT TAKES AN AVERAGE OF 205 DAYS TO FIX CRITICAL CYBERSECURITY VULNERABILITIES
Gartner predicts that nearly $4B of global security and risk management spending will be allocated to application security in 2021. Regardless, budgets are finite, and even with a substantial hiring budget, there is often a lack of qualified candidates. Even an organization with a well-staffed team is challenged with limits on its time as it prioritizes workloads.
Complex security notes containing multiple vulnerability patches and instructions, with varying levels of severity, are released on a monthly basis. This makes keeping up extremely challenging, especially for enterprises managing dozens of applications in production.
ACCORDING TO GARTNER, $4 BILLION WILL BE SPENT ON APPLICATION SECURITY GLOBALLY IN 2021
Managing all of these patching efforts is a time-consuming process and an additional burden for the team. This can result in a rushed or sometimes complacent patch management process. Critical patches may be ignored or deprioritized (in relation to other jobs to be done). Additionally, there may be long backlogs and lead times until patches are actually implemented and verified. Patch management is only one part of mitigating risk for business-critical applications like SAP and Oracle. Misconfigurations or overprivileged "all-access" roles are also viable threat vectors used to gain access. All of these leave enterprises vulnerable to attack.
Because business applications are at the core of every organization, exploitation of a vulnerability in one of them has significant consequences. Due to the valuable data these systems contain, there has been a rise in threat actors targeting their vulnerabilities. The accelerated pace of digital transformation and the rapid migration from on-premises to hybrid and cloud infrastructure have dramatically increased the risk to these systems. Yet despite the increased risk, these applications are often out of scope for traditional vulnerability management tools and security teams. They are typically managed by information technology professionals who are focused on development and uptime as opposed to security. This further compounds the complexity associated with protecting these applications from vulnerabilities.