12 Days of AppsMas: 2021 SAP Security Trends and Lessons Learned

In 2021, we saw a record number of cyberattacks on businesses, from manufacturing to healthcare to utilities, causing victims to get locked out of their critical systems and putting strain on supply chains. The impact has been substantial — disrupting operations, production, and shipping — and far reaching. As 2021 winds down, it’s a good time for business leaders to not only reflect on what we learned during the year, but also look ahead to 2022. Read on to learn three major SAP security trends and areas to focus on in the new year.

Trend 1: Accelerated Digital Transformation

Digital transformation projects were underway well before 2020, but the global impact of the COVID-19 pandemic accelerated the digitization of business across all fronts. From customer demands for increased digital interactions to completely remote workforces, the COVID-19 pandemic has given digital transformation a new sense of urgency as well as a mandate to prioritize digital readiness above all else. This shift has left organizations vulnerable to new risks — both because of a larger number of externally-facing critical systems and far fewer resources to implement security best practices. According to a global survey of executives, companies have accelerated the digitization of their customer and supply-chain interactions and their internal operations by three to four years. The share of digital or digitally-enabled products in their portfolios has accelerated by seven years. 

Digitized operations and products means business-critical SAP applications and their data now reside in cloud-based, often public-facing systems and not within on-premises infrastructure. This has greatly increased the risk of exploitation. Organizations trying to keep up with the fast pace of acceleration may also be overlooking risks that potentially leave them susceptible to exploits, including the due diligence of security best practices.

Trend 2: Increased Outsourcing and Reliance on Third Parties

Hiring IT staff, especially application developers and managers who have experience with business-critical platforms like SAP, is a challenging task. According to United States labor statistics, by the end of 2020, the global talent shortage amounted to 40 million skilled workers — and this shortage is expected to continue. Enterprises continue to hire outsourced consultants, contractors, and system integrators in order to try to fill this gap. According to a Harvey Nash/KPMG CIO survey, 41% of organizations have plans to increase their spending on software outsourcing. 

However, bringing on additional resources to help meet project deadlines for development and digital transformation is not without its challenges. Organizations need a way to validate the work of these third parties to make sure they are setting up SAP environments correctly and writing high quality and secure code. Internal company application leaders need visibility and automation capabilities for assessing the code, transports, configurations, and patching efforts from third parties, so they can ensure corporate standards are met, security checks aren’t interfering with their team’s ability to meet project timelines, and critical security issues aren’t being introduced to their most critical systems.  

Trend 3: Threat Actors Are Smarter and Faster Than Ever

The shift to cloud models, accelerated pace of digital transformation, and increased reliance on third parties discussed above have left business-critical SAP applications more vulnerable than ever — and threat actors have taken notice. Malicious cyber activity targeting SAP has increased over the last several years and those efforts appear to be paying off for the cyberattackers, with 64% of organizations reporting a breach of their critical SAP systems within the last 24 months. 

Threat actors not only have the sophisticated domain knowledge to target SAP through a variety of attack vectors, but they are doing so at a faster pace than ever before. The Onapsis Research Labs has found that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available.  

Beyond malicious activity targeting unpatched SAP applications, Onapsis researchers also observed evidence of attacks against known weaknesses in application-specific security configurations, including brute forcing of high-privilege SAP user accounts. Additionally, attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access were observed, expanding potential impact beyond SAP systems and applications.

The Business and Regulatory Compliance Impact of a Successful SAP Attack

The business impact of a successful SAP breach could be critical. In many scenarios, the attacker would be able to access the vulnerable SAP system with maximum privileges (Administrator/SAP_ALL), bypassing all access and authorization controls (such as segregation of duties, identity management, and GRC solutions). This means that the attacker could gain full control of the affected SAP system, its underlying business data, and processes. Having administrative access to the system would allow the attacker to manage (read/modify/delete) every record, file, and report in the system. Successful exploitation of a vulnerable SAP system would allow an attacker to perform several malicious activities, including: 

  • Steal personally identifiable information (PII)
  • Change banking details and financial records
  • Disrupt business processes

For many organizations, business-critical SAP applications are under the purview of specific industry and governmental regulations, financial, and other compliance requirements. Any enforced controls that are bypassed via exploitation of threats might cause regulatory and compliance deficiencies over critical areas such as data privacy (GDPR or CCPA), financial reporting (Sarbanes-Oxley), or industry-specific regulations (NERC CIP or PCI-DSS).

Having known vulnerabilities and misconfigurations in SAP systems that can allow unauthenticated access and/or the creation of high-privileged user accounts would be a deficiency in IT controls. For organizations that must meet regulatory compliance mandates, this would trigger an audit failure and violate compliance. The result could lead to potential disclosure of the violation, expensive third-party audits and penalties that could include fines and legal action.

Looking Forward: Steps to Take in 2022 for Better SAP Security 

  • Implement a vulnerability management program that specifically targets SAP: Threat actors can exploit vulnerabilities from system configurations, user settings, custom code, and missing patches to gain access to your critical SAP systems. Finding and remediating these vulnerabilities before they can be exploited is essential to protecting your SAP environment. 
  • Build application security testing into development processes: Incorporating security checks into your SAP development and change management processes allows you to find issues in the shortest possible time. Fixing issues before they hit production is typically easier and less expensive, and helps avoid negative impacts to system security, compliance, performance, or availability. 
  • Continuously monitor for internal and external threats: SAP is an attractive target for bad actors, both inside and outside the organization. Keeping an eye out for unauthorized changes, misuse, or attack indicators is crucial for identifying this type of malicious behavior early so actions can be taken to prevent serious consequences. 

 

More SAP Security Resources

More 12 Days of AppsMas Blogs: