Why You Need Vulnerability Management for Business-Critical Applications: Part 3

This blog is the third of a five-part series on the importance of protecting business-critical applications. In part one and part two, we share how rapid digital transformation projects and cloud migration have left organizations’ most critical systems vulnerable to new risks. In this blog, we discuss the rise of cybercrime and the increasing risk to your enterprise systems. Read more in our whitepaper, Five Reasons Why You Need Vulnerability Management for Business-Critical Applications

Reason 3: The Increasing Risk from Bad Actors 

Low Barriers to Entry

Cyberattacks have been on the rise and it seems that not a day goes by where cybercrime isn’t in the headlines. Going back a decade or so, hacking knowledge was limited to individuals that understood the technology, but in recent years, it’s been easier and easier to get into the cybercrime game:

  • As-a-service: Cybercriminals have remodeled their business for greater efficiency. Through an organized business model, threat actors sell or loan out their hacking tools and services to people on the dark web. This model is highly lucrative for both the provider and the distributor.
  • Availability of stolen credentials: According to Forbes, there are more than 15 billion stolen credentials, from 100,000 data breaches, available to cybercriminals. Doing the math, this is essentially two sets of account logins for every person on the planet. Since the average price for these logins is around $15, it has never been cheaper for threat actors to take over accounts.
  • Large number of targets: There are billions of people using the internet. Emails and instant messages are easy to send in bulk and if a cybercriminal sends thousands, they only need a small number of victims to click a malicious link to make a profit. And even the smartest people, when busy or distracted, may click a suspicious link and unknowingly download malware.

According to Cybersecurity Ventures, cybercrime is the fastest growing crime in the United States. There’s a great deal of money to be made and it’s never been easier to get into the cybercrime industry. 

Incentive

Cybercrime is a $6 trillion annual industry, making it the world’s third largest economy after the U.S. and China. Security firm Bromium estimates that some cybercriminals are earning up to $2M a year. Take a look at the numbers: the average ransomware payment climbed 82% in the first half of 2021 to $570,000,1 the number of stolen credentials has risen 300% from 2018,2 and the FBI reported 791,790 fraud and theft complaints in 2020.3

The numbers make some sense when you consider that, compared to other criminal activities, cybercrime has relatively low risks. Threat actors have a lower chance of getting caught, and often receive smaller penalties if they are apprehended. A vast majority of cybercrimes aren’t reported and gathering evidence can oftentimes be difficult due to the anonymity of users. In the U.S. in particular, jurisdictional issues can slow down or block the enforcement of laws. Being able to operate from anywhere with internet access also allows scammers to bypass law enforcement by working in countries with limited digital crime laws. 

All of these realities draw in more threat actors, lead to increased specialization, and increase the efficiency of the industry as a whole. Just like any industry, cybercrime has continued to evolve to become niche, focused, specialized, and targeted.

Increasing Sophistication 

The level of sophistication in attacks is increasing and threat actors are now able to narrowly and successfully target the applications that businesses use to run their everyday operations. There have been five US-CERT alerts specifically about business-critical applications since 2016 and one on SAP security risk. For the last decade, Onapsis Research Labs has been at the forefront of research around these critical applications.

Business-critical applications like ERP, SCM, CRM, SRM, PLM, HCM, and BI support essential business functions and processes of the world’s largest commercial and governmental organizations, including supply chain, manufacturing, finance, sales and services, and human resources. Recent research from Onapsis and SAP tracked the emerging techniques that threat actors are using to infiltrate and exploit business-critical SAP applications. SAP in particular is used at more than 400,000 organizations worldwide, including 92% of the Forbes Global 2000, and touches 77% of the world’s transaction revenue. Attackers gaining access to SAP applications means they can access personal identifiable information (PII), financial records, and banking details as well as disrupt critical business processes like supply chain management by corrupting data or deploying ransomware.    

Let’s dig into some of the threat research findings.

From mid-2020 until April 2021, Onapsis researchers recorded more than 300 successful exploit attempts on unprotected SAP applications. These threats are persistent, pervasive, and ongoing. Our team found that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available. These attackers are sophisticated; advanced threat actors were observed to patch the SAP vulnerabilities they exploited and reconfigure systems so they would go undetected by SAP administrators. 

To combat the increasing risk from malicious actors, Onapsis and SAP recommend that organizations assess systems in their SAP landscape and apply patches immediately. We also advise enterprises to implement an application-focused protection program as part of their overall cybersecurity strategy. Learn more about why you need a vulnerability management solution to secure your business-critical applications.

There’s a better way to protect your business-critical applications. Onapsis Assess provides comprehensive vulnerability management for organizations’ most business-critical applications such as SAP and Oracle. Onapsis Assess provides deeper visibility, automated assessments, detailed solutions and descriptions of associated risk and business impact. Learn more about how Onapsis Assess can play an integral part of your vulnerability management program.

More Reasons Why

1 https://www.paloaltonetworks.com/blog/2021/08/ransomware-crisis/    
2 https://www.securitymagazine.com/articles/92772-number-of-stolen-and-exposed-credentials-has-risen-300-from-2018
3 https://www.securitymagazine.com/articles/95387-the-new-threat-economy-a-guide-to-cybercrimes-transformation-and-how-to-respond