Blueprint for CIS Control Application: Securing the SAP Landscape

A SANS Whitepaper | Written by Barbara Filkins

Any data breach can be expensive, but the potential cost rises with the value or exploitability of the data targeted in an attack.

Serious attacks aimed directly at large-scale ERP systems rather than more peripheral systems may generate extraordinary costs, whether they are simple denial-of-service attacks or sophisticated efforts to compromise data that is confidential or strategically important. A 2014 IDC study on the cost of system downtime among the Fortune 1,000 found that the average cost for the failure of a critical application is between $500,000 and $1 million per hour.

Direct attacks on ERP systems have been relatively rare, or at least very rarely disclosed publicly. Since 2012, groups including the hacktivist collective Anonymous have claimed to have successfully attacked government organizations using zero-day exploits affecting SAP systems.[2] The only clear and public example of compromise, however, was in May 2015, when Nextgov.com, a site that focuses on news about federal IT, broke the story that an SAP installation may have been the initial attack vector in a breach that netted files containing tens of millions of highly detailed and personal data points.[3] The attack in question was the notorious U.S. Office of Personnel Management (OPM) breach.

According to Nextgov.com, an internal investigation had uncovered evidence that attackers had broken into United States Investigations Services Inc. (USIS), a contractor that conducts background checks for most federal agencies, by exploiting a flaw in an SAP system.