SAP Security Today: What Is the Threat?
Traditionally, best practice was to keep business-critical SAP systems on-premises and to install layers of security around them, creating a theoretically impenetrable fortress of castle walls and moats. However, the shift from the traditional on-premises perimeter to a distributed hybrid cloud model, together with the recent need for every organization to transform how it does business digitally, has changed this paradigm. SAP is no longer in a lockbox, and threat actors have taken notice, targeting SAP with fast, sophisticated, and increasingly successful attacks. Organizations need to be aware of, and equipped to face, the increased threats to their most critical systems.
Accelerated Digital Transformation Is Emphasizing Speed Over Security
Digital transformation projects were underway well before 2020, but the global impact of the COVID-19 pandemic accelerated the digitization of business across all fronts. From customer demands for increased digital interactions to completely remote workforces, the COVID-19 pandemic has given digital transformation a new sense of urgency as well as a mandate to prioritize digital readiness above all else. This shift has left organizations vulnerable to new risks - both because of a larger number of externally-facing critical systems and far fewer resources to implement security best practices. According to a global survey of executives, companies have accelerated the digitization of their customer and supply-chain interactions and their internal operations by three to four years. The share of digital or digitally-enabled products in their portfolios has accelerated by seven years.
Digitized operations and products mean that business-critical applications and their data now reside in cloud-based, often public-facing systems rather than within on-premises infrastructure. This has greatly increased the risk of exploitation. Organizations trying to keep up with this pace may also be skipping the due diligence of security best practices, overlooking risks that leave them susceptible to exploits.
Increased Outsourcing and Reliance on Third Parties Introduces Unknown Risk
Hiring IT staff, especially application developers and managers who have experience with business-critical platforms like SAP, is a challenging task. According to United States labor statistics, by the end of 2020 the global talent shortage amounted to 40 million skilled workers worldwide, and this shortage is expected to continue. Enterprises continue to hire outsourced consultants, contractors and system integrators in order to try to fill this gap. According to a Harvey Nash/KPMG CIO survey, 41% of organizations have plans to increase their spending on software outsourcing.
However, bringing on additional resources to help meet project deadlines for development and digital transformation is not without its challenges. Organizations need a way to validate the work of these third parties to make sure they are setting up SAP environments correctly and writing high-quality, secure code. Internal application leaders need visibility and automation capabilities for assessing the code, transports, configurations, and patching efforts of third parties, so they can ensure that corporate standards are met, that security checks aren’t interfering with their team’s ability to meet project timelines, and that critical security issues aren’t being introduced into their most critical systems.
Attacks on SAP Are Increasing and Threat Actors Are Smarter and Faster Than Ever
The shift to cloud models, accelerated pace of digital transformation, and increased reliance on third parties discussed above have left business-critical SAP applications more vulnerable than ever - and threat actors have taken notice. Malicious cyber activity targeting SAP has increased over the last several years and those efforts appear to be paying off for the cyberattackers, with 64% of organizations reporting a breach of their critical SAP systems within the last 24 months.
Threat actors not only have the sophisticated domain knowledge to target SAP through a variety of attack vectors, but they are doing so at a faster pace than ever before. Onapsis research has found that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available.
Beyond malicious activity targeting unpatched SAP applications, Onapsis researchers also observed evidence of attacks against known weaknesses in application-specific security configurations, including brute-forcing of high-privilege SAP user accounts. Additionally, attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access were observed, expanding potential impact beyond SAP systems and applications.
Why This Matters: The Business and Regulatory Compliance Impact of a Successful SAP Attack
The business impact of a successful SAP breach could be critical. In many scenarios, the attacker would be able to access the vulnerable SAP system with maximum privileges (Administrator/SAP_ALL), bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions). This means that the attacker could gain full control of the affected SAP system, its underlying business data and processes. Having administrative access to the system would allow the attacker to manage (read/modify/delete) every record, file and report in the system. Successful exploitation of a vulnerable SAP system would allow an attacker to perform several malicious activities, including:
- Steal personally identifiable information (PII) from employees, customers and suppliers
- Read, modify or delete financial records
- Change banking details (account number, IBAN number, etc.)
- Administer purchasing processes
- Disrupt critical business operations, such as supply chain management, by corrupting data, shutting processes down completely or deploying ransomware
- Perform unrestricted actions through operating system command execution
- Delete or modify traces, logs and other files
For many organizations, business-critical SAP applications are under the purview of specific industry and governmental regulations, financial and other compliance requirements. Any enforced controls that are bypassed via exploitation of threats discussed in this report might cause regulatory and compliance deficiencies over critical areas such as:
- Data privacy (e.g. GDPR, CCPA) due to unauthorized access of protected data, regardless of exfiltration
- Financial reporting (e.g. Sarbanes-Oxley) due to unauthorized changes to financial data or bypassing of internal controls causing inaccurate financial reporting
- Industry-specific regulations such as NERC CIP or PCI-DSS due to impact to regulated data
Having known vulnerabilities and misconfigurations in SAP systems that can allow unauthenticated access and/or the creation of high-privileged user accounts would be a deficiency in IT controls. For organizations that must meet regulatory compliance mandates, this would trigger an audit failure and violate compliance. The result could lead to potential disclosure of the violation, expensive third-party audits and penalties that could include fines and legal action.
3 Steps Toward Better SAP Security
Implement a vulnerability management program for SAP
Threat actors can exploit vulnerabilities from system configurations, user settings, custom code, and missing patches to gain access to your critical SAP systems. Finding and remediating these vulnerabilities before they can be exploited is essential to protecting your SAP environment.
Build application security testing into development processes
Incorporating security checks into your SAP development and change management processes allows you to find issues in the shortest possible time. Fixing issues before they hit production is typically easier and less expensive, and helps avoid negative impacts to system security, compliance, performance, or availability.
Continuously monitor for internal and external threats
SAP is an attractive target for bad actors, both inside and outside the organization. Keeping an eye out for unauthorized changes, misuse, or attack indicators is crucial for identifying this type of malicious behavior early so actions can be taken to prevent serious consequences.