Insights for Executing Cybersecurity in Your SAP Systems
Your company's cybersecurity is only as strong as its weakest link — ensure that your SAP Systems are solid in their protection against cybercriminals today.
The sheer volume of data in SAP systems that demands optimum protection is increasing at unprecedented levels. As a result, the need for advanced, sophisticated cybersecurity mechanisms built on people, processes, and technology to prevent attacks aimed at compromising that information is also on the rise.
With private-sector companies compelled to invest in cybersecurity, spending on remedial measures is forecast to reach on the order of a trillion dollars through 2021. Large private-sector institutions such as Bank of America and J.P. Morgan Chase already invest around $500 million per year in cybersecurity. Since SAP systems are among the most mission-critical systems organizations run, they will account for a significant share of that market.
This blog offers advice to companies running SAP software on how best to secure their landscapes, and it outlines the steps necessary to evaluate existing protection, identify weak points, and build an effective cybersecurity program around SAP systems.
Step 1: Evaluate Your Security Blanket
Many systems managers consider SAP systems secure and robust because they have built-in authorization features. That is only partially correct: default installations and misconfiguration leave serious security issues that require remediation. The authorization concept governs what an authenticated user may do inside the application; it does nothing about default passwords, open RFC gateways, or insecure profile parameters, which have to be found and fixed with SAP-specific assessment tooling and the vendor's own hardening guidance.
Phishing, ransomware, social engineering, and malware, together with the inherent vulnerabilities of the web applications and networks that make up an SAP landscape, are distinct threats, and each must be tackled for a defensive program to be effective.
To detect vulnerabilities within SAP systems, IT professionals need to conduct assessments that identify serious security risks, including weaknesses in the layers that are not part of the SAP application itself: the databases, hosts, and network architecture it runs on.
Like an individual's personal health regimen, regular security checkups are essential: they identify access issues before they spiral out of control, mitigate the risk from control deficiencies, and confirm that security administrators are following best practices. In an SAP environment, a system health assessment includes periodic appraisals of the key application-layer IT general controls (ITGCs) related to user access: sensitive access monitoring, general access monitoring, mitigating control assignment, and any other ITGC the system is evaluated against.
These evaluations draw on a range of frameworks that identify system gaps and give direction on closing them, covering common vulnerabilities such as cross-site scripting (XSS) in SAP NetWeaver Application Server for Java.
Beyond the SAP applications themselves, it is crucial to evaluate every component of the existing security blanket, appraise the options, and implement an enhanced security strategy using tools such as Nmap (Network Mapper), Burp Suite, and the Nessus vulnerability scanner. Many other tools are available to assess any other application an organization has interfaced with SAP software.
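Nmap knows nothing about SAP's port scheme, so the first thing a tester needs is the list of ports an instance actually opens. The following is an added example written for this article, not code from the article or from the Nmap project. The port patterns are SAP's documented conventions for a NetWeaver instance (NN is the two-digit instance number), the hostname and the sample scan result are constructed, and the set of services marked internal-only reflects common hardening guidance rather than anything the article states.

```python
"""Derive the TCP ports an SAP NetWeaver instance listens on from its
instance number, map scan results back to SAP services, and build the
Nmap command line for a targeted scan.

Added example, not from the article or the Nmap project.  Port patterns
are SAP's documented conventions; host and scan results are constructed.
"""

import shlex

# service -> port pattern; NN is replaced by the two-digit instance number
SAP_PORT_PATTERNS = {
    "dispatcher": "32NN",          # SAP GUI / DIAG protocol
    "rfc_gateway": "33NN",         # RFC gateway (reginfo/secinfo apply here)
    "message_server": "36NN",      # ABAP message server
    "gateway_snc": "48NN",         # SNC-protected gateway
    "icm_http": "80NN",            # ABAP ICM, HTTP
    "icm_https": "443NN",          # ABAP ICM, HTTPS
    "message_server_http": "81NN", # message server HTTP interface
    "java_http": "5NN00",          # AS Java, HTTP
    "java_https": "5NN01",         # AS Java, HTTPS
    "sapstartsrv_http": "5NN13",   # SAP start service / management console
    "sapstartsrv_https": "5NN14",
}
SAPROUTER_PORT = 3299  # fixed, not instance-based

# Assumption: services that common hardening guidance keeps off user-facing
# networks entirely (reach them only from the SAP server segment).
INTERNAL_ONLY = {"rfc_gateway", "message_server", "message_server_http",
                 "sapstartsrv_http", "sapstartsrv_https"}


def sap_ports(instance):
    """All instance-specific ports for one instance number (00-99)."""
    n = int(instance)
    if not 0 <= n <= 99:
        raise ValueError("SAP instance numbers are 00-99")
    nn = f"{n:02d}"
    return {svc: int(pat.replace("NN", nn)) for svc, pat in SAP_PORT_PATTERNS.items()}


def identify(open_ports):
    """Map open TCP ports back to (port, service, instance).

    A port can match more than one pattern (3299 is both SAProuter and the
    dispatcher of instance 99), so every match is returned."""
    matches = []
    for port in sorted(open_ports):
        if port == SAPROUTER_PORT:
            matches.append((port, "saprouter", None))
        for inst in range(100):
            for svc, p in sap_ports(inst).items():
                if p == port:
                    matches.append((port, svc, f"{inst:02d}"))
    return matches


def nmap_command(host, instances):
    """Build a version-detection scan limited to the SAP ports of the given instances."""
    ports = {SAPROUTER_PORT}
    for inst in instances:
        ports.update(sap_ports(inst).values())
    return f"nmap -sV -p {','.join(map(str, sorted(ports)))} {shlex.quote(host)}"


def exposed_internal_services(open_ports):
    """From a scan run from a user network, list services that should not be reachable there."""
    return [m for m in identify(open_ports) if m[1] in INTERNAL_ONLY]


if __name__ == "__main__":
    print(nmap_command("sap-prd.corp.example", ["00", "01"]))  # constructed host
    # constructed result of scanning that host from a user workstation
    seen_open = {3300, 8000, 50013}
    for port, svc, inst in exposed_internal_services(seen_open):
        print(f"port {port}: {svc} of instance {inst} reachable from the user network")
```

Run the scan from the segment users actually sit on, not from the SAP server network: reaching the gateway, message server or sapstartsrv from a workstation is exactly the lateral-movement path described later in this article.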
In particular, Sapyto is a penetration-testing framework built specifically for SAP, supporting information security professionals in executing SAP penetration tests. Penetration testing simulates real attacks against an organization's IT infrastructure to find the loopholes and gaps in existing systems and determine whether they are sufficiently secure. Note that Sapyto dates from the late 2000s and has not been actively maintained for years; treat it as a starting point rather than a scanner with current coverage, and supplement it with up-to-date SAP-aware tooling.
Step 2: Identify Your Weak Points by Performing SAP Penetration Tests
Many factors are involved in identifying the nature and methodology of SAP penetration tests. When
effectively applied, they can help locate a myriad of vulnerabilities in SAP components, services, and
In addition, they can identify misconfigurations lurking within a system, help you anticipate how a real attacker would move through it, and provide enough knowledge to prioritize remediation.
Missing SAP Security Notes (patches), users with default passwords or access to administration services, unsecured SAP gateways, weak SAP authentication, exposed SAP message servers, insecure remote function call (RFC) interfaces or SAProuter configurations, and missing SAP network filtering or exposed SAP web applications are some of the weak points uncovered in the average system during a routine SAP
For example, during one penetration test, it was found that although the SAP infrastructure was securely separated from the user network, the servers could still be attacked by first compromising a user's workstation, which in turn had ready access to the SAP servers.
Step 3: Execute Penetration Testing from the Outside In
SAP penetration testing can be complicated and requires an intelligently designed course of action that includes effective management and operational oversight. Frederik Weidemann of Virtual Forge stresses that it also presupposes that security patches have actually been activated, not merely installed.
In his presentation "Going from the Outside In: The Truth About Penetration Testing" at the June 2018 Cybersecurity for SAP Customers conference in Prague, Weidemann recommended thorough security patching, warning that "SAP security patches stick to the 'downwards compatible' policy." This means that applying a security patch will in many cases require manual post-installation activities, typically switching the new check on through a profile parameter or customizing setting. "If these activities are not applied, the patch is not active, and the system remains vulnerable," he says.
Weidemann also recommended establishing, monitoring, and enforcing an SAP security baseline. “Before going forward with a penetration test, use the SAP security baseline template security guide to help you detect any simple and well-known issues related to areas such as standard passwords, critical basis authorizations, insecure profile parameters, remote function calls (RFC), RFC gateway, and RFC callback security.”
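Several of the baseline items above, and several of the weak points listed under Step 2 (default users, unsecured gateways, RFC), live in two places that can be checked without touching a live system: the instance profile and the RFC gateway ACL files reginfo and secinfo. The following is an added example for this article; it is not code from the article, from SAP, or from Virtual Forge. The profile and ACL texts are constructed samples, the expected values in EXPECTED are the commonly recommended settings and are stated as assumptions rather than as SAP's shipped defaults (which vary by kernel release, which is why an unset parameter is reported instead of assumed safe), and the ACL check treats only an explicit `*` as a wildcard.

```python
"""Audit an SAP instance profile and the RFC gateway ACL files (reginfo and
secinfo) against SAP Security Baseline-style expectations.

Added example, not code from the article, SAP or Virtual Forge.  Samples are
constructed; EXPECTED holds assumed recommendations, not SAP defaults.
"""

import re

# parameter -> (is_ok(value), recommendation)
EXPECTED = {
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "1: no hard-coded SAP* fallback login"),
    "login/min_password_lng": (lambda v: isinstance(v, int) and v >= 8, ">= 8"),
    "login/password_downwards_compatibility": (lambda v: v == 0, "0: no downward-compatible hashes"),
    "gw/acl_mode": (lambda v: v == 1, "1: restrictive behaviour if reginfo/secinfo are missing"),
    "gw/reg_no_conn_info": (lambda v: v == 255, "255: all registration hardening bits set"),
    "gw/monitor": (lambda v: v == 1, "1: gateway monitoring from the local host only"),
    "rfc/callback_security_method": (lambda v: v == 3, "3: reject RFC callbacks not on the allow list"),
    "auth/rfc_authority_check": (lambda v: isinstance(v, int) and v >= 1, ">= 1: S_RFC authority check active"),
}


def parse_profile(text):
    """Parse 'name = value' profile lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        params[name] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return params


def audit_profile(params):
    """One finding per expected parameter: OK, FAIL (wrong value) or UNSET."""
    findings = []
    for name, (is_ok, advice) in EXPECTED.items():
        if name not in params:
            status = "UNSET"
        else:
            status = "OK" if is_ok(params[name]) else "FAIL"
        findings.append({"param": name, "value": params.get(name),
                         "status": status, "expected": advice})
    return findings


def parse_acl(text):
    """Gateway ACL rules look like 'P TP=prog HOST=host ...' (version 2 syntax)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        rules.append((lineno, action.upper(), kv))
    return rules


def audit_gateway_acl(text, kind):
    """Flag permit (P) rules that are wildcards in every field that matters:
    reginfo (which programs may register) on TP and HOST; secinfo (who may
    start which program) on TP, USER and HOST.  A missing field is not
    treated as a wildcard here; leave it for manual review."""
    keys = ("TP", "HOST") if kind == "reginfo" else ("TP", "USER", "HOST")
    findings = []
    for lineno, action, kv in parse_acl(text):
        if action == "P" and all(kv.get(k) == "*" for k in keys):
            findings.append({"file": kind, "line": lineno, "rule": kv,
                             "issue": "permits any " + "/".join(keys)})
    return findings


# Constructed samples, not taken from any real system.
SAMPLE_PROFILE = """# DEFAULT.PFL excerpt
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/no_automatic_user_sapstar = 0
gw/acl_mode = 0
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
rfc/callback_security_method = 1
"""

SAMPLE_REGINFO = """#VERSION=2
P TP=* HOST=*
P TP=saprfc* HOST=app01.corp.example ACCESS=internal CANCEL=internal
D TP=* HOST=*
"""

SAMPLE_SECINFO = """#VERSION=2
P TP=* USER=* HOST=*
P TP=/usr/sap/PRD/SYS/exe/run/saposcol USER=prdadm HOST=internal
D TP=* USER=* HOST=*
"""


def run_samples():
    """Audit the constructed samples; returns every finding in one list."""
    return (audit_profile(parse_profile(SAMPLE_PROFILE))
            + audit_gateway_acl(SAMPLE_REGINFO, "reginfo")
            + audit_gateway_acl(SAMPLE_SECINFO, "secinfo"))


if __name__ == "__main__":
    for finding in run_samples():
        print(finding)
```

On the sample profile every expected parameter comes back as FAIL or UNSET, and both ACL files open with a permit-everything rule that makes every rule after it irrelevant. Collecting these findings before the penetration test, as Weidemann suggests, keeps the tester's time for the issues that need an attacker's creativity rather than a grep.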
He also strongly suggested "validating the first two challenges and finding the right person to do the penetration test: A general penetration tester may not be proficient in working in an SAP system; you need to use an SAP specialist who knows the SAP language."
Strengthen Your Weakest Link
Cyber-criminals will infiltrate companies through their weakest link. Taking stock of a company's vulnerabilities is the first step toward cybersecurity, and planning ahead for the attempt that will inevitably come is the best way to thwart it.
At the same time, it is critical to understand the nature of the business and research every threat that could plausibly harm it. Companies should plan systematic audits to keep their environments free of malware and should document the rules and regulations that all employees must follow to keep the business safe.
After compiling the results of a rigorous SAP penetration test, companies should develop and implement security measures that reduce the uncovered risks before an attacker exploits them.
Opinions expressed by DZone contributors are their own.