News of the first confirmed breach to originate from an SAP vulnerability exploitation demonstrates how years of warnings about SAP flaws need to be heeded.

May 14, 2015

3 Min Read
SAP Vulnerability Showcases Need for Managed Security

By Ericka Chickowski 1

With so many of today’s businesses dependent on SAP as the core technology platform for some of their most critical business functions, it would follow that IT organizations would dedicate significant effort in securing SAP systems. But the truth is that SAP and other enterprise resource planning (ERP) software remain largely forgotten by even the most security-conscious organizations today. And the attackers have found this gap.

For years now, security researchers have warned of hefty security vulnerabilities in SAP that make it possible to create ghost accounts, change records in some of the most sensitive financial tracking applications and use the platform to break into other connected systems. And while security researchers and consultants confirm that attackers are already exploiting these vulnerabilities for malicious purposes, these attacks have largely gone unreported to the public. That all changed this week.

According to a report by Nextgov.com over the weekend, a high-profile breach at US Investigations Services, a government contractor in charge of background checks for federal employees and contractors with access to classified information, was pinned by forensic examiners as starting from the exploit of an SAP system. The 2013 breach was particularly messy for the organization and partially contributed to it having to shut its doors this year.

No excuse to not assess and monitor business-critical applications like SAP

“SAP cyber breaches are gaining notoriety,” says Ezequiel Gutesman, director of research for Onapsis. “The USIS is living proof that they have been a reality for more time that we can think of. The belief we often hear from SAP administrators of SAP systems being ‘only accessible through internal networks’ is showing its weakness and is no longer an excuse not to asses and monitor business-critical applications such as SAP.”

Onapsis is one of two big vendors involved in researching and reporting SAP and other ERP system vulnerabilities to the security community. Its researchers and researchers from competitor ERPScan have actively evangelized for improved security in this area for the better part of a decade.

Most common SAP attack techniques

Just last week at the SAPPHIRE conference, Onapsis warned of the three most common attack patterns used against SAP, based on its experience helping organizations deal with real-world SAP attacks. Among them was the technique used at USIS, which was pivoting from vulnerable SAP systems into other systems connected to that platform. Also on the list were customer and supplier portal attacks that create backdoor users in the SAP J2EE User Management engine, as well as direct attacks through SAP proprietary protocols.

Meanwhile, ERPScan also last week released guidelines for one of the most exploited types of flaws in SAP, cross-site scripting (XSS) vulnerabilities. ERPScan CTO Alexander Polyakov says that in addition to flaws within SAP itself, the other big difficulty with these environments is all of the custom code layered on top of these systems.

SAP’s customization means greater complexity

“SAP is more like a framework on top of which organizations build their own systems,” says Polyakov, who says that about 50 percent of SAP implementations are custom code. “Which means that every SAP system in organization is different.”

All of this stacks up as a Greenfield opportunity for managed service providers and managed security service providers. Both Onapsis and ERPScan have infrastructure in place to work with MSPs, and as breaches like USIS continue to come to the forefront it’s likely that demand in this area will continue to grow.

Read more about:

AgentsMSPsVARs/SIs
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like