Insights for Evaluating, Identifying, and Executing Cybersecurity for Your SAP Systems

by Jhansi Bandaru, PMP-Certified IT SAP Security/Compliance Lead

 The sheer volume of data in SAP systems that demands optimum protection is increasing at unprecedented levels. As a result, also on the rise is the need for advanced, sophisticated cybersecurity mechanisms built on people, processes, and technology to prevent attacks aimed at compromising that information.

With private sector companies compelled to take on cybersecurity, it is forecasted that some one trillion dollars will be spent on remedial measures through 2021. Currently, public sector organizations — for example, multinationals such as Bank of America and J.P. Morgan Chase — invest around $500 million a year on cybersecurity. Since SAP systems are considered some of the most mission-critical systems that organizations run, they will comprise a significant percentage of the cybersecurity market.

This blog provides advice for companies running SAP software for methods to best ensure their networks are secure, and it outlines the steps necessary to evaluate, identify, and craft effective cybersecurity umbrellas for SAP systems.

Step #1: Evaluate Your Security Blanket

Many systems managers consider SAP systems secure and robust because they have built-in authorization features. While this is partially correct, due to default installations and misconfigurations, there can be serious security issues that require remediation. These issues can be addressed and treated using modern software that are solution-specific and appropriate for the issues that companies experience.

Phishing, ransomware, social engineering, malware, and the inherent vulnerabilities in web applications and networks that make up a SAP data landscape each have their own weaknesses that must be tackled for any anti-piracy protocol to be effective.

To detect the vulnerabilities within SAP systems, IT professionals need to conduct assessments to identify serious security risks and uncover the vulnerabilities that are not included in SAP systems, such as databases, hosts, and network architecture.

Like an individual’s personal health regimen, regular security check ups are essential to identifying these access issues before they spiral out of control, mitigating the risk from control deficiencies, and ensuring security administrators are following best practices. In an SAP environment, assessments of a system’s health include periodic appraisals of key application-layer IT general controls (ITGC) related to user access. Companies need to cover sensitive access monitoring, general access monitoring, and mitigating control assignment, as well as any other ITGC a system may evaluate.

These essential evaluations encompass a wide range of frameworks that identify system gaps and deliver cues and directions to seal security gaps in common vulnerabilities — such as risks of SAP NetWeaver Application Server for Java and cross site scripting (XSS) attacks.

Beyond just SAP applications, it is crucial to evaluate every component of an existing security blanket, appraise options, and implement an enhanced security strategy utilizing tools such as Nmap (Network Mapper), Burp Suite, and Nessus vulnerability scanner. Similarly, there are many other tools available on the market to assess and evaluate any other application that an organization has interfaced with SAP software. In particular, Sapyto is a potent tool that provides support to information security professionals in executing the SAP penetration testing operations.

This protocol simulates ‘dummy’ cyber-attacks on an organization’s IT infrastructure to find the loopholes and gaps within existing systems and determine whether the systems are sufficiently secure.

Step #2: Identify Your Weak Points by Performing SAP Penetration Tests

Many factors are involved in identifying the nature and methodology of SAP penetration tests. When effectively applied, they can help locate a myriad of vulnerabilities in SAP components, services, and work processes.

In addition, they can identify misconfigurations lurking within a system, assist in implementing effective methods to uncover and decode the behavior of potential hackers, and provide the enough knowledge to prioritize the remedial approaches.

Missing SAP security codes; users with default passwords or access to administration services; unsecured SAP gateways, SAP authentication, or SAP message service; insecure remote function call (RFC) interfaces or SAP routers, and the use of SAP network filtering or SAP web applications are some examples of the potential weak points in the average system uncovered during a routine SAP penetration test.

For example, during one penetration test, it was discovered that though the SAP infrastructure was securely separated from the users’ network, it was still possible to attack the network by gaining access to a user’s work station, which, in turn, provided ready access to the SAP servers.

Step #3: Execute Penetration Testing from the Outside In

SAP penetration testing can be complicated and requires crafting an intelligently designed course of action that includes effective management and operational oversight.

According to Frederik Weidemann of Virtual Forge, “SAP security patches stick to the ‘downwards compatible’ policy. If these activities are not applied, the patch is not active, and the system remains vulnerable.”

During his presentation “Going from the Outside In: The Truth About Penetration Testing” at the June 2018 Cybersecurity for SAP Customers conference in Prague, Weidemann suggested, implementing thorough security patching as “SAP security patches stick to the ‘downwards compatible’ policy.” This means that applying security patches in many cases will require manual post-installation activities. “If these activities are not applied, the patch is not active, and the system remains vulnerable,” he says.

Weidemann also recommended establishing, monitoring, and enforcing an SAP security baseline. “Before going forward with a penetration test, use the SAP security baseline template security guide to help you detect any simple and well-known issues related to areas such as standard passwords, critical basis authorizations, insecure profile parameters, remote function calls (RFC), RFC gateway, and RFC callback security.”

He also strongly suggested “validating the first two challenges and finding the right person to do the penetration test: A general penetration tester may not be proficient in working in an SAP system; you need to use an SAP specialist who knows the SAP language.”

Strengthen Your Weakest Link

It’s a fact: cyber-criminals and hackers will infiltrate companies through their weakest link. Taking stock and knowing a company’s vulnerabilities are the first steps toward cyber security. Planning ahead for a guaranteed attempt by hackers to infiltrate the company’s system is the best way to thwart them.

At the same time, it is critical to understand the nature of the business and conduct research regarding all possible threats that might harm the corporation. Companies should plan systematic audits to keep their environments clean from all sorts of viruses and should build a detailed overview of the rules and regulations that all employees have to follow to ensure the safety of the business.

After compiling the results of a rigorous SAP penetration test, companies should develop and implement security strategies accordingly to reduce the risks that have been uncovered before they are exploited by those cyber pirates that are up to no good.

 

About the Author:

Jhansi R Bandaru is a PMP-certified IT SAP Security/Compliance Lead with over 12 years of experience and expertise in design and implementation of SAP security, SAP HANA, SAP Business Warehouse (SAP BW), governance, risk, and compliance (GRC), audit, and controls. In addition, Jhansi has worked on several SAP ECC, SAP BW, and GRC upgrade and support-related projects and has managed several SAP security and GRC projects and teams. For more information, please email: jhansiratna@gmail.com.