By Christoph Nagy, SecurityBridge

In the high-stakes world of cybersecurity, even a tiny miscue can lead to giant consequences. Human error, whether it be something as small as a misplaced password or a misconfigured Amazon S3 Bucket, can compromise the data of millions of customers—and incur many millions more in fines and penalties after a successful attack takes place.

As new threats evolve, companies must concentrate on reducing attack surfaces and not leaving doors open to give bad actors easy wins. There are no small mistakes—every mistake in cybersecurity is potentially catastrophic.

Several oversights that have quietly grown into some of the most significant cybersecurity missteps can be found within SAP software configurations. They include underestimating security risks, being overconfident that native SAP security is good enough, and assuming prior patches are all that is needed to harden the system well into the future. These seemingly small oversights often create significant cybersecurity gaps.

A False Sense of Security

Despite SAP software housing some of the most sensitive company data imaginable (most notably customer and financial data), SAP-specific cybersecurity is a lower priority at an alarming percentage of organizations.

The fact is SAP dramatically increases the attack surface a company must safeguard—it follows, then, that additional security measures should be applied. Mistakenly, organizations believe that out-of-the-box SAP security is good enough, redirecting the vast majority of the cybersecurity budget to other systems.

That disconnect between where the most risk is and where security resources are deployed is an enormous hole in a company’s defense; hackers are penetrating networks at lightning speed and quickly finding the easy-entry security holes. If companies ignore that they are exposing their enormous SAP data trove, it’s only a matter of time before a breach happens.

The Biggest Mistake

To close these security gaps, companies must consider SAP as core to every cybersecurity initiative. Unfortunately, when organizations regularly install patches to keep their software landscape current, they often push off many SAP patches to be handled later. In other words, SAP cybersecurity is considered last among other core IT operations.

This is a mistake that can cost companies dearly. Any IT system could be attacked from the very second it’s activated. If patches or security updates don’t happen until a later date, that interim is putting the systems at a much higher risk. Given the number of trouble tickets at most organizations, it’s not unusual for security updates that aren’t considered a priority to languish on the “to-do” list for a long time. And when such an essential data source, like an SAP system, goes improperly guarded for that long, it’s only a matter of time before a hacker discovers this weakness.

How to Avoid That Mistake

Simply put, SAP cybersecurity needs to be established as an ongoing process across all IT departments and be well-staffed. Sure, every department head loves to argue that they could use more staffing, but remember that SAP is often at the core of a company's business. During an attack, nearly everything shuts down, and business ceases as all focus goes into stopping the intruders and assessing the damage. If you aren't putting the people and the funding into SAP cybersecurity, it doesn't matter how much you pour into the other parts of the company; it all grinds to a halt if there aren't skilled people with security tools capable of keeping up with cybercriminals.

Conclusion 

Cybersecurity is not solely infrastructure security; complex business applications like SAP that run on top of the infrastructure bring their own vulnerabilities to the IT risk scenario. Even though those systems are valuable targets for cybercriminals, thanks to the sensitive nature of their data, many organizations don't adequately work security for these platforms into their processes. As previously mentioned, SAP's out-of-the-box security does not provide adequate protection. SAP system landscapes have their own architecture, which requires dedicated solutions and tactics to protect them.

Organizations aware of the potential SAP risk can find a fix through third-party solutions that can utilize automation, establish baselines, and harden the framework to shrink attack surfaces—rather than performing much of this work manually.

About the author:
Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge, a global SAP security provider serving many of the world's leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and real-time detection of cyber-attacks. Prior to SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi.

The post The Biggest SAP Cybersecurity Mistake Businesses Make—And How To Prevent It appeared first on Cybersecurity Insiders.

By Christoph Nagy, SecurityBridge

So your SAP system has been breached.

While this is not an unusual occurrence, it's still a serious issue that needs your immediate attention. Since SAP is one of the most widely used systems by organizations around the globe and houses a lot of business-critical and thus valuable information, hackers constantly try to find backdoors and vulnerabilities to exploit.

The more time that elapses before the breach is dealt with, the longer hackers have access to the data your company houses in the SAP platform, and the more damage they can do.

The first step is to determine where the cybersecurity breach occurred, and then walk through the steps of addressing it. And when the immediate attack is dealt with, putting in place resources to prevent it from happening again is a wise course of action. Let’s start with the kinds of SAP breaches that might befall your company.

The Most Common Attack Vectors

We're defining a breach as any exploitation of a system's vulnerabilities resulting in unauthorized access to that system and its data. The most common (and sizable) damages to a company that is successfully attacked are financial damage (in the form of fines and the cost of addressing the breach, among other expenses) and a hit to the company's reputation. Customers are less likely to stick around when they don't feel their business or confidential data is being safeguarded properly.

When a breach occurs, it’s most likely tied to one of the following:

Vulnerabilities in code. All applications are subject to vulnerabilities, and it’s possible for custom SAP applications to provide a window for attackers to access the overall system.

Unapplied security patches. Patches for SAP applications are extremely important, since they address known flaws that could be exploited in a breach attempt. Companies that delay implementing these patches leave themselves exposed.

System misconfigurations. When settings in an SAP application are misconfigured—or keep unused functions active—attackers can exploit this mistake and gain unauthorized access. You see this most often when applications are left on default settings or someone goes in and makes changes that they shouldn’t.

Inside jobs. Occasionally, someone who already has some level of access, like an employee, can clear a path for attackers to gain entry into the system. More often than not, it's the employee's account, not the employee themselves, that causes the breach. The employee account could be taken over by bad actors through phishing or social engineering tactics; the MGM Grand/Caesar's breach provides a perfect example of this type of attack.

How to Respond to an Attack

When you’ve identified where the threat has come from and what vulnerability has been exploited, it’s time to take decisive action. Reacting quickly but also in the right way will help reestablish your company’s security posture. For most breaches, the following steps will be the most effective means of getting a handle on the situation:

  • Lock down any compromised user accounts and cut off access to the network and system by any third parties such as partners or clients that are involved in the attack. If such a tactical approach doesn’t work, you might need to isolate the full SAP system, going into full lockdown or cutting off its access to the internet so unauthorized users can’t keep finding their way in while you address the issue.
  • Put together a team of stakeholders—executives, your best tech leads, SAP admins, and any other experts available—to assess the damage of the threat and make a plan to deal with it.
  • Make sure to preserve all SAP logs relating to security and put them under forensic analysis. Look at logs such as the Security Audit Log, the Java audit log, and the HANA audit log within the timeframe of the attack.
  • Use those logs to assess the details of the vulnerability that was exploited and identify the critical events and activity patterns during the key time periods.
  • Install fixes and patches as needed to shore up vulnerabilities and adopt the appropriate security configurations to stop the attack and prevent that specific vulnerability from being exploited again.
  • Only then should you return, one application at a time, to normal SAP operations. Monitor your SAP security logs following this return to make sure operations are now secure.
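The log-triage steps above (preserve the audit logs, narrow them to the attack timeframe, identify critical events and activity patterns) can be illustrated with a small script. This is an added example, not code from the original post or from SecurityBridge. It works on constructed sample lines in a simplified `timestamp|user|terminal|msgid|detail` text layout; the real SAP Security Audit Log is read through the system's own tools (for example transaction SM20), so this demonstrates the analysis, not a parser for SAP's file format. The message IDs AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started) are real Security Audit Log message IDs; the failure threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp|user|terminal|msgid|detail.
# Terminal 203.0.113.7 is a documentation-range address used as an
# illustrative "unknown" source; WS-* are the users' usual workstations.
SAMPLE_LOG = """\
2024-03-01T07:30:02|JSMITH|WS-0142|AU1|type=A method=dialog
2024-03-01T08:55:10|JSMITH|WS-0142|AU3|SE38
2024-03-01T09:02:41|JSMITH|203.0.113.7|AU2|reason=incorrect password
2024-03-01T09:02:58|JSMITH|203.0.113.7|AU2|reason=incorrect password
2024-03-01T09:03:15|JSMITH|203.0.113.7|AU2|reason=incorrect password
2024-03-01T09:03:40|JSMITH|203.0.113.7|AU2|reason=incorrect password
2024-03-01T09:05:02|JSMITH|203.0.113.7|AU1|type=A method=dialog
2024-03-01T09:06:11|JSMITH|203.0.113.7|AU3|SU01
2024-03-01T09:07:45|JSMITH|203.0.113.7|AU3|SE16
2024-03-01T09:10:05|MMUELLER|WS-0200|AU2|reason=incorrect password
2024-03-01T09:10:30|MMUELLER|WS-0200|AU1|type=A method=dialog
2024-03-01T09:12:00|MMUELLER|WS-0200|AU3|VA01
2024-03-01T12:00:00|JSMITH|WS-0142|AU1|type=A method=dialog
"""

# Assumed tuning value: this many consecutive failed logons from one
# terminal, followed by a success, is treated as a possible account takeover.
FAILURE_THRESHOLD = 3


def parse_log(text):
    """Turn the simplified text lines into event dicts (constructed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, msgid, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "terminal": terminal, "msgid": msgid, "detail": detail})
    return events


def events_in_window(events, start, end):
    """Keep only events inside the attack timeframe [start, end)."""
    return [e for e in events if start <= e["ts"] < end]


def triage(events, start, end):
    """Summarise failed logons and failed-then-successful logon patterns,
    then list the transactions started from the suspicious terminal."""
    window = events_in_window(events, start, end)
    failed = defaultdict(int)     # user -> failed logons in window
    streak = defaultdict(int)     # (user, terminal) -> consecutive AU2 count
    suspicious = {}
    for e in sorted(window, key=lambda e: e["ts"]):
        key = (e["user"], e["terminal"])
        if e["msgid"] == "AU2":
            failed[e["user"]] += 1
            streak[key] += 1
        elif e["msgid"] == "AU1":
            if streak[key] >= FAILURE_THRESHOLD:
                suspicious[e["user"]] = {
                    "terminal": e["terminal"],
                    "failures_before_success": streak[key],
                    "success_at": e["ts"].isoformat(),
                    "transactions": [],
                }
            streak[key] = 0
        elif e["msgid"] == "AU3":
            s = suspicious.get(e["user"])
            if s and s["terminal"] == e["terminal"]:
                s["transactions"].append(e["detail"])
    return {"events_reviewed": len(window),
            "failed_logons": dict(failed),
            "suspicious": suspicious}


def triage_log(text, start_iso, end_iso):
    """Convenience wrapper taking ISO-8601 strings for the attack window."""
    return triage(parse_log(text),
                  datetime.fromisoformat(start_iso),
                  datetime.fromisoformat(end_iso))


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG, "2024-03-01T09:00:00", "2024-03-01T10:00:00")
    print(result)
```

In the sample, MMUELLER's single typo-then-success stays below the threshold, while JSMITH's four failures from an unfamiliar terminal followed by a success and a user-administration transaction (SU01) stand out as the activity pattern to investigate and the account to lock down first.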

While all of the above is happening, be sure to comply with all legal requirements for communications with affected or relevant parties. Especially if there is ever a legal investigation on your company’s actions during and after a breach, transparency and timely notification to affected parties so they can take appropriate action will work in your favor.

Future Actions

Once the immediate threat is over, most companies should shift to prevention mode: making it so such a breach can’t happen again. Perhaps those fixes and patches can be extended to other SAP applications. Following NIST and other common SAP security frameworks is recommended.

Further SAP process improvements can help provide preventative measures or early alerts of a potential attack. Some security tooling can detect anomalies in SAP systems or include automation capabilities that can make changes to protect a system on the fly. You can even set up the capability to alert users when their credentials might be compromised, for example if they were just used to sign in from an unusual geographical location or were exposed due to a hack elsewhere. In those cases, contacting the SAP security team immediately could make a big difference in preventing authorized accounts from being misused.
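The "unusual geographical location" alert described above can be built from a baseline of where each account normally signs in from. The following is an added example, not code from the original post or from any SecurityBridge product: the logon history and the new logons are constructed records of (user, timestamp, country code), the 60-minute rapid-country-change window is an assumed heuristic, and a real deployment would feed it from the SAP logon records and a GeoIP lookup of the terminal address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed history of successful logons: (user, ISO timestamp, country).
HISTORY = [
    ("JSMITH", "2024-02-10T08:01:00", "DE"),
    ("JSMITH", "2024-02-12T08:03:00", "DE"),
    ("JSMITH", "2024-02-20T09:15:00", "DE"),
    ("MMUELLER", "2024-02-11T07:50:00", "DE"),
    ("MMUELLER", "2024-02-15T13:20:00", "AT"),
    ("MMUELLER", "2024-02-22T07:55:00", "DE"),
]

# Constructed new logons to evaluate against the baseline.
NEW_LOGONS = [
    ("JSMITH", "2024-03-01T08:55:00", "DE"),
    ("JSMITH", "2024-03-01T09:05:00", "BR"),    # never seen, 10 min after DE
    ("MMUELLER", "2024-03-01T09:10:00", "AT"),  # known country for this user
    ("MMUELLER", "2024-03-01T14:00:00", "DE"),  # known, hours later: no alert
]

# Assumed heuristic: two logons from different countries within this
# interval are flagged regardless of whether both countries are known.
TRAVEL_WINDOW = timedelta(minutes=60)


def build_baseline(history):
    """Countries each user has previously signed in from."""
    baseline = defaultdict(set)
    for user, _, country in history:
        baseline[user].add(country)
    return baseline


def detect_credential_misuse(history, new_logons):
    """Return alerts for logons from a new country or for a rapid change
    of country. Flagged logons are NOT added to the baseline, so an
    attacker's first success does not silently become 'normal'."""
    baseline = build_baseline(history)
    last_seen = {}   # user -> (timestamp, country) of the previous new logon
    alerts = []
    for user, ts_iso, country in sorted(new_logons, key=lambda r: r[1]):
        ts = datetime.fromisoformat(ts_iso)
        if country not in baseline[user]:
            alerts.append({"user": user, "at": ts_iso, "country": country,
                           "reason": "new_country"})
        prev = last_seen.get(user)
        if prev and prev[1] != country and ts - prev[0] <= TRAVEL_WINDOW:
            alerts.append({"user": user, "at": ts_iso, "country": country,
                           "previous_country": prev[1],
                           "reason": "rapid_country_change"})
        last_seen[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_misuse(HISTORY, NEW_LOGONS):
        print(alert)
```

The JSMITH logon from BR triggers both rules (new country, and a country change ten minutes after a DE logon); that is the event on which the user and the SAP security team should be notified so the account can be locked before it is used further. MMUELLER's AT logon matches an established pattern and produces nothing.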

There’s never a good time to experience an SAP breach, but companies that have a plan to address it quickly and effectively will fare better in both the short and long term than those that don’t. SAP’s systems are critical for many companies, so ensuring the strongest possible security posture for those applications is an equally critical task that organizations should prioritize.

Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge, a global SAP security provider serving many of the world's leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and real-time detection of cyber-attacks. Prior to SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi.

The post A Guide to Handling SAP Security Breaches appeared first on Cybersecurity Insiders.