According to a data security firm, more than 95 percent of SAP systems currently used in enterprises are exposed to vulnerabilities that may lead to a complete compromise of business data.
A surprising fact is that many of these vulnerabilities have existed for years, as noted by Mariano Nunez, CEO of data security firm Onapsis.
In 2014 alone, SAP issued 391 security patches, an average of 30 per month, and an astonishing 50 percent of those patches were rated ‘high priority’. The Boston-based company, which specializes in SAP security audits, also found that the average time-to-patch for SAP vulnerabilities is more than 18 months: 12 months for SAP to issue fixes and a further 6 months for companies to deploy and implement them.
These numbers reveal that many companies are falling behind on SAP security, even though these same systems hold some of their most critical and confidential information.
Because SAP systems run in the background while being absolutely key to essential business functions, IT security professionals are hesitant to patch: they judge the risk of disrupting the system or taking it offline, even for maintenance, to be greater than the risk of leaving a known vulnerability unpatched.
“From our perspective, IT security professionals shouldn’t patch everything,” Nunez said. “[When they perform their first vulnerability scan] they will get a report with hundreds of thousands of vulnerabilities. They should analyze those vulnerabilities and prioritize based on the likelihood of someone exploiting them and criticality of the vulnerability and its patch.”
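The risk-based prioritization Nunez describes can be made concrete as a small triage routine. The following is an added example, not code from the article or from Onapsis; the note identifiers are placeholders, the findings are constructed, and the weights for SAP priority, system criticality and exploit likelihood are assumptions a team would tune to its own environment. It ranks unpatched findings by likelihood of exploitation times criticality, uses how long the fix has been available as a tiebreaker, and returns the subset to patch immediately.

```python
"""Risk-based triage of unpatched SAP Security Notes (added example).

Score = likelihood of exploitation x SAP priority weight x system criticality.
All weights below are assumptions for illustration, not SAP or Onapsis values.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed weights: SAP's own priority ratings mapped to a numeric scale.
PRIORITY_WEIGHT = {"HotNews": 4, "High": 3, "Medium": 2, "Low": 1}
# Assumed weights: how critical the affected system is to the business.
SYSTEM_WEIGHT = {"production": 3, "quality": 2, "development": 1}


@dataclass(frozen=True)
class Finding:
    note_id: str           # placeholder, not a real SAP Security Note number
    priority: str          # SAP priority rating: HotNews / High / Medium / Low
    exploit_public: bool   # a public exploit or active exploitation is known
    exposed: bool          # reachable from a lower-trust zone (portal, RFC gateway)
    days_since_patch: int  # how long SAP's fix has been available but not deployed
    system: str            # production / quality / development


def likelihood(f: Finding) -> int:
    """1..4: how likely someone is to exploit this finding in this environment."""
    score = 1
    if f.exploit_public:
        score += 2   # known exploit weighs more than mere exposure
    if f.exposed:
        score += 1   # reachable from the lower-security systems attackers pivot from
    return score


def risk_score(f: Finding) -> int:
    """Likelihood times criticality of the vulnerability and of the system."""
    return likelihood(f) * PRIORITY_WEIGHT[f.priority] * SYSTEM_WEIGHT[f.system]


def triage(findings: List[Finding], immediate_threshold: int = 24) -> Tuple[List[Finding], List[Finding]]:
    """Return (all findings ranked highest risk first, those to patch immediately).

    Ties on score are broken by patch age, so the fix that has been waiting
    longest surfaces first; note_id makes the order deterministic.
    """
    ranked = sorted(findings, key=lambda f: (-risk_score(f), -f.days_since_patch, f.note_id))
    immediate = [f for f in ranked if risk_score(f) >= immediate_threshold]
    return ranked, immediate


def average_patch_lag(findings: List[Finding]) -> float:
    """Mean days a fix has sat undeployed: the 'time-to-deploy' half of time-to-patch."""
    return sum(f.days_since_patch for f in findings) / len(findings)


# Constructed sample backlog; NOTE-x ids are placeholders.
FINDINGS = [
    Finding("NOTE-A", "HotNews", True, True, 400, "production"),
    Finding("NOTE-B", "High", False, True, 200, "production"),
    Finding("NOTE-C", "High", True, False, 30, "development"),
    Finding("NOTE-D", "Medium", True, True, 600, "production"),
    Finding("NOTE-E", "Low", False, False, 10, "quality"),
]

if __name__ == "__main__":
    ranked, immediate = triage(FINDINGS)
    for f in ranked:
        print(f"{f.note_id:8} score={risk_score(f):3} priority={f.priority:8} "
              f"system={f.system:12} fix available {f.days_since_patch} days")
    print("patch immediately:", [f.note_id for f in immediate])
    print(f"average deployment lag: {average_patch_lag(FINDINGS):.0f} days")
```

Note that NOTE-D, only a Medium-rated note, outranks the High-rated NOTE-B because it is publicly exploitable, reachable from a less trusted zone and sits on production; that is the point of scoring by likelihood rather than by SAP's priority label alone.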
After canvassing hundreds of security assessments, Onapsis determined that the most likely attack scenarios for compromising SAP systems are:
- Pivoting from a lower-security system to a critical one in order to execute remote function modules.
- Creating backdoor accounts on the SAP J2EE User Management Engine by exploiting vulnerabilities to gain access to SAP portals and other internal systems.
- Exploiting vulnerabilities in the SAP RFC Gateway to execute operating system commands with SAP admin privileges, and thereby read and change information in SAP databases.
According to Onapsis, the most common cyber-attack vectors are:
- Customer and supplier portal attacks.
- Direct attacks through SAP proprietary protocols.
- Customer information and credit card breaches using pivoting between SAP systems.
To prevent these attacks, Nunez stressed the importance of patching, while noting that the most critical vulnerabilities need to be dealt with immediately.
“[IT security professionals] need to make [patching] a recurring practice,” he said. “They need to move SAP into their system vulnerability management programs and into their risk management programs. SAP continues to be a blind spot for them, so they need to create new processes and different techniques.”
However, one of the challenges organizations face is that they can’t rely on vulnerability management solutions and products for SAP the way they do for other IT systems, according to Carsten Eiram, Chief Research Officer at vulnerability intelligence firm Risk Based Security.
“The reason is that tracking SAP product vulnerabilities is very difficult due to SAP’s antiquated policy regarding disclosure: They provide information about vulnerabilities to customers only via an access restricted portal,” Eiram said. “Furthermore, customers are not permitted to share this information with other parties like vulnerability databases.”
It is a concern that needs attention, given the staggering share of companies’ business data and processes put at risk by vulnerabilities that have existed for years within SAP systems.