Warning bell for enterprises: Nearly all SAP systems remain vulnerable to attacks

Over 95 percent of SAP systems assessed contained vulnerabilities that could lead to full compromise of the company’s business data and processes, according to a new assessment released by security firm Onapsis . SAP is run by over 250,000 customers worldwide, including 87 percent of Global 2000 companies and 98 percent of the 100 most valued brands. Despite housing an organisation’s most valuable and sensitive information, SAP systems are not protected from cyber threats by traditional security approaches. [caption id=“attachment_2008095” align=“alignleft” width=“380”] Image: Reuters[/caption] “These attack vectors put intellectual property, financial, credit card, customer and supplier data as well as database warehouse information at risk for the world’s largest companies.” The firm revealed the three most common cyber attack vectors used for compromising SAP business systems at the application layer. One of the most common cyberattack vectors on SAP systems is the use of pivots between different systems. The attack begins with a pivot from a system with lower security to a critical system in order to execute remote function modules in the destination system. In addition, customer and supplier portals are often targeted. Backdoor users are created in the SAP J2EE User Management Engine and by exploiting a vulnerability, the hacker can obtain access rights to SAP Portals and Process Integration platforms – as well as their connected, internal systems. And, thirdly database warehousing attacks through SAP proprietary protocols. Onapsis said this attack is performed by executing operating system commands under the privileges of a particular user, and by exploiting vulnerabilities in the SAP RFC Gateway. The hacker is able to obtain and potentially modify any business information stored in the SAP database. “The big surprise is that SAP cybersecurity is falling through the cracks at most companies due to a ‘responsibility’ gap between the SAP Operations team and the IT Security team,” said Mariano Nunez, CEO and co-founder of Onapsis. “The truth is that most patches applied are not security-related, are late or introduce further operational risk. Breaches are happening every day but still many CISOs don’t know because they don’t have visibility into their SAP applications." In addition, the research study found that most companies are also exposed to protracted patching windows averaging 18 months or more. In 2014 alone, 391 security patches were released by SAP, averaging more than 30 per month. Almost 50 percent of them were ranked as “high priority” by SAP. “This trend is not only continuing, but exacerbating with SAP HANA, which has brought a 450 percent increase in new security patches specifically affecting this platform. With SAP HANA positioned in the center of the SAP ecosystem, data stored in SAP platforms now must be protected both in the cloud and on-premise,” Nunez continued. Onapsis urged companies running critical business process in SAP Business Suite solutions to stay up to date with the latest SAP Security Notes, and ensure their systems are configured properly in order to meet compliance requirements and strengthened security.