Fight SAP cybersecurity risks with patches, research

No system, not even SAP ERP, is immune to security risks -- more than 400 SAP vulnerabilities have been identified. Here are tips for battling threats to SAP cybersecurity.

Cybersecurity breaches have been a hot news item, and no system is immune -- not even SAP ERP systems, as evidenced by the USIS breach disclosed in May 2015. According to experts, both older systems and HANA-based systems are at risk, and approximately 400 vulnerabilities have been discovered in SAP. However, you can mitigate SAP cybersecurity risk by knowing where the vulnerabilities lie and being vigilant about patching, despite the time commitment required.

Experts have identified several SAP cybersecurity vulnerabilities as potential entry points for hackers. SAP Portal, because it's open to the Internet, is an easy-to-find opening for hackers, according to Alexander Polyakov, CTO and co-founder of ERPScan based in Palo Alto, Calif. Essentially, the vulnerability allows a miscreant to create a user in the system without authorization and become an administrator. Another possible access point, Polyakov said, is SAP Router, which SAP uses to send updates -- but which can be exploited once scanning software has found its IP address.

Another potential problem can arise when engineers connect development, testing and production systems, Polyakov said. The connections store user names and passwords that malfeasants can use to access data in the system, and testing and development systems are usually less secure than production systems. "We usually see in security assessments that the development systems are weak," he said. "A hacker can easily access [user names and passwords] and use that information to get into the production system, a two-step attack."

RFC connections can be a weak point

Remote function call (RFC) connections also open up SAP systems to attack, according to Aman Dhillon, SAP security architect at Layer Seven Security in Oakville, Ont. The vulnerability is common, he said, and the one most likely to be exploited because it connects not just SAP systems with each other, but also external systems.

"You can write an entire textbook on how to secure RFC connections," Dhillon said. However, it can be boiled down to securing the gateway server. Otherwise, hackers can register machines on the gateway server, add them to the RFC communications hub, invoke standard SAP services at the host level and gain complete control over corporate systems, hijacking the database. The main way to prevent that is with a proper gateway filter, he emphasized.

Another measure is to be mindful of how RFC destinations are configured, according to Dhillon. Although no rule says you shouldn't use trusted connections and stored credentials, these can open up your SAP systems to hackers, and he advised staying on top of SAP cybersecurity recommendations for these. For example, enterprises should never have a trusted RFC connection between a high-level system and a lower-level system, he said.

Finally, knowing what type of RFC to use is critical. "Unfortunately, many companies use a generic RFC for multiple destinations," Dhillon said. Each connection needs a unique user to properly set access controls and authorizations. Generic users end up providing too much RFC access. Although it's not a simple process to create unique users for each connection, it's one that's worth the effort for security purposes, he added.
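As an added illustration (not code from the article, from SAP or from any of the vendors quoted), the following audit script checks the three RFC points raised above: wildcard permits in gateway ACL entries written in the secinfo/reginfo line format, generic users shared by several RFC destinations, and trusted destinations that cross landscape tiers. The tier names, the destination record fields and all sample data are constructed assumptions.

```python
from collections import defaultdict

TIER = {"DEV": 0, "QAS": 1, "PRD": 2}  # assumed landscape naming (constructed)

def parse_acl(text):
    """Parse gateway ACL lines: 'P' (permit) / 'D' (deny) followed by KEY=VALUE pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip comments and the #VERSION header
            continue
        action, *pairs = line.split()
        rules.append({"action": action, **dict(p.split("=", 1) for p in pairs)})
    return rules

def permissive_rules(rules):
    """P rules that accept any program (TP) from any host; a missing HOST counts as '*'."""
    return [r for r in rules if r["action"] == "P"
            and r.get("TP", "*") == "*" and r.get("HOST", "*") == "*"]

def shared_users(dests):
    """Map each stored RFC user to the destinations that share it (generic users)."""
    by_user = defaultdict(list)
    for d in dests:
        if d["user"]:
            by_user[d["user"]].append(d["name"])
    return {u: names for u, names in by_user.items() if len(names) > 1}

def cross_tier_trust(dests):
    """Trusted destinations crossing tiers: a weak lower tier gets credential-free access."""
    return [d["name"] for d in dests
            if d["trusted"] and TIER[d["source"]] != TIER[d["target"]]]

# Constructed sample input: a secinfo and a reginfo file with one wildcard permit each.
SECINFO = """#VERSION=2
P TP=* USER=* HOST=internal USER-HOST=internal
P TP=* USER=* HOST=* USER-HOST=*
D TP=* USER=* HOST=*
"""
REGINFO = "#VERSION=2\nP TP=* HOST=*\nD TP=* HOST=*\n"
DESTS = [  # constructed destinations: name, defined on, points to, stored user, trusted flag
    {"name": "PRD_TO_DEV", "source": "PRD", "target": "DEV", "user": "RFC_GENERIC", "trusted": False},
    {"name": "DEV_TO_PRD", "source": "DEV", "target": "PRD", "user": None, "trusted": True},
    {"name": "QAS_TO_PRD", "source": "QAS", "target": "PRD", "user": "RFC_GENERIC", "trusted": False},
]

if __name__ == "__main__":
    print(permissive_rules(parse_acl(SECINFO)), permissive_rules(parse_acl(REGINFO)),
          shared_users(DESTS), cross_tier_trust(DESTS), sep="\n")
```

In a real review the ACL text would come from the files the gateway parameters point to and the destination records from the system's own RFC destination maintenance, not from inline constants.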

Patch early, patch often

Custom code may make patching a painful process, but SAP's own patches, released monthly, are an important line of defense in securing the system. Although SAP usually sticks to a schedule -- the second Tuesday of every month -- the company also may release patches out of schedule. Regardless, companies need to have a process and dedicated teams for installing those patches as quickly as possible, according to J.P. Perez-Etchegoyen, CTO of Boston-based Onapsis Inc.

Unfortunately, the skill set required for patching resides in different, often siloed teams, Perez-Etchegoyen noted. But it's necessary to establish a well-defined process that enables communication between the Basis team that manages the systems, the SAP security team that focuses on authorization, and the IT security team that understands exploits and threats. That way, companies will have a better understanding of the system vulnerabilities and be in a better position to implement the patches as they are released, he said.

Use existing SAP controls to mitigate risk

Although third-party products can be useful, Dhillon pointed to SAP's own included alarm system, Solution Manager, as a way for enterprises to secure their SAP systems without adding to the budget. Administrators can use Solution Manager to create security policies and automatically review the security settings of all systems against those policies, then identify where vulnerabilities exist based on the policies. Solution Manager also includes change analysis tools that let administrators compare different system configurations to identify vulnerabilities and how those vulnerabilities arose, he said.

Additionally, companies can set up text message and email alerts and dashboards in Solution Manager to monitor vulnerabilities and compliance levels, Dhillon said. Solution Manager also allows administrators to review access control in gateway servers and RFC connections to ensure trusted connections are being used properly. Using Solution Manager is one of SAP's recommendations for combating security threats, Dhillon said.

But bolstering SAP cybersecurity isn't limited to SAP systems, Dhillon said. General IT security knowledge is also required: for example, strong password policies and password hash algorithms that are costly enough to crack that attackers move on to another target. Because SAP systems are so connected with other technologies, security can't just be about the SAP layer, he said.

Indeed, this dovetails with SAP's own recommendations, which include patching -- but also running antivirus software and intrusion detection systems, and educating staff about security risks, according to Hilmar Schepp, SAP's head of strategic innovation and global corporate communications. "Security is a joint effort," he said. "In order to manage an end-to-end security approach, SAP includes its customers as key contributors."
