Drawing on research into common SAP security weaknesses, Alexander Polyakov says large companies need to consider where their systems may be vulnerable to exploitation by cybercriminals.
For large companies, there are some areas of security that many underestimate. While there is a lot of buzz about mobile technologies, SCADA and cloud, we forget about the key elements of IT infrastructure that store and process all corporate data.
The IT infrastructure of every large company is built around core systems such as ERP and CRM, connected to each other by enterprise service bus solutions and processing critical data (HR and financial documents, customer data and so on), so the security of those business applications is one of the main aspects of corporate security. According to the Association of Certified Fraud Examiners (ACFE), between 2006 and 2010 losses caused by internal fraud amounted on average to 7 per cent of yearly revenue.
While the use of SAP systems helps companies automate business processes and run better, every great solution, once it becomes popular, unfortunately attracts the attention of the bad guys.
Cyber-attacks are real and their number is growing ever faster, particularly in the areas of cyber-espionage and fraud. One example of a new type of cyber-espionage weapon is an AutoCAD worm that steals files containing interesting drawings and sends them to China. These are targeted attacks focused on stealing corporate secrets, and it is not an isolated case: there are many worms that look for PDF files with interesting content and send them back to their authors.
Today the headline targets of cyber-attacks are mostly nation states and their essential infrastructure, but critical business applications such as ERP systems can also become targets of espionage and fraud, and very little attention is paid to them at present. As the heart of any large company, an ERP system houses vitally important data, and any illegal access to it can cause enormous losses.
Improving attention to SAP vulnerabilities
Our ‘SAP Security in Figures’ survey shows that the situation has changed significantly since the early 2000s, when there was not enough information about the vulnerabilities of these systems and what information existed was fragmented. Back in 2000, SAP security was understood to mean little more than segregation of duties. By 2012, interest in SAP within the security community had grown immensely, with around 20 unique research reports on SAP vulnerabilities released every year.
SAP AG has also started paying a lot of attention to this area, improving the security of its products and holding internal security conferences with external guest experts.
According to the statistics on vulnerabilities found in business applications, more than 100 vulnerabilities were patched in SAP products in 2009, and this grew to more than 500 in 2010. By August 2012, there were more than 2700 SAP security notes covering vulnerabilities in various SAP components. Most of these vulnerabilities allow an unauthorised user to gain access to critical business data, so it is necessary to think about the main attack vectors and the ways to secure these highly critical systems.
We work closely with SAP on discovering and patching security issues, so that process is underway. But the main issue is that the responsibility for securing business applications now falls on administrators, who have to implement every application securely, take customisation into account and prioritise security updates.
SAP itself can be securely configured, but it is not an easy task, especially if you do it manually across a lot of systems, each of which can have thousands of security-relevant configuration settings. We also need to remember that SAP is not the only solution: there are Oracle and Microsoft business applications too, and their security is not much better.
At the BlackHat conference we recently presented some of our findings in Oracle and Microsoft applications, which can be used to remotely halt a company's business or to gain access to confidential data. What is more dangerous is that most PeopleSoft applications are connected to the internet to provide access to suppliers. Simple Google search strings can find about 500 internet-enabled PeopleSoft applications. The same research applied to SAP found over 3000 SAP systems with web access.
Apart from the web interfaces that have to be available via the internet for various business needs, such as SAP Portal, SAP SRM or SAP CRM solutions, there are some services that should not be available externally at all. Not only do they bring potential risk: many of them have real vulnerabilities and misconfigurations that are well known and well described in public resources.
Our scan covered 1000 sub-networks of companies that use SAP worldwide, and at least one third of them had vulnerable services accessible from the internet. The results were shocking even for us, people who see hundreds of insecure deployments, but we did not expect such poor security configuration on the external perimeter.
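To make the external-exposure check concrete, here is an added example (not the article's or ERPScan's code) that takes scan output in a simple constructed "host port state" format and maps each open port onto SAP's standard port layout, where NN is the two-digit instance number. Which listeners count as acceptable on the internet (the ICM and J2EE HTTP/HTTPS front ends that back Portal, SRM or CRM style web access) and which should never be reachable externally (dispatcher, RFC gateway, message server, sapstartsrv, P4, SAProuter) is this example's own policy assumption, and the sample addresses are from the documentation range 203.0.113.0/24.

```python
"""Classify SAP listeners found by an external scan (added example, not from the article)."""
import re
from typing import NamedTuple, Optional


class SapService(NamedTuple):
    name: str
    instance: Optional[str]   # two-digit SAP instance number, if the port encodes one
    external_ok: bool         # assumption: may this listener face the internet?


class Finding(NamedTuple):
    host: str
    port: int
    service: SapService


# SAP's standard port layout; "NN" stands for the two-digit instance number.
# The third field is this example's policy assumption: only the HTTP(S) front
# ends behind Portal/SRM/CRM-style web access have a reason to be reachable
# from the internet. SAProuter is listed first so that 3299 is not misread as
# dispatcher instance 99.
SAP_PORT_PATTERNS = [
    ("3299",  "SAProuter", False),
    ("32NN",  "SAP GUI dispatcher (DIAG)", False),
    ("33NN",  "RFC gateway", False),
    ("36NN",  "ABAP message server", False),
    ("81NN",  "message server HTTP", False),
    ("80NN",  "ICM HTTP", True),
    ("443NN", "ICM HTTPS", True),
    ("5NN00", "J2EE HTTP", True),
    ("5NN01", "J2EE HTTPS", True),
    ("5NN04", "P4 (J2EE remote objects)", False),
    ("5NN13", "sapstartsrv / SAP MMC HTTP", False),
    ("5NN14", "sapstartsrv / SAP MMC HTTPS", False),
]


def _compile(pattern: str):
    # "5NN13" -> ^5(\d{2})13$ ; a pattern without NN has no capture group
    return re.compile("^" + pattern.replace("NN", r"(\d{2})") + "$")


_COMPILED = [(_compile(p), name, ok) for p, name, ok in SAP_PORT_PATTERNS]


def classify(port: int) -> Optional[SapService]:
    """Map a TCP port to the SAP listener that conventionally uses it, or None."""
    for rx, name, ok in _COMPILED:
        m = rx.match(str(port))
        if m:
            instance = m.group(1) if m.groups() else None
            return SapService(name, instance, ok)
    return None


# Constructed sample scan output: "host port state", one listener per line.
SAMPLE_SCAN = """\
# host port state
203.0.113.10 8000 open
203.0.113.10 3300 open
203.0.113.10 50013 open
203.0.113.25 443 open
203.0.113.25 50000 open
203.0.113.40 3299 open
203.0.113.40 3200 closed
"""


def parse_scan(text: str) -> list:
    """Turn scan lines into findings, keeping only open ports that look like SAP listeners."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, state = line.split()
        if state != "open":
            continue
        service = classify(int(port))
        if service is not None:
            findings.append(Finding(host, int(port), service))
    return findings


def internal_exposures(findings: list) -> list:
    """Findings for listeners that, under this example's policy, must not be internet-facing."""
    return [f for f in findings if not f.service.external_ok]


def exposure_ratio(findings: list) -> float:
    """Share of hosts with at least one SAP listener that has at least one exposed internal service."""
    hosts = {f.host for f in findings}
    bad = {f.host for f in internal_exposures(findings)}
    return len(bad) / len(hosts) if hosts else 0.0


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    for f in internal_exposures(found):
        inst = f"instance {f.service.instance}" if f.service.instance else "no instance"
        print(f"{f.host}:{f.port}  {f.service.name} ({inst}) should not be reachable externally")
    print(f"{exposure_ratio(found):.0%} of scanned SAP hosts expose an internal service")
```

On the constructed sample, two of the three hosts expose something that has no business on the internet (an RFC gateway and sapstartsrv on one host, a SAProuter on another), while the host that only publishes ICM and J2EE HTTP front ends passes. Feeding the parser real scanner output only requires adapting `parse_scan` to that tool's line format; the port classification does not change.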
So what is our conclusion? ERP is an ideal target for cyberweapons: finding and exploiting bugs in it is currently much easier than in operating systems or browsers, which are hardened by the attention of many cybercriminals. ERP systems also hold all the data an attacker wants in one place, so there is no need to design a special, complex exploit such as Stuxnet, which was built to attack SCADA systems.
A recent example of a high-profile attack on an SAP system was the attack by Anonymous on the Greek Ministry of Finance in November 2012. The perpetrators used an exploit against the SAP system and published critical internal documents on the internet, which led to a scandal.
Not only activists but also other large companies may be interested in attacking ERP systems, whether to steal corporate secrets or to run DoS attacks against a competitor's infrastructure. I spoke to some commercial organisations that buy and sell exploits for private companies and government agencies (security intelligence services) and asked whether there is a market for ERP exploits. They said there is interest from both sides.
There are also forums that sell access to botnets covering the IP ranges of specific companies. Nowadays large companies sometimes have more power than governments, so corporate wars are one possible scenario, and business-critical systems would be the most useful targets. If few examples have been made public yet, it is largely because very few organisations monitor these systems for malicious activity: even when a system has been compromised, they are not equipped for a forensic investigation and cannot establish that the compromise took place.
So are there any solutions that can help companies automate the task of securing these systems? We are trying to raise awareness in this area by bringing all the threats together and designing the best approach to securing business applications such as SAP.
There are many areas that need to be analysed, for example backdoors in custom source code, or the logging of all relevant events for forensic investigation. Putting it all together and combining different methods, we also collect information for the EAS-SEC project, which is focused on the security of business-critical applications. A document listing the areas that should be covered to secure SAP will be released soon.
Alexander Polyakov is chief technology officer at ERPScan, which provides a full range of services in the area of SAP security, including vulnerability assessment and SAP security monitoring focused on preventing cyberattacks. This article was first published in Inside SAP Yearbook 2014.