Protiviti's risk-based approach for ramping up SAP security
Despite all the efforts made by SAP to help customers secure their infrastructure, SAP systems and modules remain vulnerable to cyber-attacks. Roy Mutsaers and Tiede-Jan de Jong from Protiviti explain where the majority of vulnerabilities sit and how a risk-based approach can be effective in overcoming them.
SAP systems are a business-critical asset for most organisations, as SAP contains and processes valuable business data. Business continuity could be at risk when these systems are not available, when data in these systems is breached or when data is manipulated.
Over the past years, SAP has invested a lot in the security of SAP systems by patching vulnerabilities (security notes) and by developing tools and solutions to secure the SAP landscape. In addition, SAP provides its customers with security guides and a security baseline template (the SAP Security Baseline Template V2.0), which can be used as a starting point for securing SAP.
However, SAP landscapes are often still vulnerable to cyber-attacks. Some examples we encounter in practice:
- SAP landscapes (SAP applications, operating systems and databases) are highly complex environments, where the individual components are often maintained by different teams (e.g. SAP Basis teams, system administrators, network administrators), each with a different mindset regarding security;
- Individual components are often insecurely configured (think of the ABAP stack, the Java stack and SAP MMC, but also database components and the operating systems);
- Basis teams are not able, or do not have the time, to properly fix publicly known vulnerabilities. These vulnerabilities are described in a security note, but they cannot be fixed automatically by implementing the note, as the note requires a ‘manual correction’. We still see a lot of customers struggling with these fixes (think of securing the RFC Gateway);
- During implementations and upgrades, companies often assume that SAP systems (like the new S/4 HANA) are fully secured by design. This is not true. Every SAP customer must maintain and configure system- and company-specific security settings to secure their SAP system(s);
- The SAP Security Baseline Template is an extensive document which companies want to adopt. Often companies do not know where to start, as they lack SAP security knowledge;
- Companies have only recently started to implement security notes, as this was never a top priority. Because the number of security notes has increased rapidly over the past years, we often see that a lot remains to be done in this field.
What can be done?
At Protiviti, we believe in a risk-based approach to securing SAP, as in our experience there is no one-size-fits-all approach. Adopting every item described in the security baseline template without understanding its risk and impact is in many cases unrealistic and cost-inefficient, and it can give a false sense of security when these items are not periodically monitored for compliance.
Start by performing an SAP security assessment (combined with an SAP penetration test). This assessment evaluates the current state of security and helps to determine if, and to what extent, SAP security is embedded in your organisation (the SAP security maturity level). The results and knowledge gained from this assessment are the starting point for determining your SAP security roadmap.
In the assessment, identify which kinds of SAP threats are most relevant and are considered the highest risk. Once these have been identified, it is time to test the security. Simulate a real-life, scenario-based attack on your SAP landscape (all SAP systems and their infrastructure), using different penetration testing techniques (black-, grey- and white-box approaches).
The results of the assessment are factual findings (identified vulnerabilities) which may lead to a direct business impact when a threat actor exploits these vulnerabilities to attack your SAP landscape.
Then, visualise the attacks as an attack path. An attack path makes the findings understandable, because it shows how the self-designed attacks worked and which stages were involved. Understanding the attacks and their stages will in turn help you to defend yourself better.
Overall, the recommendations and technical insights gained from the above steps will enable you to mitigate the identified business risks and determine the ideal SAP security roadmap.