Posted: 19 May 2022, 6 min read

Down the rabbit hole of SAP Security

What organisations should know about protecting their assets in SAP

Enterprise resource planning (ERP) can be viewed as the backbone of an organisation. ERP houses many of the core business processes and — depending on the organisation — a lot of data flows through it: production, warehouse and logistics, purchase orders and invoicing, payroll data etc. Imagine what could happen if this backbone, or any part of it, was under attack.

 
Wake up, Neo …

Just like Neo’s search for the truth about the Matrix in the ’90s blockbuster film The Matrix, we encourage organisations to re-evaluate the security of their SAP landscape. But how does one protect oneself against the Agent Smiths of the cyber world?

There are several cyber risk domains that are critical in the evaluation of an organisation’s capabilities and readiness for ERP. To name a few: data privacy and protection policies, identity and access management protocols, process control and application security design. 

Application security measures are taken to improve the security of an application layer — for example, within an ERP software like SAP — in order to reduce the risk of malicious attacks. Common safety measures, such as role-based access control (controlling user access to functions and data by using security roles) and API security (implementing secure authentication and authorisation mechanisms), are nowadays widely used among organisations. On top of that, keeping the personnel (especially core users) educated and alert at all times is key to security success.

This blog, however, focuses on infrastructure and application security from one angle. Keep in mind that this is only the tip of the iceberg that makes up SAP security.

 

The Matrix has you …

Let us start where an attacker, Agent Smith, would start: enumeration — or, to put it simply, finding suitable targets and collecting information. The attacker might already have a clear target in mind, but that does not mean they want to stop there. Instead, they can simply head to Google.com or any other search engine and start searching.

Depending on the type of attack, the information commonly needed for it to succeed is the system name, open ports and operating system (release information). With these, the attacker can start a ‘classic’ reverse shell (a virtual shell initiated by the victim’s computer, allowing a connection with the attacker’s computer) or a Metasploit attack (a database and command-line tool of known exploits) in order to gain a foothold in the infrastructure and start moving laterally.

Google, in all its glory, provides millions of search results for ‘SAP portal login’. To understand what is going on and why attackers use these three little search words, here is a bit of background: 

SAP portal logins are interfaces from various SAP landscapes that offer a login page, typically for business customers and vendors, but also for internal use, such as an HR/HCM portal. With a little bit of knowledge, an attacker can simply request the directory (URL) that provides access to an admin panel, and the attacker is automatically granted monitoring permission. This results in the disclosure of IP addresses, net-names, SAP system information, the operating system type and patch level, the SAP kernel and its patch information, system runtime, open ports and protocols, the existence of access control lists and more.

If attackers know what they are looking for, it does not take them long to learn about and locate SAP portals leaking internal company data right into their hands. This is a solid attack vector.


 
Follow the white rabbit …

We once again turn to Neo who is encouraged to follow the white rabbit in order to seek out the truth. Similarly, Deloitte helps organisations to find their truth: how to be secure and resilient, and how to protect valuable assets in their SAP system.

Just like many other types of software, SAP solutions often have internet-facing components or connections outside of the local network. When a system that can be reached externally does not meet minimum security requirements, it is vulnerable. And yes, that means that, down the line, the system’s databases are vulnerable too.

There are endless possibilities for an attacker to fly under the radar of detection. Using Google is just one path. Directory enumeration is a separate field with its own automated tools in the Swiss army knife of modern red teams and real cyber threats. After latching on to one data point, attackers can rapidly expand their territory, find loopholes and accumulate power within the software, or establish a foothold in the operating system and move laterally within the network.

Thus, it is important for companies to stay alert and secure their weaknesses, because they risk exposing their web dispatchers via Google, Shodan.io and other similar tools.

 

The red or blue pill? How mature is your SAP security? 

Securing SAP systems is a long journey and the prioritisation of key steps is important. SAP security is more than authorisation concepts and GRC (governance, risk management and compliance). Deloitte can offer ‘the red pill’ by helping organisations start with assessing their SAP landscapes and providing action recommendations based on the results. We have bundled the expertise and experience required to assess this maturity with a comprehensive method derived from the general cybersecurity maturity models, like the one provided by SANS or the C2M2 developed by the US DOE.

 

“There is a difference between knowing the path and walking the path.”
— Morpheus, The Matrix

 

SAP and other ERPs can be assessed holistically to give an overview of how mature their security stance really is. This factors in the cyber risk domains and elevates the view away from an ‘in application’ level in order to reveal the complete attack surface. The landscape’s network, operating system, databases and connected applications (such as backup, archive and mail) might all pose a threat to the confidentiality, integrity and availability of the systems.

Contact Deloitte and we will show you how deep the rabbit hole goes and help you secure it against the Agent Smiths out there!

Contact

Christian Wischnack

Manager

Christian joined Deloitte Finland in autumn 2021 after securing the federal SAP systems of Austria for roughly a decade. Christian has nearly 15 years of experience working as an SAP Basis in-house consultant, and embraced his passion for security during this journey. His general approach to security is a holistic one, and this is also true for anything SAP-related.