Down the rabbit hole of SAP Security

Wake up, Neo …

Just like Neo’s search for the truth about the Matrix in the ’90s blockbuster film The Matrix, we encourage organisations to re-evaluate the security of their SAP landscape. But how does one protect themself against the Agent Smiths of the cyber world? 

There are several cyber risk domains that are critical in the evaluation of an organisation’s capabilities and readiness for ERP. To name a few: data privacy and protection policies, identity and access management protocols, process control and application security design. 

Application security measures are taken to improve the security of an application layer — for example, within an ERP software like SAP — in order to reduce the risk of malicious attacks. Common safety measures, such as role-based access control (controlling user access to functions and data by using security roles) and API security (implementing secure authentication and authorisation mechanisms), are nowadays widely used among organisations. On top of that, keeping the personnel (especially core users) educated and alert at all times is key to security success.

This blog, however, focuses on infrastructure and application security from one angle. Keep in mind that this is only the tip of the iceberg that makes up SAP security.

The Matrix has you …

Let us start where an attacker, Agent Smith, would start: enumeration — or, to put it simply, finding suitable targets and collecting information. The attacker might already have a clear target in mind, but that does not mean they want to stop there. Instead, they can simply head to Google.com or any other search engine and start searching.

Depending on the type of the attack, the commonly necessary information for a successful attack is the system name, open ports and operating system (release information). With these the attacker can start a ‘classic’ reverse shell (a virtual shell initiated by the victim’s computer, allowing a connection with the attacker’s computer) or a Metasploit attack (a database and command line tool of known exploits) in order to gain a foothold in the infrastructure and start moving laterally.

Google, in all its glory, provides millions of search results for ‘SAP portal login’. To understand what is going on and why attackers use these three little search words, here is a bit of background: 

SAP portal logins are interfaces from various SAP landscapes that offer a login page, typically for business customers and vendors, but also used for internals, such as an HR/HCM portal. With a little bit of knowledge, an attacker can simply call the directory (URL) that will provide access to an admin panel and the attacker will automatically be granted monitoring permission. This results in the disclosure of IP addresses, net-names, SAP system information, the operating system type and patch level, the SAP kernel and its patch information, system runtime, open ports and protocols, the existence of access control lists and more.

If the attacker knows what he or she is looking for, it does not take long for him or her to learn and locate SAP portals leaking internal company data right into his or her hands. This is a solid attack vector.

Follow the white rabbit …

We once again turn to Neo who is encouraged to follow the white rabbit in order to seek out the truth. Similarly, Deloitte helps organisations to find their truth: how to be secure and resilient, and how to protect valuable assets in their SAP system.

Just like many other types of software, SAP solutions often have internet-facing components or connections outside of the local network. When a system that can be reached externally does not follow the minimum-security necessities, it is vulnerable. And yes, that means that, down the line, the system’s databases are vulnerable too.

There are endless possibilities for an attacker to fly under the radar of detection. Using Google is just one path. Directory enumeration is a separate field with its own automated tools in the Swiss army knife of modern red teams and real cyber threats. After latching on to one data point, the attacker can rapidly expand his or her territory, find loopholes and accumulate his or her power within the software or establish a foothold in the operating system and move laterally within the network.

Thus, it is important for companies to be alert and secure their weaknesses as they have a risk of exposing their web-dispatchers via Google, Shodan.io and other similar tools.

The red or blue pill? How mature is your SAP security? 

Securing SAP systems is a long journey and the prioritisation of key steps is important. SAP security is more than authorisation concepts and GRC (governance, risk management and compliance). Deloitte can offer ‘the red pill’ by helping organisations start with assessing their SAP landscapes and providing action recommendations based on the results. We have bundled the expertise and experience required to assess this maturity with a comprehensive method derived from the general cybersecurity maturity models, like the one provided by SANS or the C2M2 developed by the US DOE.

“There is a difference between knowing the path and walking the path.”
— Morpheus, The Matrix

SAP and other ERPs can be assessed holistically to give an overview of how mature their security stance really is. This factors in the cyber risk domains and elevates the view away from an ‘in application’ level in order to reveal the complete attack surface. The landscape’s network, operating system, databases and connected applications (such as backup, archive and mail) might all pose a threat to the confidentiality, integrity and availability of the systems.

Contact Deloitte and we will show you how deep the rabbit hole goes and help you secure it against the Agent Smiths out there!