Dark Reading | Application Security

Why We Need In-depth SAP Security Training

SAP and Oracle are releasing tons of patches every month, but are enterprises up to this complex task? I have my doubts.

One of the biggest cybersecurity surprises this year is the large number of announced breaches that, according to research at the Onapsis Research Labs, originated in SAP and other enterprise ERP systems.

A month ago, new evidence came to light about a high-profile two-year-old breach at US Investigations Services (USIS), a contractor in charge of conducting federal background checks. The USIS breach made headlines because it was the first public proof that an SAP vulnerability was the origin of an attack leading to the theft of personal information about federal employees and contractors with access to classified intelligence.

Weeks later we heard about a new breach, this time directly against the Office of Personnel Management (OPM), compromising the personal information of 4 million current and former federal employees. Subsequent reports disclosed that the exposed information could be even more widespread. In a letter to the OPM Director, J. David Cox, national president of the American Federation of Government Employees (AFGE), claimed: “Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File [CPDF] was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.”

These are not isolated cases. And while I cannot confirm which kind of system OPM is using for the CPDF database, taking into account public information, most likely OPM is using an ERP-based system to hold and report federal employment statistics.

More concerning, recent weeks have shown that business-critical applications are rapidly becoming one of the most valuable targets for cybercriminals and cyberespionage. SAP and Oracle release large numbers of patches every month, but are enterprises up to the task? Given that these landscapes are complex infrastructures, and that patching and configuration are themselves complex tasks, I have my doubts.

In order to properly secure these enterprise applications against these and other threats, many things need to happen within a company, among them:

  • a strict patch management process,
  • security and configuration change management processes, and
  • a security threat monitoring program.

There are also many actors within the SAP security landscape, all of whom need to understand the latest cybersecurity risks affecting SAP systems. Four key players, and what each needs to understand:

IT Security & CISO
If you are part of the IT Security staff, or even the CISO, then you are probably familiar with feeling a lack of control around the security of your SAP landscapes. Understanding the risks and how to mitigate them is a powerful tool necessary for gaining visibility into the most critical systems of the company.

SAP BASIS Administrators
System configuration, implementation of patches, system upgrades and other tasks are very relevant from a security standpoint, as they can have a big impact on how secure the systems eventually are over time. It is important to understand which of the changes or actions you apply to the systems could actually have a negative impact in terms of security.

System Auditors
If you are an auditor, you should know that most of the big auditing firms are already including SAP cybersecurity as part of their audits. Understanding how to audit the technical layer will eventually become a requirement for security audits of SAP systems.

Penetration Testers
While doing external or internal penetration tests, and depending on the scope defined by your client, you will likely find SAP systems connected to the network. Because SAP systems are made up of many interacting components, you need to understand each of them and how each one could be vulnerable, depending on the patches and configurations that were applied. This understanding largely determines how successful an SAP penetration test will be.
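As an added illustration of the "understand all components" point (example code written for this edit, not code from the article or from Onapsis), the script below takes nmap greppable output for a host and groups its open ports into SAP instances using SAP's documented default port conventions (32NN dispatcher, 33NN gateway, 36NN message server, 80NN ICM, 5NN00 Java AS, 5NN13 sapstartsrv, 3299 SAProuter, where NN is the two-digit instance number). The scan output is constructed, not a real scan, and the list of services flagged for closer review is this example's own assumption about where a tester would usually start, not a statement from the article.

```python
import re
from collections import defaultdict

# SAP NetWeaver default port conventions ("NN" is the two-digit instance number).
# These are SAP's documented defaults; a customer can change them, so a port
# match is a lead to confirm with a protocol-level probe, not proof by itself.
SAP_INSTANCE_PORTS = [
    (re.compile(r"^32(\d\d)$"),  "Dispatcher (DIAG / SAP GUI)"),
    (re.compile(r"^33(\d\d)$"),  "Gateway (RFC)"),
    (re.compile(r"^48(\d\d)$"),  "Gateway (RFC over SNC)"),
    (re.compile(r"^36(\d\d)$"),  "Message Server"),
    (re.compile(r"^81(\d\d)$"),  "Message Server HTTP"),
    (re.compile(r"^80(\d\d)$"),  "ICM HTTP"),
    (re.compile(r"^443(\d\d)$"), "ICM HTTPS"),
    (re.compile(r"^5(\d\d)00$"), "Java AS HTTP"),
    (re.compile(r"^5(\d\d)13$"), "sapstartsrv / SAPControl (HTTP)"),
    (re.compile(r"^5(\d\d)14$"), "sapstartsrv / SAPControl (HTTPS)"),
]
# Ports that do not carry an instance number.
SAP_FIXED_PORTS = {3299: "SAProuter"}

# Assumption made for this example (not from the article): services whose
# exposure outside the SAP network segment a tester typically reviews first.
HIGH_ATTENTION = {"Gateway (RFC)", "Message Server",
                  "sapstartsrv / SAPControl (HTTP)", "SAProuter"}


def parse_gnmap(text):
    """Return {host: set(open TCP ports)} from `nmap -oG` output."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"^Host:\s+(\S+).*?Ports:\s+(.*)$", line)
        if not m:
            continue
        host, ports_field = m.group(1), m.group(2).split("\t")[0]
        for entry in ports_field.split(","):
            # gnmap entry layout: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                hosts[host].add(int(fields[0]))
    return dict(hosts)


def fingerprint_sap(ports):
    """Group a host's open ports into SAP instances and name each service.
    Returns (instances, fixed, unknown); instances is {NN: {port: service}}."""
    instances, fixed, unknown = defaultdict(dict), {}, set()
    for port in sorted(ports):
        if port in SAP_FIXED_PORTS:   # checked first: 3299 also looks like "32NN"
            fixed[port] = SAP_FIXED_PORTS[port]
            continue
        for pattern, service in SAP_INSTANCE_PORTS:
            m = pattern.match(str(port))
            if m:
                instances[m.group(1)][port] = service
                break
        else:
            unknown.add(port)
    return dict(instances), fixed, unknown


def review_exposure(instances, fixed):
    """Return sorted (port, service) pairs that deserve a closer look."""
    found = [(p, s) for inst in instances.values() for p, s in inst.items()]
    found += list(fixed.items())
    return sorted((p, s) for p, s in found if s in HIGH_ATTENTION)


# Constructed sample in nmap greppable format (not output of a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.10.1.20 ()\tStatus: Up
Host: 10.10.1.20 ()\tPorts: 22/open/tcp//ssh///, 3200/open/tcp//sapgui///, 3300/open/tcp//sapgateway///, 3600/open/tcp//sapmsg///, 8000/open/tcp//http-alt///, 50000/open/tcp//ibm-db2///, 50013/open/tcp/////, 3299/open/tcp//saprouter///\tIgnored State: closed (992)
"""

if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        instances, fixed, unknown = fingerprint_sap(ports)
        print(host)
        for nn, services in sorted(instances.items()):
            for port, service in sorted(services.items()):
                print(f"  instance {nn}  {port:>5}  {service}")
        for port, service in sorted(fixed.items()):
            print(f"  fixed        {port:>5}  {service}")
        for port, service in review_exposure(instances, fixed):
            print(f"  REVIEW       {port:>5}  {service}")
        print(f"  non-SAP ports: {sorted(unknown)}")
```

The grouping by instance number is the useful part: it tells you which ports belong to the same SAP instance, so that a finding on the gateway or message server can be tied to the dispatcher and ICM of the same system rather than treated as an isolated open port.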

[Learn more from JP about how to assess, exploit and defend SAP platforms during his training session on SAP-specific attacks and protection techniques, Black Hat 2015, Las Vegas August 3-4.]

Juan Pablo leads the research & development teams that keep Onapsis on the cutting edge of the business-critical application security market. He is responsible for the design, research and development of Onapsis' software solutions, and helps manage the ...

Comments
Blog Voyage, User Rank: Strategist
7/3/2015 | 2:51:32 AM
Very nice stuff. So technical but very nice.
User Rank: Apprentice
7/2/2015 | 6:15:39 AM
Read here, you will be more satisfied.