New ways to protect your SAP system security

We’ve all seen the way too familiar news reports:

A massive data breach has occurred. Millions of customer records have been hacked. The company issued a statement, the CEO has stepped down and the stock has plummeted.

 A recent study by Ponemon Institute (2017 Cost of Data Breach Study: GLobal Overview) showed that the average cost of data breach was $3.62 million, and the average cost for each lost or stolen record containing sensitive and confidential information is $141.

 Many analysts took notice of the unique characteristics and elements related to SAP cyber security:

• “Enterprises need to shed outmoded concepts of SAP and Oracle enterprise application security in light of attackers that have become increasingly adept at finding high-value targets. A systematic approach to enterprise application vulnerability and security risk management is needed not only to assure that these high-value assets get the protection they require, but also to handle them with the care that their business-critical status typically demands”. Scott Crawford, Research Director, 451 Research
• Traditionally SAP systems are major targets for internal and external auditors. And usually they are especially vulnerable to attackers from both inside and outside the organization due to the high level of complexity and individual configurations”. Matthias Reinwarth, Senior Analyst, KuppingerCole
• “In-depth assessments of databases and applications, such as ERP systems (for example, SAP or Oracle), especially, are not widely supported in traditional VA solutions, which generally focus on devices. DAST solutions will often still be required.” - Market Guide for vulnerability assessment, Gartner, 2016

 SAP Company-wide security countermeasures

Over the years SAP has been creating company-wide countermeasures to potentially successful attacks. In the SAP market one can see internally SAP developed solutions related to

• Single sign-on application and access control management - Reducing the risks and the potentially high administrative costs associated with multiple authentication processes
• SAP GRC (Governance, risk and compliance) - automating the processes associated with managing access to business applications. GRC also audits user access to spot problems with user privileges or behavior. Once those identified, it provides a complaint provisioning program which is then implemented using SAP security tools.
• SAP Identity Management - a central mechanism that support provisioning and access to applications securely and efficiently in accordance to their business roles
• SAP Enterprise Threat Detection - help users to detect and analyze potential threats by identifying critical attacks as they happen
• Vulnerabilities identification tools - SAP NetWeaver AS and others that help detect code level vulnerabilities

 These tools come on top of the more standard IT-wide tools like firewalls, intrusion detection systems, security information and event management systems, or antivirus software.

So many SAP security solutions, am I not covered?

 There are several problems common in most organizations, that none of these solutions address. 

• Customized configuration - with more than 1000 parameters in a standard system configuration, plus a great range of advanced options securing a configuration can be very complicated even on one system. Add to that segregation of access rights to various objects like transactions, tables, RFC procedures, etc. making it almost an impossible task
• Insufficient amount of specialists - while most companies will have very experienced SAP engineers and security officers, neither side understand the other’s challenges, let alone preventing and protecting the system properly

 Monitoring profile parameters from within SAP application layer will not find any changes until it would be too late

Neither of these two problem causing issues are covered by any of the solutions mentioned above. One example is profile parameter changes.

 SAP has three type of profile parameters (system profiles) - default, start and instance. They contain parameters that specify how to startup an instance and how to setup the numerous variables that define the way the SAP instances and system work. These parameters change the system global and instance settings and define the management of processes, memory buffers, ports, and starting parameters for the instance and more. Monitoring profile parameters from merely within the SAP application layer itself will not find any changes until they have taken effect, which would be too late. Proper profile monitoring needs to take place at the operating system to notify of any changes before they become active within the application layer.

 Protecting the SAP system profiles is extremely important as a change there or hacker access could be detrimental to the system and the organization.

 SAP base level administrative user - security issue

 There is a little known secret for breaking into a SAP system. The base level administrative user (called SAP*) in an ABAP system has the same password for all systems. This is used during the base installation and is then locked down via a profile parameter setting that acts like a light switch. Logon using the default password is either enabled or not. This profile parameter can be changed at the operating system level, meaning anyone who has access to the operating system can turn this switch on/off. The catch is that the SAP application needs to be shut down and turned back on for that parameter change to take effect. A malicious attacker may make this change at the OS layer and then wait for the system to be restarted for regular maintenance. Once into SAP with these credentials, the amount of damage that can be done is beyond comprehension.

 SAP database access - different than any other database vulnerability

SAP is unique that 99% of the application is held within the database. While most applications may hold data in the database, SAP goes beyond and even things like support packs and admin data are held at the database layer. Pretty much anyone with access to the direct database has the ability to do some serious damage to the overall system. It is obvious to see how important the security of the SAP database is. The database connection to the SAP application layer is done with very specific security credentials. Monitoring for additional or new database users can easily put a stop to any malicious activity, and will make your auditors happy.

 Does your systems protect SAP system profiles?

 In our experience no current solution protects you from an accidental opening of the system profiles, protecting base level access, SAP database unauthorized access and many other elements of the system. This is why we’ve added a feature in Xandria that will notify the designated user in case of a system profile change or opening. As with all of the checks we’ve added in the past twenty years, it comes pre-configured out-of-the-box, so that the lack of specialist, inexperience SAP operators or any customization will not have any effect on the system security.

Picture source: Brick Resort