The Evolving SAP Cyber-Security Landscape

Stephen Higgins, Senior Vice President of Customer Experience, Services and Solutions at Onapsis

$1.3 billion lost an hour! This is what one of our global customers estimates the impact to their business would be if their SAP systems became compromised and operations were disrupted. The cost of an SAP breach can be inconceivable. And yet, from a business continuity perspective, it may be one of the most under-scrutinized areas in IT security. Every day our services team sees the real-world impact of breaches of organizations' SAP systems. With this in mind, our consensus is that it is imperative not only to be able to detect a potential attack, but to have a response plan in place in case an attack still occurs. Responding quickly is where many organizations reach out to Onapsis for expert advice.

What we see is a tendency amongst organizations to think that performing a security assessment of SAP systems once a year is enough. More often than not, it's assumed that Segregation of Duties and/or basic perimeter defenses are enough to protect systems from intrusion, and that penetration tests are only a necessary evil, for when internal auditors are requesting an update. However, as the “Bad Guys” get more intelligent about business-critical systems, their ability to exploit these systems is becoming more and more advanced.

If you've taken a look at major headlines recently, you've likely noticed the staggering number of corporations that have suffered large-scale data breaches. Many of these breaches targeted SAP and other business-critical applications. The impact of these breaches could have been minimized, and potentially avoided, had proper security measures been in place for continuously monitoring business-critical applications. As attacks of this nature will continue to evolve in complexity, it is absolutely imperative to have a preventative, systematic approach to SAP security in place in order to help your organization avoid interruptions to its business and huge financial liabilities.

Prevent the next Anthem breach by protecting your data warehouses

Each year companies dedicate millions of dollars to IT and security budgets to prevent cyber-security breaches. However, these budgets are only effective if part of the budget is allocated to preventing new and advanced threats, closing security gaps in your business infrastructure and monitoring systems for intrusions and malicious activity.

We have all seen the recent headlines and publications about the Anthem breach and its unprecedented number of 80 million affected customers. According to Anthem's own FAQ page, “Anthem is doing everything it can to ensure there is no further vulnerability to its database warehouses” [1], and despite the magnitude of the situation, there are no additional details about the products that were compromised during the breach. The Onapsis Research Labs and Incident Response Teams have seen this type of breach before, and most often we see that the database warehouses are compromised. This is not hard to do on an SAP system, and typically, when organizations do not have the right security measures or controls in place, we have had to assist them with a massive-scale clean-up project.

SAP provides many solutions that are widely adopted for data warehousing, the most famous being SAP BW or SAP Business Warehouse. If you are an SAP customer, you are most likely running some type of SAP BI, BO or BW.

These solutions hold a centralized database of business data, as they receive information from many different business solutions, such as ERP, CRM, SCM, HCM and SRM, to name a few. Therefore the information stored in these databases represents a high-value asset, not only for the company, but also for potential attackers such as state-sponsored actors, competitors, former employees, criminal organizations, and more. Onapsis continuously holds presentations about vulnerabilities and mitigations of attacks affecting SAP solutions, and last year we presented on vulnerabilities and attacks affecting business warehousing solutions [2].

2014 – The Year of Milestones

As we enter the New Year, there is a lot to look back on that has gotten Onapsis to where it is today.

Mariano Nunez, CEO and co-Founder of Onapsis

The security industry has never been more complex, and as the need for reliable business-critical application security solutions increases, Fortune 500 companies are looking for a reliable solution they can trust to protect their processes and data running on SAP. In 2014, Onapsis established itself as the de facto solution to the most pressing SAP security and compliance challenges. After receiving funding in June from .406 Ventures and Endeavor, we have been able to double down on our investment in R&D to enhance our product offerings and launch the Onapsis Security Platform. We were also able to expand our global sales and marketing efforts to drive rapid growth. Fast forward six months and we are well positioned and ready to see what 2015 has in store for the Onapsis team and the market we serve!

Four Reasons to Look Closer at Business-Critical Application Security

As cyber-threats become more advanced, organizations face a constant dilemma: how best to implement a comprehensive security strategy that covers all areas of the business, including critical infrastructure and applications. We hear from many security professionals that their SAP applications and systems are “covered” because they have a firewall and the SAP systems sit inside the perimeter. After all, anything inside the firewall is safe from attacks, right?

Wrong.

Security professionals who are true thought leaders have long abandoned this notion. In fact, most thought leaders have been able to connect the dots on why they have to include SAP applications in their security strategy. This type of thought leadership can be summed up in a quote from one of our newly appointed Board of Advisors, Renee Guttmann, Office of the CISO at Accuvant:

“There is a profound transformation taking place in application security right now… Enterprises across the globe are committing to invest in, and protect, mission-critical applications, and this commitment needs to go beyond technology alone.”

SAP Security and the Risk to the Value Chain

There is a lot of discussion in risk management circles about how risks within the value chain are often ignored. Paul Proctor, Vice President of Research at Gartner, recently presented a webcast titled “Digital Business and the CIO's Relationship with Risk.” He indicates:

“If businesses start to address risks within the value chain, they will become more competitive, grow faster and add value to the business decision makers.”

Take a moment and think about how SAP supports an organization's value chain. Organizations use SAP to track and manage, in real time, sales, production, finance, accounting and human resources across the enterprise.

Specific examples include:

  • Finance: General Ledger (GL), Accounts Payable (AP), Accounts Receivable (AR) and Asset Accounting.
  • Controlling: Cost Center Accounting, Profit Center Accounting (PCA), Product Costing, Profitability Analysis and Internal Orders (IO).
  • Sales and Distribution: Customer master data, sales, plants, sales organizations and sales conditions.
  • Human Resources: Hiring, salary, employee benefits, etc. It is highly integrated with the Finance and Controlling (FICO) modules.
  • Project Systems: Budgeting, planning, forecasting.

Industrial Value Chain via http://practicalanalytics.wordpress.com/

Other key systems such as email, web front-end apps and Microsoft applications also support the value chain and are the focus of many traditional perimeter and archaic security technologies. However, though these systems are important, are they as critical to the value chain as SAP?

5 Questions CISOs Should Ask About SAP Security

Over the last few weeks, Adrian Lane, CTO & Analyst at Securosis, a leading cyber-security analyst firm, published two blog posts from his ongoing series “Building an Enterprise Application Security Program.” In these posts, Adrian describes how key business applications running on SAP and Oracle have security and compliance gaps that are not covered by traditional security measures.

This is a problem that tends to be overlooked by many organizations. In the second post Adrian outlines the critical need for enterprise application security by presenting analysis of key use cases. These include compliance, transaction verification, use of sensitive information, potential security threats from both inside and outside an organization, and the changes needed for management and policy enforcement.

In the post Adrian states:

“None of these drivers are likely to surprise you. But skimming the top-line does not do the requirements justice – you also need to understand why enterprise applications offer different challenges for data collection and analysis, to fully appreciate why off-the-shelf security tools leave coverage gaps.”

This statement had me thinking: a majority of the current problem around SAP security stems from a lack of understanding of why it's critical to implement new, more adaptive security solutions. Since joining Onapsis I've engaged with many of my friends in the cyber-security industry and have found that most CISOs and their teams do not have visibility into their SAP infrastructure, nor do they understand how connections are set up between their SAP systems. There is truly a lack of insight into what SAP teams are doing to solve security issues. I have also found that when leaders in security ask their SAP counterparts in IT, they receive “old school” security answers such as “We have it covered, as we use SAP GRC for access controls and separation of duties measures.”

Welcome to the New Onapsis

I'm pleased to announce that today we've launched a new product, a redesign of our website and, ultimately, a new brand. This is a very exciting day for Onapsis!

Detection Dashboard

After the great success of the Onapsis X1 product, we worked closely with our customers and partners over the last several years to produce this next-generation platform. Combining the unique knowledge and outstanding dedication of our researchers and engineers with the expertise of our product management team, we are confident that we're delivering not only exactly what our customers and partners require, but the most advanced business-critical application security solution on the market.

Our new product, Onapsis Security Platform, is the first SAP-certified solution that combines a preventative, behavioral-based and context-aware detective approach for identifying and mitigating security risks, compliance gaps and cyber-attacks on business-critical applications. These applications include ERP, CRM, HCM, SCM, SRM and BI solutions.

Our new platform delivers continuous monitoring, real-time visibility and protection for SAP applications, providing coverage across the SAP NetWeaver ABAP, J2EE, HANA, Mobile and BusinessObjects platforms. It also provides compliance gap analysis, automates the security audit process for SAP applications and generates alarms to close windows of vulnerability, as detection and response actions are triggered automatically, including both alerting and real-time mitigation capabilities.

One thing we've heard from our customers is that they want our capabilities integrated with their existing network security, security management and SIEM solutions and workflows. And we listened. The new platform is not intended to give CISOs, Compliance and SAP teams “yet another platform to manage”, but to serve as the vehicle for seamlessly incorporating the security of business-critical applications running on SAP into their existing Risk Management, Audit and Incident Response initiatives.

We are so happy to see the launch of this product and look forward to continuing to develop solutions that ensure our customers' success, solving their existing and upcoming challenges.

I welcome you to read more about our new platform and look forward to hearing from all of you with continued feedback that will help guide our technology roadmap.

Best regards,

Mariano

How SAP Advisories Affect You

This week you will have seen, from our Twitter account (@Onapsis) or other security news feeds such as PacketStorm, the publication of six advisories discovered by the Onapsis Research Labs affecting SAP. In a past blog post, Securing Your SAP Through Research, I talked about the importance and value of the security research we do here at Onapsis. I have also discussed the fact that we have seen automated, widespread attempts to compromise SAP systems as well as very targeted attacks, and the implications of those attacks.

If you look at the latest six advisories released by the Onapsis Research Labs, which are listed on our advisory page, you will see that they impact a variety of SAP technologies with very different delivery methods. Three vulnerabilities affect SAP HANA: two target the Extended Application Services (XS), one of which is a cross-site scripting (XSS) flaw in the Administration Tool for SAP HANA XS, and the third is an authentication bypass. A highlight for me was the discovery of a hardcoded user in SAP FI Manager Self-Service, which affects every installation of FI Manager.

It is very important that you stay informed by reading the advisories we publish and the monthly Security Notes released by SAP, and that you evaluate their relevance to your critical systems and the risk they represent to those systems.

Learning from Zombie Zero Attacks Targeting ERP Systems

In my previous post I talked about the discovery of targeted malware embedded in physical scanners that were sold to shipping and logistics companies. Once operational, the malware searched the victim's network for ERP systems, compromised them (from the report it would appear all systems were compromised, and based on our own experience that has been the case in our engagements) and copied the data from these systems back to command and control servers, reportedly based in China.

It is tempting to think that this is an isolated problem specific to one industry, but the reality is that all businesses have hardware attached to their network that runs or has access to their critical systems and infrastructure. Counterfeit equipment is a long-standing problem, with these fakes being hard to distinguish from the real thing. With the practice of the hardware being assembled by one company and the firmware being produced by another, there is even more room for malicious software or instructions to be added to the printers, switches, routers and other equipment that exists in almost every network today.

Holding the attack in your hand: how organizations' ERP systems are the target of Zombie Zero

Picture someone walking around a section of your business and simply scanning your business-critical data, financial records and other ERP information away. It sounds like something out of Star Trek, but according to a report published by Antone Gonsalves on CSO Online, this has already happened to at least half a dozen large European and US companies.

What happened? These companies all bought scanners from the same Chinese company for use in their shipping departments. The scanners were later discovered to have malware installed on them, and when they were connected to the businesses' networks and operated, the malware was activated. This targeted malware, dubbed Zombie Zero, consisted of a three-stage attack.

In stage one, the scanner looked for and tried to compromise any server with the word ‘finance’ in its host name. This searching and compromising activity continued until the malware discovered and compromised such a host, which each time was an ERP system. At this point stage two would begin.
