Is WannaCry possible for SAP systems?


Last year, WannaCry brought some companies to the edge of absolute ruin. While the most common entry vectors are known, companies are still making it much too easy for hackers.

Officially, emails were to blame for the largest-scale cyberattack in recent years. If users clicked on the mail attachment, WannaCry implanted malware into the computers, propagated itself, and encrypted accessible data in the blink of an eye. In an alternative scenario, hackers had infiltrated the manufacturer of a subsystem and built the malware code into a software patch.
While unfamiliar emails can simply be deleted, the deployment of such a patch can undermine the in-house security system with breathtaking speed.

Four out of five companies hacked in the space of 60 minutes
Time and again, our penetration tests for SAP systems show that security vulnerabilities in companies are routine. In over 80% of companies tested, we successfully broke into SAP and connected systems within one hour. What’s more, only six percent of those affected actually noticed we had done so. Over three-quarters of businesses do not secure their systems adequately and offer hackers quick and easy paths to getting their hands on personnel and customer data, engineering plans, formulations, and lists of salaries.”, concludes Bodo Kahl, Managing Director “SAST” at AKQUINET.

Bitkom, Ernst & Young: At least two-thirds of companies affected by IT security incidents
This internal survey is also confirmed by independent external analysts. According to market researchers from IT association Bitkom, two-thirds (67%) of all firms have now been affected by ‘IT incidents’. And the ‘Global Information Security Survey 2017/2018’ from consulting services group Ernst & Young also makes a plea for urgent action: A mere 4% of the security experts interviewed worldwide believed that the implementation of their security strategy was comprehensive enough to be able to detect and effectively counter relevant threats. Mr. Kahl has noticed this, too: “Many companies don’t even notice when their secret plans are being copied and their knowledge is leaking.”

As a rule, whether or not a data theft is ever detected is typically only thanks to employee alertness and internal audits – or just a lucky chance. According to Bitkom’s findings, security systems simply fail 99% of the time. On the positive side, companies are planning to increase their spending on security technology (45%), to conduct regular requirements analyses for IT security (36%), and hire additional staff in this area (31%). But is all of this enough? It would, of course, be better to detect unauthorized access to in-house data immediately.

Job applicant and supplier portals often used as a point of entry
Our experience has shown us that companies often lack an integrated security policy. Firewalls have long been inadequate as the only means of protection for database, networks, interfaces, and portals. Evidence has shown that hackers have a penchant for infiltrating company systems via applicant and supplier portals. With SAP customers, it was also clear just how frequently SAP Solution Manager was left unprotected. “It’s no good if production data has excellent protection but SAP Solution Manager is left wide open,” Mr. Kahl explains.

Analyze systems first – then harden
A security and compliance audit often marks the starting-point for developing a suitable security policy for a business. The procedure is as follows:

1) A comprehensive assessment of SAP security at the customer enables a detailed analysis that states the most important individual vulnerabilities and establishes priorities. Since hackers like to bypass SAP systems, a key point of focus here is on databases, networks, and operating systems. While SAP does publish guidelines giving precise instructions for SAP system pre-installation and parameterization, these are very detailed and (as experience has shown) almost impossible to handle manually.

2) To ensure good ‘data leakage prevention’ practice, only a select group of individuals should have authorization to download sensitive data from the SAP system. Mr. Kahl: “A good security system should be capable of showing at the press of a button if someone has too many rights.”

3) Detection systems are used to sense – ideally in real time – if unauthorized persons have penetrated into systems and trigger an alarm. A dashboard is used to present an at-a-glance view of information such as critical staff authorizations, critical system parameters, and security incidents.

Establishing system security and setting up real-time monitoring with a preconfigured security suite
The challenge in large companies and corporations consists of mastering the complexity of discrete system architectures. To achieve this, AKQUINET developed its SAST SUITE – a software package that includes all of the key building blocks needed to secure SAP systems – from ‘Platform Security’ and ‘Identity and User Access Management’ to 360° real-time analyses. While larger-scale SAP environments require, for example, protection for hundreds of interfaces, customers still need just a few weeks for real-time monitoring to be established. One reason for this is the fact that, unlike other security tools, the SAST SUITE preconfigures a very large number of rulesets – thereby avoiding the need for this time-consuming task from the outset.
“We typically quote a few days for the analysis and hardening of a single system, including modifications to centralized access rights,” explains Mr. Kahl. In this context, AKQUINET also handle real-time analysis work for customers where needed as a managed service.

Managed service security: packaged Expertise
Managed services are a particularly hot topic with companies at the moment. Often, the necessary technical expertise is lacking – not only for the in-house configuration and parameterization of the complex systems and the targeted deployment of monitoring and security tools, and especially for correctly interpreting the results that are later shown on the dashboard. Yet time is of the essence if an attack is actually detected. Service level agreements can be used to specify response times depending on the severity of an incident, while regular reports ensure the security managers in the companies remain fully informed of the security status at any time.

Understanding attack scenarios: think like a hacker
“Because we are continuously confronted with the latest IT security incidents, we get the opportunity to analyze one new attack scenario after another,” explains Mr. Kahl. The goal is to make it as difficult as possible for hackers to break into corporate networks. “As we know from our penetration testing, 90% of attacks focus on interfaces, attached documents, supplier and job applicant portals or the SAP Solution Manager. Anyone who closes these loopholes has effectively won the battle.”

Companies still prefer to focus long-term spending on productivity, efficiency and innovation rather than in security. That could soon change; however, after May 2018, when the transition period for the EU’s General Data Protection Regulation (GDPR) expires, potential losses resulting from IT security oversights will become exponentially higher. Companies who leak customer data in the future will not merely damage their reputation. They will also be fined up to 4% of their earnings by the data protection regulators.

Bodo Kahl

Attend one of our webinars: These are a time-saving way to find out more about these and other current topics in SAP security and compliance – live and designed to provide answers to your questions.

The article can also be found in the print edition “IT-SICHERHEIT Best Practice 1/2018”.