After many years working in SAP security, I am still regularly surprised to discover how much Hollywood has contributed to the discussion on cybersecurity. The common perception is that of a hacker sitting at home in front of several screens, typing cryptic commands to break into corporate networks. The recently published “Insider Threat 2018 Report”, however, shows that insider attacks represent a much more serious threat. As far as the security of SAP systems is concerned, insider attacks are by far the greater problem. Why that is the case and what the main risks are is the subject of this post.
Most likely, when you think of insider criminals, you think of another Hollywood-inspired character: an employee sitting in front of a computer, sweating profusely, frantically watching a progress bar that is taking forever to reach 100% while his boss approaches the office. The fact is, however, that this image does not accurately convey the typical insider attack.
Unstructured authorization concepts and complex system landscapes facilitate security incidents
The “Insider Threat 2018 Report” published by the market research company Crowd Research Partners finds that more than half of all insider incidents (51%) are caused by employees who act by mistake rather than by intent. The reasons given for these errors mirror the problems by which SAP systems are primarily affected.
The study shows that the most frequently cited reason (37%) for unintended security incidents was that authorizations were granted too generously. In SAP systems in which roles and authorizations have grown on an ad-hoc basis, this is a frequent problem, and no wonder when you consider how many core processes are handled in SAP. Given the complexity of an ERP system, it is easier for administrators, who do not necessarily have the expertise required to restrict authorizations appropriately, to assign them on the basis of broad role descriptions rather than the concrete tasks a user actually performs.
With regard to complexity: number three on the list of reasons for security problems is the increasing complexity of the relevant systems, deemed critical by 35% of those surveyed. Here again, SAP is strongly affected: S/4 HANA, C/4 HANA, the SAP Cloud, new products that are typically added to an existing system landscape, and this on top of a product that, with 320 million lines of code, is already significantly more complex than most other software.
90% of the survey respondents feel vulnerable to insider attacks
Second on the list of reasons for security problems is a factor related to both the over-generous authorizations and the increasingly complex technology: more and more devices have access to sensitive information. For 36% of those surveyed, this is a critical problem. Quickly approve an employee’s vacation request on the way to the car park, then take a look at the latest quarterly figures while sitting in traffic: with SAP UI5 or Fiori, such scenarios are realistic. And that is before SAP Leonardo and the integration of the “Internet of Things” are even considered.
It is no wonder that two thirds (66%) of the companies surveyed are more worried about attacks from within than about external threats. It should be noted that “inadvertent” security incidents are primarily triggered by phishing attacks; 67% of the study participants highlighted this problem. The report thus comes to a clear conclusion: 90% of respondents feel vulnerable to insider attacks.
The best form of prevention: Basic protection of all SAP systems
SAP managers naturally ask how they can best prevent insider attacks. The answer is as simple as it is logical: protect the SAP system landscape to the greatest extent possible. Three areas deserve particular attention:
- Authorizations: The role concept is a potential source of security problems on two fronts:
- On the one hand, there are critical authorizations that give a user more rights than his job actually requires.
- On the other, there are authorization combinations that infringe the principle of segregation of duties (SoD): one person can carry out two steps of a process that should be split between two people, for example creating a vendor and then paying that vendor. Here it is important to ensure that SoD conflicts are avoided and that authorizations are no longer allocated too generously.
A classic problem is the trainee effect: a trainee who spends a short period in several departments collects authorizations similar in scope to those of an administrator, because he is given new authorizations for each department but never loses those he has already accumulated.
- General protection of SAP Basis: This is a topic that most customers should have dealt with long ago. Unfortunately, our experience shows that most of the SAP systems we inspect are still vulnerable to relatively straightforward attacks. Typical findings are standard users whose default passwords have never been changed, or an SAP gateway left open like a barn door because its access control lists (secinfo and reginfo) were never restricted.
- Interface protection: Increasing complexity and a growing number of cloud solutions as well as on-premise systems must somehow be integrated with each other. Very few companies, however, have a central instance that maintains an overview of all the interfaces in use. The SAP system offers an excellent starting point here, and not only because of its central importance. Appropriate solutions provide an overview of all interfaces.
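The two authorization problems above, SoD conflicts and the trainee effect, can be checked mechanically over the role assignment history. The following Python script is an added example written for this post; it is not code from the original article or from the SAST SUITE. The role names, the role-to-transaction mapping, the SoD rule set and the user records are constructed for illustration (the transaction codes are standard SAP ones, but the rule set is a minimal sketch, not a complete SoD matrix); in a real system the same data comes from the tables AGR_USERS and AGR_TCODES, or from SUIM.

```python
"""Check SAP role assignments for SoD conflicts and accumulated roles (illustrative)."""
from dataclasses import dataclass
from datetime import date

# Constructed role -> transaction-code mapping. The role names are assumed;
# the transaction codes are standard SAP transactions.
ROLES = {
    "Z_AP_VENDOR_MASTER": {"FK01", "FK02"},      # create / change vendor master data
    "Z_AP_PAYMENTS":      {"F110", "F-53"},      # payment run / post outgoing payment
    "Z_MM_PURCHASING":    {"ME21N", "ME22N"},    # create / change purchase order
    "Z_MM_GOODS_RECEIPT": {"MIGO"},              # post goods receipt
    "Z_MM_INVOICE":       {"MIRO"},              # logistics invoice verification
    "Z_BASIS_USER_ADMIN": {"SU01", "PFCG"},      # user and role maintenance
}

# Minimal SoD rule set (assumed): a user holding a transaction from both
# sides of a rule can perform two steps of a process that should be split.
SOD_RULES = [
    ("vendor master vs. vendor payment", {"FK01", "FK02"}, {"F110", "F-53"}),
    ("purchase order vs. goods receipt", {"ME21N", "ME22N"}, {"MIGO"}),
    ("purchase order vs. invoice verification", {"ME21N", "ME22N"}, {"MIRO"}),
    ("goods receipt vs. invoice verification", {"MIGO"}, {"MIRO"}),
]

# Transactions treated as critical on their own (user and role administration).
CRITICAL_TCODES = {"SU01", "PFCG"}

NO_END = date(9999, 12, 31)   # SAP convention for an assignment without end date


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    valid_from: date
    valid_to: date = NO_END


def active_roles(assignments, user, as_of):
    """Roles assigned to `user` whose validity interval contains `as_of`."""
    return sorted(a.role for a in assignments
                  if a.user == user and a.valid_from <= as_of <= a.valid_to)


def effective_tcodes(assignments, user, as_of):
    """Union of transaction codes the user can run on `as_of` via active roles."""
    tcodes = set()
    for role in active_roles(assignments, user, as_of):
        tcodes |= ROLES.get(role, set())
    return tcodes


def sod_conflicts(tcodes):
    """Names of SoD rules violated by one user's effective transaction set."""
    return [name for name, side_a, side_b in SOD_RULES
            if tcodes & side_a and tcodes & side_b]


def review(assignments, as_of):
    """Per-user findings: active roles, violated SoD rules, critical transactions."""
    findings = {}
    for user in sorted({a.user for a in assignments}):
        tcodes = effective_tcodes(assignments, user, as_of)
        findings[user] = {
            "roles": active_roles(assignments, user, as_of),
            "sod": sod_conflicts(tcodes),
            "critical": sorted(tcodes & CRITICAL_TCODES),
        }
    return findings


# Constructed sample data. TRAINEE rotates through departments and keeps every
# role (no valid_to is ever set), which is the accumulation described above.
# TRAINEE2 shows the correct handling: the old role was ended at the hand-over.
SAMPLE = [
    Assignment("ADMIN01",  "Z_BASIS_USER_ADMIN", date(2016, 1, 1)),
    Assignment("CLERK01",  "Z_AP_VENDOR_MASTER", date(2017, 1, 1)),
    Assignment("BUYER01",  "Z_MM_PURCHASING",    date(2017, 1, 1)),
    Assignment("TRAINEE",  "Z_AP_VENDOR_MASTER", date(2018, 1, 1)),   # accounts payable
    Assignment("TRAINEE",  "Z_AP_PAYMENTS",      date(2018, 3, 1)),   # treasury
    Assignment("TRAINEE",  "Z_MM_PURCHASING",    date(2018, 5, 1)),   # purchasing
    Assignment("TRAINEE",  "Z_MM_GOODS_RECEIPT", date(2018, 7, 1)),   # warehouse
    Assignment("TRAINEE",  "Z_MM_INVOICE",       date(2018, 9, 1)),   # invoice verification
    Assignment("TRAINEE2", "Z_AP_VENDOR_MASTER", date(2018, 1, 1), date(2018, 2, 28)),
    Assignment("TRAINEE2", "Z_AP_PAYMENTS",      date(2018, 3, 1)),
]

AS_OF = date(2018, 10, 1)

if __name__ == "__main__":
    for user, finding in review(SAMPLE, AS_OF).items():
        print(user, finding)
```

Run as a script, the review lists every user with the roles active on the review date, the SoD rules they violate and any critical transactions they hold. TRAINEE ends up violating all four rules with five accumulated roles, whereas TRAINEE2, whose previous role was ended when the rotation moved on, has no conflict; the contrast is the point of the check.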
Comprehensive SAP security with the SAST SUITE
With the SAST SUITE from AKQUINET, we provide an all-in-one solution which, in addition to the points mentioned above, also addresses further security weaknesses. The advantage of the SAST SUITE is that ongoing operations are unaffected even by complex security projects: even if you decide to redesign all roles and authorizations, or opt to cleanse your code, our tools ensure that your users can continue working without interruption. This effectively prevents both internal and external attacks.
Would you like more information on our SAST SUITE or would you like to find out more about comprehensive protection of your SAP systems? Check out our SAST SOLUTIONS website or send us an e-mail to: sast@akquinet.de
The “Insider Threat 2018 Report”, produced by the market research company Crowd Research Partners, was jointly commissioned by the online platform Cybersecurity Insiders and the Information Security Community on LinkedIn with the support of Quest Software. (Source: Security Insider)
Patrick Boch
Product Manager SAST SOLUTIONS