SAP has become an extremely popular target for cybercriminals. Onapsis research found that up to 95% of SAP installations could be compromised, meaning that data could be stolen and business-critical processes affected. The report also describes the situation as “falling through the cracks” due to the “accountability gap” between SAP operations and IT security teams.
Due to this situation, SAP has become a system that requires special attention. Fortunately, there are solutions that help to mitigate the vulnerabilities. We’ll take a closer look at them as we examine the SAP security issues.
Our tour through the possibilities of SAP portal protection begins with the key areas that are affected. These can be broken down as follows:
- Authentication to the portal
- Privileged access rights
- External attacks
The third area is a more recent problem for SAP. Originally, SAP was a closed system, i.e. designed for internal use within an organization. However, since cloud computing and web interfaces (API) have become the norm, SAP has also expanded its interface for web connectivity. Opening up to the outside world has made SAP a target for web-based attacks. However, insider threats and the simple mismanagement of user data should not be forgotten either.
The drivers of SAP protection
The reasons for SAP protection fall into two main areas:
- The protection of proprietary information and other sensitive data
- The fulfillment of compliance requirements and legal regulations, for example the EU Data Protection Directive
Authentication
Username and password + second factor
The correct implementation and sound design of a robust authentication system within SAP is a fundamental step in controlling access to sensitive data.
The SAP default configuration of username and password can be extended with a one-time password (OTP) to form a two-factor system. The SAP OTP offers additional security because it is time-limited: it is a TOTP (time-based OTP) that is only valid for a configurable period. Requiring the second factor for every application sign-in is recommended to reduce the risk of credential theft through spear phishing and malware. Theft is harder with a two-factor approach because the second factor is delivered out of band, typically on a mobile device such as an OTP generator. Several third-party products extend SAP with two-factor or multi-factor authentication; it is worth evaluating them to find the right two-factor method for your user base and overall web application landscape.
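To make the time-limited nature of the TOTP second factor concrete, here is an added example (not SAP's code or any product's implementation) of RFC 6238 code generation plus a verifier that accepts a small clock skew and refuses a code that has already been used. The secret and the constants are constructed demo values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret in base32, as an authenticator app would enrol it; not a real key.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def totp_code(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", at_time // step)          # 8-byte big-endian step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Accepts a code within +/- `skew` steps of now and rejects reuse of an accepted step.

    The `step` parameter is the configurable validity period mentioned above."""

    def __init__(self, secret_b32: str, step: int = 30, skew: int = 1) -> None:
        self.secret = secret_b32
        self.step = step
        self.skew = skew
        self.last_accepted_step = -1   # highest step already consumed by a successful login

    def verify(self, submitted: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue   # replay of a used code, or older than one already accepted
            expected = totp_code(self.secret, candidate * self.step, self.step)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False
```

The generator is checked against the published RFC 6238 test vectors (secret `12345678901234567890`), truncated to six digits.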
Digital certificates
As an alternative to username and password, SAP supports digital certificates held in the browser or even on RFID cards (which issue a temporary certificate at login). Certificates can make sign-in seamless. However, they are harder to manage and distribute, especially for an extended user base. Their security is also questionable: the common, usable browser-based certificates, once installed, often identify the device rather than the user. Consequently, a digital certificate should be combined with a second factor, and the login should be tied to an individual user.
SSO
The sign-on functions of the SAP portal, which also include the integration of internal directories such as the Microsoft Active Directory, can serve as the basis for single sign-on (SSO).
SAP SSO can also be used as part of a more comprehensive federated identity system. Federated tokens, which are generated by an identity provider and identify the user, are accepted across the entire federated application landscape. These tokens are generated using the standard SAML 2.0 protocol. The tokens are shared with every member of the federated system, ensuring SSO across the entire ecosystem.
SSO offers many advantages in terms of the user-friendliness of the portal. Nevertheless, as previously noted, the login system can be hardened by using an out-of-band factor, for example an OTP generator or SMS code. To emphasize again: SSO systems that extend SAP authentication modules and are specifically designed to handle SSO within an SAP environment should be selected to ensure the necessary flexibility for a successful SSO implementation.
Privileged access and risk-based authentication
Security and user-friendliness are often at odds with each other. With granular security options, however, the impact on usability can be reduced. Being able to apply stricter security only when certain variables call for it increases the likelihood of effective SAP protection. In other words, if security policies are applied sensibly, i.e. at the right policy level and at the right time, you get a system that is both more usable and more robust. This applies to most security measures, not just SAP. Ease of use can itself increase security, simply by removing the incentive for people to circumvent controls. SAP is configurable in the sense that it allows authentication requirements to be adapted to the risk factors of a login. Accordingly, you can activate or suppress two-factor authentication when certain identification criteria are met. For example, a location rule (the user is connecting from a certain country) can enforce a two-factor requirement.
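An added example, not SAP's own policy engine, of the risk-based step-up described above: a login context is evaluated against ordered rules, enforce rules win over suppress rules, and the decision falls back to requiring the second factor when no rule applies. The country list, the rule names and the context fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class LoginContext:
    user: str
    country: str         # geolocation of the connecting client (constructed field)
    privileged: bool     # holds an administrative or wide-reaching SAP role
    known_device: bool   # device already enrolled for this user
    sso_assertion: bool  # arrived with a federated SAML assertion


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[LoginContext], bool]
    effect: str          # "enforce": require the second factor; "suppress": first factor suffices


HOME_COUNTRIES = {"DE", "AT", "CH"}   # constructed example values

# Enforce rules are checked first; a suppress rule only applies when no enforce rule matched,
# so an SSO token never exempts a privileged role or an unfamiliar location/device.
RULES = [
    Rule("privileged role", lambda c: c.privileged, "enforce"),
    Rule("outside home countries", lambda c: c.country not in HOME_COUNTRIES, "enforce"),
    Rule("unknown device", lambda c: not c.known_device, "enforce"),
    Rule("trusted SSO from known device", lambda c: c.sso_assertion and c.known_device, "suppress"),
]


def decide(ctx: LoginContext, rules: List[Rule] = RULES) -> Tuple[bool, List[str]]:
    """Return (second_factor_required, names of the rules that decided it) for the audit log."""
    enforce = [r.name for r in rules if r.effect == "enforce" and r.matches(ctx)]
    if enforce:
        return True, enforce
    suppress = [r.name for r in rules if r.effect == "suppress" and r.matches(ctx)]
    if suppress:
        return False, suppress
    # Fail closed: with no explicit suppress rule, the second factor stays mandatory.
    return True, ["default: no suppress rule matched"]
```

Logging the rule names alongside the decision gives the monitoring team a reason for every step-up, which is what makes the policy auditable rather than a black box.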
Privileged logon is another area that supports the granular nature of your security policies within SAP, but it can also become a security problem in its own right. Insider attacks are among the biggest threats to data protection. The 2015 Vormetric Insider Threat Report stated that “insider threats are the most dangerous”. One of the main threats in systems such as SAP stems from the banal fact that insiders share their passwords. The Forrester report supports these findings, showing that privileged access and password management are among the main issues in corporate security. Two-factor authentication, or SSO with two-factor authentication enforced, significantly reduces the risk.
Finally, on the subject of access control: under no circumstances should the default accounts and passwords used during SAP configuration and setup be retained. They are well known to cybercriminals and are exploited to the full.
Encryption
SAP data repositories contain sensitive and proprietary information that is the target of both external cybercriminals and insider incidents. Apart from the obvious need to protect company data, security and privacy issues arise in connection with the extended data sets of customers and partner companies as well as with regard to regulations. Encrypting repository data and all network communications will significantly reduce security risks and also address data security based on compliance requirements such as the EU Data Protection Directive.
Web attacks and SAP
SAP has opened up to the web, so the portal is exposed to web-based attack vectors. SAP is vulnerable to the same web-based threats as any other web application, including XSS, CSRF and injection attacks such as SQL injection. SAP has released over 3000 security patches, many of them to fix problems that allow web-based attacks. In August of this year alone, eight cross-site scripting (XSS) security bulletins were issued.
Certain malware has been created specifically to detect SAP installations, i.e. a type of reconnaissance malware. It searches for vulnerabilities and can steal login credentials or make illegal transfers. Once identified, vulnerabilities are fixed by SAP, but cybercriminals are constantly looking for new ones, especially zero-day vulnerabilities of which SAP is unaware. This has led to the unacceptable situation that the average vulnerability window of SAP installations has grown to 18 months. The aforementioned Onapsis report registered an average of 30 patches per month for 2014, and the release of SAP HANA has exacerbated the situation. This enormous patch management effort leaves SAP even more exposed to exploitation of software vulnerabilities. Patching alone will not stop the malware onslaught that organizations everywhere are experiencing. Alternative measures must be considered, such as a web application firewall (WAF).
Many web-based attacks begin as phishing or spear phishing emails that use social engineering techniques to steal login credentials. As indicated earlier, the use of two-factor methods mitigates the impact of these phishing attempts.
Treat your SAP installation and any extended components in the same way as other web-based systems and apply web security practices to harden them. Monitoring and patching of system components, together with OS and browser patching, are two areas to include in your strategy against web attacks.
Protecting SAP – a summary
Ultimately, there is only a fine line between hardening SAP and ensuring usability for an extended user base. Areas of particular focus for security measures include:
- Authentication and login: As already mentioned, the choice of login is an area that deserves special attention. Security and user-friendliness must be carefully balanced and the use of two-factor methods and even SSO must be explored.
- Access management: Role-based restricted access and the creation of privileged access control can minimize the risk to data.
- Patch management: Timely patch management across the entire SAP installation can help to mitigate the problems associated with software vulnerabilities. However, the number of patches released by SAP jeopardizes this strategy. Alternative tools such as the Web Application Firewall need to be considered.
- User training: Training can help users recognize phishing attacks and prevent employees from sharing passwords with each other.
- Monitoring incoming threats and user behavior: Monitoring and auditing can help detect emerging threats before they become actual incidents. Monitoring and logging user behavior helps to identify unusual behavior patterns and prevent insider threats.
- The use of a web application firewall: A fast-moving threat landscape requires a more flexible approach to attack prevention.
- Layering: You need to add layers of protection that incorporate both prevention and monitoring capabilities to protect your SAP portal.