Thursday, 26 July 2018 10:40

The risk of "UNKNOWN UNKNOWNS"

In this article, we would like to explain what known unknowns and unknown unknowns are and how they affect your SAP security risk. As early as February 2002, the former United States Secretary of Defense, Donald Rumsfeld, answered a question with the following statement:


 Reports that say that something hasn't happened are always interesting to me because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones. 
[Source, external]


As a result, he was almost universally lampooned, since many people initially thought the statement was nonsense. Rumsfeld's statement sounded weird, but what he said was not wrong. Like the apocryphal "you don't hear the bullet that gets you", the phrases "known unknown" and "unknown unknown" are worth remembering when thinking about threats. Much scientific research is based on investigating known unknowns: scientists develop a hypothesis to be tested, and in an ideal situation experiments are designed to provide the proof.

SAP Risk Potential

I ran into this 2x2 matrix in the German translation of a Wikipedia page [link, external]. As a somewhat interesting side note, this matrix was invented by a psychologist and is a well-known analysis tool for the perception of self and others. In fact, it also works perfectly for the risks arising from Cyber Security threats.


[Image: matrix known unknown]

Examples with SAP security context

  • known knowns:
    We know that our support team has display rights for all tables and access to transaction SE16, so they can read all data stored in tables; they need this access while working on support incidents.
  • known unknowns:
    We know that our SAP developers have debug rights and the permission to overwrite variable values. We suspect that some of them also use these permissions to bypass authorisation checks, but we have no proof.
  • unknown unknowns:
    We have not executed a security assessment recently, hence we do not know which vulnerabilities exist or who is exploiting them.


Now re-read what Rumsfeld said with this classification in mind: it makes perfect sense. Not only that, it becomes obvious that the "unknown unknowns" should be of utmost interest, not just because you probably will not see what is coming to get you, but because of the potential size and impact of the risk.

[Image: known unknown graph]


Cyber Security is not a task that can ever be ticked off your to-do list. It requires a constant state of vigilance and constant updating of your understanding to minimize the "unknown unknowns", especially now that new legislation (GDPR) forces all European businesses to report breaches. But how do you address the "unknown unknown" Cyber Security risks to protect your enterprise, e.g. against SAP GDPR violations?


Cyber Risk Management

The National Cyber Security Centre is a good source of information and guidelines. You may start by looking at 10 steps to Cyber Security [link, external].

The following measures are essential to securing the SAP application level:

  • Secure SAP Configuration
    Harden the system after installation. Profile and system parameters must be securely configured (in line with your SAP security baseline document) for all installed and used components.
  • Secure SAP Development
    Educate your SAP development team to apply threat modelling to their coding. Implement a Quality Assurance gateway before code gets released. Use tools like the SAP Code Inspector and deploy a code vulnerability scanner.
  • Managing SAP user privileges
    Apply proven principles for your authorizations, like "least privilege" or "need to know".
  • Monitoring
    Continuously monitor all SAP activity, evaluate the security risk and generate actionable security alerts. Enable cross-platform visibility by combining generic security events (hardware, OS, ...) with SAP security events in a holistic security monitoring approach.
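The monitoring measure above is the one that turns the "known unknown" from the SAP examples (developers who may overwrite variables in the debugger to bypass authorisation checks) into evidence. The following script is an added example, not code from the original article or from SecurityBridge, and it shows the shape of such a detection: parse activity events, evaluate each against a few risk rules, and emit severity-rated alerts. The log line format, the user IDs, the list of support users and the lists of sensitive tables and security-relevant profile parameters are all constructed for the example; the format is deliberately not SAP's own Security Audit Log layout. The parameter names (auth/object_disabling_active, login/min_password_lng, rdisp/gui_auto_logout) and table names (USR02, USH02) are real SAP objects, chosen because they are commonly listed in hardening baselines.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample events in a simplified "key=value" layout (not SAP's audit log format).
# PRD is the production system, DEV a development system.
SAMPLE_LOG = [
    "2018-07-26T10:40:12 PRD user=SUP01 event=TCODE_START tcode=SE16 detail=table:SFLIGHT",
    "2018-07-26T10:41:03 PRD user=DEV07 event=DEBUG_ON tcode=SE38 detail=program:ZPAYROLL",
    "2018-07-26T10:41:20 PRD user=DEV07 event=DEBUG_VAR_CHANGE tcode=SE38 detail=var:SY-SUBRC",
    "2018-07-26T10:42:00 PRD user=SUP01 event=TCODE_START tcode=SE16 detail=table:USR02",
    "2018-07-26T10:45:00 DEV user=DEV07 event=DEBUG_VAR_CHANGE tcode=SE38 detail=var:LV_AMOUNT",
    "2018-07-26T10:46:00 PRD user=ADM01 event=PARAM_CHANGE tcode=RZ11 detail=auth/object_disabling_active=Y",
    "2018-07-26T10:47:00 PRD user=FIN02 event=TCODE_START tcode=SE16 detail=table:BKPF",
    "this line is intentionally malformed and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"tcode=(?P<tcode>\S+) detail=(?P<detail>.*)$"
)

PRODUCTION_SYSTEMS = {"PRD"}
# Constructed policy data: who may legitimately use SE16, which tables are sensitive
# (USR02/USH02 hold password hashes), and which profile parameters are security-relevant.
SUPPORT_USERS = {"SUP01"}
SENSITIVE_TABLES = {"USR02", "USH02"}
SECURITY_PARAMS = {"auth/object_disabling_active", "login/min_password_lng", "rdisp/gui_auto_logout"}
# SY-SUBRC carries the result of an AUTHORITY-CHECK; overwriting it in the debugger is
# the classic signature of the authorisation bypass the article suspects.
AUTH_RELEVANT_VARS = {"SY-SUBRC"}


@dataclass(frozen=True)
class Alert:
    severity: str
    timestamp: str
    user: str
    reason: str


def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not match the format."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def evaluate_event(ev):
    """Apply the risk rules to one parsed event; return an Alert or None if nothing is noteworthy."""
    in_prod = ev["system"] in PRODUCTION_SYSTEMS
    event, detail, tcode = ev["event"], ev["detail"], ev["tcode"]

    if event == "DEBUG_VAR_CHANGE" and in_prod:
        var = detail.split(":", 1)[1].upper()
        severity = "HIGH" if var in AUTH_RELEVANT_VARS else "MEDIUM"
        return Alert(severity, ev["ts"], ev["user"],
                     f"variable {var} overwritten in debugger on production ({tcode})")

    if event == "TCODE_START" and tcode == "SE16":
        table = detail.split(":", 1)[1].upper()
        if table in SENSITIVE_TABLES:
            return Alert("HIGH", ev["ts"], ev["user"], f"SE16 access to sensitive table {table}")
        if ev["user"] not in SUPPORT_USERS:
            return Alert("MEDIUM", ev["ts"], ev["user"], f"SE16 used on table {table} by a non-support user")

    if event == "PARAM_CHANGE" and in_prod:
        name = detail.split("=", 1)[0]
        if name in SECURITY_PARAMS:
            return Alert("HIGH", ev["ts"], ev["user"], f"security-relevant parameter changed: {detail}")

    return None


def evaluate(lines):
    """Parse all lines and return the list of alerts in log order; malformed lines are skipped."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        alert = evaluate_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


def summarize(alerts):
    """Count alerts per severity, e.g. {'HIGH': 3, 'MEDIUM': 1}."""
    return dict(Counter(a.severity for a in alerts))


if __name__ == "__main__":
    found = evaluate(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.timestamp} {a.user}: {a.reason}")
    print(summarize(found))
```

Running the script on the constructed sample yields three HIGH alerts (the SY-SUBRC overwrite on production, the SE16 read of USR02, and the change of auth/object_disabling_active) and one MEDIUM alert (SE16 used by a finance user); the debug session on the development system and the support user's read of a non-sensitive table produce nothing, which is the point of rating risk rather than logging everything. In a real landscape the rules would be fed by the SAP Security Audit Log and correlated with OS and network events, as the holistic approach above describes.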

You can find various best-practice guidelines, but sadly most of them focus on "Secure Configuration" and "User Privilege Management". Monitoring all SAP activity throughout your landscape without an extensive workforce and/or tools is a major challenge, if not simply impossible.

Run a secure IT organization

SecurityBridge will help you to master this hurdle throughout your journey.

Surface Unknown Unknowns

I recommend that you also read the blog article SAP® Cybersecurity monitoring made easy.

Additional Info

  • Language: English

Christoph Nagy

I have been working for close to a decade in the SAP area as an in-house and external consultant.