Thursday, 12 March 2020 12:07

How Covid-19 endangers your SAP systems

Insecure SAP systems at risk with more employees working from home

It is virtually impossible to escape hearing about the Coronavirus – not only with regards to media coverage, but also in our suddenly adapting workplace practices. Some companies – Google for example – have ordered their employees to work from home for the foreseeable future. This cautionary approach may well have repercussions, for example a potential impact on the security of SAP systems. There are several reasons why this might happen, giving attackers an opportunistic window to search for vulnerabilities and obtain valuable data.

Firstly, there will likely be many workers who are now newly working from home, in order to curtail the virus. Naturally, corporate IT does not have as much control over the home network than they do in the office. This opens up a potential for vulnerabilities. One example is smart home devices, or Internet of Things (IoT) devices. As mentioned here, most devices in the IoT, especially in the smart home sector, are very insecure. If you want to know how insecure, take a look at the Shodan search engine, which specifically searches for connected devices, and enter, for example, a manufacturer of cheap IP cameras. You will very likely get a long list of connected devices. If you tried to connect to one of these using a very common combination of admin/admin for username and password, you will likely be able to see live footage and undoubtedly, those devices could be used to spread more malicious hacking tools.

Realistically, most IT departments these days will have addressed and taken preventative action against most threats: the endpoint, i.e. the employee's Laptop or computer, will have the latest Anti-Virus programs, firewalls, and the connection to the corporate network will likely be established over VPN. This should cover most of the threats that could originate from infected devices in a home network.

The same may not be true, however, for SAP systems, which are still not sufficiently hardened in many implementations. For example Secure Network Communications (SNC) encryption technology is provided by SAP free of charge and encrypts both the connections between SAP systems, and between an SAP client and the SAP system. SNC, however, is not always used, in other words: the communication between an employee’s laptop and the SAP system is often not encrypted, everything can be read in plain text. Capturing this traffic is easy for an experienced hacker. There are more examples, like the well-known SAP Gateway hack or the 10KBLAZE exploit which was discovered (and commercially exploited) last year. All of these exploit vulnerabilities which, if the SAP system is not sufficiently secured – are more likely to occur in an unprotected network than within corporate boundaries.

Coming back to the relationship witth Covid-19. More employees working from home means a bigger attack surface for hackers. But what can you do about it? The most crucial measures are quite simple:

  • Scan your SAP landscape for vulnerabilities. SAP has thousands of security relevant settings, and that does not even account for all roles and authorizations which could potentially lead to data breaches or a compromised system. Use a tool to scan your system for potential vulnerabilities and critical authorizations
  • Constantly monitor your SAP system for threats. In order to successfully protect your systems and quickly react to potential attacks, you will need to know what’s happening when it’s actualy happening. This can only be achieved if you continuously monitor your SAP systems for any anomalies and filter those to detect threats. Ideally, this monitoring should integrate into your existing security landscape, such as a SIEM solution.

In order to ensure that your home-based workforce is as secure as if they would be in the office, we strongly recommend you to secure your SAP systems by implementing these measures, at least. Our SecurityBridge tool provides both these measures, and integrates into existing SIEM solutions. We'd love to show you how you can mitigate risk with an agile, accurate, anomaly detection platform.

Additional Info

  • Language:: English
Patrick Boch

Patrick Boch

Email This email address is being protected from spambots. You need JavaScript enabled to view it.