External vs Insider Threats: Why there are no “internal” SAP systems
I would like to reflect on a common situation that I have repeatedly heard over the past few years when talking and training on the topic of SAP security: When I ask the question:
- “How are you dealing with the cyber-threats affecting your SAP platform?”
Most commonly I get the answer:
- “Oh, our SAP system is internal, so we are fine.”
I humbly believe that many people have a misconception about this statement, and it is about time that we clarify that the old paradigm of “external vs. internal” has not applied in information security for a long time. It doesn't apply when we talk about networks, and therefore, it does not apply when we talk about threats. And specifically, it does not apply to SAP environments. Let's analyze why:
- Who's on your “local” network? Several decades ago your local network would only be hosting very few and trustworthy employees. Today, the local network must be considered as harmful as any other untrusted network. Surprisingly, many large organizations still have the SAP platform deployed in networks which are directly reachable from the end-user network (no internal DMZ), significantly increasing the attack surface.
Furthermore, because most large organizations are outsourcing the management of their SAP platforms to 3rd party contractors, less controls can be enforced. Just in the last training we held at Black Hat USA, three students commented privately that they had suffered a breach in their SAP systems, having a disgruntled outsourced contractor as the perpetrator.
- That one application. It's not rare to hear from Information Security peers that they were not aware (most of the time, were not informed) of that one application that actually exposes SAP components to suppliers, partners or customers. Because of modern business requirements, many SAP systems are effectively used to provide online access to business processes, usually through Web applications (could be running on top of SAP itself) or Mobile platforms.
- Your internal users have email access. Even if there is no SAP Web application to exploit directly, malicious attackers would of course not give up. For several years now, they would just use client-side exploits in spear phishing attacks: sending malware through a malicious PDF or MS Office document to any internal employee. Upon opening it, your internal user would surrender the entire “local” network to an attacker who may be sitting thousands of miles away. From there, the attacker has effectively established a presence inside your network and can just fire at will at the SAP systems (back to point 1!).
- Your SAP system is online. I'm sorry for the bad news, but don't kill the messenger. SAP AG provides support services (such as EarlyWatch) remotely from specific locations. In order for them to do so, you need to deploy a component called SAProuter that will proxy the remote support connections to your “internal” SAP systems.
Ideally, it should be set up through a VPN connection with SAP AG only, but more often than not it's possible to find them directly exposed to the Internet. An unsecured SAProuter could be completely exposing your SAP platform to the world. Read this SAP Security In-Depth publication for more information regarding the SAProuter. In order to mitigate the risks that affect our SAP platform, we first need to understand the threats we are facing. We need to accept that our SAP systems are in fact connected to rouge and untrusted networks. With that mindset change, we can then analyze how to holistically protect it from cyber-attacks.