Onapsis Research Study Reveals Top Three Cyber Attack Vectors For SAP Systems

Over 95 percent of systems assessed had vulnerabilities that could lead to compromised data and disruption of critical business processes

Boston, MA – May 5, 2015Onapsis the global experts in business-critical application security and SAP cybersecurity solutions, today revealed the three most common cyber attack vectors used for compromising SAP business systems at the application layer. These attack vectors put intellectual property, financial, credit card, customer and supplier data as well as database warehouse information at risk for the world's largest companies. Based on assessments of hundreds of SAP implementations, the Onapsis Research Labs study found that over 95 percent of SAP systems were exposed to vulnerabilities that could lead to full compromise of the company’s business data and processes.

In addition, the research study found that most companies are also exposed to protracted patching windows averaging 18 months or more. In 2014 alone, 391 security patches were released by SAP, averaging more than 30 per month. Almost 50 percent of them were ranked as “high priority” by SAP.

SAP is run by over 250,000 customers worldwide, including 87 percent of Global 2000 companies and 98 percent of the 100 most valued brands. Despite housing an organization’s most valuable and sensitive information, SAP systems are not protected from cyber threats by traditional security approaches.

“The big surprise is that SAP cybersecurity is falling through the cracks at most companies due to a ‘responsibility’ gap between the SAP Operations team and the IT Security team,” said Mariano Nunez, CEO and co-founder of Onapsis. “The truth is that most patches applied are not security-related, are late or introduce further operational risk. Breaches are happening every day but still many CISOs don’t know because they don’t have visibility into their SAP applications. Onapsis constantly researches the attacks that are impacting the industry and works directly with our customers, the market and federal agencies to proactively prevent compromise and respond to incidents when they happen.”

“Companies today are looking ahead at the opportunities presented by moving systems to the cloud, enabling user adoption through mobile devices and big data. The challenge is that most of these new possibilities rely on legacy systems such as SAP. In a connected world, it is essential that critical business applications be protected. Securing a company’s crown jewels is a board-level discussion. Information security professionals need to re-evaluate how SAP is protected from cybersecurity threats,” said Renee Guttmann, vice president, Office of the CISO, Accuvant.

The Top Three Common Cyber Attack Vectors on SAP Systems
Onapsis Research Labs analyzed thousands of vulnerabilities to identify the three most commonly used approaches for hacking into business-critical data hosted in SAP applications, as well as disrupting key business processes:

  • Customer Information and Credit Card Breaches Using Pivoting Between SAP Systems. The attack begins with a pivot from a system with lower security to a critical system in order to execute remote function modules in the destination system.
  • Customer and Supplier Portal Attacks. Backdoor users are created in the SAP J2EE User Management Engine. By exploiting a vulnerability, the hacker can obtain access to SAP Portals and Process Integration platforms and their connected, internal systems.
  • Database Warehousing Attacks through SAP proprietary protocols. This attack is performed by executing operating system commands under the privileges of a particular user, and by exploiting vulnerabilities in the SAP RFC Gateway. The hacker is able to obtain and potentially modify any business information stored in the SAP database.

“This trend is not only continuing, but exacerbating with SAP HANA, which has brought a 450 percent increase in new security patches specifically affecting this platform. With SAP HANA positioned in the center of the SAP ecosystem, data stored in SAP platforms now must be protected both in the cloud and on-premise,” Nunez continued. “The Onapsis Research Labs is the leading company helping SAP SE identify and fix security vulnerabilities affecting SAP HANA.”

Action Plan for CISOs
Retail, oil and gas, manufacturing, pharma and other Global 2000 organizations running critical business process in SAP Business Suite solutions are urged to stay up to date with the latest SAP Security Notes, and to ensure their systems are configured properly in order to meet compliance requirements and strengthened security. These should be part of an action plan to add SAP cybersecurity to the organization’s strategy and roadmap:

  • Gain visibility into SAP-based assets to determine the “value at risk”
  • Prevent security and compliance issues through continuous monitoring
  • Detect and respond to new threats, attacks or user behavior anomalies as indicators of compromise (IOCs)

On Thursday, May 21st Onapsis CTO, Juan Perez-Etchegoyen will be hosting a live webcast “Top Three Cyber Attacks on SAP Systems” at 9:00am and 2:00pm EST.
For more information, or to register please visit: https://www.onapsis.com/news-and-events/webcasts/top-3-cyber-attacks-on-... .

About Onapsis

Onapsis provides the most comprehensive solutions for securing business-critical applications. As the leading experts in SAP cyber-security, Onapsis’ enables security and audit teams to have visibility, confidence and control of advanced threats, cyber-risks and compliance gaps targeting their enterprise applications.

Headquartered in Boston, MA., Onapsis serves over 160 Global 2000 customers, including 10 top retailers, 20 top energy firms and 20 top manufacturers. Onapsis’ solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, IBM, Deloitte, E&Y, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating SAP applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs which continuously provide leading intelligence on security threats affecting SAP systems. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to-date affecting SAP Business Suite, SAP HANA and SAP Mobile deployments.

For more information, please visit www.onapsis.com, or connect with us on Twitter, Google+, or LinkedIn.