Last year, the Department of Homeland Security (DHS) issued a US-CERT Alert warning of increased exploitation of vulnerabilities in Enterprise Resource Planning (ERP) applications. This alert was the result of a joint research report, ERP Applications Under Fire, performed by Digital Shadows and Onapsis. The report shed light on how nation-state actors, cybercriminals and hacktivist groups are actively attacking SAP and the Oracle E-Business Suite (EBS) and what organizations should be doing to mitigate the risk.
You may ask, why are ERP systems suddenly a target? The reality is, these systems are not “suddenly” a target. There has been a history of critical vulnerabilities for years. Patching can be difficult because of availability demands. And, with more internet-facing applications, attackers are finding it easier to exploit ERP systems. At Onapsis, we have identified more than 17,000 SAP and Oracle ERP applications directly exposed to the internet.
Your organization’s crown jewels are stored in your ERP systems – making these systems attractive to both internal and external attackers. Traditional security tools, including perimeter and endpoint protection, have proven insufficient to protect ERP systems, and blind spots still exist. So, while many organizations still believe “behind-the-firewall” ERP implementations are protected, they are now facing a new security challenge.
So why is ERP security such a challenge? The simple answer is that it’s hard. ERP systems are massively complex and involve teams across the organization to keep them available, secure and compliant. Oracle application, security and audit teams all have their own agendas. The application team is responsible for maintenance, uptime, and optimization of Oracle EBS. The security team is responsible for protecting the organization and its most critical data. Meanwhile, the audit team is making sure the proper controls are in place to meet specific compliance mandates.
Then there’s the added complexity of thousands of configurations and parameters that can impact security. Having a strong patch management strategy can help, but patching Oracle EBS is not easy and finding maintenance windows, or downtime, can be difficult.
The bottom line is that ERP security is essential to organizational success and must be addressed. You need not only to develop a security program that aligns your teams, but also to implement security solutions that specifically focus on your ERP systems. At Onapsis, we offer the industry-leading Onapsis Security Platform (OSP) for both SAP and Oracle EBS. Our solution continuously monitors your business-critical ERP applications for security vulnerabilities and compliance gaps. With cross-function visibility and detailed reports, you have the intelligence to make an informed decision and prioritize remediation – helping to keep you secure and compliant.
Come See Us at OAUG Collaborate 2019
We invite you to visit us at Collaborate 2019 in San Antonio, Texas, April 7-11, where we will be providing demos of OSP and discussing how you can better secure Oracle EBS. Set up a meeting today or stop by the Onapsis booth #327.
Our Oracle cybersecurity experts will be presenting on hot topics such as the audit and compliance advantages of running in the cloud, how to stay secure with Security Configuration Console, hacking and protecting Oracle, and how to implement Critical Patch Updates. See our full Collaborate program for more information.