
14 December 2021

A false sense of security: Why the external threat to SAP is greater than you think

Did you know that only one in seven SAP customers think external attacks are the greatest threat to their SAP systems? And that half think SAP is better protected because it sits within their internal network?

These surprising misconceptions were uncovered in a recent SAP Security Report, compiled by Turnkey Consulting, Legion Star and Onapsis. They suggest a worrying complacency among businesses that use SAP, one that leaves them open to considerable risk if attacked by cybercriminals who are increasingly sophisticated and well-resourced.

In this blog, we’ll take a closer look at the scale of the problem, and what businesses can do to protect themselves against external attacks.

Why has the threat increased?

There are a number of different factors at play here, and if anything, the COVID-19 pandemic hasn’t helped matters. At face value, it might seem like the acceleration in digital transformation that so many businesses have undergone is a positive: customers are getting better, digitally-led experiences and employees are able to benefit from the flexibility of working from home.

However, the speed at which businesses have been innovating has not been matched with similar progress in security provision. With so many business-critical and public-facing systems and applications hosted in the cloud, some organizations haven’t sufficiently adjusted their security to cover their new set-up, and are at major risk as a result.

The increase in people connecting to SAP while working from home means it’s now more exposed to the public Internet than ever before. At the same time, well-known yet unpatched SAP vulnerabilities are now being targeted by cybercriminals, who are devoting more time and resources to malicious activity hoping to infiltrate the SAP estate.

Recent Onapsis research has revealed the scale of this activity, including that:

  • There are more than 300 automated exploitations, leveraging seven specific attack vectors
  • Critical SAP vulnerabilities are being weaponized within 72 hours of a patch being released
  • Unprotected SAP applications in the cloud are being compromised within three hours of their creation

"The SAP Threat Landscape has dramatically changed recently," said Sebastian Bortnik, Director of Research at Onapsis. "The Onapsis Research Labs have been at the forefront of monitoring and researching it for over a decade, and the amount of public exploits and vulnerabilities that have arisen rapidly in the last few years has been extremely concerning. Through our sensors in the Onapsis Threat Intelligence Cloud, we have confirmed that threat actors are actively exploiting those vulnerabilities in real life, confirming our troubling observations. Protecting SAP environments isn't more complex than before, but it is more relevant and requires more urgent attention now than ever before."

The impact of an external attack

Should an external attack be successful, the attacker would have full and unrestricted access to the SAP system in question, along with the underlying business data and processes. This means every piece of data within the system could be read, modified or deleted by the attacker. Potential ramifications include (but are not limited to):

  • Personal data and business-sensitive data being stolen
  • Banking details being accessed and tampered with
  • Supply chain disruption through data corruption or the installation of ransomware
  • Exfiltration of intellectual property

All of these consequences will cause major headaches around compliance, on a number of different fronts. For example, unauthorized access to protected data would breach data privacy regulations like GDPR or CCPA, even if the data isn’t exfiltrated. Additionally, changes to financial data, or a bypassing of controls leading to inaccurate reporting, would breach financial reporting regulations like Sarbanes-Oxley. 

Nabeel Nizar, CTO at Legion Star, said this about how their clients are remaining secure: "At Legion Star, we’re seeing an uptick in clients performing risk assessments to help lower their cyber insurance premiums. By addressing NIST & Cybersecurity controls for configuration & patch management, Onapsis helps clients secure & protect their intellectual property & financial data across their mission-critical applications like SAP."

Ultimately, the presence of vulnerabilities and misconfigurations that would enable unauthenticated access, or the creation of high-privileged user accounts, would represent a major deficiency in IT controls. Such a deficiency would fail an audit and violate compliance requirements for those businesses where compliance is mandated.

The knock-on impact of a violation like this could also be highly expensive, with security breaches often leading to third-party audits and financial penalties (along with potential further legal action).

In summary

The first thing organizations should do to make sure they’re better protected from external threats is to ensure their SAP systems are fully patched. Regular checks should be undertaken to see whether any new patches have been released, and any that have should be installed promptly.

Going further, there are three other strategies that can make a significant difference to SAP security:

  • Implement a vulnerability management program for SAP: finding and remediating any vulnerabilities before threat actors have a chance to access and exploit them
  • Build application security testing into development processes: find and resolve issues in the shortest possible time, and before production, so that expensive fixes further down the line can be avoided
  • Involve security in your project lifecycle: try to bring the CISO into your SAP transformation, or your SAP estate into the CISO discussions, especially for projects that change either the hosting or the end-user entry points of business-critical estates
  • Continuously monitor for internal and external threats: spotting malicious or suspicious activity earlier makes it much easier to prevent serious consequences

Download the full 2021 SAP Security Survey Report from Turnkey, Onapsis and Legion Star to see all the results from their SAP Security Survey, and further insights into how SAP customers can protect themselves from external threats.