Key Insights Blog

Read the latest insights from our experts on GRC and risk management

15 April 2021

Onapsis research shows active cyberattacks on critical SAP applications - what you should do next

Onapsis’ recently released research shows that SAP systems are not immune from the cyber threats that impact all other IT systems, but what is surprising is the speed with which the attackers are able to detect vulnerable systems and the level of expertise they’ve shown in exploiting those vulnerabilities.

It shows that the attackers may be better informed about your SAP estate than some of your own teams and, with the speed of the exploits, they may penetrate systems and hide their tracks before you’ve readied a response.

You don’t want a vulnerability to materialise into a breach which could result in data exfiltration, system downtime, malware distribution, or attempts at fraud, so consider the security of your SAP systems.

In Turnkey’s recent SAP Cybersecurity survey, 50% of respondents believed their SAP systems to be secure because they sit within internal networks. However, increasingly SAP systems are exposed to the internet and the published Onapsis report shows that it is easy for attackers to identify which of those are vulnerable.

What can and should you do?

As with any threat, the key to defending against it can be aligned to the pillars of cybersecurity management:

Identify the risk: Assess your SAP systems for their exposure to vulnerabilities, either through automated solutions, manual verification of patch levels, SAP note application, or other configured controls. Any gaps should then be remediated as a matter of priority. Ensure you know if the vulnerability has been exploited as well as if it could have been – is there any suspicious activity on your SAP estate? Is there any cause for concern when it comes to SAP application security?

Protect against the threats: Once you have identified a vulnerability, you must have a plan in place to protect those systems, especially in business-critical scenarios. This may involve patching or applying notes to protect the systems against the published exploits. Or may include more sophisticated monitoring and alerting of the exploits being utilised.

Detect intrusions or security-relevant events: Automated solutions for detecting suspicious events or Indicators Of Compromise (IOCs) can provide insight into when intruders may have access to systems, or have exploited vulnerabilities. Even without automated tooling in place, you can use your SAP system information to inform on these events. Are you configured to monitor and alert successfully? And do you use wider infrastructure telemetry to inform when SAP systems may be under attack?

Respond to a breach: Should the worst happen and an intruder gets into SAP, how are you going to respond to that breach? You must have security incident procedures in place that can isolate and deal with an attack, without impacting critical business processes. Response plans should include the ability to recover from an incident and may not always be system-based. Responding to these incidents over time should include continual patch and vulnerability management of your SAP estate.

How can we help?

My team and I at Turnkey are offering free 1-to-1, 15-minute consultations on the latest Onapsis report to any SAP customer needing further information. The consultation will give you an opportunity to ask how the findings of the report may impact your SAP landscape and what you can do to protect against the threat. Fill in your contact details on the link below and one of my team will reach out to arrange a suitable date and time.