Slashdot Mirror


Top Cyber Attack Vectors For Critical SAP Systems

An anonymous reader writes: Despite housing an organization's most valuable and sensitive information, SAP systems are not protected from cyber threats by traditional security approaches. Based on assessments of hundreds of SAP implementations, the Onapsis Research Labs study found that over 95 percent of SAP systems were exposed to vulnerabilities that could lead to full compromise of the company's business data and processes. Most companies are also exposed to protracted patching windows averaging 18 months or more. In 2014 alone, 391 security patches were released by SAP, averaging more than 30 per month. Almost 50 percent of them were ranked as "high priority" by SAP.

65 comments

  1. You are all cows! by Anonymous Coward · · Score: 0

    Cow say moo. MOOOOOOOOO! Mooo cows! MOOOOOOOO! Moo says a cow. YOU COWS!!

    1. Re: You are all cows! by Anonymous Coward · · Score: 0

      You're a sap. (D'ya see what I did there?)

  2. Why bother to use the word "traditional"? by dbIII · · Score: 1

    SAP systems are not protected from cyber threats by traditional security approaches

    That implies that there is some sort of protection while leaving out the word "traditional" implies the more correct situation where they are not protected at all.
    That's not necessarily a bad thing so long as the practice is to secure their stuff with third party approaches afterwards (e.g. you need to get on a secured VPN before you can communicate with the software).

    1. Re:Why bother to use the word "traditional"? by Shoten · · Score: 2

      SAP systems are not protected from cyber threats by traditional security approaches

      That implies that there is some sort of protection while leaving out the word "traditional" implies the more correct situation where they are not protected at all.
      That's not necessarily a bad thing so long as the practice is to secure their stuff with third party approaches afterwards (e.g. you need to get on a secured VPN before you can communicate with the software).

      Onapsis' bread and butter is a non-traditional security product meant specifically to secure...wait for it...SAP. So, that gives you an idea what the anonymous OP is up to.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    2. Re: Why bother to use the word "traditional"? by Anonymous Coward · · Score: 0

      If 95% of SAP systems are vulnerable, then that is the tradition. Seems like an anomaly that they are actually secured (5%).

  3. There is only one by Anonymous Coward · · Score: 0

    Even from the summary, the stupidity just comes right at you, oozing like it does. There is really one cyberreason why cyberSAP is cybertraditionally cybervulnerable to cyberattack cybervectors. It's networked. It's the cyber, baby. The thing ass-u-mes a trustworthy network and is not fit to connect to anything else whatsoever. Too bad, big spender enterprises, you really do have to build a separate network for this.

    1. Re: There is only one by Anonymous Coward · · Score: 0

      If that only were feasible, boy.

    2. Re: There is only one by Anonymous Coward · · Score: 0

      Oh please. You (hired very expensive people that) managed to get SAP into some semblance of "installation" once, didn't you?

      Usually people that buy very expensive machinery make sure there's some sort of security on the containing building.

  4. The problem is not limited to SAP by Anonymous Coward · · Score: 0

    I used to be active in the hacking scene and I know that there are a lot more systems out there that are very vulnerable to attack.

    1. Re:The problem is not limited to SAP by Anonymous Coward · · Score: 0

      And then you took an arrow to the knee?

  5. wha? by AndyCanfield · · Score: 2, Insightful

    What the H* is a SAP system?

    1. Re:wha? by Anonymous Coward · · Score: 1

      And what in the fucking bloody cunt hell's name does "H*" mean?

    2. Re:wha? by Anonymous Coward · · Score: 1

      Outsourced, overpriced enterprisey bullshit software. Also with really shitty security, given that they averaged over 30 security patches a month in 2014, with nearly half marked "high priority".

    3. Re:wha? by Anonymous Coward · · Score: 0

      0 or more H characters.

      Of course, I'm assuming he was using the Kleene star in a regex-type context:

      http://en.wikipedia.org/wiki/Kleene_star

    4. Re:wha? by fuzzyfuzzyfungus · · Score: 5, Insightful

      A 'sap' is a small blunt weapon, usually a leather sack of lead shot, used to incapacitate a target. A 'SAP system' is a gargantuan and expensive piece of ERP software used to incapacitate a corporation.

    5. Re: wha? by Anonymous Coward · · Score: 0

      They are all stupids and should be enlightened by you, mr prophet Boy.

    6. Re: wha? by Anonymous Coward · · Score: 0

      Only those who do something make mistakes. Diogenes does not make mistakes.

    7. Re:wha? by AndyCanfield · · Score: 1

      Ah. Thank you very much. - https://en.wikipedia.org/wiki/... - Sounds like a very large blunt weapon.

    8. Re: wha? by Redmancometh · · Score: 1

      Odd, all of the PRs for my software are functionality patches...as are my changes. Almost as if it's not an issue of "haters gonna hate," and that 40 vulnerabilities in that period of time is insanely unacceptable.

      Then again it's corporate IT, and a ridiculous amount of that "community" are still running highly vulnerable IIS servers, so par for the course I suppose.

    9. Re:wha? by v1 · · Score: 2, Informative

      You'd think that *somewhere* in the article they'd at least ONCE explain that short acronym. But no. Short acronyms are difficult to google.

      I think they're talking about this?

      --
      I work for the Department of Redundancy Department.
    10. Re:wha? by Anonymous Coward · · Score: 0

      Obviously you have not a single clue. Good luck writing your own SAP system!

    11. Re:wha? by vulcanrob · · Score: 1

      Yes, please define fricken TLAs. Not everyone is in the, I don't know, business computing world. Some of us are hanging out in our ivory towers.

    12. Re: wha? by Anonymous Coward · · Score: 0

      No, I think he was globbing, i.e., all words starting with capital H. In unix that would be no words at all.

    13. Re: wha? by UnifiedTechs · · Score: 2

      SAP = Stupid A** Program. The sentence would still be true. (Honestly I'd tell you but it's a new one to me too.)

    14. Re:wha? by wonkey_monkey · · Score: 2

      Yes, please define fricken TLAs.

      Fricken what?

      --
      systemd is Roko's Basilisk.
    15. Re:wha? by Anonymous Coward · · Score: 3, Interesting

      SAP is the third largest software company in the world (source). What rock do you live under?

    16. Re:wha? by vulcanrob · · Score: 1

      exactly!

    17. Re:wha? by Anonymous Coward · · Score: 0

      It's the software running most admin and finance in most companies (private and public) in the Western World with more than about 50 employees.

    18. Re: wha? by KlomDark · · Score: 1

      I've always heard it as "Shitty Ass Program".

    19. Re:wha? by Anonymous Coward · · Score: 0

      http://www.acronymfinder.com/Systems-Applications-and-Products-%28data-processing%29-%28SAP%29.html
      Please note:

      "This definition appears very rarely and is found in the following Acronym Finder categories:
      Information technology (IT) and computers

    20. Re:wha? by AndyCanfield · · Score: 1

      I'm living in Isan, Thailand (otherwise known as Heaven). You ever see the pretty dancing ladies in the Bangkok gogo bars? Well, I live where they come from. Me and all my (happy) wives. I don't know what TLA's are. I can guess what the "T" stands for, and what the "A" stands for, and there are lots of T and A where I live, but they don't allow words like that on Slashdot.

    21. Re:wha? by neurovish · · Score: 1

      I manage like 100 servers running SAP, and I have no idea what it stands for. Probably something German.

    22. Re:wha? by cbelt3 · · Score: 4, Informative

      Systeme, Anwendungen und Produkte (Systems, Applications, and Products).

      www.sap.com

      Basically it's one of the two largest Enterprise Resource Planning software companies in the world. Oracle is the other one. And since most SAP systems are run inside a highly protected corporate network, the self-promoting hysteria from this article is so much bullcrap.

    23. Re:wha? by AndyCanfield · · Score: 1

      Thank you for the information on SAP. I passed the link on to the company bigshots in case they want to buy something.

    24. Re:wha? by Anonymous Coward · · Score: 0

      Software, Applications, and Programs

    25. Re: wha? by modi123 · · Score: 1

      I figured it was "Sucks All Profit".

    26. Re:wha? by Anonymous Coward · · Score: 0

      You really didn't want to do that.

      Part of the reason so many SAP systems go unpatched is because everyone is still trying to get them to work at all.

      Well, you made your bed...

    27. Re:wha? by Ben+Hutchings · · Score: 1

      highly protected corporate network

      Do those really exist?

    28. Re:wha? by vulcanrob · · Score: 1

      Hi Thailand! I'm living in Florida (otherwise known as "source of bizarre news stories"). Do you ever see rich people close to death? Well I live where they end up. Me and myself! TLAs are three letter acronyms, hence the delicious irony! Enjoy the land of T and A, my friend!

    29. Re:wha? by onkelonkel · · Score: 1

      SAP is the equivalent of a parasitic wasp. It lays eggs on the host, which then hatch and devour it from within. Except it's software and the host is a company. But otherwise exactly like that.

      --
      None of them can see the clouds; The polished wings don't care.
  6. Consider the source... by Anonymous Coward · · Score: 1

    Hm.. So the research lab of a company that secures SAP for a living has found that nearly all SAP systems in the world are insecure.

    Just sayin'..

    1. Re:Consider the source... by Headw1nd · · Score: 2, Interesting

      Well, to be honest, if you work with SAP every day you can't help but realize it sucks.

    2. Re:Consider the source... by Anonymous Coward · · Score: 4, Interesting

      I do not disagree at all that SAP sucks. I work for a large retailer and sit right next to the SAP guys. I've never seen such a miserable lot. Daily banging their heads against one stupid SAP issue after another and always complaining about SAP support being completely useless.

      I'm just not sure I buy the "95% of installs are horribly insecure" claims coming from a company whose only product is securing SAP.

    3. Re:Consider the source... by neurovish · · Score: 1

      I do not disagree at all that SAP sucks. I work for a large retailer and sit right next to the SAP guys. I've never seen such a miserable lot. Daily banging their heads against one stupid SAP issue after another and always complaining about SAP support being completely useless.

      I'm just not sure I buy the "95% of installs are horribly insecure" claims coming from a company whose only product is securing SAP.

      You might get a laugh out of this then, one of the SAP guys came to me yesterday asking if one of the ECC servers can receive email. I asked him why the ECC server needs to read email, and he just said it was on this checklist he had and would have to see what the reason was. I don't think he even realized how preposterous his question was.

    4. Re:Consider the source... by cbelt3 · · Score: 1

      SAP can send and receive email. Your guys should know that. It's a sucky 1990's email system, but it works.

      Disclaimer... I'm one of those 'SAP Guys' and have been doing it for a decade and a half.

    5. Re:Consider the source... by Anonymous Coward · · Score: 1

      You just described our SAP group. Blindly following checklists and SAP recommendations. Anytime an issue occurs you can actually watch the SAP guys travel in a pack to point blame. VMware -> Windows -> Networking -> Storage.. The Database guys are on the same team as the SAP guys otherwise I'm sure they would be in the mix as well. Never is the issue SAP itself.

    6. Re:Consider the source... by Anonymous Coward · · Score: 1

      Can and should are two different things. The point of the comment was that the SAP guy is blindly following some checklist but has no idea why he needs the thing he is asking for.

      Sort of thing that makes it not that hard to believe that so many SAP systems are insecure....

    7. Re:Consider the source... by Anonymous Coward · · Score: 0

      It may suck, but it pays very well.

    8. Re:Consider the source... by Anonymous Coward · · Score: 0

      We're just starting our migration away from JDE to SAP. I have been assisting with data conversion from the "legacy" systems. I am not impressed so far.

    9. Re:Consider the source... by Anonymous Coward · · Score: 0

      Both are crap, in my opinion. If ever an industry was in need of a disruptive competitor, this is it.

  7. Definition of SAP by Anonymous Coward · · Score: 1

    For everyone who is wondering what SAP is:

    http://yourfinancebook.com/what-is-sap

  8. Golf by coofercat · · Score: 1

    When will the PHBs realise that the golf course is not a 'reputable source' for software?

    1. Re:Golf by disposable60 · · Score: 1

      When they have to start paying their own greens fees and club dues.

      --
      You're looking for quotes? See my journal.
  9. Can confirm by Anonymous Coward · · Score: 0

    Having recently done a pentest for a client that uses SAP, they were a fucking mess.

  10. SAP can be both a blessing and a curse by Anonymous Coward · · Score: 0

    SAP can be difficult and terribly sticky to work with at times. SAP can be especially troublesome if the trunk is attacked from an outside vector. Once security is breached some samples will just continue to leak, even the ones claimed to be self healing can be troublesome. It is often necessary to deploy TERPs for thorough cleanup of equipment. In conclusion, pine can have a tremendous amount of SAP. It gets all over your 'Saw And Pruners' (SAP) as you work, and makes a horrible mess.

  11. Pine beetles by Anonymous Coward · · Score: 0

    Pine beetles are the #1 threat to sap in the layer 8 domain.

  12. Article author has no idea what SAP security is by Anonymous Coward · · Score: 1

    As a SAP architect for over 15 years, I can tell you definitively that this article is one big troll. Responsible architecture never exposes SAP systems to the outside world without a dedicated hardened third-party product in between. As far as the article’s points:

    1) Portals: The portal product runs behind Apache and a J2EE product. Like 50% of the web, these products are very safe. I don’t understand the argument about “backdoor” users. Do they mean “system accounts”, accounts that can never have a dialog login session? If they do, then they should have done enough homework to know that all accounts on SAP systems have lockout protocols on par with industry security standards. This whole argument about portals is bogus.

    2) Proprietary protocols: Yes, SAP systems do have proprietary protocols, such as RFC, ALE, SOA, etc. Though, these are never exposed to the outside world. Then, from even the inside, these are usually protected by STRUST, a certificate based trust service, and then secondarily by password. Again, you cannot get to it if it is behind a VPN and even if you could, you don’t have the certificate and would lockout any accounts trying.

    3) Pivoting between SAP systems: So the argument is that if you can hack and gain access to a low priority box that you now have unfettered access to an ERP? No, not going to happen. Security between systems is always sandboxed to minimize access. For example, gaining access to a SAP Business Objects server will gain you the ability to call BAPIs which still require certificates and passwords on the ERP/BW box. Portals are set up the same way. In short, even if you could defeat Apache, account management, and other 3rd party barriers, you have absolutely nothing because the level of trust set up system to system is not enough to even log in.

    Alright net-security.org, do your homework next time.

    1. Re:Article author has no idea what SAP security is by Anonymous Coward · · Score: 0

      SAP_ALL for everyone!

    2. Re:Article author has no idea what SAP security is by guruevi · · Score: 1

      You are describing idealized setups. In most cases, the people on the floor don't give a shit about what the architect has said.

      The third party firewall is too expensive, I mean we already laid out millions of dollars on SAP licensing, contractors and architects, let's cut it because the Windows box it is running on has a firewall too.

      Why does the portal need its own box? We pay $100k per CPU for SAP and Windows Server licenses cost $10,000 per CPU as well, let's run it on the same box.

      That thing keeps locking me out, let's stop it from doing that. We've paid millions of dollars to implement this hack, we need to be able to use it.

      etc. etc.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  13. Shit article by neurovish · · Score: 1

    What a useless article. The only content is that evil hackers leverage vulnerabilities to gain access to companies' SAP systems. Well, no shit sherlock. SAP is a mess and barely works under normal conditions, so anybody VP-level and above freaks out at the mere mention of touching anything on them. Of course they're going to have patching windows > 18 months.

    1. Re:Shit article by Anonymous Coward · · Score: 0

      You haven't boiled it down enough. "evil hackers" equals guaranteed content-free article.

  14. In fairness to SAP by erp_consultant · · Score: 1

    the vulnerabilities are most likely in the operating systems/database/web servers etc. SAP, of course, runs on top of all that. The SAP software itself is not insecure but there are a lot of moving parts :-)

  15. Is this surprising? by AmazingRuss · · Score: 0

    "over 95 percent of SAP systems" are admined and operated by complete chuckleheads.

  16. Not the primary threat... by Anonymous Coward · · Score: 0

    If you are running SAP external security really is not your primary problem.

    I would worry much more about SAP's well known tendency to eat any company from within until it finally bankrupts it.

    It's like living on a Roc egg...

  17. Re: Article author has no idea what SAP security i by mobby_6kl · · Score: 1

    I think you mean GLOBAL for all.