Some 3 months ago, two members of a Vulnerability research team: Charlie Miller and Chris Valasek started a project to look into the vulnerabilities that may exist in an automobile manufacturers firmware and Software, they chose Chrysler this time. It only took them a month to realize where the loop holes were in the Chrysler software/firmware build; A security case termed as zero – day exploit. Of course, this hack did not really start today, In the summer of 2013, They had performed the same attack using a Ford Escape and a Toyota Prius as subject test vehicle and performed same remote attacks.
see video here courtesy CNN
So… what question should we be asking?:
Why was the vulnerability existing without Chrysler really knowing about it? To put it as it is: That is why it is a vulnerability. The sad truth is that, most cases of software /firmware build, the end result is the main goal: “Get the product out to satisfy user experience”, of course, that is not an entirely wrong motive for a product development team, however, it is important to pay careful attention to security. Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone.
Businesses today running SAP continue to explore the ease of business using Mobility, and also taking advantage of Webservices on SAP and making initiatives around IoT (In most cases, blissfully unaware of the 0-day exploits and associated vulnerabilities that may exist in the method of their SAP implementation)
Like the Chrysler situation, most SAP users and/or SAP implementation partners always do a very great job mapping the business process altogether, getting the ultimate goal achieved: Business Automation and ease of doing business! But most often than not, they take the real deal into little or no account: Security! Vulnerabilities and 0-day exploits are just usually never taken into account. This is a very huge business risk in itself! External hackers can easily gain critical access into SAP system via known vulnerabilities, which in today’s world are published in public domain like google, and then go on to exploit these vulnerabilities to either gain privileged access through internal trust connections within your SAP landscape or take advantage from existing misconfigurations or perhaps through your SAP router or RFC loopholes.
One of the ways to combat these types of hacks on the SAP platform is to conduct a proper SAP penetration test from within and without your existing landscape so as to show you where your vulnerabilities exist (Blackbox or whitebox)
It is important to note that while Miller and Valasek have been sharing their research with Chrysler for some months, enabling the Chrysler to quietly release a patch ahead of the Black Hat conference. Unfortunately, Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic. That means many—if not most—of the vulnerable Jeeps will likely stay vulnerable.
This scenario is almost same and can be likened unto most SAP systems where patch management is a terrible nightmare and even in numerous cases where understanding of patch kernel for an evenly distributed and large landscape is limited.
Are you a SAP run business in Africa and are concerned about the integrity of your landscape as regards Cybersecurity, please send an email to email@example.com and some advice on running your SAP security initiatives will come your way.