At a US Senate hearing, former CIA Director Leon Panetta captured the crux of the matter when he said: "The next Pearl Harbor that we confront could very well be a cyber-attack."
Watching the film Blackhat play out yet again re-emphasizes the critical importance of securing systems and data, and the obvious point that we now live in a world where cyber security has a global impact, not only on the fabric of our individual lives but, most importantly, on the ERP platforms that run the world's business.
For a long time there was a notion that ERP platforms were off the radar for cybercrime and that back-office operations could not easily be exposed to cyber-attacks. Sadly, this is not the case: we now know that most security audits fail to catch the common critical ERP exposures. Of course, many audit firms put a great amount of effort into security audits of ERP platforms, and with best-practice security guidance freely available in the public domain, several organizations continue to believe they are protected when in fact they are totally exposed and blissfully unaware of it.
In my previous post I mentioned that it can take close to 200 days before an attack is noticed within an enterprise.
As an outward-looking security enthusiast, SAP certified in GRC Access Control 10.0 and a member of OWASP, I have come to the conclusion that most of the common tools security professionals use for exposure assessments are not tuned to find weaknesses specific to ERP platforms such as SAP and the other Tier 1 ERPs. Hence, with over 1,500 SAP configuration parameters and 80,000+ tables in a production system, it becomes terribly difficult for most organizations to identify which of their systems might have been compromised, even from the time of implementation, before go-live (which is scary to say the least, as it could lead to a colossal financial tragedy).
The sad truth, as we saw in the Hollywood movie Blackhat, is that most organizations either do not have the right skills to perform vulnerability scans and penetration tests at the SAP application layer, or they have too many bureaucratic administrative processes or policies that disallow them from doing so.
It is no news that, with the large majority of the Fortune 500 running SAP, the core business data, processes and applications on those SAP systems have become attractive targets for sophisticated attacks by cyber criminals. Today, attackers continue to employ ever more advanced techniques, rendering our traditional approaches to support and clean-up redundant and close to useless.
The good news for most businesses, particularly in Africa, is that we live in a business world where knowledge can easily be outsourced, and best-of-breed security professionals with these rare skills are available to lend a helping hand. So wouldn't you rather speak to DeltaGRiC before you get burnt?