The 2016 Data Breach Investigations Report (DBIR) drew on a collection of real-world data breaches and information security incidents affecting organizations in 82 countries (Nigeria, South Africa and Kenya among them) across a wide range of industries. The report corroborates findings of other security research firms that, of all the breaches recorded in 2015, roughly half were attributed to the application layer. The report reveals that:
- There were more than 3,100 confirmed breaches and over 100,000 incidents.
- Financial gain remains the number one motive; espionage is a distant second, and every other motive is small in comparison.
- 89% of breaches had a financial or espionage motive.
- 95% of confirmed web application breaches were financially motivated.
- 90% of cyber-espionage breaches captured trade secrets or proprietary information.
- External threat actors still account for more than 80% of breaches; internal actors were a distant second (under 20%).
- A large share of breaches involved exploitation of publicly known vulnerabilities (CVEs) to advance the attack.
- Time to compromise is almost always days or less, and often minutes or less; at the same time, the number of vulnerabilities newly opened each week in 2015 consistently exceeded the number closed, so attackers rarely lack a usable weakness.
In other words, 2015 saw more than 3,000 confirmed data breaches, most of them perpetrated by external threat actors with financial motives. Writing in Q3 2016, we project an increase of around 13% in that figure, with some notable incidents coming from Africa, such as the Standard Bank South Africa hack in May 2016 and the Department of Water South Africa hack in February 2016, among many others that roll into the statistics.
There is no doubt that the complexity of modern infrastructure makes web application servers a target for attackers. Looking at South Africa, Nigeria and Kenya, the applications powering most organizations' mission-critical business processes fall into four categories: SAP, open source software, Oracle and Microsoft, with a perceived market share ratio of roughly 38:24:20:18 respectively.
You cannot effectively protect your data (the crown jewels) if you do not know where it resides. With SAP applications powering approximately 60 to 70% of transactions in Africa, this article is deliberately biased towards SAP as a business-critical application which, like any other application, continues to see a rising number of security patches as more critical vulnerabilities are discovered. Open source security will be addressed in the next article.
In most SAP landscapes, experience shows that sometimes you simply cannot fix a vulnerability, whether because of a dependent business process, a missing patch or an incompatibility. More often, as we see in African SAP landscapes, the greater risk is not knowing which vulnerabilities exist in the landscape at all, so organizations continue to live with residual and potentially critical weaknesses. Mitigation is often as useful as remediation, and while patching is good, all that patching is for naught if we are not patching the right things.
Last week SAP released its July Security Notes; the findings underline the urgency of patching (and of patching properly). The important issues centre on the following.
1. Clickjacking vulnerability: clickjacking has been a publicly documented attack class for eight years, yet it surfaces only now in the SAP Utility Customer E-Services module; who knows what else lies beneath the security of that module?
SAP Security Note 2339506 addresses a clickjacking vulnerability in SAP Utility Customer E-Services, a web application installed on SAP NetWeaver AS Java. Because it is a web application the service is typically reachable from the Internet, making the vulnerability remotely exploitable: an attacker who lures an authenticated user to a page that frames the application can trick that user into clicking controls they cannot see.
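The standard defence against clickjacking is to forbid framing, either with a Content-Security-Policy frame-ancestors directive or with an X-Frame-Options header, and the quickest check during a vulnerability assessment is to inspect the response headers. As an added example (not code from the SAP note or from this article's author), the following Java method classifies a response's anti-framing posture. The header maps it runs against are constructed samples, not captured responses from an SAP system, and the class, method and verdict names are this example's own.

```java
import java.util.*;

/*
 * Added example, not part of the SAP note or of the original article:
 * classify whether an HTTP response carries a working anti-framing control.
 * The header maps in main() are constructed samples, not real SAP responses.
 */
public class FramingCheck {

    enum Verdict { PROTECTED, SAME_ORIGIN_ONLY, ALLOWLISTED, REVIEW, UNPROTECTED }

    /** All values of a header, matched case-insensitively (HTTP header names are). */
    static List<String> values(Map<String, List<String>> headers, String name) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey() != null && e.getKey().equalsIgnoreCase(name)) {
                out.addAll(e.getValue());
            }
        }
        return out;
    }

    static Verdict classify(Map<String, List<String>> headers) {
        // CSP Level 2: when frame-ancestors is present, browsers ignore X-Frame-Options.
        // Content-Security-Policy-Report-Only is deliberately not consulted: it enforces nothing.
        for (String policy : values(headers, "Content-Security-Policy")) {
            for (String directive : policy.split(";")) {
                String[] tokens = directive.trim().toLowerCase(Locale.ROOT).split("\\s+");
                if (!tokens[0].equals("frame-ancestors")) continue;
                List<String> sources = Arrays.asList(tokens).subList(1, tokens.length);
                if (sources.isEmpty()) return Verdict.REVIEW;            // malformed directive
                if (sources.contains("'none'")) return Verdict.PROTECTED;
                if (sources.contains("*") || sources.contains("http:") || sources.contains("https:")) {
                    return Verdict.UNPROTECTED;                          // any site may frame it
                }
                if (sources.size() == 1 && sources.get(0).equals("'self'")) return Verdict.SAME_ORIGIN_ONLY;
                return Verdict.ALLOWLISTED;                              // specific origins: verify the list
            }
        }
        List<String> xfo = values(headers, "X-Frame-Options");
        if (xfo.isEmpty()) return Verdict.UNPROTECTED;
        // Two X-Frame-Options headers or a comma-joined value is a misconfiguration whose
        // handling differs between browsers; report it for correction rather than guess.
        Set<String> distinct = new HashSet<>();
        for (String v : xfo) {
            for (String part : v.split(",")) distinct.add(part.trim().toUpperCase(Locale.ROOT));
        }
        if (distinct.size() != 1) return Verdict.REVIEW;
        String value = distinct.iterator().next();
        if (value.equals("DENY")) return Verdict.PROTECTED;
        if (value.equals("SAMEORIGIN")) return Verdict.SAME_ORIGIN_ONLY;
        // ALLOW-FROM was never supported by Chrome and is ignored there, so it protects nothing.
        return Verdict.UNPROTECTED;
    }

    public static void main(String[] args) {
        Map<String, List<String>> noHeaders = new HashMap<>();          // constructed sample
        noHeaders.put("Content-Type", Collections.singletonList("text/html"));

        Map<String, List<String>> hardened = new HashMap<>();           // constructed sample
        hardened.put("X-Frame-Options", Collections.singletonList("SAMEORIGIN"));
        hardened.put("content-security-policy",
            Collections.singletonList("default-src 'self'; frame-ancestors 'none'"));

        Map<String, List<String>> conflicting = new HashMap<>();        // constructed sample
        conflicting.put("X-Frame-Options", Arrays.asList("DENY", "SAMEORIGIN"));

        for (Map<String, List<String>> h : Arrays.asList(noHeaders, hardened, conflicting)) {
            System.out.println(h.keySet() + " -> " + classify(h));
        }
    }
}
```

In a real assessment the map would be filled from an HTTP client's response headers for each SAP web entry point; anything other than PROTECTED or SAME_ORIGIN_ONLY goes onto the remediation list, and ALLOWLISTED entries need the origin list reviewed by hand.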
2. Java deserialization vulnerability: a Java deserialization vulnerability in Adobe Interactive Forms (CVSS Base Score: 7.3).
SAP Security Note 2245398 addresses this. The deserialization vulnerability was disclosed in November 2015 and SAP patched it in time. Unfortunately, the first patch only prevented remote code execution and left open the possibility of a denial-of-service attack; this month's update closes one of the ways a DoS attack against the Java stack can be conducted. The issue is remotely exploitable and, as with the clickjacking vulnerability, the service is exposed to the Internet, so vulnerable instances can be found with an appropriate Google search. ERPScan reported that at least 300 such services are available online.
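The pattern the note describes, a first fix that stops remote code execution while a denial of service remains possible, is a general property of deserialization hardening: blocking gadget classes says nothing about how much work the allowed classes can force the receiver to do. The following added Java example (Java 9 or later; not SAP's code, and not a description of the Adobe Interactive Forms internals) shows this in miniature. The payload is the publicly known nested-HashSet construction built only from JDK classes; the allow-list, the limits in the filter and the class name are assumptions chosen for the demo.

```java
import java.io.*;
import java.util.*;

/*
 * Added example, not SAP's code. Shows why a class allow-list that stops
 * gadget-chain RCE can still let a deserialization DoS through, and how a
 * depth-bounded ObjectInputFilter (Java 9+) rejects it before it is built.
 */
public class DeserializationDos {

    /*
     * Payload built only from java.util.HashSet and java.lang.String: a chain of
     * nested sets whose hashCode() is cheap while the sets are still empty (at
     * construction) but costs O(2^depth) once they are populated, which is what
     * HashSet.readObject() triggers when it re-adds each fully built element.
     * This mirrors the public "SerialDOS" construction; depth 100 never finishes.
     */
    static byte[] nestedSetPayload(int depth) throws IOException {
        Set<Object> root = new HashSet<>();
        Set<Object> s1 = root, s2 = new HashSet<>();
        for (int i = 0; i < depth; i++) {
            Set<Object> t1 = new HashSet<>(), t2 = new HashSet<>();
            t1.add("x");                 // keep t1 and t2 unequal so both are stored
            s1.add(t1); s1.add(t2);
            s2.add(t1); s2.add(t2);
            s1 = t1; s2 = t2;
        }
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(root); }
        return bos.toByteArray();
    }

    /** Step 1 (what a gadget-blocking patch does): allow-list classes only. */
    static Object readWithAllowList(byte[] data) throws IOException, ClassNotFoundException {
        Set<String> allowed = new HashSet<>(Arrays.asList("java.util.HashSet", "java.lang.String"));
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!allowed.contains(desc.getName())) {
                    throw new InvalidClassException("class not allowed", desc.getName());
                }
                return super.resolveClass(desc);
            }
        }) {
            return ois.readObject();     // the DoS payload passes this check unhindered
        }
    }

    /** Step 2: same allow-list plus graph limits; rejects before readObject recurses deep. */
    static Object readWithLimits(byte[] data) throws IOException, ClassNotFoundException {
        // Limits are demo values (assumption): tune maxdepth/maxrefs/maxbytes to the real format.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "java.util.HashSet;java.lang.String;!*;maxdepth=16;maxrefs=1000;maxbytes=65536");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] shallow = nestedSetPayload(8);    // 2^8 hash computations: harmless
        byte[] bomb    = nestedSetPayload(100);  // 2^100: never completes without limits
        System.out.println("allow-list accepts shallow payload: " + (readWithAllowList(shallow) != null));
        // readWithAllowList(bomb) would hang this thread: every class in it is allowed.
        try {
            readWithLimits(bomb);
        } catch (InvalidClassException e) {
            System.out.println("bounded filter rejected bomb: " + e.getMessage());
        }
    }
}
```

The allow-list is the right first step against gadget chains, but the nested-set payload consists entirely of allowed classes, so only the depth limit in the second reader turns an indefinite hang into an immediate InvalidClassException. Compile with javac and run the class; do not call readWithAllowList on the depth-100 payload.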
3. Solution Manager: a code injection vulnerability in SolMan.
SAP Security Note 2301837 addresses a code injection vulnerability in SAP Solution Manager (CVSS Base Score: 9.9). Depending on the injected code, an attacker can run code of their own choosing, read information that should not be displayed, modify or delete data, alter the system output, create new users with higher privileges, control the behaviour of the system, escalate privileges, or cause a denial of service.
4. Missing authorization check in SAP HANA: SAP HANA Enterprise has a missing authorization check vulnerability (CVSS Base Score: 5.5).
SAP Security Note 2321240 addresses this. An attacker can use a missing authorization check to reach a service without going through any authorization procedure and to use functionality that is meant to be restricted, which can lead to information disclosure, privilege escalation and further attacks. Install this Security Note to remove the risk.
In conclusion, the actions taken by adversaries are not confined to a single pattern. As the 2016 DBIR reports, external threat actors still account for more than 80% of breaches while internal actors account for under 20%; this suggests that the Privilege Misuse pattern, which often includes collusion between external and internal actors, may not be your greatest worry. Without discounting the importance of insider attacks, a "disgruntled" or "greedy" ABAP developer in your SAP Centre of Excellence, BASIS administrator, or GRC or roles-and-authorizations consultant may not be where you should place your biggest bets from a cyber-security risk management perspective as far as SAP is concerned. As an organization, you also need to invest in an SAP vulnerability management programme, as you have done, or are doing, with your GRC and roles-and-authorizations projects.
Clearly, the importance of full 360-degree security monitoring of your SAP landscape (vulnerability assessment, misconfiguration checks, segregation of duties and source code review) cannot be overemphasized, and understanding how attack patterns complement each other helps you decide where to prioritize your limited resources.
For more information on the other issues in the July Security Notes, see the cyber threat intelligence report.
Also, join me at the ISACA 2016 Annual Conference this August, where I will be speaking on the State of Risks in Business Critical Applications and will touch on some usually ignored but critical areas of SAP cybersecurity.