In 2014, records show that over 43 million data breaches were reported by companies around the globe. These breaches hurt the affected organizations by disrupting business continuity, exposing customer data, creating legal liabilities, putting intellectual property into the wrong hands and damaging reputation.
No doubt, the C-level is beginning to understand that effective cybersecurity initiatives entail collaboration across policy, governance and risk management, application security, information security and network security. However, in most SAP-run organizations application security has been confined to security patching alone… This is dangerous!
On the SAP front, a huge percentage of SAP security teams will agree that managing notes is not a small task, as there are functional notes as well as security notes to cater for every month. It is therefore imperative for CIOs and CISOs running SAP to understand the risk and impact definition of every note.
In today's piece, I examine some critical questions that leading CIOs have asked us in our SAP cybersecurity engagements. We hope it will assist other CIOs who might not have the opportunity to discuss them with DeltaGRiC.
Q: What are best practices for managing security notes?
A: The first best practice for security notes is to understand the vulnerabilities being discussed, in terms of both impact and likelihood of exploitation. Review the notes and discuss the specific ones that may impact the business with the development teams. For functional notes, I would advise a monthly note application cycle: import first into QA, then, after user acceptance testing and validation, push to production. For security notes, check the severity and criticality of each note, apply critical notes immediately, and prioritize the rest as a function of their severity.
Q: How do we deal with performance regression testing after patching on a monthly basis? Should we not rather do this quarterly?
A: Generally, not all notes require full regression testing. It is better to make the most of the application developers and configuration people in your organization, who can help flag the notes that will need regression testing. Note also that the volume of notes today, in 2016, is far too high: applying them quarterly would almost amount to running a full project, time and material you cannot afford when you also have to run the normal day-to-day business. It is better to have a fixed monthly note cycle so that the workload is evenly distributed.
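The triage described in the two answers above, as an added example that is not DeltaGRiC's or SAP's code: critical (HotNews) security notes are scheduled for immediate application, the remaining security notes are ranked by priority and CVSS score, functional notes ride the fixed monthly QA -> UAT -> production cycle, and each note is flagged for full regression testing only when an assumed rule says it needs it. The note numbers, CVSS scores, components and dates are constructed sample data; the apply windows, the UAT length and the regression rule are assumptions to be tuned per organization.

```python
"""Monthly SAP note triage: immediate vs prioritized vs monthly-cycle tracks,
plus a regression-testing flag.  Added example; sample data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# SAP's priority labels for security notes, most urgent first (HotNews = very high).
PRIORITY_RANK = {"HotNews": 1, "High": 2, "Medium": 3, "Low": 4}

# Assumed policy: maximum days from today to production, per priority.
APPLY_WINDOW_DAYS = {"HotNews": 0, "High": 14, "Medium": 30, "Low": 90}

# Assumed length of the user acceptance testing window before production.
UAT_DAYS = 14


@dataclass(frozen=True)
class Note:
    number: str                 # SAP note number (constructed below, not real)
    kind: str                   # "security" or "functional"
    priority: str = "Medium"    # only meaningful for security notes
    cvss: float = 0.0           # CVSS base score quoted in the security note, if any
    components: tuple = ()      # application components the note corrects
    manual_steps: bool = False  # note carries manual pre/post-implementation steps


@dataclass(frozen=True)
class Plan:
    number: str
    track: str            # "immediate", "prioritized" or "monthly-cycle"
    qa_by: date           # import into QA by this date
    prod_by: date         # push to production by this date
    needs_regression: bool


def needs_regression(note: Note, critical_components: set) -> bool:
    """Assumed rule: full regression only when a note touches a business-critical
    component or carries manual steps; other corrections get the standard checks."""
    return note.manual_steps or any(c in critical_components for c in note.components)


def triage(notes, today: date, next_cycle_start: date, critical_components: set):
    """Return one Plan per note, sorted by production due date, then priority, then CVSS."""
    keyed = []
    for n in notes:
        if n.kind == "security":
            if n.priority not in PRIORITY_RANK:
                raise ValueError(f"note {n.number}: unknown priority {n.priority!r}")
            track = "immediate" if n.priority == "HotNews" else "prioritized"
            qa_by = today                                # into QA right away
            prod_by = today + timedelta(days=APPLY_WINDOW_DAYS[n.priority])
            rank = PRIORITY_RANK[n.priority]
        elif n.kind == "functional":
            track = "monthly-cycle"                      # ride the fixed cycle
            qa_by = next_cycle_start
            prod_by = next_cycle_start + timedelta(days=UAT_DAYS)
            rank = 5                                     # after every security priority
        else:
            raise ValueError(f"note {n.number}: unknown kind {n.kind!r}")
        plan = Plan(n.number, track, qa_by, prod_by, needs_regression(n, critical_components))
        keyed.append(((prod_by, rank, -n.cvss), plan))
    keyed.sort(key=lambda kp: kp[0])                     # stable: ties keep input order
    return [p for _, p in keyed]


def regression_candidates(plans) -> list:
    """Note numbers, in schedule order, to hand to the developers for regression tests."""
    return [p.number for p in plans if p.needs_regression]


# Constructed sample batch for one month; these are NOT real SAP note numbers.
SAMPLE_NOTES = [
    Note("9000001", "security", "High", 8.1, ("BC-SEC",)),
    Note("9000002", "functional", components=("FI-GL",), manual_steps=True),
    Note("9000003", "security", "HotNews", 9.8, ("BC-MID-RFC",)),
    Note("9000004", "security", "Low", 3.1, ("BC-CCM",)),
    Note("9000005", "security", "High", 7.5, ("SD-BF",)),
    Note("9000006", "functional", components=("MM-PUR",)),
]
CRITICAL_COMPONENTS = {"FI-GL", "SD-BF"}   # assumed business-critical areas


def sample_plans():
    """Run the triage over the constructed batch with constructed dates."""
    return triage(SAMPLE_NOTES, date(2016, 3, 8), date(2016, 4, 4), CRITICAL_COMPONENTS)


if __name__ == "__main__":
    for p in sample_plans():
        print(f"{p.number} {p.track:13} QA by {p.qa_by}  prod by {p.prod_by}  "
              f"regression={p.needs_regression}")
    print("regression candidates:", regression_candidates(sample_plans()))
```

Sorting by production due date first means a low-priority security note with a 90-day window correctly lands behind the next functional cycle, while a HotNews note always heads the list; the stable sort keeps ties in the order the notes were released.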
Q: Can't we simply move to HANA and have all of our security problems solved?
A: Actually, moving to SAP HANA helps your data compression and reduces your data archiving and storage needs, but it greatly impacts your information security. Typically, you place a huge volume of data behind a single source for availability, so whilst you gain speed in data mining and spend less on storage, you could potentially be making huge volumes of your company's information accessible to hackers via that single source. This could make HANA a single point of failure if it is not configured or patched properly. Be aware that since the inception of SAP HANA, SAP security vulnerabilities have risen by over 200%. Hence, proper security monitoring of HANA using specialised tools is key to maintaining the integrity of your landscape. Otherwise, you could be flattening the "defense in depth" principle by using HANA.
Q: What does SAP code have to do with all this? Once I patch, am I not okay? Or does SAP code allow for exploitation again?
A: From an application development perspective, the SAP Business Suite consists of very complex code with dependencies on a great deal of external code as well. A single installation of SAP Business Suite comprises over 0.3 billion lines of code, on top of which organizations build additional custom code (Z programs). What you need to understand is that SAP also makes use of open source code, which in turn has dependencies on other code. Hence, it is imperative for customers to monitor their SAP code and SAP custom code critically in order to block potential exploitation opportunities for hackers.
Q: Why should I care?
A: Washington Post records for 2014 show that over 2 billion USD was paid out in cyber insurance premiums in the US alone. Also, the Ponemon Institute estimates the average corporate data breach to cost 3.5 million USD, combining data theft, intellectual property theft, denial of service, reputation damage etc. The cost of not caring is far too huge to recover from.
Q: How can I best evaluate my systems to determine whether my organization is vulnerable to hackers?
A: It is important to start from the point of audit:
Understand your organization's current security posture, identify security gaps and check external connections into SAP, leveraging your existing SAP security program by extending COBIT processes down into ERP security with special addendums addressing SAP security.
Also, to make a case to your board for budgetary investment in specialized tools, you may wish to compute the cost of the future investment versus the cost of a potential future security breach.
Ultimately, the C-level must come to terms with the fact that attacks on SAP are often slow and quiet in nature, distributed in time and involving the insertion of false transactions into SAP, and they are not necessarily carried out by whiz kids. With most IDS not understanding SAP traffic, it is important to invest in a security monitoring tool like the ERPScan Monitoring Solution delivered by DeltaGRiC Consulting in Africa.
To get us to answer some of your SAP cybersecurity questions, be sure to send us a mail at firstname.lastname@example.org