Water, they say, gives life and purity, and as the saying goes: it has no enemy!
…Perhaps this is not so true for the Department of Water Affairs of South Africa. Last week, during the Valentine's period, members of the World Hacker Team, one of Anonymous' subdivisions, took it upon themselves to send a love gift to South Africa's Department of Water Affairs (DWA) by breaching the department and releasing leaked data, including the real names, emails, and ID numbers of over 5,800 government employees and collaborators, as part of the group's #OpAfrica and #OpMonsanto campaigns.
#OpAfrica is an Anonymous social campaign launched to highlight the situation of child labor and government corruption in African countries.
Earlier in the year, I wrote about Turning the Tides on Cybersecurity in 2016; Lessons learnt from 2015 and examined some notable cyber incidents that occurred in 2015, citing the South African government's Wiki leak of confidential and top secret information as a grave example of a 2015 Africa hack. Less than a month after that write-up, another situation has arisen in South Africa, where more than 5,800 HR and Procurement data records have been displayed online as evidence of a cyber hack of the Department of Water Affairs in South Africa.
Given the model of this attack, it is very likely that the attackers may have taken advantage of trusted connections, integration points and/or universal user privileges on the already compromised systems to get into the SAP systems, leveraging published or 0-day vulnerabilities to plot further attacks on, and exploitation of, the SAP ERP landscape (if not already done). Clearly, SAP security still proves a huge challenge for most organizations.
To prevent these types of attacks, more collaboration between IT security and SAP security is the way forward to protecting SAP landscapes. Executive commitment without bias also needs to be given to SAP cyber security programmes, and guided investments should be made in technologies that can help prevent cyber-attacks and monitor SAP security.
Today, there are no guiding frameworks to govern the actual investigation and prosecution of these types of attacks in South Africa, or even in the whole of Africa. Hence, the repercussions of such cyber incidents are not only reputational damage but also, to a large extent, negative financial implications, as:
- There is reputational damage to the DWA (especially at a time when drought hits South Africa and confidence in the government dwindles)
- It could lead to huge litigation costs to the DWA, as we cannot rule out the fact that the contractors and/or business partners whose names have been published and whose fundamental rights of privacy have been breached as a result of DWA’s carelessness could go ahead to sue for damages (POPI act violation by DWA)
- It will definitely cost taxpayers of the Republic of South Africa a huge amount in recovery programmes plus ill-guided cyber investigations.
- From whatever perspective we look at this incident, it gives rise to an increase in the already huge premium on cyber insurance for the government, a liability that South Africa cannot afford in these hard economic times.
Allow me the liberty to share some quick and very important pointers for reducing the attack surface of an SAP landscape:
- Network filtering: a fundamental requirement for secure systems based on the SAP NetWeaver Application Server component. It reduces the attack surface to the least number of services required to be accessed by end users.
- Password Management: Default passwords, weak password policies, and old password hashes can lead to insecure systems and must be configured in a secure way.
- Secure HTTP (HTTPS) and Secure Network Communication: Cryptographically secured network communication is recommended to mitigate risks of interception of communication containing business data and user credentials (passwords, SAP logon tickets, and so on). Protection of cryptographic keys is also required.
- Remote Function Call (RFC) Connectivity with ABAP Programming Language: Security of SAP software systems relies on separation of systems of different security classifications (such as development, test, and production). If interconnectivity between systems of different security classification is required, it should be done considering guidelines to ensure the security of systems with higher classification.
- Gateway Security and Message Server Security: Secure configuration of gateways and message servers is required to mitigate the risk of unauthorized access to SAP software systems.
- Security Patch Management for ABAP: Security notes must be implemented to ensure that identified security vulnerabilities are closed and cannot be misused by attackers.
- Security Configuration Monitoring: As system configuration may change, monitoring of security configuration is essential to ensure systems remain in a secure state.
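To make the password, SNC, gateway/message server and configuration-monitoring pointers above concrete, here is an added example (not code from this article or from SAP) that audits the text of an instance profile against a small baseline. The parameter names are standard SAP profile parameters; the thresholds and the sample profile are assumptions constructed for illustration.

```python
# Illustrative baseline: thresholds are assumptions of this example,
# not an official SAP list. name -> (check on the value, expected setting)
BASELINE = {
    "login/min_password_lng": (lambda v: v.isdigit() and int(v) >= 8, ">= 8"),
    "login/password_downwards_compatibility": (lambda v: v == "0", "0"),
    "login/no_automatic_user_sapstar": (lambda v: v == "1", "1"),
    "snc/enable": (lambda v: v == "1", "1"),
    "gw/acl_mode": (lambda v: v == "1", "1"),
    "gw/sec_info": (bool, "path to a secinfo ACL file"),
    "gw/reg_info": (bool, "path to a reginfo ACL file"),
    "ms/acl_info": (bool, "path to a message server ACL file"),
    "rdisp/msserv_internal": (lambda v: v.isdigit() and int(v) > 0, "non-zero port"),
}

def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit(text):
    """Return (parameter, found, expected) for each deviation from BASELINE."""
    params = parse_profile(text)
    findings = []
    for name, (is_ok, expected) in BASELINE.items():
        found = params.get(name)
        if found is None:
            findings.append((name, "not set in profile", expected))
        elif not is_ok(found):
            findings.append((name, found, expected))
    return findings

# Constructed sample profile, not taken from any real system.
SAMPLE_PROFILE = """\
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 1
snc/enable = 0
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
rdisp/msserv_internal = 0
"""
```

A parameter reported as "not set in profile" falls back to the kernel default, so the effective value still has to be confirmed on the running system. Running the audit on a schedule and alerting on new findings is what turns it into configuration monitoring.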
Of course, whilst there may be a political undertone to this attack, one thing is sure: it is important for SAP-run businesses to take the data of their business, as well as that of their stakeholders (employees, contractors and other business partners), seriously and to invest in technologies that can help them keep a clean SAP cyber slate.
DeltaGRiC Consulting remains the only consultancy in Africa dedicated solely to helping organizations running on SAP to prevent cyber security and compliance violations on their landscape. For information on automating the process of securing SAP landscapes be sure to write to us on info[at]deltagricconsulting.com