Six Cybersecurity Challenges Facing IT Leaders
Aug 13, '20 by Joerg Schneider-Simon
In 2013, cybersecurity challenges ranked in seventh place among the most important issues facing IT management.
Today, cybersecurity ranks as the first or second most important challenge facing IT leaders.
It’s no wonder. High-profile data breaches are more common than ever before. And threats continue to grow at a rapid rate—both in their number and in their level of effectiveness.
More than 90% of the world’s top 2,000 companies use SAP to manage everything from purchasing to payroll, from R&D to managing industrial processes. Plus, attacks on SAP systems threaten not just the target companies, but also their customers, suppliers, and the wider supply chain. This is particularly alarming, considering SAP customers collectively distribute 78% of the world’s food and 82% of global medical devices.
Here are the top six SAP cybersecurity challenges facing IT leaders in 2020.
Hackers in 2019 published a number of exploits that are easy to download and use against SAP applications. These exploits allow hackers to compromise affected SAP applications and the critical business data they contain.
One SAP vulnerability being targeted is insecure default configurations of SAP Gateway and SAP Message Server. These two components are used by many SAP business applications and are common in many IT environments. According to researchers at Onapsis, around 900,000 SAP systems remain vulnerable to these misconfigurations. Is your organization one of them?
The best remediation for this vulnerability is to apply SAP Security Notes 821875 (2005), 1408081 (2009) and 1421005 (2010).
SAP works hard to distribute security patches (which it calls “security notes”) to make sure its clients’ systems are up to date. But the trouble is, when SAP patches come out, there is a window of increased vulnerability. This is because once cyber attackers are alerted to a vulnerability, they quickly figure out how to reverse-engineer the fix and exploit the vulnerability.
Despite this threat, most SAP customers do not regularly apply SAP security notes. Fewer than 30% of companies apply SAP security notes every month, most apply them every six months, and an alarming 13% don’t apply them at all, according to a survey by Protect4S.
The solution to this vulnerability is to apply SAP patches as soon as they are released. The security maintenance of installed SAP software is key to continuously protecting your enterprise against new types of attacks or newly identified weaknesses.
SAP applications are also vulnerable to social engineering attacks, particularly phishing and spear phishing.
With phishing, attackers send mass emails purporting to be from reputable companies, in an effort to trick multiple recipients into revealing personal information (such as passwords and credit card numbers), or inadvertently downloading malware.
With spear phishing, attackers target high-value individuals within an organization, going to great lengths to trick their targets with email messages appearing to come from sources that the target knows and trusts (such as superiors at the company, or company suppliers). The goal is the same—tricking recipients into revealing passwords and credit card numbers, or inadvertently downloading malware.
With social engineering, your employees are part of the problem—and part of the solution, which means the best protection against social engineering attacks is education. Teach your staff to:
- Never open emails from senders they do not know
- Never open email attachments from senders they do not know
- Never click links in emails from senders they do not know
- Never open emails in their spam folders
- Always use reputable antivirus software
Attackers continue to penetrate SAP systems through password cracking, the process of recovering passwords from data that has been stored in or transmitted by computers running SAP applications.
SAP does not store passwords themselves, only “password hashes”: strings produced by a hash function that transforms the plaintext password into a fixed-length value. There are several tools on the market designed to crack SAP password hashes, including John the Ripper and Hashcat.
To protect against password cracking, take the following steps:
- Define your password policies in your SAP environment and review them regularly. These policies set out rules governing password length, the required mix of letters, numbers and symbols, and how often passwords must be changed
- Make passwords easy to remember but difficult to guess
- Prevent workers from using weak passwords
- Set the number of logon attempts you allow before locking users out
- Monitor unsuccessful logon attempts
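The misconfiguration and password-policy points above both come down to instance profile parameters, so here is a small audit script that checks a profile excerpt against them. This is an added example, not bowbridge's or SAP's code; the parameter names are real SAP profile parameters, but the sample profile and the thresholds (12 characters, 90-day expiry, lockout after 5 failures) are this example's own assumptions.

```python
# Constructed excerpt of an SAP instance profile ("name = value" lines).
# Values mirror weak defaults; it is sample input, not a real system.
SAMPLE_PROFILE = """
# password policy
login/min_password_lng = 6
login/fails_to_user_lock = 5
login/password_expiration_time = 0
login/password_downwards_compatibility = 1
# gateway / message server access control
gw/acl_mode = 0
ms/monitor = 1
"""

def parse_profile(text):
    """Return {parameter: value} from a profile, skipping blanks and comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params

# (parameter, predicate that returns True when the value is acceptable, finding text)
# Thresholds are assumptions for this example, not SAP's own recommendations.
RULES = [
    ("login/min_password_lng", lambda v: int(v) >= 12, "minimum password length below 12"),
    ("login/fails_to_user_lock", lambda v: 1 <= int(v) <= 5, "no lockout within 5 failed logons"),
    ("login/password_expiration_time", lambda v: 0 < int(v) <= 90, "passwords never expire or live beyond 90 days"),
    ("login/password_downwards_compatibility", lambda v: v == "0", "weaker legacy password hash formats still generated"),
    ("gw/acl_mode", lambda v: v == "1", "gateway ACL mode not restrictive (open reginfo/secinfo defaults)"),
    ("ms/monitor", lambda v: v == "0", "message server monitoring reachable by all clients"),
]

def audit(params):
    """Return one finding string per rule the profile fails; [] means all rules pass."""
    findings = []
    for name, acceptable, msg in RULES:
        value = params.get(name)
        if value is None:
            findings.append(f"{name}: not set, release default applies (verify) - {msg}")
            continue
        try:
            ok = acceptable(value)
        except ValueError:       # non-numeric value where a number is expected
            ok = False
        if not ok:
            findings.append(f"{name}={value}: {msg}")
    return findings
```

Run `audit(parse_profile(SAMPLE_PROFILE))` to list the five weak settings in the sample; the lockout rule passes because `login/fails_to_user_lock = 5` already satisfies the assumed threshold.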
Insecure applications at the code level
Companies face a daily pressure to innovate. And until recently, security and privacy have been afterthoughts when it comes to software development, leaving many software applications with core vulnerabilities at the code level.
“If security or privacy is an afterthought, your transformative initiative will probably fail, potentially in spectacular fashion,” says Eric Knorr, Editor in Chief of CSO. “Get the security architects in there early, however, and sensible security becomes integral to the successful outcome—and can add to the appeal of resulting applications.”
One solution is to install SAP’s Code Vulnerability Analyzer, the static code analyzer that helps you identify and fix security vulnerabilities in your ABAP coding (Advanced Business Application Programming is the primary programming language supported on the SAP NetWeaver ABAP application server platform).
Insufficient layers of defense
The sixth and final cybersecurity challenge facing IT leaders today is defenses that are simply too thin.
Modern SAP applications are commonly exposed to untrusted users, untrusted networks, and untrusted devices. This requires organizations to implement robust security controls on the data that flows in and out of these applications.
The best security comes from multiple layers of security on top of traditional tools. Known as defense in depth, this practice places multiple layers of security controls (defenses) throughout IT systems. This redundancy increases the security of a system and protects against multiple attack vectors. If one layer of defense fails, the next layer is at the ready.
One solution to insufficient layers of defense is Secure Web Dispatcher by bowbridge. This exciting new software solution ensures the availability, integrity and performance of web-exposed SAP applications for on-premises and cloud-based SAP implementations.
Unlike competing solutions, Secure Web Dispatcher is software-only, cloud-ready and built specifically for SAP applications, making it the market’s only software-based Application Delivery Controller for SAP applications.
With its powerful access to data and mission-critical processes, it’s no surprise that SAP is becoming an increasingly popular target for cyberattack. The question is: How prepared is your organization to withstand these attacks?
We’ve discussed the top six cybersecurity challenges facing IT leaders. So, what is the verdict? Is your SAP system well-secured? Or is it low-hanging fruit for attackers? Find out by taking our SAP Cybersecurity Self-Assessment.