How to Improve Your SAP Security by Being Proactive

Nov 23, '21 by Joerg Schneider-Simon

Know what’s worse than discovering that your network has been breached by hackers?

Not discovering it.

When it comes to ensuring SAP security, even veteran cybersecurity professionals may operate in reactive mode. Instead of getting out ahead of threats, they wait to be attacked. Or they wait for someone to tell them about the latest vulnerabilities before taking steps to protect themselves.

Considering that the average cost of an SAP security breach is $5 million (and the risks are growing every day), you cannot afford to wait until hackers uncover a vulnerability before protecting your SAP systems. Here’s why—and how—to be proactive when it comes to your SAP security.

What an SAP Security Wake-Up Call Looks Like

The thing to remember about wake-up calls is that you get them when you are asleep. In the world of cybersecurity, wake-up calls happen when organizations get attacked – and realize they’ve been vulnerable all along.

As Exhibit A, consider SAP’s recent “unrestricted file upload vector vulnerability.” This class of vulnerabilities, which is included in CWE’s 2021 Top 10 Most Dangerous Software Weaknesses, allows attackers to upload or transfer files of dangerous types that can be automatically processed within the target environment.

Depending on which compliance framework is relevant to your organization, this vulnerability is classified in multiple ways, including:

  • PCI v3.1-6.5.1
  • PCI v3.2-6.5.1
  • CWE-434
  • ISO27001-A.14.2.5
  • OWASP 2013-A1
  • OWASP 2017-A1
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

What’s at Stake if You’re Caught Unprepared

One of the consequences of this vulnerability is that target systems may interpret an uploaded file as code. Hackers then use another vulnerability (typically XSS or OS command injection) to get this malicious code to execute.

Uploading a file onto a target system is always one of the first steps that attackers take in a multi-stage attack. They first upload a file to the server, then they use another vulnerability or clever social engineering to either get code to run on the server, or to get the client to download it.

This combination of unrestricted file upload with a potential remote execution is what creates the high-risk vulnerability. The first step of uploading the file is not critical. It’s the second step that creates the bigger problem. Breaking that chain at the earliest possible link will provide the highest level of protection.

How to Protect Against Unrestricted File Upload Attacks

To be proactive in protecting your organization against unrestricted file upload attacks, here are some steps to take today:

  • Authenticate all users. Ensure that the users who are uploading files are legitimate.
  • Restrict harmful file extensions. Limit uploads to file-types/extensions required by the business logic. Block all others.
  • Verify file types. Use MIME-type checks to ensure the content of files matches their extension.
  • Scan uploaded files. Use anti-virus software and anti-malware engines to scan files for malicious code.
  • Block active content. Use security software capable of detecting active-content attacks that are not classified as malware but still have the potential to compromise your application.
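The five checks above, combined into one server-side upload gate, as an added illustration that is not code from the original post or from any SAP product. The extension allowlist, magic-byte signatures and active-content patterns are a constructed example policy; anti-virus scanning is left to a separate engine and is only noted in a comment.

```python
import re
from pathlib import PurePosixPath
from typing import Tuple

# Constructed policy: the only extensions the business logic needs, each mapped
# to the byte signature the file content must start with.
ALLOWED_SIGNATURES = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}

# Markers of active content inside an otherwise "harmless" file type: these are
# not malware signatures, but a viewer or browser may execute them.
ACTIVE_CONTENT_PATTERNS = [
    re.compile(rb"/JavaScript|/OpenAction|/Launch", re.IGNORECASE),  # PDF actions
    re.compile(rb"<script", re.IGNORECASE),  # HTML/SVG smuggled into an image file
]


def validate_upload(filename: str, content: bytes, authenticated: bool) -> Tuple[bool, str]:
    """Return (accepted, reason); checks run in the order the post lists them."""
    # 1. Authenticate: anonymous uploads are refused outright.
    if not authenticated:
        return False, "upload requires an authenticated user"
    # 2. Restrict extensions: use only the final path component and reject
    #    double extensions such as "invoice.pdf.exe".
    name = PurePosixPath(filename).name
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be <name>.<ext> with a single extension"
    ext = parts[1]
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension .{ext} is not allowed"
    # 3. Verify the type from the bytes themselves; the client-supplied
    #    Content-Type header is attacker-controlled and is not consulted.
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, f"content does not match a .{ext} file"
    # 4. Anti-virus / anti-malware scanning would be invoked here via a
    #    separate engine (not shown in this example).
    # 5. Block active content that a signature-based scanner would not flag.
    for pattern in ACTIVE_CONTENT_PATTERNS:
        if pattern.search(content):
            return False, "active content detected"
    return True, "accepted"
```

Rejecting the file at this point breaks the attack chain at its first link, before any second vulnerability is needed to execute the content.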

Be Proactive With Your SAP Security

The key to elevating your SAP security is to take action before you are the victim of an attack or a data breach. Here are some practical, proactive steps to take.

  1. Conduct a vulnerability assessment. Also known as a cybersecurity audit, a vulnerability assessment defines, identifies, classifies, and prioritizes security vulnerabilities in your SAP systems and applications. It gives your organization the knowledge you need to react to threats in your SAP environments.

  2. Conduct penetration tests. One of the best ways to discover if your SAP systems are vulnerable is to hack into your own networks and find out. Penetration testing of SAP applications simulates the actions of malicious actors. The goal is to check for exploitable vulnerabilities, by hiring experts who will attack the system like hackers would. Penetration testing gives you the proof you need to patch detected vulnerabilities or deploy additional protection measures.

  3. Apply SAP patches immediately. SAP publishes around 20 Security Notes a month. That’s around one Security Note every one and a half days. SAP Security Notes contain SAP's expert advice regarding important action items and patches to ensure the security of your systems.

The key thing to know about SAP Security Notes is that hackers love them. As soon as SAP publishes a Security Note describing a new vulnerability, hackers immediately search for systems that have not applied that patch yet. In 2021, hackers typically attacked within 72 hours of SAP releasing a patch.

The lesson here is to apply SAP patches as quickly as possible. The only way to ensure that your SAP systems are as secure as possible is to apply security patches as soon as they're published.

Waking Up to a Secure SAP System

If you want to stay a few steps ahead of hackers, you must be proactive rather than reactive. Don’t wait until you are hacked to improve your defenses. Instead, take the battle to the hackers by fortifying your defenses beforehand.

If you need help protecting your SAP applications against viruses and malware, check out our Anti-Virus for SAP Solutions. If you are concerned about content-based attacks, check out how to protect your SAP applications from content-based attacks.
