
SAP Security Notes: What’s New, What’s at Stake

Feb 25, '19 by Joerg Schneider-Simon

Keeping your SAP system safe from cyberattack takes time, effort, and manpower. Busy cybersecurity teams are no strangers to effort, but time and manpower? Those are in short supply nowadays.

Shorthanded and short-on-time teams are faced with prioritizing their cybersecurity efforts, hoping that there will only be minor consequences if they let a task go unaddressed. Often, one of these neglected tasks is reviewing SAP security notes and applying the needed patches.

As it turns out, the consequences of this neglect can be severe.

The Reality and the Risks of Security Notes

Before diving in, it’s worth taking a look back at 2018:

  • A total of 215 SAP security notes were released.
  • Five HotNews (i.e. critical) notes were released.
  • 43 high priority notes were released.
  • The top vulnerability type was missing authorization check, followed by cross-site scripting.

To the uninitiated, it may not seem like a huge chore to apply 20 or so security patches per month. However, cybersecurity teams know it can take hours to apply these patches — hours they simply can’t spare. And even if they have the time, they may be leery of applying the patches due to fear of inadvertently breaking a business process and grinding the entire company to a halt.

And yet, applying these patches is more important than ever, according to the German Federal Office for Information Security, which confirms that if SAP systems are not patched in a timely fashion, they will be vulnerable to manipulation, sabotage, and data theft by attackers.

This threat is not idle.

The World Economic Forum’s 2019 Global Risks Report lays bare the risk that cybersecurity teams are facing, ranking cyberattacks in the top 10 most likely and most impactful threats:

“There were further massive data breaches in 2018, new hardware weaknesses were revealed, and research pointed to the potential uses of artificial intelligence to engineer more potent cyberattacks. Last year also provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national security grounds.”

An Expert View on Security Notes

To further examine this issue, we reconnected with Joris van de Vis of ERP-SEC, the makers of Protect4S, to discuss SAP security notes:

Joris, remind us why it's so important to keep patches up to date.

“It is an important line of defense in safeguarding your business-critical data. SAP is responsible for providing fixes, but you as a customer are responsible for applying them. Effective vulnerability management is the only way to keep your SAP systems in a secure state — especially in these times of highly-internet-connected SAP systems. In addition to security reasons, there is the question of compliance with regulations such as the EU GDPR.”

Can companies just apply the most high-priority patches and be okay? If not, why not?

“Risk is not black and white, so there are choices to be made. Completely reducing risk to 0% is not possible. However, you also don’t want any more risk than necessary, so it comes down to spending your budget wisely. In general, the biggest bang for your buck can be achieved by focusing on the HotNews and high priority patches, but then again, this might leave you vulnerable to medium and low risk vulnerabilities that, added together, can still pose a high risk. So yes, you can choose to only apply higher priority patches, but you need to be aware that this certainly doesn’t eliminate your risk completely.”

What situations have you seen take place when companies have NOT applied patches? 

“The most famous example we’ve seen in recent years is the Equifax breach, when the data of over 140 million US consumers was exposed. As it turns out, attackers were able to access this data by exploiting a vulnerability that had gone unpatched by Equifax for about two months. Could a breach have still taken place if Equifax had applied the patch earlier? Of course — but the narrower the window of exposure, the lower the odds of a successful attack.”

What Cybersecurity Teams Can Do

It’s all well and good to say, “Apply all your security patches!” But if cybersecurity teams simply don’t have the time and manpower to do so, the advice is less than helpful. So, what can busy cybersecurity professionals do about their SAP security patches?

As mentioned, patching some is better than patching none. If teams can at least carve out the time to apply the HotNews and high priority patches, it will provide much more security than doing nothing. An even better (and increasingly popular) option is to outsource the job to a specialized solution like Protect4S, letting it handle SAP security patch applications — much like bowbridge’s solutions do for SAP malware protection.

Staying on top of SAP cybersecurity is no small task. But by tackling the problem head-on and finding a workable solution that fits with their resources, companies can keep their SAP systems safe and functional in the coming year and beyond.
