SAP Security Vulnerability Profile: Government
May 17, '18 by Joerg Schneider-Simon
Processes and data: These are two things the average government agency has in abundance. And after decades of distributing massive procedural binders and struggling with file and document management, many government departments have found themselves drowning in inefficiencies.
Today, these entities are seeking out ways to reduce duplication and administrative burden. Many of them have turned to SAP to help streamline their processes and quickly share data and files.
It’s a sensible solution, considering SAP’s excellent track record and reputation. If not properly managed, however, SAP may also carry unexpected risks.
SAP Use in Government
With over 75,000 customers in 120 different countries, SAP is ubiquitous, and for good reason. In today’s environment, data is king. And any organization that does not make good use of its data will not be long for this world.
When it comes to government, the use of data is amplified to a massive degree. In fact, the public sector is the single largest producer and consumer of massive data.
Most departments and agencies gather, store, and share reams of data on a regular basis. From consumer taxation files to vital statistics, to agricultural production information, to data on every single weapon in a country’s military — the sheer volume of information is staggering.
To manage that data, share it among departments, and use it for analytics and forecasting, many governments rely on SAP modules such as SFIS, EHS, and ERP.
This would be all well and good, if governments had stronger cybersecurity.
In February, the CTO of CrowdStrike told CNBC that the US government is vulnerable to cyberattacks and greatly needs to improve its network protection.
On one hand, it might surprise some to hear that a wealthy, technologically advanced country like the US, with so much to lose, would not have top-line protection against cyberattacks.
On the other hand, the US government suffers from its sheer size and archaic processes, meaning quick decisions are virtually impossible. In fact, by the time they get around to buying a solution, it’s already outdated.
And it’s safe to say they’re not the only government with this problem.
Further complicating this situation is the fact that SAP itself has vulnerabilities that go largely unrecognized or unaddressed by many of its users:
- SAP applications with form fields for users to input information also provide an entry point for cyberattackers to conduct XSS attacks or redirections via malicious code entered into the form. Cyberattackers can also insert hidden malware into innocent-looking file attachments (like a CV or a purchase order) that launches a directory traversal attack as soon as the attachment is opened.
- Traditional OS-level antivirus programs can’t scan data or file uploads that go into SAP, either as on-access scans or scheduled scans. This is due to how files are stored in SAP:
  - Data and files uploaded into SAP are transmitted via an encrypted connection.
  - The SAP application will store the file either in the SAP database or in an SAP-proprietary data repository, NOT in standard operating system disk volumes.
  - Lastly, even advanced anti-virus programs do not connect to SAP’s virus scan interface.
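Because the uploaded bytes are only visible inside the application before they are written to the database or repository, that is where an upload has to be inspected. The sketch below is an added example, not code from this article, SAP, or any vendor product: a Python check that rejects traversal-style file names, attachments whose content does not match their extension, and documents carrying active content. The function names, the extension allow-list, the active-content markers and the sample uploads are all assumptions constructed for illustration.

```python
import posixpath
import re

# Assumed allow-list: extension -> leading magic bytes the content must carry.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
}
# Markers of active content (constructed heuristics, not a malware signature set).
ACTIVE = re.compile(rb"<script\b|/JavaScript\b|/OpenAction\b|vbaProject\.bin", re.I)


def safe_name(filename):
    """Return a bare file name, or None if it tries to leave the upload directory."""
    name = filename.replace("\\", "/")
    if "\x00" in name or name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return None
    if any(part == ".." for part in name.split("/")):
        return None
    return posixpath.basename(name) or None


def inspect_upload(filename, content):
    """Return (verdict, detail) for an upload before it is stored."""
    name = safe_name(filename)
    if name is None:
        return ("reject", "path traversal in file name")
    ext = posixpath.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is None:
        return ("reject", "extension not allowed")
    if not content.startswith(magic):
        return ("reject", "content does not match extension")
    if ACTIVE.search(content):
        return ("reject", "active content found")
    return ("accept", name)


# Constructed sample uploads (not real files).
SAMPLES = [
    ("cv.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj"),
    ("../../tmp/cv.pdf", b"%PDF-1.4\n"),
    ("purchase_order.pdf", b"MZ\x90\x00\x03"),
    ("cv.pdf", b"%PDF-1.4\n<< /OpenAction << /S /JavaScript >> >>"),
]

if __name__ == "__main__":
    for fname, data in SAMPLES:
        print(fname, inspect_upload(fname, data))
```

These checks are structural only; signature-based malware scanning of the same bytes is a separate step at the same point in the upload path.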
What’s the Risk?
We’ve already seen and heard multiple news stories about the proliferation of information theft. And what juicier target than the databases containing the personal information of every single citizen in the country? The US government already had a taste of that during the cyberattack against the Office of Personnel Management, with sensitive (read: ripe for blackmail) information reportedly being given to countries like China.
Beyond outright theft, there’s always the risk of data hacking and data integrity attacks. With international espionage shifting from cloak-and-dagger to Red-Bull-and-hoodie, it would be a tempting proposition for a country to sabotage its rivals by subtly changing vital bits of data. Considering that this data would be linked to things like national infrastructure, the economy, and weapons systems, any data integrity attacks could be catastrophic.
What Can be Done?
So … where does that leave the beleaguered public sector as they try to be more efficient while still staying safe from cyberattacks?
As they become more efficient, government agencies and departments can and should use their reclaimed time and resources to perform a deep-dive analysis of their current cybersecurity, focusing on three things:
- Protection: How hard is it for a cyberattack to penetrate our defenses?
- Detection: If one does get through, how quickly are we able to know what’s happening?
- Mitigation: How quickly and thoroughly can we neutralize the threat?
With 200 days being the average time between a malware infection and its discovery, governments have an enormous amount of work to do to develop cybersecurity processes that are nimble, responsive, and robust.
An additional way in which governments can help protect themselves from cyberattack is to adopt third-party anti-virus and application security solutions (like those from bowbridge) that are designed specifically for SAP, overcoming the inherent vulnerabilities mentioned earlier.
We’re living in a rapidly changing cybersecurity landscape, and the leaders of our nations and cities have a heavy responsibility to keep their — and our — sensitive data safe from cyberattack. There is hope, but only if the task is given the seriousness and swiftness it deserves.