SAINTGITS INSTITUTE OF MANAGEMENT

MANAGEMENT INFORMATION SYSTEM

PROJECT PHASE -3

SUBMITTED BY: SACHIN THOMAS GEORGE

RENU P H
SUBMITTED TO :MR.SARATH P
( ASSISTANT PROFESSOR)
SUBMITTED ON:16/06/2020
SAP

SAP is one of the world’s leading tech brands. Responsible for producing cutting edge
customer relationship management and tracking tools for businesses of all kinds, the German
company has a presence on every continent. It’s no exaggeration to say that, without SAP’s
products, the world of “just in time” delivery and lean management would be unimaginable.
Because of this, any security flaws in SAP products is a massive deal. Unfortunately, the past
few years have seen rising hacker threats to SAP applications, leading to in-depth discussions
about how (and whether) they can be secured in the future.

This article will look at why this matters, what kind of threats are occurring, and how
organizations can secure SAP apps and the data they process.

SAP: creating a new era of data processing, and new cyber-threats

Based in Walldorf, Germany, SAP has around 400,000 clients spread across the globe. It
operates in numerous sectors, delivering services like CRM, ERP, cloud storage, and
generalized data handling solutions.
As well as becoming a global leader in cloud-based storage (in cooperation with IBM), the
company has branched out into the Internet of Things, offering its data processing expertise,
alongside AI-based machine learning. Put together, this suite of services makes SAP a go-to
provider for the nuts and bolts IT required to run many modern businesses.
However, this also leads to a dependency on SAP which can present additional risks.
Whenever large amounts of information pass through applications, sensors, and storage
solutions, there is a risk of a data breach taking place. And that’s why SAP’s security is
constantly under the microscope. It’s vital to understand the risks before it’s too late. Don’t
let your organization take a place on lists of worst data breaches of 2019.

What security risks are associated with SAP products?

When security experts have peered into the microscope, the results haven’t necessarily been
pretty. SAP’s applications have experienced a sharp rise in malicious cyberattacks in recent
times that all clients need to be aware of.
The first signs appeared in 2012 when the hacking group Anonymous broke into SAP
systems held by Greece’s Ministry of Finance, coming away with a number of credentials for
ministry employees.
Soon after, special SAP malware started to appear. One of the malware samples used screen-
grabbing techniques to capture banking information and certificates. It also used keylogging
to harvest password data.

In other cases, older vulnerabilities have re-emerged from nowhere. For example, 2014 saw
an attack on GPU-maker NVidia using an old SAP NetWeaver vulnerability. Apparently,
NVidia had simply failed to implement an SAP approved patch, leading to a huge customer
service data breach.
Then came the biggest SAP-related security alert yet. The US Department for Homeland
Security released a US-CERT alert regarding the safety of ERP systems, with a focus on
SAP. This alert documented as many as 36 separate illicit intrusions into corporate SAP
systems from 2013-2016 – putting millions of records at risk.
Since then, the attacks and alerts have continued. In 2018, the US National Cybersecurity and
Communications Integration Center released a damning report on ERP security, citing: “A
rapidly rising interest by hacker activists, cybercriminals and government spy agencies” in
raiding vulnerable ERPs.
According to the report, at least 10,000 major organizations are running vulnerable SAP
implementations, and there are 4,000 separate bugs in SAP packages that attackers can
exploit. Moreover, as Gartner’s Neil McDonald puts it: “Publicly disclosed attacks are rare,
so the problem remains largely ignored.” There’s often an unwillingness to admit
weaknesses, both to safeguard share prices, resist expensive remedial investments, and ward
off potential attackers. That’s actually a recipe for continuing attacks.

Why are these SAP cybersecurity threats so challenging?

There are several reasons why SAP clients are vulnerable to cyberattacks:
Large attack surface. When numerous IoT, networks, and storage tools are connected in SAP
systems, this can present an appetizing target for hackers, and securing all systems can be
challenging.
Tempting targets. Hackers know that when clients implement SAP solutions, they do so
because they need to manage high-value data flows, so it’s usually worth expending effort to
hack into these networks.
Poor updating procedures. SAP solutions need to be patched and updated regularly, just
like any other IT solution. These patches aren’t always implemented, raising the risks
associated with cyberattacks. Companies often resist the need to patch, preferring to avoid the
hassle of disrupting CRM or payment systems – sometimes with devastating results.
Poor cybersecurity strategy. In some cases, companies choose to implement costly SAP
solutions but fail to couple this with an investment in cybersecurity. A few technicians may
be familiar with the risks but security knowledge may be lacking in the wider corporate
structure.
Careless employee behavior. This feeds into a final risk-magnifier. Many firms rely on SAP
software but have outdated employee security policy, leading to lax password and general
network security.
Are these cyberattacks and vulnerabilities a big deal?
While we know that there have been numerous reported, and even more unreported attacks
involving SAP systems, the scale of the threat may not be clear. But it’s important, to be
honest about this: anyone who uses SAP software and doesn’t invest in security solutions is
running a risk.
The average cost of SAP security breaches is estimated at $5 million per attack, and the risks
are growing. According to these figures, there was a 100% increase in publicly known SAP
exploits between 2017 and 2018. And off-the-shelf ERP hacking tools like Dridex are
commonplace among hackers and hacktivist groups.
Given that situation, managers who use SAP-based ERP or CRM systems should plan for an
attack on a “when”, not an “if” basis. Being prepared is non-negotiable unless you are happy
to suffer crippling reputational and financial risks.

PREVENTIVE MEASURES

Patches and updates

Above all else, it’s essential for SAP clients to update their systems systematically, just as
SAP representatives themselves recommend. It may be tempting to resist updates, especially
if your systems require downtime when patches are installed. But that’s a huge error. SAP
devs work hard to counter exploits as they appear, and as NVidia’s case demonstrated, even
years-old weaknesses can come back to haunt lazy users. It’s also worth noting that SAP site
offers a service called Support Packs, which combine multiple patches. They can be a good
way to catch up on long periods of missed updates.
Schedule regular SAP audits
It’s also really important to ensure that the code which underlies SAP systems is fit for
purpose. SAP’s software tends to use a language known as ABAP, and this can pose
problems for some companies. Relatively few organizations possess the skills required to
audit ADAP code, so many shut their eyes and pray. Don’t do that. If necessary, bring in
ABAP auditors.
Don’t always rely on SAP, be proactive
Thirdly, don’t assume that, because it is a reputable tech company, SAP will always
automatically apply security updates and ensure that clients are protected. In 2018, when the
various exploits became well-known, SAP released a series of patches designed to switch off
vulnerabilities. But this “switch” was left up to users to implement, even if the updates were
installed. So be proactive. Contact your SAP representative to ask about plugging security
gaps. They should be happy to help.
Tighten up employees’ security skills
As we discussed above, human error can be a major threat to SAP systems. For instance,
indiscipline staff members are more likely to click on unsolicited attachments in suspicious
emails, which can lead to virus infections. Small undetected infection can lead to a serious
data breach. So, train staff regularly to adopt healthy security habits. It sounds simple, but
many companies neglect these security basics – to their cost.

SUMMARY

In a SAP Distributed Environment, there is always a need that you protect your critical
information and data from unauthorized access. Human Errors, Incorrect Access Provisioning
shouldn’t allow unauthorized access to any system and there is a need to maintain and review
the profile policies and system security policies in your SAP Environment.
To make the system secure, you should have good understanding of user access profiles,
password policies, data encryption and authorization methods to be used in the system. You
should regularly check SAP System Landscape and monitor all the changes that are made in
configuration and access profiles.
The standard super users should be well-protected and user profile parameters and values
should be set carefully to meet the system security requirements.
While communicating over a network, you should understand the network topology and
network services should be reviewed and enabled after considerable checks. Data over the
network should be well protected by using private keys.