More than 95 percent of SAP systems are exposed to vulnerabilities that could allow an attacker to fully compromise a company's business data and processes, according to new research from SAP solutions provider Onapsis.
Many of these vulnerabilities have existed for years, said Mariano Nunez, CEO, Onapsis, in an interview with SCMagazine.com, making this finding somewhat surprising.
Perhaps this lack of patching can be understood, though, given that in 2014, SAP issued 391 security patches, with an average of 30 per month. Nearly 50 percent of those patches were considered “high priority,” as well.
Because SAP systems often run in the background and are key to essential business functions, IT security professionals are often reluctant to patch because the risk of disrupting the system or taking it offline is greater than keeping a vulnerability unpatched.
“From our perspective, IT security professionals shouldn't patch everything,” Nunez said. “[When they perform their first vulnerability scan] they will get a report with hundreds of thousands of vulnerabilities. They should analyze those vulnerabilities and prioritize based on the likelihood of someone exploiting them and criticality of the vulnerability and its patch.”
The most common cyber attack vectors, as identified by Onapsis, include customer and supplier portal attacks, direct attacks through SAP proprietary protocols, and customer information and credit card breaches using pivoting between SAP systems.
The most common attack, the customer and supplier portal attack, exploits various critical vulnerabilities that allow the hacker to access SAP Portals and Process Integration platforms and their connected internal systems.
The second most common attack through SAP proprietary protocols is performed by executing operating system commands under the privileges of the SAP administrators and exploiting a vulnerability in the SAP RFC Gateway.
To prevent against these attacks, Nunez against stressed the importance of patching, although only those most critical vulnerabilities need to be dealt with immediately.
“[IT security professionals] need to make [patching] a recurring practice,” he said. “They need to move SAP into their system vulnerability management programs and into their risk management programs. SAP continues to be a blind spot for them, so they need to create new processes and different techniques.”