Onapsis has released an e-book for CISO’s entitled The CISO’s Guide to SAP Cybersecurity Risks (email registration required). The SAP security failures are not the focus. Instead it looks at how SAP customers are failing to secure their systems properly. The report says:
“Many CISOs and their teams don’t have complete visibility into their SAP infrastructure, nor do they understand where the responsibility of SAP security lies within an organization.”
This is a fairly damning statement and highlights the problem of complex software systems. The report goes on to quote from Ponemon Institute saying: “There is discrepancy when it comes to who within an organization is primarily accountable if an SAP breach does occur. Thirty percent of respondents said that no one person is accountable, and 54% even stated that it is the responsibility of SAP, not of the company, to ensure that its applications and platform are secure.”
Too many patches and system complexity
SAP has done a lot in the last year to improve its response to vulnerabilities. It regularly delivers patches to customers but cannot enforce patching especially for on-premises installations. In May the US-CERT team issued an alert Exploitation of SAP Business Applications (TA16-132A). The focus was on outdated or misconfigured SAP systems and highlighted a vulnerability with the Invoker Servlet. SAP patched this in 2010 but not all customers have deployed it.
The report suggests that the problem is not only down to customers dragging their feet. It says: “SAP has released more than 3,500 security patches to date that address accumulating vulnerabilities in various SAP systems including 216 in 2015 alone— more than half of which were ranked as high priority.3 With patches being released at a rate of more than ~30 a month, organizations are having a tough time applying such a large number of complex patches to live systems—and are therefore leaving systems exposed to known vulnerabilities.
“Despite SAP releasing security patches, the patching process is complex and overwhelming; applying patches to live systems creates an additional risk of disrupting critical business operations. Therefore, SAP administrators are often reluctant to patch as taking a critical system offline can sometimes pose a greater threat than leaving the vulnerability unpatched. As a result, these mission-critical systems remain unpatched and exposed to vulnerabilities for up to years at a time.”
Poor security costing millions of dollars per minute
Putting numbers on security breaches is fiendishly hard. Many of the losses are hard to quantify leaving numbers as often more than guesswork than reality. However, the report does cite the CISO of a Fortune 100 company as: “placing losses from shut down SAP systems at $22 million a minute.”
It is not just about the cost from systems being down. Regulators are introducing stricter compliance with larger penalties. If the cybersecurity breach includes loss of data then there are other penalties that will apply. European customers in particular stand to lose millions when the General Data Protection Regulation comes into force in 2018. The penalty for serious breaches can be up to 4% of global turnover. Some companies will see losses of tens of millions of dollars on top of other business losses.
DevOps + Security to the rescue?
The use of DevOps to speed up software from development to production has been successful for a lot of companies. This is already seen as a key part of their enterprise modernisation but is not used by many security teams. The Onapsis e-book makes a good case for companies bringing security processes into a new DevOpsSec approach. This is not just about SAP. IBM, HP, Microsoft and other enterprise software vendors are also looking at this.
Onapsis suggests that there are three things that companies can do to improve their SAP security. These are:
- Assessment of their SAP environment. This will provide visibility of the risks from their current security patches. It will also show the business what an outage could cost it.
- Automation to improve the speed of patching. There has been a substantial increase in the number of SAP customers that are using Agile methods and continuous delivery, integration and deployment. It is important that security patches are brought in to the continuous integration and deployment phases.
- Adaptiveness looks at threat detection and the processes for predicting, preventing and responding to threats. This is something that most large enterprises have been developing as part of their security model. It is also a service offered by an increasing number of security vendors.
Questions and steps that Onapsis wants CISO’s to take
The book closes with 10 questions that CISO’s need to ask of their IT and security teams. These are aimed at discovering problems before and not after a security incident. It then delivers five steps that they can take to improve their organisations SAP security posture although it seems to be missing step five. Perhaps that’s because step four is an unashamed pitch to buy into Onapsis service offerings.
Conclusion
Despite being just 21 pages in length this is a fairly quick read. It is interesting that none of the questions, steps or processes are SAP specific. They are applicable to any enterprise IT environment. Customers should not have to spend large amounts of money and time on training and developing new processes.
The one thing that stands out is that customers need to do more to sort out their cybersecurity environment.
