Level 1: Check your SAP Cybersecurity Mindset

1. Our SAP systems are “internal only”. Their exposure to outside attackers is low/zero.

Best Answer: Fully Agree

However, even “internal only” systems are not 100% safe.

The internet is not the only “untrusted” network. With the erosion of network perimeters and the proliferation of mobile and roaming devices moving in and out of the corporate network, it is increasingly difficult for large organizations to segregate “safe” from “unsafe” networks. One compromised employee laptop or smartphone can be enough for an attacker to bridge into your network.

The infamous “insider threat” is very real when it comes to your mission-critical systems. Think of the harm that could be done by a disgruntled employee, a dishonest contractor or even a targeted attack, where a seemingly innocent visitor plugs a device into a hidden network socket in your office. In fact, 34% of all breaches in 2018 were caused by insiders.

The “Zero-trust” cybersecurity trend needs to be applied first and foremost to your mission-critical systems – like your SAP systems.

2. If only the production system has critical data, it’s enough to secure only those production systems.

Best Answer: Fully Disagree

Less critical (and less secure) systems can be an effective gateway to more mission-critical systems.

Think like a hacker. If you understand that SAP systems are interconnected, would you attack the most locked-down, secured and audited production system?

Or would you rather attempt to compromise the potentially less secured QA or even development systems, move “laterally” from there, and then escalate your privileges to the production system by exploiting shared passwords, RFC pivoting or even shared OS-level vulnerabilities?

Consistent security posture among all SAP systems is critical. Attackers will go for the “weakest link”. Security decisions need to apply to all SAP systems, regardless of whether they are production or not.
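One practical way to act on “consistent security posture” is to diff the security-relevant profile parameters of every non-production system against the production baseline and flag wherever a DEV or QA system is weaker. The script below is an added example, not code from the original article or its author; it assumes you have already exported a handful of profile parameter values per system into a simple mapping (the parameter names are real SAP profile parameters, the values and system IDs are constructed for this example):

```python
"""Landscape drift check: flag non-production SAP systems whose security
profile parameters are weaker than the production baseline.

Added example, not part of the original article. Assumes the parameter
values have already been exported per system (e.g. from RZ11/RSPARAM);
the numbers below are constructed sample data.
"""
import math

# Constructed sample: three systems and a few security-relevant parameters.
LANDSCAPE = {
    "PRD": {
        "login/min_password_lng": 12,
        "login/password_expiration_time": 90,
        "login/fails_to_user_lock": 5,
        "auth/rfc_authority_check": 1,
        "rdisp/gui_auto_logout": 900,
    },
    "QAS": {
        "login/min_password_lng": 8,       # weaker than PRD
        "login/password_expiration_time": 90,
        "login/fails_to_user_lock": 5,
        "auth/rfc_authority_check": 1,
        "rdisp/gui_auto_logout": 900,
    },
    "DEV": {
        "login/min_password_lng": 12,
        "login/password_expiration_time": 0,   # 0 = passwords never expire
        "login/fails_to_user_lock": 5,
        "auth/rfc_authority_check": 0,         # RFC authority check disabled
        "rdisp/gui_auto_logout": 0,            # 0 = auto-logout disabled
    },
}

# How each parameter must be judged against the baseline.
# higher_is_stricter        : value must be >= baseline
# lower_is_stricter         : value must be <= baseline
# lower_nonzero_is_stricter : like lower_is_stricter, but 0 means "disabled",
#                             which is the weakest possible setting
RULES = {
    "login/min_password_lng": "higher_is_stricter",
    "login/password_expiration_time": "lower_nonzero_is_stricter",
    "login/fails_to_user_lock": "lower_is_stricter",
    "auth/rfc_authority_check": "higher_is_stricter",
    "rdisp/gui_auto_logout": "lower_nonzero_is_stricter",
}


def is_weaker(rule, value, baseline):
    """Return True if `value` is a weaker setting than `baseline` under `rule`."""
    if rule == "higher_is_stricter":
        return value < baseline
    if rule == "lower_is_stricter":
        return value > baseline
    if rule == "lower_nonzero_is_stricter":
        # Treat 0 ("disabled") as infinitely weak so it always loses to a
        # non-zero baseline.
        def effective(v):
            return math.inf if v == 0 else v
        return effective(value) > effective(baseline)
    raise ValueError(f"unknown rule: {rule}")


def find_drift(landscape, baseline_sid="PRD"):
    """Compare every non-baseline system against the baseline system.

    Returns a sorted list of (sid, parameter, value, baseline_value).
    A parameter missing from a system is reported with value None, since an
    unset parameter cannot be assumed to match production.
    """
    baseline = landscape[baseline_sid]
    findings = []
    for sid, params in landscape.items():
        if sid == baseline_sid:
            continue
        for param, rule in RULES.items():
            base_val = baseline.get(param)
            if base_val is None:
                continue  # nothing to compare against in the baseline
            val = params.get(param)
            if val is None or is_weaker(rule, val, base_val):
                findings.append((sid, param, val, base_val))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for sid, param, val, base_val in find_drift(LANDSCAPE):
        print(f"{sid}: {param} = {val!r} is weaker than PRD ({base_val!r})")
```

Running it against the constructed landscape reports the short QA password length and the three disabled controls on DEV; the same pattern extends to any parameter you care about by adding a line to RULES, and a missing parameter is treated as a finding rather than silently skipped.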

3. We have SAP security covered. We have a team/tool taking care of roles, profiles, SoD and GRC.

Best Answer: Fully Agree

Standard SAP security is critically important. However, it’s still not enough.

SoD and GRC, while critical, are not sufficient to secure an SAP system, as they affect only the SAP Business Logic. They do nothing to protect the underlying SAP application layer (aka SAP BASIS Layer or SAP NetWeaver Layer), let alone the Database and Operating System Layers.

Successful attacks at lower layers, like the SAP Application Layer or even the OS layer, are likely to result in a full compromise of the system.

It is imperative that corporations take a more holistic view of SAP security.

Close cooperation with “traditional” IT-Security teams is mandatory, as is the implementation/designation of responsibility for SAP cybersecurity – that layer between the OS and the Business Logic that is commonly overlooked.

SAP Application Stack Security
If your answers matched ours, congratulations! Your organization has the right approach toward SAP cybersecurity. But…how savvy are you on SAP cybersecurity vulnerabilities? Ready to move on to Level 2? (Warning: The questions are going to get tougher.)