{"id":8963,"date":"2020-03-23T22:19:06","date_gmt":"2020-03-23T21:19:06","guid":{"rendered":"https:\/\/139-162-136-174.ip.linodeusercontent.com\/?page_id=8963"},"modified":"2022-11-15T10:46:06","modified_gmt":"2022-11-15T09:46:06","slug":"sap-cybersecurity-self-assessment-tool-level-1-results","status":"publish","type":"page","link":"https:\/\/www.bowbridge.net\/en\/sap-cybersecurity-self-assessment-tool-level-1-results\/","title":{"rendered":"Level 1: Check your SAP Cybersecurity Mindset"},"content":{"rendered":"

[vc_row css_animation=”qodef-element-from-fade”][vc_column][vc_column_text]<\/p>\n

1. Our SAP systems are \u201cinternal only\u201d. Their exposure to outside attackers is low\/zero.<\/h3>\n

Best Answer: Fully Agree<\/h4>\n

However, even \u201cinternal only\u201d systems are not 100% safe.<\/h4>\n

The internet is not the only \u201cuntrusted\u201d network. With the erosion of network perimeters and the proliferation of mobile and roaming devices moving in and out of the corporate network, it is increasingly difficult for large organizations to segregate \u201csafe\u201d from \u201cunsafe\u201d networks. One compromised employee laptop or smartphone can be enough for an attacker to bridge into your network.<\/p>\n

The infamous \u201cinsider threat\u201d is very real when it comes to your mission-critical systems. Think of the harm that could be done by a disgruntled employee, a dishonest contractor or even a targeted attack, where a seemingly innocent visitor plugs a device into a hidden network socket in your office. In fact, 34% of all breaches in 2018<\/a> were caused by insiders.<\/p>\n

The \u201cZero-trust\u201d cybersecurity trend needs to be applied first and foremost to your mission-critical systems \u2013 like your SAP systems.[\/vc_column_text]

\r\n\t
<\/div>\r\n<\/div>\r\n[\/vc_column][\/vc_row][vc_row css_animation=”qodef-element-from-fade”][vc_column][vc_column_text]<\/p>\n

2. If only the production system has critical data, it\u2019s enough to secure only those production systems.<\/h3>\n

Best Answer: Fully Disagree<\/h4>\n

Less critical (and less secure) systems can be an effective gateway to more mission-critical systems.<\/h4>\n

Think like a hacker. If you understand that SAP systems are interconnected, would you attack the most locked-down, secured and audited production system?<\/p>\n

Or would you rather attempt to compromise the potentially less secured QA or even development systems and move \u201claterally\u201d to then escalate your privilege to the production system exploiting shared passwords, RFC-pivoting or even shared OS-level vulnerabilities?<\/p>\n

Consistent security posture among all SAP systems is critical. Attackers will go for the \u201cweakest link\u201d. Security decisions need to apply to all SAP systems, regardless of whether they are production or not.[\/vc_column_text]

\r\n\t
<\/div>\r\n<\/div>\r\n[\/vc_column][\/vc_row][vc_row css_animation=”qodef-element-from-fade”][vc_column][vc_column_text]<\/p>\n

3. We have SAP security covered. We have a team\/tool taking care of roles, profiles, SoD and GRC.<\/h3>\n

Best Answer: Fully Agree<\/h4>\n

Standard SAP security is critically important. However, it\u2019s still not enough.<\/h4>\n

SoD and GRC, while critical, are not sufficient to secure an SAP system, as they affect only the SAP Business Logic. They do nothing to protect the underlying SAP application layer (aka SAP BASIS Layer or SAP NetWeaver Layer), let alone the Database and Operating System Layers.<\/p>\n

Successful attacks at lower layers, like the SAP Application Layer or even the OS-layer are likely to result in a full compromise of the system.<\/p>\n

It is imperative corporations take a more holistic view of SAP security.<\/p>\n

Close cooperation with \u201ctraditional\u201d IT-Security teams is mandatory, as is the implementation\/designation of responsibility for SAP<\/em> cybersecurity<\/em><\/strong> \u2013 that layer between the OS and the Business Logic that is commonly overlooked.<\/p>\n

\"SAP<\/h5>\n

[\/vc_column_text][vc_empty_space height=”50px”][vc_column_text css=”.vc_custom_1585230432088{padding-top: 20px !important;padding-right: 20px !important;padding-bottom: 20px !important;padding-left: 20px !important;background-color: #f4f4f4 !important;}”]<\/p>\n

If your answers matched ours, congratulations! Your organization has the right approach toward SAP cybersecurity. But\u2026how savvy are you on SAP cybersecurity vulnerabilities? Ready to move on to Level 2? (Warning: The questions are going to get tougher.)<\/h5>\n

[\/vc_column_text][vc_empty_space height=”20px”][\/vc_column][\/vc_row][vc_row content_aligment=”right”][vc_column width=”1\/4″][\/vc_column][vc_column width=”1\/2″][\/vc_column][vc_column width=”1\/4″]\n Level Up!<\/span>\n <\/i><\/span>\n<\/a>[\/vc_column][\/vc_row][vc_row][vc_column][vc_empty_space height=”60px”][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"

[vc_row css_animation=”qodef-element-from-fade”][vc_column][vc_column_text] 1. Our SAP systems are \u201cinternal only\u201d. Their exposure to outside attackers is low\/zero. Best Answer: Fully Agree However,…<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"content-type":"","footnotes":""},"class_list":["post-8963","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.bowbridge.net\/en\/wp-json\/wp\/v2\/pages\/8963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bowbridge.net\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.bowbridge.net\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.bowbridge.net\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bowbridge.net\/en\/wp-json\/wp\/v2\/comments?post=8963"}],"version-history":[{"count":33,"href":"https:\/\/www.bowbridge.net\/en\/wp-json\/wp\/v2\/pages\/8963\/revisions"}],"predecessor-version":[{"id":9783,"href":"https:\/\/www.bowbridge.net\/en\/wp-json\/wp\/v2\/pages\/8963\/revisions\/9783"}],"wp:attachment":[{"href":"https:\/\/www.bowbridge.net\/en\/wp-json\/wp\/v2\/media?parent=8963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}