A few days before the doors opened on SAP Sapphire Now 2019, SAP customers were likely alarmed by a Reuters headline that their systems are vulnerable to hackers.
The SAP exploit was not new, but the potential damage to SAP systems and data was considerable. Onapsis Inc., a Boston-based security and compliance monitoring software company, as well as a security research outfit, sounded the alarm that SAP customers were vulnerable to a configuration exploit released online.
SAP issued security patches that addressed the vulnerability in 2009 and 2013, but Onapsis' research found that many companies have not dealt with the issue. According to report, about 50,000 companies and 1 million SAP systems are currently running components affected by the SAP exploit and that 90% of the systems are not configured properly to defend against it.
In an interview conducted at Sapphire Now, Onapsis CEO Mariano Nunez and SAP chief security officer Tim McKnight discussed the specifics of the SAP exploit and what companies can do to protect their systems. Working in partnership with SAP, Onapsis also works with customers to identify and mitigate SAP security issues.
Editor's note: This interview was edited for brevity and clarity.
What are some of the biggest SAP security issues that customers have to deal with today?
Tim McKnight: The challenge is that it's an evolution every day with security. The bad guys are innovating as much as the good guys are -- and sometimes more. They're highly motivated for financial reasons, whether it's criminal actors or nation-states. And there are plenty of reasons to attack and exploit systems, whether it's stealing PCI data or social security numbers and background information.
What was the nature of the SAP exploit that recently made headlines?
Mariano Nunez: Two individuals released an attack tool [that targeted SAP systems] and published it online. So the risk equation changed. People have known about this issue for 10 years, but in reality it was a lower probability of it being exploited because it was only sophisticated hackers who could do this attack. Now the attack tool is on the internet and anyone can use it to point to an SAP system. So if you're doing risk management, it changes the risk. The impact is still as high as it was before, but now the probability is way higher.
How did this vulnerability work and what specific SAP vulnerabilities did it exploit?
Nunez: SAP has certain technical components that regulate which interfaces and systems can connect to SAP at a very technical level. You can have an interface with a vendor or some other ERP or business intelligence systems. On some of the more technical settings, there is a configuration that you need to apply to make sure that only allowed systems can talk to the SAP systems. It's similar to a firewall keeping you out. If you are an accepted system, you are allowed in and that system is approved in the firewall, but it will be blocked if it's not approved. The risk of this exploit is that the attacker pretends to be an SAP system and, therefore, has full access to the SAP environment.
Why is this particular tool dangerous for SAP systems?
Nunez: The challenge is that now people don't need to know [the technical details] to use this tool. They just need to point that tool against a system that's not secured properly. Publishing this exploit has lowered the entry bar for people to do this kind of attack.
What are some of the risks to SAP systems if this security exploit is used on a company?
Nunez: This weapon could give an attacker full control over an SAP system without having an SAP user name and password. That's why it's so critical. It's not that [a hacker] needs to have a user and then find some hole. This gives someone full control; they can extract data, modify data or disrupt processes.
Could a bad actor hold a company hostage by threatening to use this tool?
Nunez: Unfortunately, we're seeing some things like that -- ransomware. That's why companies should pay attention. They need to review the practices and guidelines that SAP put out years ago and start mitigating this, because the impact is substantial.
How did Onapsis determine that up to 50,000 SAP customers were vulnerable to this security exploit?
Nunez: We have about 300 large enterprise SAP customers [on our platform]. So we have a lot of data on how SAP systems were set up. Every time we work with a new customer, we do a system assessment. So we have hard data on how many SAP customers have been secure and changed that configuration or not. The 50,000 number is based on official data about how many systems are most likely running these components that this attack targets.
What's the best way for companies to deal with this specific problem?
McKnight: Patch early and often is still the mantra, and it's something customers have to do. As long as you are up to date on your patches and configured properly, you'll have no problem. But we recognize that's a challenge for some customers, and we need to help them get there. The other thing SAP's doing is we're extending our coverage for critical patches back to 24 months. That was something that was planned well before this story came out.
Nunez: It's really how organizations have governance programs against SAP cybersecurity. In many cases they are protecting the network, the end point, the windows systems, but they don't have the right framework to secure their SAP systems. There's a little bit of a gap in customers' maturity in terms of how they approach security problems -- that kind of lack of operational rigor and governance on how to secure the crown jewels.