
The difference between internal and external SAP attackers

SAP Cybersecurity Risks

Recently, we gave an insight into the known SAP attackers in our blog. Of course, it can already be deduced from this that there are internal and external SAP attackers. That is why today, we want to look at this from an SAP cybersecurity risk perspective.  

Even today, experts agree that the greatest threat comes from phishing and ransomware. The attack on Continental clearly illustrates this. But not only renowned industry leaders such as the automotive supplier Continental are affected. Every company is affected, even if the press does not report cyber incidents at a medium-sized company to the same extent as at Continental.  

Phishing targets the human component, such as an unknowing employee who doesn’t realize he has been tricked by an email. So, is this an external or internal SAP risk? What is the view when it comes to SAP application security? 

External SAP Cybersecurity Risk

To answer the question, we should first classify and define what an external risk is. At this point, we will move away from the example of phishing and focus on a specific SAP vulnerability that caused a furor in February 2022. We’re talking about the HTTP Smuggling Vulnerability, ICMAD (Internet Communication Manager Advanced Desync), identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 for the SAP Web Dispatcher, which you can patch with the Security Notes 3123396 and 3123427.

This example seems appropriate because the affected component, SAP Web Dispatcher, is often used as a proxy between the SAP application and insecure networks. In this application scenario, there is a risk of infiltration by an external attacker outside the corporate network.  

Because this vulnerability is accessible from the outside, we can classify it as an external risk. This type of risk is targeted by specialized attackers. For more on this, we recommend reading the article “Who are the typical SAP attackers.”

How should the SAP risk be rated?

Our SAP vulnerability example, ICMAD, was assessed using the standardized CVSS scoring procedure and received a score of 10.0 (Very High). This procedure rates vulnerabilities with a score of 1.0 (low) to 10.0 (very high). The score is not a roll of the dice; it is determined by the scoring procedure. However, such a rating system also has weaknesses, which become clear when we compare this rating with the one provided by the threat intelligence company Mandiant. Mandiant is a leader in threat intelligence and uses real attack information to evaluate vulnerabilities. Its experts contradict the CVSS assessment in that they downgrade the SAP risk to “high” since no exploitation has so far become known.

Internal SAP Cybersecurity Risk

In the application security area, it is also possible that an insider attack will occur. This type falls into the category of internal cybersecurity risks. Among other things, this includes data theft and malicious manipulation of business information.

It is unimaginable that employees of one’s own company suddenly turn against their employer. This is mostly not the case. The term “social engineering” describes techniques, tactics, and procedures used to make an innocent employee perform harmful actions. In simple terms, it is enough for the employee to open the door to the attacker. It is precisely these risks that are often difficult to identify and contain. Besides, you do not want to apply general suspicion to every employee. 

Analyzing application logs is usually the best method of detecting insider exploits. This is not easy in the case of SAP applications because there are many different logs.  

Monitoring the most important SAP S/4HANA logs is the only way to detect fraud and malicious manipulation. How fast you react to this depends on whether there are automatic notifications or if you manually and periodically monitor and evaluate. The risk you attribute to corresponding log items is very individual and depends on many factors.  

We have already described how to detect anomalies in another article.

So, which one is worse?

Both are equally devastating, but it depends on the nature of the industry and how the information gets leaked. Arguably, internal hacks could pose a greater threat than external ones. It can be devastating to a company’s profits and reputation if an employee sells SAP HANA secrets to a competitor or defaces its web portal (website, eCommerce, etc.). External hackers usually look for information they can sell or use for profit. Consequently, external hacks could have more monetary impact if a hacker gains access to your network or software, hides valuable information, and demands a ransom. 

Posted by

Ivan Mans
