
The difference between internal and external SAP attackers

SAP Cybersecurity Risks

Recently, we gave an insight into the known SAP attackers in our blog. Of course, it can already be deduced from this that there are internal and external SAP attackers. That is why today, we want to look at this from an SAP cybersecurity risk perspective.  

Even today, experts agree that the greatest threat comes from phishing and ransomware. The attack on Continental clearly illustrates this. But not only renowned industry leaders such as the automotive supplier Continental are affected. Every company is affected, even if the press does not report cyber incidents at a medium-sized company to the same extent as at Continental.  

Phishing targets the human component, such as an unknowing employee who doesn’t realize he has been tricked by an email. So, is this an external or internal SAP risk? What is the view when it comes to SAP application security? 

External SAP Cybersecurity Risk

To answer the question, we should first classify and define what an external risk is. At this point, we will move away from the example of phishing and focus on a specific SAP vulnerability that caused a furor in February 2022. We’re talking about the HTTP Smuggling Vulnerability, ICMAD (Internet Communication Manager Advanced Desync), identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 for the SAP Web Dispatcher, which you can patch with the Security Notes 3123396 and 3123427.

This example seems appropriate because the affected component, SAP Web Dispatcher, is often used as a proxy between the SAP application and insecure networks. In this application scenario, there is a risk of infiltration by an external attacker outside the corporate network.  

Because this vulnerability is accessible from the outside, we could classify it as an external risk. Risks of this type are targeted by a particular kind of attacker. For this, we recommend reading the article “Who are the typical SAP attackers.”

How should the SAP risk be rated?

Our SAP vulnerability example, ICMAD, was assessed using the standardized CVSS scoring procedure and received a score of 10.0 (Very High). This procedure rates vulnerabilities with a score of 1.0 (low) to 10.0 (very high). The score is not determined by a roll of the dice but derived from the scoring procedure. However, such a rating system also has weaknesses, which become clear when we compare this rating with the one provided by the threat intelligence company Mandiant. Mandiant is a leader in threat intelligence and uses real attack information to evaluate vulnerabilities. Its experts contradict the CVSS assessment in that they downgrade the SAP risk to “high” since no exploitation has so far become known.

Internal SAP Cybersecurity Risk

In the application security area, it is also possible that an insider attack will occur. This type falls into the category of internal cybersecurity risks. Among other things, this includes data theft and malicious manipulation of business information.

It is unimaginable that employees of one’s own company suddenly turn against their employer. This is mostly not the case. The term “social engineering” describes techniques, tactics, and procedures used to make an innocent employee perform harmful actions. In simple terms, it is enough for the employee to open the door to the attacker. It is precisely these risks that are often difficult to identify and contain. Besides, you do not want to apply general suspicion to every employee. 

Analyzing application logs is usually the best method of detecting insider exploits. This is not easy in the case of SAP applications because there are many different logs.  

Monitoring the most important SAP S/4HANA logs is the only way to detect fraud and malicious manipulation. How fast you react to this depends on whether there are automatic notifications or if you manually and periodically monitor and evaluate. The risk you attribute to corresponding log items is very individual and depends on many factors.  

We have already described how to detect anomalies in another article.

So, which one is worse?

Both are equally devastating, but it depends on the nature of the industry and how the information gets leaked. Arguably, internal hacks could pose a greater threat than external ones. It can be devastating to a company’s profits and reputation if an employee sells SAP HANA secrets to a competitor or defaces its web portal (website, eCommerce, etc.). External hackers usually look for information they can sell or use for profit. Consequently, external hacks could have more monetary impact if a hacker gains access to your network or software, hides valuable information, and demands a ransom. 

Posted by Ivan Mans
