Skip to content
Linkedin Twitter Facebook Xing
< Back to Overview

The difference between internal and external sap attackers

SAP Cybersecurity Risks

Recently, we gave an insight into the known SAP attackers in our blog. Of course, it can already be deduced from this that there are internal and external SAP attackers. That is why today, we want to look at this from an SAP cybersecurity risk perspective.  

Even today, experts agree that the greatest threat comes from phishing and ransomware. The attack on Continental clearly illustrates this. But not only renowned industry leaders such as the automotive supplier Continental are affected. Every company is affected, even if the press does not report cyber incidents at a medium-sized company to the same extent as at Continental.  

Phishing targets the human component, such as an unknowing employee who doesn’t realize he has been tricked by an email. So, is this an external or internal SAP risk? What is the view when it comes to SAP application security? 

External SAP Cybersecurity Risk

Answering the question, we should first classify and define what an external risk is. At this point, we will move away from the example of phishing and focus on a specific SAP vulnerability that caused a furor in February 2022. We’re talking about the HTTP Smuggling Vulnerability, ICMAD (Internet Communication Manager Advanced Desync), identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 for the SAP Web Dispatcher, which you can patch with the Security Notes 3123396 and 3123427.  

This example seems appropriate because the affected component, SAP Web Dispatcher, is often used as a proxy between the SAP application and insecure networks. In this application scenario, there is a risk of infiltration by an external attacker outside the corporate network.  

In the case of this vulnerability, which is accessible from the outside, we could classify it as an external risk. This type of risk is attacked by special attackers. For this, we recommend reading the article “Who are the typical SAP attackers.” 

How should the SAP risk be rated?

Our SAP vulnerability example ICMAD was assessed using the standardized CVS scoring procedure with a 10.0 (Very High) score. This assessment measures vulnerabilities with a score of 1.0 (low) to 10.0 (very high). The score is not rolled off the dice but determined based on the scoring procedure. However, such a rating system also has weaknesses, which become clear when we compare this rating with the rating provided by the Threat Intelligence company Mandiant. Mandiant is a leader in Threat Intelligence and uses real attack information to evaluate vulnerabilities. The experts contradict the CVSS assessment in that they downgrade the SAP risk to “high” since no exploitation has so far become known. 

Internal SAP Cybersecurity Risk

In the application security area, it is also possible that an insider attack will occur. This type can account for the category of internal cybersecurity risks. Among other things, this includes data theft, malicious manipulation of business information, etc.  

It is unimaginable that employees of one’s own company suddenly turn against their employer. This is mostly not the case. The term “social engineering” describes techniques, tactics, and procedures used to make an innocent employee perform harmful actions. In simple terms, it is enough for the employee to open the door to the attacker. It is precisely these risks that are often difficult to identify and contain. Besides, you do not want to apply general suspicion to every employee. 

Analyzing application logs is usually the best method of detecting insider exploits. This is not easy in the case of SAP applications because there are many different logs.  

Monitoring the most important SAP S/4HANA logs is the only way to detect fraud and malicious manipulation. How fast you react to this depends on whether there are automatic notifications or if you manually and periodically monitor and evaluate. The risk you attribute to corresponding log items is very individual and depends on many factors.  

We have already described how to detect anomalies in another article. To learn more about it, click here

So, which one is worse?

Both are equally devastating, but it depends on the nature of the industry and how the information gets leaked. Arguably, internal hacks could pose a greater threat than external ones. It can be devastating to a company’s profits and reputation if an employee sells SAP HANA secrets to a competitor or defaces its web portal (website, eCommerce, etc.). External hackers usually look for information they can sell or use for profit. Consequently, external hacks could have more monetary impact if a hacker gains access to your network or software, hides valuable information, and demands a ransom. 

Posted by

Ivan Mans

Find recent Security Advisories for SAP©

View Advisory for Oct'22
Whitepaper - Top SAP security mistake to avoid

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

SAP security by design
SAP Cybersecurity
Christoph Nagy

6 Principles for Security-by-design for SAP

Security-by-design is a principle that emphasizes the need to build security measures into software systems from the start rather than as an afterthought.

SAP projects need to embed security conciseness to respect this principle and gain a cyber-resilient application. Thus, they should prioritize security when designing and implementing their SAP systems rather than attempting to bolt on security measures afterward. This can help to prevent security breaches and minimize the damage caused by cyberattacks.

Read More »
March 31, 2023 No Comments
SAP security by design

6 Principles for Security-by-design for SAP

SAP Cybersecurity
Security-by-design is a principle that emphasizes the need to build security measures into software systems from the start rather than as an afterthought. SAP projects need to embed security conciseness to respect this principle and gain a cyber-resilient application. Thus, they should prioritize security when designing and implementing their SAP systems rather than attempting to bolt on security measures afterward. This can help to prevent security breaches and minimize the damage caused by cyberattacks.
coding

Remote Code Execution (RCE) Vulnerability in SAP 

SAP Vulnerability
Remote Code Execution (RCE) vulnerability in SAP is a type of security issue that allows an attacker to execute arbitrary code on a target system remotely. has gained control of a user's click, they can execute a range of actions, such as transferring funds, changing user settings, or stealing sensitive data.
Management Dashboard

SecurityBridge Introduces The SAP Management Dashboard – The Real-Time, Customizable Data View and Analysis Solution For SAP Security

Press coverage
SAP security provider SecurityBridge—now operating in the U.S.—today announced the latest addition to the SecurityBridge Platform—the Management Dashboard for SAP security. The SAP Management Dashboard is a no-cost, additional application for the existing SecurityBridge Platform that combines all SAP data aspects and presents the information through a customizable, single pane of glass security dashboard view.
Hacker mining SAPsecurity

How to detect script-based attacks against SAP? 

SAP Cybersecurity- SAP Vulnerability
In recent years, cyberattacks against SAP systems have become more common, with attackers gaining network access and then exploring critical applications through port scanning and script-based exploration. Two examples of such attacks that use the SAP RFC SDK are the password lock attack and the password spray attack. In this article, we will outline how to detect these script-based attacks against SAP.