The asymmetry between attackers and defenders

SAP systems manage many vital aspects of our businesses. SAP-based applications serve as the digital backbone of many organizations, supporting logistics (SAP LO), financials (SAP FI), human resources (SAP HR), and other important processes. SAP modules hold and process sensitive company data that needs to be protected from increasing cyber threats around the globe. It is commonly known that such enterprise-critical applications provide a huge attack surface that customers have to manage. Ignoring a single attack vector could lead to an outage, data exfiltration, or corruption of important data assets. If a threat actor succeeds, the company risks loss of reputation, financial damage, or legal fines.

SAP systems contain millions of dollars’ worth of information that must not be disclosed to attackers. Unfortunately, the likelihood of such an event is very high because the company’s defenders are engaged in an unfair battle.

Complex, enterprise-critical systems are not secure by design and by default. Defenders must put in effort, usually manual, to build and maintain a secure configuration. Once accomplished, the security posture needs to be maintained continuously and long-term, while the system is subject to frequent change and version updates.

Attackers’ advantage

A simple principle of life is that destroying is easier than building. Unfortunately, in many IT scenarios, it is also easier to attack than to protect. Why is this so, you might ask? Imagine the thousands of parameters that exist to secure an SAP system: unless they are maintained with security in mind, they represent a catalog of vulnerabilities an attacker can choose from.

Besides the secure configuration, the defenders need to monitor for commonly known security flaws within the standard product and apply the manufacturer’s patches soon after their release. 

The SAP and cybersecurity teams mostly have limited resources to cover all attack vectors. Consequently, they may lose the battle when an attacker takes advantage of a small loophole to carry out an attack with immense impact on the organization.

Asymmetry between attackers and defenders

SAP protection is a challenging task due to the complexity of the system, but other factors also contribute to the attacker’s advantage. Many of these factors are on the side of attackers. Let’s have a look:

  • One vulnerability is enough
  • Limited people
  • Human error
  • Unknown vulnerabilities (Zero Days)
  • Inefficient detection and response process 
  • Logging not enabled
  • Insufficient hardening of systems
  • Missing overview or transparency
  • Lengthy processes cause late patching of vulnerabilities
  • Custom code that contains vulnerabilities

These are just a few reasons; there may be other conditions under which attackers can gain access to your SAP systems to steal your company’s data.

SAP Protection

A drastic transformation must take place to bring about a change in the scenario outlined above. With the goal of increasing SAP security, organizations must begin to equip themselves with tools to help defend and, more importantly, monitor their virtual walls. In a virtual world, walls are typically not broken down; they are bypassed.

Experience shows that it does not help to define a security requirement for SAP-based systems that you cannot implement or comply with. In particular, ensuring compliance with the directives involves recurring efforts, audits, and adjustments; in reality, it is not only often neglected but is also too tedious.

Technology vs Attackers

With the right tool, even small teams can build and maintain a more effective line of defense. The “right” tool is characterized by helping you monitor the configuration, detect intrusions, and eliminate vulnerabilities in the standard product or custom code. Only by gaining control over these areas will it be possible to protect and defend SAP systems in an ongoing Cyber War.

Seize your chance and use technological evolution to your advantage.

Finally, I would like to end on a note that you probably won’t like. No matter what manual protections you have in place for your SAP systems, they are probably already outdated, modified, or ineffective.
Be aware that your opponents are not static, but will react very dynamically to changing circumstances. Attackers are constantly changing their methodologies and techniques and, thanks to the Internet, have access to an almost infinite knowledge base.

Securing your SAP landscape should be imperative, but unfortunately, most SAP systems are insufficiently secured. The whitepaper describes the major steps on your road to securing enterprise-critical applications based on SAP SE products. 

Download the whitepaper YOUR ROAD TO SAP SECURITY to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.

Posted by

Christoph Nagy