We’ve all seen the way too familiar news reports:
A massive data breach has occurred. Millions of customer records have been hacked. The company issued a statement, the CEO has stepped down and the stock has plummeted.
A recent study by Ponemon Institute (2017 Cost of Data Breach Study: Global Overview) showed that the average cost of a data breach was $3.62 million, and the average cost for each lost or stolen record containing sensitive and confidential information is $141.
Many analysts took notice of the unique characteristics and elements related to SAP cyber security:
SAP Company-wide security countermeasures
Over the years SAP has been creating company-wide countermeasures to potentially successful attacks. In the SAP market one can see internally SAP developed solutions related to
These tools come on top of the more standard IT-wide tools like firewalls, intrusion detection systems, security information and event management systems, or antivirus software.
So many SAP security solutions, am I not covered?
There are several problems common to most organizations that none of these solutions address.
Monitoring profile parameters from within the SAP application layer will not find any changes until it is too late
Neither of these two problem-causing issues is covered by any of the solutions mentioned above. One example is profile parameter changes.
SAP has three types of profiles (system profiles): default, start and instance. They contain the parameters that specify how to start up an instance and how to set the numerous variables that define the way the SAP instances and system work. These parameters change the system-global and instance settings and define the management of processes, memory buffers, ports, the start parameters for the instance and more. Monitoring profile parameters merely from within the SAP application layer itself will not find any changes until they have taken effect, which is too late. Proper profile monitoring needs to take place at the operating system level, so that any change is reported before it becomes active within the application layer.
Protecting the SAP system profiles is extremely important as a change there or hacker access could be detrimental to the system and the organization.
SAP base level administrative user - security issue
There is a little-known secret for breaking into an SAP system. The base level administrative user (called SAP*) in an ABAP system has the same password on all systems. It is used during the base installation and is then locked down via a profile parameter setting that acts like a light switch: logon with the default password is either enabled or not. This profile parameter can be changed at the operating system level, meaning anyone who has access to the operating system can turn the switch on or off. The catch is that the SAP application needs to be shut down and started again for the parameter change to take effect. A malicious attacker may make this change at the OS layer and then wait for the system to be restarted during regular maintenance. Once into SAP with these credentials, the amount of damage that can be done is beyond comprehension.
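The OS-level monitoring described in the two sections above, as an added example (not Xandria's code and not from the original post): it parses SAP profile files in their `key = value` syntax, diffs the current file against a saved baseline, and ranks each change, so the alert fires when the file is edited rather than at the next restart. The sample profiles are constructed; `login/no_automatic_user_sapstar`, `login/min_password_lng` and `auth/rfc_authority_check` are real SAP parameter names, but the watch list is illustrative, not a complete hardening baseline.

```python
"""OS-level watcher for SAP profile files: parse, diff against a baseline, rank the changes."""

# Parameters whose modification should page someone immediately. Real parameter names;
# the list itself is a constructed example, not a complete SAP hardening baseline.
CRITICAL = {
    "login/no_automatic_user_sapstar": "1",  # 1 = hard-coded SAP* with default password disabled
    "login/min_password_lng": None,           # no single safe value: any change is suspicious
    "auth/rfc_authority_check": None,
}

def parse_profile(text):
    """Parse SAP profile syntax: '# comment' lines, 'key = value' lines, blank lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def diff_profiles(baseline, current):
    """Return (key, old, new) for every parameter that was added, removed or changed."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes.append((key, old, new))
    return changes

def assess(changes):
    """Rank changes: a CRITICAL parameter leaving its safe value is HIGH, other edits INFO."""
    alerts = []
    for key, old, new in changes:
        if key in CRITICAL:
            safe = CRITICAL[key]
            sev = "HIGH" if (safe is None or new != safe) else "MEDIUM"
        else:
            sev = "INFO"
        alerts.append((sev, key, old, new))
    return alerts

# Constructed sample: the baseline instance profile and the same file after an unauthorized edit.
BASELINE = """# Instance profile (constructed example)
SAPSYSTEMNAME = XYZ
login/no_automatic_user_sapstar = 1
login/min_password_lng = 8
rdisp/wp_no_dia = 10
"""
TAMPERED = BASELINE.replace("sapstar = 1", "sapstar = 0").replace("wp_no_dia = 10", "wp_no_dia = 12")

if __name__ == "__main__":
    for sev, key, old, new in assess(diff_profiles(parse_profile(BASELINE), parse_profile(TAMPERED))):
        print(f"[{sev}] {key}: {old!r} -> {new!r}")
```

In production the baseline would be a hash-verified copy taken after the last authorized change and the current file read from the profile directory on each run, with HIGH alerts routed to the on-call channel.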
SAP database access - different than any other database vulnerability
SAP is unique in that 99% of the application is held within the database. While most applications may hold data in the database, SAP goes further: even things like support packs and administrative data are held at the database layer. Pretty much anyone with direct access to the database has the ability to do serious damage to the overall system, so it is easy to see how important the security of the SAP database is. The connection from the SAP application layer to the database is made with very specific security credentials. Monitoring for additional or new database users can easily put a stop to malicious activity, and will make your auditors happy.
Do your systems protect SAP system profiles?
In our experience no current solution protects you against an accidental opening of the system profiles, unauthorized base level access, unauthorized access to the SAP database and many other elements of the system. This is why we’ve added a feature in Xandria that notifies the designated user in case of a system profile change or opening. As with all of the checks we’ve added in the past twenty years, it comes pre-configured out of the box, so that a lack of specialists, inexperienced SAP operators or any customization will have no effect on system security.