A recent study reveals that ERP systems, including SAP, are more vulnerable to insider attacks
The recent Data breach report by IBM reveals that malicious insiders are equally liable for the data breaches. Many of us think that stolen or compromised credentials are the primary or the most common cause of a data breach.
It is also evident that Insider attacks by these malicious insiders are most common across the ERP systems and pose a potential threat to the organization’s key assets, i.e., data. Here are a few facts:
- 6 out of 10 data thefts in the past 3 years are by malicious insider attacks, while only 4 are by external threats.
- Nearly half of all data breaches happen in the cloud. It cost $4.24M loss on average for organizations that are on private clouds and $5.02M for organizations in public clouds.
- According to the “Insider Threat Report 2022”, insider attacks are a much more significant threat. As far as the security of SAP systems is concerned, insider attacks are by far the greatest problem.
- Identifying a malicious insider attacks is a tougher task than an external event
The focus of this blog is on securing the SAP systems. However, ToggleNow has expertise in Oracle GRC and can build Ruleset for other ERP packages as per the customer’s requirement.
Did you ever think of the potential reasons for malicious insider attacks? If not, here is what you should know:
Unstructured Authorizations are the Primary Culprits
Many of the insider attacks are by employees who cause problems either intentionally, unintentionally, or by mistake. A recent study reveals that the main reason for unintended security incidents was that the authorizations were granted too generously (Wider authorizations).
This is a common issue in SAP systems where roles and authorizations are developed ad-hoc and from time to time they are piled up. With the complexity of an ERP system, it is easier for administrators – who do not necessarily have the expertise required to appropriately restrict authorizations – to assign authorizations by way of general role descriptions. This gives wider authorizations.
Secondly, not auditing the system for non-Dialog users such as communication, system, or service. Malicious insider attacks typically target these IDs, which usually have broader authorizations. It is therefore vital to audit them periodically and set up processes to utilize them correctly.
Third on the list of reasons for security problems is the complexity of the relevant systems. A new way of working has been introduced by Industry 4.0. This is the age of systems communicating with one another. Furthermore, SAP AG acquired many products, including S/4 HANA, C/4 HANA, the SAP Cloud Platform, SAP Ariba, SAP Success Factors, etc. It is crucial to secure not only the systems but also the interfaces since these systems are interconnected. There is a high level of vulnerability in cloud-based systems as well, as previously mentioned.
The latest IBM report indicates that cloud systems are equally vulnerable to attacks. It has been estimated that 45% of breaches have happened in the cloud.
Nearly half of all data breaches happen in the cloud
While 45% of breaches occurred in the cloud, organizations with hybrid cloud models had lower average data breach costs- USD 3.80$ Million- compared to organizations with a public or private cloud model.
Most of us consider Security to be a small project that yields no business benefits. In fact, it increases your SAP system’s overall security posture, protecting your critical business data.
Having the same challenges and wondering how to secure your SAP system?
As a first step, we need to understand the current status of the system. Security risk areas should be evaluated. A simple way to identify gaps is to review the system with standard ITGC and/or ITAC controls. ToggleNow’s FourEdge Discovery offering will also help you discover your security posture. This tool dives into SAP systems, evaluates them, and provides recommendations on more than 70 parameters.
The next steps in this exercise is as follows:
- Revisit your authorization structure
- Protect the systems with the right password and identity theft controls
- Have a mechanism to identify identity thefts
- Give importance to data privacy
- Use the right solutions to identify phishing
Revisit your authorization structure
Authorization structure plays a vital role in securing the system. SAP’s authorizations lie with users & roles. The role concept is a potential source of security problems on two fronts:
- On the one hand, there are critical authorizations that give a user more rights than his job profile requires.
- On the other hand, there are those authorizations that violate the principle of segregation of duties (SoD). It is important to ensure that SoD conflicts are avoided and that authorizations are not allocated too generously.
A classic problem is an employee who moves from one department to the other in his employment tenure effect. An employee, who spends some time in one department or a position will only request new access when he moves to the other. This leaves the old authorizations intact and collectively, he may get more access than required. In simply called Accumulated authorizations.
Having a robust role design is a must and the industry recommendation is always to have a design in the below approach:
A job-based role is typically a composite role or a business role that contains a group of single roles derived from a task. In simple terms, these roles contain all necessary authorizations to perform a user’s duties.
Task-based roles are those that provide authorizations to a specific task. For easier management, these are further derived at the business process level, and at the subprocess level. An example would be an Asset Acquisition – Asset Management role. Single-role designs for the most part do not pose Segregation of Duty risks and make individual roles risk-free.
Enabler roles are also known as value roles. The enabler role doesn’t contain any tcodes; it only contains authorization objects. It separates organizational authorizations from functional authorizations in this concept. To successfully execute a transaction, users need two roles.
In these concepts, the functional role receives all authorization objects and values, but not organizational values. It is necessary to add an additional enabler role that contains the “missing” organizational values in order to complete the authorization process.
Protect the systems with the right password and identity theft controls
An interesting fact! It has been found that 7 out of 10 audited SAP systems are still vulnerable to relatively straightforward attacks. It covers users with default passwords that have not been changed, or with passwords that are very weak. Users with wider access, such as those using RFC communication, are included in this category. Similarly, poorly maintained or unpatched systems in the landscape may provide backdoors to both internal and external hackers.
In a recent attack at Nvidia, more than 71,000 emails and hashes of employee passwords were exposed. This includes both current and former employees. The figures, however, have not been confirmed by Nvidia and are based on internet sources. As most emails will contain critical and sensitive business data, it is possible for the compromised email data to be mis-utilized in this case.
Implementing strong Password parameters and adding additional layer of security is of high priority. Here are some points to consider:
- Ensure that the users are using strong passwords (it should be a combination of numbers, alphabets, special characters, upper and lower case characters.)
- It is also recommended to keep the password length as 12 characters for business critical systems with an auto expiry of 30 days.
- Enable secondary authentication. Use solutions such as Microsoft Authenticator, Cisco Duo authentication to enable 2FA, MFA solutions. ToggleNow has the required expertise in integrating Cisco Duo with SAP for 2FA. If you have subscription to any of these authenticators, talk to our SMEs today!
Additionally, ToggleNow’s UserSentry application enables 2-Factor Authentication and protects the SAP systems. It acts as an additional layer of user authentication to the existing User Id and password-based authentication. For a particular Target System, OTP can be sent to the user either via Email or Mobile SMS and once authenticated, user will be able to login to the SAP system.
How can we arrest or reduce identity thefts?
There are many ways to reduce identity thefts. Few of which are configuring Single Sign-on (SSO), setting up 2FA and so on. In addition to these, it is also recommended to establish additional controls such as user binding, and periodic reviews.
Bind Users is an important functionality from a Cybersecurity perspective since it prevents duplicate as well as dubious logins. Thus, it helps in ensuring that only the intended user can log in and all other login attempts are thwarted thus securing the system from any unsecured login.
Based on the requirement, you can bind the users to a particular Host, Geo Location, Operating System, GUI Version, and Screen Resolution.
Dormant ID Review:
Dormant ID Management is used to identify the Users who haven’t logged in to the system for a specific period of time (based on the provided input in the Last Log-on (Days) parameter). It is an exercise to detect the IDs that are no longer required, lock/delete them so that only the user IDs that are relevant can access the SAP system.
Give importance to data privacy
Securing data is of utmost importance to any business. It’s the primary asset. Organizations should implement the right tools & techniques to protect the same. Here is what the experts recommend:
- Use the right data classifications so that the employees know what to keep confidential.
- Implement DP solutions that can identify critical downloads and trigger emails to the key personnel and user as well
- Check IRM solutions that can restrict what data can go out of your systems
- Patch the system periodically. Based on feedback from customers, partners and SAP user groups, SAP has launched a regular SAP Security Patch Day, scheduled for the second Tuesday of every month — which has been synchronized with the Security Patch Day of other major software vendors. On these SAP Patch Days, SAP publishes software corrections as SAP Security Notes, focused solely on security to protect against potential weaknesses or attacks.
Use the right solutions to identify phishing
For cybercriminals, phishing is big business. It’s essential for IT professionals and anyone working with email to stay vigilant against phishing attacks, as 89% are orchestrated by professional cybercrime organizations. Your users are the weakest link in your phishing defenses. Your organization is at risk when you open and click on phishing emails.
It is user education that is more important than implementing solutions to protect systems from phishing attacks.
It is important for your users to be familiar with the basic checkpoints before opening any emails. Here are a few things they should see:
- Bad grammar and spelling mistakes in emails.
- An unfamiliar greeting or salutation in an email.
- Links, email addresses, and domain names are inconsistent.
- Attachments that are suspicious.
- Emails requesting login credentials, payment information, or sensitive information.
- Emails that sound too good to be true.
Phishing attacks are the primary cause of “inadvertent” security incidents. A total of 67% of study participants pointed out this problem. Get users educated about email security and implement Email protection solutions that can identify potential phishing emails using signatures. Even before your users receive them, they can be stopped.
Conclusion? Add some conclusions to the article.
It remains a challenge for companies to maintain security and stay on top of emerging threats as SAP systems upgrade and evolve. Insider attacks are all too prevalent. Although many security professionals claim they are difficult to execute, they still exist and the best way to avoid them is by monitoring your system closely. Identifying critical vulnerabilities can help you ensure your critical information is secure. Fortunately, there are many ways to minimize risk while staying on top of security concerns. In other words, it’s never been easier to stay ahead of threat activity and maintain a secure environment at your company.
It’s easy to become complacent and forget that SAP systems can be vulnerable. Whether it’s an insider attack or an external attack, it pays to know how your system’s security measures can be better applied within your context. After all, as we’ve seen before, you’re always one click away from a data breach.
What can ToggleNow do to help enterprises transform their businesses?
Using ToggleNow’s unique Security as a Service (SaaS) offering, many enterprises have transformed their GRC processes. The first step to kicking off your journey is to secure your systems and implement the right controls. Using FourEdge, organizations can improve their security and governance practices and impart effective industry and SAP practices. Poor security maintenance is always a threat, pushing your company to last place and giving your competitors an advantage.
Experts from ToggleNow’s Subject Matter Expert team have developed ToggleNow’s GRC Maturity Model. FourEdge imparts this maturity model so that organizations can discover, plan, and execute the right strategies. Talk to our experts!