2025-01-18 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
Many newcomers are unclear about the eight major security errors found in SAP environments. To help with that, this article explains each of them in detail; readers who need this can learn from it, and I hope you gain something.
The complexity of modern SAP footprints and common security failures expose many organizations to avoidable risks.
Configuration errors and other mistakes, many of which have been known for years, continue to undermine the security of enterprise SAP environments. The rapidly growing complexity of the SAP footprint is a major reason. SAP applications have changed and evolved over the years and are now connected to countless other systems and applications.
A typical SAP environment consists of a great deal of custom code and many custom components that communicate with each other and with external systems through various APIs and interfaces. Juan Perez-Etchegoyen, CTO of Onapsis, a security provider in the ERP field, says the new code and protocols interact with legacy environments and inherit their security vulnerabilities and flaws.
He points out that profiles, parameters, and configurations change constantly to accommodate new business processes, while little attention is paid to the security implications. The complexity of these environments leaves them riddled with security vulnerabilities.
The issue drew attention earlier this year with the public release of details of a set of known misconfigurations in two major SAP components. These vulnerabilities, collectively known as 10KBlaze, give an attacker a way to gain full remote administrative control of an SAP environment, and they prompted US-CERT to issue a warning.
Here are some of the most common configuration errors and security failures in an enterprise SAP environment.
1. Misconfigured ACLs
Access control lists (ACLs) govern connections and communication between different SAP systems, and between SAP and non-SAP environments. They also determine user access to the SAP system.
Perez-Etchegoyen said that the ACLs controlling connections between SAP and external systems, or between SAP systems, are usually poorly configured and riddled with gaps that let someone on one system easily reach another. In penetration tests, he said, misconfigured ACLs almost always turn out to give an attacker a way to move laterally within the SAP environment.
For example, the 10KBlaze vulnerabilities disclosed by Onapsis in May exploit poorly configured ACLs in the SAP Gateway and the SAP Message Server. They allow attackers to take full control of the SAP environment to view, delete, or modify data, shut down the system, and perform other malicious actions.
According to the Onapsis CTO, other SAP components whose ACLs are often configured insecurely include the SAP Internet Communication Manager (ICM), the SAP Dispatcher, the SAP Management Console used for remote monitoring and management, and the SAP Host Agent ACL used for OS monitoring.
SAP itself has long warned organizations about the dangers of misconfigured ACLs. Newer versions of its applications are much more secure than older ones in this respect, with much stricter ACL settings by default, Perez-Etchegoyen said. Nonetheless, insecure ACLs remain one of the biggest avoidable vulnerabilities in the SAP world.
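The gateway ACLs mentioned above are plain text files (reginfo for program registration, secinfo for starting external programs) that an administrator can audit offline. The following Python script is an added example, not code from the article, SAP or Onapsis: it parses both files in the version-2 syntax and flags permit rules whose program (TP) and host fields are both wildcards, plus files that lack a trailing deny-all rule. The sample file contents, host names and program names are constructed for the demo, and treating a missing key as a wildcard is a conservative assumption of this audit, not a statement of the gateway's own semantics.

```python
"""Defensive audit of SAP gateway ACL files (reginfo and secinfo).

Added example, not taken from the article, SAP or Onapsis. It assumes the
version-2 file syntax: one rule per line, "P" (permit) or "D" (deny) followed
by KEY=VALUE fields, "#" comment lines, and top-down evaluation in which the
first matching rule wins.
"""

# Constructed sample files; host and program names are invented for the demo.
SAMPLE_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=SAPXPG HOST=app01.example.internal ACCESS=internal CANCEL=internal
D TP=* HOST=*
"""

SAMPLE_SECINFO = """#VERSION=2
P TP=* USER=* HOST=*
P TP=rfcexec USER=BATCHADM HOST=local USER-HOST=local
D TP=* USER=* HOST=*
"""

WILDCARD = "*"


def parse_acl(text):
    """Parse rule lines into dicts {"line": n, "action": "P"|"D", KEY: value, ...}."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines, comments and the #VERSION header
        action, *fields = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: unexpected action {action!r}")
        rule = {"line": lineno, "action": action}
        for field in fields:
            key, sep, value = field.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: malformed field {field!r}")
            rule[key.upper()] = value
        rules.append(rule)
    return rules


def _is_open(rule, key):
    """True when the key is a wildcard. A missing key counts as a wildcard
    here as a conservative audit assumption, not as gateway semantics."""
    return rule.get(key, WILDCARD) == WILDCARD


def audit_acl(text, kind):
    """Return (line, message) findings for a reginfo or secinfo file.

    reginfo governs which external programs may register at the gateway;
    secinfo governs which users and hosts may start external programs.
    """
    if kind not in ("reginfo", "secinfo"):
        raise ValueError("kind must be 'reginfo' or 'secinfo'")
    rules = parse_acl(text)
    findings = []
    for rule in rules:
        if rule["action"] != "P":
            continue
        if _is_open(rule, "TP") and _is_open(rule, "HOST"):
            findings.append((rule["line"],
                             f"{kind}: permits any program from any host"))
        elif kind == "secinfo" and _is_open(rule, "USER") and _is_open(rule, "HOST"):
            findings.append((rule["line"],
                             f"{kind}: any user on any host may start {rule.get('TP')}"))
    # Evaluation is top-down, so the file should end with an explicit deny-all;
    # without it, anything not matched above is left to the gateway's defaults.
    last = rules[-1] if rules else None
    if last is None or not (last["action"] == "D"
                            and _is_open(last, "TP") and _is_open(last, "HOST")):
        findings.append((len(text.splitlines()) + 1,
                         f"{kind}: no trailing 'D TP=* HOST=*' deny-all rule"))
    return findings


if __name__ == "__main__":
    for text, kind in ((SAMPLE_REGINFO, "reginfo"), (SAMPLE_SECINFO, "secinfo")):
        for line, msg in audit_acl(text, kind):
            print(f"{kind} line {line}: {msg}")
```

Run against the two constructed samples, the audit reports line 2 of each file as fully open; the narrow rules for SAPXPG and rfcexec pass, and the trailing deny-all is present in both. Point it at the real files from the gateway's work directory of a test system to get the same report for a live configuration.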
2. Weak user access control
Most SAP software ships with one or more default user accounts that have highly privileged, administrator-level access. Malicious users who gain access to such accounts can cause serious damage. Examples include SAP* and DDIC, as well as the system user accounts in SAP HANA, said Jonathan Haun, senior director at Enowa LLC, a consulting firm that specializes in SAP systems.
"Hackers know these accounts exist and they will attack them first," Haun said. "Companies can either disable these accounts if necessary or use very complex, randomly generated passwords that cannot be guessed," he says. In some cases there are even software products that let administrators use these accounts securely on a temporary basis.
Perez-Etchegoyen said that SAP environments, especially those that have evolved over time, have many accounts that can easily be abused to give malicious users full administrator privileges, and even super-administrator access to everything in the environment. "This is an area of SAP security hygiene that many organizations definitely need to improve."
3. Insecure custom code
Gert Schroeter, vice president of security communications at SAP Global Security, believes the custom code and functions that organizations build around their SAP environments often have bugs and contain security vulnerabilities. "We do see a lot of problems in the software development lifecycle," Schroeter said.
Under pressure to release software quickly, development organizations often pay little attention to security fundamentals such as code vulnerability analysis, code scanning, and bug hunting when building and deploying software. "We talk about security by design and security by default," Schroeter said. In many organizations with SAP footprints, "that is not what happens in the end."
4. Sloppy patch management
Because most SAP environments are mission-critical, administrators are often hesitant or unwilling to do anything that could disrupt availability. One result is that security patches and updates, even for the most critical vulnerabilities, are rarely applied quickly and sometimes not at all.
Applying patches in an SAP environment means understanding their impact across development, QA, pre-production, and every other tier, Perez-Etchegoyen said. The time administrators need to make sure patches do not break existing processes or interfaces often means that required patches are still not applied years after they first become available.
Schroeter added that, for lack of information, many organizations find it difficult to identify and apply the required patches on live SAP systems. Administrators, he noted, need to monitor vulnerability disclosure sites and databases regularly and subscribe to resources that keep their patch information current.
5. Unprotected data
Today an SAP environment can be connected to almost anything and accessed directly or indirectly from almost anywhere. Many SAP workloads are also starting to move to the cloud.
Yet the data itself, mission-critical as it is, usually goes unprotected. Few companies encrypt data in transit or at rest, leaving it exposed to improper access and misuse. "In cloud and hosted environments, they mistakenly assume the vendor is implementing network encryption and other security standards," Haun said.
When your SAP database is hosted by a third party in particular, data at rest should be encrypted so that untrusted users cannot read it. "Many organizations use hosted and IaaS cloud platforms, so encryption of data, transaction logs, and backup files is highly recommended," he said.
6. Poor password management
ERP systems and the applications connected to them hold critical information but are often protected by weak passwords and poor password management practices. Highly privileged accounts with default passwords, or several accounts protected by the same password, are not uncommon. Weak passwords are a problem across all applications, but they are especially dangerous in critical SAP environments.
Haun said some organizations do not enforce basic password standards, which can lead to account takeover and undetected damage done by attackers using valid user accounts and passwords. "SAP systems should be configured to require complex user account passwords and to change them several times a year," he suggested.
Superuser and administrator passwords should not be handed to ordinary users and should be locked away in a digital safe. Schroeter recommends that organizations implement stronger controls, including SSO, two-factor, and context-based authentication, rather than relying on simple text-based authentication.
7. No incident response plan
A big problem for many organizations is the lack of an adequate crisis management plan. Few have procedures for dealing with an ongoing attack, and few have a chain of command for handling a crisis, Schroeter said.
He said an SAP survey showed that companies worry about data loss, disaster resilience, and business continuity in their ERP environments, but few have plans for dealing with a crisis.
8. Insufficient logging and auditing
Logging and auditing are essential to the visibility needed to monitor system activity across SAP environments. They help administrators keep a close eye on privileged users and monitor access to applications, data, and databases, along with any changes to identities.
However, Haun says most organizations do not have audit policies sufficient to track key operations in SAP systems, at both the application server tier and the database tier. "Audit data can be used to proactively detect attacks or to provide forensic evidence after an attack," he said.
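Several of the failures above (sections 2, 6 and 8: default accounts, password policy and the Security Audit Log) are visible in an instance's profile parameters, so a defender can check a profile file against a baseline before the system goes live. The script below is an added example, not code from the article, SAP, Onapsis or Enowa. It assumes the plain "parameter = value" profile syntax; the parameter names are real SAP profile parameters, while the recommended values are this example's own choices rather than a quotation of SAP's official guidance, and the sample profile excerpt is constructed.

```python
"""Check an SAP instance profile against a small hardening baseline.

Added example, not from the article, SAP, Onapsis or Enowa. It assumes the
plain "parameter = value" profile syntax. The parameter names are real SAP
profile parameters; the recommended values are this example's own choices,
not a quotation of SAP's official guidance.
"""

# Constructed profile excerpt with several weak settings, for demonstration only.
SAMPLE_PROFILE = """# constructed instance profile excerpt
SAPSYSTEMNAME = DEV
login/no_automatic_user_sapstar = 0
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 20
rsau/enable = 0
"""

# (parameter, predicate on the integer value, recommendation, why it matters)
BASELINE = [
    ("login/no_automatic_user_sapstar", lambda v: v == 1, "1",
     "default accounts: do not fall back to the built-in SAP* user"),
    ("login/min_password_lng", lambda v: v >= 12, ">= 12",
     "password management: minimum password length"),
    ("login/password_expiration_time", lambda v: 0 < v <= 90, "1..90",
     "password management: 0 means passwords never expire"),
    ("login/fails_to_user_lock", lambda v: 1 <= v <= 5, "<= 5",
     "password management: lock the account after a few failed logons"),
    ("rsau/enable", lambda v: v == 1, "1",
     "logging and audit: Security Audit Log switched on"),
]


def parse_profile(text):
    """Return {parameter: raw value} from profile text, ignoring comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not an assignment; ignore
        params[key.strip()] = value.strip()
    return params


def check_profile(text):
    """Return findings as dicts; an empty list means every baseline check passed."""
    params = parse_profile(text)
    findings = []
    for name, ok, recommended, reason in BASELINE:
        raw = params.get(name)
        if raw is None:
            # An unset parameter falls back to the kernel default, which must be
            # verified separately rather than assumed safe.
            findings.append({"param": name, "status": "unset", "current": None,
                             "recommended": recommended, "reason": reason})
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append({"param": name, "status": "unparsed", "current": raw,
                             "recommended": recommended, "reason": reason})
            continue
        if not ok(value):
            findings.append({"param": name, "status": "weak", "current": raw,
                             "recommended": recommended, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in check_profile(SAMPLE_PROFILE):
        print(f"{f['status']:8} {f['param']} = {f['current']} "
              f"(recommended {f['recommended']}): {f['reason']}")
```

On the constructed excerpt every baseline parameter is reported as weak: SAP* fallback enabled, a six-character minimum, passwords that never expire, twenty failed logons before lockout, and the audit log switched off. Parameters that are simply absent are reported as "unset" instead of being treated as safe, because what applies then is the kernel default, which differs between releases and needs its own check.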
Schroeter says SAP itself has added many security features to its products and has for years shipped them in a secure default configuration. The company provides guidance on key topics such as configuration drift, how to handle security patches, and how to add security features to its software. "Customers need to take this seriously and start addressing cyber security holistically," he said.
Like SAP applications themselves, fixing security issues is complex. Schroeter points out that organizations need a security plan, must prioritize risks, and need a formal way to mitigate threats to the SAP environment.