9 Deadly Security Risks to Avoid in Your SAP Landscape

by Andreas Wiegenstein | SAPinsider, Volume 15, Issue 4

October 1, 2014

Have your organization’s security measures kept pace with your data growth? Read about nine of the most common security pitfalls and learn how to keep your organization from exposing SAP systems to malicious users.


The amount of critical data in businesses is growing exponentially, but are security measures growing at the same pace? With new cloud-based technologies affecting the way data is stored and mobility changing the way users share information, ensuring your SAP systems are safe and secure is more imperative than ever. To make sure your company is protected, you need to have a handle on the nine most lethal security vulnerabilities that can be found in SAP systems. 

1. Hard-Coded SAP* User Is Active

If a malicious user connects to a login mechanism of your SAP system (e.g., SAP GUI or Web Dynpro), the user will be able to use this hard-coded username (SAP*) and password (PASS) to gain SAP_ALL privileges and full control of the SAP system.

2. Insecure Gateway

A malicious user with a network connection to your SAP system can easily execute arbitrary commands on the operating system of the SAP server. This allows attackers to sabotage the server, install malware, or further penetrate your SAP landscape.
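An added example, not code from the article or from Virtual Forge: an offline check that reads an SAP instance or default profile and flags the settings behind risks 1 and 2 above. The profile parameter names are assumed from SAP's kernel documentation (the article names none), and the profile excerpt is constructed sample data.

```python
import re

# Rules for risks 1 and 2: (profile parameter, predicate for a safe value, finding).
# Parameter names are real SAP profile parameters, assumed here; the article names none.
RULES = [
    ("login/no_automatic_user_sapstar", lambda v: v == "1",
     "risk 1: hard-coded SAP*/PASS login stays possible once the SAP* master record is deleted"),
    ("gw/acl_mode", lambda v: v == "1",
     "risk 2: gateway falls back to a permissive ACL when secinfo/reginfo are missing"),
    ("gw/sec_info", lambda v: v != "",
     "risk 2: no secinfo file configured, so OS command starts via the gateway are unrestricted"),
    ("gw/reg_info", lambda v: v != "",
     "risk 2: no reginfo file configured, so external program registration is unrestricted"),
]

def parse_profile(text: str) -> dict:
    """Parse 'name = value' lines of an instance/default profile; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit_profile(params: dict) -> list:
    """Return (parameter, finding) pairs; unset parameters are reported as well,
    because the kernel default is frequently the weak setting."""
    findings = []
    for name, is_safe, finding in RULES:
        value = params.get(name)
        if value is None:
            findings.append((name, "not set; " + finding))
        elif not is_safe(value):
            findings.append((name, finding))
    return findings

# Constructed sample profile excerpt; not from a real system.
SAMPLE_PROFILE = """\
# DEFAULT.PFL excerpt (constructed)
login/no_automatic_user_sapstar = 0
gw/acl_mode = 1
gw/sec_info = /usr/sap/XXX/SYS/global/secinfo
gw/reg_info =
"""

def audit_sample() -> list:
    """Run the audit over the constructed sample profile."""
    return audit_profile(parse_profile(SAMPLE_PROFILE))
```

Running `audit_sample()` on the constructed excerpt reports the disabled SAP* protection and the empty reginfo setting while accepting the two correctly configured parameters.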

3. Critical Patches Are Not Applied

Security researchers constantly discover and report new critical vulnerabilities in the standard SAP system. When SAP releases a security patch, malicious users can read the corresponding SAP Note and learn how to take advantage of a weakness. If patches are not installed in a timely manner, your systems are at high risk.

4. Default Passwords of High-Privileged Users

If a malicious user has access to your SAP system, that user can log in with the well-known credentials of high-privileged users like SAP*, DDIC, and EARLYWATCH, which come with default passwords, gaining SAP_ALL privileges and full control of the SAP system.

5. User with S_RFC* Authorization

Any malicious user with S_RFC* authorization can call any of the more than 34,000 remote-enabled function modules of the standard SAP system. There are many critical function modules that allow you to create users, change system settings, and read or write business data.

6. Unscanned Custom Code

Custom code can bypass all security settings in your SAP system. Malicious custom code is equivalent to SAP_ALL access to your system and allows attackers to take full control. Any custom code deployed on the SAP server that was not previously inspected is therefore a very high security risk.

7. SAP Solution Manager on the Internet

Although SAP Solution Manager contains no business data, it is a gateway to the entire SAP system landscape. The moment a malicious user gets access to SAP Solution Manager, the entire landscape is compromised. If this system is on the internet, it is especially vulnerable to being hacked.

8. Too Many ICF Services Are Active

Internet Communication Framework (ICF) services can be called via HTTP(S) and are reachable remotely. ICF services in the SAP standard system that allow you to read or change system settings or read or write business data present severe risk in the hands of a malicious user.

9. Trusted Connections Between Development and Production Systems

Development and quality assurance (QA) systems are usually not as secure as production systems. However, with trusted connections set up among them, an attacker who can break into the development system can penetrate the SAP landscape and access production systems as well.

Effectively Protect Your Systems

Don’t fear these nine security risks — they can be easily overcome. Through system, code, and application analysis and penetration tests, Virtual Forge, Inc. can help ensure your systems are secure before a risk is introduced. Learn more by visiting www.virtualforge.com.

Andreas Wiegenstein
CTO and Co-Founder
Virtual Forge, Inc.
