Modern cybersecurity threats are growing in complexity, scale, and speed. In this live Q&A, SAPinsider GRC 2017 speaker Peter Hobson dove into cybersecurity as it relates to your SAP landscape. Read the transcript to get expert answers to your questions on topics like role design, controls, vulnerability scans, supporting tools, and more.
- What type of tools are available to support SAP cyber programs?
- What kind of threats & vulnerabilities are you seeing in the industry related to Fiori & mobile apps?
- How can SAP cyber security benefit the other aspects of SAP security?
Meet the panelist:
Peter Hobson, PwC
Pete is a Director at PwC focusing on securing SAP applications and identities through the effective use of role design, controls, governing processes, analytics and enabling technologies. He has over 12 years of experience leading complex, global projects for clients in multiple industries, including Retail & Consumer, Wholesale Distribution, Industrial Products and Automotive. Pete has international work experience, having delivered services in Russia, China, Australia, Mexico, Jordan and Colombia. Pete holds an MBA from the NYU Stern School of Business.
Hello, and welcome to our Live Q&A, Proven Techniques and Strategies to Fortify Your SAP Landscape from Cybersecurity Threats. We’re joined today by PwC’s Peter Hobson, who will be taking your questions for the next hour. Peter will be speaking at the upcoming SAPinsider GRC conference, March 21-24 in Las Vegas.
Thanks for joining us, Peter!
Thanks, Kendall! I'm very excited to be here. Looking forward to a great session today.
Let's get the questions rolling. Pretty open forum today. I know the high level topic is cyber security, but very glad to talk about any topics related to SAP security, role design, identity management, risk management, controls, analytics, etc. So please, fire away!
Oh, almost forgot - I know SAP S4/HANA is a pretty big topic out in the market today. There are lots of security impacts and considerations for S4 as well that I would be more than happy to answer questions about.
Comment From MP Daniels
Peter, what would you see as the top couple threats specific to the SAP Landscape?
Excellent question to get things started. The biggest threat to any SAP landscape comes from within. Making sure employee access to SAP systems is properly set up and secured to manage risks and threats is my first recommendation to anyone looking to better secure the SAP landscape. With the amount of changes that have happened in the SAP space over the last few years with the introduction of SAP S4/HANA and Fiori / mobility, it's a great time to revisit user access to make sure you are up to date.
Another risk is third party access. The supply / value chain and SAP landscape continues to become more interconnected and shared. More and more third parties are on your SAP systems than ever before. Making sure an effective policy and activities exist to manage and monitor third party access in SAP is another great way to promote a secure SAP landscape.
Finally, the introduction of Fiori and mobility adds several new threats and vulnerabilities to SAP landscapes. This includes exposing your SAP landscape to mobile devices and the internet, along with direct end user access to the DB layer in SAP to enable certain Fiori / mobile apps. Make sure to include security within your overall Fiori / mobile app strategy to make sure you haven't left your SAP landscape exposed. A great place to start looking is the SAP Gateway. That tends to be a common place to find vulnerabilities within your SAP landscape.
Comment From SAP Customer
What do you foresee as top tangible SAP landscape threats (internal or external) that SAP customers should immediately focus on for 2017 and 2018?
Thanks for the question, SAP customer. In my response to MP, I mentioned employee access, third party access and Fiori / mobile apps / SAP Gateways as immediate areas of focus. Another I will toss out there is critical assets and intellectual property stored within SAP. In my experience, I have found that critical assets / IP are left exposed within SAP. There are a few key reasons why:
- Critical assets / Intellectual property aren't clearly defined for the organization
- Lack of understanding about where critical assets / IP are stored within SAP
- The fact that critical asset / IP risk comes from display access instead of update / transactional access. This is because the drivers behind access limitations in SAP have traditionally revolved around regulatory requirements, such as SOX, and those focus on update access only.
One more item to add to the list - SAP patch management. SAP patch management programs are either limited or non-existent at many organizations. The most common reason provided is that SAP is too critical to the business to take it down for a window of time to apply patches. This is interesting to me because I certainly agree that SAP is important and therefore its availability needs to be maximized. At the same time, because it’s so important it should also be a priority system from a good security / patch management perspective, which it often isn't. My advice is always to find a way to balance availability with security, because often a security issue will lead to an availability issue.
Comment From Latha
Can you please provide some examples for SAP Gateway vulnerabilities?
Latha - thanks for the question and absolutely. A few examples of SAP Gateway vulnerabilities / concerns include the following:
- The ability to start external RFCs remotely from the SAP Gateway
- The availability of SAPXPG server
- Improper audit logging on the SAP Gateway - this is more to help detect potential bad behaviors and do root cause analysis if there is an issue
This is certainly not an exhaustive list, but hopefully gives a few insights and thoughts into what is out there.
Comment From Latha
What is the advance threat protection monitor that you recommend for SAP landscape?
Latha - going to answer this more broadly as "what type of tools are available to support SAP cyber programs?" Hopefully that works.
There are quite a few out there. The one I run into the most is Onapsis. They were known originally for their X1 vulnerability scanner which produced a nice report on where your SAP landscape had exposures. More recently they released a product called OSP that builds on that vulnerability scanning foundation and expands it to include SAP vulnerability monitoring, management and reporting capabilities.
SAP has a suite of products that support SAP cyber initiatives. Those include Enterprise Threat Detection (ETD), which is a log monitoring tool that can be used to identify potentially fraudulent activities within your SAP system. The example I will provide is the ETD can identify within SAP logs whether a user has debugged code in order to reroute a payment to themselves or others. Other products include SOS and UCON, which help promote secure connections between SAP systems and non-SAP systems and can look at vulnerabilities within ABAP code.
Other products that I have seen include ERPscan and VirtualForge. I'm a bit less well versed in those two, but both offer capabilities to identify vulnerabilities within your SAP landscape. An interesting capability that VirtualForge has is the ability to identify potential vulnerabilities within ABAP code, and help promote good upfront ABAP coding standards.
Another consideration - before you invest in an additional tool, look at the tools and capabilities that you already have in house. A great example is SAP GRC Access Control. It's traditionally a SOX / SOD reporting and management tool, but at its core it's an access reporting tool. That access reporting tool can be used to support SAP cyber programs if you tell it the right things to look at. User access exposure, critical asset / IP exposure, or system availability risks can be looked at using tools like SAP GRC Access Control.
Final tip - don't start a program with "what tools can I buy?" Start with - what are the risks to my business that I want to protect against, what activities do I perform to protect them and then start asking which tools can help enable / automate / accelerate those activities.
Comment From Kiran
Hi Peter - Thanks for taking my question. In general, what kind of threats & vulnerabilities are you seeing in the industry related to Fiori & mobile apps?
Kiran - touched on this a bit in some of my other responses but want to add one more to this. Make sure to embed security in your Fiori strategy. A "Fiori" only solution is missing many key security features. Integrate Fiori with things like SAP Mobile Platform and Afaria to enable key security features like mobile device management, endpoint security policies, encryption and VPN.
Comment From Marissa
How can SAP cyber security benefit the other aspects of SAP security that you've mentioned before, such as role design, identity management, risk management, controls, analytics, etc.?
Hi Marissa - an excellent question. I'm going to say it a different way. It's not what SAP cyber security program can do for your role design, controls and analytics; it's what your role design, controls, analytics can do for your cyber security program.
Let me give an example. I'm sure most of us are familiar with IT General Controls, or ITGC. Many ITGC activities support SAP cyber security programs and leading cyber security frameworks, such as NIST. A common vulnerability in SAP (and most other applications) is generic IDs. This is because SAP comes with a few generic IDs, such as SAP* and DDIC, that have the same default password in each installation. You should change it; otherwise, anyone that knows the default can log into your SAP system with full authorization. That's a big risk and vulnerability to your system.
Another example that I've touched on in my other responses but will bring up again here is role design. Cyber security programs focus on protecting critical assets and maintaining system availability, amongst other things. Give the wrong access to the wrong user and both of those items could be compromised. Set up roles so you can give the right access to the right people at the right time.
Finally, analytics. With SAP HANA and other high performing, big data solutions, there is an unprecedented opportunity to deliver insights from the large volumes of data captured and stored in your SAP systems. Many organizations are finding ways to leverage analytics to replace / automate controls, risk management and cyber security activities and to understand the true impact of risks that exist within their systems. An example of how to use these for cyber programs - malicious / fraudulent activities often hide in the deep details of SAP logs. Analytics can help you find those instances, and analytics built on SAP HANA can find those instances in near real time.
There are many more ways that these activities promote SAP cyber security programs. I will close with this - it's very possible that many of the activities you perform today from a risk, compliance, governance and security administration perspective support SAP cyber security programs. You just may not be looking at them that way today. Think about your risks and then look at the activities you perform today that can protect against them. You might be surprised!
Comment From Mark
Hi Peter, what is the most common vulnerability with SAP cyber security? Thx!
Pete Hobson: Mark - hard to say most common, but I will mention the most well-known. That's the invoker servlet. The Department of Homeland Security issued a US-CERT last year about the vulnerability, which was the first time that happened for an SAP vulnerability. If you haven't checked your exposure to that one, do. It's more common than you would think.
That’s all the time we have today, but thanks to everyone who joined us for this Live Q&A. To dive deep into SAP cybersecurity, attend SAPinsider GRC 2017 in Las Vegas March 21-24, where we have an entire track devoted to the subject. Special thanks to PwC’s Peter Hobson for joining us today and answering questions.
Thanks everyone for joining! I had a great time answering your questions. Feel free to reach out at any time - easiest way to find me is on LinkedIn. For those of you at the GRC conference, please come check out my session on operationalizing cyber security. It's scheduled for Wednesday morning. If you can't make it, I will be at the PwC booth from Tues - Thurs. Come say hello!