A Guide to Handling SAP Security Breaches

By Christoph Nagy

By Christoph Nagy, SecurityBridge

So your SAP system has been breached.

While this is not an unusual occurrence, it’s still a serious issue that needs your immediate attention. Since SAP is one of the most widely used systems by organizations around the globe and houses a lot of business-critical and thus valuable information, hackers constantly try to find backdoors and vulnerabilities for exploitations.

The more time that elapses before the breach is dealt with, the longer hackers have access to the data your company houses in the SAP platform, and the more damage they can do.

The first step is to determine where the cybersecurity breach occurred, and then walk through the steps of addressing it. And when the immediate attack is dealt with, putting in place resources to prevent it from happening again is a wise course of action. Let’s start with the kinds of SAP breaches that might befall your company.

The Most Common Attack Vectors

We’re defining a breach as any exploitation of the vulnerabilities of a system resulting in unauthorized access to that system and its data. The most common (and sizable) damages to a company that is successfully attacked is financial damage (in the form of fines, the cost of addressing the breach, among other expenses) and a hit to the company’s reputation. Customers are less likely to stick around when they don’t feel their business or confidential data is being safeguarded properly.

When a breach occurs, it’s most likely tied to one of the following:

Vulnerabilities in code. All applications are subject to vulnerabilities, and it’s possible for custom SAP applications to provide a window for attackers to access the overall system.

Unapplied security patches. Patches for SAP applications are extremely important, since they address known flaws that could be exploited in a breach attempt. Companies that delay implementing these patches leave themselves exposed.

System misconfigurations. When settings in an SAP application are misconfigured—or keep unused functions active—attackers can exploit this mistake and gain unauthorized access. You see this most often when applications are left on default settings or someone goes in and makes changes that they shouldn’t.

Inside jobs. Occasionally, someone with at least some level of access already, like an employee, can clear a path for attackers to gain entry into the system. More often than not, it’s the employee’s account, but not the employee themselves causing the breach. The employee account could be taken over by bad actors through phishing or social engineering tactics—the MGM Grand/Caesar’s breach provides a perfect example of this type of attack.

How to Respond to an Attack

When you’ve identified where the threat has come from and what vulnerability has been exploited, it’s time to take decisive action. Reacting quickly but also in the right way will help reestablish your company’s security posture. For most breaches, the following steps will be the most effective means of getting a handle on the situation:

  • Lock down any compromised user accounts and cut off access to the network and system by any third parties such as partners or clients that are involved in the attack. If such a tactical approach doesn’t work, you might need to isolate the full SAP system, going into full lockdown or cutting off its access to the internet so unauthorized users can’t keep finding their way in while you address the issue.
  • Put together a team of stakeholders—executives, your best tech leads, SAP admins, and any other experts available—to assess the damage of the threat and make a plan to deal with it.
  • Make sure to keep all SAP logs relating to security and put them under forensic analysis. It can be useful to look at these logs, such as the Security audit log, JAVA audit log, and HANA audit log within the timeframe of the attack.
  • Use those logs to assess the details of the vulnerability that was exploited and identify the critical events and activity patterns during the key time periods.
  • Install fixes and patches as needed to shore up vulnerabilities and adopt the appropriate security configurations to stop the attack and prevent that specific vulnerability from being exploited again.
  • Only then should you return, one application at a time, to normal SAP operations. Monitor your SAP security logs following this return to make sure operations are now secure.

While all of the above is happening, be sure to comply with all legal requirements for communications with affected or relevant parties. Especially if there is ever a legal investigation on your company’s actions during and after a breach, transparency and timely notification to affected parties so they can take appropriate action will work in your favor.

Future Actions

Once the immediate threat is over, most companies should shift to prevention mode: making it so such a breach can’t happen again. Perhaps those fixes and patches can be extended to other SAP applications. Following NIST and other common SAP security frameworks is recommended.

Further SAP process improvements can help provide preventative measures or early alerts of a potential attack. Some features can detect anomalies in SAP systems or include automation capabilities that can make changes to protect a system on the fly. You can even set up the capability to alert users when their credentials might be compromised—like if they were just used to sign in from an unusual geographical location or were exposed due to a hack elsewhere. In those cases, contacting the SAP security team immediately could make a big difference in preventing authorized accounts from being misused.

There’s never a good time to experience an SAP breach, but companies that have a plan to address it quickly and effectively will fare better in both the short and long term than those that don’t. SAP’s systems are critical for many companies, so ensuring the strongest possible security posture for those applications is an equally critical task that organizations should prioritize.

Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge–a global SAP security provider, serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as a SAP technology consultant at Adidas and Audi.


No posts to display