The ERP security landscape is drastically evolving and traditionally on-premise applications such as SAP ECC and S/4HANA are falling behind. Dynamic risks posed by remote access, changing compliance requirements, and the rising number of user-centric threats have highlighted a gap in controls. The ways users access SAP has changed, and because of this, it’s time to reevaluate your security model and how the concept of Least Privilege is being enforced.
The Traditional Approach to Least Privilege in SAP is Insufficient
The Principle of Least Privilege aims to minimize risk by limiting the number of privileges given to a user based on what privileges are job-related or necessary to complete a task—reducing the opportunities for improper uses of privilege to occur.
In SAP, this has traditionally guided role design from a functional perspective. For example, an HR Manager role may have privileges such as maintaining HR master data, processing payroll, or modifying pay rates – but should not have access to transactions outside their line of work (e.g. creating or maintaining purchase orders).
The approach was sufficient when user access was limited to a physical office, during normal business hours, and on a secure network. However, we all know this has changed. Remote work and cloud-hosted applications have expanded the scope of access, and with it, shifted the risk landscape. Context such as the what, when, where, and how a user interacts with SAP must be considered in addition to functional access rights.
Unfortunately, this leads us to the Achilles' heel of SAP security: static, role-based access controls (RBAC). Risk is dynamic. RBAC is not. Without the ability to consider contextual factors beyond a user’s role and privileges, organizations are actually constraining their ability to enforce the Principle of Least Privilege (PoLP).
This gap leads to a variety of risks, including data exfiltration, fraud & theft, policy violations, and compliance risks. It’s time for companies to take their SAP security to the next level. It’s time for Least Privilege 2.0.
Appsian’s Approach to Least Privilege 2.0
As noted earlier, a key to minimizing SAP risk exposure is context. To integrate context into controls, SAP customers can leverage attribute-based access controls (ABAC) and business rules that extend SAP’s existing authorization model.
With the Appsian Security Platform, organizations can enable security policies that align controls with real-world scenarios by considering the context. Dynamic authorizations at both the data and transaction level can be implemented to fine-tune your security measures and align exposure to your organization’s risk appetite.
Least Privilege 2.0 means going beyond static roles and privileges, allowing companies to achieve:
- Dynamic access controls that determine whether a transaction should be performed remotely, incorporating attributes such as user, resource, action, and environment characteristics to limit access to and within SAP data.
- Risk-aware process controls that ensure established business policies are enforced and prevent violations from happening in the first place.
- Fine-grained data protection that determines whether a user really needs access to a particular set of sensitive data and captures granular insights to uncover user activities and transaction details.
This supplemental attribute-based authorization layer enables rapid, wide-reaching changes without the need to redesign individual roles. For example, organizations can now dynamically protect data with:
Policy-Based Data Masking
Limit the exposure of PII and other high-risk information with dynamically enforced data masking throughout SAP. Policy dictates at runtime whether a user has full access to data within a transaction, limited access via full/partial mask on sensitive fields, or is blocked entirely.
Data Exfiltration Controls
Stop data leakage from both privileged accounts and normal end-users by ensuring data can only leave SAP in secure environments. Access to transactions that export data to downloadable files can be blocked in high-risk scenarios.
Let Appsian Show You How to Address Risk in SAP with Least Privilege 2.0
As business processes in SAP evolve and grow more complex, your organization’s capability to mitigate access risks must also evolve. Appsian can help you leverage Least Privilege 2.0 to extend your SAP security controls to address gaps in coverage and minimize your accepted risk. Get in touch with the experts at Appsian today to schedule a demo and learn how we can help.
A critical SAP vulnerability (CVE-2020-6287 or RECON) was recently discovered by Onapsis, giving attackers TOTAL control of vulnerable business applications. It allows hackers to gain unauthenticated access to SAP and then create new user accounts with admin (superuser) privileges. A malicious attacker can do limitless amounts of damage with these privileges, including stealing data, changing bank account numbers, fully sabotaging systems, and more.
RECON Shares Similarities with a Familiar Foe – 10KBLAZE
The RECON vulnerability puts the confidentiality, integrity, and availability of SAP ERP data and processes at risk, which is very similar to the 10KBLAZE exploit from 2019. What do these two exploits have in common? Simple: both leverage a lack of visibility and control to be successful. There is a reason that these exploits focus on the creation of admin accounts – because once you’re an admin (legitimate or not), you have the keys to the castle.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators of SAP products to:
- Analyze systems for malicious or excessive user authorizations.
- Monitor systems for indicators of compromised accounts resulting from the exploitation of vulnerabilities.
- Monitor systems for suspicious user behavior, including both privileged and non-privileged users.
- Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
- Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
The key recommendations align with the need for monitoring – monitoring systems, monitoring transactions, monitoring the creation of accounts, and (most importantly) monitoring data access and usage. This is where many customers will struggle with their SAP risk management, as attaining fine-grained controls and visibility is complex, even prohibitive at times, with native functionality. This is precisely where Appsian can help.
A Second Layer of Defense: Fine-Grained Control and Visibility
RECON and 10KBLAZE highlight that a single, static layer of security within SAP is inadequate to combat modern-day threats. Appsian enables SAP ERP customers to layer their defenses using a comprehensive suite of fine-grained, risk-aware access controls, and continuous monitoring of data access and usage.
Here are Appsian’s recommendations to minimize your attack surface and the risks posed by RECON – and future vulnerabilities like it (in addition to recommended security patches).
Attribute-Based Access Controls (ABAC) Are Essential in a Dynamic Environment
RECON and 10KBLAZE take advantage of vulnerabilities in the open, internet-facing SAP components (think remote access). The Appsian Security Platform (ASP) uses attribute-based access controls (ABAC) to implement data-centric, “risk-aware” controls. ABAC prevents specific transactions like user provisioning when access originates from untrusted IP addresses (or IP addresses outside your whitelist), certain geographic locations, outside work hours, mobile devices, and many other contextual attributes. The bottom line is that Appsian can stop the creation of a user account (or changes in privileges) if access is coming from outside the corporate network. Fine-grained policies can be implemented to block high-risk activity, such as those matching the RECON attack patterns.
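The following is an added illustration of the context-aware authorization described here and in the masking and exfiltration controls above; it is example code, not the Appsian Security Platform's implementation. The trusted network ranges, business hours, role names and the "pii:" resource prefix are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed trusted ranges, business hours and provisioning actions (constructed for this example).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)          # 08:00 to 17:59 local time
PROVISIONING_ACTIONS = {"create_user", "assign_role", "change_profile"}

@dataclass
class Request:
    user: str
    roles: set
    action: str          # create_user, display, export, ...
    resource: str        # "pii:" prefix marks a sensitive field or data set
    source_ip: str
    timestamp: datetime
    device: str = "desktop"

def is_remote(req):
    return not any(ip_address(req.source_ip) in net for net in CORPORATE_NETWORKS)

def outside_hours(req):
    return req.timestamp.hour not in BUSINESS_HOURS

def mask_value(value, keep=4):
    """Partial mask: hide everything except the last `keep` characters."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]

def evaluate(req):
    """Return (decision, reason): the static RBAC check first, then context-aware rules."""
    if req.action in PROVISIONING_ACTIONS and "SAP_ADMIN" not in req.roles:
        return "DENY", "rbac: role does not grant user provisioning"
    # Provisioning is only allowed from the corporate network during business hours.
    if req.action in PROVISIONING_ACTIONS and (is_remote(req) or outside_hours(req)):
        return "DENY", "abac: provisioning blocked outside trusted network or hours"
    # Exfiltration control: no file export of sensitive data from a remote session.
    if req.action == "export" and req.resource.startswith("pii:") and is_remote(req):
        return "DENY", "abac: export of sensitive data blocked in remote session"
    # Data masking: remote or mobile display of a sensitive field is allowed but masked.
    if req.action == "display" and req.resource.startswith("pii:") and (is_remote(req) or req.device == "mobile"):
        return "MASK", "abac: partial mask applied to sensitive field"
    return "ALLOW", "all checks passed"

def decide(user, roles, action, resource, source_ip, ts_iso, device="desktop"):
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return evaluate(Request(user, set(roles), action, resource, source_ip, datetime.fromisoformat(ts_iso), device))
```

The RBAC check still runs first; the contextual rules only ever narrow what a role already grants, which is the "supplemental layer" the text describes.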
Visibility into Data Access and Usage is Essential for Combating Configuration Gaps
Both RECON and 10KBLAZE center around the unauthorized creation of high privileged user accounts. Appsian360, the latest real-time analytics solution by Appsian, captures and visualizes data access and usage, which is essential for monitoring user provisioning activity like user creation/deletion and role/profile changes. Appsian360 can detect and alert organizations at the point of initial account creation, minimizing the damage by reducing how long a threat goes undetected.
Appsian360 can also detect suspicious transaction activity if the compromised and illegitimate accounts are not addressed at the point of creation. Furthermore, this creates an audit trail that acts independently from existing SAP logs and can expedite breach forensics activities.
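As an added illustration of detecting provisioning abuse at the point of account creation (example code, not Appsian360's detection logic), the rule below correlates user-creation events with a subsequent administrative role assignment and records why the sequence is suspicious. The event format, trusted network, approved provisioning account and role names are constructed for this example and do not reflect SAP's own audit log layout.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed event format for this example; real SAP audit records look different.
EVENT_RE = re.compile(
    r"(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+) src=(?P<src>\S+)"
)
CORPORATE_NET = ip_network("10.0.0.0/8")      # assumed trusted range
PROVISIONING_ACCOUNTS = {"IDM_SVC"}           # assumed legitimate provisioning identity
ADMIN_ROLES = {"Administrators", "SAP_ALL"}   # roles treated as high privilege
WINDOW = timedelta(minutes=10)

# Constructed sample log: a legitimate IDM-driven creation, then a suspicious one.
SAMPLE_LOG = """\
2020-07-14T09:02:11 actor=IDM_SVC action=CREATE_USER target=JSMITH src=10.20.1.5
2020-07-14T09:02:12 actor=IDM_SVC action=ASSIGN_ROLE target=JSMITH:HR_MANAGER src=10.20.1.5
2020-07-14T02:13:05 actor=<unauthenticated> action=CREATE_USER target=SUPPORT2 src=203.0.113.5
2020-07-14T02:13:09 actor=<unauthenticated> action=ASSIGN_ROLE target=SUPPORT2:Administrators src=203.0.113.5
"""

def parse(log):
    """Turn the constructed log text into a list of event dicts with parsed timestamps."""
    events = []
    for line in log.splitlines():
        m = EVENT_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def detect(events):
    """Alert when an admin role is assigned shortly after a user creation; list the reasons."""
    alerts = []
    creations = {e["target"]: e for e in events if e["action"] == "CREATE_USER"}
    for e in events:
        if e["action"] != "ASSIGN_ROLE":
            continue
        user, _, role = e["target"].partition(":")
        created = creations.get(user)
        if created is None or role not in ADMIN_ROLES or e["ts"] - created["ts"] > WINDOW:
            continue
        reasons = ["admin role assigned within %d min of creation" % (WINDOW.seconds // 60)]
        if created["actor"] not in PROVISIONING_ACCOUNTS:
            reasons.append("creator %s is not an approved provisioning account" % created["actor"])
        if ip_address(created["src"]) not in CORPORATE_NET:
            reasons.append("creation came from outside the corporate network")
        alerts.append({"user": user, "role": role, "reasons": reasons})
    return alerts
```

Because the rule keys on the creation event itself rather than on later transaction activity, the alert fires before the new account has been used, which is the point the text makes about reducing time to detection.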
This detailed insight can make a positive impact on a company’s SAP risk management.
Prepare Yourself for the Next Critical SAP Vulnerability – Layer Your Defenses (While and After You Patch Your Applications)
RECON isn’t the first critical vulnerability to affect SAP, nor will it be the last. While security patches are available to keep ERP systems safe, they can take time (and resources) to implement, which results in significant downtime of production systems. Furthermore, the time to apply the patches depends on the complexity and the components involved. By all means, stay up to date on system updates, but bugs like RECON and 10KBLAZE serve as a reminder that patches alone aren’t enough to protect critical SAP data.
Talk to the SAP Risk Management and Security Experts at Appsian today to discuss how your organization can address the risks posed by RECON and other vulnerabilities.
A critical SAP vulnerability (CVE-2020-6287 or RECON) was recently discovered by Onapsis that gives attackers TOTAL control of vulnerable business applications. The RECON vulnerability allows hackers to penetrate SAP systems and create new users with administrative privileges, allowing them to manage (read/modify/delete) every record/file/report in the system.
The RECON bug is one of those rare vulnerabilities that received the maximum rating of 10 out of 10 on the CVSSv3 vulnerability severity scale, so it is crucial that organizations move quickly to apply patches.
Remote and unauthenticated attackers can exploit the vulnerability to create a new SAP admin user, bypassing access and authorization controls and gaining full control of the SAP system. Exploitation will impact the confidentiality, integrity, and availability of SAP applications. With an admin-level user account at their disposal, an attacker can:
- Steal personally identifiable information (PII) from employees, customers, and suppliers
- Read, modify or delete financial records
- Change banking details (account number, IBAN number, etc.)
- Administer purchasing processes
- Disrupt the operation of the system by corrupting data or shutting it down completely
- Perform unrestricted actions through operating system command execution
- Delete or modify traces, logs and other files
The RECON Attack Path
The RECON vulnerability is easy to exploit and resides in the LM Configuration Wizard component of the SAP NetWeaver Application Server (AS) JAVA. The LM Configuration Wizard of SAP NetWeaver AS JAVA does not perform an authentication check, allowing an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user. This compromises the Confidentiality, Integrity, and Availability of the system.
The vulnerability not only compromises the security of the NetWeaver Java applications but can also be used to exfiltrate credentials to an ABAP system through the ABAP secure storage, potentially leading to the exposure of sensitive ERP data, including PII and financial information.
SAP Guidance: Apply the Patch or Enable a Workaround
The critical nature of this vulnerability caused the Cybersecurity and Infrastructure Security Agency (CISA) to strongly recommend organizations immediately apply patches, as noted in SAP Security Note #2934135.
If you cannot apply the patch, then at least disable the tc~lm~ctc~cul~startup_app application, as described in SAP Security Note 2939665. Note 2939665 provides a workaround and a defense-in-depth measure, but it is not a fix.
Further SAP Risk Management Measures
Being up to date on patches is an integral part of any SAP risk management framework because it helps mitigate known vulnerabilities. Still, because of the number of security patches released in recent years, several customers are behind on them, as applying these patches requires downtime of the production systems. Moreover, the time to apply the patches depends on the complexity and the components involved. It can require a significant amount of time and effort, especially if the systems are a couple of patches behind.
All this ends up increasing the risk and the timeframe for which the systems are exposed. Having application security in the form of multi-factor authentication or additional policy-based controls and logging will help mitigate the risks and control sensitive data exposure in mission-critical systems.
Talk to the SAP Security Experts at Appsian today to discuss how your organization can address the risks posed by RECON and other vulnerabilities. Learn more about how we can be an integral part of your overall SAP risk management posture.
Every organization using SAP ERP applications faces the unique challenge of maintaining a strong security posture while enabling productive business processes. Throw in the uncertainty of today’s rapidly changing environment, and you can bet that IT professionals and business stakeholders are facing misalignment between IT controls and business rules and objectives.
To discover how organizations are evolving their security and risk management practices, Appsian commissioned a survey of nearly 200 senior stakeholders using SAP applications through an independent market research firm. We compiled the results of our survey into the SAP Security Report: Executive Perspective on SAP Business Risk Management.
We found that this rapid state of change in today’s environment has brought about a new normal for acceptable risk in SAP – but not by choice. While some organizations are adopting new processes and technology to address risk, legacy strategies are holding back many in their path towards efficiently managing ERP data risks.
We also uncovered four key takeaways from the respondents:
1. Business Process Risks Are Slipping Through the Cracks
Executive confidence is wavering in an organization’s ability to detect business risks from fraud, theft, and human error. While concern is generally high, a lack of consistent visibility into these business processes highlights a gap that many have yet to address.
2. IT Leaders Are Concerned About Excessive User Privileges
Excessive user privileges continue to be a top concern of leadership – and for good reason. Users have the keys to your kingdom, and with this, pose a heightened risk if their accounts are compromised or if they engage in malicious activity.
3. Misalignment is Hurting Confidence in SAP Security
Tight alignment between SAP security controls and business goals and objectives is paramount to secure, compliant, and efficient business processes. However, many respondents signal that the two are not aligned effectively.
4. Limited Visibility & Complex Controls Are Hindering Progress
Organizations are facing the limitations of their existing technology and processes. Solving this will require a new approach to overcome complexities in controls and limited visibility into their business-critical applications.
Want to gain a better understanding of how organizations are evolving their ERP security and risk management practices? Curious about the kinds of risks organizations are most concerned about, and how they view and prioritize user and system visibility, access control, oversight, and accountability?
Download your free copy of the SAP Security Report today and take a deeper dive into these findings.