Strengthening Cyber Security for ERP Applications

It was May of 2017, when numerous enterprise resource planning (ERP) application customers found out that the U.S. Computer Emergency Readiness Team (US-CERT) advisory was going to address the security of ERP applications; the key systems which had cloud/internet access. US-CERT had evidence of hackers having unauthorized access to mission-critical data that automatically made them vulnerable even with all of the patches being applied.

That is because an ERP is a business process management software or system that allows an organization to use integrated applications to manage the business and automate many back office functions (in tech, services and HR). The key draw for using an ERP system is its centralized functionality — a shared database that supports multiple functions and is used by many different business units. Fast forward to today, and those same hackers/bad actors are still messing around and trying to cause havoc on these systems again.

There is a digital risk management firm called Digital Shadows — it details increased threats associated with all of the common vulnerabilities specially affecting ERP applications.

More and more, these threats are getting increased attention from malicious actors. There is enough evidence now to show a significant increase with many of the SAP and Oracle application modules on the darknet, which includes; criminal and underground efforts that contain details on how to attack supply chains or the lifeblood of any business like the ERP (i.e. SAP) applications, and even the latest SAP-HANA cloud-based applications.

Another example from the Onapsis and Digital Shadows report explains the key SAP modules and the 30 Oracle enterprise business suite technology stacks that were discovered on the darknet cloud forum, which was all from a scan performed by Digital Shadows.

The report helps as an alarm for all organizations to understand that cyber security for key ERP applications is a serious matter. We now have a catalog of cyber security courses and degrees that will allow more expertise to enter the workforce, while students are rethinking cyber security as a career.

Some Key Findings:

1. The risks are growing year over year. Common vulnerability reports and assessments are exploiting and increasing the attack surface, especially for organizations that are falling behind on security patches.
2. The interest from cyber attacks in vulnerabilities affecting ERP (i.e. SAP) applications is growing considerably year over year — more specifically 130% from 2016 to 2017.
3. Nine operations from hacktivist groups have been discovered with claims of sabotaging operations and compromising business-critical applications.
4. A well-known malware, Dridex, was found to be updated in 2017 and as recently as February 2018 to target the most widely used SAP client software, enabling cybercriminals to steal valid SAP user credentials.
5. Over 500 configuration files were discovered on insecure file repositories over the internet, along with employees sharing ERP login credentials in public forums.
6. Threat actors are incorporating SAP applications as part of the scope of their campaigns, as shown in over 20 examples throughout the report.
7. Some 17,000 SAP and Oracle software installations are exposed to the internet at more than 3,000 top companies, government agencies and universities.
8. More than 4,000 known bugs in SAP and 5,000 in Oracle software pose security threats, especially in older systems that have not been patched or upgraded.

A Simple (But Many Times Avoided) Solution

Hackers are interested in all the above (do not think they do not read the same report). They are not only targeting external ERP-facing applications, but internal ones as well. This is becoming their sandbox and they know that the lifeblood of any business is in the supply chain.

The latest versions of many of the ERP applications are a target — the report referenced examples of the afterthought affect: The office of the CIO is now requesting any known ERP vulnerability alert reports. Yes, I did say any, but this may be too late.

More often than not, passwords like “erp123,” as a default, is shown to have been used more often and compromised using the remote desktop protocol (RDP) session. RDP is a unique protocol that provides users with a GUI that connects one computer to another over a public or private network.

It is imperative that enterprises ensure that all employees are adequately educated on password etiquette, according to IBM Cyber Security Advisor Michael Melore.

See Related: “Weak Passwords Are Costing Enterprises Millions”

Hackers want to attack mission-critical supply chain systems due to the easy access they have, and the volume of mission critical data and artifacts businesses have. Just recently Oracle released one of its security patches for the WebLogic middleware application, which is the app server for its Peoplesoft solution. Not long after a vulnerability alert was made available, the company found a series of security gaps that were flagged by the digital shadows findings.

As such, it is important to have cyber security checks and balances in place, as well as the proper employee training more frequently than not. This means that for every employee in the organization, there must be some sort of certificate of training completion that shows the understanding of how crucial cyber security is within the enterprise — especially for mission-critical applications. In fact, I would take it to another level and make a condition of employment. 

See Related: “Driving A Cyber Security Culture Into The Business”