The misconception

When we talk to companies about SAP cyber security and basic security, the conversation often quickly comes to roles and authorizations. Many companies believe that their SAP systems are safe from hackers if they have only correctly assigned the roles and authorizations. Unfortunately, this is completely wrong and therefore worth a blog article.

The problem

Traditionally, SAP systems were only accessible on a company's intranet, and due to a lack of security research and corresponding publications, virtually no attack vectors were known except for the obvious one: if a user had too many rights, they could do things that harm the company. For this reason, securing SAP systems meant focusing on correctly assigning roles and authorizations. Unfortunately, even some SAP security companies today advertise that they provide SAP cyber security even though they only have roles and authorizations in their portfolio. But anyone who focuses only on this area risks overlooking far more dangerous gaps.

It is indisputably harmful for a company if, for example, an employee can both create suppliers and approve or transfer their invoices. She could set herself up as a supplier and then transfer money to herself — a classic scam. From a security point of view, however, this is an abuse of the assigned rights. The employee does not need any technical knowledge of SAP systems, programming languages, protocols or application security to do this. She simply has to operate the existing programs.

The situation is completely different in the following scenario: A cleaning service employee who cleans a company's premises in the evening connects his computer to a network socket. He performs a port scan to determine whether there are SAP installations on the network. Several SAP systems are identified. Next, he tests whether the SAP gateway is insufficiently secured on these systems. On one of them it is. The attacker uses this circumstance to copy a transport to that server using operating system commands and then import it into the SAP system. Since his transport contains a user account including a password and an appropriate role, he now has full access to the SAP system. He notices that it is a test system that does not contain any real data. But he quickly finds out that this test system has an RFC connection to a production system for which a user with high privileges is stored. With existing SAP function modules, he can now download all data from the production system and offer it for sale on the darknet. At the very least, he could completely destroy the hijacked test system.

That is a cyber attack. And it has far more serious consequences than the fraudulent transfer in the first example. In addition, the attack is anonymous, which makes identifying the perpetrator much more difficult than in the fraud case. Above all, this cyber attack clearly shows that specialist knowledge and several vulnerabilities were involved. These vulnerabilities have different causes: inadequate system hardening and poor RFC topology and protection. Both are areas of SAP cyber security, but by no means the only ones.
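The first step in the scenario above relied on a gateway with an overly permissive access control list. The following script, added here as an example and not code from the original article, parses gateway ACL rules in the version-2 secinfo/reginfo syntax and flags permit rules that allow any program from any host; the sample file is constructed, and the "wide open" heuristic is the example's own.

```python
"""Audit SAP gateway ACL files (secinfo/reginfo, version-2 syntax) for
permit rules that are open to any program from any host.
Added example for this article; the sample file below is constructed."""
import re

# A version-2 rule line is 'P' (permit) or 'D' (deny) followed by KEY=VALUE
# tokens: TP (program), HOST, USER, USER-HOST in secinfo; TP, HOST, ACCESS,
# CANCEL in reginfo. '*' matches anything; lines starting with '#' are comments.
RULE_RE = re.compile(r"^\s*([PD])\s+(\S.*)$", re.IGNORECASE)
HOST_KEYS = ("HOST", "USER-HOST", "ACCESS")  # fields that scope a rule to hosts

def parse_acl(text):
    """Return [(action, {KEY: value}), ...] in file order; skips comments/blank lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        fields = {}
        for token in m.group(2).split():
            key, _, value = token.partition("=")
            fields[key.upper()] = value
        rules.append((m.group(1).upper(), fields))
    return rules

def is_wide_open(action, fields):
    """True for a permit whose program and every host field are wildcards
    (an absent host field is treated as '*', since nothing restricts it)."""
    if action != "P" or fields.get("TP", "*") != "*":
        return False
    return all(fields.get(k, "*") == "*" for k in HOST_KEYS)

def risky_permits(rules):
    """0-based indexes (in rule order) of wide-open permit rules."""
    return [i for i, (action, fields) in enumerate(rules) if is_wide_open(action, fields)]

# Constructed secinfo sample: rule 2 is the "any program from any host" entry
# that lets an unauthenticated network neighbour start OS programs via the gateway.
SAMPLE_SECINFO = """\
#VERSION=2
P TP=* HOST=internal USER=* USER-HOST=internal
P TP=/usr/sap/TST/backup.sh HOST=apphost01 USER=sapadm USER-HOST=apphost01
P TP=* USER=* HOST=* USER-HOST=*
D TP=* USER=* HOST=* USER-HOST=*
"""

if __name__ == "__main__":
    parsed = parse_acl(SAMPLE_SECINFO)
    for i in risky_permits(parsed):
        print(f"rule {i}: wide-open permit {parsed[i][1]}")
```

Run it against the real secinfo and reginfo files of each instance; a hit means the gateway, not the role concept, is the weakest link.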

Our Conclusion

Roles and authorizations are undoubtedly an important aspect of SAP security. But if you want to secure an SAP landscape, you have to cover all aspects. The attacker has the luxury of choosing the weakest link in the defense. Basic protection should therefore be put in place in all relevant areas in order to block the most dangerous attack vectors. A procedure based on risks rather than on topics is recommended; in this way, the existing budget can be distributed optimally among the relevant risks. Companies that focus only on roles and authorizations risk overlooking far more dangerous entry points.

We DO SAP Cybersecurity

Maximize the security of your SAP systems with us.