
New Report Maps CIS Critical Security Controls Against SAP

The SANS/CIS list of twenty critical security controls (CSCs) is a living document reflecting world-wide expert opinion on the primary controls that can best mitigate cyber attacks. While it lists the controls, it makes no suggestion on how they should be implemented in any specific situation. Barbara Filkins, a senior SANS analyst, has now published a document mapping these controls against SAP: Blueprint for CIS Control Application: Securing the SAP Landscape.

A good map is an effective cheat sheet. Hard-pressed security officers are able to follow the map to ensure that all – or at least, most – security angles are covered for any relevant topic. Filkins offers advice on each of the SANS critical security controls aimed specifically at providing security for SAP implementations.

The Filkins map is divided into four main steps. Each one is presented in the traditional mapping format: a table that lists the actions required against each control topic. It is not a simple sequential run-through of the top twenty controls, but rather four separate groupings related to individual areas. These are: tailor the operating processes; secure the landscape; configure the technical controls; and align with administrative and management controls.

The aim, however, is that these tables should give quite detailed recommendations for securing SAP against those top twenty controls. For example, CSC 16 states simply, ‘Account Monitoring and Control’. This is elaborated in three of Filkins’ four separate steps. In the first it comes under ‘account management’, which also references CSC 5 and CSC 14. In the third step it is elaborated within ‘Account Monitoring and Control’. And in the fourth step, again with the sub-heading ‘Account Monitoring and Control’, it gives details on ‘proper password management through configuration of user-related parameters and settings’.

There are few known attacks against SAP. Although Anonymous has claimed to have successfully attacked government organizations using SAP zero-day exploits, there has so far only been one clear example. Nextgov.com reported 10 May 2015 that the entry point for the OPM breach and data exfiltration was third-party software: “That software apparently was an SAP enterprise resource planning application.”

But despite the current lack of successful SAP or ERP attacks, Filkins notes that “Since 2012, the number of vulnerabilities reported annually in SAP systems has risen substantially… Meanwhile, the overall number of security patches reported by SAP has decreased.” It is unlikely, she warns, “that attackers will continue to ignore such a dramatic indication that SAP systems can be an easy path to rich veins of valuable data.”

One of the problems for SAP and its users is the sheer complexity of implementations. On May 11, 2016, US-CERT issued alert TA16-132A (Exploitation of SAP Business Applications). Onapsis, which incidentally sponsored the Filkins document, claimed to have found indicators of exploitation against 36 large-scale global enterprises. The vulnerability, however, had been ‘patched’ by SAP five years earlier, in 2010.

In fact, all SAP did was disable the Invoker Servlet in its NetWeaver 7.20 released in that year. This month it explained that the Invoker Servlet had not been disabled by default in older versions of NetWeaver because of the danger that it would break customers’ custom software built around SAP. This is a continuing problem for complex implementations that are at the heart of business – they are difficult to patch, but prove very expensive if breached.


The California Data Breach Report published in February this year makes a number of recommendations on cyber security. The first is, “The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet.” More worryingly, in a report from the office of the California Attorney General, it adds, “The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

Barbara Filkins’ CSC/SAP map will help all SAP users meet and demonstrate at least ‘reasonable security.’

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
