Security Teams Can Shift the Risk/Reward Ratio and Make ERP Applications Less Attractive Targets
A confluence of factors is putting hundreds of thousands of implementations of Enterprise Resource Planning (ERP) applications at risk of cyber attacks. These factors include the following:
● Cyber attackers can focus their efforts. The vast majority of large organizations have implemented ERP applications from one of two market leaders – SAP and Oracle. This means that attackers can concentrate on understanding and finding weaknesses within just one or both applications.
● The rewards are big. The largest organizations in the world support their most critical business processes and house their most sensitive information in these systems.
● They can leverage known vulnerabilities. ERP customers struggle to stay up to date with security vulnerabilities, secure configurations and security patches for a variety of reasons, including: complex system architecture, a high number of interfaces and integrations, customized functionality and little tolerance for system downtime. As a result, many organizations are implementing and running insecure ERP applications.
● The attack surface is expanding. Due to cloud, mobile and digital transformation projects, thousands of these applications are directly connected to the Internet and can increase an organization’s exposure to risk when security measures aren’t implemented correctly.
● Information is being leaked. Third parties and employees are exposing internal ERP applications unintentionally by using insecure file repositories over the Internet and sharing ERP login credentials in public forums.
The bottom line is that the risk/reward ratio is attractive. As a result, nation-state actors, cybercriminals and hacktivist groups are attacking these applications for the purposes of cyber espionage, sabotage, business disruption, data theft and even cryptocurrency mining. Evidence is rampant on the dark web, criminal forums, paste sites and social media where bad guys are sharing information and tools and bragging about successful breaches.
Clearly, ERP applications are not safe from attacks. “Behind-the-firewall” ERP implementations are being targeted. ERP applications in cloud environments, and on-premise as well, are directly accessible online. Even the traditional controls for ERP application security, such as user identity management and segregation of duties, are ineffective as attackers continue to evolve their tactics, techniques and procedures (TTPs), for example to include distributed Denial of Service (DDoS) attacks or banking trojans in combination with botnets.
Fortunately, as a security professional, there is a lot you can do to mitigate existing risks, particularly when you work with ERP administration to understand the technical complexities of these solutions, how they are deployed, and the processes they support. The following four recommendations can help to improve the cyber security posture of your organization’s ERP applications, whether deployed on premise or in public, private and hybrid cloud environments:
1. Identify and mitigate ERP application-layer vulnerabilities, insecure configurations and excessive user privileges. This includes aligning with your vendor’s security patching cadence (monthly for SAP and quarterly for Oracle), strengthening weak/default passwords, and reviewing user privileges for administrators and developers as well as those used for batch jobs and interfaces with other applications. Importantly, when deciding on which vulnerabilities to patch, you should look for the vulnerabilities that are being actively exploited by attackers, and those that have public exploits available.
2. Identify and remove dangerous interfaces and APIs between the different ERP applications in the organization, especially those with third parties and Internet-facing. This includes connections from/to development, quality assurance, and pre-production systems as they can be abused as pivot points; the use of encryption, service account privileges, and trusted relationships when configuring interfaces and APIs; and assessing whether sensitive applications are being exposed without a legitimate business reason.
3. Monitor and respond to sensitive ERP user activity and ERP-specific indicators of compromise. This includes suspicious user behavior, including both privileged and non-privileged users, for both technical and business user types; and implementing a repeatable process to incorporate ERP applications into existing incident monitoring and response processes and capabilities.
4. Monitor for leaked ERP data and user credentials. This includes monitoring threat intelligence sources to detect: compromised ERP credentials, ERP-related information that could have been inadvertently or maliciously exposed to the Internet, and evidence of exploits and vulnerabilities related to ERP applications that might be applicable to the organization’s environment.
Each of these recommendations must be applied across the entire ERP application platform – both business and technical components – and be executed on an ongoing basis as an organization’s environment and the threat landscape continue to evolve.
It’s clear that ERP applications are a target for cyber attackers. Fortunately, many of these controls and actions are adaptations of well-known information security best practices and programs. As security teams and ERP administration start collaborating to evolve current processes and implement these recommendations, they can shift the risk/reward ratio and make ERP applications less attractive targets.