New Report Maps CIS Critical Security Controls Against SAP

The SANS CIS top twenty critical security controls (CSCs) is a living document reflecting world-wide expert opinion on the primary controls that can best mitigate against cyber attacks. While it lists the controls, it makes no suggestion on how they should be implemented in any specific situation. Barbara Filkins, a senior SANS analyst, has now published a document mapping these controls against SAP: Blueprint for CIS Control Application: Securing the SAP Landscape.

A good map is an effective cheat sheet. Hard-pressed security officers are able to follow the map to ensure that all – or at least, most – security angles are covered for any relevant topic. Filkins offers advice on each of the SANS critical security controls aimed specifically at providing security for SAP implementations.

The Filkins map is divided into four main steps. Each one is presented in the traditional mapping format: a table that lists the actions required against each control topic. It is not a simple sequential run-through of the top twenty controls, but rather four separate groupings related to individual areas. These are: tailor the operating processes; secure the landscape; configure the technical controls; and align with administrative and management controls.

The aim, however, is that these tables should give quite detailed recommendations for securing SAP against those top twenty controls. For example, CSC 16 states simply, ‘Account Monitoring and Control’. This is elaborated in three of Filkins’ four separate steps. In the first it comes under ‘account management’, which also references CSC 5 and CSC 14. In the third step it is elaborated within ‘Account Monitoring and Control’. And in the fourth step, again with the sub-heading ‘Account Monitoring and Control’, it gives details on ‘proper password management through configuration of user-related parameters and settings’.

There are few known attacks against SAP. Although Anonymous has claimed to have successfully attacked government organizations using SAP zero-day exploits, there has so far only been one clear example. reported 10 May 2015 that the entry point for the OPM breach and data exfiltration was third party software: “That software apparently was an SAP enterprise resource planning application.”

But despite the current lack of successful SAP or ERP attacks, Filkins notes that “Since 2012, the number of vulnerabilities reported annually in SAP systems has risen substantially… Meanwhile, the overall number of security patches reported by SAP has decreased.” It is unlikely, she warns, “that attackers will continue to ignore such a dramatic indication that SAP systems can be an easy path to rich veins of valuable data.”

One of the problems for SAP and its users is the sheer complexity of implementations. On May 11 2016, US-CERT issued alert TA16-132A (Exploitation of SAP Business Applications). Onapsis, who incidentally sponsored the Filkins document, claimed to have found indicators of exploitation against 36 large-scale global enterprises. The vulnerability, however, had been ‘patched’ by SAP five years earlier in 2010.

In fact, all SAP did was disable the Invoker Servlet in its NetWeaver 7.20 released in that year. This month it explained that the Invoker Servlet had not been disabled by default in older versions of NetWeaver because of the danger that it would break customers’ custom software built around SAP. This is a continuing problem for complex implementations that are at the heart of business – they are difficult to patch, but prove very expensive if breached.

The California Data Breach Report published in February this year makes a number of recommendations on cyber security. The first is, “The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet.” More worryingly, in a report from the office of the California Attorney General, it adds, “The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

Barbara Filkins’ CSC/SAP map will help all SAP users meet and demonstrate at least ‘reasonable security.’

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
