The SANS CIS top twenty critical security controls (CSCs) is a living document reflecting world-wide expert opinion on the primary controls that can best mitigate against cyber attacks. While it lists the controls, it makes no suggestion on how they should be implemented in any specific situation. Barbara Filkins, a senior SANS analyst, has now published a document mapping these controls against SAP: Blueprint for CIS Control Application: Securing the SAP Landscape.
A good map is an effective cheat sheet. Hard-pressed security officers are able to follow the map to ensure that all – or at least, most – security angles are covered for any relevant topic. Filkins offers advice on each of the SANS critical security controls aimed specifically at providing security for SAP implementations.
The Filkins map is divided into four main steps. Each one is presented in the traditional mapping format: a table that lists the actions required against each control topic. It is not a simple sequential run through of the top twenty controls, but rather four separate groupings related to individual areas. These are: tailor the operating processes; secure the landscape; configure the technical controls; and align with administrative and management controls.
The aim, however, is that these tables should give quite detailed recommendations for securing SAP against those top twenty controls. For example, CSC 16 states simply, ‘Account Monitoring and Control’. This is elaborated in three of Filkins’ four separate steps. In the first it comes under ‘account management’, which also references CSC 5 and CSC 14. In the third step it is elaborated within ‘Account Monitoring and Control’. And in the fourth step, again with the sub-heading ‘Account Monitoring and Control’, it gives details on ‘proper password management through configuration of user-related parameters and settings’.
There are few known attacks against SAP. Although Anonymous has claimed to have successfully attacked government organizations using SAP zero-day exploits, there has so far only been one clear example. Nextgov.com reported 10 May 2015 that the entry point for the OPM breach and data exfiltration was third party software: “That software apparently was an SAP enterprise resource planning application.”
But despite the current lack of successful SAP or ERP attacks, Filkins notes that “Since 2012, the number of vulnerabilities reported annually in SAP systems has risen substantially… Meanwhile, the overall number of security patches reported by SAP has decreased.” It is unlikely, she warns, “that attackers will continue to ignore such a dramatic indication that SAP systems can be an easy path to rich veins of valuable data.”
One of the problems for SAP and its users is the sheer complexity of implementations. On May 11 2016, US-CERT issued alert TA16-132A (Exploitation of SAP Business Applications). Onapsis, who incidentally sponsored the Filkins document, claimed to have found indicators of exploitation against 36 large-scale global enterprises. The vulnerability, however, had been ‘patched’ by SAP five years earlier in 2010.
In fact, all SAP did was disable the Invoker Servlet in its NetWeaver 7.20 released in that year. This month it explained that the Invoker Servlet had not been disabled by default in older versions of NetWeaver because of the danger that it would break customers’ custom software built around SAP. This is a continuing problem for complex implementations that are at the heart of business – they are difficult to patch, but prove very expensive if breached.
The California Data Breach Report published in February this year makes a number of recommendations on cyber security. The first is, “The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet.” More worryingly, in a report from the office of the California Attorney General, it adds, “The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
Barbara Filkins CSC/SAP map will help all SAP users meet and demonstrate at least ‘reasonable security.’