A Programmatic Approach to ERP Vulnerabilities

The CISO and security organizations often overlook mission-critical applications such as SAP and Oracle. However, these systems are essential to all major business processes and hold extremely sensitive customer and employee data. Their security is a must-have, not a nice-to-have. So, how do you go about it? Here I detail how a CISO can develop a programmatic approach to securing business-critical ERP systems, especially in light of significant vulnerabilities such as the recently discovered RECON. The CISO of any organization is ultimately responsible for ensuring the business is protected. Therefore, securing the ERP application from a breach is one of the fundamental responsibilities of a CISO. I should know!

Businesses depend on the availability of ERP applications to keep operations predictable, while at the same time continually improving ERP capabilities to align more tightly with ever-changing business requirements. For a CISO, security maintenance of ERP applications frequently competes with enhancements to those same applications. At times, security maintenance can mean delaying an enhancement. At the same time, resources are focused on testing enhancements, so testing and applying security patches can be difficult, if not impossible. Particularly with ERP systems, getting the resources necessary for regular security maintenance activities can be a challenge.

So, what can we do?

Despite the best effort to maintain reliable vulnerability landscape data and prioritize patches, bad actors can reside anywhere around or inside the applications. ERP security must be part of a layered security strategy, and those layers must be at the application level, which is where the data resides. Today, it is widely understood that network perimeter security is insufficient, and the new perimeter is where the data resides.

With a security-by-design program, you have visibility into your business-critical application environment, the ability to assess for vulnerabilities, prioritize and fix them, prevent configuration drift, and detect potential malicious attacks or internal misuse. This program establishes security baselines for assessing and monitoring code, configurations, and aspects of your business processes, from development through to production.

This programmatic approach to security and compliance of ERP applications consists of standard elements, such as:

  • Identifying vulnerabilities and their associated risk to the business
  • Prioritizing remediation by risk levels
  • Identifying the impact of remediation on the ERP application (What level of testing is required?)
  • Scheduling the remediation/change in a non-production environment
  • Testing the solution
  • Promoting the solution to production

At times, emergency patching is required, as was the case with the recent RECON vulnerability, which represents a serious risk to any company that was or is vulnerable to exploitation. Indeed, situations like those presented by the RECON vulnerability benefit from the layered security approach. In cases like this, the company should follow its emergency change procedure and deploy or enhance applicable countermeasures to detect and prevent exploitation while the patch is reviewed and tested for production readiness.

With a programmatic approach to patching ERP applications, the pressure to rush patches into production and risk creating unintended problems is largely reduced.

In July, SAP issued patches for the RECON vulnerability, which was identified and disclosed to SAP by the Onapsis Research Labs. Because of its severity and the number of potentially vulnerable Internet-exposed SAP systems, DHS-CISA and many other global organizations issued CERT alerts warning organizations of the RECON vulnerability’s criticality. Both SAP and Onapsis urged organizations using SAP applications to apply the patches immediately. In the days following the release of the RECON patches, the Onapsis Research Labs and other security and threat intelligence organizations and researchers witnessed and reported rapid threat activity, including scanning for vulnerable systems and, ultimately, weaponized exploit code being posted publicly. This content is part of a coordinated effort with threat intelligence experts, researchers, and organizations to provide further insight, intelligence, and actions you should take to ensure your organization is protected from the RECON vulnerability.

All the parts can be found here:

Joseph S. Erle, MBA, CIC, CRM, TRA

#cyberinsurance | Getting Businesses Secured and Insured

1mo

Anthony Guerra

Principal Enterprise Account Executive at HackerOne | Peace of mind from security’s greatest minds

1y

Jason, thanks for sharing!

Juan Perez-Etchegoyen

CTO @ Onapsis - Information Security Professional

3y

Thanks for your insights, Jason Fruge! It definitely adds great context on a comprehensive solution towards security vulnerabilities in business-critical applications.
