Can a SAP system be hacked?

SAP

SAP systems are part of the critical company infrastructure because they process and store sensitive data and thus control the value-added processes. Although attacks by hackers, industrial spies and your own employees can cause enormous damage, many people in charge still lack the necessary security awareness. How else can it be explained that in market surveys there are always answers to be heard such as: "Of course there can be SAP security incidents in companies, but certainly not with us, something like this has never happened before!" When asked how this can be reliably determined, there is usually only one reaction: shrugs and long faces.

  1. The Top 15 Hacker Attacks on Businesses
    Companies around the world have been the focus of hackers and cyber criminals for years. Identity and data theft are particularly popular with computer crime supporters - no wonder that cyber risk insurance is becoming more and more popular. We'll show you 15 of the biggest hacking attacks on companies in recent years.
  2. Yahoo
    It wasn't until September that Yahoo had to admit the biggest hack of all time. There are now increasing signs that the same hackers had already outdone each other a year earlier: In a cyber attack in August 2013, the accounts of almost a billion Yahoo users were compromised. Names, email addresses, telephone numbers, dates of birth and encrypted passwords were tapped.
  3. Dyn
    A massive DDoS attack on the DNS provider Dyn caused a stir in October: With the help of a botnet - consisting of thousands of inadequately secured IoT devices - cybercriminals managed to paralyze three Dyn data centers. Amazon, GitHub, Twitter, the New York Times and some other large websites are down for hours.
  4. Cicis
    The US pizza chain Cicis also had to admit a hacker attack in mid-2016. As the company announced, the till systems of 130 branches were compromised. Credit card information theft is very likely. As in the case of Wendy's and Target, hackers also succeeded in infiltrating malware into the point-of-sale POS system with Cicis. The first attacks occurred in 2015, and in March 2016 the individual attacks intensified into a large-scale offensive. According to its own information, Cicis has now eliminated the malware.
  5. Wendy's
    At the beginning of July 2016, a hacker attack on the US fast food chain Wendy’s became known. Malware was found on the cash register systems - initially there were fewer than 300 affected branches. As it turned out, the malware attacks had been going on since autumn 2015. In addition, the burger chain announced that up to 1,000 branches would be affected. The customers' credit card details were apparently also stolen in the malware attacks. As in the case of The Home Depot, the hackers had obtained remote access to the cash register system of the fast food chain.
  6. Heartland Payment Systems
    The 2008 cyber attack on the US company Heartland Payment Systems is still considered one of the biggest hacks of all time when it comes to credit card fraud. Heartland is one of the world's largest providers of electronic payment processing. Around 130,000,000 credit card information was stolen in the course of the hack. The damage to Heartland amounted to more than $ 110 million, the majority of which was spent on out-of-court settlements with credit card companies. A group of cyber criminals was responsible for the hack. Their head, a certain Albert Gonzalez, was sentenced to 20 years in prison in March 2010 for his significant role in the Heartland hack. Heartland has been offering its customers a special security package since 2014 - including "breach warranty".
  7. Sony Playstation Network
    In April 2011, nothing worked for many Playstation owners around the world. The reason: a cyber attack on the digital service portal Playstation Network (PSN). In addition to the PSN's downtime of just under four weeks (!), The data (credit card information and personal data) of around 77 million PSN subscribers were also stolen during the cyber attack. Sony only informed its users about the hack for around six days - and had to accept harsh criticism for it. The cost of the PSN hack was approximately $ 170 million. Those responsible have not yet been identified.
  8. Livingsocial.com
    The online platform Livinggsocial.com (content comparable to Groupon) was the victim of a hacker attack in April 2013. The passwords, email addresses and personal information of around 50 million users of the e-commerce website were stolen. Fortunately, customer and partner financial information was stored in a separate database. The perpetrators of the security incident were not identified.
  9. Adobe Systems
    In mid-September 2013, Adobe became the target of hackers. Approximately 38 million records of Adobe customers were stolen in the course of the cyber attack - including the credit card information of nearly three million registered customers. The hackers behind the attack were not caught.
  10. Target Corporation
    Target Corporation is one of the largest retail companies in the United States. At the end of 2013, Target had to admit to a cyber attack in which around 70 million data records containing personal information from customers were stolen. Far more serious, however, was that among these were 40 million records that contained credit card information and even the associated PIN codes. Target had to invest around ten million dollars in out-of-court settlements with affected customers, and then CEO Gregg Steinhafel had to resign six months after the hack.
  11. Snapchat
    A small mistake at the end of December 2013 led hackers to publish the phone numbers and usernames of 4.6 million Snapchat users. Snapchat itself came under fire from users and security researchers because, as is so often the case, the reason for the publication of the data was a lack of security precautions. However, the problems hackers cause are usually less serious than the damage that follows once they are published. Even if you don't consider your username or phone number to be a big secret - a motivated attacker like a stalker or an identity thief could do bad things with this data. This hack, in turn, shows that all data is important - especially if it belongs to the users. It is safe to assume that the developers of Snapchat would have liked to have found this security flaw before the hackers.
  12. Ebay Inc.
    In May 2014, eBay became the target of cyber criminals. No payment information was stolen during the attack, but the email addresses, usernames and passwords of almost 145 million registered customers. The hackers apparently gained access to the company's databases through logins stolen from eBay employees. Those responsible were not identified.
  13. J.P. Morgan Chase
    With J.P. Morgan targeted one of the largest US banks by cyber criminals in July 2014. Around 83 million data records with names, addresses and telephone numbers of customers fell into the hands of the hackers. The criminals apparently gained access via stolen login data from an employee. However, J.P. Put up with Morgan's accusation of inadequate protection of its systems. Four people suspected of being involved in this hack have now been arrested in the United States and Israel.
  14. The Home Depot
    The US home improvement chain The Home Depot was the victim of a particularly devious hack in September 2014. Cyber ​​criminals had managed to smuggle malware into the cash register systems of over 2,000 branches. The result: 56 million credit card information from citizens of the USA and Canada was stolen directly when making payments in the Home Depot stores. In addition, 53 million email addresses fell into the hands of the hackers. The damage to the US company is estimated at around $ 62 million.
  15. Anthem Inc.
    Anthem is one of the largest health insurers in the United States. In February 2015, cyber criminals succeeded in stealing personal data from around 80 million customers. The records included social security numbers, email addresses, and postal addresses. Salary information from customers and employees was also stolen. After all: medical data should not have been affected. According to various security experts, the trail of the hack leads to China.
  16. Ashleymadison.com
    The addresses, credit card numbers and sexual preferences of around 40 million users were made public by a hacking group called Impact Team in August 2015 after a cyber attack on the affair portal Ashley Madison. The attack proved that Ashley Madison did not - as actually promised - delete users' personal information for a fee. The captured 30-gigabyte package contained a total of 32 million data records, including 15,000 government and military addresses of users. Parts of the page source code and internal e-mails from the operators were also exposed. Because of the intimate user data and the mysterious nature of Ashley Madison, this hacker attack is particularly delicate. The fact that the operators did not destroy personal data even on request shows a problem with companies that process personal data on different systems. But even such companies have to protect user information from dangers - regardless of whether the danger comes from external hackers, malicious insiders or accidental data loss. An Ashleymadison user has now filed a lawsuit against Avid Life Media in a Los Angeles court. The accusation: negligent handling of highly sensitive data. A motion for a class action has also been received. Should the court follow this, ALM could face billions in compensation claims.

Typical SIEM products fall short

The fact is: With the typical automated monitoring products, the so-called SIEM systems (S.ecurityI.nformation and E.vent M.anagement), companies are not able to detect possible SAP attacks quickly and securely. These systems are suitable for determining and correcting irregularities in the IT infrastructure. For this purpose, the log data from various sources such as the network, servers and databases are collected, correlated and linked to predefined rules in order to identify possible attack patterns.

In the event of an attack, the SIEM systems trigger an alarm, which is followed by defined measures: for example, the administrator receives specific information to stop certain IT activities immediately or to block users completely. In addition, SIEM systems are able to compare historical data with known attack patterns in order to find out retrospectively what exactly happened in the context of forensic analyzes.

As useful as the widespread SIEM products are for general IT security in companies, they cannot protect SAP systems from unauthorized access. This is because these SIEM solutions simply do not "understand" the special SAP protocols and evaluation options. The result: Time and again, companies only find out through press reports or - worse still - through the appearance of "competing products" on the market that their SAP systems have been hacked by industrial spies.

  1. IP filter
    The SIEM solution shows, among other things, which IP address is used to access certain data (in this case from an IRC connection) at certain times.
  2. Sources of danger
    Data is collected about running programs and web services.
  3. Type of traffic
    Which data traffic flows through which protocols and web services can also be traced.

Expert silos or "You take it, I'll have it for sure ..."

In addition to the technical limitations with regard to the SAP coverage of standard SIEM solutions on the market, there is an organizational aspect that has been observed on the market for many years: In companies, security is typically located in the IT department and the SAP competence center. If you ask the IT department about security, you will hear terms such as firewalls, operating systems, virtual private networks and SIEM - a very technical point of view.

However, if you talk to SAP experts, you come across terms such as roles and authorizations, access control, risk management - a perspective that aims to secure the application level. Since the IT department usually points to the SAP colleagues in the company when it comes to questions of SAP security, but they often see the topic of technical security in the IT colleagues, there is a gap in the detection of attacks urgently needs to be closed.

Upgrade or launch?

In order to protect themselves effectively against external and internal attackers, SAP customers must therefore do more to ensure the security of their SAP systems and applications. "Is there any unexpected activity in my SAP environment?", "Who is the attacker?" and "What kind of attack took place?" are the essential questions that must be answered quickly and linked to countermeasures. One possible approach is to "upgrade" the existing SIEM monitoring systems by developing the functions and logic required for evaluating and correlating the SAP log files. Although this requires a lot of in-house SAP know-how and a certain amount of time, it allows SAP security monitoring to be performed within the existing SIEM system environment.

Another option is to supplement the SIEM products with a new SAP security solution: SAP Enterprise Threat Detection (ETD) closes the gap in the monitoring of critical IT infrastructures. Since this solution "understands" all SAP protocols and log files, it is possible for the first time to detect attacks on SAP systems in real time. In principle, ETD works in a similar way to the SIEM systems: First, the SAP log files are transferred and analyzed in real time. If an attack has taken place, ETD recognizes its traces and triggers an alarm, which in turn triggers predefined follow-up activities. Forensic analyzes are also possible with ETD.