Onapsis is the leading provider of solutions to protect ERP systems from cyber-attacks. Through our innovative software solutions, our global customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks.
Network Products Guide: What can we learn from recent cyber attacks? What’s basically wrong with the approach most security solution providers are taking?
Mariano Nunez: Recent cyber-attacks prove to be targeted and highly sophisticated. Security solution providers are ensuring that companies are protected against threats affecting different technologies: mobile, Web applications, user browsers, etc. However, while highly important, we regard an attack exploiting them as a means, not as the cyber-criminal’s end-goal. Attackers are exploiting them to get a first foot into the target corporation, but the exploited systems or applications do not usually contain the information they are after. If the motive is to perform espionage, sabotage or financial fraud attacks, the targeted information is stored in the ERP systems (grouping CRM, SCM and other business-critical applications).
Our practical experience assessing ERP platforms shows that they are usually widely exposed to technical vulnerabilities and cyber-attacks. Therefore, most intruders do not actually need to attack the “intermediary” systems, as they can exploit the ERP systems and access the business crown jewels directly.
About Mariano Nunez
Mariano Nunez is the CEO at Onapsis. A respected authority in the ERP field, he was the first to publicly present on cyber-security risks affecting SAP platforms and how to mitigate them. He has been invited to hold presentations in major security conferences, as well as in Fortune-100 companies and military organizations.
He discovered several critical vulnerabilities in SAP applications and developed the first open-source SAP & ERP penetration testing frameworks. Mariano has been interviewed and featured in mainstream media such as CNN, Reuters, IDG, New York Times, eWeek and PCWorld and has been distinguished by the MIT TR35 publication.
Network Products Guide: The purpose of ERP is to facilitate the flow of information between all business functions inside the boundaries of the organization while being effectively integrated with external connections too. How has ERP security changed during the last few years?
Mariano Nunez: Several years ago, ERP security was basically regarded as a synonym of Segregation of Duties controls: enforcing strict user authorizations to ensure that ownership of a business process was split among different individuals. Therefore, compliance audits and security assessments were solely focused on reviewing employees’ authorizations in the ERP systems, and ensuring that nobody had more authorizations than they should.
However, in 2007 Onapsis’ experts made the first public presentation demonstrating that there was a false sense of security in this discipline: SoD security controls were not protecting the systems against cyber-attacks on the systems’ technological frameworks. Therefore, awareness was raised regarding the fact that systems that were once believed to be secure (as they had SoD controls properly applied) were actually exposed to high-impact attacks that could be performed even by intruders who didn’t have a valid user in the ERP systems. This changed the industry radically, demonstrating that ERP security must be addressed holistically and that SoD controls, while highly important, are not enough to protect the systems against modern threats.
Furthermore, during the last years, ERP systems have become more connected to untrusted networks (such as the Internet), significantly increasing the probability of successful attacks from remote locations.
Network Products Guide: Why have ERP systems simply become an easy target for cyber-attacks? Who is responsible for these attacks?
Mariano Nunez: The main factor that makes cyber-attacks on ERP systems easy is that some organizations still have not implemented a holistic ERP application security risk management process. In the first place, as many of these systems are shipped with default insecure configurations and customers do not know how to protect them, they are currently widely exposed to technical attacks with big business impact. Secondly, ERP customers are struggling with applying vendor-provided security patches promptly. This further exposes platforms to exploits which are many times found in the public domain.
Regarding who is behind these attacks, I certainly believe that we are not dealing with script-kiddies playing in their garage with free tools. However, that should not confuse us regarding how we analyze the risk of this threat: attackers going after ERP systems will certainly have the right skills and resources to perform targeted attacks and, should they succeed, they would be able to perform espionage, sabotage and financial fraud activities over our business-critical information. Probable sources are unethical competitors, state-sponsored attacks and hacktivist groups. In fact, in October 2012, Anonymous claimed to have broken into the Greek Ministry of Finance and to have an SAP exploit that they were going to use widely.
Network Products Guide: Based on your experience, what advice would you give to CIOs/CSOs? Are there any solutions that can help companies to automate this task?
Mariano Nunez: My advice to CIOs/CISOs would be to start addressing this problem by evaluating their current posture regarding ERP application security threats. This would be the first step in order to understand the risks they may be facing, and manage them accordingly. I certainly believe it’s unrealistic to mitigate every single vulnerability, so having the right processes and solutions to help them understand and prioritize mitigation efforts is critical.
In this sense, Onapsis can help through its cutting-edge technology, which empowers Information Security professionals to be on top of these threats without having to be ERP security experts: Onapsis X1 is the first-and-only SAP-certified solution to automate SAP application security assessments, providing customers with a holistic analysis of their current risk exposure and with actionable information on how to remediate existing issues. The product consolidates more than seven years of cutting-edge SAP security research, featuring the largest knowledge-base of SAP application security risks, and is used by leading organizations such as the US Army, Siemens, Westinghouse, AXA Group, PwC and Deloitte, among others.
Company: Onapsis | USA