SAP has 180,000 global customers, with 75% of the Forbes 500 companies running its system. Potentially, we are looking at a huge population of corporate systems at high risk.
SAP’s HANA, its new in-memory, column-oriented relational database management system, which is designed to handle both high transaction rates and complex query processing, is turning out to be a major issue!
According to experts from Onapsis, the global experts in business-critical application security and SAP cybersecurity solutions, a whopping 95% of all SAP systems in the world are exposed to vulnerabilities that can completely compromise a company’s business data and processes! With these companies’ intellectual property, financial, credit card, customer and supplier data and the Business Intelligence (database warehouse) information in harm’s way, what we are looking at is a lurking catastrophe in the making!
As if that weren’t bad enough, SAP’s security team isn’t good enough to meet the challenge. The window to implement a patch to plug these risks is 18 months and over.
HANA itself has been responsible for a 450 percent increase in new security patches. HANA is the underlying database layer for both the transactional and the data warehouse (BW/BOBJ) layers, which means that data needs to be secured both in the cloud and in on-premise systems. This itself has meant a phenomenal rise in the security risk to SAP.
Three ways for hackers to breach an SAP system’s security are:
Customer Information and Credit Card Breaches Using Pivoting Between SAP Systems. The attack begins with a pivot from a system with lower security to a critical system in order to execute remote function modules in the destination system.
Customer and Supplier Portal Attacks. Backdoor users are created in the SAP J2EE User Management Engine. By exploiting a vulnerability, the hacker can obtain access to SAP Portals and Process Integration platforms and their connected, internal systems.
Database Warehousing Attacks through SAP proprietary protocols. This attack is performed by executing operating system commands under the privileges of a particular user, and by exploiting vulnerabilities in the SAP RFC Gateway. The hacker is able to obtain and potentially modify any business information stored in the SAP database.
In the coming years, if SAP does not gear up for this, we could see a very difficult time for SAP’s customers.
Here is a video for another perspective on the high security risks to SAP’s system.
Image source: IT News Australia