Palo Alto, CA, August 08, 2016 --(PR.com
)-- ERPScan, the most credible business application security provider, released the first comprehensive SAP Cybersecurity Threat Report.
The years 2015-2016 was game-changing for SAP Cybersecurity. Nowadays, top security experts agree on the importance of SAP Security (it was listed as a beyond 2016 trend at the Gartner Summit), SAP Security Incidents were covered in the world's leading media, and several guidelines on securing SAP systems were released. Nonetheless, the industry still lacks an in-depth research of different parts of SAP Cybersecurity.
To close this gap, ERPScan research team decided to slightly change the concept of its annual "SAP security in figures" research. The new SAP Cybersecurity Threat Report covers 3 main angles of SAP Cybersecurity, namely SAP Product Security, SAP Implementation Security, and SAP Security Awareness.
In 2011, when ERPScan published the annual research for the first time, SAP Security was in its initial state. The study was a proof what it is not only theoretical comprehensible but based on actual numbers and metrics. However, times have changed, and their research team always keeps up with the latest trend. ERPScan did not exclude the statistics but added some important parts, gathering together the history of all SAP security incidents and analyzing threats by conducting a worldwide scan for vulnerable SAP systems.
SAP Product Security
The average number of security patches for SAP products per year has slightly decreased.
However, it doesn’t mean that the number of the issues has dropped too. SAP now fixes multiple vulnerabilities in one patch while 3 years ago each patch addressed a particular one.
The list of vulnerable platforms has extended and now it includes modern cloud and mobile technologies such as HANA.
Because of cloud and mobile technologies, new SAP Systems became more exposed to the Internet and thus every vulnerability identified in these services can affect thousands of multinationals (just remember that 90% of the Fortune 2000 companies use SAP). For example, the latest reported issues in SAP Mobile affect more than a million of mobile devices.
There are vulnerabilities in almost every SAP module: CRM takes the leading position.
The most vulnerable products are CRM, EP, and SRM. However, one shouldn’t underestimate vulnerabilities affecting SAP HANA and SAP Mobile apps, as they attracted researchers’ (and, unfortunately, hackers’) attention quicker than the traditional modules.
The number of vulnerabilities in industry-specific solutions has grown significantly.
More than 160 vulnerabilities have been detected in industry-specific solutions. The most vulnerable types of them are SAP for Banking, Retail, Advertising Management, Automotive, and Utilities.
SAP Implementation Security
· Worldwide threat landscape grew up to more than 36000 systems.
Most of them (69%) should not be available directly via the Internet.
Critical Infrastructures and IoT devices are at risk.
SAP can act as a mediator between IT and OT systems. Thus, insecure SAP configurations can be used to exploit critical infrastructure.
SAP Security Awareness
· Almost half of unnecessarily exposed services is located in 3 countries where wide adoption of new technologies takes place (namely, USA, India, and China).
The number of SAP Security talks delivered at different conferences worldwide correlates with the number of unnecessarily exposed services (comparing to the total number of implemented systems).
Countries where the highest number of SAP Security presentations were delivered (namely, the USA, Germany, and the Netherlands) are characterized by more secure SAP system installations than countries where SAP researchers did not present their studies. ERPScan is proud to be invited to speak in 25 different countries across 6 continents. Hopefully, it somehow helped to increase SAP Security awareness worldwide.
“We used our own scanning method to gather information about SAP systems. Protocols used to interact with and between SAP servers are often proprietary and not well-known outside of the SAP IT world, so open scan resources don’t include them in their scans. What’s why we built a database of probe requests and then matches probe response to determine the state of the service. When we perform a check for a vulnerability; if there is no friendly payload, we try to fingerprint the version of a remote service to compute potential statistics,” commented Mathieu Geli, Director of SAP Threat intelligence.
Their reports of the series always help in decreasing the number of SAP systems exposed to cyber threats. ERPScan hopes the current edition won’t be an exception.