Onapsis also identified the three most common attack vectors used to compromise SAP business systems at the application layer (listed below). These put intellectual property, financial, credit card, customer, supplier and data-warehouse information at risk at the world's largest companies.
Onapsis states its research is based on assessments of hundreds of SAP implementations and shows that over 95% of installations were exposed to vulnerabilities with the potential for full compromise of the company's business data and processes.
Onapsis also states that most companies have protracted patching windows, with security fixes taking an average of 18 months or more to be applied.
In 2014 SAP issued 391 security patches, an average of more than 30 per month. Almost 50% were ranked high priority, yet according to Onapsis the vast majority of SAP sites do not apply them in a timely fashion.
SAP's reach should not be underestimated. Its software is run by over 250,000 customers across the world, including 87% of Global 2000 companies and 98 of the 100 most-valued brands.
The research findings present the sobering realisation that vast volumes of global data are not protected from cyber threats.
Mariano Nunez, CEO and co-founder of Onapsis, states "The big surprise is that SAP cybersecurity is falling through the cracks at most companies due to a 'responsibility' gap between the SAP Operations team and the IT security team."
"The truth is," he stated, "most patches applied are not security-related, are late or introduce further operational risk. Breaches are happening every day and most [Chief Information Security Officers] don't know because they don't have visibility into their SAP applications."
"Companies today are looking ahead at the opportunities presented by moving systems to the cloud, enabling user adoption through mobile devices and big data. The challenge is that most of these new possibilities rely on legacy systems such as SAP. In a connected world, it is essential that critical business applications be protected. Securing a company’s crown jewels is a board-level discussion. Information security professionals need to re-evaluate how SAP is protected from cybersecurity threats," said Renee Guttmann, Vice President, Office of the CISO, Accuvant.
1. Customer and supplier portal attacks, in which backdoor users are created in the SAP J2EE User Management Engine (UME).
2. Direct attacks over SAP's proprietary protocols, exploiting vulnerabilities in the SAP RFC gateway.
3. Customer information and credit card breaches achieved by pivoting between SAP systems, moving from a less protected system to a critical one.
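The page does not detail how the gateway attacks in vector 2 are carried out, so the check below is an added example written for this page, not Onapsis' or SAP's own tooling. It audits the SAP gateway's two ACL files, secinfo (which users may start which external programs, from where) and reginfo (which programs may register with the gateway, from where), for the over-permissive rules a practitioner hardening the gateway looks for first. It assumes the VERSION=2 syntax SAP documents for these files (one rule per line, `P` permit or `D` deny followed by `KEY=VALUE` pairs, evaluated top to bottom with the first match winning); the program IDs, hosts and users in the sample files are constructed.

```python
"""Audit SAP Gateway ACL files (secinfo and reginfo) for permissive rules.

Added example for this page, not Onapsis' or SAP's own tooling.  Assumes
SAP's documented VERSION=2 syntax: one rule per line, 'P' (permit) or 'D'
(deny) followed by KEY=VALUE pairs, evaluated top to bottom, first match
wins.  All file contents below are constructed for illustration.
"""
from dataclasses import dataclass, field

WILDCARD = "*"


@dataclass
class Rule:
    action: str                        # "P" (permit) or "D" (deny)
    attrs: dict = field(default_factory=dict)
    lineno: int = 0


def parse_acl(text: str) -> list:
    """Parse secinfo/reginfo text into Rule objects, skipping comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                   # blank, comment, or the #VERSION=2 header
        action, *pairs = line.split()
        action = action.upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        attrs = {}
        for pair in pairs:
            key, sep, value = pair.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: expected KEY=VALUE, got {pair!r}")
            attrs[key.upper()] = value
        rules.append(Rule(action, attrs, lineno))
    return rules


def audit(rules: list, kind: str) -> list:
    """Return (kind, lineno, message) findings for one ACL file.

    kind is "secinfo" or "reginfo".  Only an explicit '*' is treated as a
    wildcard; omitted attributes are not judged here (check their defaults
    against the SAP documentation for your release).
    """
    findings = []
    shadowed_from = None               # line number of the first catch-all permit
    # Match criteria: TP and HOST in both files, plus USER in secinfo.
    criteria = {"TP", "HOST"} | ({"USER"} if kind == "secinfo" else set())
    for r in rules:
        if shadowed_from is not None:
            # First match wins, so nothing after a catch-all permit can ever apply.
            findings.append((kind, r.lineno,
                             f"unreachable: shadowed by catch-all permit on line {shadowed_from}"))
            continue
        if r.action != "P":
            continue
        wild = {k for k, v in r.attrs.items() if v == WILDCARD}
        if criteria <= wild:
            findings.append((kind, r.lineno,
                             "catch-all permit: " + " ".join(f"{k}=*" for k in sorted(wild))))
            shadowed_from = r.lineno
        elif "TP" in wild:
            findings.append((kind, r.lineno,
                             f"TP=*: any program permitted from HOST={r.attrs.get('HOST', '<unset>')}"))
        elif kind == "reginfo" and "ACCESS" in wild:
            findings.append((kind, r.lineno,
                             f"ACCESS=*: any host may call registered program {r.attrs.get('TP', '<unset>')}"))
    return findings


def audit_file(text: str, kind: str) -> list:
    return audit(parse_acl(text), kind)


# Constructed: a reginfo that lets any host register any program; the deny
# line that follows it is dead because the permit above matches everything.
WEAK_REGINFO = """\
#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
D TP=*
"""

# Constructed hardened reginfo.  'local' and 'internal' are SAP's keywords for
# the gateway host and the system's own application servers; program IDs and
# host names are made up.
HARDENED_REGINFO = """\
#VERSION=2
P TP=PRD_RFC_SERVER HOST=local ACCESS=internal CANCEL=internal
P TP=PRD_BATCH_SRV HOST=prdapp01,prdapp02 ACCESS=internal CANCEL=internal
D TP=*
"""

# Constructed hardened secinfo: one permitted external program, then deny all.
HARDENED_SECINFO = """\
#VERSION=2
P TP=/usr/sap/PRD/SYS/exe/run/sapxpg HOST=prdapp01 USER=prdadm
D TP=*
"""

if __name__ == "__main__":
    for name, text, kind in [("weak reginfo", WEAK_REGINFO, "reginfo"),
                             ("hardened reginfo", HARDENED_REGINFO, "reginfo"),
                             ("hardened secinfo", HARDENED_SECINFO, "secinfo")]:
        found = audit_file(text, kind)
        print(f"{name}: {len(found)} finding(s)")
        for _, lineno, msg in found:
            print(f"  line {lineno}: {msg}")
```

Run against the constructed files, the weak reginfo yields two findings (the catch-all permit on line 2 and the unreachable deny on line 3) while both hardened files yield none. On a real system the files live in the gateway's data directory and are only enforced when the `gw/acl_mode` and `gw/reg_no_conn_info` profile parameters are set as SAP recommends, so the file audit is one part of the check, not the whole of it.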
Nunez states, "This trend is not only continuing, but exacerbating with SAP HANA, which has brought a 450% increase in new security patches specifically affecting this platform."
This news follows earlier research this week indicating that 85% of SAP customers were not interested in moving to S/4HANA, citing the large amount of work and expense of migrating for no clear return on investment.
Onapsis' findings now show that SAP HANA users who are not proactive with patching face risks both in the cloud and on-premises.
It should go without saying, but Global 2000 organisations running critical business processes on SAP Business Suite are urged to stay up to date with the latest SAP Security Notes, and to ensure their systems are configured properly both to meet compliance requirements and to strengthen security. Companies need an action plan that adds SAP security to the organisation's strategy and roadmap.