Layer Seven, Author at Layer Seven Security

SAP Security Notes, September 2023

Layer Seven on October 3, 2023

Hot news notes 3245526 and 3320355 patch critical code injection and information disclosure vulnerabilities in SAP BusinessObjects Intelligence Platform (BOBJ). Note 3245526 was re-released in September with updated support package and patch level details. The note patches a command injection vulnerability that can be exploited to escalate privileges in the platform. The vulnerability impacts the Enterprise component in BOBJ versions 4.2 and 4.3.

Note 3320355 removes sensitive information in responses from Promotion Management in BOBJ to clients in order to prevent information disclosure that could lead to the complete compromise of the application. Attackers require access to the promotion job folder for exploitation of the vulnerability. A temporary workaround can be applied by removing rights to the folder from users that do not require access.

Note 3370490 addresses a high-priority cross-site scripting vulnerability in the BOBJ Web Intelligence HTML interface. Due to insufficient file type validation, the Web Intelligence HTML interface allows a report creator to upload files from the local system into a report over the network. When uploading an image file, an authenticated attacker could intercept the request, modify the content type and the extension to read and modify sensitive data. The solution included in note 3370490 patches the vulnerability by blocking unauthorized file types.

Note 3327896 removes a high-risk buffer overflow vulnerability in the SAP Common Crypto Library that could be exploited to trigger a denial of service. A manipulated data package with a corrupted SNC NAME ASN.1 structure can lead to a parser error and crash the application. Customers should upgrade to CommonCryptoLib to 8.5.49 or higher.

Layer Seven Security Release Updated Ransomware Guide for SAP

Layer Seven on September 19, 2023

Earlier this month, MGM Resorts reported a major cyber attack that severely disrupted its operations including online and payment processing systems. Threat actors are reported to have breached MGM’s network and systems and exfiltrated several terabytes of sensitive data. The company was forced to shut down several key systems as it worked with law enforcement agencies and cybersecurity companies to investigate and contain the breach.

MGM reported the incident in form 8-K filings required by the Securities and Exchange Commission (SEC). New SEC rules effective from September 5 require publicly listed organizations in the U.S to disclose material cybersecurity incidents within four business days.

The hacking group Scattered Spider, part of the ALPHV cyber criminal organization, has claimed responsibility for the breach. Scattered Spider is believed to have breached around 100 organizations within the last two years, mostly in the U.S and Canada. According to statements released by ALPHV, also known as BlackCat, the group was able to breach MGM by exploiting vulnerabilities in an access and identity management provider and cloud tenant. Once they gained administrative access to more than 100 ESXi hypervisors at MGM, ALPHV began deploying ransomware in the compromised systems. Ransomware is a form of malware that encrypts the file system to lock targets until a ransom is paid by the victim.

Caesars Entertainment also reported in September that it had been the victim of a successful ransomware attack that breached personally-identifiable information in it’s loyalty program database including drivers license and social security numbers. Caesars disclosed in it’s 8-K filing with the SEC that the organization paid a $15 million ransom to prevent the disclosure of the stolen data and restore access to its compromised systems.

The business impact of ransomware can be significant in terms of both direct and indirect costs and reputational harm. For example, according to the credit rating agency Moody’s, the cyberattack at MGM could negatively impact the credit rating of the company.

SAP systems are not immune to ransomware. They can be compromised through vulnerable operating systems supporting SAP solutions, insecure protocols, interfaces and cross-system interfaces, and OS commands performed through the application layer that exploit trust relationships between SAP applications and hosts. In response to the recent breaches at Caesars and MGM, Layer Seven Security has released an updated guide for securing SAP solutions from ransomware. Layer Seven Security is an industry-leader in cybersecurity services and solutions for SAP. The guide provides clear and succinct recommendations to prevent and detect ransomware attacks in SAP systems, as well as restore systems during the recovery phase. You can download the guide directly from SAPinsider by following this link.

What to Expect in the Cybersecurity Extension for SAP Version 5.0

Layer Seven on September 8, 2023

Version 5.0 of the Cybersecurity Extension for SAP (CES) is scheduled for general availability in September. It includes several enhancements, configuration checks and new patterns to improve vulnerability management and threat detection for SAP solutions. This article discusses some of the key changes.

Trend Analysis
Trend Analysis is a new application in CES that tracks changes in vulnerabilities, security notes, and alerts over two years. It can be used to monitor security results across periods. For example, the number of vulnerabilities in the current period can be compared with results from the prior month to assess the effectiveness of remediation activities. Results can be analyzed using daily, weekly, monthly, or quarterly intervals, as well as custom date ranges. Results are visualized using multiple charts and tables with the option to export results. The advanced filter can be used to focus trend analysis for specific business units, areas, landscapes, systems, priorities, and other variables.

Systems
Systems is another new application in CES. It displays system information for targets that are monitored by CES. Target systems are selected from the available managed systems in SAP Solution Manager and SAP Focused Run. System information is displayed in cards for each system. The information includes attributes such as the SAP System ID, landscape, environment, priority and group. Groups are typically business units that are maintained during the installation phase. The application includes a filter to search for specific systems based on attributes.

Actively Exploited Vulnerabilities
CES version 5.0 automatically detects actively exploited vulnerabilities. The vulnerabilities are identified and flagged based on automated correlation with event logs and alerts in CES. Results in Vulnerability Management can be filtered to focus on vulnerabilities that have active alerts. Users can also create and publish alarms to their Launchpads for actively exploited vulnerabilities using the Save as Tile option.

SAP GRC Integration
SAP GRC identifies users with access to sensitive functions and conflicting functions that should segregated between users. It also detects if the functions that comprise an access risk are executed by users. CES v5.0 integrates with SAP GRC to report and alert for access risks where the relevant sensitive or conflicting functions are executed by users. This enables organizations to be notified immediately for access violations and investigate the risks using the incident response capabilities of the Cybersecurity Extension for SAP.

Report Scheduling
The Cybersecurity Extension for SAP supports export to PDF, CSV and Excel for compliance, vulnerability and other security reports, including reports related to security notes, events and alerts. In earlier versions, the reports were exported on demand. Version 5.0 supports the scheduling and automatic distribution of reports by email. Users can customize email settings including the subject and text. Distribution lists are supported.

User Experience
CES v5.0 includes a redesigned application launchpad.

Vulnerability Management includes a card view for system selection. Users can switch to the dashboard view supported in earlier versions, if preferred.

Compliance Reporting also includes a redesigned interface for selecting frameworks and systems and navigating results.

Security Alerts includes a heat map for analyzing alerts by system and column charts for analyzing alerts by 24 hour, 7 day, and 30 day intervals.

SAP ASE
The Cybersecurity Extension for SAP supports full-stack monitoring for SAP systems including application, database and host layers. SAP ASE is a widely-used relational database server for SAP solutions. Version 5.0 includes extended support for ASE monitoring including new vulnerability checks for checking logon settings, remote logins, password policies, database users including default and inactive users, critical database roles, database encryption, and audit settings. It also delivers alerts for critical database events such as failed logons, locked users, logons by default users such as sa, changes to the database configuration including disabling auditing, role and user changes, new procedures or services, remote procedure calls, the execution of stored procedures, and table contents transferred to/ from external files.

SUSE Linux Enterprise Server
Version 5.0 includes several new alerts for SLES operating systems supporting SAP solutions. This includes alerts for locked and unlocked users, new users, login failures, password changes, replay attacks, users that switch to root, and threats from the execution of malicious programs in SAP hosts.

SAP Security Notes, August 2023

Layer Seven on August 31, 2023

Hot news note 3341460 patches multiple critical vulnerabilities in the data modelling and management solution SAP PowerDesigner. This includes an access control vulnerability for CVE-2023-37483 that has a CVSS score of 9.8/10. The vulnerability can be exploited by attackers to execute arbitrary queries against back-end databases via proxies. It also includes an information disclosure vulnerability that can enable threat actors to access password hashes in client memory. SAP PowerDesigner Client and Proxy should be upgraded to version 16.7 SP06 PL04 or 16.7 SP07 to patch the vulnerabilities. The patches include fixes for proxy side authentication and authorization, and logging of attempted access control violations.

SAP PowerDesigner is also impacted by a code injection vulnerability addressed by note 3341599. SAP SQL Anywhere bundled with some versions of PowerDesigner allows an attacker with local access to take control of the application by loading malicious libraries that can be executed by PowerDesigner. The note recommends upgrading to SP07 PL01 that includes a patched version of SQL Anywhere that does not load custom unicode extension DLL by default.

Note 3344295 addresses a high-risk authentication bypass vulnerability in the SAP Message Server. The vulnerability can be addressed by applying the kernel patches specified in the note. However, the related exploits can be mitigated by setting the profile parameter system/secure_communication to ON, protecting the internal port of the Message Server, and setting the trace level to a value lower than 2.

Notes 3317710 and 3312047 patch binary hijack and denial of service vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ).

Note 3346500 removes the ability for users to authenticate with an empty passphrase in SAP Commerce Cloud by changing the default value of the configuration property user.password.acceptEmpty from true to false.

New SEC Rules For Cybersecurity Incident and Risk Management Disclosures

Layer Seven on August 9, 2023

The Securities and Exchange Commission (SEC) issued a final rule on July 26, 2023 that will require public companies to disclose material cybersecurity incidents on Form 8-K within four business days of discovery. In addition, the SEC will now require public companies to disclose on an annual basis in Form 10-K their process for assessing, identifying and managing material risks from cybersecurity threats, as well as information on how companies’ boards and officers govern cyber risk management.

The incident reporting requirements become effective for companies, other than smaller reporting companies, on December 18, 2023. Smaller reporting companies will not be subject to the rule until June 15, 2024. All reporting companies will be subject to the disclosure rules covering their cybersecurity risk management process in annual reports for fiscal years ending on or after December 15, 2023.

For purposes of both the new Form 8-K requirements and the required annual risk management disclosure, a “cybersecurity incident” is defined as “an unauthorized occurrence, or a series of unauthorized occurrences, on or conducted through the registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” The rules also define a “cybersecurity threat” as any potential occurrence that could result in a cybersecurity incident. The rules cover all “information systems” which is defined to include electronic information resources owned or used by the registrant that are used to collect, process, maintain, use, share, disseminate, or dispose of information used to maintain or support the registrant’s operations.

The new rule adds item 1.05 to Form 8-K covering “material cybersecurity incidents.” When the rules become effective, public companies will have to disclose information relating to a material cybersecurity incident four business days after they determine they have experienced one. The disclosure must include the following information: (i) a description of the material aspects of the nature, scope, and timing of the incident and (ii) an assessment of the material impact or reasonably likely material impact of the incident on the company, including the financial impact and the impact on operations. However, companies need not disclose “specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.” The adopting SEC release notes that, in assessing the impact of the incident, companies should consider qualitative factors (impact on reputation, actual or potential litigation or regulatory investigations, or competitiveness) as well as quantitative factors.

The determination of materiality relies on the standard securities law formulation that considers whether there is a substantial likelihood that a shareholder would consider the information important in making an investment or whether the information would significantly alter the “total mix” of information available about the company. The determination must be made “without unreasonable delay” following discovery of the incident and the filing must indicate if any required disclosure has not been determined or is not available at the time of the filing. That said, the SEC advises that while the determination “need not be rushed prematurely, it also cannot be unreasonably delayed in an effort to avoid timely disclosure.” Significantly, the release notes that the fact that the full extent of the incident is not yet known or that further investigation will be necessary “should not delay the company from determining materiality.” Examples of unreasonable delay include delay in scheduling a board committee meeting to determine materiality or revision of internal policy to extend assessment deadlines or to change the criteria used to determine incident reporting to management or the board.

The rule identifies two circumstances in which a disclosure delay is permissible. First, the Form 8-K filing may be delayed if disclosure would pose a substantial risk to national security or public safety. The delay is permissible if the U.S. Attorney General has notified the SEC that a substantial risk exists, in which case a delay of up to 30 days is permissible with additional extensions possible if the substantial risk continues to exist. Second, for a company subject to the breach disclosure rules of the Federal Communications Commission relating to customer proprietary network information, disclosure may be delayed if the company notifies the SEC no later than the day disclosure would otherwise be required under the SEC rules.

The SEC also adopted new Item 106 to Regulation S-K that will require a reporting company to provide disclosure in their annual report that identifies “the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”

This formulation represents a revision of the rule included in the March 9, 2022 proposed regulations which would have required a more granular discussion of a company’s cybersecurity risk management structure. The agency agreed with commenters who argued that a more detailed level of disclosure went beyond the level that is material to investors and could increase vulnerability to an attack by revealing important operational details of the risk management process.

The final rule also focuses on a non-exclusive list of three areas of disclosure that will help investors to place the disclosed cybersecurity processes in context:

Whether and how the cybersecurity processes have been integrated into the registrant’s overall risk management system or process;
Whether the registrant engages consultants, auditors or other third parties in connection with their cybersecurity processes; and
Whether the registrant has a process to identify material risks from cybersecurity threats associated with the use of third-party service providers.

Separately, the new rules will require disclosure about the board’s oversight of the company’s cybersecurity risk. Specifically, the disclosure must include information on how the board manages the oversight process, i.e., through a board committee or subcommittee, and the process whereby the board or board committee is informed about such risks. The agency dropped language in the proposed regulations that would have required disclosure of board level cybersecurity expertise.

The disclosure must also identify management’s role in assessing and managing material risks from cybersecurity threats with a focus on three areas:

Identification of the management positions and committee that are responsible for assessing and managing cybersecurity risks and the relevant expertise of such persons or committee members;
The process by which such persons are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
How such persons report information about cybersecurity risk to the board and/or the appropriate board committee.

Source: Kilpatrick Townsend & Stockton LLP

Cybersecurity Extension for SAP

The Cybersecurity Extension for SAP (CES) enables organizations to secure mission-critical SAP solutions from cyber threats that may require public disclosure in accordance with the new SEC rules. CES implements industry-leading vulnerability management, patch management, threat detection and response for SAP to minimize the risk of cybersecurity threats and enable the detection and investigation of security incidents.

SAP Security Notes, July 2023

Layer Seven on August 4, 2023

Hot news note 3350297 for a critical OS command injection vulnerability in SAP ECC and S/4HANA was re-released with instructions for confirming the prerequisites for the note. The IS-OIL component must be enabled in order for the note to be applicable. The note includes instructions for checking whether the component and supporting switches are enabled in systems.

Notes 3340735 and 3233899 patch high-priority buffer overflow and HTTP request smuggling vulnerabilities in the SAP Web Dispatcher that could be exploited to leak information or trigger a denial of service. The vulnerabilities affect only the HTTP/2 protocol. HTTP/1 is not affected. Standalone Web Dispatcher installations support HTTP/2 by default since version 7.73. Version 7.54 is only affected if parameter icm/HTTP/support_http2 is set to TRUE in the instance or DEFAULT profile. 7.45 is not affected because it does not support HTTP/2. Web Dispatcher installations that support HTTP/2 are only impacted if parameter icm/HTTP/support_http2 is explicitly set to TRUE.

Notes 3352058 and 3348145 deal with blind SSRF and header injection vulnerabilities impacting the Diagnostics Agent. The vulnerabilities can be addressed by upgrading the LM-SERVICE component in SAP Solution Manager. Note 2686969 includes instructions for upgrading the component to the required patch level.

How to Discover Actively Exploited Vulnerabilities in Your SAP Systems

Layer Seven on July 26, 2023

SAP systems have a wide attack surface. Threat actors can enumerate and exploit multiple known vulnerabilities in SAP components and programs to compromise SAP solutions. Automated vulnerability scans often reveal hundreds of weaknesses in SAP systems. Remediating each vulnerability requires extensive planning and testing for each impacted system. Most organizations do not have the resources to remediate every vulnerability to close all possible attack vectors in their SAP solutions. A prioritized approach focused on remediating high-risk vulnerabilities can be used to concentrate efforts. Organizations can also focus on vulnerabilities that are being actively exploited in their SAP systems. This involves correlating user and system activity captured in SAP logs with vulnerabilities that have been identified in systems.

This correlation is performed automatically by the Cybersecurity Extension for SAP (CES). CES is an addon for SAP Solution Manager and SAP Focused Run. CES will also be available as an extension for SAP Cloud ALM in 2024.

CES performs daily automated scans to detect over 4000 vulnerabilities in SAP applications and supporting databases and operating systems. The vulnerabilities are analyzed and managed using the Vulnerability Management application in CES. The application displays a summary of vulnerability scan results when accessed. Users can switch between the system card view and the dashboard view in the summary.

System Card View:

Dashboard View:

Users can select one or more system from the Summary to drilldown to the findings.

The Overview section displays the open vulnerabilities for the selected systems. Results can be filtered and sorted by area, environment, rating and other variables.

Responsibility for remediating vulnerabilities can be assigned to specific owners and assignees directly in the Overview. Target dates can also be maintained for the removal of the root causes of issues. Remediation plans can be maintained in the Action Plan tab in the detailed display for each vulnerability.

Actively exploited vulnerabilities are identified and flagged based on automated and continuous correlation with event logs and alerts in CES. Results can be filtered to focus on vulnerabilities that have active alerts. Users can also create and publish alarms to their Launchpads for actively exploited vulnerabilities using the Save as Tile option.

In the example below, there is an open alert for the successful call of a vulnerable ICF service in a system. Although the vulnerability is rated as medium-risk, the active exploitation of the vulnerability in the system indicates that the finding should be prioritized for remediation.

The alert for the vulnerability can be analyzed by clicking on the alert icon for the vulnerability. This directs to the details of the alert in the Security Alerts application in CES.

The automated discovery and reporting of actively exploited vulnerabilities is supported in version 5.0 and higher of the Cybersecurity Extension for SAP.

SAP Security Notes, June 2023

Layer Seven on July 10, 2023

Notes 3324285 and 3326210 patch high priority vulnerabilities in SAP UI5. The former applies input validation to block the storage and reading of malicious scripts that could lead to cross-site scripting. The latter introduces additional restrictions to prevent the injection of untrusted CSS that can be exploited to perform clickjacking exploits. Note 3326210 includes a temporary workaround that involves removing the values of the “style” and “class” attributes in the html input of control sap.m.FormattedText and other controls.

Note 3102769 was updated for releases 7.31 and 7.40 of SAP Knowledge Warehouse (KW). The note resolves a high-priority cross-site scripting vulnerability in the Internet Knowledge Servlet (IKS) of KW. A workaround for the vulnerability is detailed in note 3221696. The IKS can be deactivated using the Config Tool. Alternatively, URL filters can be applied using the ICM or Web Dispatcher to block requests to the vulnerable component.

Notes 3319400, 2826092, 3331627 and 3318657 patch cross-site vulnerabilities in SAP BOBJ, CRM, Enterprise Portal, and the Design Time Repository of SAP NetWeaver, respectively.

Security Patching for SAP Solutions

Layer Seven on June 21, 2023

The risk of unpatched systems is consistently reported as one of the top three threats to SAP systems in every survey of SAP customers performed by SAPinsider since 2021. Regularly implementing SAP security notes is reported as the most significant action performed by organizations to secure their SAP solutions. Security notes provide include corrections for known vulnerabilities in SAP software. They are released by SAP on Patch Tuesday, the second Tuesday of each month.

Keeping up with SAP patches is reported as the first or second greatest cybersecurity challenge confronted by SAP customers. This is due to several factors including:

High volume of security notes
Maintaining system availability
Validating calculated notes
Scheduling downtime
Prioritizing security notes
Resource constraints

The whitepaper Security Patching for SAP Solutions from Layer Seven Security includes best practices to overcome these challenges. It provides a comprehensive framework for discovering, analyzing and implementing SAP security notes. The whitepaper includes clear and practical recommendations from the leaders in SAP cybersecurity to automate and optimize security patching procedures for SAP.

DOWNLOAD

Cybersecurity Threats to SAP Systems Report

Layer Seven on June 7, 2023

Earlier this month, SAPinsider released the 2023 Cybersecurity Threats to SAP Systems Report. Co-sponsored by Layer Seven Security, the report is based on the findings of a survey of more than 205 security professionals in North America, EMEA, APJ, and LATAM, representing SAP customers across nine industries.

The report revealed several trends in 2023 compared to reports for earlier years. Similar to 2022, respondents ranked unpatched systems, ransomware attacks, and credentials compromise as the most significant threats to SAP systems. The exploitation of system interfaces and weak access controls were also identified as important but less significant threats.

Patching and updating SAP systems and enforcing secure password policies were reported as the most important requirements for SAP cybersecurity. Protecting SAP systems from zero-days threats was also identified as an important requirement, even though there is no evidence of the successful exploitation of any zero-day vulnerability for SAP solutions.

This article provides practical recommendations for managing the top five threats to SAP systems presented in the report. The recommendations can be implemented using a combination of the Cybersecurity Extension for SAP and SAP ALM platforms such as Solution Manager, Focused Run, and Cloud ALM. According to the report, 81% of customers are using one or more of these platforms. However, less than half of SAP customers are fully leveraging the capabilities of their ALM investments.

Security Patching

Keeping up with patches is the most significant cybersecurity challenge reported by SAP customers. This is due to reasons such as the volume of patches, difficulties with prioritizing notes and scheduling system downtimes, the reluctance to apply notes that could impact system availability, and issues validating whether patches are correctly implemented. The last is especially challenging for notes with manual corrections.

System Recommendations (SysRec) in SAP Solution Manager automates the discovery and implementation of security notes for SAP solutions. It calculates relevant notes based on the installed software components and versions in systems. Notes can be filtered by priority to focus on hot news and high priority patches. SysRec also identifies objects impacted by security notes and provides usage counts for the objects. This can be used to develop targeted test plans based on the known impact of security notes. Notes impacting unused objects can be implemented with minimal testing.

Automated corrections can be downloaded through SysRec and staged in systems for implementation. Once implemented successfully, the relevant notes are automatically removed from the SysRec results. The implementation status of notes with manual corrections can be maintained using the Status option. False positives in SysRec can occur if notes are released by SAP without software component information. The Cybersecurity Extension for SAP (CES) automatically discovers and removes the false positives to improve the quality and reliability of notes reported by SysRec.

Ransomware

Ransomware can target SAP applications through multiple attack vectors. Unauthorized external program starts through the gateway server should be restricted using the secinfo access control list. Authorizations for OS commands should be restricted. This includes authorizations for RSBDCOS0, SM49 and CG3Z which can be used to download, install and run ransomware tools. Custom ABAP, UI5, Java and SQLScript programs may be exploited to perform arbitrary OS commands. Vulnerable programs can be discovered using code vulnerability scanning solutions. Vulnerable ICF services such as SOAP RFC and WEB RFC should be disabled. The SAP Virus Scan Interface should be enabled to support the detection of malware in file uploads and the propagation of ransomware through file downloads.

Ransomware can also target hosts supporting SAP applications. Therefore, it is important to secure and monitor the operating system layer in SAP systems. Unnecessary ports and services should be closed. Root commands and sudo actions should be closely monitored, particularly wget and bash commands, and the creation and execution of OS files. The Cybersecurity Extension for SAP is the only security solution that protects and detects against ransomware across application, database and OS layers in SAP systems.

Credentials Compromise

Transport layer security using SNC and SSL for SAP protocols will protect encoded SAP passwords in client-server and server-server communications. Access to password hashes in SAP tables should be restricted and monitored. Downwards-compatible passwords should be disabled since this will prevent the storage of password hashes that use vulnerable algorithms. Strong password policies should be enforced using the relevant settings in systems including login parameters in ABAP systems. Session management should be enabled and logon tickets and cookies should be secured against misuse. Detection and alerting for SAP accounts that may have been compromised can be activated using Anomaly Detection in the Cybersecurity Extension for SAP. Anomaly Detection will detect for unusual user actions such logins from new terminals or IP addresses for each user and the execution of transactions and reports that are not typically accessed by users.

System Interfaces

Program starts, server registrations, and monitor commands should be restricted for the gateway server. The use of RFC destinations with stored credentials should be restricted. The authorizations for RFC users should be provisioned based on the principle of least privilege to minimize the impact if RFC accounts are compromised. RFC user accounts should be system or communication user types, not dialog or reference. Positive whitelists are recommended to prevent the misuse of RFC callbacks. Trusted RFC connections should be used only in the required scenarios and trust relationships should not be configured from lower to higher order environments.

Unified Connectivity (UCON) should be enabled and configured to protect external calls to sensitive remote-enabled function modules (RFMs). Requests blocked by UCON are logged in the Security Audit Log.

Interface and Connection Monitoring (ICMon) in SAP Solution Manager and Integration and Exception Monitoring in SAP Focused Run can be deployed to identify critical internal and external system interfaces. This includes RFC, HTTP, Cloud, IDoc, and Web Service connections. Alerts can be configured for the usage of system interfaces outside of normal scenarios. For example, customers can enable alerting for an RFC destination if it used by a user not included in a permitted whitelist or if the destination is used to call RFMs that are not typically called by the destination. Similar alerting can be enabled for calls to applications, IDocs, cloud services and web services accessed using non-RFC protocols.

Access Controls

Access to administrative profiles, roles, authorizations and transactions should be restricted. This includes roles and permissions in SAP databases and hosts. The SAP_ALL profile should not be used in productive systems. Standard users should be locked and default passwords should be changed. Authorization checks should be enforced for all RFMs and system operations. Switchable authorization checks should be enabled wherever applicable to secure access to sensitive function modules. Conflicting functions should be assigned to separate users to enforce the segregation of duties. This includes user creation/ role maintenance, role maintenance/ role assignment, and transport creation/ transport release.

The Cybersecurity Extension for SAP can be used to discover users with administrative permissions or access to conflicting functions. It can also alert for the execution of sensitive programs, reports and transactions. Exclusions can be maintained for specific users or based on factors such as user group to support whitelisting and prevent false positives or alert flooding.