Layer Seven Security Blog

Stay up to date on the latest trends in SAP security, new threats and information on protecting your critical systems against an attack

M-Trends, Verizon DBIR & Symantec ISTR: Detecting and responding to cyber attacks has never been more important

Posted on
The release of three of the most important annual threat intelligence reports earlier this month confirmed that 2013 was an explosive year for cybersecurity. All three reports point to rising incidences of cyber attack, increasing sophistication of attack vectors and a growing diversity of threat actors and targets. The first of the reports is entitled …
Read Article

Trustwave Survey Reveals that IT Professionals are Feeling the Pressure of Board Level Scrutiny over Cyber Security

Posted on
The rise in the rate and sophistication of cyber attacks has predictably fuelled the pressure on security resources. However, the precise complexion and source of the pressure was largely unknown until the recent release of the Trustwave Security Pressures study. The study examines the threats most concerning to security professionals and the preferred responses. The …
Read Article

A First Look at the U.S Data Security and Breach Notification Act

Posted on
On January 30, members of the U.S Senate and House of Representatives introduced a new bill intended to enforce federal standards for securing personal information and notifying consumers in the event of a data breach. Sponsored by leaders of the Senate Commerce, Science and Transportation Committee, the Security and Breach Notification Act of 2014 would …
Read Article

Measuring the Risks of Cyber Attack

Posted on
Most studies that examine the impact of cyber attack tend to focus on a combination of direct and indirect costs. Directs costs include forensic investigations, financial penalties, legal fees, hardware and software upgrades, etc. The approach is typified by the annual Cost of Data Breach Study performed by the Ponemon Institute, now in its eighth …
Read Article

Monitoring Access to Sensitive Data using SAP RAL

Posted on
The disclosure of up to 200,000 classified documents belonging to the NSA by Edward Snowden in 2013, together with the release of over 750,000 U.S Army cables, reports and other sensitive information by Bradley Manning in 2010, has drawn attention to the need to control and monitor access to confidential data in corporate systems. For …
Read Article

New malware variant suggests cybercriminals are targeting SAP systems

Posted on
Security researchers at last week’s RSA Europe Conference in Amsterdam revealed the discovery of a new variant of a widespread Trojan program that has been modified to search for SAP systems. This form of reconnaissance is regarded by security experts as the preliminary phase of a planned attack against SAP systems orchestrated by cybercriminals. The …
Read Article

SAP HANA: The Challenges of In-Memory Computing

Posted on
This article is an extract from the forthcoming white paper entitled Security in SAP HANA by Layer Seven Security. The paper is scheduled for release in November 2013. Please follow this link to download the publication. According to research performed by the International Data Corporation (IDC), the volume of digital information in the world is …
Read Article

Layered Defenses in Oracle 12c: The New Benchmark for Database Security

Posted on
Oracle databases support more than two thirds of SAP deployments in mid to large size enterprises. Oracle’s domination of the SAP database market is due to a widely regarded performance edge in areas such as compression, availability and scalability. Oracle databases are also optimized for SAP technology as a result of a long-standing partnership between …
Read Article

Organisations are not effectively addressing IT security and compliance risks according to accounting professionals

Posted on
The results of the 2013 Top Technology Initiatives Survey revealed that securing IT environments against cyber attack and managing IT risks and compliance are rated as two of the three greatest challenges in technology by accounting professionals in North America. The survey was performed jointly by the AICPA and CPA, the largest accounting organisations in …
Read Article

Introducing the ABAP Test Cockpit: A New Level of ABAP Quality Assurance

Posted on
The ABAP Test Cockpit (ATC) is SAP’s new framework for Quality Assurance. It performs static and unit tests for custom ABAP programs and introduces Quality-Gates (Q-Gates) for transport requests. ATC was unveiled at last year’s SAP TechEd. The entire session including a live demo can be viewed below. Following a successful pilot, it was released …
Read Article

A Dangerous Flaw in the SAP User Information System (SUIM)

Posted on
Customers that have yet to implement Security Note 1844202 released by SAP on June 10 should do so immediately. The Note deals with a vulnerability that could be exploited to bypass monitoring controls designed to detect users with privileged access, including the SAP_ALL profile. This profile can be used to provide users with almost all …
Read Article

Exploring the SAP DIAG Protocol

Posted on
One of the most memorable events at last year’s BruCON in Belgium was Martin Gallo’s expose of the SAP DIAG protocol. The session can be viewed in its entirety below. DIAG (Dynamic Information and Action Gateway) is a proprietary protocol supporting client-server communication and links the presentation (SAP GUI) and application (NetWeaver) layer in SAP …
Read Article

Securing Your SAP Systems: How to Counter Every Current and Emerging Threat

Posted on
One of the highlights of the Sapphire conference earlier this month was the insightful session on SAP security delivered by Gordon Muehl, Senior Vice President of Product Security at SAP. A recording of the session can be viewed below. The session highlighted the threat presented to Internet-enabled SAP systems by external agents and stressed the …
Read Article

Verizon Data Breach Investigations Report (DBIR) 2013: ‘This isn’t a threat you can afford to ignore’

Posted on
The breadth and depth of the 2013 Verizon Data Breach Investigations Report (DBIR) is unprecedented. Released this Monday, the reports brings together the investigations performed by nineteen law enforcement agencies, research institutions and private security firms that combat data breaches including the European Cybercrime Centre (EC3), U.S Secret Service and the Department of Homeland Security. …
Read Article

Countering the Threat of Corporate Espionage

Posted on
According to the results of a survey released by HBGary during the recent 2013 RSA Conference in San Francisco, more than 70 percent of American investors are interested in reviewing the cybersecurity practices of public companies and nearly 80 percent would not invest in companies with a history of cyberattacks. The survey of 405 U.S. …
Read Article

International Corporate Espionage: Annual Cost of Intellectual Property Theft Estimated at $250 Billion for U.S Economy

Posted on
According to NSA Director General Keith Alexander, cyber-espionage has led to “the greatest transfer of wealth in history.” This is supported by not only a recent report by Symantec, which places the cost of intellectual property theft in the United States at $250 billion a year, but a prominent report on cyber-espionage released by Mandiant …
Read Article

Lessons from the Top Ten Data Breaches of 2012: Defense-in-Depth for SAP Systems

Posted on
According to the Privacy Rights Clearinghouse (PRC), there were 680 reported data breaches in 2012 covering all forms of commercial, governmental, educational, medical and non-profit organizations. The breaches are estimated to have compromised over 27M data records.   The most significant breach occurred at VeriSign. Although the extent of the breach has never been disclosed …
Read Article

The Final Frontier: The Challenges in Developing Secure Custom ABAP Programs

Posted on
In November, SAP released an unusually high number of Security Notes to patch various forms of injection vulnerabilities in it’s software. The trend continued in December with the release of several patches for code injection flaws in the Computer Center Management System (BC-CCM), Project System (PS-IS),  Transport Organizer (BC-CTS-ORG) and work processes in Application Servers …
Read Article

SAP Security Notes, September 2012

Posted on
Missing Authorization Checks, Signature Wrapping Attacks and Code Injection Vulnerabilities. Read September’s Guide to SAP Security Patches at http://layersevensecurity.com/SAP_security_advisories.html
Read Article

Security Researchers Expose a Dangerous Authentication Bypass in Oracle Databases

Posted on
More than two-thirds of mid to large SAP customers in every industry run their SAP applications with Oracle databases. Oracle’s success is driven by compatibility and performance. Oracle 11.2 is certified for use with Unix, Linux and Windows-based SAP environments and provides features such as self-tuning, sophisticated partitioning and advanced data compression that give Oracle …
Read Article