Layer Seven Security

What’s New in the SAP Cybersecurity Framework 3.0

Released earlier this month, the third version of the SAP Cybersecurity Framework includes important changes in the areas of transport layer security, logging and monitoring, and vulnerability management. It also discusses the most significant hack against SAP systems to date: the devastating data breach suffered by U.S Investigation Services (USIS). USIS performed background checks on prospective federal employees for the Office of Personnel Management (OPM) and other government agencies before it’s contracts were severed after the announcement of the breach in 2015.

The breach is estimated to have impacted the personal information of up to 20 million individuals. According to the findings of an internal forensic investigation, attackers were able to breach systems at USIS by exploiting an undisclosed vulnerability in a connected SAP ERP system sometime in 2013. The attack went unnoticed by intrusion detection and other network-level monitoring devices.  The specific vulnerability exploited by the attackers has been the subject of widespread speculation by security researchers. Some have argued that the breach was caused by a brute-force password attack. Others have pointed towards RFC exploits or unapplied security patches. The source of the breach could have been any one of these or a combination of other vulnerabilities. The wide attack surface presented by SAP systems makes it impossible to pinpoint the root cause without access to the log data. Regardless, the breach demonstrated the destruction that can be wrought by successful attacks against vulnerable SAP systems. The contracts lost by USIS as a direct result of the attack were valued at $3 billion. The organization laid off 2500 workers and filed for bankruptcy shortly after the public announcement of the breach.

For transport layer security, the framework has been updated in line with RFC 7568 issued by the Internet Engineering Task Force (IETF) for deprecating Secure Sockets Layer Version 3 (SSL v3). SSL was the standard protocol for securing Web-based communication between clients and servers. Support for SSL has been gradually waning as a result of the growing awareness of weaknesses in its encryption scheme and key exchange mechanism. The POODLE vulnerability proved to be the final straw since it could be exploited to break encrypted SSL sessions and access sensitive data passed within such sessions including cookies, passwords and tokens.

The new version of the Framework includes an improved section on Read Access Logging (RAL). RAL should be configured to log access and changes by unauthorized users for sensitive data fields in SAP systems. This includes fields for banking, credit card and salary data. Exclusion lists can be maintained to rule out logging for authorized users. Together with the updated framework, you can also refer to an earlier Layer Seven article on protecting sensitive data in SAP systems using RAL for more information.

Lastly, much of the technical jargon related to Configuration Validation (ConVal) in earlier versions has been removed to focus on the core use-case for ConVal. ConVal is a powerful vulnerability management framework included in SAP Solution Manager that is recommended by SAP for managing vulnerabilities in SAP systems.

Since licensing for Solution Manager is included in SAP support and maintenance agreements, ConVal provides the most cost-effective alternative to third party tools.

You can download version 3 of the SAP Cybersecurity Framework in the whitepaper Protecting SAP Systems from Cyber attack from the Resources section.

Get Ready for SAP Solution Manager 7.2: What to Expect

SAP Solution Manager 7.2

It’s well known that licenses for SAP Solution Manager are included in SAP maintenance and support agreements. However, with the release of version 7.2 next year, SAP will take this a step further by providing free licenses for SAP HANA for use with SolMan 7.2. Customer’s will still have to pay for hardware costs but HW costs have been falling and there is the option for cloud services to avoid hardware costs altogether.

Other improvements in SolMan 7.2 include a streamlined architecture requiring fewer integrations and system resources and delivering faster processing times. Depending upon the implementation scenario, customers will be able to lower SolMan running costs by up to 70 percent.

SolMan will also provide a vastly improved UI based on the Fiori Lauchpad and support access through Apple, Android and Windows mobile devices. Click on the images below to enlarge.

SAP Solution Manager 7.2

SAP Solution Manager 7.2

SAP Solution Manager 7.2

SolMan 7.2 will provide full support for HANA, S/4HANA, Cloud and Hybrid solutions, enabling customers to manage and monitor all SAP on-premise and cloud systems.

For security monitoring, we can expect improved reporting capabilities based on UI5 that do not require embedded BI or Flash, tighter integration between the SolMan frontend and BW Query Designer to support highly customizable reports, upgraded dashboards and alerts, and the ability to not only discover missing Security Notes for systems using SysRec but also identify the business processes impacted by the planned implementation of Notes. The latter will rely on solution documentation maintained directly in SolMan and a much improved Business Process Change Analyzer application that will integrate with Test Management to enable customers to develop, execute and review the results of test cases for planned changes.

SAP Solution Manager 7.2

SAP Solution Manager 7.2

SAP will remove maintenance for the current version of Solution Manager at the close 2017. Customers will have around 18 months to upgrade their Solution Manager platforms. The advanced performance and analytical capabilities offered by SAP HANA together with the major enhancements in Solution Manager 7.2 suggest that most customers will opt for early adoption. This will strengthen SolMan’s position as the premier solution for monitoring the security of SAP systems, providing the lowest total cost of ownership, unlimited flexibility and scalability, and unrivalled performance.

Are your System Users Vulnerable to SAP Hacks?

One of the most telling statistics revealed at BlackHat USA earlier this year was the fact that 84 percent of InfoSec professionals regard unmanaged privileged credentials as the biggest cyber security vulnerability within their organizations. For SAP environments, the dangers posed by abusing user accounts with privileged access are well-known and can include shutting down SAP servers to interrupt the availability of services, reading or modifying sensitive information, and performing unauthorized changes to system configurations, programs, users, and other areas. For this reason, privileged access is carefully granted and vigilantly monitored in most systems, especially productive systems.  This includes privileges assigned through powerful authorization profiles such as SAP_ALL, SAP_NEW, S_ABAP_ALL and S_A.SYSTEM.

However, countermeasures to prevent abuses of privileged credentials in SAP systems are usually focused upon dialog users since interactive logon is not possible with most other user types. This includes system users that are used for background processing. Therefore, it’s common to find system users with privileged access in productive systems, especially when such users support several cross-system connections and integration scenarios.

The risks posed by system users with privileged credentials should not be overlooked and can be as grave as those posed by dialog users. Attackers are able to modify user types from system to dialog in several ways. The most common method is through the Function Builder used to build, test and manage function modules.

Attackers can access the Function Builder through transaction SE37 in a connecting system to execute the BAPI_USER_CHANGE remote-enabled function module (RFM). This RFM can be used to implement user changes in destination systems. The changes are applied using a privileged system user in the destination system. The credentials for such users are often stored in RFC destinations configured in connecting systems. The relevant RFC destination is entered in the field RFC target sys of the Function Builder (see below). The username of the system user configured for the RFC connection is entered in the USERNAME import parameter. Finally, the values of the LOGONDATA and LOGONDATAX are maintained to specify the dialog user type.


Once executed from the connecting system, BAPI_USER_CHANGE will change the system user to a dialog user type in the destination system through a remote function call. This will enable the attacker to logon to the destination system through methods such as the Remote Logon option in the RFC destination maintained in the connecting system (see below).

SAP RFC Destination - Remote Logon

Since attackers can bypass the restrictions placed on system users by abusing the privileged credentials provided to such users, it stands to reason that super user privileges should be managed for all user types, not just dialog users. This should include minimizing privileges for technical system and communication users to the minimum required for each scenario. Trace tools such as STAUTHTRACE, STRFCTRACE and STUSOBTRACE can be used to identify the authorization objects required for each user. This should be supported by enabling switchable authorization checks for sensitive function modules such as BAPI_USER_CHANGE, BAPI_USER_CREATE1 and BAPI_USER_PROFILES_ASSIGN, and, in NetWeaver releases 7.4X, enabling Unified Connectivity (UCON) to restrict external access to remote-enabled function modules.

RFC destinations with stored logon credentials can be identified using the config store RFCDES_TYPE_3 in Configuration Validation (ConVal). RFC users with critical profiles such as SAP_ALL can be identified using the store RFCDES_TYPE_3_CHECK. See below.

SAP Configuration Validation RFCDES_TYPE_3

SAP Configuration Validation RFCDES_TYPE_3_CHECK

Monitoring SAP Security Metrics with SolMan Dashboards

SAP Solution Manager (SolMan) includes a complete dashboard framework for visualizing data metrics and KPIs across a wide variety of areas. This includes areas such as availability, performance, service delivery, and crucially, system security. What’s more, the process for enabling and customizing dashboards is relatively quick and simple. This short guide walks through the steps to leverage the SAP-delivered dashboard apps in SolMan for security monitoring.

The first step is creating a link to the dashboard in the SAP Easy Access menu. Once you have logged into SolMan, right click on the Favorites folder and select Add Other Objects.

SAP Solution Manager Security Dashboard

From the list in the Restrictions screen, choose Web-Dynpro Application.

SAP Solution Manager Security Dashboard

Enter GENERIC_DASHBOARD_VIEWER in the Web Dynpro Applicat. field of the Web Dynpro Application screen.

Enter Security Dashboard in the description field.

Select HTTPS if applicable.

Within the Parameter table, enter ALIAS in the Name column and CIO_PERSONAL in the Value column. Click Save when complete.

SAP Solution Manager Security Dashboard

The Security Dashboard link will now appear in your Favorites menu. Double click on the link to launch the dashboard in a browser. You will require the role SAP_SM_DASHBOARDS_DISP to access the dashboard, including the auth object SM_DBSINST.

SAP Solution Manager Security Dashboard

The second step is configuring security apps in the dashboard. The welcome screen below is displayed the first time you access the dashboard. Select Configure in the top right of the screen and then Add new App.

SAP Solution Manager Security Dashboard 15

Select the Cross-Application category. Click on the image below to enlarge.

SAP Solution Manager Security Dashboard


Select and configure the following apps in sequence: Security Overview, Security Details, and Security List. You can learn more about these dashboard security apps at the SAP Help Portal.

Follow the steps below for each app.

Select one of the specified apps and click OK.

SAP Solution Manager Security Dashboard

Enter a title for the app in the Header field. In the example below, we have configured the Security List app which displays the compliance status of systems by Software, Configuration, and User areas. The Software group includes checks for the release and support pack level of critical software components, kernel levels, and unapplied Security Notes. The Configuration group includes checks for security-relevant profile parameters, access control filters in operating system files such as sec_info and reg_info, client change settings, Security Audit Log filters, RFC destinations with stored logon credentials, trusted RFC connections, and active Web services. Finally, the Authorization group includes checks for users with critical authorization objects or combinations of auth objects, sensitive transactions, and powerful SAP-delivered profiles such as SAP_ALL. It also includes checks for standard users with default passwords.

The next step is to select the target system. This is the template that contains the baseline security policy used to check the compliance levels of systems in your landscape. You can select default templates such as 0SEC_NEW. However, best practice is to develop custom templates to perform checks for a wider array of vulnerabilities in SAP systems than covered by SAP-delivered defaults. Templates developed by Layer Seven Security, for example, perform over 500 vulnerability checks for ABAP, Java and HANA systems.

Once you have selected the target system, specify the comparison systems that should be monitored using the dashboard security app. In the example below, we’ve chosen to monitor the ABAP stack of the system SMP using the custom template in the virtual target system SEC_ABAP.  This is a simplified example. In most cases, multiple systems should be selected for monitoring at the same time against a single target system.

SAP Solution Manager Security Dashboard

Select Preview to sample the dashboard and then click Apply when done. Perform the configuration steps for the other security apps available in the SolMan dashboard. Save the Dashboard. Once complete, the dashboard should resemble the following:

SAP Solution Manager Security Dashboard

The final step is to set the Auto Refresh frequency in the drop-down menu positioned in the top right of the dashboard. Once set, the dashboard will refresh as often as every 5 minutes for near real-time security monitoring.

SAP Solution Manager Security Dashboard

How to Discover Missing Security Notes for Your SAP Systems using ConVal

Earlier this month, the New York Stock Exchange released a definitive guide to cybersecurity targeted at directors and officers of public companies. Developed with Palo Alto Networks, the guide includes contributions from over thirty-five industry experts and contends with a wide range of questions including legal and regulatory issues, cyber insurance, supplier risks, and incident detection and response. It also discusses investor perspectives towards cybersecurity and cites a recent survey of 130 global institutional investors with an estimated $3 trillion under management that reveals 4 out of 5 institutions would blacklist the stocks of hacked organizations. The full report can be downloaded here.

According to the guide, cybersecurity risk management plans should include several critical countermeasures.  One of the most important is effective patch management. In fact, the report points out that “system compromise and data breach are rarely the result of some sophisticated attack that no one has ever been seen before. The bulk of effective attacks use vulnerabilities that have been known for years…..Lack of patching and other standard security issues are normally the culprits” (p95).

This suggests that more active and rapid patching can significantly lower the risk of successful cyber attack. For SAP customers, this calls for the regular application of SAP-delivered security patches to address programming and other flaws. Security fixes are generally released by SAP on Security Patch Day, scheduled for the second Tuesday of every month. Corrections are packaged in Hot News, Security and Support Package Notes that are available through the SAP Support Portal.

There are several options for discovering relevant Security Notes for SAP systems. The first is directly through the SAP Support Portal using preconfigured filters for registered systems and products. Automatic email notifications can be setup through the Portal for newly released Notes.

The second is System Recommendations (SysRec). You can refer to our earlier post for guidance on how to Discover Security Patches for your SAP Systems using System Recommendations.

The third is a standard report available in Configuration Validation (ConVal). Although this approach draws upon SysRec, it consolidates missing SAP patches for all systems across landscapes. This is useful if you need to check the patch status of several systems at the same time. The instructions below provide a step-by-step guide for detecting unapplied SAP Security Notes using ConVal.

Step 1. Open Configuration Validation from the Root Cause Analysis or Change Management work center in SAP Solution Manager. Click on the image below to enlarge.

How to Discover Missing Security Notes for Your SAP Systems using ConVal

Step 2. Select the Reporting Templates option from the Report Execution tab.

How to Discover Missing Security Notes for Your SAP Systems using ConVal

Step 3. Select the report highlighted below and click ‘Start configuration reporting’.

How to Discover Missing Security Notes for Your SAP Systems using ConVal

Step 4. Maintain the filters for the report by selecting specific SAP System IDs (SIDs), system types, areas, and the date range. In the example below, we have selected Hot News and Security Notes released between Jan-Sep 2015 for all ABAP systems in the landscape. Click Execute when you are done.

How to Discover Missing Security Notes for Your SAP Systems using ConVal

Step 5. Analyze the results. In the report below, the table on the left provides a count of missing Notes by SID. The table on the right displays the unapplied Notes in each row against SIDs in each column.

How to Discover Missing Security Notes for Your SAP Systems using ConVal

The details of each unapplied Note are provided in the lower section of report. This includes version, description, priority level, and impacted application components. The results can be filtered by priority level to focus on Hot News and High Priority patches. Results can also be exported to .xls and other file formats for further analysis.

How to Discover Missing Security Notes for Your SAP Systems using ConVal

Featured in SAPinsider: Unlocking the Cyber Security Toolkit in SAP Solution Manager

How to Implement Advanced Security Monitoring Without Third-Party Software

The fear and anxiety driven by the wave of cyber attacks in recent years has led many companies to bolster their security programs. It’s also led to a stream of software solutions from third-party developers offering to solve customers’ cyber security challenges. You may have heard the sales spin, watched the demos, and even considered the proposals. But before you launch the purchase order, ask yourself: Is there an alternative? What if the tools you need to secure your SAP systems were available to you at this very moment?

SAP has equipped customers with a variety of tools to protect against even the most advanced forms of cyber threats. The tools are available in SAP Solution Manager and include:

1. Configuration Validation: Implement automated vulnerability checks across your entire SAP landscape

2. System Recommendations: Detect security-relevant SAP patch day and support package notes

3. Change Analysis: Analyze the root cause of changes in your SAP systems

4. End-to-End (E2E) Alerting: Investigate email and SMS alerts for critical SAP security events

5. Security Dashboards: Monitor the health of your SAP systems in near real time

Read more at SAPinsider

Cyber Security Monitoring using SAP Solution Manager

How to Protect Sensitive Data in Your SAP Systems with Read Access Logging

The need to monitor access to classified data in SAP systems has never been greater. End users are increasingly working with SAP data from outside the borders of corporate networks. Corporate information is also increasingly under threat from cyber criminals, hacktivists, cyber spies and terrorists that seek to exploit classified information for financial gain or to further ideological or national interests.

Read Access Logging (RAL) empowers organizations to combat these threats by providing the ability to detect and contain information leaks before they escalate into large-scale data breaches. This is performed by logging and monitoring access to sensitive data in SAP systems. RAL can also be used to identify malicious changes by tracking old and new values for classified data.

This article will explain how you can enable RAL in your SAP systems. The use-case illustrated in the article is sensitive employee data including social security numbers (SSN), salary and banking information. However, RAL can support any use case including health records, payment data, pricing information, etc. It can also be used to monitor access to custom data fields in your SAP systems.

RAL is accessed using the SRALMANAGER transaction. The screen below displays the options available in the Administration tab of the control panel. You will need the templates roles SAP_BC_RAL_ADMIN_BIZ, SAP_BC_RAL_ADMIN_TEC and/ or SAP_BC_RAL_CONFIGURATOR to administrator RAL.

Administration 2

The options in the Administration tab are organized in line with the sequence of activities performed to configure RAL. The first step is the definition of Logging Purposes. A log purpose is the specific use-case for the log groups you will create in later steps. In the example below, we have created a use-case to group sensitive employee-related data.

Logging Purpose Creation

Next we must create Log Domains. These are assigned to data fields to support log analysis since many fields are unintelligible when relying on just system identifiers. The screen below captures the log domains we have created for employee data including banking information, salary and SSN.

Log Domains 2

Once we have defined our log domains, we must configure recordings to capture the data fields that we will assign to the domains. Recordings can be used for SAP GUI (Dynpro) and Web GUI (Web Dynpro) sessions. Below we have created a recording to capture specific types of employee information using SAP GUI. Click on the image to enlarge.

Recording 2

We can choose the data fields to log by selecting the Record Field option in the context menu. The screen below shows that we have selected to record the SSN field during a recording session in an IDES system with mock data using SAP GUI.

Recording Session 2

The fields captured in RAL during the recording sessions are assigned to log domains during the configuration step. In the example below, we have assigned the SSN field to the SSN log domain.  You can choose to record field values in log entries during this step and to include/ exclude initial values. You can also specify whether the trigger for logging should be data entry performed by the end user or data displayed to the user or both. Specific users can be excluded from RAL using the User Exclusion List. Therefore, we can ensure HR and other users that require access to employee information for their role are not included in log results.

Configuration 2 (SSN)

The final step is enabling RAL by maintaining the profile parameter sec/ral_enabled_for_rfc in each application server. RAL configuration settings can be transported within your SAP landscape using transaction SRAL_TRANS.

Log analysis is performed using the options in the Monitor tab. This can be performed using the role SAP_BC_RAL_ANALYZER.


The entries for all log domains are displayed below. The first entry in the log reveals that the user SAPADMIN successfully read the SSN of employee ID 109815 at 9.06AM on September 18, 2015.

Log Results - Details 2 (SSN)

Other log entries reveal that the user also accessed the bank details and salary information of the employee on the same day. See below.

Log Results - Details 2 (Bank)

Log Results - Details 2 (SALARY)

Changes performed by SAPADMIN for data fields logged by RAL would be displayed as separate log entries if we had selected the option to record field inputs with values.

RAL is available in NetWeaver 7.40 but SAP intends to make it available for earlier releases. For further information including professional services to enable Read Access Logging in your SAP systems, contact Layer Seven Security.

For logging table-level access in SAP systems, we recommended using the Workload Monitor accessible through transaction ST03. You can configure table access logging for up to five transactions including well-known table maintenance transactions such as SE16, SM30 and SM31. The log below from the Workload Monitor displays the number of records viewed or modified using transaction SE16 for the user table USR02 during a specific date. Large record counts could indicate a potential data breach. Correlation with transaction starts performed by users logged in the Security Audit Log or STAD should be possible using conventional SIEM solutions or SAP Enterprise Threat Detection.

ST03 - Table Access Log by Transaction and Table

Can You Trust SAP with Your System Security?

Can you trust SAP with your system security? The question is worth pondering, not least since it is one of the key arguments used by third party software vendors to support the use of their security tools over SAP-delivered solutions. Although the argument is usually made in the context of vulnerability management for cybersecurity, the logical extension of this point of view is that SAP shouldn’t be trusted for any security domain, including access control, identity management, program development, and security patching. In this article, we discuss whether SAP has earned the right to your trust and the implications of a low-trust and a high-trust relationship with SAP for your security needs. The discussion will be driven by the notions of trust taxes and trust dividends which can either constrain or multiply your organization’s performance.

But, firstly, what is trust? There are many definitions but they all boil down to a single concept: confidence. Trust is confidence in the integrity, strength or ability of someone or something. By this definition, most economies and societies are low-trust. According to one of the most widely-known studies of global perspectives on trust, confidence in governments, leaders, and organizations has never been lower. The Edelman Trust Barometer has charted the worldwide decline in trust levels over 14 years. In 2014, the study surveyed 33,000 people in 27 countries. Although it revealed a general level of mistrust in people and institutions, it’s important to note that trust is impacted by many factors including geography and industry. Interestingly, companies based in Germany or operating in the technology sector tend to command the highest levels of trust.

Security is driven by mistrust. Therefore, it’s not surprising that organizations are investing in resources, training and technologies to strengthen information security in environments with declining levels of trust. The reaction is understandable and necessary given the dramatic rise in cybercrime, commercial espionage and insider threats. Improved security measures can realize substantial, tangible benefits but there is a cost. This includes not only the direct costs associated with investing in further resources, training programs and security tools, but indirect costs arising from the organizational impact of security measures. Mistrust can be very expensive.

Performance is often measured as the outcome of an organization’s strategy and its ability to execute on the strategy. In other words, strategy + execution = results. However, there are hidden variables that can undermine this equation. The results of a great strategy combined with flawless execution can be undone by low levels of trust which push up costs and reduce the speed of execution. This is known as the so-called Trust Tax. On the other hand, results can be amplified in high trust scenarios since costs are held down and the pace of execution is higher. This is called the Trust Dividend.[1]

Based on this model, organizations that trust SAP-delivered solutions for vulnerability management should be able to realize a trust dividend by minimizing the cost side of the equation: vulnerability management can be performed using standard components in SAP Solution Manager over licensing third party solutions. However, the question remains: can SAP be trusted to provide sound and independent security guidance?

Trust requires creditability. Credibility is based on integrity, intent, capabilities and results. Therefore, to answer this question, we must ask another: is there any reason to doubt the integrity or intent of SAP or question its capabilities and results? I can think of none. SAP’s commitment to educate and empower customers with insight and tools to manage the security of its solutions is undeniable. Its difficult to imagine any benefit SAP could derive from anything other than an honest and transparent approach to security. SAP has demonstrated its commitment to improving software quality by strengthening development procedures to detect and remove program vulnerabilities before general availability. It has also established a robust security response process to deal with vulnerabilities identified by internal teams and external researchers. Finally, SAP continues to deliver innovative solutions to enable customers to deal with today’s threat landscape. This includes tools designed to:

Discover data leaks (Read Access Logging)
Detect system vulnerabilities (Configuration Validation)
Manage security patches (System Recommendations)
Control access to sensitive function modules (Unified Connectivity)
Analyze security-relevant changes (Change Analysis)
Remove redundant custom code (Coverage Analyzer)
Secure custom code (Code Vulnerability Analyzer)
Detect attacks in real-time (Enterprise Threat Detection)

So, can you trust SAP with your system security? The answer is, why not?

[1] The Speed of Trust, Stephen Covey (2008)

Counting the Costs of Cyber Espionage

According to a recent study performed by the Center of Strategic and International Studies, the annual cost of cybercrime is more than $400 billion. This is equal to almost 1 percent of global income and higher than the national income of most countries. The report states that “The most important loss from cybercrime is in the theft of IP (intellectual property) and business confidential information, as this has the most significant economic implications”. In fact, some estimates place the cost of IP theft higher than the actual returns to IP creators: According to the World Intellectual Property Organization (WIPO), the world IP market generates $180 billion a year in fees and royalties, whereas IP theft costs the US economy alone more than $200 billion. This means that eliminating IP theft could more than double the returns on innovation for IP-generating firms.

Losses can vary significantly between sectors. The risk of IP theft and losses resulting from stolen data is higher in sectors where IP can be more readily monetized such as finance, chemicals, aerospace, energy, defense and IT. The impact of IP theft on individual firms can also fluctuate depending on how closely R&D and innovation-driven IP is tied to profitability. In extreme cases, it can lead to a complete collapse in profits. This is illustrated by the experience of Codan, an Australian technology company that manufactures mining and communications equipment. Codan’s net profit fell by 500 percent in a single year from $45M to $9M following the theft of technology blueprints during a targeted cyber attack. The stolen blueprints were used by counterfeiters to manufacture imitations that substantially undercut the price of genuine products manufactured by Codan. Despite slashing the price of its products, Codan was unable to stem the loss of market share that eventually eroded the company’s profits. The attack against Codan was profiled in a recent episode of Four Corners, a current affairs program aired by the Australian Broadcasting Corporation. The episode can be viewed below and underlines the destructive impact of financially-motivated economic espionage. According to research performed by Symantec and Kaspersky, such attacks are growing in volume and sophistication. They are frequently performed by organized criminal groups that target high-value corporate information that can be exploited for insider trading or other purposes.

Protection against such threats requires a layered security strategy including countermeasures at the network, OS, database and application level. For SAP application stacks, you can refer to Layer Seven’s white paper Protecting SAP Systems from Cyber Attack. The paper outlines a comprehensive approach for securing SAP systems against advanced threats and includes guidance for encrypting sensitive communications, securing access, implementing robust password policies, effectively patching SAP systems, and other areas.

OPM Data Breach Reveals the Limitations of Cybersecurity Solutions

The fallout from the record-breaking breach disclosed by the Office of Personnel Management (OPM) earlier this month reached a low point at a Capitol Hill hearing on June 16. During the hearing, members of the House Committee on Oversight and Government Reform scolded OPM officials and IT executives for their “complete and utter failure” to protect sensitive personal information stored in compromised systems. The breach is estimated to impact at least 3.2M federal employees and contractors. However, the number of breached records may be as high as 14M.

While the root cause of the breach is yet to be disclosed, there are several factors that are suspected to have contributed to the successful attack against the OPM. The first is OPM’s sluggish response to the recommendations of a systems audit performed by the Inspector General last year. The Inspector General Audit Report identified numerous material weaknesses in OPM’s security program and practices, including missing configuration baselines for operating platforms and ineffective security monitoring procedures. OPM has been widely criticized for failing to implement many of the key recommendations made by the Inspector General.

The second is weaknesses in cybersecurity tools put in place by the Department of Homeland Security to detect and contain the type of incident that led to the breach at OPM. The most widely criticized tool is Einstein, the multi-billion dollar intrusion detection system deployed by US-CERT to monitor government Internet gateways for malicious traffic. Einstein is at the cornerstone of the $4.5 billion U.S National Cybersecurity and Protection System (NCPS) program. Despite a recent $200M upgrade, it failed to expose the original attacks that led to the breach at OPM. Yet again, this serves to illustrate known limitations with signature-based intrusion detection systems that can be circumvented by scrambling or encrypting attack payloads. These and other drawbacks have led institutions such as SANS to conclude “It is far too easy to fool or shut down an IDS machine for them to be utilized as the primary line of defense against intruders”.

It also illustrates the broader concern over the effectiveness of cybersecurity solutions, not just network-based IDS or, for that matter, IPS systems. According to a joint study performed by Juniper Networks and RAND earlier this year, worldwide spending on cybersecurity is growing between 10 to 15 percent per year. However, despite investing increasing amounts on cybersecurity tools, most companies report a low level of confidence in the ability of such tools to improve the security of their infrastructure. This sentiment is understandable and is based on the questionable success of conventional tools to combat cyber threats. The irony of sky-rocketing costs for cybersecurity tools against the backdrop of the declining value of such tools is not lost on customers.

For this reason, organizations would be better served by redirecting budgets from dubious investments in redundant tools to tackling the most critical issue in cybersecurity today: the shortage of skilled resources capable of modelling and managing the wide array of risks in complex and evolving threat landscapes. The global cybersecurity skills shortage is borne out by the following startling facts:

83% percent of enterprises lack the skills to protect their IT assets (1)

1 out of 3 security professionals are not familiar with advanced persistent threats (2)

62% of organizations did not increase security training in 2014 (2)

There are 1M unfilled positions for security professionals worldwide (3)

One of the consequences of the skills shortage is that it often leads enterprises to rely on a patchwork of third parties for core security services. OPM, for example, is alleged to have granted privileged access to contractors in China, one of the nation states suspected of perpetrating the attack.

For SAP systems, the aim of fostering an effective security operations center or center of excellence is made easier by the availability of a wide array of powerful monitoring tools in Solution Manager. The most important of these tools is Configuration Validation (ConVal) which can be leveraged to implement automated, policy-based vulnerability management. The accessibility and convenience of tools such as ConVal eliminates the need for third party security software and enables customers to focus more resources on staffing, training and other needs.

ConVal performs system configuration monitoring. It also monitors critical authorizations, transactions and profiles. For security information and event monitoring (SIEM), most existing platforms can analyze event data in SAP log files including the Security Audit Log. Platforms such as HP Arcsight, RSA enVision, McAfee/ Intel, and Splunk can be tuned to review SAP logs using available connectors or modules. For more information on ConVal or integrating SAP systems with your SIEM platform, contact Layer Seven Security.

1 ESG, March 2015
2 2014 APT Study, ISACA, April 2014
3 Annual Security Report, Cisco, January 2014