What is ERP Security?
Originally published by Onapsis on October 6, 2022.
This month marks CISA’s 19th Cybersecurity Awareness Month, a joint effort between the government and public to raise awareness of the importance of cybersecurity. This year's theme, "See Yourself in Cyber," demonstrates that while cybersecurity may seem like a complex subject, it comes down to people playing their part in the security of their home and organization.
Despite their importance, business-critical Enterprise Resource Planning (ERP) applications have been neglected by most of the security community. However, in the last two years, 64% of ERP systems have been breached in the last two years and over the past five years, there have been six US-CERT alerts on malicious cyber activity or vulnerabilities in SAP. With 70% of organizations saying their application portfolio has become more vulnerable in the past year, organizations need an ERP security strategy that protects their crown jewels.
An Overview of ERP Applications
With hundreds of thousands of implementations across the globe, ERP applications support the most critical business processes and house the most important information for the biggest organizations in the world. The vast majority of these large organizations have implemented ERP applications from one of the two market leaders, SAP and Oracle. Organizations rely on these applications to support business processes such as payroll, treasury, inventory management, manufacturing, financial planning, sales, logistics and billing. By their very nature, these applications host sensitive information, including financial results, manufacturing formulas, pricing, intellectual property, credit cards and personally identifiable information (PII) from employees, customers and suppliers.
Current Gaps in ERP Security
ERP systems, such as SAP and Oracle E-Business Suite (EBS), are the operational engine of an organization, running the business-critical applications and holding the sensitive data needed for businesses to function. Yet despite the importance of these systems, they often fall in a cybersecurity blind spot, left unprotected against internal misuse and external attacks.
Just as with any other software, ERP applications may also be susceptible to vulnerabilities that must be patched by customers who are running and maintaining these applications. More often, organizations struggle to apply security patches due to some of these unique characteristics: complex system architecture, customized functionality, high number of integrations, or lack of knowledge and processes for ERP security. For example, the sheer size and complexity of the task of securing ERP systems can be overwhelming. ERP systems consist of a wide array of elements, including process and workflow, master data and data warehouse, an underlying computational infrastructure, a large storage network—and share data with hundreds of other IT applications inside and outside of the organization. Many organizations also do not have the visibility into these shared applications to understand what is happening within their ERP system. These factors combine to make it difficult for ERP customers to stay up to date with security vulnerabilities, secure configurations and security patches. Unfortunately, this means that many organizations are implementing and running insecure ERP applications.
The Evolving ERP Threat Landscape
With a large amount of sensitive data at stake and a host of exploited security vulnerabilities, it is no surprise that threat actors target these ERP applications. The need for ERP security has never been more urgent. Threat actors have the expertise to identify and exploit unprotected these business-critical applications. SAP and Onapsis found evidence of over 300 automated exploitations leveraging seven SAP-specific attack vectors and over 100 hands-on-keyboard sessions from a wide range of threat actors. The window for defenders is small and it is clear that cyberattackers have sophisticated knowledge of ERP applications. Onapsis Research Labs found that SAP applications are being weaponized within 72 hours of a patch release.. They are actively targeting and exploiting unsecured SAP applications through varied tactics, techniques, and procedures (TTPs).
The Business Impact of Unsecured ERP Systems
If not properly secured, ERP systems could be vulnerable to insider and outside threats, critical assets and data could be exposed, and compliance violations may go undetected. ERP systems contain an organization’s crown jewels—the sensitive information enterprises need to function on a daily basis. The types most frequently targeted are sales, HR, and financial data as well as personal information and intellectual property. If such data were to fall into the wrong hands, or be held for ransom, operational, financial, and reputational impacts can be substantial.
Exploits targeting misconfigurations and vulnerabilities can allow attackers to compromise IT controls and take full control of vulnerable systems. Successful exploitation would allow an attacker gain access to the ERP system and perform several malicious activities, including:
- Steal personal identifiable information (PII) from employees, customers, and suppliers
- Read, modify, or delete financial records
- Change banking details
- Administer purchasing processes
- Disrupt critical business operations by corrupting data, shutting processes down completely, or deploying ransomware
- Delete or modify traces, logs, and other files
The broad range of possible digital ERP data is also key to many vital compliance mandates, including CCPA, GDPR, SOX, PCI-DSS, and the NIST and CMMC frameworks. The information compromised most often is the highest regulated in today’s business ecosystem – and most concerning is the popularity of sales, financial data, and PII. Protecting the integrity of that data is a must.
Six Steps to Secure Your ERP Systems
1. Implement a risk-based vulnerability management program
Conventional tools such as firewalls and vulnerability scanners are absolutely necessary, but while they may cover system-level concerns in business-critical applications, they do not support the ERP application security itself. The underlying operating system vulnerability may be detected, but not the SAP custom code issue, or the E-Business Suite (EBS) application layer flaw.
With modern vulnerability management tools, security teams can gain full visibility into all assets across the IT environment, including those hosted on-premise, the cloud, or both. This enables them to make an inventory of all assets within their system, identify any hidden or previously known vulnerabilities, and keep a record of all of them. These tools can also provide security teams with automated assessments of each threat, their business impact, and their associated security risk, and subsequently share thorough descriptions and solutions for each. Vulnerability management capabilities that capture a complete view of an enterprise’s threat environment can help security teams understand their attack surface and save significant time, money, and resources that would have otherwise been spent focusing on lower priority items. A risk-based vulnerability management process that includes threat intelligence and monitoring of users, activity, and vulnerabilities at the application and database layer will help achieve this outcome.
2. Continuously monitor for internal and external threats
Security teams have implemented defense-in-depth strategies in an attempt to protect the application layer from these threats. Their approach is to surround ERP applications with layers of defense to try to prevent bad actors from reaching these critical applications. This includes deploying security at the perimeter, network, and endpoint levels using endpoint detection and response (EDR), network detection and response (NDR) and security information and event management (SIEM) tools. Yet these existing defense-in-depth solutions are not specifically focused on threats and vulnerabilities for business-critical applications. None of these tools provides the security team with visibility into potential misuse or abuse of business-critical applications. Organizations should employ a threat detection and response tool that can allow them to continuously monitor threat intelligence sources to detect compromised ERP credentials.
3. Stay on top of software updates
ERP systems should be updated regularly. This prevents bugs from impacting the system and prevents information from being leaked or stolen. Keeping your system regularly up-to-date by keeping up with software updates makes the ERP less vulnerable to external threats.
4. Timely patch management
Given the frequency and volume of patch releases, complexity of the patching process, and size of application landscapes, organizations have the potential to face a growing backlog of patches. A manual patch management process can be error prone; there isn’t an easy way to identify which systems are missing which patches, which missing patches to prioritize, and whether or not patches were applied. Having an automated patch management process can minimize the risk of critical vulnerabilities and protect the business’ most important assets.
5. Secure custom code
Ensuring teams are writing high quality and secure code can be arduous with traditional tools and processes. This code will be brought into the organization environment via transports, which adds additional complexity. Organizations also need a way to check that the transports aren’t going to introduce security, performance, or compliance issues. Unaddressed issues in the custom code and transports used to create, maintain, and update the applications can disrupt business operations and interfere with the ongoing delivery of updates. An application security testing solution can replace these time-consuming and error prone automatic remediation for common code errors, enabling organizations to build security into development processes to find and fix issues as quickly as possible.
6. Seek and use targeted threat intelligence to stay ahead of zero-day threats
Timely, impactful threat intelligence programs can provide insightful information about current TTPs used by threat actors for pre-patch protection. They can also provide early alerts about new ransomware campaigns as well as actionable intelligence for security teams responsible for designing and implementing security controls.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.