SAP Security And The Concept Of Risk – How We Translated It In Our Software

By 4 June 2020 August 19th, 2020 No Comments

Within the cyber security industry, Risk is an important and central concept. It is commonly defined as exposure to harm or loss resulting from breaches of or attacks on information systems.

Protect4S reduces Risk by:

  • identifying vulnerabilities present in SAP systems
  • classifying these vulnerabilities in terms of: Risk, Impact, Likelihood and Mitigation Effort
  • assigning a value metric to Risk, Impact, Likelihood and Mitigation Effort
  • showing staff how to mitigate or remediate these vulnerabilities by referring to trusted information from SAP
  • assisting in the process of mitigation and remediation.

Risk, Impact and Likelihood

Risk is associated with vulnerabilities in information systems. When such a vulnerability is successfully exploited by a hacker, this will likely result in real quantifiable damage or Impact. The chance of such an event occurring depends on the Likelihood of exploitation of that specific vulnerability.

Putting these together result in the following formula that is a central part of many vulnerability scanners:

Risk = Impact * Likelihood

Usually, a value metric series has been assigned to these parameters, for example, Extra Low, Low, Medium, High, Extra High. When both Impact and Likelihood are expressed in these 5 discrete values, the resulting Risk value must also be mapped to them.

Protect4S uses the following table for this:

Which approximates the Risk formula with:

Risk = FLOOR((Impact + Likelihood)/2;1)

The graph below shows the differences between the original formula and the approximation.

Risk re-calculation in Protect4S

Protect4S also uses 2 weights for Impact and Likelihood that can be varied using a slider:

Varying the weights between Impact and Likelihood in Protect4S

This corresponds with the formula:

Risk = FLOOR(a* Impact + b*Likelihood) (a + b = 1)

Normally, both weights are equal to 0.5. This way, the Impact and Likelihood have equal importance. By varying the weights from 0 to 1, one can make either the Likelihood or the Impact of a given vulnerability more important.

This will result in a different Risk value and a different order of the vulnerability list. Using the slider, one can analyse all vulnerabilities in a better manner, making sure that, for example, the vulnerabilities with Medium Likelihood and Very High Impact are not missed.

In the moving image below, you can see the effect of the slider on a list of vulnerabilities found in a SAP system:

Impact of a vulnerability in SAP

There are many kinds of vulnerabilities in SAP systems. The ones with the highest Impact are those that result in a takeover or creation of an SAP user with administrative privileges.

Likelihood of a vulnerability in SAP

A vulnerability is more likely to be exploited when it is present in large numbers of SAP systems. This is the case when the vulnerability is located in a component that is present in the SAP Netweaver layer, for example, SAP_BASIS or ST-PI.

Vulnerabilities that are more difficult to exploit and require interaction with a SAP user, for example, have a lower likelihood of exploitation.

A competent hacker usually selects the most efficient method (the shortest path) to achieve this goal. The shortest paths are usually by means of remote exploitation of existing SQL-Injection or command injection vulnerabilities.

An example of such a vulnerability was described in an earlier blog.

Risk Matrix

After each vulnerability Scan, Protect4S generates a Risk matrix showing the distribution of the vulnerabilities found. This is represented in the Risk distribution heat map:

The vulnerabilities with the highest risks can be found in the upper right quadrant of the graph, the ones that have both High, Very High Impact and Likelihood.

It is these vulnerabilities that should really be addressed.

Mitigation Effort

Mitigation Effort is another parameter that can be associated with Risk. After each vulnerability Scan, Protect4S also generates a Mitigation effort heat map showing the Risk value plotted against Mitigation effort:

The idea behind this is that: If you know how much effort it takes to mitigate or remediate a vulnerability, then you can select to work on the vulnerabilities that have high Risk and low Mitigation Effort and get the biggest value (in terms of Risk reduction) for your money.

Leave a Reply