How well are your SAP systems protected?
Posted by Joris van de Vis, SAP Security researcher and co-founder at Protect4S
Last week I got a phone call from a friend, the CTO of a software company in the Netherlands, that was hit by last weeks’ Kaseya ransomware and his business came to a halt because of that. Their productive database got ransomed and their online software solution was reduced to nothing more than unreadable garbage, leaving customers behind with nothing more than an error message on their screen. A first-hand view of the crippling effects of ransomware and what it can do to businesses. Apart from some help and advice, thankfully they had unaffected backups and were able to recover from this situation (not mentioning the weekend of hard work, stress and costs involved to recover).
Now the weird coincidence is that I was no stranger to this specific case. As a volunteer for the Dutch Institute for Vulnerabilities, I knew that these vulnerabilities were discovered and reported to the vendor earlier and that the DIVD was working with the vendor to fix this issue. Unfortunately, these fixes were just not there yet, leaving room for this mass exploitation of systems with extensive damages worldwide as a result.
Overthinking this event and seeing the consequences had motivated me to (again) think of our SAP customers and how well their SAP systems are protected. And while there are no specific SAP ransomware attacks known to me, I personally believe that this should be a wake-up call for all of us. SAP customers specifically are a really interesting target. Think of it: they all have valuable and business-critical data, money to offer (they could purchase SAP software right 😉 ) and a sense of urgency as their businesses need to keep on running. So in my view, it is only a matter of time before SAP systems will be targeted.
Now, I don’t want to make this a commercial story and tell everybody to use Protect4S and all will be fine. Yet I really think that in some way or another, all SAP using customers should really address this topic if not done already and rethink their SAP Security strategy to be at least prepared. No processes, specialists or tooling can prevent 100% of attacks, but there are lots of initiatives and measures to take to reduce risk. So please do make sure to look at your basic security hygiene. Make sure patch management is in place, make backups and check them periodically, look at your processes and procedures, take technical measures and train the skillsets of your people. All of this are not new, but let’s use last weeks’ attack as another wake-up call and prepare ourselves for the next one. Because that one may be targeted at SAP systems.
The good news is that you can do a lot of prevention. Even more good news is that in most cases, the money spent on prevention is way less than the money spent on dealing with a security breach. And if you need help with this rather complex topic, please let us know or share your comments with us anyway. We are happy to hear it as we believe that this is not a topic that is going away any time soon.
P.S. While reading this post you could have taken a backup already as suggested by SAP (but we prefer you don’t do this once but on a periodic schedule 😉 )