SANS has mapped SAP cybersecurity to the CIS Critical Security Controls for Effective Cyber Defense for the first time.
More than 12,560 individuals and organizations have downloaded the CIS Critical Security Controls for Effective Cyber Defense since their release to the public last October 15. The CIS Controls are a recommended set of actions that provide specific ways to stop today’s most pervasive and dangerous cybersecurity attacks.
As cyber-attacks targeting SAP continue to grow, organizations need to secure their SAP landscape as part of their organization’s overall security posture—hence the CIS Security Controls mapping.
“Direct attacks on ERP systems such as SAP’s are being disclosed more frequently, validating the assumption that even complex applications housed in secure facilities need specific protection and that safeguarding them should be a top priority,” said Barbara Filkins, senior SANS analyst, SANS Institute. “Attacks aimed directly at complex, mission-critical applications result in extraordinary costs and impact to the business.”
She added, “To protect an SAP system, start by looking retroactively at current configurations to be sure they’re up to date with the latest patches and that they are continually monitoring unauthorized user behavior and advanced threats.”
SANS has laid out a step-by-step approach that organizations can take to secure SAP implementations. The approach is largely application-oriented, but also applies network restrictions to underlying network devices and firewalls, in addition to closing loopholes through operational procedures and training.
“Having SAP cybersecurity formally recognized as a standard control for organizations is a major achievement in building awareness for the business-critical application security market,” said Juan Pablo Perez-Etchegoyen, CTO at Onapsis, which sponsored the white paper. “This is still a blind spot for many organizations, as they often assume that their SAP data—or ‘crown jewels’—are covered by traditional security methods or by the SAP administration team.”
A recent US CERT alert warned that at least 36 organizations worldwide are affected by an SAP vulnerability. Security researchers from Onapsis discovered indicators of exploitation against these organizations’ SAP business applications.
“[This] showed us the very real ways in which attackers are accessing these applications, and the vulnerabilities they are leveraging to do so,” said Perez-Etchegoyen. “Having SAP cybersecurity mapped to the CIS Critical Security Controls will help organizations to better understand why SAP needs to be included in the overall security posture, and [this] provides steps for how to best do so.”
Photo © NicoElNino