At least 3,000 SAP systems are directly exposed to the internet, providing direct access to core corporate systems for potential attackers, according to a penetration-testing firm. Rapid7, the firm behind the Metasploit penetration-testing tool, carried out the scanning exercise in the wake of the discovery of a banking Trojan …
We are all late to the party
It is possible to secure systems to a reasonable degree, but unnecessarily difficult in our current environment. Intruders should not even be able to find your system let alone probe and attack. Unfortunately, we continue to use ancient outmoded ways of resolving addresses, authentication, routing, etc. We also continue to house the same data in multiple places under the care of multiple custodians each able to compromise the information.
I hate to say it, but it is just impossible that big players and our governments are unaware of the situation -- both cause and cure. However, for them the cure is worse than the disease. They had a choice between giving up improper access to client data or securing client data. They chose and choose to keep their fingers in the pie.
This is another case where we have created incentives for cheating without balancing sufficient disincentives for getting caught.
Scanning through an open SAProuter
So, how surprised am I that they can penetrate a SAProuter that allows the world+dog through a certain well-known port ?
Go on, take a guess ....
Oh and for demonstration purposes they also did not limit access through a Firewall.... hmmmm....
Al this stuff is mitigated (although not entirely prevented!) with a Network Admin 101 course and implementation of sensible rules.
Oh well... Another report to scare up some new projects.
1. Pen-test an open system
2. Write damning report
3. Scare the customers
And, hey! no "3. ..." for this business model ;-)
For clarity, "SAP Router" is software, not hardware, and should be sat behind an industrial-strength firewall. Anything else is pure incompetence and the SAP Basis responsible should be sacked.
Nothing new here
We've been able to find SAP systems through internet searches since the days of ITS and early SAP Portal. It would have been a trivial matter to try some default user accounts.
Other posters have commented on the reality of the tests & possible scaremongering tactics. For all their sins SAP does generally produce reasonably secure software. The problem is that most of those paid to secure it do not understand how to secure the assets using standard delivered SAP functionality and standard security techniques.
For me, there's a whole load of things wrong with this article.
First, people need to understand what a SAP router is. It is a piece of software which is designed to let SAP connect to your systems for support purposes. There are 85k SAP customers running these sorts of systems and most have several SAP routers. I'd expect there are around 250k SAP routers around the world.
Then you have to understand that SAP routers are designed to provide connectivity information for what SAP system to connect to - hence the word "router". They are also a primitive firewall and herein lies the problem because lazy administrators use them as a router and firewall and expose them to the internet.
This is stupid and irresponsible and a huge business risk to an organization. SAP routers do not provide protection and you need to use proper routers and firewalls. This is well documented and there are design guides for SAP routers that explain all this.
As the guy below says, those lazy administrators (3% of SAP routers) should be fired.
Then let's cover off the SAP systems that are out there. There are, as I said, around 85k ERP customers, most of which have many SAP systems. It's not unusual for larger customers to have hundreds, and this means that there are millions of SAP systems out there, and many different versions and patch levels.
SAP do of course release security fixes but the code base is huge and there are relatively few penetrations. I worked with a SAP defense customer some years back and they said they broke the SAP security protocol in 15 minutes. I looked worried and they said "Oh don't worry, 15 minutes is actually pretty good, your competitor took 30 seconds. We just have some rather good hackers".
But what this means is that the SAP stack has been poked at by some pretty good white hat hackers. The problem is that many customers don't apply fixes to server operating systems, databases or application layers, leaving all of them open to security flaws. As usual, this is the real risk.
What I really don't like about this article is that it gives a security vendor a load of publicity, when they have totally failed to understand the security threat and helped customers address it. This is the point of security advisory services and they have totally failed.
In case anyone thinks I'm pro-SAP, I made sure to give them a boot too - their security response is not adequate.
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Analysis BlackBerry's turnaround relies on a secret weapon: Its own network
- Hire and hold IT staff in 2015: The Reg's how-to guide