US Homeland Security warns of latest hacker craze – ERP pwnage

Hackers are increasingly looking to target enterprise resource planning (ERP) systems to disrupt and steal data from large companies. This according to a report (PDF) from security companies Digital Shadows and Onapsis, who say that hacktivists and state-sponsored groups in particular have been looking to exploit flaws in …

  1. Version 1.0 Silver badge

    The writing is on the wall

    We need to stop kidding ourselves that we can "secure" these cloud platforms and Internet facing applications. What we fix today is broken tomorrow and we may notice it next year.

    I know there's a lot of money to be made pretending that "security" can be purchased/guaranteed and it's an easy sale for all the big database companies but - let's face it - random sex with strangers is safer than putting your corporate bawls out for anyone to examine and fiddle with even if the vendor tells you "it's safe" ... what they really mean is that your money is in their safe - and on its way to the Virgin Islands via Ireland.

  2. Marketing Hack Silver badge
    Trollface

    "exploit flaws in Oracle and SAP platforms."

    WAIT, there might be FLAWS in the monolithic, byzantine tangle of code that are too often modern on-prem enterprise ERP systems? And that replacing all that by putting your keys to the kingdom in the cloud might have security implications? Icon shows my surprised face.

    (Not-so-fondly recalling my time at Symantec during the Veritas merger when just getting both halves of the company off of different releases of Oracle ERP and onto the same one caused PO requests to disappear in the procurement process and occasional inability of customers to get keys for the software licenses they just bought. Ugh.)

    1. Yet Another Anonymous coward Silver badge

      Re: "exploit flaws in Oracle and SAP platforms."

      We will know if the hackers succeeded when Russia announces a 5 year plan to utilize synergy to leverage paradigm changes in Soviet era agriculture

  3. JeffyPoooh Silver badge
    Pint

    Impossible to hack SAP...

    The tiny perhaps-they-make-sense-in-German icons are perfectly inscrutable even when you're right next to them with a magnifying glass. How on Earth would anyone be able to hack into SAP from a remote location?

  4. jake Silver badge

    It ain't ERP that's the problem, per se.

    It's the clueless middle-to-upper management that spec it and use it that are the security problem.

    1. m0rt Silver badge

      Re: It ain't ERP that's the problem, per se.

      "It's the clueless middle-to-upper management that spec it and use it that are the security problem."

      No, it is still also due to the coders who write the stuff, the analysts who examine the stuff, the testers who test the stuff, the customers who buy the stuff.

      Joint effort.

      Security will only work when holistically applied. Otherwise you are always just one phishing attack away from pwnage.

      (Except in the case of Oracle. Oracle is Satan's work.)

  5. Zippy's Sausage Factory

    Proofreaders?

    "minimise the attack service" - should that last word be "surface", or has my morning coffee not kicked in yet?

    1. Alistair Silver badge
      Windows

      Re: Proofreaders?

      @ZSF

      minimize the attack service on their ERP software.

      I suppose it was a typo, but I'll tell you, considering the way some legal tents are bending around the world, I would imagine that the Admins aren't told about the attack service. Just the TLA's.

  6. Anonymous Coward
    Anonymous Coward

    I laugh at the idea that a hacker could get something useful out of a SAP system.

  7. Captain Scarlet Silver badge
    Coat

    "segregation of duties"

    I fecking hate SOD, I'll be off before an auditor makes changes to their overcomplicated grid system again.

    1. robidy

      Re: "segregation of duties"

      It depends on implementation.

      It's a very good layer in a properly secured system to help prevent internal abuse.

      It's also a very good tool to help reduce the level of access each user account has.

      Having one user with complete control and access means you're only one USER mistake away from total loss of system control to miscreants.


Biting the hand that feeds IT © 1998–2019