Analyzing SAP Hackers

Author: Ivan Mans
Date Published: 10 October 2023

Like any software application or system, SAP systems contain vulnerabilities that attackers, whether internal or external adversaries, may exploit. SAP information is precious to a hacker because it stores a vast amount of sensitive financial data, customer information and intellectual property, which makes it an attractive target. Moreover, SAP systems are critical to 99 of the 100 largest enterprises in the world;1 a successful cyberattack would cause significant disruption, reputational damage and financial loss.

To reduce the risk of cyberattack, organizations must keep their SAP systems up to date with the latest security patches and updates identified during SAP's monthly Security Patch Day.2 In addition, regularly conducting vulnerability assessments to identify and remediate security gaps significantly reduces the available attack vectors.3 However, it is important to understand how internal and external SAP attackers differ in their level of access and proximity to the SAP system. Awareness of their attack profiles can help prevent enterprises from suffering unfortunate and embarrassing cyberincidents.

Risk From Inside the SAP Environment

Internal SAP attackers are individuals or entities who already have access to the SAP system as employees, contractors or partners. They hold legitimate access to the system but misuse their privileges to carry out malicious activities such as stealing sensitive data, sabotaging the system or installing back doors for future exploitation.

Insider attacks can occur in the application security domain, which belongs to the internal cybersecurity risk. Such attacks may involve, among other things, data theft or malicious manipulation of business information.

Analyzing application logs is typically the most effective method for detecting insider behavior anomalies, but this can be difficult to do for SAP applications due to the sheer number of logs that exist. Monitoring the most critical SAP S/4HANA logs is essential for detecting fraud and malicious manipulation. The speed of response depends on whether automatic notifications are in place and whether monitoring and evaluation are performed manually or periodically. The level of risk assigned to corresponding log items is highly individual and depends on various factors unique to each organization.
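The paragraph above makes the case for monitoring a small set of critical logs rather than all of them. The following is an added example, not code from the article or from SecurityBridge, showing what a minimal rule-based review of audit-style log lines can look like. The log format (pipe-separated timestamp, user, terminal, transaction code, event) and all sample lines are constructed for this example; the transaction codes SU01, PFCG, SE16 and SM49 are real SAP transactions (user maintenance, role maintenance, table browser and external OS commands), but the allow-list of users permitted to run them, the business-hours window and the failed-logon threshold are assumptions an organization would tune to its own risk appetite.

```python
"""Rule-based review of constructed SAP-style audit log lines for insider anomalies.

Added example (not from the article). Three rules are applied:
  1. a sensitive transaction started by a user outside the allow-list
  2. any transaction started outside business hours
  3. a run of failed logons followed by a successful logon from the same user/terminal
"""
from collections import Counter, defaultdict
from datetime import datetime, time, timedelta

# Constructed sample log (not real SAP output).
# Fields: timestamp | user | terminal | tcode ("-" for logon events) | event
SAMPLE_LOG = """\
2023-10-02T08:55:10|JSMITH|WS-0142|VA01|TRANSACTION_STARTED
2023-10-02T09:01:44|BASIS01|WS-0007|SU01|TRANSACTION_STARTED
2023-10-02T23:14:02|JSMITH|WS-0142|SE16|TRANSACTION_STARTED
2023-10-02T23:15:30|JSMITH|WS-0142|SE16|TRANSACTION_STARTED
2023-10-03T03:10:01|CONTRACTOR7|WS-0310|-|LOGON_FAILED
2023-10-03T03:10:09|CONTRACTOR7|WS-0310|-|LOGON_FAILED
2023-10-03T03:10:15|CONTRACTOR7|WS-0310|-|LOGON_FAILED
2023-10-03T03:10:40|CONTRACTOR7|WS-0310|-|LOGON_SUCCESS
2023-10-03T03:12:05|CONTRACTOR7|WS-0310|PFCG|TRANSACTION_STARTED
"""

# Real SAP transaction codes that warrant attention; the allow-list is an assumption.
SENSITIVE_TCODES = {"SU01", "PFCG", "SE16", "SM49"}
ALLOWED_SENSITIVE_USERS = {"BASIS01"}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)   # assumed business hours
FAILED_LOGON_THRESHOLD = 3                                 # assumed threshold
FAILED_LOGON_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one pipe-separated line into a record with a parsed timestamp."""
    ts, user, terminal, tcode, event = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "terminal": terminal, "tcode": tcode, "event": event}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _alert(rule, record, detail):
    return {"rule": rule, "user": record["user"], "terminal": record["terminal"],
            "ts": record["ts"].isoformat(), "tcode": record["tcode"], "detail": detail}


def detect_anomalies(records):
    """Return a list of alerts produced by the three rules over the records (in order)."""
    alerts = []
    failed_logons = defaultdict(list)   # (user, terminal) -> timestamps of failed logons
    for rec in records:
        key = (rec["user"], rec["terminal"])
        if rec["event"] == "LOGON_FAILED":
            failed_logons[key].append(rec["ts"])
            continue
        if rec["event"] == "LOGON_SUCCESS":
            window_start = rec["ts"] - FAILED_LOGON_WINDOW
            recent = [t for t in failed_logons[key] if t >= window_start]
            if len(recent) >= FAILED_LOGON_THRESHOLD:
                alerts.append(_alert("FAILED_LOGONS_THEN_SUCCESS", rec,
                                     f"{len(recent)} failed logons within {FAILED_LOGON_WINDOW}"))
            failed_logons[key].clear()   # a successful logon resets the counter
            continue
        if rec["event"] == "TRANSACTION_STARTED":
            if rec["tcode"] in SENSITIVE_TCODES and rec["user"] not in ALLOWED_SENSITIVE_USERS:
                alerts.append(_alert("SENSITIVE_TCODE_UNEXPECTED_USER", rec,
                                     f"{rec['tcode']} is not expected for this user"))
            if not BUSINESS_START <= rec["ts"].time() <= BUSINESS_END:
                alerts.append(_alert("OUT_OF_HOURS_ACTIVITY", rec,
                                     f"{rec['tcode']} started at {rec['ts'].time()}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, which is what a periodic review would report first."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = detect_anomalies(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a['ts']}  {a['rule']:<32} {a['user']}@{a['terminal']}  {a['detail']}")
    print(dict(summarize(found)))
```

Run on the constructed sample, the rules raise seven alerts: three sensitive transactions by non-allow-listed users, three out-of-hours transactions and one failed-logon burst followed by a success. Whether a given rule is routed to an automatic notification or left for periodic manual review is exactly the organization-specific risk decision the paragraph describes.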


Risk From Outside the SAP Environment

External SAP attackers are individuals or entities that do not have legitimate access to the SAP system and must breach its defenses to carry out their attacks. They may use various methods, such as exploiting vulnerabilities in the system, social engineering or phishing, to gain access. Once they have access, they may carry out a range of attacks such as stealing data, installing malware or launching denial-of-service (DoS) attacks.

The Hypertext Transfer Protocol (HTTP) request smuggling vulnerability known as Internet Communication Manager Advanced Desync (ICMAD) is an example of an external SAP vulnerability. It is tracked as CVE-2022-22536,4 CVE-2022-22532,5 and CVE-2022-225336 and affects the SAP Web Dispatcher. The SAP Web Dispatcher often acts as a proxy between the SAP application and insecure networks. Because this vulnerability can be reached from outside, it is classified as an external risk and is exploited by a particular type of attacker.7

Because there are many vulnerabilities to consider, a rating classification helps align priorities. But even rating scores fluctuate, so the ultimate decision about when to act must be made by the cybersecurity professional. Case in point: the ICMAD SAP vulnerability can be rated using the standardized Common Vulnerability Scoring System (CVSS), which gives it a score of 10.0 (very high) on a scale from 1.0 (low) to 10.0 (very high). Attackers also sometimes chain multiple vulnerabilities with lower CVSS scores to reach their target. Hence, it is vital not to look only at the highest CVSS score when patching SAP security issues.

However, the CVSS rating system is not the only source for a specific vulnerability rating. Security administrators should also consider actual exploitation (e.g., by comparing the CVSS score with the rating from a threat intelligence company such as Mandiant). Mandiant rates vulnerabilities based on real-world attack information. Where no exploitation is known, Mandiant's experts downgrade an SAP risk with a CVSS score of very high to high. Whether an individual vulnerability rating should be raised or lowered also depends on the external exposure of the SAP system, including the critical access paths within the SAP environment.
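The two paragraphs above describe a prioritization that starts from the CVSS base score, lowers it when no exploitation is known, and raises it for externally exposed components or critical access paths. The following added example (not code from the article, from Mandiant or from SecurityBridge) turns that reasoning into a small, explainable scoring function. The mapping of CVSS ranges to the article's low/medium/high/very high bands, the "downgrade very high to high when not known-exploited" rule and the "+1 level for internet-facing or critical-path components" rule are assumptions modelled on the text; the only real identifier is CVE-2022-22536 with its 10.0 score from the page, and the other findings are constructed placeholders.

```python
"""Explainable vulnerability prioritization: CVSS band, exploitation evidence, exposure.

Added example (not the article's method). Each adjustment is recorded so a reviewer
can see why a finding landed where it did, rather than trusting a single number.
"""
from dataclasses import dataclass, field

LEVELS = ["low", "medium", "high", "very high"]   # ordering used by the article's scale


@dataclass
class Finding:
    vuln_id: str
    cvss_base: float
    known_exploited: bool          # e.g., from a threat-intelligence feed (assumed input)
    internet_facing: bool          # is the affected component reachable from outside?
    on_critical_path: bool = False # does it sit on a critical access path into SAP?
    notes: list = field(default_factory=list)


def cvss_band(score):
    """Map a CVSS base score to the article's qualitative bands (assumed thresholds)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "very high"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(finding):
    """Return (final level, list of reasons) for one finding."""
    level = LEVELS.index(cvss_band(finding.cvss_base))
    reasons = [f"CVSS {finding.cvss_base} -> {LEVELS[level]}"]

    # Rule 1 (from the text): no known exploitation downgrades very high to high.
    if level == LEVELS.index("very high") and not finding.known_exploited:
        level -= 1
        reasons.append("no known exploitation -> downgraded to high")

    # Rule 2 (from the text): external exposure or a critical access path raises the rating.
    if finding.internet_facing or finding.on_critical_path:
        if level < LEVELS.index("very high"):
            level += 1
            reasons.append("externally exposed / critical access path -> raised one level")
        else:
            reasons.append("externally exposed / critical access path (already very high)")

    return LEVELS[level], reasons


def rank(findings):
    """Order findings by final level, then by CVSS base score, highest first."""
    return sorted(findings,
                  key=lambda f: (-LEVELS.index(prioritize(f)[0]), -f.cvss_base))


# Constructed sample findings. Only the first ID and score come from the article.
SAMPLE_FINDINGS = [
    Finding("CVE-2022-22536 (ICMAD)", 10.0, known_exploited=True, internet_facing=True),
    Finding("EXAMPLE-INTERNAL-01", 9.1, known_exploited=False, internet_facing=False),
    Finding("EXAMPLE-WEBDISP-02", 6.5, known_exploited=False, internet_facing=True),
    Finding("EXAMPLE-INTERNAL-03", 3.1, known_exploited=False, internet_facing=False),
]


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        level, why = prioritize(f)
        print(f"{level:<9} {f.vuln_id:<26} " + "; ".join(why))
```

On the constructed sample, the 9.1 finding with no known exploitation drops to high, while the 6.5 finding on an internet-facing component rises to high, so the two end up adjacent in the queue despite a 2.6-point CVSS gap. That is the point of the paragraph: the number is a starting position, not the decision.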

Who Is More Dangerous?

External and internal SAP cyberattacks can be equally damaging, and it is difficult to determine which type is more severe. The severity of an attack depends on various factors such as the type of attack, the level of access gained, the sensitivity of the data compromised, and the speed and effectiveness of the response.

Internal SAP attackers may have an advantage over external attackers because they have more in-depth knowledge of the system and its vulnerabilities. Therefore, internal attacks may pose a greater threat. For example, it can be devastating to an enterprise's profits and reputation if an employee sells SAP HANA secrets to a competitor or defaces its website or ecommerce platform.

External SAP cyberattacks can be more challenging because the attacker must first breach the system's defenses. Once inside, they can cause severe damage, since they can operate from a position of anonymity and exploit vulnerabilities. Furthermore, external hackers usually seek information they can sell or use for profit. In addition, external attacks may be difficult to detect because the attackers are not part of the organization and may not leave any traceable digital footprints.

Conclusion

SAP systems are vulnerable to both external and internal cyberattacks, and both types of attackers have unique advantages in achieving their nefarious goals. Internal SAP attackers may have more knowledge of the enterprise security process, the system and its vulnerabilities, making it easier for them to carry out an attack, but once external attackers gain access to the system, they can operate from a position of anonymity and continue to exploit vulnerabilities for long periods.

Organizations must act on this knowledge by taking a proactive approach to cybersecurity and implementing appropriate security controls, regularly monitoring the system and training employees to identify and prevent all cyberthreats to their SAP systems.

Endnotes

1 SAP, SAP Company Fact Sheet, 16 May 2023
2 SAP, SAP Security Notes
3 SecurityBridge, Automate and Simplify Vulnerability Management for SAP Applications and Custom Code
4 National Institute of Standards and Technology, "CVE-2022-22536 Detail," USA, 2022
5 National Institute of Standards and Technology, "CVE-2022-22532 Detail," USA, 2022
6 National Institute of Standards and Technology, "CVE-2022-22533 Detail," USA, 2022
7 Mans, I.; "Who Is the Typical SAP Attacker?," 1 September 2022

Ivan Mans

Is an experienced SAP technology consultant who has worked in the SAP space since 1997. In 2012 he co-founded SecurityBridge. In his current role as chief technology officer (CTO), he is an active driver who motivates people and pushes technology forward, contributing to the continuous innovation of the SecurityBridge platform. In recent years, Mans has been a regular speaker at SAP events where he evangelizes about SAP security.