[BreachExchange] Four Ways to Mitigate Cyber Risks for ERP Applications

[Destry Winant]

https://www.securityweek.com/four-ways-mitigate-cyber-risks-erp-applications

A confluence of factors is putting hundreds of thousands of
implementations of Enterprise Resource Planning (ERP) applications at
risk of cyber attacks. These factors include the following:

● Cyber attackers can focus their efforts. The vast majority of large
organizations have implemented ERP applications from one of two market
leaders – SAP and Oracle. This means that attackers can concentrate on
understanding and finding weaknesses within just one or both
applications.

● The rewards are big. The largest organizations in the world support
their most critical business processes and house their most sensitive
information in these systems.

● They can leverage known vulnerabilities. ERP customers struggle to
stay up to date with security vulnerabilities, secure configurations
and security patches for a variety of reasons, including: complex
system architecture, a high number of interfaces and integrations,
customized functionality and little tolerance for system downtime. As
a result, many organizations are implementing and running insecure ERP
applications.

● The attack surface is expanding. Due to cloud, mobile and digital
transformation projects, thousands of these applications are directly
connected to the Internet and can increase an organization’s exposure
to risk when security measures aren’t implemented correctly.

● Information is being leaked. Third parties and employees are
exposing internal ERP applications unintentionally by using insecure
file repositories over the Internet and sharing ERP login credentials
in public forums.

The bottom line is that the risk/reward ratio is attractive. As a
result, nation-state actors, cybercriminals and hacktivist groups are
attacking these applications for the purposes of cyber espionage,
sabotage, business disruption, data theft and even cryptocurrency
mining. Evidence is rampant on the dark web, criminal forums, paste
sites and social media where bad guys are sharing information and
tools and bragging about successful breaches.

Clearly, ERP applications are not safe from attacks.
“Behind-the-firewall” ERP implementations are being targeted. ERP
applications in cloud environments, and on-premise as well, are
directly accessible online. Even the traditional controls for ERP
application security, such as user identity management and segregation
of duties, are ineffective as attackers continue to evolve their
tactics, techniques and procedures (TTPs), for example to include
distributed Denial of Service (DDoS) attacks or banking trojans in
combination with botnets.

Fortunately, as a security professional, there is a lot you can do to
mitigate existing risks, particularly when you work with ERP
administration to understand the technical complexities of these
solutions, how they are deployed, and the processes they support. The
following four recommendations can help to improve the cyber security
posture of your organization’s ERP applications, whether deployed on
premise or in public, private and hybrid cloud environments:

1. Identify and mitigate ERP application-layer vulnerabilities,
insecure configurations and excessive user privileges. This includes
aligning with your vendor’s security patching cadence (monthly for SAP
and quarterly for Oracle), strengthening weak/default passwords, and
reviewing user privileges for administrators and developers as well as
those used for batch jobs and interfaces with other applications.
Importantly, when deciding on which vulnerabilities to patch, you
should look for the vulnerabilities that are being actively exploited
by attackers, and those that have public exploits available.

2. Identify and remove dangerous interfaces and APIs between the
different ERP applications in the organization, especially those with
third parties and Internet-facing. This includes connections from/to
development, quality assurance, and pre-production systems as they can
be abused as pivot points; the use of encryption, service account
privileges, and trusted relationships when configuring interfaces and
APIs; and assessing whether sensitive applications are being exposed
without a legitimate business reason.

3. Monitor and respond to sensitive ERP user activity and ERP-specific
indicators of compromise. This includes suspicious user behavior,
including both privileged and non-privileged users, for both technical
and business user types; and implementing a repeatable process to
incorporate ERP applications into existing incident monitoring and
response processes and capabilities.

4. Monitor for leaked ERP data and user credentials. This includes
monitoring threat intelligence sources to detect: compromised ERP
credentials, ERP-related information that could have been
inadvertently or maliciously exposed to the Internet, and evidence of
exploits and vulnerabilities related to ERP applications that might be
applicable to the organization’s environment.

Each of these recommendations must be applied across the entire ERP
application platform – both business and technical components – and be
executed on an ongoing basis as an organization’s environment and the
threat landscape continue to evolve.

It’s clear that ERP applications are a target for cyber attackers.
Fortunately, many of these controls and actions are adaptations of
well-known information security best practices and programs. As
security teams and ERP administration start collaborating to evolve
current processes and implement these recommendations, they can shift
the risk/reward ratio and make ERP applications less attractive
targets.