In most cases, enterprise networks are infected as a result of human error. Employees click on spoofed links, accidentally reveal their passwords to third parties, or open a file that contains unexpected malware. In attack vectors involving the SAP GUI, employees are often not to blame, because an incorrectly configured SAP system is enough to enable damage to the IT landscape.
Berliner Wasserbetriebe, Berlin’s water supply and wastewater disposal company, is a public institution and is therefore subject to special legal requirements. High security standards apply to both business processes and its IT operations. As a consequence, setting up transparent SAP authorization management company-wide to meet all of these requirements was one of the water company’s most critical tasks.
The Internet of Things (IoT) is both a blessing and a curse: While it offers tremendous potential benefits, it also fosters uncertainty when it comes to protecting these complex connections against unauthorized access. After all, as more things get connected to the Internet, the risk of hacker attacks also increases.
(A guide of the less serious sort.)
Let’s be honest right off the bat: There’s a lot of hype in the media about IT security in general and SAP security in special these days. But is there really anything behind it? Those headlines about millions of data records going missing always affect someone else – whether it’s Equifax across the pond or the big tech companies that have been infiltrated by organized groups of Chinese hackers. It’s all alarmist nonsense!
(Partner blog post of SERPENTEQ GmbH)
On April 19, 2019, at the OPCDE Cyber Security conference in Dubai, security researchers Dmitry Chastuhin and Mathieu Geli gave a presentation called “SAP gateway to Heaven”. They re-visited two configuration issues (related to SAP Gateway and SAP Message Server) that have been known for many years and for which detailed security guidelines have been available for years. Now the researchers applied some admirably creative thinking to combine them.
Since May 2, 2019, the market for SAP security has known only one topic: the 10KBLAZE exploit toolkit, which has even prompted a warning from the U.S. Department of Homeland Security. Upon closer examination, however, it quickly becomes apparent that there’s not much news to report.
Companies that operate SAP systems are subject to an annual audit by an auditor. Often, SAP authorizations are also examined. The audits check for separation of duties (SoD) and critical authorizations, in particular where SAP Basis Administration is concerned. Read this blog to learn how you can quickly reduce critical SAP authorizations (auditor findings).
After many years working in the field of SAP security, I am still regularly surprised to discover how much Hollywood has contributed to the discussion on cybersecurity. The common perception is that of a hacker sitting at home in front of several screens and using cryptic commands to hack into corporate networks. The recently published “Insider Threat 2018 Report” however, shows that insider attacks represent a much more serious threat. As far as the security of SAP systems is concerned, insider attacks are by far the greater problem. Why that is the case and what the main risks are is the subject of this post. Continue reading
Last year, WannaCry brought some companies to the edge of absolute ruin. While the most common entry vectors are known, companies are still making it much too easy for hackers.
Officially, emails were to blame for the largest-scale cyberattack in recent years. If users clicked on the mail attachment, WannaCry implanted malware into the computers, propagated itself, and encrypted accessible data in the blink of an eye. In an alternative scenario, hackers had infiltrated the manufacturer of a subsystem and built the malware code into a software patch.
While unfamiliar emails can simply be deleted, the deployment of such a patch can undermine the in-house security system with breathtaking speed.
Linde prioritized transparent and, in particular, timely success to guarantee a completely ensuring the security of their global SAP landscape.
At Linde, the sheer complexity of the SAP Systems meant that a Project of this scale would not be possible with internal resources and security knowhow alone.