Security patch management may seem like one of those mundane tasks that gets scheduled “when time and resources permit,” but I would argue that it’s a critical function if you want to protect against the increased threat from cyber-criminals targeting ERP applications.
According to the U.S. Department of Homeland Security, there has been a significant rise in bad actors targeting ERP applications over the past several years, posing a huge risk for your business. In 2020 the threat has actually gotten worse, with the identification of a vulnerability named RECON (Remotely Exploitable Code On NetWeaver) by the Onapsis Research Labs. An attacker leveraging this vulnerability gains unrestricted access to critical business information and can read sensitive data, delete files, execute code, carry out sabotage, and more. You can read more about the RECON bug in this article on the Threatpost website by Tara Seals entitled Critical SAP Bug Allows Full Enterprise System Takeover.
In addition, Digital Shadows and Onapsis partnered to produce a report aimed at providing insights into how the threat landscape has been evolving over time for ERP applications, with a specific focus on two of the most widely adopted solutions, SAP and Oracle. Their report — ERP Applications Under Fire, How Cyberattackers Target the Crown Jewels — is truly eye-opening.
According to the report, bad actors have been “upping their game” and can mount attacks that can get behind company firewalls to go deeper into business networks and gain access to internal, previously inaccessible ERP systems. So if you’ve been thinking your ERP is safe behind the firewall, think again.
These warnings highlight the importance of patch management for ERP systems to ensure that at least the identified vulnerabilities are remediated. Additional procedures for strong passwords, proactive penetration monitoring, and a repeatable process will help reduce, but not eliminate, the security exposure of your business’s ERP data.
Security Patch Management is Critical
SAP recommends that all customers implement SAP security patches as soon as they are available (typically on the second Tuesday of every month) to protect the SAP infrastructure from attacks. However, the reality is that most IT departments lack the time and resources to keep up with the sheer volume of software patches that need to be reviewed, tested and implemented, and it’s all too easy to get behind on applying them.
Given how rapidly cyber-security threats can evolve, you can’t afford not to stay current on known security issues and to constantly monitor for potential threats and breakage points. In cases where your IT team is unable to keep up with security patch management, you may want to consider hiring a team of ERP security experts and consultants to do the heavy lifting for you.
Security Patch Management as a Service
Running security patch management as a service can be beneficial. At itelligence, this means our trained consultants use SAP Solution Manager as a Managed Service (SMaaMS) to:
- Review recommended Security Notes
- Run a change impact analysis and provide the transactions and programs to be tested
- Gain alignment on the application of Security Notes
- Apply agreed-upon SAP software corrections to your development environment
- Provide advice about non-SAP software corrections
An outsourced service can help increase your system security by keeping your system up to date with SAP security patches and reduce the risk of compromised data through SAP-specific vulnerabilities.
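As an added example (not itelligence’s tooling, SAP Solution Manager functionality, or code from this article), the following Python script shows the bookkeeping behind the review-and-align steps above: it holds a list of recommended Security Notes, compares it against what each system in a landscape has applied, ages the resulting backlog against per-priority remediation windows, and computes the next expected monthly release date (the second Tuesday). The note numbers, component names, system inventory and SLA windows are all constructed placeholders, not real SAP Notes or SAP-published figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SecurityNote:
    note_id: str      # placeholder identifier, not a real SAP Note number
    priority: str     # SAP's priority terms: HotNews, High, Medium, Low
    released: date    # date the note was published
    component: str    # application component the note belongs to (constructed)


# Assumed remediation windows in days from release, per priority.
# These are policy values chosen for this example, not figures from SAP.
SLA_DAYS = {"HotNews": 7, "High": 30, "Medium": 90, "Low": 180}

# Constructed output of the monthly "review recommended Security Notes" step.
RECOMMENDED = [
    SecurityNote("NOTE-0001", "HotNews", date(2020, 7, 14), "LM-SERVER"),
    SecurityNote("NOTE-0002", "High", date(2020, 6, 9), "BC-SEC"),
    SecurityNote("NOTE-0003", "Medium", date(2020, 5, 12), "BC-CST"),
    SecurityNote("NOTE-0004", "Low", date(2020, 7, 14), "BC-FES-GUI"),
]

# Constructed inventory: notes already applied on each system of the landscape.
APPLIED = {
    "DEV": {"NOTE-0001", "NOTE-0002", "NOTE-0003"},
    "QAS": {"NOTE-0002", "NOTE-0003"},
    "PRD": {"NOTE-0003"},
}


def _as_date(d):
    """Accept either a date or an ISO string such as '2020-07-20'."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def second_tuesday(year, month):
    """Date of the second Tuesday of the given month (monthly patch release day)."""
    first = date(year, month, 1)
    offset = (1 - first.weekday()) % 7   # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=offset + 7)


def next_patch_day(today):
    """Next expected release day on or after `today`."""
    today = _as_date(today)
    candidate = second_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return second_tuesday(year, month)


def backlog(system, today, applied=APPLIED, notes=RECOMMENDED, sla=SLA_DAYS):
    """Notes not yet applied on `system`, as (note, age_in_days, overdue) tuples.

    Overdue entries come first, then by priority (HotNews before Low), then oldest first.
    """
    today = _as_date(today)
    missing = []
    for note in notes:
        if note.note_id in applied.get(system, set()):
            continue
        age = (today - note.released).days
        missing.append((note, age, age > sla[note.priority]))
    order = {p: i for i, p in enumerate(sla)}
    missing.sort(key=lambda m: (not m[2], order[m[0].priority], -m[1]))
    return missing


def overdue_count(system, today):
    """Number of notes on `system` that have exceeded their remediation window."""
    return sum(1 for _, _, overdue in backlog(system, today) if overdue)


def report(today, systems=APPLIED):
    """One line per missing note per system, most urgent first within each system."""
    lines = []
    for system in systems:
        for note, age, overdue in backlog(system, today):
            flag = "OVERDUE" if overdue else "pending"
            lines.append(f"{system:4} {note.note_id} {note.priority:8} "
                         f"{note.component:12} age={age:3}d {flag}")
    return lines


if __name__ == "__main__":
    today = date(2020, 7, 20)
    print("next expected release day:", next_patch_day(today))
    print("\n".join(report(today)))
```

In practice the `RECOMMENDED` list would be fed from the monthly note review and `APPLIED` from each system’s installed-note inventory; the sort order of `backlog()` is what drives the "gain alignment" discussion, since it puts the notes that have already blown their window at the top for each system.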