Page 137 - Cyber Defense eMagazine December 2022 Edition
Why is the SAP attack surface so important?
Organizations must constantly monitor their attack surface to identify and block potential threats as
quickly as possible. They also must try to minimize the attack surface area to reduce the risk of
cyberattacks succeeding. In the context of SAP, the Internet Communication Manager (ICM) or Internet
Communication Framework (ICF), available via SAP transaction SICF, and the remote function call
connection setup are prone to overexposing services to the outside.
SAP customers with SAP security in mind need to continuously assess and inventory the exposed
services (SOAP, web services, APIs). Any service that is not used or does not serve a specific SAP
business scenario should be deactivated to reduce the attack surface and thus also to minimize the risk
of exploitation.
Furthermore, a close watch needs to be kept on services that do not require authentication. In SAP,
they exist in the /sap/public/ namespace, which can be found in transaction SICF. Services like
/sap/public/info are the number one touchpoint for threat actors to gather information in the exploration
phase of an attack.
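The review described above can be run against a service inventory. The following is an added example, not code from the article or from SAP: it flags active services that sit in /sap/public/ or have no business scenario recorded. The CSV layout, the column names and every sample row are constructed assumptions; only /sap/public/info is taken from the text.

```python
import csv
import io

# Constructed sample inventory. The column layout is an assumption made for
# this example, not an SAP export format. "business_scenario" is left empty
# when nobody has claimed the service for a business purpose.
SAMPLE_INVENTORY = """path,active,business_scenario
/sap/public/info,yes,
/sap/public/ping,yes,load balancer health check
/sap/public/bc/ur,no,
/sap/bc/soap/rfc,yes,
/sap/bc/srt/rfc/sap/z_orders,yes,order interface to web shop
/sap/opu/odata/sap/z_leave_srv,no,retired leave request app
"""

PUBLIC_PREFIX = "/sap/public/"  # namespace of services without authentication


def audit_services(csv_text):
    """Return (path, severity, reason) findings for active services only."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["path"].strip().lower()
        if row["active"].strip().lower() != "yes":
            continue  # deactivated services are not part of the attack surface
        has_owner = bool(row["business_scenario"].strip())
        is_public = path.startswith(PUBLIC_PREFIX)
        if is_public and not has_owner:
            findings.append((path, "high", "unauthenticated and unused: deactivate"))
        elif is_public:
            findings.append((path, "review", "unauthenticated: confirm still required"))
        elif not has_owner:
            findings.append((path, "medium", "no business scenario: deactivate"))
    # Highest severity first so the list can be worked top-down.
    order = {"high": 0, "medium": 1, "review": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


if __name__ == "__main__":
    for path, severity, reason in audit_services(SAMPLE_INVENTORY):
        print(f"{severity:7} {path:35} {reason}")
```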
Effective countermeasures against SAP zero-day exploitation?
As a reminder, a zero-day is a vulnerability that is not yet widely known and for which no patch exists.
Hence, patching is not an option. This does not mean that regular and timely patching is not one of the
most effective exercises to protect against exploitation - on the contrary. Every second Tuesday of the
month, SAP customers expect to see another SAP Security Patch Day – a day when SAP publishes the new
security patches. This event starts the race between attackers and defenders, who can only win by
installing the patch before the exploitation.
SAP sponsors bug bounty programs to support bug hunters and security researchers. There are various
individual researchers, but also entire research labs, that analyze standard software for vulnerabilities;
however, even with a combined effort, zero-days can’t be eliminated.
Patch Management solutions can inform you once a new patch has been published that is relevant for
your specific system installation to reduce effort and lead time before patching. Additionally, SAP security
firm product teams can instantly issue signature updates that allow customers to monitor for potential
exploits of yet unpatched vulnerabilities.
However, as no patch is available for a zero-day, there are a few other things that you need to consider:
1. Inventory of Attack Vectors
Knowing your attack surface overall is important and serves as the foundation for further
countermeasures. It also helps organizations to understand their individual risk situations.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.