Page 137 - Cyber Defense eMagazine December 2022 Edition

Why is the SAP attack surface so important?

Organizations must constantly monitor their attack surface to identify and block potential threats as quickly as possible. They must also try to minimize the attack surface area to reduce the risk of cyberattacks succeeding. In the context of SAP, the Internet Communication Manager (ICM) or Internet Communication Framework (ICF), available via SAP transaction SICF, and also the remote function call connection setup, are prone to overexposing services to the outside.

SAP customers with SAP security in mind need to continuously assess and inventory the exposed services (SOAP, web services, APIs). Any service that is not used or does not serve a specific SAP business scenario should be deactivated to reduce the attack surface and thus also to minimize the risk of exploitation.

Furthermore, a close eye needs to be kept on those services that do not require authentication. In SAP, they exist in the /sap/public/ namespace, which can be found in transaction SICF. Services like /sap/public/info are the number one touchpoint for threat actors to gather information in the exploration phase of an attack.




Effective countermeasures against SAP zero-day exploitation?

As a reminder, a zero-day is a vulnerability that is not yet widely known and for which no patch exists. Hence, patching is not an option. This does not mean that regular and timely patching is not one of the most effective exercises to protect against exploitation; on the contrary. On the second Tuesday of every month, SAP customers expect to see another SAP Security Patch Day, a day when SAP publishes the new security patches. This event starts the race between attackers and defenders, who can only win by installing the patch before the exploitation.

SAP sponsors bug bounty programs to support bug hunters and security researchers. There are various individual researchers, but also entire research labs, that analyze standard software for vulnerabilities; however, even with a combined effort, zero-days can't be eliminated.

Patch management solutions can inform you once a new patch has been published that is relevant for your specific system installation, reducing effort and lead time before patching. Additionally, the product teams of SAP security firms can instantly issue signature updates that allow customers to monitor for potential exploits of yet unpatched vulnerabilities.

However, as no patch is available for a zero-day, there are a few other things that you need to consider:



1. Inventory of Attack Vectors

Knowing your attack surface overall is important and serves as the foundation for further countermeasures. It also helps organizations to understand their individual risk situations.
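The inventory described here, and the earlier advice to deactivate unused services and keep watch on the /sap/public/ namespace, can be turned into a repeatable check. The following is an added example, not code from the article or from SAP; the CSV layout, the `z_order_api` service and the business scenarios are constructed assumptions.

```python
import csv
import io

# Constructed sample inventory. The three-column layout is an assumption made
# for this example; it is not an SAP export format.
SAMPLE_INVENTORY = """path,active,business_scenario
/sap/public/info,yes,
/sap/public/ping,yes,load balancer health check
/sap/bc/soap/rfc,yes,
/sap/bc/srt/rfc/sap/z_order_api,yes,order interface to web shop
/sap/bc/echo,no,
/sap/public/bc/ur,yes,UI rendering resources
"""

PUBLIC_PREFIX = "/sap/public/"  # namespace of services without authentication


def is_unauthenticated(path):
    """True if the path is the /sap/public node or anything below it."""
    return (path.rstrip("/") + "/").startswith(PUBLIC_PREFIX)


def review_inventory(csv_text):
    """Split active services into (deactivate, watch) lists of paths.

    deactivate: active, but no business scenario is documented for it.
    watch: active and justified, but reachable without authentication.
    """
    deactivate, watch = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["path"].strip().lower()
        active = row["active"].strip().lower() in {"yes", "true", "1", "x"}
        scenario = (row["business_scenario"] or "").strip()
        if not active:
            continue  # already off the attack surface
        if not scenario:
            deactivate.append(path)
        elif is_unauthenticated(path):
            watch.append(path)
    return deactivate, watch


if __name__ == "__main__":
    deactivate, watch = review_inventory(SAMPLE_INVENTORY)
    print("Deactivate (no business scenario):", *deactivate, sep="\n  ")
    print("Keep monitoring (unauthenticated):", *watch, sep="\n  ")
```
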







            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.