Page 138 - Cyber Defense eMagazine December 2022 Edition

2.  Reduce the Attack Vectors

Any connection point, such as the previously mentioned SAP Internet Communication Framework (ICF) services, that is not used or needed shall be deactivated. Also ensure that all touchpoints with untrusted networks or the public internet are sufficiently hardened.

3.  Software Components

Software components that do not serve a distinct purpose shall be uninstalled or at least deactivated. Most SAP customers still run at least one SAP NetWeaver system in which client 066 exists; it is no longer needed but, until recently, was shipped with the standard installation.

4.  Surveillance of Change

Whenever a new service is enabled or introduced, there are security considerations to make. An SAP security firm can help customers monitor any change to the attack surface. Those changes are immediately reflected in the overall SAP security posture.

5.  Threat detection

The recent Log4j incident, as well as the somewhat older RECON vulnerability disclosure, has impressively proven that vulnerabilities can exist for a long period of time without being noticed. Detecting malicious actions and monitoring actions that affect SAP system security are key elements of protection against severe damage.

6.  Layered security

Introduce additional security layers. Besides precise hardening, patching, and monitoring, it is beneficial to consider adding intrusion prevention systems and network segmentation based on your individual risk situation.

How to reduce the SAP attack surface?

This is not an easy task, and it becomes especially difficult for SAP organizations that expand their digital footprint and embrace new technologies. Reducing the attack surface means:

•  Deactivation of unused services of the SAP Internet Communication Framework (ICF) and Internet Communication Manager (ICM)
•  Deinstallation of unused software components
•  Deletion of unused or obsolete RFC destinations and service endpoints; those in use need to be sufficiently hardened
•  Elimination of trust relationships (SMT1) that are not needed
•  Deletion of SAP clients that are not used
•  Governance and tracking of SSL certificate handling in SAP (STRUST)
•  And many more…
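As an added example (not code from the article or from any SAP security vendor), here is how the change surveillance of point 4 and the reduction list above can be put into practice: a baseline inventory of the exposure points named on this page (active ICF services, RFC destinations, SMT1 trust relationships, clients) is compared with a fresh snapshot, and every addition, removal or known-unneeded leftover such as client 066 is reported. All snapshots, service paths and destination names are constructed sample data.

```python
"""Surveillance of change for the SAP attack surface (added example).

Compares a baseline inventory of exposure points (active ICF services,
RFC destinations, trusted systems from SMT1, clients) with a fresh
snapshot and reports what was added or removed, plus items the article
calls unneeded (client 066). Snapshots are constructed sample data.
"""
from typing import Dict, List, Set

Inventory = Dict[str, Set[str]]

# Items that should be gone even if nothing changed between snapshots.
KNOWN_UNNEEDED: Inventory = {"clients": {"066"}}

# Constructed sample snapshots, not exported from a real system.
BASELINE: Inventory = {
    "icf_services": {"/sap/bc/gui/sap/its/webgui", "/sap/public/info"},
    "rfc_destinations": {"PRD_TO_BW"},
    "trusted_systems": set(),
    "clients": {"000", "001", "066", "100"},
}
CURRENT: Inventory = {
    "icf_services": {"/sap/bc/gui/sap/its/webgui", "/sap/public/info", "/sap/bc/soap/rfc"},
    "rfc_destinations": {"PRD_TO_BW", "PRD_TO_DEV"},
    "trusted_systems": {"DEV"},
    "clients": {"000", "001", "066", "100"},
}

def diff_surface(baseline: Inventory, current: Inventory) -> Dict[str, Dict[str, Set[str]]]:
    """Per category, the items that appeared ('added') or vanished ('removed')."""
    report: Dict[str, Dict[str, Set[str]]] = {}
    for category in sorted(set(baseline) | set(current)):
        old, new = baseline.get(category, set()), current.get(category, set())
        report[category] = {"added": new - old, "removed": old - new}
    return report

def findings(baseline: Inventory, current: Inventory) -> List[str]:
    """Readable findings: every change to the surface, then unneeded leftovers."""
    out: List[str] = []
    for category, change in diff_surface(baseline, current).items():
        out += [f"{category}: new exposure {i}" for i in sorted(change["added"])]
        out += [f"{category}: removed {i}" for i in sorted(change["removed"])]
    for category, items in KNOWN_UNNEEDED.items():
        for item in sorted(items & current.get(category, set())):
            out.append(f"{category}: unneeded item {item} still present")
    return out

if __name__ == "__main__":
    print("\n".join(findings(BASELINE, CURRENT)))
```

Each "new exposure" line is a change that should trigger a review before the service or trust relationship stays enabled; a "removed" line confirms a reduction step took effect.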

It may be a fine line between accepting the risk and fulfilling the business department’s wish for a new service. This is especially true if the new service only adds additional comfort but comes with a very

            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.