Page 138 - Cyber Defense eMagazine December 2022 Edition
2. Reduce the Attack Vectors
Any connection point that is not used or needed, such as the previously mentioned SAP Internet Communication Framework (ICF) services, should be deactivated. In addition, make sure that every touchpoint with untrusted networks or the public internet is sufficiently hardened.
3. Software Components
Software components that do not serve a distinct purpose should be uninstalled or at least deactivated. Most SAP customers still run at least one SAP NetWeaver system in which client 066 exists. This client, formerly used for the EarlyWatch service, is no longer needed, but until recently it was shipped with the standard installation.
4. Surveillance of Change
Whenever a new service is enabled or introduced, there are security considerations to make. An SAP security firm can help customers monitor every change to the attack surface, so that each change is immediately reflected in the overall SAP security posture.
5. Threat detection
The recent Log4j incident, but also the somewhat older RECON vulnerability (CVE-2020-6287 in SAP NetWeaver AS Java), have impressively demonstrated that vulnerabilities can exist for a long time without being noticed. Detecting malicious activity and monitoring actions that affect the security of the SAP system are key elements in protecting against severe damage.
6. Layered security
Introduce additional security layers. Besides precise hardening, patching, and monitoring, it is beneficial to consider adding intrusion prevention systems and network segmentation, based on your individual risk situation.
How to reduce the SAP attack surface?
This is not an easy task, and it becomes especially difficult for SAP organizations that expand their digital footprint and embrace new technologies. Reducing the attack surface means:
• Deactivation of unused services of the SAP Internet Communication Framework (ICF, transaction SICF) and Internet Communication Manager (ICM)
• Uninstallation of unused software components
• Deletion of unused or obsolete RFC destinations (transaction SM59) and service endpoints; those still in use need to be sufficiently hardened
• Elimination of trusted-system relationships (transaction SMT1) that are not needed
• Deletion of SAP clients that are not used
• Governance and tracking of SSL/TLS certificate handling in SAP (transaction STRUST)
• And many more…
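The following Python script is an added example; it is not part of the article and not an SAP tool. It shows how the "Surveillance of Change" idea from section 4 and the reduction checklist above can be automated: it compares a baseline inventory of the attack surface with a newer one, reports what was added, and flags the items the checklist says should not be there (active ICF services outside an allowlist, RFC destinations with stored credentials or long idle, trusted systems without a justification, the obsolete client 066). The snapshot layout, the allowlists, the "last_used_days" field and all inventory values are assumptions constructed for this example; in practice the inventories would be exported from the system (ICF service activation from SICF, RFC destinations from SM59, trusted systems from SMT1, clients from SCC4).

```python
from dataclasses import dataclass

# Constructed sample inventories standing in for system exports: active ICF
# services (SICF / table ICFSERVLOC), RFC destinations (SM59 / RFCDES),
# trusted systems (SMT1 / RFCSYSACL) and clients (SCC4 / T000). The values,
# the "last_used_days" field and the snapshot layout are assumptions made
# for this example; they are not real system data.
BASELINE = {
    "icf_active": {"/sap/bc/gui/sap/its/webgui", "/sap/public/ping"},
    "rfc_destinations": {
        "PRD_TO_BW": {"stored_credentials": False, "last_used_days": 3},
    },
    "trusted_systems": {"BWP"},
    "clients": {"000", "001", "100"},
}

LATEST = {
    "icf_active": {
        "/sap/bc/gui/sap/its/webgui",
        "/sap/public/ping",
        "/sap/bc/soap/rfc",                  # newly activated, not approved
        "/sap/bc/webdynpro/sap/custom_app",  # newly activated, approved
    },
    "rfc_destinations": {
        "PRD_TO_BW": {"stored_credentials": False, "last_used_days": 3},
        "LEGACY_UPLOAD": {"stored_credentials": True, "last_used_days": 400},
    },
    "trusted_systems": {"BWP", "DEVSYS"},
    "clients": {"000", "001", "066", "100"},
}

# Governance inputs: what the organisation has explicitly approved (assumed).
ALLOWED_ICF = {
    "/sap/bc/gui/sap/its/webgui",
    "/sap/public/ping",
    "/sap/bc/webdynpro/sap/custom_app",
}
REQUIRED_TRUST = {"BWP"}     # trusted systems with a business justification
OBSOLETE_CLIENTS = {"066"}   # former EarlyWatch client, no longer needed
UNUSED_AFTER_DAYS = 180      # idle RFC destination beyond this: delete candidate


@dataclass(frozen=True)
class Finding:
    category: str
    item: str
    detail: str


def diff_snapshots(before, after):
    """Items present in `after` but not in `before`: the surface that was added."""
    return {
        "icf_active": sorted(after["icf_active"] - before["icf_active"]),
        "rfc_destinations": sorted(
            set(after["rfc_destinations"]) - set(before["rfc_destinations"])
        ),
        "trusted_systems": sorted(after["trusted_systems"] - before["trusted_systems"]),
        "clients": sorted(after["clients"] - before["clients"]),
    }


def audit_snapshot(snap, allowed_icf=ALLOWED_ICF, required_trust=REQUIRED_TRUST):
    """Apply the reduction checklist to one snapshot and return the violations."""
    findings = []
    for path in sorted(snap["icf_active"] - allowed_icf):
        findings.append(Finding("icf", path, "active ICF service not on the allowlist"))
    for name, dest in sorted(snap["rfc_destinations"].items()):
        if dest["stored_credentials"]:
            findings.append(Finding("rfc", name, "destination stores logon credentials"))
        if dest["last_used_days"] > UNUSED_AFTER_DAYS:
            findings.append(Finding("rfc", name, f"not used for {dest['last_used_days']} days"))
    for sid in sorted(snap["trusted_systems"] - required_trust):
        findings.append(Finding("trust", sid, "trusted system without a recorded justification"))
    for client in sorted(snap["clients"] & OBSOLETE_CLIENTS):
        findings.append(Finding("client", client, "obsolete client still present"))
    return findings


def report(before, after):
    """Combine the drift since the baseline with the checklist findings."""
    lines = []
    for category, items in diff_snapshots(before, after).items():
        for item in items:
            lines.append(f"NEW     {category}: {item}")
    for f in audit_snapshot(after):
        lines.append(f"FINDING {f.category}: {f.item} ({f.detail})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE, LATEST)))
```

Run against the constructed snapshots, the baseline produces no findings, while the newer snapshot reports five additions (two ICF services, one RFC destination, one trusted system, one client) and five checklist violations. The useful design point is the separation between drift (what changed, which a change process should have approved) and violations (what the checklist forbids regardless of when it appeared): an approved addition such as the Web Dynpro application shows up as drift but not as a finding.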
It may be a fine line between accepting the risk and fulfilling the business department's wish for a new service. This is especially true if the new service only adds additional convenience but comes with a very
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.