There’s more opportunity in hacking business. Whether for mayhem or financial gain, cybercriminals are switching from attacking unsuspecting individuals to more organized cyber crime that targets businesses large and small. ERP, in particular, is a prime target.
That’s because ERP systems are the nerve center of the businesses that use them, and unauthorized access can reveal medical records, open the door to embezzlement at financial institutions, and sabotage industrial firms. Compromising ERP offers a lot for the unscrupulous.
“Hackers have shifted their focus from individuals to enterprises,” “We can expect an increasing number of targeted attacks, including ones against ERP systems. There are a lot of resources on the Internet providing all the required information on the ERP’s architectures for attackers to customize their techniques.”
ERP is vulnerable, too; in March, for instance, SAP issued a patch for a critical vulnerability in its HANA platform that gave full access to the software without the need for security credentials. The patch was issued with the highest severity rating possible.
Firms should be taking their ERP security very seriously. Here are six of the top ERP security threats right now.
It’s safe to say that no system is immune to the ransomware epidemic. ERP systems are no exception, and experts believe that the volume of ransom attacks against ERP systems is going to rise in the near future.
For instance, researchers have disclosed a proof-of-concept attack against SAP systems where a remote command execution vulnerability in SAP’s standard client application allows the auto loading of any program from the server onto the workstation. Once the attacker breaks into the SAP server, the cybercriminal can download malware to the device that can automatically be installed on every endpoint with SAP graphical user interface when a user runs the application.
A second ERP security challenge is a lack of planning on the part of many businesses. Many firms do not have effective methods in place to detect ERP vulnerabilities and intrusion. Worse, many don’t have an adequate incident response plan in place for when there is a breach or suspicious activity.
Business “often lack a proper incident response that includes the ERP layer, and they do not define proper logging for forensic purposes,”.
Malicious workers or former employees who still have access to the ERP system are another top security threat. Businesses already are concerned about it, even if it is hard to stop; insider threats top the list of security risks that businesses are most concerned about, according to the 2017 Cybersecurity Trends Report by Crowd Research Partners.
“One of the most widespread internal attacks is payroll fraud,”
With access to the HR module, for example, an employee can change his or her wage. Because a direct modification can be easily detected, many of these breaches by employees instead inflate the number of additional working hours, raising total wages stealthily.
One of the biggest security challenged in 2017 is properly defining who handles ERP security, and the consequence is that many preventative measures fall through the cracks.
He says that whenever he visits a new company that is interested in ERP security, “we realize that information security teams are not fully aware of the importance of ERP security in a holistic way.”
This not only includes a lack of awareness about basic security practices, but also more modern best practices such as scanning for security vulnerabilities, continuous monitoring, and proper cloud security.
ERP systems typically are interconnected with many other systems. This is part of the value of ERP. But it also poses a security threat because a vulnerability in any one of the systems opens the door for access to the others. In the connected world of IoT and the cloud, in other words, the threat surface has increased dramatically.
This goes both ways; a vulnerability in a connected app can compromise the ERP system potentially, and a vulnerability in ERP can spread to other systems.
“A flaw in ERP may be the first step in a multi-stage attack resulting in physical damage,” Taking together that both solutions have security issues, it’s a matter of time and skills for hackers to conduct such chain of attacks.”
Enterprises need to take into account all of these interconnections and monitor them closely because there is more room for attack than ever before.
Finally, one of the biggest ERP threats today is unapplied security patches. ERP vendors such as Oracle and SAP regularly roll out security patches, but many businesses have an inadequate process for monitoring these updates and putting them into place.
“IT security teams have their own patch management programs which usually exclude ERP systems,”. “What usually happens, in our experience, is that ERP systems are not often up-to-date.”
And as the SAP HANA vulnerability shows, poor patch management can be costly from a security perspective.
Reading between the lines, therefore, sophisticated attacks are only a small part of the problem when it comes to ERP security. The bigger challenge is organizational. Despite ERP sitting at the root of a business, many of the top ERP security challenges today actually come from action not taken by the firms using these systems.