Novis Euforia
Ethical Hacking in SAP environments

03/11/2021

There are many reasons why SAP deserves special treatment in terms of security. Some of them are:

  • An extensive network of expert consultants. SAP has always relied on a wide ecosystem of partners specialized in the different functional modules and technical areas. This approach allowed SAP to become the undisputed ERP leader worldwide, but it comes at a price in security: the inner architecture of SAP is well known, and a lot of detailed information is publicly available. A good SAP consultant can easily become a dangerous black hat.
  • Many users at different levels. When an SAP ERP is implemented in a company, many users are normally entitled to access it at different levels: from financial managers to blue-collar operators, from IT engineers to trainees, a significant percentage of employees or external workers can be SAP users, which increases the risk of internal hacking. This fact is even more dangerous combined with the next one:
  • A complex authorization structure, not always correctly implemented. Normally, an initial SAP implementation includes a proper design of roles and profiles, which determines the access control to different functionalities and organizational scopes. But over the years the organization changes and the ERP evolves, so it is not rare that, after some years, the authorization structure contains security holes. A disloyal employee with good SAP skills can discover those holes and use them, and an external attacker can take advantage of them to escalate privileges during an attack.
  • Difficulty of updating. It is not technically easy to keep an SAP ERP updated with security patches, so many implementations leave vulnerabilities unpatched for long periods after they are disclosed.

On top of everything, hacking an SAP system can be very attractive to a black hat because of the nature of the information stored in it: financial data, confidential information about clients, vendors and employees, production procedures…

Therefore, it is clear that we must be especially careful to protect our SAP environment, and Ethical Hacking is one of the most powerful tools to do so. But, as we stated, SAP deserves special treatment, so a penetration test on an SAP system also has some specific characteristics:

  • As with any other SAP project, the Ethical Hacking must be performed by certified ethical hackers who are also SAP Partners. SAP provides its partners with access to patches and security notes, as well as extensive material to build sandboxes and test vulnerabilities.
  • An internal penetration test is very important, given the risk of internal attackers as well as the vulnerability to social engineering.
  • A deep review of the authorization roles and profiles is a must. A weak definition of roles makes privilege escalation very easy, which, combined with the risk of internal hacking, is a dangerous combination.
  • SAP systems are complex, and the system administrators are not always aware of all the functionalities that are running. Therefore, white-box pentesting should be treated as grey-box, challenging the information provided by the administrators.
  • In addition to the usual pentest tools, some ad-hoc scripts are required, focused on SAP-specific vulnerabilities. E.g. in the following picture, a script from Santa Marta AB has been run on a test SAP system to find accessible users and detect their permissions. In the example, the script has found two powerful standard users still keeping their default passwords. Both users can also create new users, which is useful for maintaining access and covering tracks.
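The finding in the last point (standard users with default passwords that can also create users) is exactly what a defender should check for before a pentester does. The following audit check is an added example, not code from Novis Euforia or Santa Marta AB: it runs over a constructed user export in the spirit of report RSUSR003 (user;client;password_status;lock_status) and a constructed list of S_USER_GRP authorizations (user;ACTVT, where 01 means "create user"); both line formats are assumptions, not a real SAP export layout, and no default password values are needed because the check only consumes the status flag.

```python
"""Audit standard SAP users for default passwords plus user-creation rights."""
from dataclasses import dataclass

# Standard users documented in the SAP NetWeaver Security Guide
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}

# Constructed sample data (not taken from any real system); format is assumed
USER_EXPORT = """\
SAP*;000;DEFAULT;UNLOCKED
DDIC;000;DEFAULT;UNLOCKED
EARLYWATCH;066;DEFAULT;LOCKED
SAPCPIC;100;CHANGED;UNLOCKED
JSMITH;100;CHANGED;UNLOCKED
"""
# user;ACTVT for authorization object S_USER_GRP (01 = create users)
AUTH_EXPORT = """\
SAP*;*
DDIC;01
JSMITH;03
"""


@dataclass(frozen=True)
class Finding:
    user: str
    client: str
    severity: str
    reason: str


def can_create_users(user: str, auth_export: str) -> bool:
    """True if the user holds S_USER_GRP with ACTVT 01 or a wildcard value."""
    for line in auth_export.splitlines():
        u, actvt = line.split(";")
        if u == user and actvt in ("01", "*"):
            return True
    return False


def audit_standard_users(user_export: str, auth_export: str) -> list[Finding]:
    """Rate each standard user still on its default password, worst case first."""
    findings = []
    for line in user_export.splitlines():
        user, client, pw_status, lock = line.split(";")
        if user not in STANDARD_USERS or pw_status != "DEFAULT":
            continue  # custom users and changed passwords are out of scope here
        if lock == "LOCKED":
            findings.append(Finding(user, client, "MEDIUM", "default password, but user locked"))
        elif can_create_users(user, auth_export):
            findings.append(Finding(user, client, "CRITICAL", "default password and S_USER_GRP create"))
        else:
            findings.append(Finding(user, client, "HIGH", "default password, unlocked"))
    order = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1}
    return sorted(findings, key=lambda f: order[f.severity], reverse=True)
```

Locked users are still reported because an administrator can unlock them, and a locked standard user with a default password is an open question for the authorization review rather than a closed one.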

At Novis Euforia we can help you to detect your SAP Environment Vulnerabilities together with your Flight to S4.
