
Thursday, June 20, 2013

Many companies are negligent about SAP security, researchers say - Network World


IDG News Service - SAP has significantly improved the security of its products over the past few years but many of its customers are negligent
with their deployments, which exposes them to potential attacks that could cripple their businesses, according to security

The biggest issue is that companies expose insecure SAP services to the Internet -- not only HTTP services, but also critical
administrative interfaces, Alexander Polyakov, chief technology officer at ERPScan, a developer of security monitoring products
for SAP systems, said Tuesday.

Between 5 percent and 10 percent of companies that use SAP products expose critical services to the Internet that shouldn't
be publicly accessible, Polyakov said. This happens because they want to enable remote management or because of improper configurations,
he said.

Most of the services have vulnerabilities that can be easily attacked, Polyakov said.

Publicly available exploits exist for many SAP vulnerabilities, including some that are part of Metasploit, a popular security
testing tool.

The percentage of companies with exposed SAP services differs from country to country. The situation is better in North America
and Europe and worse in the Asia-Pacific region, Africa and Latin America, Polyakov said. However, even 5 percent translates
to a very large number of companies, he said.

Juan Perez-Etchegoyen, the chief technology officer at Onapsis, a Cambridge, Massachusetts-based company that develops security
products for ERP systems, believes that the number of companies running vulnerable SAP systems is actually higher than what
Polyakov estimates and that it's growing.

"What makes this worse is the fact that many systems are exposed to vulnerabilities with public exploits that have been known
for five or even ten years. The risk for these organizations is huge," he said Wednesday via email.

Another problem is the high number of publicly accessible Web servers that run outdated SAP applications. Using Google search,
ERPScan researchers identified 695 unique servers with different SAP Web applications, and an additional 3,741 servers were
found using the SHODAN search engine.

SAP NetWeaver J2EE and SAP NetWeaver ABAP were the most common SAP applications found on the servers. However, the most common
versions of these two applications were SAP NetWeaver ABAP version 7.0 EHP 0 and SAP NetWeaver J2EE version 7.00, both of
which were released in 2005.
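The discovery and versioning points above (exposed administrative interfaces, old NetWeaver ABAP 7.0 / J2EE 7.00 releases turning up in Google and SHODAN results) can be turned into a triage script for your own external inventory. The following is an added example, not code from the article, ERPScan or Onapsis. It assumes the default port layout of an SAP instance numbered 00 (3200 dispatcher, 3300 gateway, 50013/50014 Management Console, 8000 ICM HTTP, 50000 J2EE HTTP; adjust the instance number for your landscape) and the Server-header banner formats commonly seen on the two stacks; the observation list is constructed sample data.

```python
"""Triage externally reachable SAP endpoints for the two problems the article
describes: exposed administrative interfaces and 2005-era releases.

Added example, not from the article or from ERPScan/Onapsis. Port numbers are
the defaults for instance number 00 (assumption: adjust to your instance); the
Server-header formats are those commonly seen on NetWeaver ABAP and J2EE
systems (assumption). All input data below is constructed.
"""
import re
from dataclasses import dataclass

# Default ports for SAP instance number 00 (assumption: change 00 for other instances).
ADMIN_PORTS = {
    3200: "ABAP dispatcher (DIAG / SAP GUI)",
    3300: "RFC gateway",
    50013: "SAP Management Console (sapstartsrv, HTTP)",
    50014: "SAP Management Console (sapstartsrv, HTTPS)",
}
WEB_PORTS = {
    8000: "ICM HTTP (ABAP web applications)",
    50000: "J2EE HTTP",
}

# Banner formats commonly seen on the two stacks (assumption), e.g.
#   "SAP NetWeaver Application Server / ABAP 700"  -> ABAP release 7.00
#   "SAP J2EE Engine/7.00"                         -> J2EE release 7.00
ABAP_RE = re.compile(r"SAP NetWeaver Application Server\s*/\s*ABAP\s+(\d{3})")
J2EE_RE = re.compile(r"SAP J2EE Engine/(\d+)\.(\d+)")

# Releases the article singles out as 2005-era and most common in the wild.
OLD_RELEASES = {"7.00"}


@dataclass
class Finding:
    host: str
    port: int
    issue: str


def parse_release(server_header):
    """Return (stack, release) such as ("ABAP", "7.00"), or None if not SAP."""
    header = server_header or ""
    m = ABAP_RE.search(header)
    if m:
        rel = m.group(1)                      # "700" -> "7.00", "731" -> "7.31"
        return ("ABAP", f"{rel[0]}.{rel[1:]}")
    m = J2EE_RE.search(header)
    if m:
        return ("J2EE", f"{m.group(1)}.{m.group(2)}")
    return None


def triage(observations, old_releases=OLD_RELEASES):
    """observations: iterable of (host, port, server_header_or_None).

    Flags any administrative port reachable from the outside, and any web
    endpoint whose banner reveals a release in old_releases.
    """
    findings = []
    for host, port, header in observations:
        if port in ADMIN_PORTS:
            findings.append(Finding(host, port,
                                    f"administrative interface exposed: {ADMIN_PORTS[port]}"))
        parsed = parse_release(header)
        if parsed:
            stack, rel = parsed
            if rel in old_releases:
                findings.append(Finding(host, port,
                                        f"{stack} {rel} (2005-era release) reachable from the Internet"))
    return findings


# Constructed sample: what an external scan plus banner grab might return.
SAMPLE = [
    ("203.0.113.10", 50013, None),                                            # MMC exposed
    ("203.0.113.10", 8000, "SAP NetWeaver Application Server / ABAP 700"),    # old ABAP
    ("203.0.113.11", 50000, "SAP J2EE Engine/7.00"),                          # old J2EE
    ("203.0.113.12", 8000, "SAP NetWeaver Application Server / ABAP 740"),    # newer, not flagged
    ("203.0.113.13", 443, "Apache"),                                          # not SAP
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.host}:{f.port}  {f.issue}")
```

Feed it the output of your own port scan and banner grab; the same Server-header check is what makes the SHODAN-style counting in the article possible, and a release parsed as old is only a prompt to verify patch level, since the article itself notes that a fully patched 7.00 system is not necessarily vulnerable.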

Deployments of older versions of these products are not necessarily vulnerable if their administrators applied all patches
and followed all security advice issued by SAP over the years.

However, an older deployment is more likely to be vulnerable than a new one, because newer versions of these
products are more secure in their default configurations, Polyakov said.

"The real problem is not that the systems were released in 2005, because SAP still has those under maintenance and releases
security patches for vulnerabilities affecting them," Perez-Etchegoyen said. "The real threat is that some companies are not
able to apply them promptly, exposing themselves to cyberattacks."
