ERP: Protecting the pipeline by focusing on business-critical platforms

In early July, news circulated that a Chinese manufacturer stood accused of tampering with the firmware of hand-held scanners.

The firmware, modified with malware that targeted supply chain resources, harvested data from Enterprise Resource Planning (ERP) platforms -- grabbing everything it could from financial data, to logistical and customer information.

Attacks such as this demonstrate the blind spot that most organizations have when it comes to security. Many of the organizations impacted by this embedded attack, called ZombieZero by the security firm that discovered it (TrapX), had all the latest and greatest when it came to defenses, but those defenses were implemented and designed to flag attacks coming from outside the network, not from a product scanner used in the shipping department.

"The Zombie Zero attack started from hardware purchased and deployed inside the target's infrastructure and didn't attack the operating systems - but instead went straight for the ERP systems," said Mariano Nunez, the founder and CEO of Onapsis, during an interview with CSO.

"The unfortunate reality is that the attackers are ahead of most organizations because few have a mature security practice regarding the monitoring of attacks against their ERP and SAP systems, let alone include these systems in their vulnerability management programs."

Case in point: last November, Microsoft issued a warning about a Trojan, based on the Carberp family of malware, that targeted SAP.

In their notification, Redmond said that they believed it was the first time malware was written to target the platform. This, Nunez says, implies that attackers have identified a rich target inside of organizations: the ERP platform - which hosts all of the company's critical data and processes.

"In this instance, the malware was smuggled into the targets via scanner equipment. But the next time the Trojan horse could be a printer, router, access point or some other piece of equipment that most people consider to be benign," he added.

If protecting ERP and supply chain management (SCM) platforms is so important, why do organizations fail to monitor these systems on the same level that they would endpoints or other systems on the network?

"The truth is because it is not easy," Nunez explained, "there are a number of challenges."

"Even in a lot of mature organizations these ERP systems have grown organically, through individual business units creating their own systems to external systems integrated to the core via acquisitions. Understanding the true scope and inter-connectivity of these systems is a significant project. Secondly, the protocols these systems use are often proprietary, meaning traditional IDS and other technology is unable to understand the communication between these systems and distinguish good traffic from malicious traffic."

Moreover, he added, there's the belief that the only relevant security measure for these systems is the concept of Segregation of Duties (SoD).

Most security planning for ERP and SCM platforms focuses on limiting the operator's access rights to those functions that are essential to their task. The goal is to ensure that no single user can commit acts of fraud or abuse of the system. However, while it's important, SoD only solves one part of the security equation.

It ignores the possibility that an unauthenticated person (attacker) could abuse vulnerabilities and configuration errors, issuing commands and instructions outside of the process controlled by SoD. So considering these types of challenges, it's understandable that organizations struggle with ensuring the complete security of their ERP systems, Nunez said.

When asked about recommendations, Nunez offered five things that organizations should be aware of when it comes to ERP/SCM/SAP systems:

Ask questions about the systems that handle and store core business data:

What are they? Where are they? How are they accessed, and who can access them? Make sure that every system involved in critical business is identified and categorized correctly.

Establish a vulnerability management program for ERP and SAP systems:

This program should have key metrics and report on the level of security and changes in security on a month to month basis.

Attack and vulnerability surface mapping:

The attack or vulnerability surface of the critical ERP and SAP systems should be mapped periodically. The frequency of the mapping should be proportional to how critical the data the system stores or processes is to the business.

Develop real-time situational awareness of the risk level of all core business systems:

Through the use of vulnerability scanners, traffic monitoring and real-time user behavior analysis, the office of the CISO should be able to report on the current security posture of their core business systems and the threats to them.

In order for CFOs to accurately report on risk to the organization, they should be able to articulate the security posture and current state of risk as it applies to the core business systems.

Develop a security baseline and measure systems against the baseline:

Any deviation by a system below the baseline should be investigated and the cause identified. In addition, the security team should be able to identify how the security of the system was reduced, when it happened, and how long the system was in an insecure state before the deviation was detected.
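The baseline recommendation above, together with the earlier call for month-to-month security metrics, is the kind of thing that is easier to see in code than in prose. The following is an added example, not code from the article or from Onapsis: it takes a security baseline expressed as per-control checks, walks a time series of configuration snapshots for one business-critical system, and reports each deviation with the value it replaced, when it was first observed, how long the system stayed below the baseline, an upper bound on how long it was insecure before detection (the gap since the last compliant snapshot), and a per-month count of new deviations. The control names, thresholds, dates and values are all constructed for illustration and are not SAP's or any vendor's real parameters.

```python
"""Baseline-drift detection for a business-critical system (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Any, Callable, Optional

# The security baseline: each control maps to a predicate that a compliant value
# must satisfy, plus a short description for the report. Names are invented.
BASELINE: dict[str, tuple[Callable[[Any], bool], str]] = {
    "min_password_length": (lambda v: v >= 12, "password length >= 12"),
    "failed_logins_before_lock": (lambda v: 0 < v <= 5, "lock after <= 5 failed logins"),
    "gateway_acl_enforced": (lambda v: v is True, "gateway ACL enforced"),
    "default_admin_password_changed": (lambda v: v is True, "vendor default admin password changed"),
    "patch_level": (lambda v: v >= 7, "patch level >= 7"),
}


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime      # when the periodic configuration check ran
    settings: dict[str, Any]


@dataclass(frozen=True)
class Deviation:
    control: str
    expected: str               # human-readable baseline requirement
    previous: Any               # last compliant value seen, or None if never compliant
    observed: Any               # the non-compliant value
    last_compliant_at: Optional[datetime]
    detected_at: datetime       # first snapshot in which the control failed
    ended_at: Optional[datetime]  # first snapshot in which it was compliant again, or None if still open


def evaluate(snapshot: Snapshot) -> dict[str, bool]:
    """Check every baseline control against one snapshot; a missing or wrongly typed setting fails."""
    results: dict[str, bool] = {}
    for control, (check, _desc) in BASELINE.items():
        value = snapshot.settings.get(control)
        try:
            results[control] = value is not None and bool(check(value))
        except TypeError:
            results[control] = False
    return results


def find_deviations(snapshots: list[Snapshot]) -> list[Deviation]:
    """Walk snapshots in time order and open/close a Deviation per control as it drifts and recovers."""
    open_by_control: dict[str, Deviation] = {}
    closed: list[Deviation] = []
    last_ok: dict[str, tuple[datetime, Any]] = {}  # control -> (time, value) of last compliant observation
    for snap in sorted(snapshots, key=lambda s: s.taken_at):
        for control, ok in evaluate(snap).items():
            value = snap.settings.get(control)
            if ok:
                if control in open_by_control:  # system came back above the baseline
                    closed.append(replace(open_by_control.pop(control), ended_at=snap.taken_at))
                last_ok[control] = (snap.taken_at, value)
            elif control not in open_by_control:  # new drop below the baseline
                prev = last_ok.get(control)
                open_by_control[control] = Deviation(
                    control=control, expected=BASELINE[control][1],
                    previous=prev[1] if prev else None, observed=value,
                    last_compliant_at=prev[0] if prev else None,
                    detected_at=snap.taken_at, ended_at=None,
                )
    return sorted(closed + list(open_by_control.values()), key=lambda d: d.detected_at)


def insecure_for(dev: Deviation, as_of: datetime) -> timedelta:
    """How long the system stayed below the baseline (up to `as_of` if the deviation is still open)."""
    return (dev.ended_at or as_of) - dev.detected_at


def detection_bound(dev: Deviation) -> Optional[timedelta]:
    """Upper bound on how long the control was insecure before we saw it: the gap since the last compliant check."""
    return None if dev.last_compliant_at is None else dev.detected_at - dev.last_compliant_at


def monthly_new_deviations(devs: list[Deviation]) -> dict[str, int]:
    """Month-to-month metric: number of new baseline deviations first detected in each month."""
    counts: dict[str, int] = {}
    for d in devs:
        key = d.detected_at.strftime("%Y-%m")
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items()))


# Constructed monthly snapshots of one ERP host: a password policy is weakened in April and
# restored in June, the gateway ACL is switched off in May and back on in July, and the
# patch level regresses in July (still open at the end of the series).
_ok = {"min_password_length": 12, "failed_logins_before_lock": 5, "gateway_acl_enforced": True,
       "default_admin_password_changed": True, "patch_level": 7}
SNAPSHOTS = [
    Snapshot(datetime(2014, 3, 1), dict(_ok)),
    Snapshot(datetime(2014, 4, 1), {**_ok, "min_password_length": 8}),
    Snapshot(datetime(2014, 5, 1), {**_ok, "min_password_length": 8, "gateway_acl_enforced": False}),
    Snapshot(datetime(2014, 6, 1), {**_ok, "gateway_acl_enforced": False}),
    Snapshot(datetime(2014, 7, 1), {**_ok, "patch_level": 6}),
]

if __name__ == "__main__":
    latest = SNAPSHOTS[-1].taken_at
    for d in find_deviations(SNAPSHOTS):
        bound = detection_bound(d)
        print(f"{d.control}: {d.previous!r} -> {d.observed!r} (expected {d.expected}); "
              f"detected {d.detected_at:%Y-%m-%d}, below baseline for {insecure_for(d, latest).days} days"
              f"{' (still open)' if d.ended_at is None else ''}, "
              f"undetected for at most {bound.days if bound else '?'} days")
    print("new deviations per month:", monthly_new_deviations(find_deviations(SNAPSHOTS)))
```

Two design points worth noting. Checking each control with a predicate rather than an exact-value comparison lets the baseline express "at least as strict as" instead of "identical to", so a system that exceeds the baseline is not flagged. And because snapshots are periodic, the code never claims to know exactly when the drop happened; it reports the last compliant check as a bound, which is exactly the gap the mapping-frequency recommendation above is meant to shrink for the most critical systems.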

"Traditionally people have employed a lot of perimeter defensive technology based on the assumption the attack will come from outside the network. With the success of phishing and drive-by attacks, and the new threat of any piece of hardware-running software being a point of attack, businesses will stop worrying about where the attack will likely come from and instead focus on what in their environment is critical and could be attacked," Nunez said.

The key is reducing the likelihood of an attack being successful, he added.

But when an attack is successful, the security team should be able to identify it quickly and reduce the impact significantly. This can only be done with a security program that ensures business-critical systems are identified and actively monitored, for internal and external problems.
