
Milky Blog


SAP® security @agileSI™ - layered cyber security defenses

By Hendrik Jansen  - December 11, 2018

ERP systems (like SAP® systems) see a growing level of attacks, and of attacker interest, for two obvious reasons. First, the era of the ERP monolith is long gone: no more mainframe or isolation thinking. Many of these systems are now connected to the internet in some shape or form, so the EXPOSURE of these ERP systems is far bigger than it ever was before.

Secondly, ERP security has many components, parameters, settings and deep technical methods. It is incredibly complex, and thus hard for any regular administrator to understand and oversee in full. Herein hides the danger: the things you master are under control, but how do you know that you know it all? There are many known unknowns; we come across such situations every single week. With every technology update and every connection added, the ATTACK FOOTPRINT grows.

The fact that these systems are often so complex, highly interconnected, heavily customized and absolutely crucial to business process uptime has an adverse effect on security patching. Patching is considered risky, lengthy, expensive and complicated, and is therefore often put off. Non-ERP systems are often patched within days, but business operations may wait many months before an ERP system is patched.

An often-heard credo is: IF IT AIN'T BROKEN, DON'T FIX IT. While that may be true, you may want to consider this one as well: IF IT IS EXPLOITABLE, IT WILL BE BREACHED.


Our conclusion is that these large corporate systems, which run entire companies' operations, are far too easy for an attacker to compromise and shut down (or worse).

If someone manages to breach one of those ERP or SAP® applications, they could literally stop operations for these companies.

Security vulnerability warnings - nothing new

Cybersecurity evangelists, engineers and trendwatchers have been warning for a long time that there is evidence of a shift towards attacks on physical safety: think about critical infrastructure like power, transport, water and heating. Think about our financial institutions (the oil of the economy), and about large (inter)connected supply chains. These sorts of threats originally went way beyond the nasty kid in the basement trying things out, but since the Vault 7 release in 2017 (WikiLeaks' publication of documentation for hundreds of CIA attack tools), we wonder whether it still takes a nation-state hacking scenario to really cause a mess.


"The great risk in ERP is disruption," said Alan Paller, the founder of SANS Institute, a cybersecurity research and education organization in Bethesda.


If attackers were interested in, for example, ransomware, there are easier targets, such as unprotected e-commerce websites (see the recent BA booking hack). What hacker organizations may be doing with your ERP systems is preparation: planting a back door, which means having a key to get in later, with a clear purpose. Often the real attack goes unspotted because, during the preparation, a plan is made to erase the digital fingerprints. Nobody is then the wiser.



Layered defenses, a well-balanced strategy and implementation across security INSIGHT-PREVENTION-DETECTION-RESPONSE, is the only way to keep up with the very real threat landscape, also when it comes to ERP systems.
If you are curious about such a balanced strategy (INSIGHT-PREVENT-DETECT-RESPOND), what it means for you as a CISO, what you should be doing against ERP threats, and why you should be working more closely with experts, let us know. Just ask your question(s) on our website.

