SAP and Oracle applications are increasingly being targeted by hackers

Lack of security patches and uncontrolled data transfers facilitate cyber attacks

The recent headlines from the US could alarm many SAP and Oracle users. Cyber security companies and the US Department of Homeland Security warn of an increasing number of hidden hacker attacks, which are, however, in some cases still taken too lightly. [1]

Hackers deliberately use vulnerabilities in SAP and Oracle

According to reports, security issues that have persisted for many years have made these systems particularly attractive and easy targets for hackers. In the recent past, these issues have occurred in leading enterprise applications from Oracle and SAP that had not been updated or provided with security patches. Vulnerabilities that are not eliminated are zealously exploited and, according to Nunez, provide “unrestricted access to SAP and Oracle systems.” [1]

In the long term, companies may face problems far more serious than the short-term disruption to business activities caused by installing security patches. The data stolen by hackers damages not only the operating business but ultimately also the company concerned, which must pay for the data breach. [1] The new EU General Data Protection Regulation (EU GDPR) includes stricter penalties for infringements. This raises the question of whether that incentive is enough to make companies eliminate security holes and invest in modern data protection solutions before high penalties must be paid.

Why are security holes not fixed?

Finding a solution to all security vulnerabilities is a huge challenge that every business has to face. For known vulnerabilities, however, security patches are available. SAP and Oracle recommend installing them and updating application systems to prevent attacks, but these recommendations are often not followed. The companies and government agencies affected by the attacks had no patches installed. The reason for this was that they were worried that “manufacturing, sales or financial activities may be interrupted”. SAP has stated that security patches are issued each month and must be installed promptly. What is often overlooked is that companies simply do not comply with this recommendation because of their numerous projects and a lack of staff: the effort to implement the updates and carry out the associated testing is too high.

Challenge: Process and application-spanning data security

Companies must establish processes to detect data security gaps in good time. To do so, they must broaden their view and consider business processes and data flows in addition to the systems themselves. For example, data transfers between applications or technology platforms are not adequately protected by traditional data loss prevention (DLP). HALOCORE from SECUDE provides SAP customers in particular with extended data loss prevention.

Through automated data classification and encryption, data exports from SAP systems can be controlled and unauthorized exports of sensitive data in connection with cyberattacks can be prevented. In addition, violations of the new EU General Data Protection Regulation (GDPR) are avoided.

A solution to consider

SECUDE’s HALOCORE provides a dedicated data protection solution for SAP. You can read more about this solution here.

Reference

[1] USA warnen vor wachsenden Hacker-Risiken für Software von SAP und Oracle (English: "USA warns of growing hacker risks for software from SAP and Oracle")
