LAS VEGAS (Black Hat) - In early July, news circulated that a Chinese manufacturer stood accused of tampering with the firmware of hand-held scanners.
The firmware, modified with malware that targeted supply chain resources, harvested data from Enterprise Resource Planning (ERP) platforms – grabbing everything it could from financial data, to logistical and customer information.
Attacks such as this demonstrate the blind spot most organizations have when it comes to security. Many of the organizations hit by this embedded attack, called ZombieZero by the security firm that discovered it (TrapX), had all the latest and greatest defenses, but those defenses were designed and implemented to flag attacks from the outside, not from a hand-held scanner used in the shipping department.
"The Zombie Zero attack started from hardware purchased and deployed inside the target’s infrastructure and didn’t attack the operating systems - but instead went straight for the ERP systems," said Mariano Nunez, the founder and CEO of Onapsis, during an interview with CSO.
"The unfortunate reality is that the attackers are ahead of most organizations because few have a mature security practice regarding the monitoring of attacks against their ERP and SAP systems, let alone include these systems in their vulnerability management programs."
Case in point: Microsoft issued a warning last November about a Trojan, based on the Carberp family of malware, that targeted SAP.
In its notification, Redmond said it believed this was the first time malware had been written to target the platform. This, Nunez says, implies that attackers have identified a rich target inside organizations: the ERP platform, which hosts all of the company's critical data and processes.
"In this instance, the malware was smuggled into the targets via scanner equipment. But the next time the Trojan horse could be a printer, router, access point or some other piece of equipment that most people consider to be benign," he added.
If protecting ERP and supply chain management (SCM) platforms is so important, why do organizations fail to monitor these systems to the same degree as endpoints or other systems on the network?
"The truth is because it is not easy," Nunez explained, "there are a number of challenges."
"Even in a lot of mature organizations these ERP systems have grown organically, through individual business units creating their own systems to external systems integrated to the core via acquisitions. Understanding the true scope and inter-connectivity of these systems is a significant project. Secondly, the protocols these systems use are often proprietary, meaning traditional IDS and other technology is unable to understand the communication between these systems and distinguish good traffic from malicious traffic."
Moreover, he added, there's the belief that the only relevant security measure for these systems is the concept of Segregation of Duties (SoD).
Most security planning for ERP and SCM platforms focuses on limiting an operator's access rights to the functions essential to their task. The goal is to ensure that no single user can commit fraud or abuse the system. However, while it is important, SoD solves only one part of the security equation.
It ignores the possibility that an unauthenticated attacker could abuse vulnerabilities and configuration errors, issuing commands and instructions outside the processes that SoD controls. Considering these types of challenges, it's understandable that organizations struggle to secure their ERP systems completely, Nunez said.
When asked for recommendations, Nunez offered five things organizations should be aware of when securing ERP/SCM/SAP systems:
Ask questions about the systems that handle and store core business data:
What are they? Where are they? How are they accessed, and who can access them? Make sure that every system involved in critical business is identified and categorized correctly.
Establish a vulnerability management program for ERP and SAP systems:
This program should have key metrics and report on the level of security and changes in security on a month to month basis.
Attack and vulnerability surface mapping:
The attack or vulnerability surface of the critical ERP and SAP systems should be mapped periodically. The frequency of the mapping should be proportional to the criticality of the data the system stores or processes for the business.
Develop real-time situational awareness of the risk level of all core business systems:
Through the use of vulnerability scanners, traffic monitoring and real-time user behavior analysis, the office of the CISO should be able to report on the current security posture of, and threats to, its core business systems.
For CFOs to report risk to the organization accurately, they should be able to articulate the security posture and current state of risk as it applies to the core business systems.
Develop a security baseline and measure systems against the baseline:
Any deviation by a system below the baseline should be investigated and its cause identified. In addition, the security team should be able to identify how the security of the system was reduced, when it happened, and how long the system was in an insecure state before it was detected.
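As an added illustration of the last two recommendations (this is example code written for this page, not Onapsis code or anything from the article), the script below measures periodic configuration snapshots of an ERP system against a security baseline, opens a finding for every deviation with the snapshot that first caught it and the last compliant snapshot before it (which bounds how long the system was exposed unnoticed), closes the finding when the setting returns to baseline, and summarises the violation count month to month for the vulnerability management report. The parameter names are real SAP profile parameters, but the thresholds, the system ID "PRD" and the snapshots are constructed assumptions for the example.

```python
"""Added example: baseline drift checking for ERP/SAP security settings.
Thresholds, system ID and snapshots are constructed for illustration."""
from datetime import datetime

# Baseline: parameter -> (compliance predicate, human-readable rule).
# The thresholds are assumptions for this example, not a vendor recommendation.
BASELINE = {
    "login/min_password_lng": (lambda v: v >= 12, ">= 12 characters"),
    "login/password_expiration_time": (lambda v: 0 < v <= 90, "1..90 days (0 = never expires)"),
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "== 1 (hard-coded SAP* login disabled)"),
    "rdisp/gui_auto_logout": (lambda v: 0 < v <= 1800, "1..1800 s (0 = no idle logout)"),
    "auth/rfc_authority_check": (lambda v: v >= 1, ">= 1 (RFC calls authority-checked)"),
}


def check_snapshot(params):
    """Return {parameter: observed value} for each baseline rule the snapshot
    breaks. A parameter absent from the snapshot is reported with value None:
    an unknown setting is treated as non-compliant, not ignored."""
    return {p: params.get(p) for p, (ok, _) in BASELINE.items()
            if p not in params or not ok(params[p])}


def drift_report(snapshots):
    """snapshots: chronologically ordered list of (datetime, params) for one
    system. Returns (open_findings, closed_findings). A finding records the
    snapshot that first caught the deviation ('detected_at') and the last
    compliant snapshot before it ('last_good_at'); their difference is the
    upper bound on how long the system was insecure before it was noticed."""
    open_findings, closed_findings, last_good = {}, [], {}
    for ts, params in snapshots:
        bad = check_snapshot(params)
        for p in BASELINE:
            if p in bad:
                if p not in open_findings:  # new deviation: open a finding
                    since = last_good.get(p)
                    open_findings[p] = {
                        "observed": bad[p], "rule": BASELINE[p][1],
                        "detected_at": ts, "last_good_at": since,
                        "max_exposure_days": (ts - since).days if since else None,
                    }
            else:
                last_good[p] = ts
                if p in open_findings:  # back within baseline: close the finding
                    finding = open_findings.pop(p)
                    finding["resolved_at"] = ts
                    closed_findings.append((p, finding))
    return open_findings, closed_findings


def monthly_violation_counts(snapshots):
    """Month-to-month metric for the vulnerability management report: the
    number of baseline violations in the last snapshot taken each month."""
    counts = {}
    for ts, params in snapshots:
        counts[ts.strftime("%Y-%m")] = len(check_snapshot(params))
    return counts


# Constructed snapshots for a hypothetical production system "PRD".
GOOD = {"login/min_password_lng": 12, "login/password_expiration_time": 90,
        "login/no_automatic_user_sapstar": 1, "rdisp/gui_auto_logout": 900,
        "auth/rfc_authority_check": 1}
SNAPSHOTS = [
    (datetime(2014, 5, 1), dict(GOOD)),
    (datetime(2014, 6, 1), dict(GOOD)),
    # A change weakened the password policy and disabled idle logout.
    (datetime(2014, 7, 1), {**GOOD, "login/min_password_lng": 6, "rdisp/gui_auto_logout": 0}),
    # Password length fixed; logout still off; the RFC check was not reported at all.
    (datetime(2014, 8, 1), {k: v for k, v in {**GOOD, "rdisp/gui_auto_logout": 0}.items()
                            if k != "auth/rfc_authority_check"}),
]

if __name__ == "__main__":
    opened, closed = drift_report(SNAPSHOTS)
    for p, f in opened.items():
        print(f"OPEN   {p}: observed {f['observed']!r}, rule {f['rule']}, "
              f"detected {f['detected_at']:%Y-%m-%d}, exposed up to {f['max_exposure_days']} days")
    for p, f in closed:
        print(f"CLOSED {p}: detected {f['detected_at']:%Y-%m-%d}, resolved {f['resolved_at']:%Y-%m-%d}")
    print("violations per month:", monthly_violation_counts(SNAPSHOTS))
```

Two design points worth noting: a parameter the snapshot does not report is treated as a violation rather than skipped, because a monitoring gap is exactly the state the baseline is meant to surface; and the exposure window is reported as an upper bound taken from the last compliant snapshot, since snapshot-based checking cannot know when between two snapshots the change actually occurred (a change log on the system would narrow it).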
"Traditionally people have employed a lot of perimeter defensive technology based on the assumption the attack will come from outside the network. With the success of phishing and drive-by attacks, and the new threat of any piece of hardware running software being a point of attack, businesses will stop worrying about where the attack will likely come from and instead focus on what in their environment is critical and could be attacked," Nunez said.
The key is reducing the likelihood of an attack being successful, he added.
But when an attack is successful, the security team should be able to identify it quickly and reduce the impact significantly. This can only be done with a security program that ensures business-critical systems are identified and actively monitored, for internal and external problems.