Last week, the United States Computer Emergency Readiness Team (US-CERT) posted an alert that puts ERP security in the spotlight. The alert urges ERP system users and administrators to review a report on the increased exploitation of vulnerabilities in Enterprise Resource Planning (ERP) applications.
ERP: A Breach Waiting to Happen
Cloud-based ERP systems by SAP and Oracle currently have a combined total of 9,000 known security vulnerabilities. Running business-critical processes and holding sensitive corporate and personal information, ERP systems are particularly appealing to hackers when connected to the Internet. According to the report, there are at least 17,000 SAP and Oracle ERP applications that are directly connected and discoverable over the public internet.
Recent high-profile cases of ERP hacking include a Dridex banking Trojan campaign that targeted SAP user credentials and sensitive business data, which were harvested and used for fraud.
The report that prompted the US-CERT alert warns that ERP vulnerabilities are targeted not only by individual criminals but also by nation-state attackers and hacktivist groups – such as the Anonymous collective – that use them as backdoors into nationwide systems and threaten those with espionage, sabotage, and financial fraud.
Patch Early, Patch Often
SAP and Oracle regularly release security patches for their ERP products. However, applying those patches is not always as straightforward as you’d expect. Surprisingly, security is not a priority in all organizations. In fact, it is often neglected in favor of operational availability. When system architectures are too complex, functionality is too customized, or users lack knowledge about the patching process, they may neglect to patch. Add an internet connection to the mix and there you have it – an open invitation for a breach.
Nevertheless, by following these simple steps, organizations can proactively protect themselves by accurately assessing the risk. We’ve put together a webinar to get your organization started on keeping Oracle EBS safe.