SAP ERP Security

What is SAP ERP?

SAP Enterprise Central Component (also known as SAP ERP, formerly SAP R/3) is the heart of Enterprise Resource Management. It is undoubtedly one of the major elements of any business, as it enables effective management, storage, and processing of critical information such as employee personal data, financial and tax reports, information on material resources and more, depending on the modules enabled. Unauthorized access to this system can result in disruption of key business processes and data corruption.

SAP ERP Security Risks

There are multiple risks related to SAP ERP systems. Some of them are listed below.

Misappropriation of material resources (Fraud)

Access to the Material Management (MM) module allows an attacker to modify the material resources data in any way; for example, one can manipulate any data that has to do with the quantity of material resources in stock or those being delivered, or pilfer from warehouses in collusion with the organization’s employees.

Embezzlement of funds (Fraud)

Using the VD01 transaction in the Sales and Distribution (SD) module, an attacker can create a fake vendor and then generate sales orders on behalf of this vendor via the VA01 transaction. The most probable outcome is embezzlement.

Manipulation of credit limits (Sabotage)

Access to the Sales and Distribution module gives an attacker the opportunity to change the limits for credit operations by using the FD32 or F.34 transactions. When there are no limits for purchasing on credit, the organization can fall into a money pit.

Product cost manipulation (Sabotage, Fraud)

With access to the Sales and Distribution module, an attacker can also substitute the data used for product cost assignment. Product pricing in SAP is processed automatically by measuring multiple criteria: monetary value of the transaction, customer type, season, discount availability, markups, etc. These actions are managed by the VK11, VK12, and VK14 transactions. Because the price is calculated automatically, the pricing determination process may be opaque to the person executing the transaction. Thus, manipulation of the product cost may remain unnoticed.

Credit card data theft (Espionage)

In the Sales and Distribution module, there are many tables that store credit card data: VCKUN, VCNUM, CCARDEC and more than 50 others. Besides material losses to your organization, stealing credit card data can jeopardize business credibility.
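As an added example (not ERPScan's or SAP's code), the script below shows one way a defender could review transaction usage for the codes named above and flag any user who ran both VD01 and VA01. The CSV layout, the user names and the `review` function are assumptions made for illustration; the sample log is constructed.

```python
import csv
import io
from collections import defaultdict

# Transaction codes named on this page, mapped to the risk they are listed under.
SENSITIVE_TCODES = {
    "VD01": "embezzlement", "VA01": "embezzlement",
    "FD32": "credit limits", "F.34": "credit limits",
    "VK11": "pricing", "VK12": "pricing", "VK14": "pricing",
}
# Pairs one user should not run together (segregation of duties).
SOD_CONFLICTS = [("VD01", "VA01")]

# Constructed sample export; the column layout is an assumption, not an SAP format.
SAMPLE_LOG = """timestamp,user,tcode
2024-03-01T09:12:00,JSMITH,VA01
2024-03-01T09:15:00,MBROWN,VD01
2024-03-01T09:20:00,MBROWN,VA01
2024-03-01T10:02:00,AKHAN,FD32
2024-03-01T10:05:00,AKHAN,SE16
2024-03-01T11:30:00,jsmith,vk11
2024-03-01T11:31:00,JSMITH,VK11
"""

def review(log_text):
    """Return (hits, sod): hits maps user -> {tcode: count} for sensitive
    transactions; sod lists (user, tcode_a, tcode_b) conflicts."""
    hits = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        # Normalise case so "jsmith"/"vk11" match "JSMITH"/"VK11".
        tcode = row["tcode"].strip().upper()
        if tcode in SENSITIVE_TCODES:
            hits[row["user"].strip().upper()][tcode] += 1
    sod = [(user, a, b) for user, seen in sorted(hits.items())
           for a, b in SOD_CONFLICTS if a in seen and b in seen]
    return {user: dict(seen) for user, seen in hits.items()}, sod

if __name__ == "__main__":
    hits, sod = review(SAMPLE_LOG)
    for user, tcodes in sorted(hits.items()):
        for tcode, count in sorted(tcodes.items()):
            print(f"{user} ran {tcode} x{count} ({SENSITIVE_TCODES[tcode]})")
    for user, a, b in sod:
        print(f"SoD conflict: {user} ran both {a} and {b}")
```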

SAP ERP Vulnerabilities

The SAP ECC system uses SAP NetWeaver Application Server ABAP as its main platform. Therefore, it is subject to all risks of the platform, which amount to more than 1000 risks. Additionally, there are about 350 specific vulnerabilities in different modules of SAP ECC. Some of them were revealed back in 2007 and are still relevant to many systems. For example, there is a vulnerability in the Gateway service that enables unauthorized access to the SAP server and execution of any OS commands.

How can our software help to ensure SAP ERP Security?

ERPScan Smart Cybersecurity Platform for SAP has a wide range of checks aimed at discovering security issues specific to SAP ERP Systems. The solution’s leading position in the field has been confirmed by multiple awards. This is the only SAP SE certified solution on the market able to identify, analyze, and remediate all SAP security issues, and to provide powerful protection against cyber attacks and fraud. It embraces all three areas of SAP security: vulnerability management, source code review for custom programs and segregation of duties (SoD).