Today we circle back to enterprise cybersecurity and its role in effective corporate compliance. Why? Because researchers recently discovered a vulnerability in SAP software that lets attackers infiltrate your IT systems to steal personal data, alter financial transactions, or otherwise cause all sorts of mischief that would saddle your business with huge compliance concerns.
The weakness is known as the RECON Vulnerability, and it was discovered in July by cybersecurity firm Onapsis. The flaw exists in what’s known as the SAP JAVA NetWeaver layer — basically, the foundation layer upon which many other SAP applications run. So if your business hasn’t patched the RECON vulnerability, attackers could worm their way into your SAP systems at that base layer, and then proceed upward to execute commands in all those other applications.
The scary part: RECON allows unauthenticated attacks. So long as your SAP system is connected to the Internet — and, spoiler alert, plenty of SAP systems are — attackers could bypass all the user IDs, passwords, and other access controls businesses use to keep unwanted visitors off your IT applications.
Those measures only help to authenticate users of your IT systems. Sure, hackers do try to pierce those systems too, such as by launching a phishing attack that dupes employees into visiting fake websites where they share log-on credentials. But RECON lets attackers evade those authentication steps entirely.
Instead, the attacker just needs to find an SAP system connected to the Internet. Then he or she enters some command line code that looks to me like something out of Mr. Robot. Anyway, you get the idea. The attacker can then access all your company’s SAP data, and even execute transactions such as sending a wire payment or creating a new vendor. So you’re now at risk for violations of the GDPR, Sarbanes-Oxley, the FCPA, and other compliance obligations.
And because all this happens without an authenticated user, your system would show no user logs, no audit trail, no transaction records — zilch. You might not know about the attack for weeks or months, and forensic reconstruction of what went wrong would be painstaking.
We’ve Been Here Before
If RECON sounds familiar, that’s because it’s quite similar to a vulnerability discovered in Oracle business software in June, known as BigDebIT. RECON just affects SAP, which is the other kingpin player in enterprise resource planning (ERP) software used by countless thousands of businesses worldwide.
The good news is that SAP is fully aware of RECON, and SAP issued a software patch in July to seal up the weakness. The bad news is that if your business hasn’t yet implemented that patch, and done so properly, your data and your compliance posture are still vulnerable.
In other words, we have yet another example of how poor enterprise cybersecurity is very much a corporate compliance issue. Two of the largest ERP software providers in the world are vulnerable to attacks that could let someone evade standard internal controls and GRC management tools. That’s not good.
Remediation vs. Remediation
This is where risk and audit executives might think, “OK, I understand the threat here. What am I supposed to do about it? Isn’t this the responsibility of the CISO?”
In theory, yes. In practice, the threat is so significant — and can cause so many regulatory compliance problems further downstream — that it demands the attention of all risk assurance functions.
RECON isn’t like the more commonly understood cybersecurity threats, where hackers steal access credentials to gain unauthorized access to IT systems. In those cases, remediation might include tighter access control (such as two-factor authentication), security training for employees, and analytics tools to review audit trails swiftly.
Well, unauthenticated attacks don’t involve employees or access controls, or other types of internal control that an auditor might typically test and a company then remediate. So the steps outlined above don’t much help here. RECON requires a more sweeping remediation that addresses cybersecurity at the enterprise level.
That is, the company needs governance policies to assure that software patches, ERP configurations, and application development all happen with strict attention to cybersecurity. For example…
- At many businesses, the IT department might develop an application first, and let security teams handle the security risks of that new application later. How do you assure a security-by-design approach to app development?
- Software patches might not happen promptly, or might not happen across the whole enterprise — but one unpatched system is all a RECON attacker needs. How do you assure that patch management is done in a timely, correct manner?
- Large enterprises configure SAP, Oracle, and other ERP systems in a zillion different ways. Who oversees that configuration process, to be sure it doesn’t create the next vulnerability after RECON and BigDebIT are gone?
If your company can’t answer those questions well, then it’s at risk of regulatory failures ranging from a privacy breach to FCPA violations to material weaknesses in financial reporting, and more.
So the compliance, audit, and risk functions now need to wade into areas that historically you would have left to the CISO or IT development director — because remediation isn’t so much about testing and improving access controls as it is about improving processes and governance.
That’s trickier to do, and involves closer collaboration between risk assurance teams. That collaboration may not always have existed within your organization. So you’re going to need to cultivate those relationships, and build consensus around governance and policy.
Security risks. You gotta love ’em.
Bonus: RECON Vulnerability Content Series
Update: The folks at Onapsis have published a detailed series of posts about the RECON vulnerability! Radical Compliance has agreed to add this post to that series. Below is a description from Onapsis of what’s going on:
Back in July, SAP issued patches for the RECON vulnerability that was identified and disclosed to SAP by the Onapsis Research Labs. Because of the severity and the amount of potentially vulnerable Internet-exposed SAP systems, the DHS-CISA along with many other global organizations issued CERT Alerts warning organizations of the criticality of the RECON vulnerability. Both SAP and Onapsis urged organizations using SAP Applications to apply the patches immediately.
In the days following the release of the patches for RECON, the Onapsis Research Labs and other security/threat intelligence organizations and researchers witnessed and reported rapid threat activity, including scanning for vulnerable systems and ultimately weaponized exploit code posted publicly. This content is part of a coordinated effort with threat intelligence experts, researchers, and organizations to provide further insight, intelligence and actions you should take to ensure your organization is protected from the RECON vulnerability. All the parts can be found here:
- Part 1: The Vulnerability @Onapsis Blog
- Part 2: The Mitigations @SAP Community Network
- Part 3: Relevance to the Cloud @Cloud Security Alliance
- Part 4: Threat Intelligence @DigitalShadows
- Part 5: Active Scanning @Stratosphere Labs
- Part 6: Tools, Techniques and Procedures @BlueLiv
- Part 7: Active Exploitation @Onapsis Research Labs
- Part 8: Compliance @The Institute of Internal Auditors
- Part 9: Data Privacy @Radical Compliance
- Part 10: Programmatic Approach @Linkedin