The US Department of Homeland Security (DHS) has issued a warning against cyber-attacks, launched by nation-states and other groups targeting ERP systems. This alert is inline with recent IDC survey stating that 64% of Oracle and SAP ERP installations have been hacked during the past 3 years.
As these systems are tied to so many aspects of a business, including finance, HR, supply chain management, and more, they make an extremely attractive target for hackers.
Because ERP systems are used across the whole organization, composed of dozens of modules, hundreds of interfaces, and sometimes thousands of custom code modifications, they are difficult to patch or upgrade.
At the same time, companies tend to underestimate ERP vulnerabilities, since these systems are usually not open to the public network and their users feel secure, as they are used to relying on internal controls built into their systems, like separation of duties and other manual controls.
All that leaves the door open to critical flaws. For example, the one that allows fraudsters to change the bank routing and account numbers for transfer orders, bypass all internal controls, and silently redirect payments to fraudulent accounts. One such reported vulnerability affects more than 50% of Oracle EBS customers and a similar one affects more than 50,000 SAP installations.
The combination of an extremely attractive target, which is also very difficult to protect, has already drawn the attention of a growing number of hacking groups. According to IDC, 64% of Oracle and SAP ERP installations have been hacked during the past 3 years, despite the periodic security audits and patches applied to these systems.
These bleak statistics and high number of known ERP security flaws (9,000+ for Oracle and SAP, combined), made the Department of Homeland Security (DHS) issue an alert warning of increased activity from nation-state hackers, criminal groups, and hacktivists against Enterprise Resource Planning systems.
Looking forward, most major ERP providers, including SAP and Oracle encourage their customers to move their ERP systems to the cloud. This process has many benefits, yet it will only further expose these thousands of security flaws to attacks.
Software updates are essential for digital safety and security. Organizations need to keep their ERP systems up-to-date and apply security patches frequently. This could have eliminated cases such as the 2016 US-CERT alert to more than 30 SAP installations, vulnerable to a known exploitation that was patched by SAP seven years earlier.
However, with ERPs, it’s easier said than done. These systems tend to be highly customized and affect every aspect of the organization – from procurement to HR, from finance to supply chain. To fill this gap, new solutions designed to shield ERP systems from cyber-attacks emerge.
The same concept that paved the way to creating email security systems and database security systems is now applied to the ERP ecosystem. One of the first companies to introduce this security concept is nsKnox Technologies, a leading provider of anti-fraud and cybersecurity.
How can PaymentKnox™ help?
PaymentKnox™ was designed to protect ERP finance modules by monitoring, in real time, corporate payments generated by the ERP’s finance module. It identifies any attempt to manipulate data or transfer funds to fraudulent accounts. By using PaymentKnox™, organizations are able to detect cyber-attacks targeting their ERP’s finance systems and prevent the exploitation of flows similar to the Oracle EBS flaw, mentioned above.
Furthermore, PaymentKnox™ also protects ERP users from social engineering and internal embezzlement attempts, as it includes a bank account ownership validation service which authenticates the ownership of your suppliers’ bank accounts. The latter would eliminate cases of social engineering and internal embezzlement, like the ones that caused the loss of dozens of millions of dollars by companies such as Toyota, Google, Facebook, Tesla, Nikkei and others.
We hope that by reading this publication, security practitioners will understand the risks involved in the existing ERP infrastructure and learn about new methods to properly protect their organization.