If you are not worried about the security of your ERP system, you ought to be.
Considering that ERP is the repository of much of a corporation's most important customer and financial data, it's scary how often the security of ERP systems is neglected. It happens for many reasons, including the organizational disconnect among different teams responsible for security and ERP applications. Security specialists tend to focus on security-specific systems and controls, delegating responsibility for the ERP environment to the applications team.
The common but often-dangerous assumption is that applications, databases and middleware are secure as long as they are fully patched.
Depending on software vendors to remedy vulnerabilities in a timely manner can be hazardous to the health of your organization. Patches don't solve the problem of zero-day attacks in real time for which no defense is available, and in most cases the vulnerability lasts far beyond day zero because it can take months or years for a patch to be released and for enterprises to implement it. Keeping up with patches when they are released can be expensive, time consuming and disruptive - like any software update, a security patch has the potential to break important customizations and integrations.
One recent survey of 504 CIOs and CFOs found that 81% admitted they have refrained from implementing an important security patch because of the concern that it would disrupt business operations.
Vulnerability patching ought to be part of a much broader strategy for solidifying your defenses in terms of people and processes as well as technology. Security can fail at any level and needs to be reinforced at every level.
The video embedded here is a replay of a webinar presentation I gave shortly before the Collaborate19 Oracle user conference. The timing is one reason the examples I share focus on Oracle, but another is that Oracle products such as Java and Oracle Database are often part of the application infrastructure for customers of SAP and other enterprise software.
In my experience, Java has proven to be a weak link in application security, and the majority of Oracle applications are written in Java. But the issues aren't limited to Oracle or to Java. One of my main points is that applying vendor security patches is insufficient as a security strategy when you consider unknown vulnerabilities that can be exploited.
Promptly and completely fixing vulnerabilities is a challenge for all major vendors. When a vulnerability is reported by security researchers (or is identified as part of real-world attacks), it often takes months for the vendor to confirm the issue, devise a strategy for addressing it, and develop and distribute new code.
Patches sometimes take years to develop. An April 2019 Oracle Critical Patch Update (CPU) addressed a flaw present in many Oracle products that had been reported three years earlier. Further, upon release, such patches don't always fix the issue. A CPU from 2018 that was supposed to correct a critical vulnerability in Oracle's Java-based WebLogic middleware (CVE-2018-2628) was quickly followed by reports that it was possible to bypass the fix.
Some categories of vulnerabilities can linger for years - for example, both of the examples just cited involve a vulnerability in the way Java serializes and deserializes objects. While the Java core developers work to address an architectural flaw that dates back to the earliest days of the language, deserialization exploits have continued to emerge.
You are not helpless in the face of these threats, but we recommend addressing them with a multilayered, defense-in-depth strategy that blocks attacks at every opportunity, even if the core code has not been patched.
We recommend a five-pronged approach:
- Understand your environment
- Harden and manage your configuration
- Monitor privileged account activity
- Secure the web tier and other application infrastructure
- Secure the database
My presentation goes into more depth, but let me call out an example of how understanding and hardening your environment is important. If you do a thorough inventory, you are likely to find unnecessary software exposed where hackers can exploit it. For example, default installations may include old versions of Java and insecure demo scripts. Particularly on any server that potentially could be accessible from the internet, a good practice is to inventory and disposition code that does not serve a business purpose.
In addition to advising you on strategy, the security team at Rimini Street can recommend specific software defenses against zero-day exploits, including Rimini Street Advanced Database Security and Rimini Street Advanced Application and Middleware Security. Both address the scenario where there is a known patch in your application infrastructure that is not patched - whether because the vendor has not issued a patch or you have not yet implemented it.
One of our clients, CareTech, called late on a Friday afternoon because it was under attack from cryptocurrency miners trying to plant software on its servers via a WebLogic vulnerability. Even though Oracle had issued a patch to address this same vulnerability, the attackers were finding ways around it and siphoning off resources from the healthcare IT company's operational systems. Over a weekend, we helped CareTech implement runtime protection that quickly blocked those attacks, even as the hackers continued to evolve their tactics. We used the same runtime vulnerability remediation technology that is at the heart of our Advanced Application and Middleware Security product.
Similarly, Rimini Street offers actionable security intelligence for databases. Rimini Street Advanced Database Security is enhanced with technology from McAfee and is designed to block attacks on databases, including attacks against vulnerabilities for which no patch is available. Clients such as Suburban Propane that utilize the technology say that, in addition to improving their security at a reasonable cost, they have improved visibility because they now get alerts when their databases are under attack.
New security threats are emerging all the time, and your defenses must keep pace. Please watch the webinar replay video for more about the five ways to improve ERP security we recommend. Then talk to us about how Rimini Street can help you improve enterprise application security.
Rimini Street Global Security Services
Learn more about how Rimini Street Global Security Services can help you implement multi-layered security.
Gabe Dimeglio, Sr. Director, Global Security Services
Gabe is an Information Technology and Security veteran with 20 years of experience in private and public sector organizations. Gabe’s management background includes responsibility for the development and management of technology and security teams, operations, business development, client facing programs, budgets, and compliance programs throughout organizations. His consulting background includes providing strategic consulting services, performing risk analysis, and providing risk mitigation recommendations and guidance to highly diverse organizations from the Global 100 to defense, healthcare, financial and educational institutions.