Protecting ERP Systems: The Case for Zero-Trust
In late July 2018, the US Department of Homeland Security issued an alert warning United States organizations of an increase in activity related to Enterprise Resource Planning (ERP) systems by hacktivists, nation-state hackers, and underground criminal organizations. This alert was the result of several security research organizations observing a spike in chatter and underground forum activity related to finding and exploiting vulnerabilities (both zero-day and not) in popular ERP systems such as Oracle and SAP. ERP systems are used by both small and very large organizations to manage various facets of their businesses, such as human resources, payroll, marketing, sales, orders, and distribution, as well as many other business-critical functions. ERP systems often store highly sensitive information, and unauthorized access to it would be catastrophic for the health of the organization. For example, a competitor could access a price list or bill of materials costs. Nation-state attackers could find out the recipients of sanctioned materials and know where and when to steal them. Because of the significant potential for gain, ERP systems are highly targeted.
ERP systems are often hosted either in an on-premise datacenter or in the cloud. In recent years, Oracle and SAP have been pushing their customers (through price pressure) to switch to cloud-based Software as a Service (SaaS) solutions. Moving on-premise applications to the cloud could pose increased risks if the migration is not handled correctly. For example, when the ERP system is on-premise, users have to be physically in a company facility or use a VPN in order to access the system. With a cloud-based SaaS service, anyone with an internet connection could potentially access the system. If the cloud-based system uses a weak authentication method such as username/password only, moving the system to the cloud greatly increases the attack surface.
Attackers are not just looking for the dozens of zero-day exploits discovered in Oracle and SAP every year; they are using old-school tactics such as phishing, brute force, and password reuse attacks. If the breaches at Yahoo! and the growing database of compromised passwords on haveibeenpwned.com are any indication, it is likely that a company user’s password is already available for purchase on the dark web. Simple reconnaissance on LinkedIn can quickly identify potential targets with appropriate access to the ERP system. If access is not strictly controlled and strong authentication is ignored, organizations are putting their crown-jewel data at risk. This risk extends to both cloud-based SaaS and on-premise ERP systems. At the time of writing, security researchers have identified over 17,000 ERP applications exposed to the internet, with over 500 of those applications exposing their raw file system through misconfiguration and lapses in basic security practices.
The security solution ERPScan is marketed as one of the only known products specifically designed to protect ERP systems against attack. However, in June 2017, the United States Treasury Department sanctioned ERPScan for alleged ties to the FSB, the Russian intelligence agency. If the only product on the market to protect ERP systems against attack is unavailable, how can an organization limit the risk of having its ERP systems exposed to the internet?
Traditional VPN systems used to gain access to on-premise software, such as ERP, place users on the network and grant too much access unless explicitly controlled. As evidenced by the Target and Home Depot breaches, investment in traditional perimeter security does not automatically result in secure remote access. Additionally, moving the application to a cloud-based SaaS solution also means exposing it to the internet, which brings a different set of challenges such as DDoS protection, weak authentication, access control list management, SQL injection, and the like.
One solution is to use a zero-trust access model protected with strong authentication. Zero-trust access follows the principle of least privilege, a fundamental component of information security: never give anyone or anything more access than is necessary to complete their task. Under the zero-trust framework, users can see and access only the applications they have been explicitly granted access to (through microsegmentation) and nothing more. A significant benefit of using zero-trust with remote access solutions, such as a software-defined perimeter with strong authentication, is that a properly identified and authorized user is connected only to a specific application, not an entire network. Zero-trust is equally applicable to on-premise software and cloud-based SaaS solutions. Instead of building security controls around a system that is already full of potential vulnerabilities, such as an SSL VPN, the better approach would be to completely change the way users access applications by leveraging a zero-trust model for access.
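
The contrast between network-level VPN access and per-application zero-trust access can be shown as two access decisions over the same environment. This is an added example, not code from the article or from any product it mentions; the users, application names, addresses and grants are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample environment (hypothetical names and addresses).
VPN_SUBNET = ipaddress.ip_network("10.20.0.0/16")  # network a VPN user lands on
APPS = {
    "erp-finance": "10.20.5.10",
    "erp-hr": "10.20.5.11",
    "file-share": "10.20.9.40",
}
# Zero-trust grants: explicit user -> application pairs. Anything absent is denied.
GRANTS = {
    "alice": {"erp-finance"},
    "bob": {"erp-hr"},
}


@dataclass(frozen=True)
class Session:
    user: str
    mfa_passed: bool  # True only if strong (multi-factor) authentication completed


def vpn_reachable(session: Session) -> list[str]:
    """Network-level model: once connected, every host in the subnet is
    reachable, regardless of who the user is or how they authenticated."""
    return sorted(
        name for name, ip in APPS.items()
        if ipaddress.ip_address(ip) in VPN_SUBNET
    )


def zero_trust_visible(session: Session) -> list[str]:
    """Per-application model: default deny, strong authentication required,
    and only explicitly granted applications are visible at all."""
    if not session.mfa_passed:
        return []
    return sorted(GRANTS.get(session.user, set()) & set(APPS))


def authorize(session: Session, app: str) -> bool:
    """Connect the user to one application, never to the network."""
    return app in zero_trust_visible(session)


if __name__ == "__main__":
    stolen = Session("alice", mfa_passed=False)  # password-only login
    print("VPN reach:", vpn_reachable(stolen))
    print("Zero-trust reach:", zero_trust_visible(stolen))
    print("Alice with MFA:", zero_trust_visible(Session("alice", True)))
```

A password-only session reaches every application in the VPN model and none in the zero-trust model, which is the reduction in exposure the paragraph above describes.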