Enterprise Resource Planning (ERP) systems are quickly becoming a popular target of hackers. It used to be that these systems were on private networks behind firewalls, but as companies move to the cloud and include their vendors and subcontractors in their ERP systems, the systems are becoming more public.
More public means easier to hack.
Two of the major ERP vendors are Oracle and SAP. These systems can be incredibly complex and incredibly expensive, but also incredibly easy to hack.
Oracle, for example, patched a record 334 vulnerabilities in the July 2018 patch release.
Patches may not be available if companies are running an older version of the software.
Even if a company is running the current version of the software, installing patches to fix 334 bugs is always risky, so companies often do not install the patches, either ever or for a long time, often months. That is plenty of time for hackers to use those bugs to work their way into a company’s system.
Hacking into a company’s ERP system could give hackers access to a company’s finances, plans, designs, production schedules, inventory, customers and a whole range of other information.
So what should a company be doing?
First, for EVERY SINGLE PUBLIC FACING system, you need to make sure that patches are being installed on a timely basis. The more severe the bug, the quicker the patches need to be installed. Hackers will start targeting systems within 24 hours of a patch being released, so waiting 30 days, for example, to install patches may be a greater risk than the possibility of the patch causing an outage.
And, there are ways to mitigate the risk of failure due to an errant patch.
Second, run third party penetration tests against all of your publicly facing servers at least once a year. For sensitive servers, run the tests more often. It will cost some money, but so will losing sensitive company information to competitors or the Chinese.
Third, run vulnerability scans on all servers at least monthly to find missing patches and potential vulnerabilities.
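One way to turn the severity-based patch-window rule above into a check that can run over a vulnerability scan's findings, as an added example that is not from the post or from Bleeping Computer. The patch windows, host names and patch labels are assumptions for illustration.

```python
from datetime import date

# Assumed policy, not from the post: days allowed to install a patch, by
# CVSS severity band. The more severe the bug, the shorter the window.
SLA_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}


def severity(cvss: float) -> str:
    """Map a CVSS base score to a severity band (CVSS v3 score ranges)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def overdue_patches(inventory, today):
    """Return (host, patch, band, days_late) for every public-facing system
    that has not installed a patch and is past the window for its severity."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for item in inventory:
        if not item["public_facing"] or item["installed"] is not None:
            continue
        band = severity(item["cvss"])
        days_late = (today - item["released"]).days - SLA_DAYS[band]
        if days_late > 0:
            findings.append((item["host"], item["patch"], band, days_late))
    # Worst offenders first.
    return sorted(findings, key=lambda f: -f[3])


# Constructed sample inventory (hypothetical hosts and patch labels), as a
# scanner might report missing patches from the July 2018 release.
INVENTORY = [
    {"host": "erp-web-1", "patch": "CPU-A", "cvss": 9.8, "released": date(2018, 7, 17), "installed": None, "public_facing": True},
    {"host": "erp-web-1", "patch": "CPU-B", "cvss": 5.3, "released": date(2018, 7, 17), "installed": None, "public_facing": True},
    {"host": "erp-app-2", "patch": "CPU-A", "cvss": 9.8, "released": date(2018, 7, 17), "installed": date(2018, 7, 18), "public_facing": True},
    {"host": "hr-db-int", "patch": "CPU-A", "cvss": 9.8, "released": date(2018, 7, 17), "installed": None, "public_facing": False},
]

if __name__ == "__main__":
    for host, patch, band, days_late in overdue_patches(INVENTORY, "2018-08-01"):
        print(f"{host}: {patch} ({band}) is {days_late} day(s) past its window")
```

Two weeks after release only the critical patch is overdue; by September the medium one is too, which is the gap the post warns about.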
While ERP systems may be popular attack targets today, any public facing server is a target. As we saw in the 2013 Target Stores breach, an attack on a vendor management portal led to the loss of 100 million credit card numbers.
It is important to understand that it does not matter whose capital paid for the server that is running the software. If it is in the cloud and therefore technically owned by a cloud service provider like Amazon or Microsoft, it is still a target.
Information for this post came from Bleeping Computer.