In this article, we explain what known unknowns and unknown unknowns are and how they affect your SAP security risk. As early as February 2002, the former United States Secretary of Defense, Donald Rumsfeld, answered a question with the following statement:
As a result, he was almost universally lampooned, since many people initially thought the statement was nonsense. Rumsfeld's statement sounded odd; however, what he said was not wrong. Like the apocryphal “you don’t hear the bullet that gets you”, the phrases “known unknown” and “unknown unknown” are worth remembering when thinking about threats. Much scientific research is based on investigating known unknowns: scientists develop a hypothesis to be tested and then, ideally, design experiments that provide the proof.
SAP Risk Potential
I ran into this 2x2 matrix in the German translation of a Wikipedia page [link, external]. As an interesting side note, this matrix was invented by a psychologist and is a well-known analysis tool for understanding one's sense of self and of others. It also works very well for the risks arising from cyber security threats.
Examples with SAP security context
- We know that our support team has display rights for all tables and access to transaction SE16, so we know they can read all data stored in tables; they need this access while working on support incidents.
- We know that our SAP developers have debug rights and the permission to overwrite variable values. We assume that some of them also use these permissions to bypass authorization checks, but we have no proof.
- We have not executed a security assessment recently, hence we know neither which vulnerabilities exist nor who is exploiting them.
With the classification in mind, re-read what Rumsfeld said: now it makes perfect sense. Not only that, it becomes obvious that the "unknown unknowns" should be of utmost interest, not just because you probably will not see what is coming to get you, but because of the potential size and impact of the risk.
Cyber security is not a task that can ever be ticked off your to-do list; it requires a constant state of vigilance and constant updating of your understanding to minimize the “unknown unknowns”. This is especially true now, with new legislation (GDPR) forcing all European businesses to report breaches. But how do you address the “unknown unknown” cyber security risks to protect your enterprise, for example against SAP GDPR violations?
Cyber Risk Management
The National Cyber Security Centre is a good source of information and guidelines. You may start by looking at 10 steps to Cyber Security [link, external].
The following measures are essential to securing the SAP application level:
- Secure SAP Configuration
Harden the system after installation. Profile and system parameters should be securely configured (with reference to your SAP security baseline document) for all installed and used components.
- Secure SAP Development
Educate your SAP development team to apply threat modelling to their coding. Implement a quality assurance gateway before code is released. Use tools like the SAP Code Inspector and deploy a code vulnerability scanner.
- Managing SAP user privileges
Apply proven principles for your authorizations, like "least privileges" or "need to know".
- Monitoring SAP activity
Continuously monitor all SAP activity, evaluate the security risk and generate actionable security alerts. Enable cross-platform visibility by combining generic security events (hardware, OS, ...) with SAP security events in a holistic security monitoring approach.
You can find various best-practice guidelines; sadly, most of them focus on "Secure Configuration" and "User Privilege Management". Monitoring all SAP activity throughout your landscape without an extensive workforce and/or tooling is a major challenge, if not simply impossible.
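As an added example (not from the original article or from SecurityBridge), here is a minimal Python detection rule run over constructed, simplified audit events: it turns the "known unknown" from the developer example above into evidence by alerting on debugger variable changes in production, and flags SE16 table reads outside a support allow-list. The event fields, the allow-list and the sample events are assumptions chosen to match the support and developer examples, not the real Security Audit Log layout.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SapEvent:
    """Simplified, constructed event record; field names are assumptions,
    not the real SAP Security Audit Log layout."""
    system_role: str   # "PRD" for production, "DEV" for development
    user: str
    tcode: str         # transaction the user was working in
    action: str        # "DEBUG_VAR_CHANGE" or "TABLE_DISPLAY"
    obj: str = ""      # table name for TABLE_DISPLAY events


# Tables the support team legitimately needs for incident handling (assumed list).
SUPPORT_TABLE_ALLOWLIST = frozenset({"BALHDR", "BALDAT", "TSTC"})


def evaluate(events: List[SapEvent]) -> List[str]:
    """Return one actionable alert string per suspicious event.

    Rule 1: we suspect developers change variables in the debugger to bypass
    authorization checks but have no proof; alerting on every debugger
    variable change on a production system produces that proof (or shows it
    is not happening). Debugging in DEV is not alerted.
    Rule 2: support staff can read any table via SE16, so reads of tables
    outside the incident-handling allow-list are flagged for review.
    """
    alerts = []
    for e in events:
        if e.action == "DEBUG_VAR_CHANGE" and e.system_role == "PRD":
            alerts.append(f"HIGH: {e.user} changed a variable in the debugger "
                          f"on PRD while in {e.tcode}")
        elif (e.action == "TABLE_DISPLAY" and e.tcode == "SE16"
              and e.obj not in SUPPORT_TABLE_ALLOWLIST):
            alerts.append(f"MEDIUM: {e.user} displayed table {e.obj} via SE16 "
                          f"outside the support allow-list")
    return alerts


# Constructed sample events: two legitimate, two that should raise an alert.
SAMPLE_EVENTS = [
    SapEvent("DEV", "DEVELOPER1", "SE80", "DEBUG_VAR_CHANGE"),        # fine in DEV
    SapEvent("PRD", "SUPPORT1", "SE16", "TABLE_DISPLAY", "BALHDR"),   # allowed table
    SapEvent("PRD", "DEVELOPER1", "VA01", "DEBUG_VAR_CHANGE"),        # alert
    SapEvent("PRD", "SUPPORT1", "SE16", "TABLE_DISPLAY", "PA0008"),   # alert (HR pay data)
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```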
Run a secure IT organization
SecurityBridge will help you to master this hurdle throughout your journey.
I also recommend reading the blog article SAP® Cybersecurity monitoring made easy.