Introduction to Cyber Security


What is cyber security? This introduction to cyber security offers a brief overview of an immense, sprawling subject. Indeed, quite a few books have been written on this subject. It’s impossible to capture it all in a single web page. However, we thought it would be useful to provide a high-level introduction to this topic.

Cyber security is a field of endeavor that spans professions, technologies, processes, laws, law enforcement and national security. At its root, cyber security is about protecting digital assets from harm, theft or malicious, unauthorized use. A digital asset could be a database, a piece of technology like a computer or smartphone, a website, an e-commerce business and so forth.

An introduction to cyber security needs to reference its predecessor. The cyber security field is not new, though it used to be called by (and still is, to some extent) different names. It was known as “information security” (InfoSec). The legal side of it was known as “computer crimes.” The word “cyber” has come into nearly universal use today due to several major shifts that have occurred in the field.

Cyberspace, a concept popularized in science fiction, posits that we (the human users of technology) imagine the invisible, abstract “space” existing between us, our computers, and other computers and their users, as a physical place. It’s fake, but real. Got it? Cyberspace has become real enough that it’s a very useful metaphor to describe criminal or malicious acts taking place between people and entities (e.g. governments, corporations) using computers.

We talk about cyber security because life in the modern world has become highly digital. Because so many of our interactions and fundamental life processes rely on computers, crime and malfeasance now take place in cyberspace. Hackers are doing much more than affecting InfoSec. They’re affecting people’s lives, in some cases literally, through “cyber physical” acts like hacking connected cars and so forth.

 


The Rise of Non-Human Identities: A New Cybersecurity Frontier

By Alix Melchy, VP of AI at Jumio

The line between humans and machines in digital spaces is blurring. Non-human identities (NHIs), including AI agents, bots, and machine-generated tokens, are rapidly becoming the new digital workforce. Currently, 35% of businesses have adopted NHIs, specifically AI agents, and over 70% plan to implement this tech in the near future.

But while these entities offer productivity and scalability, they also present a significant and growing threat to enterprise security both within and outside organizations’ perimeters. Deploying NHIs requires dedicated enhancements of the defense strategy to address associated new vulnerabilities. In parallel, NHIs also enhance fraudsters’ advanced attacks.

For instance, fraudsters are using NHIs like AI agents to generate convincing fraud schemes such as synthetic identity fraud and target human digital identities within the enterprise. Because AI agents lower the knowledge barrier to launching attacks, they’re expanding the pool of potential cybercriminals and broadening the threat landscape.

As fraud becomes more industrialized and AI more accessible, it’s time we rethink how we secure identity in a world where “who” isn’t always human.

The Expanding Threat Surface of NHIs

While we’ve seen enterprises advance their human identity intelligence tactics with biometric identification strategies including liveness detection and cross-transaction risk monitoring, the explosion of machine identities, used for everything from accessing APIs to deploying AI chatbots, has opened a vast and often unmonitored threat surface that enterprises cannot ignore.

These NHIs are often granted overly broad access, run continuously, and undergo at best the same scrutiny or lifecycle management as human users. And that’s where the problem starts. Many enterprises have thousands of these entities operating in the background with elevated privileges, yet with minimal oversight. Without strong authentication, governance, and monitoring, NHIs become prime targets for attackers.

More concerning is that the barrier to entry for launching attacks using NHIs is rapidly decreasing. Fraudsters no longer need deep technical skills, as they now have access to AI-as-a-service tools that can generate synthetic identities, write malware, and even create convincing deepfake personas with little more than a prompt. This democratization of AI means anyone with a laptop and a credit card can automate fraud at scale.

Building the Future: Identity Intelligence for NHIs

To secure a future filled with non-human participants, we must extend the same rigor of identity proofing to NHIs as we do to humans. That means:

  • Authentication Standards for NHIs: Just like humans require multi-factor authentication, NHIs should be provisioned with strong cryptographic credentials, regularly rotated keys, and very granular least privilege access policies with delegated identity representation as required.
  • Lifecycle Governance: Enterprises need to treat NHIs as first-class identities, tracked from creation to decommissioning, with clear ownership, behavior monitoring, and granular role-based access controls, both in terms of scope and duration.
  • Continuous Risk Assessment: Traditional one-time checks are no longer enough. There must be dynamic, AI-powered risk signals that evaluate behaviors, anomalies, and environmental factors in real time.
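One way to turn the three controls above into a recurring check is to audit the NHI inventory itself. The following is an added example, not code from the article or from Jumio; the record fields, the 90-day rotation and 30-day idle thresholds, and the sample inventory are all assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values; the article does not prescribe specific numbers.
MAX_KEY_AGE = timedelta(days=90)   # rotate credentials at least this often
MAX_IDLE = timedelta(days=30)      # unused identities should be decommissioned


@dataclass
class NHI:
    """One non-human identity as a hypothetical inventory record."""
    name: str
    kind: str                    # e.g. "api_token", "ai_agent", "service_account"
    owner: str | None            # accountable team or person
    scopes: list[str]            # granted permissions, "resource:action"
    key_created: datetime
    last_used: datetime | None
    expires: datetime | None     # None means the identity never expires


def audit(nhi: NHI, now: datetime) -> list[str]:
    """Return the governance findings for a single identity."""
    findings = []
    if not nhi.owner:
        findings.append("no-owner")
    if any(s == "*" or s.endswith(":*") for s in nhi.scopes):
        findings.append("wildcard-scope")
    if now - nhi.key_created > MAX_KEY_AGE:
        findings.append("key-rotation-overdue")
    if nhi.expires is None:
        findings.append("no-expiry")
    elif nhi.expires <= now:
        findings.append("expired-not-decommissioned")
    if nhi.last_used is None or now - nhi.last_used > MAX_IDLE:
        findings.append("idle")
    return findings


def audit_inventory(inventory: list[NHI], now: datetime) -> dict[str, list[str]]:
    """Map identity name -> findings, listing only identities with findings."""
    report = {}
    for nhi in inventory:
        findings = audit(nhi, now)
        if findings:
            report[nhi.name] = findings
    return report


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data, not taken from any real environment.
NOW = _utc(2025, 6, 1)
INVENTORY = [
    NHI("billing-api-token", "api_token", "payments-team", ["invoices:read"],
        _utc(2025, 5, 1), _utc(2025, 5, 31), _utc(2025, 8, 1)),
    NHI("support-chat-agent", "ai_agent", None, ["crm:*"],
        _utc(2024, 11, 1), _utc(2025, 5, 30), None),
    NHI("legacy-etl-bot", "service_account", "data-eng", ["warehouse:read"],
        _utc(2025, 3, 20), _utc(2025, 4, 1), _utc(2025, 5, 15)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```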

Identity Intelligence for NHI Attack Vectors:

Fraudsters are also leveraging NHIs like AI agents to execute high-volume, automated attacks that overwhelm systems and evade legacy defenses. To counter these threats, enterprises need multilayered, intelligence-driven defense mechanisms capable of identifying risk beyond a single transaction or device:

  • Velocity Patterns: Security strategies must evolve to rapidly and accurately detect behavioral anomalies. Patterns like repeated identity submissions from a single device or inconsistencies across onboarding sessions can reveal synthetic or automated activity, even when each individual interaction seems legitimate.
  • Advanced Liveness Detection: With generative AI lowering the knowledge barrier to creating realistic fraud like deepfakes, traditional identity verification tools are no longer sufficient. Modern liveness detection must go beyond static image analysis, using motion, depth, and texture cues to distinguish real users from AI-generated imposters.
  • Cross-Transactional Risk Assessment: To effectively counter the rise of NHIs, organizations need the ability to link risk signals across multiple systems and user sessions. By analyzing how identities, devices, and behaviors interact across the digital ecosystem, businesses can identify and disrupt fraud patterns before they scale.
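The velocity and cross-transactional signals above can be sketched as detection logic over onboarding events. This is an added example, not code from the article or from Jumio; the event fields, the 10-minute window, the threshold of three identities per device, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; the article does not specify thresholds.
WINDOW = timedelta(minutes=10)
MAX_IDENTITIES_PER_DEVICE = 3

# Constructed onboarding events: (timestamp, device_id, session_id, name, document_id).
# Each row looks legitimate on its own; the signal is in the aggregate.
EVENTS = [
    ("2025-06-01T09:00:00", "dev-D", "s8", "Gia Rossi",  "DOC-3001"),
    ("2025-06-01T10:00:00", "dev-A", "s1", "Ana Ruiz",   "DOC-1001"),
    ("2025-06-01T10:01:00", "dev-B", "s2", "Ben Okoye",  "DOC-2001"),
    ("2025-06-01T10:02:00", "dev-A", "s3", "Carl Meyer", "DOC-1002"),
    ("2025-06-01T10:03:00", "dev-B", "s4", "Ben Okoye",  "DOC-2001"),  # honest retry
    ("2025-06-01T10:04:00", "dev-A", "s5", "Dana Lee",   "DOC-1003"),
    ("2025-06-01T10:06:00", "dev-A", "s6", "Eli Novak",  "DOC-1004"),
    ("2025-06-01T11:00:00", "dev-C", "s7", "Farid Khan", "DOC-1002"),  # reused document
    ("2025-06-01T12:00:00", "dev-D", "s9", "Hugo Blanc", "DOC-3002"),
]


def velocity_alerts(events):
    """Flag devices that submit too many distinct identities inside WINDOW.

    Returns {device_id: highest distinct-identity count seen in any window}.
    """
    recent = defaultdict(deque)  # device -> (time, identity) pairs still in window
    alerts = {}
    for ts, device, _session, name, doc in sorted(events):
        t = datetime.fromisoformat(ts)
        q = recent[device]
        q.append((t, (name.casefold(), doc)))
        while t - q[0][0] > WINDOW:  # drop submissions older than the window
            q.popleft()
        distinct = len({ident for _, ident in q})
        if distinct > MAX_IDENTITIES_PER_DEVICE:
            alerts[device] = max(alerts.get(device, 0), distinct)
    return alerts


def cross_session_conflicts(events):
    """Link sessions by document id and flag documents claimed under several names.

    Returns {document_id: sorted list of devices that presented it}.
    """
    names = defaultdict(set)
    devices = defaultdict(set)
    for _ts, device, _session, name, doc in events:
        names[doc].add(name.casefold())
        devices[doc].add(device)
    return {doc: sorted(devices[doc]) for doc, seen in names.items() if len(seen) > 1}


if __name__ == "__main__":
    print("velocity:", velocity_alerts(EVENTS))
    print("cross-session:", cross_session_conflicts(EVENTS))
```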

A New Era of Cyber Defense

NHIs, whether helpful AI agents or malicious bots, are reshaping the landscape of fraud, cybersecurity, and compliance. Enterprises must now be cautious of the threats this tech brings within and outside their perimeter.

The future of cybersecurity lies in identity intelligence. And in a world filled with synthetic threats, knowing who, or what, you’re interacting with has never been more critical.

The organizations that will manage NHIs most effectively are those that treat identity not as a static credential, but as a dynamic signal of trust; continuously verified, adaptively managed, and comprehensively secured.


About the Author

Alix Melchy is the VP of AI at Jumio, where he leads teams of machine learning engineers across the globe with a focus on computer vision, natural language processing and statistical modeling. An experienced AI leader, Melchy has a passion for turning AI-innovation into enterprise-grade AI systems, fostering the responsible practice of AI and shaping a secure digital landscape. 

Alix can be reached on LinkedIn and at his company’s website https://www.jumio.com/


Hack-Proof Your Startup: Cybersecurity Tactics That Work

In today’s digital age, cybersecurity is not just a buzzword but a fundamental aspect of running a successful business. As an aspiring entrepreneur or established business owner, understanding and implementing robust cybersecurity measures can safeguard your company from potential threats. This article, presented by the Journal of Cyber Policy, will guide you through essential strategies to enhance your business’s digital security, ensuring you stay ahead in preserving your assets and customer data.

Enhance Security with Authentication Measures

To start, prioritize the implementation of advanced authentication measures. Two-factor authentication (2FA), biometric authentication, and regular session timeouts are your first line of defense against unauthorized access. Requiring a second form of identification, 2FA significantly reduces the risk of security breaches.

Biometric systems—such as fingerprint and facial recognition—add an extra layer of security that is difficult to replicate. Additionally, setting your systems to log out automatically after periods of inactivity can prevent unauthorized access during unattended sessions.

Acquire a Cybersecurity Degree

Consider pursuing a degree in cybersecurity to enhance your knowledge and skills. Specialized programs teach you how to protect computers and network systems effectively, an invaluable skill set for safeguarding your business’s digital infrastructure.

If your focus is on cybersecurity programs, choosing an online degree can be especially beneficial. It allows you the flexibility to learn at your own pace while managing your business operations, providing a practical solution to stay competitive and informed.

Compliance and Data Management

Keeping track of the personal data you store is essential for business operations and compliance with regulations like the GDPR. Understanding what information you hold, where it resides, and who has access to it will help you manage privacy concerns and compliance requirements effectively. This proactive approach to data management is a critical component of your cybersecurity strategy.

Protect Sensitive Information with Password-Protected PDFs

Securing sensitive information is crucial, and one effective method is using password-protected PDFs. This simple yet powerful tool ensures that only individuals with the correct password can access critical files, protecting them from unauthorized viewing or alteration.

Enabling digital signing of PDF documents further enhances security by requiring a unique digital certificate and PIN for validation. This method assures that the person signing the document is authenticated and authorized.

Cyber Liability Insurance

To further protect your business, obtaining cyber liability insurance is advisable. This coverage supports your business by mitigating financial losses from various cyber incidents, including data breaches, network damage, and business interruption. In the face of increasing cyber threats, this insurance can be a financial lifesaver, offering peace of mind and stability.

Conduct Periodic Risk Assessments

Regular risk assessments are vital to identify and address new vulnerabilities. These evaluations help you understand potential security weaknesses and reinforce your defense mechanisms before exploitation occurs. Periodic inspections ensure that your cybersecurity measures evolve in line with emerging threats, keeping your business resilient against attacks.

Secure Your Physical Assets

It’s also crucial to secure the physical components of your cybersecurity framework. Ensure all physical assets, such as servers and hard drives, are stored in locked rooms accessible only to authorized personnel. This physical security layer prevents unauthorized physical access and protects against theft, damage, and loss.

Develop an Effective Emergency Response Plan

An effective emergency response plan is essential for any cybersecurity strategy. This plan should outline specific steps to respond to security breaches. Quick and organized action can significantly minimize a breach’s impact, helping maintain customer trust and business continuity.

Cybersecurity is a critical aspect of modern business management that cannot be overlooked. By adopting these strategies, you empower your business against the growing threat of cyber attacks, ensuring your operations remain secure, compliant, and resilient. Start today by implementing these measures, and take a proactive step toward securing your business’s future.


Cybersecurity Pitfalls Small Businesses Must Avoid

Cybersecurity is a critical concern for small businesses in today’s digital age. Avoiding common cybersecurity mistakes can protect your business from threats and data breaches. Implementing these best practices, presented by the Journal of Cyber Policy, can enhance security posture and safeguard sensitive information.

Enhance Coding Skills

Enhancing your coding skills equips you to manage basic cybersecurity fixes on your website. Understanding and applying code allows you to spot and rectify security vulnerabilities that may compromise your site’s integrity.

Numerous online resources offer guidance and tutorials for those looking to refresh or improve their coding abilities, catering to beginners and advanced programmers. Strengthening your coding expertise bolsters your cybersecurity measures and enhances your capacity to maintain a secure and dynamic online presence.

Regular Employee Training

Neglecting employee training exposes your business to significant cybersecurity risks. It’s crucial to regularly educate employees about cybersecurity threats, such as phishing and social engineering tactics.

Employees are often the first line of defense against cyberattacks, and their awareness can prevent many security breaches. Conduct regular training sessions, workshops, and simulations to keep your team informed about the latest threats and how to respond effectively.

Emphasize Strong Passwords

Strong passwords are vital for protecting your business from unauthorized access. Effective passwords should be long and mix upper- and lowercase letters, numbers, and symbols. Passwords should also be changed regularly to avoid being compromised. Weak passwords are easily guessed or cracked, giving cyber criminals access to your systems. Using strong, unique passwords for each account is an essential first line of defense.

Establish Clear Security Policies

A lack of security policies leaves your business vulnerable to cyber threats. Developing and enforcing clear cybersecurity policies covering access control, data handling, and incident response is essential. These policies provide a framework for managing and protecting your digital assets. Clearly define who has access to what data, how data should be handled and stored, and the steps to take in the event of a security incident.

Protect Sensitive Files with PDFs

Using password-protected PDFs is an excellent way to secure sensitive files from cyberattacks. PDFs offer several security benefits, including encryption and restricting access and editing.

Online tools that allow you to convert files to PDFs by simply dragging and dropping them into the tool make this process straightforward and efficient. Implementing PDF security guarantees that sensitive documents are protected from unauthorized access and tampering.

Secure Mobile Devices

Ignoring mobile device security can compromise your business’s overall cybersecurity. Utilize mobile device management (MDM) solutions to enforce strong security settings on all mobile devices used within your organization.

MDM solutions allow you to monitor, manage, and secure employees’ devices, ensuring they comply with your security policies. Implementing measures such as encryption, remote wipe capabilities, and strong passwords for mobile devices protects sensitive information and reduces the risk of data breaches.

Keep Software Up to Date

Outdated software is a significant security risk for small businesses. Keeping operating systems, software, and applications up to date with automatic updates and patch management systems is crucial. Cybercriminals often exploit vulnerabilities in outdated software to gain access to systems.

Regular software updates ensure you have the latest security patches and protections. A patch management system helps automate this process, reducing the likelihood of missing critical updates and enhancing your overall security posture.

Ensure Data Backups

Insufficient data backups can lead to catastrophic data loss in a cyberattack. Performing automated, regular data backups and ensuring offsite storage for disaster recovery is essential. Regular backups protect your business from data loss due to ransomware attacks, hardware failures, or other unforeseen events.

Offsite storage adds an extra layer of protection, ensuring your backups are safe even if your primary location is compromised. A robust backup strategy ensures you can quickly recover and resume operations during a data breach.

The Bottom Line

Avoiding these common cybersecurity mistakes can significantly enhance your small business’s security. You can create a more secure environment for your business operations by focusing on solid passwords, improving coding skills, training employees, protecting sensitive files, establishing security policies, securing mobile devices, keeping software up to date, and ensuring regular data backups. Taking proactive steps to address these areas will help safeguard your business from potential cyber threats and protect your valuable data.


How Cloud Computing Has Revolutionized Data Storage

by Mason Jacob

Cloud computing is a modern concept that has completely revolutionized the way data gets stored. Previously, data had to be physically stored in devices which would take up a lot of space and needed to be carefully dealt with. Users had no say over the amount of storage they would like to take up as it solely depended on the capacity of said device. These devices included CDs, hard drives, USBs, all of which came with their own set of challenges. They took up physical space which was very inconvenient. They also were at risk of privacy and security breaches since they were physically accessible to anyone who came across them. Lastly, these two reasons made physical forms of data storage a liability which is why it was also expensive to maintain them, especially if they were not used at full capacity, which ultimately meant that users were paying extra to store less.

With cloud computing, these problems go away and users are at an advantage if they store their data on a cloud database. There are multiple reasons why this is true:

1) Increased Accessibility:

Initially, users were often restricted because they had to be at a certain place at a certain time to access important data and that too, through a certain device. This created a lot of issues since it was not possible for people to meet all these conditions just for the sake of accessing data. However, with cloud computing, users can access data through any device from any location. This has made business processes smoother too as employees can access company data from whatever device has been authorized to them and do not need to be in a specific location at a specific time for this. This is especially beneficial for employees working remotely.

2) Unlimited Capacity:

Physical forms of data storage limited consumers since they had to choose the best option according to their data needs and often had to secure multiple devices, especially if they had a lot of data. With cloud storage, users can choose how much storage they want to acquire and tailor it according to the needs of the data they have. This gives users a lot of autonomy since they are in charge of how much space is taken up. Furthermore, this takes away the element of constantly upgrading and also takes away the inconvenience caused by having to buy more products.

3) Cost-Effectiveness:

Cloud storage is more cost effective than other forms of storage since users only pay for the storage they actually take up, as opposed to paying for a device that has storage left over in excess. It is also a comparatively low maintenance form of storage which is another reason why users will not be racking up large bills if they use it.

4) Increased Security:

Cloud computing offers a lot of security for data which is why it is a preferred method of data storage. This is why many IT asset management tools also use cloud computing as chances of data getting compromised are lower with this form of data storage. Only authorized users have access to the data and outsiders have low chances of getting in. Multiple methods are used to make this secure since data is extremely sensitive and can be misused. Security patching can be executed very easily on cloud systems since cloud service providers work endlessly to identify any weaknesses and vulnerabilities in the system. Once a gap is identified, a new update is launched to address the problem and to ensure data is not at risk anymore.

5) Recovery:

When data was stored physically (either on hard drives or paper), it was always susceptible to loss since data storage devices could get easily corrupted and recovering data from them was nearly impossible. At the same time, data stored on paper could get destroyed due to natural causes such as a fire or a flood, or anything that can spoil paperwork. With cloud computing, data is replicated across multiple systems at multiple locations so there is no way of losing data until and unless users deliberately delete something. It is also quite hard to get rid of digital footprints so data that was once stored online will always be available.

6) Collaboration:

Cloud computing allows multiple users to collaborate and add or view data at the same time. This makes it very easy for remote workers to access the organization’s data from wherever they are located as they do not have to be physically present and can also collaborate with their coworkers for the same reason. This also helps with tracking the data since it can be seen who can access, view, or edit certain data. The process of collaboration becomes a lot more transparent which makes cloud computing the perfect tool for organizations.

Conclusion:

Cloud computing has revolutionized the way data gets stored and makes the entire process a lot more secure, convenient, and accessible for users. Data of any form is extremely sensitive since it contains confidential information and is always at risk of a breach. Cloud computing takes away all the risks of data storage and combines it with all the benefits of modern technology. This makes it a lucrative method of storing data not just for organizations but also for individuals who wish to record their documents and media without letting others access it. Cloud computing will always be innovative since patching with the latest updates and upgrades is very easy, which makes it a very dynamic method of data storage. Users will never have to worry about losing their data since they will always have access to it regardless of where they are. They are no longer constrained by their geographical location and can access as well as share the data with whoever they want to. Organizations are and will always be heavily reliant on cloud-based technology for their business operations. In short, cloud computing has definitely revamped the scene of data storage and has made so many features, which were once unthinkable, possible.

 

Mason Jacob is an avid technology writer who speaks about the latest trends in the technological landscape.

Gender Gap Persists in Tech

From NordLayer:

As International Women’s Day on March 8 draws near, cybersecurity experts address the remaining gender gap in the industry

It may seem like women in tech are making rapid inroads, but the reality is that women represent only 22% of roles in the European tech sector, according to a McKinsey study. At a time when the cybersecurity workforce alone had 3.5 million jobs unfilled globally in 2023, this glaring gender gap is more than just a diversity issue.

The analysis suggests that if Europe could boost women’s presence in tech to 45% by 2027, it might close the talent gap and potentially increase GDP by up to €600 billion.

Beyond the economic benefits, diverse teams are widely recognized to enhance productivity and creativity because they often make better decisions. Efforts such as the Black Girls Code program encourage young girls’ interests and support and empower women in tech.

“Having more positive female role models in tech can help immensely. When young women see other women succeeding and thriving in these careers, it becomes easier to envision themselves in those roles. That’s why it’s so important for women already in tech to raise their voices and be visible mentors and champions,” says Juta Gurinavičiūtė, CTO at NordLayer.

 

Shatter stereotypes and build confidence

The Economist’s glass-ceiling index, which measures where women have the best chances of equal treatment at work and rising to leadership positions, reveals that gender parity remains an elusive goal, even in wealthy nations. Four Nordic countries — Sweden, Iceland, Finland, and Norway — top the index as the best places for working women. In Japan and South Korea, women must still choose between a family or a career.

The challenges facing women in tech are multifaceted, including societal biases, lack of encouragement to pursue an interest in STEM from a young age, and persistent self-doubt. Shelby Dacko, a human risk analyst at Social-Engineering LLC, shared her experience: “Many of my challenges have stemmed from my own doubts about my capabilities. Whenever I doubt myself, I remember my team lead Ryan’s encouragement and remind myself that I am qualified and capable.”

Gintarė Milkevičiūtė, a product manager at NordLayer, emphasized the importance of projecting confidence, even when feeling insecure. “One colleague advised me to always consider myself the most knowledgeable person in the room, which really helps set a positive attitude. Maintaining this confidence internally can significantly influence how you handle difficult situations, find patterns, and guide conversations effectively.”

 

Tech women leaders empowering other girls

Too often, lack of relatable role models and hands-on opportunities at an early age can steer girls away from pursuing their interests in STEM. According to the American Association of University Women (AAUW), women account for just 28% of the STEM workforce. The gender disparity is particularly pronounced at the college level, where men vastly outnumber women pursuing majors in STEM disciplines like computer science and engineering.

Girls seeing other women in tech as role models is important because it shows them they can enter this field, too. This visibility in turn creates a snowball effect — the more women who choose a career in tech, the more normal it becomes, which leads to a more diverse idea-generating environment. Dacko emphasized this by saying, “It’s crucial for young women to see other women in tech. We need to encourage opportunities from a young age.”

In a world where cybercrime is the fastest-growing form of crime globally, the human element is a critical defensive asset that diverse teams provide. Inclusion and diversity aren’t just buzzwords. They are essential to connecting all the dots in our cyber defenses and driving innovation.

 

ABOUT NORDLAYER

NordLayer provides flexible and easy-to-implement cybersecurity tools for businesses of any size and work model developed by the standard of NordVPN. We help organizations secure networks in a stress-free way. NordLayer enhances internet security and modernizes network and resource access with technical improvements aligning with the best regulatory compliance standards. Helping organizations to adopt FWaaS, ZTNA, and SWG principles, NordLayer is focused on the security service edge of cybersecurity services.


 

Consumer Demand for Better Mobile App Security and Intensified Regulatory Scrutiny Create Need for Increased Cyber Resilience

By Alan Bavosa, VP of Security Products at Appdome

The mobile app economy will continue to expand at an increasing pace, as evidenced by consistent data from Appdome’s consumer surveys, spanning over 75,000 consumers across 12 countries in 2021, 2022, and 2023, that reveal a migration to the mobile app channel to buy, save, share and support the brands they love. Mobile app traffic is now the dominant channel for brand interaction. As the mobile security space transforms from a niche, specialty market to a mature industry, regulatory and compliance scrutiny are also heightened. With scrutiny and compliance requirements intensifying in regions like LATAM, APAC, the US and the UK – the cybersecurity industry will witness a surge in emphasis, and demand, for mobile security and mobile-centric hiring practices in 2024.

Consumer expectations for mobile app security are growing and so is regulatory and compliance scrutiny. This means that mobile brands and developers must accept that the onus of protecting global consumers from cyber threats – be it hacking, data theft, fraud, or malware – falls squarely on their shoulders. More directly stated: users do not want to own security and are holding brands accountable for the protection of all personal data, and beyond.

In the U.S. alone, according to Appdome’s 2023 consumer survey, an eye-opening 73% of consumers confessed they would drop an app quickly if they sensed even the slightest weakness in security – and will abandon brands that don’t seem to care about their security or protect them.

Mobile consumers are becoming more and more cyber-savvy and expect app makers to build comprehensive security into mobile apps, moving the baseline from basic cyber protections to comprehensive mobile app defense. In fact, the survey found that consumers expect mobile brands to go one step further by preventing fraud instead of detecting and reimbursing them after it occurs. A staggering 82% of mobile consumers said they preferred mobile brands to stop mobile fraud before it started. Only 15% said they prefer to be reimbursed after it happens, and only a negligible amount (about 2%) said fraud protection is not important to them.

When asked who should bear the responsibility for mobile app protection, the majority of global consumers (56%) said they expect the mobile brand or developer of the app to protect them.

To meet the growing demands of consumers and regulatory entities alike, cybersecurity teams must start adopting developer best practices to ensure not only compliance but also cyber resilience. Cyber resilience in mobile apps is the ability to withstand and recover from security incidents or attacks in real time. For the longest time, the thought has been that mobile app developers should adopt cybersecurity best practices.

The release cycle for developing or updating mobile apps is very rapid – and short – with the entire workflow, including every tool used within, being automated. Traditional mobile app security tools, however, are the exact opposite of this as they rely on manual effort or impose cumbersome operations, and do not fit into the DevOps workflow – at all. This leads to security being ignored altogether, or the implementation of “bare minimum” security measures, which still requires a large time and effort commitment by the development team.

Tools, such as those provided by Appdome, that give developers a way to implement comprehensive security in a way that fits right into their existing, automated workflow, without any work on their part, are crucial for effectively implementing cybersecurity best practices in the development cycle.

Put simply, the only way that cybersecurity is going to have a true seat at the table is when the industry starts to adopt DevOps best practices. Cybersecurity would thus have an agile and rapid way to build their security model to protect against new threats and attacks that they were able to identify in production.

As before, data from Appdome’s 2023 consumer survey revealed that mobile applications dominate the consumer share of mind and wallet. Additionally, consumers now ‘feel the pain’ and have begun to take any lack of protection in the mobile apps they use personally. Going further, they openly place the responsibility for mobile app defense on the mobile brand and developer providing the app. Mobile brands are advised to listen to consumers’ biggest fears like hacking, fraud, and malware, and respond to the high cyber and anti-fraud expectations consumers have in using mobile apps for life and work.

A company’s mobile cyber defense culture should always protect the customer first. What is encouraging is that the reward for developers for protecting Android and iOS apps and users is better than ever – an overwhelming 93.6% of global consumers confirm a willingness to promote mobile apps and brands to others if they felt like mobile apps were protecting them, their data, and use. All the more reason to make mobile app protection a top priority.


Top 10 Vulnerabilities in SAP

By Christoph Nagy, SecurityBridge

As we know, SAP (Systems, Applications, and Products in Data Processing) is a widely used enterprise resource planning (ERP) software suite that helps organizations manage various business operations. No digital system is secure by nature or by default – there will always be security challenges, and SAP is no exception.

In this article, we discuss the Top 10 vulnerabilities in SAP – how they affect the security of an SAP system, and finally, how to identify and manage them.

  1. Incomplete Patch Management:

Patching is one of the most significant tasks and security concerns in SAP. Patches, or “SAP Security Notes” (which are generally released on the second Tuesday of each month), often contain critical security fixes that address vulnerabilities. Failing to apply these patches promptly can leave systems vulnerable to known exploits, as cybercriminals often target systems with known vulnerabilities.

  2. Default Credentials:

One of the most prevalent SAP security issues is the use of default or weak passwords. SAP systems often come with default usernames and passwords that are well-known. If organizations do not change these defaults or enforce strong password policies, it becomes relatively easy for attackers to gain access or escalate privileges.

  3. Inadequate User Authorization controls:

Role-based access control (RBAC) is crucial in SAP systems, but many organizations struggle with proper role and authorization management, with poorly managed user access being a common issue. Organizations must implement robust RBAC to ensure that users have only the permissions necessary for their roles. Failing to do so can lead to data breaches and unauthorized activities. Overly permissive roles or insufficient segregation of duties (SoD) can lead to unauthorized access and fraud; conversely, overly restrictive roles can hinder productivity.

  4. Unsecured Interfaces:

SAP systems often have multiple interfaces for communication, including RFC (Remote Function Call) and HTTP. Attackers can exploit inadequately secured interfaces to access and manipulate SAP data, or to move easily between SAP systems and compromise the entire landscape. There are several ways to secure the interfaces, for example by configuring trust between systems so that passwords are not needed, or by using the UCON functionality of SAP to lower the attack surface drastically. Another measure is to enable data encryption, which is essential for protecting sensitive information both at rest and in transit: without proper encryption measures, data can be exposed to eavesdropping and theft.

  5. Inadequate Authentication:

Weak authentication mechanisms, such as simple passwords and insufficient authorization checks, can result in unauthorized access and privilege escalation. Organizations should implement multi-factor authentication (MFA) and regularly review and update authentication policies. When it comes to SAP, enforcing Single Sign-on greatly reduces both the attack surface and the teams’ password reset effort.

  6. Insecure Custom Code:

Again, no digital system is perfect and the custom-developed code within SAP environments can introduce security vulnerabilities. Organizations must enforce regular code reviews and security testing to identify and remediate issues in custom code.

  7. Poorly Managed Security Logs:

Many organizations still do not activate SAP Security Audit Log in their systems, which leaves a huge gap in terms of incident investigation. Proper logging and monitoring are essential for detecting and responding to security incidents. Inadequate or misconfigured logging can make it challenging to identify suspicious activities or breaches. Organizations need to establish robust monitoring and alerting systems to stay vigilant against potential threats.

  8. Configuration errors and leaving settings on insecure defaults:

Misconfigured SAP systems can expose sensitive data and functionality to unauthorized users. This includes incorrect or overly permissive settings and parameters for database and application servers, network configurations, SAP components like the Message Server, RFC Gateway and the ICM, and user authorizations. Configuration errors are often the result of human oversight or lack of expertise. Hence, the 4-eye principle must be applied wherever possible when performing configurations.

  9. Lack of Security Awareness:

Employees and users can inadvertently introduce security risks through actions like social engineering or falling victim to phishing attacks; regular security training and awareness programs are essential to mitigate this risk.

  10. Obsolete and Unsupported Systems:

Running outdated or unsupported SAP systems, operating systems, and databases can be a significant security risk. These infrastructures are more likely to have known vulnerabilities that attackers can exploit. If an SAP system is decommissioned, proper steps must be taken to ensure that all users are locked out and the data is deleted to prevent unwanted data usage; sometimes, even decommissioned systems may contain sensitive business data.

In conclusion, SAP security and proper configuration management are critical concerns for organizations due to the sensitive nature of the data managed within SAP systems and how business-critical they are. To mitigate these top 10 security issues, organizations should establish a comprehensive SAP security strategy that includes regular patch management, robust access controls, secure custom code development, and ongoing user training. Organizations should stay informed about the latest SAP security vulnerabilities and best practices to adapt their security measures accordingly. Addressing these security challenges is essential to safeguard the CIA triad (Confidentiality, Integrity, and Availability) of SAP systems and the information they contain.

Christoph Nagy

Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge–a global SAP security provider, serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as a SAP technology consultant at Adidas and Audi.

Account compromised? Don’t panic—take these steps instead

By James Allman-Talbot, Head of Incident Response & Threat Intelligence, Quorum Cyber

There are few things scarier than having your account compromised. It doesn’t matter if it’s a corporate account or a personal one that’s fallen into the hands of a bad actor. The initial wave of confusion—Hey, why isn’t it letting me in, or I don’t remember making that change—quickly turns to dread as you realize what has actually happened: someone has gained access to your account and all the information in it, and has the power to act on your behalf, likely to a damaging degree.

Before that dread can turn into panic, take a breath. There are in fact things you can, and should, do in the event of a valid account compromise, and once you’ve taken a moment to collect yourself you should jump right on them. Panicking is bad, but you still don’t want to delay.

  • If you can still access the account, change your password—immediately. Don’t reuse a password utilized on other accounts, and don’t change it to some variation of the old one (adding an exclamation point to the end of the old password is probably the first thing the hacker would guess if they try to get in again).
  • If the account is one where you can see and edit active sessions: close all of them. Obviously, if you see a session that is active on your account from halfway across the world, that’s probably where the person is who is in your account, but geographical data can sometimes be spoofed so it’s best to shut down all sessions to be safe.
  • You also want to contact people who can help you lock down the account and undo any damage. If it’s a corporate account that was hacked, reach out to your IT and/or security department—if you have a data protection officer, they’re the best contact—and let them know what happened. They’ll direct you on the next steps and help you determine what data was accessed and actions taken by the attacker.
  • Alternatively, if it’s your own personal account, contacting customer support for the application, site, or service should be your next step. They should have the tools to help you ensure your account is secured and undo any actions that the account took that you did not authorize.
  • Two-factor authentication (2FA), where you have to enter a code sent to your email or phone via text, is your friend. If 2FA wasn’t enabled on the account before, do it now. It makes it more difficult for someone to gain access to your account even if they’ve managed to discover your password. Yes, we all feel that mild ping of annoyance when we have to toggle over to another app to get the code, but I promise you that dealing with a hacked account is far, far more irritating (and lasts a lot longer).
  • Similar to closing out active sessions on an account, check for suspicious activity that might point to how the account was compromised or what the person who broke in got up to. Unauthorized purchases, odd activity, or specific data accessed—figuring out what damage they did will help you undo as much of it as possible.
  • Use that same password for other accounts? Change your repeated passwords elsewhere, starting with the email address tied to that account; oftentimes, hackers don’t stop at one account, and the email address (which is usually the most reliable backup for regaining access after an account locks down) is usually their next stop. For any accounts you have to change this way, it’s a good idea to do all of the above steps as well to see if they already accessed those accounts without you realizing.
  • It’s best to use a fully unique password for every account (again, especially your email). We all have countless accounts that are secured by passwords, so use a password manager to help keep track of those passwords and generate strong, unique ones you don’t have to worry about forgetting.

Accounts are compromised all the time, and while it’s nearly impossible to guarantee it’ll never happen to you, the above steps can limit the damage that is done when you’re hacked and help prevent it from happening again. Remember, if you notice weird activity on your account or start receiving authentication requests from 2FA-enabled accounts that you didn’t generate, that’s a sign that something is amiss and action should be taken quickly.

James Allman-Talbot is the Head of Incident Response and Threat Intelligence at Quorum Cyber. James has over 14 years of experience working in cybersecurity, and has worked in a variety of industries including aerospace and defense, law enforcement, and professional services. Over the years he has built and developed incident response and threat intelligence capabilities for government bodies and multinational organizations, and has worked closely with board level executives during incidents to advise on recovery and cyber risk management.

Even Cybersecurity Experts Get Scammed

By John Wilson

Realizing a cybercriminal has used your personal information to attempt fraud is like a punch in the gut.

I’ve spent my career working to stop scammers in their tracks and educating businesses and individuals alike on how to protect themselves. Now I’ve become a victim myself. I feel violated and vulnerable.

My job as senior fellow for threat research at Fortra is to track down fraudsters, figure out how they’re running their schemes, and help the authorities shut them down. From common scams to well-coordinated campaigns sponsored by foreign countries, I’ve seen enough in my career to make your head spin.

The Situation: Legitimate or Scam?

Here’s how it began. A few months back, I received a voicemail from a random number. The caller, Amy, said she was with the fraud team at a bank where I no longer have an account, and had received an application for a credit card. They’d had to deny it because the address information was incorrect, and I needed to call in to discuss the situation.

The whole thing felt dicey. Why would I receive a call from the fraud department of a bank that I hadn’t done business with in several years?

On the other hand, I knew this type of swindle was commonplace. I hadn’t applied for a credit card, and I couldn’t tell offhand if the call was legitimate. One way or another, I knew some low-life had all my information. They’d probably only paid a few bucks for it too.

Taking Action

As I always tell anyone who will listen to me, the first step toward looking into potential fraud is to find the phone number to call using a second avenue of verification in case it’s a phishing or vishing (voice phishing) scam. Never call the number given in the voicemail or email. You can use your physical card or the institution’s website to find the right one.

I found the bank’s fraud reporting webpage. The number I’d been given was nowhere to be seen. Suspicious. I did, however, have a close contact in the bank’s fraud detection department who I’ve worked with professionally for many years. So, I called him.

“Believe it or not,” he said after I’d filled him in, “The call you got was legitimate. It came from our fraud team, and someone did try to open a credit card in your name.” (Here’s where I must recommend that organizations should promote their fraud reporting phone number front and center on their website!)

My next step was to write to the bank to request a copy of the application the scammers submitted, something anyone can do under the Fair and Accurate Credit Transactions Act of 2003 Provision 151. Sure enough, the perpetrator had it all—my name, birthdate, social security number, email address and phone number—just not my actual mailing address. They’d used one across the country, which is why the application didn’t go through. To be fair, I’m sure they had my home address as well, but sending a new credit card to my home address wasn’t part of their plan.

After doing a little digging, I found that the building the scammer listed actually exists, and my guess is the criminal has acquired a master key to the suite of apartments there to retrieve incoming mail related to these schemes.

I reached out to one of my FBI contacts, and he told me they’d received several reports of attempted credit card fraud at that same address. Case solved, suspect arrested, tried, and convicted in 60 minutes including commercials. Well, not exactly. This is the real world, and the FBI doesn’t have the bandwidth to investigate every would-be identity theft.

Credit Freezes Are Critical: Get Them in Place Pronto

My bank urged me to freeze my credit reports immediately, which I did. This is important to prevent scammers from using your information to take out mortgages, apply for loans, or establish bank accounts or credit cards in your name. Once they do, they will destroy your credit. The sad part is, if I’d simply followed my own advice, the identity thief would have been stopped dead in their tracks during the application process and I likely wouldn’t have ever received the call that started this whole story. Do as I say, not as I did!

By law, you can request a free copy of your credit reports every year from each of the three bureaus (Equifax, Experian and TransUnion). You have to call each agency individually, and they’ll either let you select a PIN or assign one to you. Then it will be your job to remember the PIN to unlock your credit when you need to have it checked for any reason.

The Messy Truth: Our Personal Information Is Already Out There

As a cybersecurity professional, I know how easy it is for threat actors to purchase “Fullz,” full sets of personally identifiable information (PII). They can get thousands of records as easily as buying milk at the store. It’s just a matter of time before each of our tickets gets pulled and someone decides to act on the information to wreck our good names.

What I didn’t know though, was how I’d feel about it when it happened. And I was ticked. That’s the G-rated version of how I actually felt.

I was also concerned about the impact of this application on my credit score. Fortunately, when I contacted the credit bureaus, they used the proof of fraud to remove the “hard inquiry” from my reports, so it won’t affect my scores.

My best guess is this resulted from the Equifax breach of 2017, when sensitive data was exposed for 147 million people. I’m lucky the bank denied the application. Had they not, I wouldn’t have frozen my credit, and the scammer could have applied for 20 different cards in my name. Some may even have been approved, and I wouldn’t have known until I defaulted on paying for something I’d never had anything to do with in the first place.

Resources for Reporting Fraud

If you find yourself in a similar situation, contact the Federal Trade Commission or the FBI’s Internet Crime Complaint Center, IC3. Depending on the nature of the theft, you may also want to involve your local authorities.

About the Author

John Wilson is a Senior Fellow, Threat Research at Fortra.

The Cybersecurity Conundrum

By Christoph Nagy, CEO, SecurityBridge

A conundrum persists in the cybersecurity industry: Why do cybersecurity risks forever multiply while skilled professionals remain in short supply? It sounds like an enigmatic statement the Riddler would use to pose a question to Batman. But in reality, the lack of cybersecurity professionals is a real and growing issue.

According to the US Bureau of Labor Statistics, “Employment of information security analysts is projected to grow 35 percent from 2021 to 2031, much faster than the average for all occupations. About 19,500 openings for information security analysts are projected each year, on average, over the decade.” And Statista reports that “As of February 2023, there were 755,743 cybersecurity job openings in the United States.” California had the highest number of job openings, with 81,584 open positions in cybersecurity-related fields. Given these facts, high school guidance counselors should consider cybersecurity the best career option for students.

In some ways, it seems that the industry is making it more difficult to become a cybersecurity professional by introducing a constant flow of new regulations such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Sarbanes-Oxley Act (SOX), and the EU’s General Data Protection Regulation (GDPR). The conundrum is exacerbated when security specialists are required for specific business process systems such as SAP.

SAP systems are being used by 99 of the Fortune 100 companies and have over 280 million Cloud subscribers throughout the world. Organizations typically operate their SAP ERP systems next to an SAP SRM and an SAP HCM environment, while existing SAP implementations are constantly moving to the cloud. Companies rely on a hybrid-cloud architecture to maintain the flexibility required for each environment. The ERP environment operates with the “RISE with SAP” model. The other two SAP environments work at a hyper-scaler, while only the SAP HCM has been shifted to the cloud thus far. The internal SAP team will still be responsible for managing these. Given this enormous footprint and all the data at stake—it boggles the mind to think that SAP cybersecurity experts are not only rare but simply unavailable to hire.

Organizations are constantly expanding even as they lose track of the complexity of their environments. Using hyper-scalers and SaaS models, and combining them with on-premise systems, requires new cyber security expertise. IT professionals are put under additional strain to handle these situations. For organizations that feel comfortable with their cybersecurity protection and trained IT professionals, I suggest reading the NTT Security Holdings 2022 Global Threat Intelligence Report; it’s a wake-up call to those who think their systems are secure.

There’s No Shame In Needing Assistance–A Piece of Advice

First and foremost, organizations must take ownership and introduce a cybersecurity strategy that embeds the protection of critical SAP applications with Patch Management, Vulnerability Detection, and even Vulnerability Remediation or Threat Monitoring. Organizations lacking the in-house IT expertise to meet these criteria need to consider an SAP Managed Service Provider (MSP). MSPs fill the SAP IT gaps for companies and work on Service Level Agreements (SLAs) while using Key Performance Indicators (KPIs). In the specific case of managed SAP Security Services, the monitoring period (e.g., 24×7, 8×5), or the time lapsed until reporting a detected incident, serves as a criterion.

Specifically, SAP MSPs realize that any SAP attack surface is the sum of all possible entry points or attack vectors through which an unauthorized attacker can access a system or application. The smaller it is, the better it can be protected. In the SAP context, web-based access, for which the Internet Communication Manager (ICM) and the SAP Web Dispatcher are responsible, and the Internet Communication Framework (ICF) (via the SAP transaction SICF) should be particularly monitored and secured. Connecting via the RFC interface (Remote Function Calls) is also vulnerable and can cause data leaks to the outside world.

All exposed services (HTTP, HTTPS, SOAP, WebService, APIs) must be continuously evaluated and inventoried. Any system service that is not used or does not serve a specific SAP business scenario should be disabled to reduce the attack surface. SAP services that do not require authentication should be given special attention. In SAP, they are located in the /public/ namespace (found in transaction SICF). Services such as /public/system_info are the first port of call for attackers to gather information about the SAP system during the reconnaissance phase of an attack.
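The continuous inventory review described above, shown as an added example (not code from SecurityBridge or SAP): it reads a service inventory, ignores inactive services, and flags active ones that are reachable without authentication or have no business scenario recorded. The CSV layout, column names, the ZSALES_SRV service and all sample rows are constructed for illustration and are not an SICF export format.

```python
import csv
import io
from typing import NamedTuple

# Constructed sample inventory (hypothetical layout): one row per ICF service.
SAMPLE_INVENTORY = """path,active,auth_required,business_scenario
/sap/public/ping,yes,no,
/public/system_info,yes,no,
/sap/public/bc/ur,yes,yes,UI rendering resources
/sap/bc/gui/sap/its/webgui,yes,yes,Browser-based SAP GUI
/sap/bc/soap/rfc,yes,yes,
/sap/opu/odata/sap/ZSALES_SRV,yes,yes,Sales order app
/sap/bc/echo,no,yes,
"""

TRUE_VALUES = {"yes", "y", "true", "1", "x"}


class Finding(NamedTuple):
    path: str
    severity: str
    reasons: tuple


def _flag(value):
    """Interpret a yes/no style CSV cell; empty or missing counts as no."""
    return (value or "").strip().lower() in TRUE_VALUES


def in_public_namespace(path):
    """True when a directory segment of the path is exactly 'public'.

    Matching whole segments keeps '/sap/bc/publications/...' from being
    mistaken for the unauthenticated /public/ namespace.
    """
    segments = [s for s in path.lower().split("/") if s]
    return "public" in segments[:-1]


def audit_services(csv_text):
    """Return findings for active services, most severe first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = (row.get("path") or "").strip()
        if not path or not _flag(row.get("active")):
            continue  # inactive services are not part of the attack surface
        # The /public/ namespace is treated as unauthenticated even if the
        # inventory column claims otherwise.
        unauthenticated = in_public_namespace(path) or not _flag(
            row.get("auth_required"))
        unused = not (row.get("business_scenario") or "").strip()
        reasons = []
        if unauthenticated:
            reasons.append("reachable without authentication")
        if unused:
            reasons.append("no business scenario recorded: candidate to disable")
        if not reasons:
            continue
        severity = "high" if unauthenticated and unused else "medium"
        findings.append(Finding(path, severity, tuple(reasons)))
    findings.sort(key=lambda f: (f.severity != "high", f.path))
    return findings


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_INVENTORY):
        print(f"{finding.severity:6} {finding.path}: {'; '.join(finding.reasons)}")
```

Run on a schedule against a fresh inventory, a diff of the findings between runs shows newly activated or newly unauthenticated services.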

Conclusion

There is no superhero coming to take ownership of your cybersecurity enigma. If you think that out-of-the-box SAP cybersecurity is enough—think again. According to the University of North Georgia, “Since 2013, 3,809,448 records have been stolen from breaches every day. 158,727 per hour, 2,645 per minute, and 44 every second of every day.”

SAP systems are among the world’s most interconnected data warehouses touching every part of an organization, and need special attention regarding cybersecurity. If a company lacks the in-house expertise to help mitigate risks, an SAP MSP is the next best resource. SAP MSPs bring a high level of cybersecurity acumen at a predictable cost.


Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge, a global SAP security provider, serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as a SAP technology consultant at Adidas and Audi.