Posted On: September 7, 2018

US CERT ERP Security Advisory Broken Down for Oracle JD Edwards and E-Business Suite Users

In late July, the US Department of Homeland Security’s Computer Emergency Readiness Team (US CERT) issued an advisory alert directed at ERP (Enterprise Resource Planning) systems. US CERT’s alert was prompted by “ERP Applications Under Fire,” a joint report published by Digital Shadows and Onapsis, Inc.

Even before the US CERT alert, cyber security was a top concern of every IT executive, and one need only scan the headlines to understand why. But, as “ERP Applications Under Fire” details, cyberattacks on ERP applications are rising sharply. The report documented some worrisome trends, including:

  • Cyberattacks targeting ERP applications have increased by 100% over the last three years.
  • Cybercriminal interest in ERP vulnerabilities, as measured by metrics taken from the conventional Internet and the Dark Web, has increased by 160% from 2016 to 2017.

Digital Shadows and Onapsis document several Common Vulnerabilities and Exposures (CVEs) tied to this increase in cyberattacks against ERP applications.

Syntax would like to take time out to highlight what these vulnerabilities mean to Oracle JD Edwards and E-Business Suite users and provide tips for protecting against these threats.

Failure to Keep ERP Patching Updated

Insufficient patching is one of the leading causes of vulnerabilities exploited by cybercriminals targeting ERPs.

ERP systems are by nature part of a complex system architecture, relying on customized functionality and deployed with detailed and comprehensive access control. The businesses that these systems serve have zero tolerance for downtime, which often complicates and/or delays the application of critical patches.

  • The report asserts that IT staff supporting many ERP systems lack adequate knowledge and processes for sound ERP security.

Citing patching complexity and lack of internal IT knowledge as a key ERP vulnerability sounds an awful lot like security software vendor speak. However, Digital Shadows and Onapsis share a forensic study of a major cyberattack suffered by a 30,000-employee SAP deployment. In this case, the attacker exploited a critical Invoker Servlet vulnerability despite the fact that the SAP Corporation had released a patch to correct this vulnerability 5 years prior to the attack.

The moral of the story for JD Edwards and E-Business Suite users is to keep your system and application patching up to date.

Syntax ensures that patching is up to date for all of our JD Edwards and Oracle E-Business Suite clients and we prioritize security patches. This is true for clients that we support remotely, as well as clients who host their Oracle ERP applications in the Syntax Enterprise Cloud.

Exposure of ERP Applications to the Internet

As the report observes, “Implementing internet-facing ERP applications is not a risk, per se, but to avoid it becoming a potentially high-risk situation, it is imperative that organizations implement the correct security measures.” According to the report, it was possible to find over 100 SAP ITS components and similar Oracle ERP vulnerabilities using nothing other than simple Google searches.

Exposure of ERP applications to the internet is an issue that JD Edwards and Oracle E-Business Suite users will need to continually manage as footprints become more complex and more interdependent. And there is no universal approach for keeping these applications secure.

In general, ERP development, testing and middleware tiers will not be internet facing. If they are, then keeping these tiers, along with your Cloud tier, adequately patched is the best strategy for mitigating security threats posed by exposure to the internet.

  • In other cases, additional security measures are required.

For example, an Oracle E-Business Suite deployment consisting of “I” modules such as iSupplier or iRecruitment would probably need to ensure that its ERP applications are protected by security measures that go beyond a traditional firewall. Likewise, a JD Edwards client that uses the Supplier Self-Service or Customer Self-Service modules would also need to ensure that both its production and non-production environments are protected by security that goes beyond a traditional firewall.

In the context of these threats, Syntax has the experience and expertise to customize the right security controls, including deploying application layer firewalls on the Syntax Enterprise Cloud™, that best fit your business needs.

Unintentional Leaking of ERP Login Credentials and Other Sensitive Information

Another common vulnerability cited by the report pertains to unintentional leakage of critical technical information. This can occur when, for example, contractors share credentials on public message boards and/or cloud project management tools, or when information is shared via File Transfer Protocol (FTP) or Web Services.

As the report concludes, organizations with internet-facing ERP applications who expose this type of information play right into the hands of cybercriminals.

Accordingly, ERP users that need to rely on FTP or Web Services to share sensitive information should ensure that these services are not directly public facing.

The second step that Oracle JD Edwards and Oracle E-Business Suite users can take to protect themselves against this vulnerability is to employ sound security practices. Login credentials for both employees and contractors should be invalidated when they’re no longer needed. Organizations must incorporate sound password hygiene policies, such as requiring strong passwords, employing well-planned access controls such as requiring frequent password changes, prohibiting recycling of passwords, and using multi-factor authentication whenever possible.

While measures like the ones above provide a solid first line of defense against cyberattacks on ERP applications, most JD Edwards and Oracle EBS users will need to do more.

To help protect JD Edwards and Oracle E-Business Suite users against this threat, Syntax takes added precautions by offering payload security and limiting the scope of available Web Services.

JD Edwards and Oracle E-Business Suite Security Tailored to Your Needs

The key takeaway from “ERP Applications Under Fire” is that ERP platforms are now on the radar screen of cybercriminals, who are getting more aggressive.

Syntax has been deploying and supporting ERP solutions for over 40 years, which gives us the expertise needed to tailor ERP security solutions to meet each client’s unique requirements and, moreover, we’re able to do so in a non-intrusive manner.
