Protecting SAP HANA from Decrypting Eyes

SAPEncyrptEyes479354122BlogCyber-attacks are a painful reality in today’s ultra-connected world of gadgets, global positioning and gigabytes of everything. It’s very likely that if you’re reading this, you’ve been a victim of some form of cybercrime in the last 12 months. Whether from an attack on your health insurance provider, a mass credit card hack, or intrusion of your favorite big box retailer — malicious invasions come in many different forms and we’re all susceptible. This is especially true for high-profile organizations and mainstream corporations. Who can forget the near constant coverage of the Sony Pictures hack in 2014 that resulted in thousands of confidential articles and emails exposed to the world?

All technology businesses accept a certain amount of risk and must take the steps necessary to mitigate those risks through prevention and early detection. Defending against attacks is a full-time job and provides work for entire departments of security engineers. Staying ahead of the “bad guys” by ensuring a secure data fortress is the goal, but once in a while when a single vulnerability is discovered, potentially everything is compromised. That is the time for the security team to shift gears and act. Fast!

On June 18, 2015, a vulnerability in SAP HANA was revealed at the Black Hat Sessions XIII conference in the Netherlands. Dmitry Chastukhin from ERPScan described an issue relating to static encryption keys used in nearly every SAP HANA implementation. Since it was likely that almost every HANA system was using the exact same static key, anyone with the knowledge to decrypt the algorithm in hdbuserstore could potentially gain access to sensitive information. Decrypting the file would reveal usernames, passwords, and other highly secure information.

To prevent criminals from potentially decrypting the file, the default key needs to be explicitly changed, thus making it unique and virtually impossible to decrypt (see the SAP Security Note 2183624 for tips on how to do it).

Quick Response from SAP

Within five days of Chastukhin revealing the latest vulnerability, the SAP Service Marketplace (SMP) — SAP’s customer and partner support portal — was updated with a news article describing the recommendation to change the default keys in SAP HANA implementations.

The article went on to direct customers to the security note and guide described below:

  • SAP Security Note 2183624
    “Potential information leakage using default SSF master key in HANA”
    The security note outlines exactly how to generate a new master key and discontinue using the default key values.
  • SAP HANA Security Guide
    A guide to securing every aspect of an SAP HANA deployment.
    The document is continually updated and includes technical details for SAP HANA Platform SPS10.

According to the article on the SMP, their security strategy is based on three pillars:

  • Prevent
  • Detect
  • React

Their strategy is built on “a comprehensive security framework of processes, guidelines, tools, and staff training” as part of their “Secure Software Development Lifecycle”.

It sounds like the old adage coined by Benjamin Franklin — “an ounce of prevention is worth a pound of cure” — remains relevant more than ever in today’s high-tech world.

Fending Off Other Attacks

The vulnerability revealed on June 18th wasn’t the first attempted attack on SAP HANA that month. Just two weeks prior, it was revealed that a potential disclosure (relating to Code Inspector) made SAP ABAP vulnerable to an attack.

These types of malicious attacks have kept SAP’s security team on their toes. In 2014, nearly 200 high-priority security patches were released as the various software solutions adapted to potential hacks.

Since data is often a company’s most valuable asset — a secure database along with a business intelligence solution — is of utmost importance. SAP is a reliable partner and continues to help protect their customers from unwanted intrusions through their software. Data breaches and the exposure of sensitive information to hackers are extremely costly and harm organizations much more than “a pound of cure” can correct.

Comfort in Security

Knowing that companies like SAP remain on “high alert” and are able to respond quickly to threats, should help the officers in the C-Suite sleep a little easier at night. As they say in football — offense wins games, but defense wins championships.

Related Training
SAP Training

In this article

Join the Conversation