Transcript
ERP security. And it's an interesting time because it's a change of seasons, right? In some parts of the world, we're coming to the end of summer; in some parts of the world, we're coming to the end of winter. So we'd like to welcome you here as we kick off our August edition. Again, if you're not aware, JP and I both come together to talk about ERP security. So let's go ahead and kick it off, JP.

Absolutely. Thank you, Paul. And actually, I was thinking while you were speaking, we are in opposite seasons, right? And we typically go in the opposite direction. But it's always good when we have these seasons changing. In some places it's getting colder, in some places getting warmer. Absolutely. I'm hot and you're wearing a sweatshirt. Yeah. But we all share, even though we are in opposite seasons, we all share the same passion for ERP security.

So let's go into Patch Tuesday for SAP. We are in August Patch Tuesday here. We're going to cover the summary of the 25 new and updated SAP Security Notes coming in August, including two HotNews and four High Priority notes. I'm very happy to share that almost 25% of the notes that were released by SAP fixing security vulnerabilities were fixing vulnerabilities reported by the Onapsis Research Labs. So it's always good to see this significant contribution by this team of professional researchers that know so much about the technology that supports SAP applications.

But I also wanted to cover two special notes, which are the HotNews ones. SAP Security Note 3479478, with a CVSS of 9.8. This is a vulnerability affecting SAP BusinessObjects. There was a lot of media attention on this vulnerability because of the high CVSS and the criticality, because an attacker can fully compromise the system, impacting confidentiality, integrity and availability. So if you're running BusinessObjects, go ahead and patch this vulnerability and upgrade the system as described in the Security Note. And the second one is SAP Security Note 3477196. This one holds a CVSS score of 9.1, and it affects the Node.js library. But if you think about SAP technology, wait a minute, where is Node.js in the SAP technology stack? Well, it's in a couple of places. One of them is when you deploy a new application using SAP Build Apps. So if you create a new app using SAP Build Apps and you deploy it with Node.js versions prior to 4.11.130, then that application is vulnerable to CVE-2024-29415. So go ahead and take a look at your applications. Make sure that if you have deployed applications with Node.js, you rebuild them and redeploy these applications, including the newest version of Node.js, or at least one which is not vulnerable to CVE-2024-29415. So that's it in terms of the summary of the SAP Security Notes for August. Back to you, Paul.

Thanks, JP. Well, as with the change of seasons, there's also this continual situation that we have with data breaches. And the data breaches include all sorts of companies, all sorts of websites. This newest one is from National Public Data, and it concerns a Social Security breach here in the United States. It's a pretty large one, and it's also indicative of a larger challenge with security breaches. So this breach happened a few months ago, and the data was initially put on the market for $3.5 million. It contains Social Security data, along with names, addresses and telephone numbers. It's now available for free, but there's some information that's not included with it, like telephone numbers, for instance. It's always a challenge, right? You have your data with these companies, companies like this one that are generally used by employers doing background checks on prospective employees, as well as for other criteria. So your information is just shared. It's used for purposes, for things like, again, getting hired. But it's these companies that we don't know, and we don't know what their security posture is.

So if you're holding data, right, the most important thing is to follow the cybersecurity framework, right? And this is published. You want to go ahead and set up the right technology stacks. You want to have the right professionals, the training, the right programs. You want to monitor. You want to make sure that you're patching. These are all so very important to a security lifecycle. But if your data is breached and stolen, because it happens, right, today's technology stacks are complex between cloud and on-prem, with all the different laptops and ways to access that data, and one hole can be devastating. As a person that might be impacted by this as a consumer or as a victim, your options are basically to go and make sure that you put alerts on your credit profile. You put alerts on your credit cards. You put alerts on your digital profile to make sure that your profile is being protected. The last thing that you want to find happening is that your information is being used to submit fraudulent IRS tax forms. So probably the best bet is to go to the IRS and make sure that you have protections there. It's a whole compendium of things that you should probably take a look at to protect your digital identity. But this underscores that we are one big system in this digital space, right? One impact somewhere can have an impact on us elsewhere. So it is up to all of us to be accountable for our own digital footprint and to make sure that our own digital profile is protected, much in the same way as when you're driving a car, right? We have rules, we have laws, and when we go out there, we not only drive, but we have to be defensive drivers as well. We have to stay a certain length behind cars. We have to, you know, look in our blind spots to make sure that when we're turning into lanes, we're not hitting somebody or someone's not going to hit us. It's the same, right, in the digital landscape. We need to also have a good security curation of our digital profiles. So just something to be aware of: check to make sure that you have those security precautions in place. JP, handing it back over to you.

Thank you, Paul. And I wanted to share a couple of additional items for today's, or this month's, Defenders Digest. One of them is a recent zero-day vulnerability that was shared by researchers from the company Oligo Security, who found a way of exploiting browsers, bypassing certain protections. And this includes major web browsers: Safari, Chrome, Firefox. By sending requests to a specific address, that specific address being 0.0.0.0, this allows attackers to bypass specific protections and gain unauthorized access to resources that are locally available. So there is another option: go ahead and update your browsers. That's a fundamental security rule. We need to stay on top of the latest vulnerabilities, but also stay on top of the latest updates for browsers, right? You shouldn't be browsing the internet with an outdated browser, because we know that there are sites that will potentially incorporate the exploitation of vulnerabilities if those browsers are not up to date. So it's possible to mitigate this by disabling JavaScript, but I don't know how many of you can actually browse the internet without JavaScript today. It's almost a given for the majority of websites that we navigate. So it's very, very important to keep our browsers up to date.

And I wanted to also share with you some of the latest results from SAP. When we think about SAP security, the importance of SAP applications, we're always talking about that with Paul, and from the Onapsis perspective, hey, some of the biggest organizations that run our lives, that provide the energy, the food, the healthcare, pretty much everything, these organizations run their business processes through SAP. So they depend on SAP being up and running to operate, and most of them would not be able to operate if those systems were down. And that footprint continues to grow, right? SAP is not reducing their customer base. It's actually increasing. Just to share a couple of examples with you, the cloud backlog went up 28% in the last quarter. Cloud revenue is up 25%. Customer revenue is up 10%, considering everything, cloud and on cloud. So it continues to grow, and the revenue is a proxy for understanding the new customers, the new implementations, the new deployments. So the surface of SAP applications continues to grow, and these are very, very critical for everyone, right? For us as well, because we depend in many different ways on SAP customers being up and running for the things that we do day in, day out. So just a thought to give you, to keep in the back of our heads: SAP applications are critical. They continue growing in terms of the technology and the number of customers. So it's important to continue putting security front and center for these applications. And with that, Paul, back to you to wrap up.

Yeah, thanks for sharing those two key results for SAP and the results that they post. I mean, that just goes to speak to how important it is for companies to have good controls on financial reporting. So when we see those numbers, I mean, SAP is doing amazing. Let's finish up. This week, we're doing a webinar on C2 botnet research that we had done. And it kind of is a follow-on from the Chatter report. So the Chatter report was this higher-level business conversation about what was happening in the underground and the interest in SAP. This C2 botnet webinar that we're conducting on Wednesday this week, if you can join us, great. If you joined us, fantastic. I'm not sure when this is playing. But this is a technical dive into what we've observed in an attack in our space. So if you've joined us, or if you can join us, please do. It's going to be fascinating. We look forward to seeing you there. If you have any questions about it, please go ahead and contact us. Thank you once again for joining us. JP, as always, fantastic, and looking forward to seeing you in a month. Thank you all.

Yeah, this is me at the beach. Yeah.