Well I would say that, wouldn’t I? It’s how I make my living (sorry, couldn’t face doing the it/IT pun twice in three sentences). It’s true, though.
Consider your line-of-business application. It probably cost a good deal to put in, and probably has at least some hardware and software resilience – being mission-critical and all. But do you:
- Run separate test, training and production environments
- Subscribe for vendor support for all elements of the system
- Watch daily for exploit alerts and patches to firmware and software
- Keep the underlying operating system and database on the latest version (or at least the one before)
- Retire the hardware at end of life religiously, replacing disks according to age (or at least SMART status)
- Apply all patches and updates to the test system first, then test them, then apply them live
- Test & apply critical security patches within 72 hours of release
- Run proper configuration and change management
- Monitor the database for internal consistency, including rerunning and comparing historic reports
- Keep your transaction logs until you’re happy with the historic consistency check
- Validate your software supplier’s secure development lifecycle process
- Routinely test your resilience provision and test restore from backup
- Perform regular security audits checking user activity and privileges
- Monitor, filter or block all in- and outbound network traffic
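Several of the items above are mechanically checkable, and the point of the list is that nobody checks them. The following is an added example, not code from the original post: a small Python script that evaluates a constructed asset inventory against three of the listed controls (critical patches applied within 72 hours of release, OS and database on the latest version or the one before, disks replaced by age). The host names, patch identifiers, version lists and the five-year disk replacement age are all assumed sample values, not anything the post states.

```python
"""Checklist compliance over a constructed inventory (added example, not the post's own code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

CRITICAL_PATCH_SLA = timedelta(hours=72)   # from the checklist: critical patches within 72 hours
MAX_DISK_AGE_YEARS = 5                     # assumed replacement age; the post gives no figure


@dataclass
class Patch:
    id: str
    severity: str        # "critical" or "other"
    released: datetime


@dataclass
class Host:
    name: str
    os_version: str
    db_version: str
    applied: set         # ids of patches already applied on this host
    disk_installed: datetime


def overdue_critical_patches(host, catalogue, now):
    """Critical patches released more than 72h ago that this host still lacks."""
    return [p.id for p in catalogue
            if p.severity == "critical"
            and p.id not in host.applied
            and now - p.released > CRITICAL_PATCH_SLA]


def version_ok(installed, supported):
    """True when `installed` is the newest or second-newest entry of `supported` (oldest first)."""
    return installed in supported[-2:]


def disk_overdue(host, now):
    """True when the disk has been in service longer than the assumed replacement age."""
    return now - host.disk_installed > timedelta(days=365 * MAX_DISK_AGE_YEARS)


def assess(host, catalogue, os_versions, db_versions, now):
    """Return a list of human-readable findings for one host; empty means compliant."""
    findings = []
    for pid in overdue_critical_patches(host, catalogue, now):
        findings.append(f"critical patch {pid} outside 72h window")
    if not version_ok(host.os_version, os_versions):
        findings.append(f"OS {host.os_version} older than N-1")
    if not version_ok(host.db_version, db_versions):
        findings.append(f"DB {host.db_version} older than N-1")
    if disk_overdue(host, now):
        findings.append("disk past replacement age")
    return findings


# --- constructed sample data (hypothetical hosts, patches and versions) ---
NOW = datetime(2016, 5, 15)
CATALOGUE = [
    Patch("VENDOR-2010-001", "critical", datetime(2010, 3, 1)),          # years old, still open
    Patch("VENDOR-2016-042", "critical", NOW - timedelta(hours=48)),     # inside the 72h window
    Patch("VENDOR-2016-043", "other", datetime(2016, 1, 1)),             # not critical, ignored here
]
OS_VERSIONS = ["7.0", "7.1", "7.2", "7.3"]   # oldest first; 7.2 and 7.3 are acceptable
DB_VERSIONS = ["11", "12", "13"]             # oldest first; 12 and 13 are acceptable
HOSTS = [
    Host("erp-prod-01", "7.3", "13", {"VENDOR-2016-042"}, datetime(2014, 1, 1)),
    Host("erp-prod-02", "7.1", "13", set(), datetime(2010, 6, 1)),
]


def run_assessment(hosts=HOSTS, catalogue=CATALOGUE, now=NOW):
    """Map each host name to its list of findings."""
    return {h.name: assess(h, catalogue, OS_VERSIONS, DB_VERSIONS, now) for h in hosts}


if __name__ == "__main__":
    for name, findings in run_assessment().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run as a script it prints one line per host. In the sample data the first host's only failure is the six-year-old critical patch, while the second host also trips the N-1 version rule and the disk age check; the 48-hour-old critical patch is not reported for either host because it is still inside the window.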
If you do all of these things, congratulations – you’re one step closer to being secure. But I bet you don’t, because all of this takes time – which is money – requires scheduled downtime – which is money – and needs user co-operation – which is…you get the idea.
If you don’t, then the critical question is do you – and your board – understand the associated risks and accept or insure them? If not then one day you may find that watching the pennies did not let the pounds take care of themselves.
But at least you’ll be in good company. The US government CERT just issued a don’t-name-but-do-shame note pointing out that there are (at least) 36 SAP installations out there whose sysadmins haven’t applied a patch that came out in 2010. A patch that protects against an exploit which allows an attacker to take complete control of the SAP system. Oh well, the hackers have only had six years to work out how to use it, then.