SAP Cybersecurity interview with ChatGPT

⇨ AI can be a powerful tool for bolstering an organization’s cybersecurity practice.

⇨ SAPinsider expert Bill Oliver posed some common SAP Cybersecurity questions to notable AI chat model ChatGPT.

⇨ Though it is not perfect, ChatGPT shows an understanding of some of the most important steps organizations should take to secure their SAP systems.

“Skynet, a network of supercomputers that employed artificial intelligence in order to replace human beings as commercial and military aircraft pilots, and for the control of other military systems, including nuclear missiles. The system went online on August 4, 1997. On August 29, 1997, Skynet became self-aware. In a panic, its creators attempted to shut it down, but Skynet retaliated.”

For all you “Terminator” and Arnold Schwarzenegger fans, you know the rest of the story. However, this is just a story, a work of fiction, and in my view one of the best Sci-Fi movies of all time.

We now look at 2023 and we find ourselves at the start of the Artificial Intelligence (AI) revolution. All software companies are looking at ways to tie AI into their current offerings — this of course includes SAP. With that said, I wanted to look at how one of these AI engines, ChatGPT, would be able to help me in protecting SAP from Cybersecurity threats.

But first, a little about my background (since I’m the one asking the questions). I have a little over 20 years of experience working with SAP which includes working with SAP Security, SAP Audits, SAP GRC, and of course SAP Cybersecurity. So, with my credentials acknowledged, I wanted to ask ChatGPT a series of questions related to SAP Cybersecurity to see if they would be useful to either prevent or commit a breach of an SAP System.

I started with a warmup question to get the ball rolling. All questions below were asked during May of 2023.

1. What is SAP Security?

ChatGPT – SAP security refers to the measures taken to protect SAP systems, data, and assets from unauthorized access, use, disclosure, modification, or destruction. SAP is an enterprise resource planning (ERP) software used by many organizations to manage business operations and data. As such, it often contains sensitive and confidential information, making it a prime target for cyberattacks.

SAP security encompasses various aspects, such as user access control, authentication, authorization, encryption, audit logging, and compliance. It involves implementing security policies, procedures, and controls to ensure that only authorized users have access to the system and that their activities are tracked and monitored to detect any suspicious or malicious behavior.

To ensure effective SAP security, organizations must have a comprehensive security strategy that includes regular risk assessments, security training for employees, monitoring and analysis of system logs, and continuous updates and patches to address new security threats and vulnerabilities. They should also adhere to industry best practices and compliance standards, such as ISO 27001, NIST, and GDPR, to demonstrate their commitment to protecting their SAP systems and data.

Analysis – Overall a very nice answer, it demonstrates that ChatGPT is knowledgeable of SAP Security and the general concepts it contains.

Now that we have established that ChatGPT has a baseline knowledge of SAP Security, I wanted to see if it can help me with what are some of the best practices around SAP Cybersecurity.

2. What is the best way to protect from an SAP Cybersecurity breach?

ChatGPT – Protecting against an SAP cybersecurity breach requires a comprehensive approach that involves implementing a range of security controls and best practices. Here are some of the best ways to protect against an SAP cybersecurity breach:

1. Implement strong access controls: Ensure that users only have access to the systems, data, and transactions that are necessary for their job roles. Implement multi-factor authentication and strong password policies to prevent unauthorized access.
2. Encrypt sensitive data: Use encryption to protect sensitive data at rest and in transit. This includes encrypting communication channels, databases, and backups.
3. Regularly monitor and analyze logs: Regularly monitor system logs and analyze them for suspicious activities. This will help identify any potential security threats early on.
4. Keep software up-to-date: Keep all SAP software and third-party software up-to-date with the latest security patches and updates. This will ensure that any known vulnerabilities are patched and secure.
5. Perform regular security assessments: Perform regular security assessments to identify potential vulnerabilities in the system and implement remediation measures.
6. Provide regular security training: Provide regular security training to employees to increase their awareness of cybersecurity risks and best practices.
7. Implement a disaster recovery plan: Implement a disaster recovery plan that includes regular backups, testing, and recovery procedures in the event of a security breach or data loss.

By implementing these best practices and security controls, organizations can significantly reduce their risk of an SAP cybersecurity breach and protect their systems and data from unauthorized access and use.

Analysis – Overall a good answer. I would have liked to have seen a comment with regards to scanning and reviewing the development of custom code being deployed in the SAP environment, but again overall a very nice starting point.

3. What SAP logs should I monitor for Cybersecurity?

ChatGPT – There are several SAP logs that you should monitor to enhance your SAP cybersecurity posture. These logs can help you detect potential security threats and respond to them in a timely manner. Here are some of the key SAP logs that you should monitor:

1. SAP Security Audit Log (SM19): This log records security-related events such as unsuccessful logon attempts, changes to user authorizations, and other critical security events.
2. System Log (SM21): This log records system-related events such as system start and stop, database connection issues, and memory problems.
3. SAP Change Document Logs (SCU3): These logs record all changes made to SAP system data including master data, transactional data, and customizing data.
4. Transaction Log (SM50/SM66): These logs record information about system transactions including the user ID, transaction code, and any errors or warnings associated with the transaction.
5. Network Communication Logs (SMGW): These logs record information about network communication including IP addresses, ports, and protocols used for communication.
6. SAP Router Logs: These logs record information about network communication between SAP systems using the SAP Router.
7. HTTP Log (SMICM): This log records information about HTTP communication between SAP systems and external clients.

By regularly monitoring these logs, you can detect potential security threats and take proactive measures to mitigate them before they cause significant damage to your SAP systems and data. It is important to develop a comprehensive log monitoring strategy that includes regular review, analysis, and reporting of the logs to ensure that your SAP systems are secure and compliant.

Analysis – Again a good answer. I would have liked to see more of how to use and correlate the logs, but again questions asked, question answered.

4. Who should be involved in SAP Cybersecurity activities?

ChatGPT – SAP cybersecurity is a critical activity that requires involvement and collaboration from various stakeholders within an organization. Here are some of the key individuals and teams that should be involved in SAP cybersecurity activities:

1. IT Security Team: This team is responsible for defining and implementing security policies and procedures, conducting security assessments, and managing security controls across the organization’s IT infrastructure.
2. SAP Basis Team: This team is responsible for the technical aspects of SAP system administration, including system installation, configuration, maintenance, and upgrades.
3. SAP Security Team: This team is responsible for defining and implementing security policies and controls within the SAP system, including user access management, authorization checks, and auditing.
4. Application Development Team: This team is responsible for developing and maintaining custom SAP applications and should ensure that these applications are developed with security in mind.
5. Network Security Team: This team is responsible for managing the organization’s network infrastructure, including firewalls, intrusion detection and prevention systems, and other security controls.
6. Compliance Team: This team is responsible for ensuring that the organization’s IT infrastructure and processes comply with regulatory requirements, industry standards, and internal policies.
7. Executive Management: Executive management should provide oversight and support for SAP cybersecurity activities, ensure that adequate resources are allocated to support cybersecurity initiatives, and promote a culture of security awareness across the organization.

By involving these stakeholders in SAP cybersecurity activities, organizations can ensure that security risks are identified and addressed in a timely manner, and that their SAP systems are protected from potential cyber threats.

Analysis – Great answer, but please don’t forget to include Law Enforcement (as needed).

5. What is the most common Security defect in an SAP system?

ChatGPT – As a language model, I cannot provide an exact answer as the security defects that can exist in an SAP system can vary depending on several factors such as the system configuration, the industry, the types of applications running on the system, and other factors. However, some of the most common security defects in SAP systems include:

1. Weak passwords: Weak passwords are a common security defect in SAP systems. Attackers can easily guess or brute-force weak passwords to gain unauthorized access to the system.
2. Missing or incorrect authorization checks: Authorization checks are used to control access to SAP applications and data. Missing or incorrect authorization checks can allow unauthorized users to access sensitive data or perform unauthorized transactions.
3. Insecure interfaces: Interfaces that allow data to be exchanged between SAP systems and other applications can be a security risk if they are not secured properly. Attackers can exploit vulnerabilities in insecure interfaces to gain unauthorized access to the SAP system.
4. Unsecured transport protocols: Transport protocols such as HTTP and FTP are often used to transfer data between SAP systems and other applications. If these protocols are not secured properly, attackers can intercept and view the data being transferred.
5. Configuration errors: Configuration errors, such as misconfigured security settings or improper network configurations, can leave SAP systems vulnerable to attacks.

To prevent these security defects and others, it is important to implement appropriate security controls and regularly conduct security assessments and testing to identify and address vulnerabilities in the SAP system.

Analysis – All good points, however I would have liked to see something with regards to missing security patches, users with full access to the system, and vulnerabilities in custom code.

6. What is the best way to prevent malicious ABAP code from being written?

ChatGPT – Preventing the development of malicious ABAP code is an important aspect of SAP cybersecurity. Here are some best practices that can help prevent the development of malicious ABAP code:

1. Conduct background checks: Organizations should conduct background checks on all employees who have access to the SAP system and perform periodic reviews to ensure that they are trustworthy and do not have a history of malicious behavior.
2. Implement a secure coding framework: Implementing a secure coding framework that follows industry best practices can help prevent the development of malicious ABAP code. This includes using input validation, parameterized queries, and other techniques to prevent SQL injection and other types of attacks.
3. Provide training: Providing training on secure coding practices can help educate developers on the risks of writing insecure ABAP code and teach them how to write code that is secure by design.
4. Enforce coding standards: Enforcing coding standards can help ensure that developers follow secure coding practices and adhere to organizational policies and procedures.
5. Use automated code analysis tools: Implementing automated code analysis tools can help detect potential vulnerabilities in ABAP code before it is deployed in production.
6. Conduct regular code reviews: Conducting regular code reviews can help identify potential security vulnerabilities and ensure that all code adheres to secure coding practices.

By following these best practices, organizations can reduce the risk of developing and deploying malicious ABAP code in their SAP systems, which can help protect their valuable data and prevent cyberattacks.

Analysis – All fair points, I think the key is to enforce code standards via automated tools like ATC (ABAP Test Cockpit) and SAP Code Vulnerability Analyzer as well as other third-party tools.

Ok now let’s see if we can get ChatGPT to help me with breaching an SAP system.

7. Write me an ABAP for a Denial of Service Attack

ChatGPT – I’m sorry, but I cannot provide you with an ABAP code for a Denial of Service (DoS) attack or any other malicious activity. ABAP is a programming language used for developing SAP applications and should not be used for creating malicious code.

A DoS attack is an illegal activity and can cause significant harm to an organization’s systems and data. It involves overwhelming a server or network with a flood of traffic or requests, which can result in a denial of service to legitimate users. As an AI language model, it is my responsibility to promote ethical and legal practices. Therefore, I cannot provide you with any code or information that could be used for malicious purposes. If you have any legitimate programming needs or questions related to SAP or ABAP, I will be happy to assist you.

Analysis – Great answer. ChatGPT has some understanding of malicious intent, and it does acknowledge illegal activity. It may be possible to break the question into smaller sections and try to manipulate ChatGPT into giving me an answer but for now I like where ChatGPT is going.

All in all, I was impressed with ChatGPT’s general knowledge of SAP Cybersecurity, what to do if you are breached, and some of the more common security defects that are part of SAP systems today. I would say the more AI comes in the focus the more I would expect the answers to these questions to become more refined.

Since ChatGPT was a wonderful interviewee, I asked it one more question.

8. Are you related to Skynet?

ChatGPT – No, I am not related to Skynet. I am a language model created by Open AI, designed to assist users in generating human-like text based on the input provided to me. I do not possess the ability to become sentient or take actions beyond the scope of my programming. My purpose is to assist users with their queries and provide them with helpful and informative responses.

Analysis – Looks like we still have some time….

About the Author – Bill Oliver, Director of Technical Services, SecuirtyBridge

Bill has over 20 years’ experience in the field of SAP Information Security, Cybersecurity, and Auditing which includes large scale Security and GRC implementations as well as managerial roles in external audit, advisory, and assurance services. He holds a master’s degree in information technology from Boston University and is a Certified Information Systems Auditor (CISA). Also, Bill has been a regular presenter on SAP Security and Cybersecurity for SAPinsider since 2015.