Mitigation of Vulnerabilities

According to the Cambridge dictionary, the word “Mitigation” means:

“a reduction in how harmful, unpleasant, or bad something is”.

In the context of vulnerability management, “Mitigation” means removing a vulnerability, or reducing the chance that it can be exploited, so that an attacker can no longer use it. Once a vulnerability has been mitigated, the risk associated with its exploitation is removed (or, where the measure only limits exposure, substantially lowered) and the total risk associated with the SAP infrastructure is reduced.

The “art of mitigation” lies in:

  • preventing exploitation of a vulnerability, while at the same time allowing business processes to function as normal

  • reducing the most risk whilst staying inside your security budget

Mitigation effort

Since there are many different types of vulnerabilities, their corresponding mitigation measures also vary widely. An example of a simple mitigation measure is changing the default password of a standard SAP user, while a more complicated mitigation measure could involve defining an ACL (Access Control List) file such as the secinfo file, which restricts the external programs that the SAP gateway is allowed to start.

We classify the mitigation effort in the following terms:

Risk Mitigation effort

In general, a higher mitigation effort means higher costs. Since security budgets are not unlimited, a smart selection of the vulnerabilities to be mitigated is the key to achieving the highest reduction of risk.

Mitigation efficiency

To get the greatest risk reduction out of your budget, Protect4S enables a smart selection of the vulnerabilities to be mitigated by presenting a heat map of all vulnerabilities found, plotted according to their mitigation effort:

Risk Mitigation heatmap

This heat map shows the risk levels of the checks plotted against mitigation effort. Quick wins for mitigation can be found in the upper-left-hand side of the heat map (for mitigation effort values Very Low and Low). This way users can identify, select and concentrate on solving the easy-to-fix vulnerabilities first.

When starting out with vulnerability management, it is recommended to begin with the vulnerabilities that are easy to fix (the least mitigation effort) and that carry a (Very) High risk. Once these have been dealt with, the more complex vulnerabilities can be tackled.
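The prioritisation described above (risk plotted against mitigation effort, with quick wins in the upper-left corner) is easy to reproduce for your own list of findings. The script below is an added example and not Protect4S code; the five-step scales, the finding names and the risk and effort ratings are constructed assumptions for illustration, not output of the product.

```python
"""Rank findings by risk versus mitigation effort, as on the heat map above.

Added example, not Protect4S code.  The scales and the sample findings are
constructed assumptions; replace them with your own scan results.
"""
from collections import Counter
from dataclasses import dataclass

# Ordinal scales, lowest to highest.  The page names "Very Low" and "Low"
# effort as the quick-win band; the five-step layout is an assumption.
RISK_LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
EFFORT_LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]


@dataclass(frozen=True)
class Finding:
    check: str   # name of the check that fired
    risk: str    # one of RISK_LEVELS
    effort: str  # one of EFFORT_LEVELS

    def __post_init__(self):
        # Reject typos early: an unknown level would silently misplace a finding.
        if self.risk not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {self.risk!r} for {self.check!r}")
        if self.effort not in EFFORT_LEVELS:
            raise ValueError(f"unknown effort level {self.effort!r} for {self.check!r}")


# Constructed sample findings (assumed ratings, not real scan output).
SAMPLE_FINDINGS = [
    Finding("Default password of standard SAP user unchanged", "Very High", "Very Low"),
    Finding("Gateway secinfo allows every external program", "Very High", "Medium"),
    Finding("RFC service user holds SAP_ALL", "High", "Low"),
    Finding("Kernel patch level outdated", "High", "Very High"),
    Finding("Minimum password length set to 3", "Medium", "Very Low"),
    Finding("Security audit log disabled", "Medium", "Low"),
    Finding("DIAG traffic not encrypted", "Medium", "High"),
]


def heatmap(findings):
    """Count findings per (risk, effort) cell; this is the heat map's data."""
    return Counter((f.risk, f.effort) for f in findings)


def quick_wins(findings, max_effort="Low", min_risk="High"):
    """Findings with effort at or below max_effort and risk at or above min_risk,
    i.e. the upper-left corner of the heat map."""
    max_e = EFFORT_LEVELS.index(max_effort)
    min_r = RISK_LEVELS.index(min_risk)
    return [f for f in findings
            if EFFORT_LEVELS.index(f.effort) <= max_e
            and RISK_LEVELS.index(f.risk) >= min_r]


def mitigation_plan(findings):
    """Full work list: highest risk first, then lowest effort, then check name
    so the order is stable between runs."""
    return sorted(findings, key=lambda f: (-RISK_LEVELS.index(f.risk),
                                           EFFORT_LEVELS.index(f.effort),
                                           f.check))


def render(grid, label_width=14, cell_width=10):
    """Text heat map: risk rows with the highest on top, effort columns with the
    lowest on the left, so quick wins sit in the upper-left corner."""
    header = "risk \\ effort".ljust(label_width)
    header += "".join(e.ljust(cell_width) for e in EFFORT_LEVELS)
    rows = [header]
    for risk in reversed(RISK_LEVELS):
        cells = "".join(str(grid.get((risk, e), 0)).ljust(cell_width)
                        for e in EFFORT_LEVELS)
        rows.append(risk.ljust(label_width) + cells)
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(heatmap(SAMPLE_FINDINGS)))
    print("\nQuick wins:")
    for f in quick_wins(SAMPLE_FINDINGS):
        print(f"  [{f.risk} / {f.effort}] {f.check}")
    print("\nFull plan:")
    for f in mitigation_plan(SAMPLE_FINDINGS):
        print(f"  [{f.risk} / {f.effort}] {f.check}")
```

The sort key in mitigation_plan deliberately puts risk before effort: an outdated kernel (High risk, Very High effort) still ranks above a Medium-risk quick win, which matches the advice to start with easy high-risk items but not to let effort alone decide the order.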

Best practice mitigation measures

SAP has published an enormous amount of information on vulnerabilities and the best ways to get rid of them. This information contains specific recommendations for a wide variety of SAP system types and versions. For someone starting out with vulnerability management, finding the right information can be a challenge.

Fortunately, Protect4S provides SAP's best-practice recommendations for the mitigation of each vulnerability. These recommendations come from OSS Notes, SAP Help, SAP whitepapers and SAP blogs from the SAP Developer Network (SDN). This can save you many hours of searching.

In general, it is recommended to stick with these SAP best practices. Following SAP's own documented recommendations keeps your systems in a configuration that SAP supports; home-grown workarounds that deviate from them may not.