SAP Security Assessment V3 English

SAP Security Assessment SAP R/3 Security Assessment The first step towards the secure management of your ERP

Why Openware - Insside

Through the “SAP Security Assessment” practice, we offer a solution which leads to management awareness, making them viable for the existent security problems in R/3 environments.

The suggested approach combines processes, policies, practices and technology so as to offer a wide variety at the time of diagnosing and securing your ERP.

In addition, we propose a holistic, incremental and evolutionary perspective that permits scalability to its different components and maturing stages, in order to assure a successful adoption.

We possess a solid and extensive track record.

+14 years of experience

Projects in Latin America and Europe

We have qualified and committed Professionals

International Acknowledgments:

Endeavor Foundation

Avina Foundation

Junior Achievement

Junior Chamber International

Within the TOP50 of Argentinian companies in terms of CSR

Within the TOP10 of Argentinian information security companies

Track record

Track record Assessment and Revision of SAP R/3 Platform Terra Networks Argentina T-Manages Argentina Telephonic Group (T-Gestiona Grupo Telefónica Argentina) Assessment and Revision of SAP Profiles T-Manages Spain Telephonic Group (T-Gestiona Grupo Telefónica España) AES Chile – Implementación Sarbanes Oxley Remote Access and SAP Security Monsanto Famiq Penetration Test DELSUR – El Salvador Liberty Argentina Insurance Company (Liberty Compañía de Seguros Argentina) Rosario’s City Council (Municipalidad de Rosario) Argentina Movile Telephonic (Telefónica Moviles Argentina) Audit and Information Security Implementation Emergia (Telephonic Group) Sesa Select (Vedior Group) Telefónica Empresa (Telephonic Group) Revisión de Seguridad Portal Terra Networks (Telephonic Group) Adquira Spain Security Audit (Auditoría de Seguridad Adquira España) Telefónica Comunicaciones Personales (Telephonic Group) Argentina Municipal Bank of Rosario (Banco Municipal de Rosario) CEICOM Spain (CEICOM España) DPS Best Select Chile Terminal 6 Minera Lumbrera Meridiam Bank (Banco Meridiam) Argentina Federal Police (Policia Federal Argentina) Vulnerability Assessments New Bisel Bank (Nuevo Banco Bisel) Toyota Globant Microglobal NCA Globalstar – TESACOM Globant Neuralsoft

Why to secure SAP?

Generally, ERP platforms are designed for international markets which have to be customized. Thus, some functions and parameters are not always consistent with the requirements or particular regulations.

The main users participate only partially in the implementation of the new ERP systems. Therefore, some parameters settings can be skipped because they are unknown for the ordinary users or consultants.

Figures that show its complexity:

+28,000 tables and views

240,000 functions and programs

1,000 parameter accesses of security administration

+15,000 vulnerabilities in operating environments

What is the importance of security in the ERP world ?

Risk areas: Causes

A system which manages all the business information.

In 90% of the revisions that were carried out, there are profile incompatibilities that may cause frauds to the Company.

The possibility of “Authorized Frauds”.

Accesses to mandators with possibilities of service unavailability, through critical transactions.

The financial data not identified in the ERP systems as “productive” can be deleted.

The audit tracks can be activated or deactivated account by account.

Wrongly assigned profiles may generate frauds.

Problems in the architecture design of the environment and infrastructures.

Risk areas: Consequences

Access to confidential information.

Access to Productive Databases.

Connection of equipment which does not comply with security policies.

Operation errors which cause service unavailability due to the excessive permissions of the administrator users.

No detection of Security events in a timely manner.

No preventive or mitigation actions due to the lack of a device of events correlation.

Abuse in profile assignation which increases the probability of frauds.

No strategy for the management of users and passwords to access the application, Operating System, and Databases.

Incoherence between the values assigned in the transactions and the activity values in those transactions.

What do we propose?

Carry out an integral diagnosis of SAP R/3 security (SSA) that shows the risk to which the organization is exposed, as regards:

Possibility of Fraud

Application availability and business continuity

Confidentiality of business information

Integrity of the Information in the application, operating environments and Interface systems

Level of incompatible functions assigned to users

SSA- Security Model

We take into consideration 3 basic principles:

Base the security strategies on business risks and technical risks jointly.

Attain an effective security environment which involves and combines strategy and policies, implementation and administration, event monitoring and technological architecture.

Apply integral processes of risk administration to the components, business processes, and connected computing science technology, as well.

SSA Process Vulnerability & Risk Analysis 1

Vulnerability Analysis

Risk Analysis

Recommendations

Analysis of the Actual Context 0

Analysis of

actual context:

- Organization

- Technology

- Security

- Processes

- People

SSA: Stage 1 Security Deployment: Stage 2 Awareness 3 4 2

Security Hardening

Identity Management

Event Management

Patch Management

Other…

Security Hardening & Mgmt Monitoring for compliance

Validation of objectives already set

Compliance

Development of the normative frame

Analyze users’ profiles

Define functions

Segregate functions

Standardize processes

Definition de accesses

Normative Frame

SOX ISO17799/270001 COBIT Organizational Capacity Technical Complexity Business Benefits (Critical Success Factors)

SSA: Regular participants Client

Sponsor User

Project Coordinator

SAP/networks administrators

Representatives of the user sector/HR

Openware

Senior Strategist

Architect

Security Consultant (CISA)

SSA- In depth Analysis of actual context

Define the scope of the project

Contextual assessment

Users’ control.

Authorization system.

Profile Incompatibility / Possibility of Frauds.

Network infrastructure.

Operating system security.

Protection of database accesses.

Control of the transportation system.

External communications security.

Security mechanisms in document exchanges.

Internet security.

Migration to upper versions.

Methodology and tools

As a whole, the suggested methodology adapts itself to the standard control objectives COBIT / COSO / ISO.

Utilization of tools which belong to the applications, for instance AIS (Audit Information Systems), which are part of the SAP R/3 SYSTEM and tools developed by INSSIDE and Openware.

Vulnerability and risk analysis 0 1

SSA- Submissions

Report on detected vulnerabilities, main risks which generate those weaknesses and recommendations to solve them

Users’ Control

Authentication in SAP.

Password Policies.

SAP standard users’ passwords.

External authentication methods.

Monitoring through the Security Audit Log.

Control of changes in the users’ registers.

Licenses Administration.

Authorizations System

BASIS Administration (Mandators’ structure).

Powerful Profile Management

Access to Transactions and critical Authorization Objects

Notes updating.

Strategies for the application of Hotpackages.

Performance and response times.

Transportation System

Work environment.

Program passage among environments.

TMS (Transportation Managing System).

SSA- Submissions

Report on detected vulnerabilities, main risks which generate those weaknesses and recommendations to solve them

Internet Security

ITS (Internet Transaction Server).

Control over firewalls, services, ports, directories and critical files protection.

Utilization of generic users

Network Infrastructure

SAP and general networks servicies (Routers, Firewalls, SAPRouter).

SNC use (Secure Network Communication).

Communications through public networks (Internet, Modem).

SAPNet connection (OSS).

Operating System Security

User configuration policies and logs.

Monitoring.

Permissions over the directories and SAP main files.

Protection of Database Access

SQLServer / Oracle configuration.

Verify if the standard SAP users’ passwords were modified.

SAPDBA protection.

Existent controls over the critical tables of the system.

SSA- How does it develop?

By obtaining a general knowledge of SAP implantation.

Test the protection level of standard users that is provided by the system (SAP*, DDIC, etc.) in the production environment for each mandator.

Check the configuration quality of the system from the access security’s perspective.

Analyze users with critical rights from the security’s and control’s perspective.

Verify the existence of activity monitoring mechanisms which assure the trace of the operations.

Verify the existence of system management procedures, users’ administration, and verify their implantation and monitoring.

Analyze the effectiveness and efficiency of users’ profiles utilized in the R/3 system, and assigned to users.

Analyze the security scheme of the SAP environment, that is to say, Operating System, networks, Databases and Interfaces.

SSA- Own tools

Attaka assess more than 15,000 security vulnerabilities in SAP environments

It includes the following modules:

Discovery:

Consolidation of assets and assessment (internal and external)

Reporting:

Interactive and historical reports and dashboard with key indicators

Remediation:

It includes documentation processes and workflow

Support:

Online access 7x24 based on ITIL, to specialiazed PS

(*) It is the only security tool in Spanish America under authorization process by cve.mitre.org Vulnerability assessment & management platform