This document introduces Tunde Ogunkoya and their consulting company DeltaGRiC. It discusses how myths around SAP ERP security being limited to segregation of duties matrices have been dispelled, as attacks on SAP systems through interfaces, routers, web clients, and customized ABAP programs leave vulnerabilities. Most vulnerabilities allow unauthorized access to critical business data, so a specific SAP security system is necessary. The document then shifts to discussing cyber attacks across industries globally and lists several high-profile data breaches from 2014. It suggests anyone could be the next target and outlines five steps of best practices for security, noting that many organizations only implement the first two levels. The document promotes continuous improvement and integrating security and business goals.

1. Welcome; Journey to Cyber-Maturity
TundeOgunkoya, DeltaGRiCConsulting
tunde@deltagricconsulting.com

2. The wide-spread myth that SAP ERP security is limited to SOD matrix has been dispelled lately and
seems more like an ancient legend now. Within the last 7 years SAP security experts have spoken a
great deal about various attacks on SAP from RFC interface, SAPROUTER, SAP WEB and SAP GUI
client workstations. Also, the programs developed in SAP’s own language – ABAP, which exists in
almost every company to customize ERP solutions, can store program vulnerabilities left by unqualified
developers or special backdoors which can help insiders to gain illicit access to business data
Most of these vulnerabilities allow an unauthorized user to gain access to all the critical business data,
so it is necessary to think about implementing a specific system of SAP security. Unfortunately, many
information security officers are scarcely informed about the security of business applications like SAP &
Oracle.
Welcome
Tunde Ogunkoya [MBA, GRCP, SAP GRC AC10.0, OWASP]
Consulting Partner, DeltaGRiC Africa

3. Mobility & Cloud; Next Drivers of
Technology. Where does that leave Cyber
Security?

4. 4
Cyber Attacks? Where?Global Pandemic, Across All Industries
USA
42%
South
America
17%
Asia
25%Africa
3%
Australia
13%
Cybersecurity expertssay thisenormousdatabreach isjust thelatest evidencethat cybercrimehasbecomeaglobal business—one
that, including all typesof cybercrime, coststheworld economy an estimated $400 billion ayear
http://time.com/3087768/the-worlds-5-cybercrime-hotspots/

5. Who's Next? Me? You? Him?

6. Who's Next? Me? You? Him?

7. Who's Next? Me? You? Him?
Date
(2014) Company
Numberof records
exposed Types of records
25 Jan Michael's 2,600,000 payment cards
6 Feb HomeDepot 20,000 employeeinfo
14 Mar Sally Beauty Supply 25,000 credit/debit card
17 Apr Aaron Brothers 400,000 payment cards
22 Apr IowaStateUniversity 48,729 student social security numbers
30 May HomeDepot 30,000 credit/debit card
22 Jul Goodwill Industries 868,000 payment systems
18 Aug Community Health Systems 4,500,000 patient data
21 Aug United Postal Service 105,000 credit/debit card
28 Aug JPMorgan Chase 1,000,000 financial information
2 Sep HomeDepot 56,000,000 credit/debit card
2 Sep Viator/Trip Advisor 880,000 payment cards
25 Sep Central Dermatology 76,258 patient data
7 Nov HomeDepot 53,000,000 email addresses
10 Nov USPostal Service 800,000 personal data
18 Nov Staples 1,200,000 credit/debit card

8. Global Leaders; Where does this leave us?
Africa… thinking

9. Global Leaders; Where does this leave us?
Africa… thinking

10. What is the worth of your data on SAP?
SAP holds the corporate crown jewels:
•Over 280,000 customers run SAP
•87% of the global 200, 90 % of fortune 1000 in Africa
•98% of the most valued brands
•SAP touches 74% of all global transactions
•USD 16 Trillion of retail sales
Criminal Hackers
Competitors
Partners
Nation State
Unhappy Employees
Contractors
#feesmustfall

11. Global Leaders; Where does this leave us?
Africa… thinking

12. Global Leaders; Where does this leave us?
Africa… thinking

13. 5 Steps – Best Practice
What step do Stop at? Almost 33% of organizations stop at level 2
Continuous
Improvement
Business Risk
Management
Scanning
Assessment
&
Compliance
Analysis &
prioritization
Attack
Management
Scanning
Vulnerability Assessment, Ad-hoc Solution, Rudimentary Patching, Basic process
and Metrics
Assessment & Compliance
Driven by regulations, Scheduled scanning, Scan to Patch lifestyle, Emerging
process, little measurability
Analysis & Prioritization
Risk Focused, Scan data prioritization, Measurable process, Emerging Metrics
AttackManagement
Threat focused, Vectors scanned and prioritized, Patching based on risk to
critical Assets, Efficient, Metric based processes, Threat driven metrics and
trends
Business RiskManagement
Risk Aligned with business goals, All vectors scanned and prioritized, Continuous
patching, Unified business and IT processes, Measurable Integrated Enterprise
Management

14. Thankyou
tunde@deltagricconsulting.com
+27606587180
Questions?