
Sap Security Assessment V3 English


SAP Security Assessment framework presentation


Page 1: Sap Security Assessment V3 English

SAP Security Assessment

SAP R/3 Security Assessment

The first step towards the secure management of your ERP

Page 2: Sap Security Assessment V3 English

Sep 25, 2006, Openware - Insside, Confidential information

Through our "SAP Security Assessment" practice we offer a service that raises management awareness of the existing security problems in R/3 environments and makes them tractable.

Why Openware - Insside

The suggested approach combines processes, policies, practices and technology, and so offers a broad range of options when diagnosing and securing your ERP.

In addition, we propose a holistic, incremental and evolutionary perspective that lets its different components and maturity stages scale, in order to ensure a successful adoption.

We possess a solid and extensive track record.

Page 3: Sap Security Assessment V3 English


• +14 years of experience
• Projects in Latin America and Europe
• Qualified and committed professionals

International acknowledgments:
• Endeavor Foundation
• Avina Foundation
• Junior Achievement
• Junior Chamber International

Within the TOP50 of Argentinian companies in terms of CSR

Within the TOP10 of Argentinian information security companies

Track record

Page 4: Sap Security Assessment V3 English


Track record

Page 5: Sap Security Assessment V3 English


Track record

Assessment and revision of the SAP R/3 platform
• Terra Networks Argentina
• T-Gestiona Grupo Telefónica Argentina

Assessment and revision of SAP profiles
• T-Gestiona Grupo Telefónica España
• AES Chile (Sarbanes-Oxley implementation)

Remote access and SAP security
• Monsanto
• Famiq

Penetration test
• DELSUR (El Salvador)
• Liberty Compañía de Seguros Argentina
• Municipalidad de Rosario (Rosario city government)
• Telefónica Móviles Argentina

Audit and information security implementation
• Emergia (Telefónica Group)
• Sesa Select (Vedior Group)
• Telefónica Empresa (Telefónica Group)
• Security review of the Terra Networks portal (Telefónica Group)
• Adquira España security audit
• Telefónica Comunicaciones Personales (Telefónica Group), Argentina
• Banco Municipal de Rosario
• CEICOM España
• DPS
• Best Select Chile
• Terminal 6
• Minera Lumbrera
• Banco Meridiam
• Policía Federal Argentina

Vulnerability assessments
• Nuevo Banco Bisel
• Toyota
• Globant
• Microglobal
• NCA
• Globalstar – TESACOM
• Neuralsoft

Page 6: Sap Security Assessment V3 English


Why to secure SAP?

ERP platforms are generally designed for international markets and must be customized; as a result, some functions and parameters are not always consistent with local requirements or particular regulations.

Key users take part only partially in the implementation of a new ERP system, so some parameter settings are skipped because ordinary users and consultants are not aware of them.

Figures that show its complexity:
• +28,000 tables and views
• 240,000 functions and programs
• 1,000 security-administration access parameters
• +15,000 vulnerabilities in the operating environments

Page 7: Sap Security Assessment V3 English


What is the importance of security in the ERP world ?

Page 8: Sap Security Assessment V3 English


Risk areas: Causes

A system which manages all the business information.

In 90% of the reviews we carried out there were profile incompatibilities (conflicting functions held by one user) that could allow fraud against the company.

The possibility of "authorized fraud": misuse of access that was legitimately granted.

Access to clients (SAP "Mandanten") in which critical transactions can cause service unavailability.

Financial data held in ERP clients that are not flagged as "productive" can be deleted.

Audit trails can be activated or deactivated user by user.

Wrongly assigned profiles may enable fraud.

Problems in the architecture design of the environment and infrastructures.

Page 9: Sap Security Assessment V3 English


Risk areas: Consequences

• Access to confidential information.
• Access to productive databases.
• Connection of equipment that does not comply with security policies.
• Operating errors that cause service unavailability because administrator users hold excessive permissions.
• Security events not detected in a timely manner.
• No preventive or mitigating action, because there is no event-correlation facility.
• Abuse in profile assignment, which increases the probability of fraud.
• No strategy for managing the users and passwords that access the application, the operating system and the databases.
• Inconsistency between the values assigned for the transactions and the activity values within those transactions.

Page 10: Sap Security Assessment V3 English


What do we propose?

Carry out a comprehensive diagnosis of SAP R/3 security (SSA) that shows the risk to which the organization is exposed with regard to:

• Possibility of Fraud

• Application availability and business continuity

• Confidentiality of business information

• Integrity of the Information in the application, operating environments and Interface systems

• Level of incompatible functions assigned to users

Page 11: Sap Security Assessment V3 English


SSA- Security Model

We take into consideration 3 basic principles:

Base the security strategies on business risks and technical risks jointly.

Attain an effective security environment which involves and combines strategy and policies, implementation and administration, event monitoring and technological architecture.

Apply comprehensive risk-management processes to the components, to the business processes and to the associated information technology.

Page 12: Sap Security Assessment V3 English


SSA Process

Stage 1, SSA:
• 0 Analysis of the current context: organization, technology, security, processes, people
• 1 Vulnerability and risk analysis: vulnerability analysis, risk analysis, recommendations

Stage 2, security deployment:
• 2 Development of the normative framework: analyze users' profiles, define functions, segregate functions, standardize processes, define accesses, normative framework
• 3 Security hardening and management: security hardening, identity management, event management, patch management, other
• 4 Monitoring for compliance: validation of the objectives already set, compliance

Awareness is cross-cutting. The diagram plots the stages against organizational capacity, technical complexity and business benefits (critical success factors), and maps them to SOX, ISO 17799/27001 and COBIT.

Page 13: Sap Security Assessment V3 English


SSA: Regular participants

Client:
• Sponsor user
• Project coordinator
• SAP / network administrators
• Representatives of the user area / HR

Openware:
• Senior strategist
• Architect
• Security consultant (CISA)

Page 14: Sap Security Assessment V3 English


SSA in depth

0 Analysis of the current context
• Define the scope of the project
• Contextual assessment

1 Vulnerability and risk analysis
• Users' control
• Authorization system
• Profile incompatibility / possibility of fraud
• Network infrastructure
• Operating system security
• Protection of database accesses
• Control of the transport system
• External communications security
• Security mechanisms in document exchanges
• Internet security
• Migration to higher versions

Methodology and tools
• As a whole, the suggested methodology aligns with the standard control objectives of COBIT / COSO / ISO.
• Use of tools that belong to the application itself, for instance AIS (Audit Information System), which is part of SAP R/3, together with tools developed by INSSIDE and Openware.
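The "profile incompatibility / possibility of fraud" item above, and the "segregate functions" step of Stage 2, come down to a segregation-of-duties rule set evaluated over each user's effective transactions. The Python below is an added example written for this page; it is not the SIA tool or any Openware/Insside code. The roles, users and conflict rules are constructed sample data in the shape of AGR_TCODES / AGR_USERS / UST04 exports, the transaction codes are standard SAP ones used only to illustrate the rule shape, and the rule set is a deliberately small subset of what a real SoD matrix contains.

```python
"""Segregation-of-duties check over SAP user/role/transaction assignments.

Added illustration (not the SIA tool). Role and user assignments below are
constructed sample data; the rule set is a small illustrative subset.
"""

# Business functions expressed as sets of transaction codes.
FUNCTIONS = {
    "vendor_master":  {"FK01", "FK02", "XK01", "XK02"},   # create/change vendor master
    "vendor_payment": {"FB60", "F-53", "F110"},           # vendor invoices and payments
    "purchase_order": {"ME21N", "ME22N"},                 # create/change purchase orders
    "goods_receipt":  {"MIGO", "MB01"},                   # post goods receipts
    "user_admin":     {"SU01", "SU10"},                   # user maintenance
    "role_admin":     {"PFCG"},                           # role/profile maintenance
}

# Incompatible function pairs: holding both enables the fraud described.
CONFLICT_RULES = [
    ("vendor_master", "vendor_payment", "create a fictitious vendor and pay it"),
    ("purchase_order", "goods_receipt", "order goods and confirm receipt alone"),
    ("user_admin", "role_admin", "create a user and grant it any authorization"),
]

# Transactions that are critical on their own, no second function needed.
CRITICAL_TCODES = {
    "SE16": "direct table display",
    "SA38": "execute arbitrary ABAP reports",
    "SCC5": "client deletion",
    "SM19": "Security Audit Log configuration",
}

# Constructed: role -> transactions in its menu.
ROLES = {
    "Z_FI_AP_CLERK":      {"FK01", "FK02", "FB60"},   # conflicting within a single role
    "Z_FI_AP_PAYMENTS":   {"F-53", "F110"},
    "Z_MM_BUYER":         {"ME21N", "ME22N"},
    "Z_MM_WAREHOUSE":     {"MIGO", "MB01"},
    "Z_BASIS_USER_ADMIN": {"SU01", "SU10"},
    "Z_BASIS_ROLE_ADMIN": {"PFCG"},
    "Z_AUDIT_DISPLAY":    {"SE16"},
}

# Constructed: user -> assigned roles and directly assigned profiles.
USERS = {
    "JPEREZ":   {"roles": {"Z_FI_AP_CLERK", "Z_FI_AP_PAYMENTS"}, "profiles": set()},
    "MLOPEZ":   {"roles": {"Z_MM_BUYER"},                       "profiles": set()},
    "RGOMEZ":   {"roles": {"Z_MM_BUYER", "Z_MM_WAREHOUSE"},     "profiles": set()},
    "BASISADM": {"roles": set(),                                "profiles": {"SAP_ALL"}},
    "AUDITOR":  {"roles": {"Z_AUDIT_DISPLAY"},                  "profiles": set()},
}

# Every transaction this model knows about; SAP_ALL is treated as granting all of them.
ALL_TCODES = set().union(*FUNCTIONS.values(), *ROLES.values(), CRITICAL_TCODES)


def effective_tcodes(user, users=USERS, roles=ROLES):
    """Transactions the user can start: union of role menus, or everything for SAP_ALL."""
    rec = users[user]
    if "SAP_ALL" in rec["profiles"]:
        return set(ALL_TCODES)
    return set().union(*(roles[r] for r in rec["roles"]))


def functions_held(tcodes):
    """Business functions the transaction set touches (any one tcode is enough)."""
    return {name for name, codes in FUNCTIONS.items() if codes & tcodes}


def sod_conflicts(user, users=USERS, roles=ROLES):
    """Conflict rules this user violates, as (function_a, function_b, fraud scenario)."""
    held = functions_held(effective_tcodes(user, users, roles))
    return [rule for rule in CONFLICT_RULES if rule[0] in held and rule[1] in held]


def critical_access(user, users=USERS, roles=ROLES):
    """Critical single transactions the user can run, sorted for stable reporting."""
    return sorted(effective_tcodes(user, users, roles) & set(CRITICAL_TCODES))


def assess(users=USERS, roles=ROLES):
    """Per-user findings; users with neither conflicts nor critical access are omitted."""
    report = {}
    for user in sorted(users):
        conflicts = sod_conflicts(user, users, roles)
        critical = critical_access(user, users, roles)
        if conflicts or critical:
            report[user] = {"conflicts": conflicts, "critical": critical}
    return report


if __name__ == "__main__":
    for user, finding in assess().items():
        for a, b, why in finding["conflicts"]:
            print(f"{user}: SoD conflict {a} + {b} ({why})")
        for tcode in finding["critical"]:
            print(f"{user}: critical transaction {tcode} ({CRITICAL_TCODES[tcode]})")
```

Two points the sample is built to show: a conflict can live inside a single role (Z_FI_AP_CLERK already combines vendor master maintenance with invoice posting, so JPEREZ would be flagged even without the payments role), and a directly assigned SAP_ALL profile bypasses role analysis entirely, which is why the check must consider profiles as well as roles. A real assessment would derive the transaction set from authorization object S_TCODE rather than from role menus alone, since a menu entry without the matching authorization cannot be executed and vice versa.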

Page 15: Sap Security Assessment V3 English


SSA: Deliverables
Report on the detected vulnerabilities, the main risks those weaknesses generate, and recommendations to resolve them.

Users' control
• Authentication in SAP
• Password policies
• Passwords of the SAP standard users
• External authentication methods
• Monitoring through the Security Audit Log
• Control of changes in the user records
• License administration

Authorization system
• BASIS administration (client structure)
• Management of powerful profiles
• Access to critical transactions and authorization objects
• Application of SAP Notes
• Strategies for applying Hot Packages
• Performance and response times

Transport system
• Work environments
• Movement of programs between environments
• TMS (Transport Management System)

Page 16: Sap Security Assessment V3 English


SSA: Deliverables (continued)

Internet security
• ITS (Internet Transaction Server)
• Control over firewalls, services, ports, directories and the protection of critical files
• Use of generic users

Network infrastructure
• SAP and general network services (routers, firewalls, SAProuter)
• Use of SNC (Secure Network Communications)
• Communications over public networks (Internet, modem)
• SAPNet connection (OSS)

Operating system security
• User configuration policies and logs
• Monitoring
• Permissions on the directories and main SAP files

Protection of database access
• SQL Server / Oracle configuration
• Verify that the passwords of the SAP standard users were changed
• SAPDBA protection
• Existing controls over the critical tables of the system
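Several of the items in the two deliverables lists (password policies, protection of the standard users, Security Audit Log monitoring, idle sessions) are decided by instance profile parameters and can be checked mechanically. The Python below is an added example for this page, not part of the deck or of Openware/Insside's tools: it parses a constructed "parameter value" dump in the shape of RSPARAM/RSPFPAR output and compares it with a hardening baseline. The parameter names are real SAP profile parameters; the threshold values in BASELINE are illustrative and must be adapted to the organization's policy. Note that this checks policy, not actual passwords: whether SAP* or DDIC still carry a default password has to be verified separately, by a logon test or against the stored hashes.

```python
"""Check SAP instance profile parameters against a hardening baseline.

Added illustration, not Openware/Insside code. The dumps below are
constructed to look like 'parameter  value' lines copied from
RSPARAM/RSPFPAR output; baseline thresholds are illustrative.
"""
import re

# (parameter, check, expected, meaning); check is one of ">=", "==", "range".
BASELINE = [
    ("login/min_password_lng",          ">=",    8,         "minimum password length"),
    ("login/password_expiration_time",  "range", (1, 90),   "passwords expire (days); 0 = never"),
    ("login/fails_to_user_lock",        "range", (1, 5),    "lock user after N failed logons"),
    ("login/fails_to_session_end",      "range", (1, 3),    "end session after N failed logons"),
    ("login/no_automatic_user_sapstar", "==",    1,         "no built-in SAP* logon when SAP* is deleted"),
    ("rsau/enable",                     "==",    1,         "Security Audit Log active"),
    ("rdisp/gui_auto_logout",           "range", (1, 3600), "idle GUI sessions logged out (seconds); 0 = never"),
]

LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s*$")


def parse_dump(text):
    """'name value' lines -> {name: value}; values that look numeric become int."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue                                  # comment line
        m = LINE.match(line)
        if not m:
            continue                                  # blank or not a two-token line
        name, value = m.groups()
        params[name] = int(value) if value.lstrip("-").isdigit() else value
    return params


def _passes(check, expected, actual):
    """Evaluate one baseline rule; anything non-numeric (including '<not set>') fails."""
    if not isinstance(actual, int):
        return False
    if check == ">=":
        return actual >= expected
    if check == "==":
        return actual == expected
    if check == "range":
        lo, hi = expected
        return lo <= actual <= hi
    raise ValueError(f"unknown check {check!r}")


def audit_parameters(params):
    """Findings as (parameter, actual, expected, meaning).

    A parameter missing from the dump is reported too: the SAP default then
    applies, and the baseline does not assume that default is acceptable.
    """
    findings = []
    for name, check, expected, meaning in BASELINE:
        actual = params.get(name, "<not set>")
        if not _passes(check, expected, actual):
            findings.append((name, actual, f"{check} {expected}", meaning))
    return findings


# Constructed sample: a weakly configured instance.
WEAK_DUMP = """
login/min_password_lng              3
login/password_expiration_time      0
login/fails_to_user_lock            12
login/fails_to_session_end          3
login/no_automatic_user_sapstar     0
rsau/enable                         0
rdisp/gui_auto_logout               0
"""

# Constructed sample: the same instance after hardening.
HARDENED_DUMP = """
login/min_password_lng              8
login/password_expiration_time      60
login/fails_to_user_lock            5
login/fails_to_session_end          3
login/no_automatic_user_sapstar     1
rsau/enable                         1
rdisp/gui_auto_logout               900
"""

if __name__ == "__main__":
    for label, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        findings = audit_parameters(parse_dump(dump))
        print(f"{label}: {len(findings)} finding(s)")
        for name, actual, expected, meaning in findings:
            print(f"  {name} = {actual}, expected {expected}: {meaning}")
```

The weak sample produces six findings and the hardened one none. Two of them deserve a comment: login/password_expiration_time = 0 and rdisp/gui_auto_logout = 0 both mean "never", which is why the baseline uses a range starting at 1 rather than a simple minimum; and a parameter that is absent from the dump is reported rather than silently accepted, because the value in force is then whatever the kernel default is for that release.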

Page 17: Sap Security Assessment V3 English


SSA: Own tools

Attaka: vulnerability assessment and management platform

Attaka assesses more than 15,000 security vulnerabilities in SAP environments. It includes the following modules:

Discovery:
• Consolidation of assets and assessment (internal and external)

Reporting:
• Interactive and historical reports, and a dashboard with key indicators

Remediation:
• Includes documentation processes and workflow

Support:
• 7x24 online access, based on ITIL, to specialized professional services

(*) It is the only security tool in Spanish America undergoing the authorization process with cve.mitre.org.

Page 18: Sap Security Assessment V3 English


SSA: Own tools

SIA (SAP Insside Audit): R/3 security audit system

It includes the following modules:

Profile:
• Consolidates, analyzes and processes the relation between profiles and transactions

User integrity:
• Validates the integrity of, and the relation between, R/3 users, database users and operating system users
• Checks the configuration quality of the system from the access-security perspective

Password hardening:
• Verifies the security level of the passwords assigned in the R/3 environment
• Checks the level of protection the system provides for the standard users (SAP*, DDIC, etc.) in each client

Page 19: Sap Security Assessment V3 English


SSA Process (the Stage 1 / Stage 2 process diagram from Page 12, repeated)

Page 20: Sap Security Assessment V3 English


What SSA makes possible

• Security awareness among management and end users.

• Development of a normative framework for security and control, and standardization of the processes to follow for managing and administering users, profiles and access authorizations, so that the organization's information is protected:
• SAP compliance
• SOX compliance
• ISO 17799/27001 compliance

• Component hardening actions and management of assets and resources.

• Monitoring of the remediation level (compliance) of the observations presented in the first stage.

Page 21: Sap Security Assessment V3 English


Stage 2 (potential)

Security must be approached as a strategic aspect of the company, which should include:

• Technology: products, tools and automation
• Modules: profiles and roles properly assigned
• People: knowledge, functions and responsibilities

Page 22: Sap Security Assessment V3 English


Stage 2 (potential)

2 Development of the normative framework
• SAP compliance
• SOX compliance
• ISO 17799/27001 compliance

3 Security hardening and management
• Security hardening
• Identity management
• Event management
• Patch management
• Other

4 Monitoring for compliance
• Monitoring the remediation level of the observations presented in the first stage, and compliance

Page 23: Sap Security Assessment V3 English


Thank you!

SSA, SAP Security Assessment

http://www.openware.biz/index_en.shtml