LIKE WHAT YOU HEAR? TWEET IT USING: #SEC360 - Secure360

Transcription


YOUR PRESENTERS

Adam Harpool
§ Supervisor, McGladrey Consulting Services
§ 5 years of IT consulting experience, including SAP (all phases of the SAP lifecycle), IT internal audit, and IT strategy/effectiveness
§ Education
  § MBA, Columbia University Business School (2016)
  § MS, Carnegie Mellon (2009)
  § BS, University of Florida (2008)

Luke Leaon
§ Supervisor, McGladrey Consulting Services
§ 9 years of IT consulting experience, including SAP
§ SAP implementation controls work
§ Oracle and SAP post-implementation reviews
§ IT Internal Audit

INADEQUATE FIREFIGHTER CONTROLS

Key Risk?
§ Excessive access in the system is utilized inappropriately

What is an “industry-leading practice” for FireFighter?
§ Functional, not pervasive (e.g., FIRE_FI, FIRE_SD, etc.)
§ Absolutely no use of SAP_ALL, SAP_NEW, or equivalents
§ Preventative control: Approval required, including:
  § Justification
  § T-Code(s) to be executed
  § Ideally, time-limited based on extent of work
§ Detective control: Log review after the fact (caution!)
  § SM19/SM20 vs. various FF logs
§ Benchmarked (so that FF doesn’t become standard operating procedure)

SEGREGATION OF DUTIES

Key Risk?
§ Users can execute mutually incompatible transactions (e.g., classic case: create a fictitious vendor and process payment to that vendor)

What is an “industry-leading practice” for SOD?
§ Standardized, corporate-wide SOD matrix
§ Preventative control: SOD check during user provisioning
  § Are you including cross-system SOD? (e.g., JDE vs. SAP)
  § Do managers know what they’re approving?
  § Consider the use of Role Owners as an approval step
§ Detective control: Periodic review or continuous control monitoring (CCM)
§ Careful on the mitigating controls!
  § The risk of failure of manual controls is almost always higher than for automated controls
  § And be especially cautious with the administration of risk waivers
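The provisioning-time check described above, as an added example that is not part of the deck: a corporate SOD matrix is evaluated against the access a user would hold after the request is approved, across SAP and a second system, so that a conflict split between systems (the cross-system case the slide asks about) is caught. Rule names, the non-SAP transaction ids, and ZGL_APPR are constructed sample values.

```python
# Added example: cross-system SOD check at provisioning time (constructed data).
# XK01, FK01, F-53, F110 and FB50 are standard SAP tcodes; every other id below
# is a constructed placeholder, not a real transaction in any product.
SOD_MATRIX = {
    ("VENDOR_MASTER", "VENDOR_PAYMENT"): "Create fictitious vendor and pay it",
    ("GL_POST", "GL_APPROVE"): "Post and approve own journal entries",
}

# Business function -> transactions that grant it, per system.
FUNCTION_MAP = {
    "SAP": {
        "VENDOR_MASTER": {"XK01", "FK01"},
        "VENDOR_PAYMENT": {"F-53", "F110"},
        "GL_POST": {"FB50"},
        "GL_APPROVE": {"ZGL_APPR"},          # constructed custom tcode
    },
    "JDE": {                                  # constructed placeholder ids
        "VENDOR_MASTER": {"JDE_VENDOR_MAINT"},
        "VENDOR_PAYMENT": {"JDE_AUTO_PAY"},
    },
}


def functions_granted(access):
    """Map each business function to the set of systems granting it,
    given {system: set_of_tcodes} for one user."""
    granted = {}
    for system, tcodes in access.items():
        for func, codes in FUNCTION_MAP.get(system, {}).items():
            if tcodes & codes:
                granted.setdefault(func, set()).add(system)
    return granted


def sod_conflicts(existing, requested):
    """Preventative check: merge existing access with the request, then
    report every matrix rule whose two functions would both be held.
    cross_system_only is True when no single system grants both sides."""
    merged = {s: set(t) for s, t in existing.items()}
    for system, tcodes in requested.items():
        merged.setdefault(system, set()).update(tcodes)
    granted = functions_granted(merged)
    findings = []
    for (a, b), risk in SOD_MATRIX.items():
        if a in granted and b in granted:
            findings.append({
                "rule": (a, b), "risk": risk,
                "granted_by": {a: sorted(granted[a]), b: sorted(granted[b])},
                "cross_system_only": granted[a].isdisjoint(granted[b]),
            })
    return findings
```

A review that only looks at the SAP request (F-53 alone) would approve it; the merged view shows the vendor-master side already held in the other system.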

CUSTOM RICEWF OBJECT SECURITY

Key Risk?
§ Custom objects (which may drive key business functionality) may have security backdoors that create major vulnerabilities

What is an “industry-leading practice” for RICEWF object security?
§ Preventative control: Strong change management processes (as part of the IT General Controls suite)
  § Is a security plan/security analysis included on change management forms?
§ Preventative control: Limiting access to key BASIS T-Codes
  § SCC4, SE06, SA38, STMS (among many others)
§ Preventative control: Maintenance of a comprehensive, updated RICEWF inventory
§ Detective control: Periodic IT security audits and vulnerability assessments

APPLICATION CONTROLS MISALIGNMENT

Key Risk?
§ Key business processes are not adequately controlled through appropriate application controls (e.g., three-way match, open/close posting periods, duplicate invoices, etc.)

What is an “industry-leading practice” for application controls?
§ It all starts with having a comprehensive, updated risk and controls matrix (RACM)
  § Key business processes are mapped. Risks are identified; subsequently, controls are designed to address these risks
  § SAP functionality is then enabled to enforce the control
§ Caution: What’s the rationale for each control? (e.g., thresholds in three-way match, credit control area settings, etc.) Does it match the business strategy and risk appetite?
§ How often are your application controls tested?

INFRASTRUCTURE VULNERABILITIES

Key Risk?
§ The greatest application-level security in the world can be largely undermined by vulnerabilities lower in the stack.

What are areas of particular concern?
§ Database security: particularly “sa” or “sysadmin” type accounts
§ Interfaces: particularly the “at rest” and “in motion” components
§ OS: usual concerns related to patches, anti-virus/anti-malware, etc.
  § Recent trend with cyber-criminals moving “upmarket” to target enterprise software systems
§ Network: particular attention to port management processes

USER ACCESS REVIEWS

1. Reviews do not have appropriate ownership assigned; access owners are ill-equipped to assess access due to the technical and granular nature of SAP security.
2. Access to key functions is not identified, making it difficult for owners to assess the key access.
3. Reviews do not go down to the authorization object level, only the tcode level.
  § People may have access to key authorization objects like S_TABU_DIS or S_DEVELOP and not be identified during the review because they don’t have one of the key tcodes under review.
  § There are typically multiple tcodes that can use an authorization object; review access to and protection of data, not functions, which change and are numerous.

INTERFACES

1. System IDs used for interfacing have SAP_ALL; these account types are being changed to dialog to circumvent security controls.
2. Completeness and accuracy of data received.
3. New interfaces potentially introduce systems that are material.
4. Need to review system accounts and interfaces; this is not typically performed in a standard SOX ITGC audit.

DIRECT DATA UPDATE

§ Access to authorization object S_TABU_DIS with activity 02 may be distributed to lots of personnel throughout an organization. This allows direct access to edit tables (assuming the user has one of the many tcodes that can edit tables directly).
§ It is difficult to determine all of the tcodes that may allow direct editing of tables; as functionality changes, new tcodes are released: SE16, SE16N, SE17, SM30, SM31, SPRO.
§ SE16N edit mode was patched by SAP, though users with debug access can still enter edit mode. Debug in general shouldn’t be in production, as it can circumvent authorization checks in code.

DIRECT DATA UPDATE (CONTINUED)

§ Program execution transactions, like SA38 and SE38, can call the programs that other transactions execute. You can look up which programs transactions call in the table TSTC. This could allow unauthorized access to direct data update programs.
§ Authorization groups on tables can help you restrict access, assuming all of the tables are registered in the TDDAT table. (Developers may not register custom tables.)
§ All transactional and security-related tables should have a defined authorization group, not “&NC&”.

DIRECT DATA UPDATE (CONTINUED)

§ Some function modules do not perform authorization checks on S_TABU_DIS.
§ Weak parameter transactions, especially custom-developed ones, could allow a user to directly update any table.
§ If some users need access to direct update, specify the specific tables via S_TABU_NAM.
§ The next walk-through will help demonstrate that transaction codes don’t always give you the full picture, and the potential for security holes in parameter transactions.

DIRECT DATA UPDATE (CONTINUED)

Parameter Transactions: OB52 walkthrough (screenshots not reproduced in this transcription)
1. OB52 in the TSTCP table
2. OB52 uses V_T001B
3. SE12 to identify the relevant tables for the view
4. SE12 to identify the views in which the table is used
5. SE16N to identify the parameter transaction
6. Check for custom transactions with SM30
7. Poor development? Check: is there a “*”?
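The walkthrough above (and the TDDAT point on the preceding slide) as an added example that is not from the deck: two detective checks over extracts of TSTCP and TDDAT, flagging parameter transactions that call a table-maintenance tcode without pinning a single view (wildcard or no VIEWNAME at all) and tables whose authorization group is blank or “&NC&”. The rows are constructed; the PARAM layout “/*SM30 VIEWNAME=…;UPDATE=X” and the TDDAT column name CCLASS are assumptions to verify against your own system.

```python
# Added example: checks over constructed TSTCP / TDDAT extracts.
# Assumption: PARAM follows the common SM30 layout and TDDAT.CCLASS holds the
# table authorization group; confirm both in your system before relying on it.
import re

TSTCP_ROWS = [  # constructed (TCODE, PARAM) rows
    ("OB52",   "/*SM30 VIEWNAME=V_T001B;UPDATE=X"),   # pinned to one view: fine
    ("ZMAINT", "/*SM30 VIEWNAME=*;UPDATE=X"),         # wildcard: any view
    ("ZSHOW",  "/*SM30 VIEWNAME=V_T001B"),            # pinned, display only
    ("ZTAB",   "/*SE16N"),                            # no table fixed at all
]
TDDAT_ROWS = [  # constructed (TABNAME, CCLASS) rows
    ("T001B", "FC31"),
    ("ZPAYMENT_CTRL", "&NC&"),
    ("ZAUDIT_LOG", ""),
]
TABLE_MAINT_TCODES = {"SM30", "SM31", "SE16", "SE16N"}


def parse_param(param):
    """Split a TSTCP PARAM string into (called tcode, {KEY: value}).
    A leading '/*' means 'skip first screen' and is ignored here."""
    m = re.match(r"^(/\*)?(\S+)\s*(.*)$", param.strip())
    kv = {}
    for part in m.group(3).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            kv[k.strip().upper()] = v.strip()
    return m.group(2).upper(), kv


def weak_parameter_transactions(rows):
    """Parameter transactions that reach a table-maintenance tcode but do not
    pin a single view: returns (tcode, called, view, update_flag)."""
    findings = []
    for tcode, param in rows:
        called, kv = parse_param(param)
        view = kv.get("VIEWNAME", "")
        if called in TABLE_MAINT_TCODES and (view == "" or "*" in view):
            findings.append((tcode, called, view or "<none>",
                             kv.get("UPDATE", "").upper() == "X"))
    return findings


def unprotected_tables(rows):
    """Tables with no authorization group, or the catch-all &NC&."""
    return [tab for tab, grp in rows if grp.strip() in ("", "&NC&")]
```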

USER ADMIN CONTROLS

§ Ineffective provisioning and de-provisioning controls
  § Dependent on your environment: single sign-on? Federated passwords?
  § Approvers not knowledgeable
  § Access not role-based
§ Relying on automated AD/HR records to remove access; potential for technology issues, accounts renamed
  § Technology changes could make the control ineffective
§ Status of users; system of record
  § Managers not communicating rehired contractors, temps
  § Contractors not in HR system
  § May not be connected to infrastructure

USER ADMIN CONTROLS (CONTINUED)

§ Contractors
  § Contractors set to expire?
  § Conversion: users with more than one ID with different access
§ Transfers
  § Transfers retaining access
  § Access accumulating
§ Cloning
  § Users cloned, giving excessive access
  § Not role-based
  § Inaccurate information (users not named correctly)
§ Super user
  § Access not approved, informally given out
  § Super users leaving; accounts embedded in processing (SAP, DB, OS) are potential vulnerabilities

QUESTIONS?

CONTACT INFO

§ Please feel free to contact us with questions:
  § Luke Leaon: Luke.Leaon@mcgladrey.com
  § Adam Harpool: Adam.Harpool@mcgladrey.com
