Transcript of presentation slides (posted 08-Oct-2019, category: Documents)

  • LIKE WHAT YOU HEAR? TWEET IT USING: #SEC360

  • YOUR PRESENTERS
    Adam Harpool
    §  Supervisor, McGladrey Consulting Services
    §  5+ years of IT consulting experience, including SAP (all phases of the SAP lifecycle), IT internal audit, and IT strategy/effectiveness
    §  Education
       § MBA, Columbia University Business School (2016)
       § MS, Carnegie Mellon (2009)
       § BS, University of Florida (2008)

  • YOUR PRESENTERS
    Luke Leaon
    §  Supervisor, McGladrey Consulting Services
    §  9+ years of IT consulting experience, including SAP
    §  SAP implementation controls work
    §  Oracle and SAP post-implementation reviews
    §  IT Internal Audit

  • INADEQUATE FIREFIGHTER CONTROLS
    Key Risk?
    §  Excessive access in the system is used inappropriately
    What is an “industry-leading practice” for FireFighter?
    §  Functional, not pervasive (e.g., FIRE_FI, FIRE_SD, etc.)
    §  Absolutely no use of SAP_ALL, SAP_NEW, or equivalents
    §  Preventative control: Approval required, including:
       § Justification
       § T-Code(s) to be executed
       § Ideally, a time limit based on the extent of the work
    §  Detective control: Log review after the fact (caution!)
       § SM19/SM20 vs. the various FF logs
    §  Benchmarked (so that FF doesn’t become standard operating procedure)
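As an added example (not from the deck, and not a McGladrey tool), the Python below reconciles one FireFighter session against its approval record, which is what the detective log review on this slide amounts to: every T-code executed under the FF ID that was not on the approval, and every execution outside the approved window, is a review exception, and a count of sessions per requestor supports the benchmarking point. The approval fields, the simplified “date time user tcode” log format and the four-sessions-a-month threshold are assumptions; a real SM20 or FF log export carries more columns and the parser has to be adapted to it.

```python
"""Added example: reconcile a FireFighter (FF) session against its approval.
Not from the SEC360 deck. The approval fields, the simplified log format
and the benchmarking threshold are assumptions for this illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FFApproval:
    ff_id: str              # FireFighter ID that was checked out (e.g. FIRE_FI)
    requestor: str          # named user who requested it
    approved_tcodes: set    # T-code(s) named in the approval
    start: datetime         # approved window (time-limited, per the slide)
    end: datetime


# Constructed SM20-style extract, one execution per line: "date time user tcode".
# Assumption: a real SM20/FF log export has more columns; adapt parse_log().
SAMPLE_LOG = """\
2019-10-08 09:02:11 FIRE_FI FB03
2019-10-08 09:05:40 FIRE_FI FB02
2019-10-08 09:41:05 FIRE_FI SE16
2019-10-08 13:12:00 FIRE_FI FB02
2019-10-08 09:10:00 JSMITH ME21N
"""

SAMPLE_APPROVAL = FFApproval(
    ff_id="FIRE_FI",
    requestor="JSMITH",
    approved_tcodes={"FB02", "FB03"},
    start=datetime(2019, 10, 8, 9, 0),
    end=datetime(2019, 10, 8, 12, 0),
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, tcode) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, user, tcode = line.split()
        entries.append((datetime.fromisoformat(f"{day} {clock}"), user, tcode))
    return entries


def review_session(approval, entries):
    """Detective control: compare what the FF ID actually ran with what was approved.

    Returns the T-codes run that were not on the approval, the executions outside
    the approved window, and the number of approved-T-code executions."""
    findings = {"out_of_scope": set(), "outside_window": [], "approved_runs": 0}
    for ts, user, tcode in entries:
        if user != approval.ff_id:
            continue                      # other users' activity is not this session
        if not (approval.start <= ts <= approval.end):
            findings["outside_window"].append((ts, tcode))
        if tcode in approval.approved_tcodes:
            findings["approved_runs"] += 1
        else:
            findings["out_of_scope"].add(tcode)
    return findings


def benchmark_usage(approvals, max_per_month=4):
    """Flag requestors whose FF use looks like standard operating procedure.
    The threshold is an assumption; calibrate it to your own baseline."""
    per_month = Counter((a.requestor, a.start.strftime("%Y-%m")) for a in approvals)
    return {key: n for key, n in per_month.items() if n > max_per_month}


if __name__ == "__main__":
    result = review_session(SAMPLE_APPROVAL, parse_log(SAMPLE_LOG))
    print("Out of scope:", sorted(result["out_of_scope"]))
    print("Outside window:", result["outside_window"])
```

Against the constructed log, SE16 is the out-of-scope finding and the 13:12 FB02 run is the outside-window finding; both go back to the requestor and approver, which is the “caution” on this slide: a log review only works if someone actually closes the loop.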

  • SEGREGATION OF DUTIES
    Key Risk?
    §  Users can execute mutually incompatible transactions (e.g., the classic case: create a fictitious vendor and process a payment to that vendor)
    What is an “industry-leading practice” for SOD?
    §  Standardized, corporate-wide SOD matrix
    §  Preventative control: SOD check during user provisioning
       § Are you including cross-system SOD? (e.g., JDE vs. SAP)
       § Do managers know what they’re approving?
       § Consider the use of Role Owners as an approval step
    §  Detective control: Periodic review or continuous control monitoring (CCM)
    §  Be careful with mitigating controls!
       § The risk of failure of a manual control is almost always higher than that of an automated control
       § And be especially cautious with the administration of risk waivers
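As an added example (not from the deck), here is the preventive SOD check at provisioning time in Python, across two systems. The function-to-transaction map, the role contents, the SOD matrix entries and the JDE program names are constructed for illustration (the SAP codes are the usual vendor master, invoice and payment transactions); a real matrix is larger and is owned by the business, not by the security team.

```python
"""Added example: preventive SoD check at provisioning time, across systems.
Not from the SEC360 deck. Function map, roles, matrix entries and JDE
program names are constructed for illustration."""

# Business function -> access that grants it, per system.
# Assumption: SAP entries are the usual vendor-master/invoice/payment T-codes;
# the JDE entries are placeholders standing in for JDE programs.
FUNCTIONS = {
    "VENDOR_MASTER_MAINTAIN": {"SAP": {"XK01", "XK02", "FK01", "FK02"}, "JDE": {"P04012"}},
    "VENDOR_INVOICE_ENTRY":   {"SAP": {"FB60", "MIRO"},                 "JDE": {"P0411"}},
    "VENDOR_PAYMENT_PROCESS": {"SAP": {"F-53", "F110"},                 "JDE": {"P04570"}},
    "PURCHASE_ORDER_CREATE":  {"SAP": {"ME21N"},                        "JDE": {"P4310"}},
}

# Corporate-wide SoD matrix: unordered pairs of incompatible functions.
SOD_MATRIX = {
    frozenset({"VENDOR_MASTER_MAINTAIN", "VENDOR_PAYMENT_PROCESS"}),  # fictitious vendor + pay it
    frozenset({"VENDOR_MASTER_MAINTAIN", "VENDOR_INVOICE_ENTRY"}),
    frozenset({"PURCHASE_ORDER_CREATE", "VENDOR_INVOICE_ENTRY"}),
}

# Roles as built in each system (constructed): (system, role) -> T-codes / programs.
ROLES = {
    ("SAP", "Z_AP_CLERK"):    {"FB60", "MIRO", "FB03"},
    ("SAP", "Z_AP_PAYMENTS"): {"F-53", "F110", "FBL1N"},
    ("SAP", "Z_VENDOR_MDM"):  {"XK01", "XK02", "XK03"},
    ("JDE", "AP_MASTER"):     {"P04012"},
}


def functions_granted(assignments):
    """Map (system, role) assignments to business functions, keeping track of
    which system and T-code grants each one, so reviewers see the cause."""
    granted = {}
    for system, role in assignments:
        for tcode in ROLES.get((system, role), set()):
            for func, access in FUNCTIONS.items():
                if tcode in access.get(system, set()):
                    granted.setdefault(func, set()).add(f"{system}:{tcode}")
    return granted


def sod_conflicts(assignments):
    """Conflicts present in a set of assignments. Cross-system conflicts fall
    out naturally because the function map is keyed per system."""
    granted = functions_granted(assignments)
    conflicts = []
    for pair in SOD_MATRIX:
        a, b = sorted(pair)
        if a in granted and b in granted:
            conflicts.append((a, tuple(sorted(granted[a])), b, tuple(sorted(granted[b]))))
    return sorted(conflicts)


def provisioning_check(current, new_assignment):
    """Preventive control: the conflicts that approving new_assignment would
    introduce. Empty means no mitigating control or waiver is needed."""
    before = set(sod_conflicts(current))
    after = set(sod_conflicts(current + [new_assignment]))
    return sorted(after - before)


if __name__ == "__main__":
    user = [("SAP", "Z_AP_CLERK")]
    for c in provisioning_check(user, ("JDE", "AP_MASTER")):
        print("New conflict:", c)
```

The approver sees the conflict stated in business terms (invoice entry in SAP against vendor master maintenance in JDE) together with the exact access that causes it, which addresses the “do managers know what they’re approving?” question on this slide; a tcode-only report would not show the cross-system pairing at all.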

  • CUSTOM RICEWF OBJECT SECURITY
    Key Risk?
    §  Custom objects (which may drive key business functionality) may have security backdoors that create major vulnerabilities
    What is an “industry-leading practice” for RICEWF object security?
    §  Preventative control: Strong change management processes (as part of the IT General Controls suite)
       § Is a security plan/security analysis included on change management forms?
    §  Preventative control: Limiting access to key BASIS T-Codes
       § SCC4, SE06, SA38, STMS (among many others)
    §  Preventative control: Maintenance of a comprehensive, updated RICEWF inventory
    §  Detective control: Periodic IT security audits and vulnerability assessments

  • APPLICATION CONTROLS MISALIGNMENT
    Key Risk?
    §  Key business processes are not appropriately controlled through the use of appropriate application controls (e.g., three-way match, open/close posting periods, duplicate invoice checks, etc.)
    What is an “industry-leading practice” for application controls?
    §  It all starts with having a comprehensive, updated risk and controls matrix (RACM)
       § Key business processes are mapped. Risks are identified; subsequently, controls are designed to address these risks
    §  SAP functionality is then enabled to enforce the control
    §  Caution: What’s the rationale for each control? (e.g., tolerance thresholds in the three-way match, credit control area settings, etc.) Does it match the business strategy and risk appetite?
    §  How often are your application controls tested?

  • INFRASTRUCTURE VULNERABILITIES
    Key Risk?
    §  The greatest application-level security in the world can be largely undermined by vulnerabilities lower in the stack.
    What are areas of particular concern?
    §  Database security—particularly “sa” or “sysadmin”-type accounts
    §  Interfaces—particularly the “at rest” and “in motion” components
    §  OS—the usual concerns related to patches, anti-virus/anti-malware, etc.
       § Recent trend of cyber-criminals moving “upmarket” to target enterprise software systems: http://www.infoworld.com/d/security/new-malware-variant-suggests-cybercriminals-targeting-sap-users-230014
    §  Network—particular attention to port management processes

  • USER ACCESS REVIEWS
    1.  Reviews do not have appropriate ownership assigned; access owners are ill-equipped to assess access due to the technical and granular nature of SAP Security.
    2.  Access to key functions is not identified, making it difficult for owners to assess the key access.
    3.  Reviews do not go down to the authorization object level, only the tcode level.
       §  People may have access to key authorization objects like S_TABU_DIS or S_DEVELOP and not be identified during the review because they don’t have one of the key tcodes under review.
       §  There are typically multiple tcodes that can use a given authorization object, so review access to (and protection of) the data rather than the functions, which are numerous and change over time.

  • INTERFACES
    1.  System IDs used for interfacing have SAP_ALL; these account types are being changed to dialog to circumvent security controls.
    2.  Completeness and accuracy of data received.
    3.  New interfaces potentially introduce systems that are material.
    4.  System accounts and interfaces need to be reviewed; this is not typically performed in a standard SOX ITGC audit.

  • DIRECT DATA UPDATE
    §  Access to authorization object S_TABU_DIS with activity 02 (change) may be distributed to lots of personnel throughout an organization. This allows direct editing of tables (assuming the user has one of the many tcodes that can edit tables directly).
    §  It is difficult to determine all of the tcodes that may allow direct editing of tables; as functionality changes, new tcodes are released: SE16, SE16N, SE17, SM30, SM31, SPRO...
    §  SE16N edit mode was patched by SAP, though a user can still enter edit mode if they have Debug. Debug in general shouldn’t be in production, as it can circumvent authorization checks in code.

  • DIRECT DATA UPDATE (CONTINUED) §  Program execution transactions, like SA38 and SE38, can call the programs that

    the transactions execute. You can look up what programs the transactions call in the table TSTC. This could allow for unauthorized access to direct data update programs.

    §  Authorization groups on tables can help you restrict access, assuming all of the tables are registered in the TDDAT table. (Developers may not register custom tables.)

    §  All transactional and security-related tables should have a defined authorization group, not “&NC&”.

    LIKE WHAT YOU HEAR? TWEET IT USING: #SEC360 12

  • DIRECT DATA UPDATE (CONTINUED) §  Some functional modules do not perform authorization checks on

    S_TABU_DIS.

    §  Weak parameter transactions, especially those that are developed, could allow for a user to direct update any table.

    §  Need to specify specific tables if some users need access to direct update via S_TABU_NAM.

    §  The next walk-through will help demonstrate transaction codes don’t always give you the full picture and the potential for security holes in parameter transactions.

    LIKE WHAT YOU HEAR? TWEET IT USING: #SEC360 13

  • DIRECT DATA UPDATE (CONTINUED)
    (screenshot) Parameter Transactions—OB52—Walkthrough: the TSTCP table

  • DIRECT DATA UPDATE (CONTINUED)
    (screenshot) Parameter Transactions—OB52—Walkthrough: uses view V_T001B

  • DIRECT DATA UPDATE (CONTINUED)
    (screenshot) Parameter Transactions—SE12 to identify the relevant tables for the view.

  • DIRECT DATA UPDATE (CONTINUED)
    (screenshot) Parameter Transactions—SE12 to identify the views in which the table is used.

  • DIRECT DATA UPDATE (CONTINUED)
    (screenshot) Parameter Transactions—SE16N to identify the parameter transaction.

  • DIRECT DATA UPDATE (CONTINUED)
    (screenshot) Parameter Transactions—Check for custom parameter transactions built on SM30.
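Bringing the direct data update slides and the OB52 walkthrough together as an added example (not from the deck): the Python below does the walkthrough programmatically over constructed extracts of TSTC, TSTCP, TDDAT and a view-to-table mapping. It parses the TSTCP PARAM string to find the core transaction (SM30) and the view it is fixed to (V_T001B), resolves the view to its table, checks the table’s TDDAT authorization group, finds every parameter transaction (including a custom copy) that updates the same table, and lists what a given set of S_TABU_DIS groups lets a user change. The table contents and authorization groups are constructed and the ZOB52, ZVT, ZCUSTOM and ZTEMP names are made up; the PARAM format “/*SM30 VIEWNAME=...;UPDATE=X” follows what SM30-based parameter transactions commonly carry, and in a real system the view-to-table mapping would be pulled from DD26S.

```python
"""Added example: resolve what a parameter transaction really updates and
check the table's authorization group. Not from the SEC360 deck.
All table contents below are constructed extracts; OB52, SM30, V_T001B and
T001B are real SAP names used for realism, ZOB52/ZVT/ZCUSTOM/ZTEMP are made up."""
import re

# TSTC extract: transaction -> program (constructed)
TSTC = {"SM30": "SAPMSVMA", "OB52": "SAPMSVMA", "ZOB52": "SAPMSVMA", "SE16": "SAPLSETB"}

# TSTCP extract: parameter transaction -> PARAM string (constructed).
# Assumption: '/*SM30 VIEWNAME=...;UPDATE=X' is the shape SM30-based
# parameter transactions commonly carry ('/*' = skip the first screen).
TSTCP = {
    "OB52":  "/*SM30 VIEWNAME=V_T001B;UPDATE=X",
    "ZOB52": "/*SM30 VIEWNAME=V_T001B;UPDATE=X",    # custom copy, not on the review list
    "ZVT":   "/*SM30 VIEWNAME=V_ZCUSTOM;UPDATE=X",  # custom view over an unregistered table
}

# View -> base table(s) (constructed; in SAP this mapping lives in DD26S)
VIEW_TABLES = {"V_T001B": {"T001B"}, "V_ZCUSTOM": {"ZCUSTOM"}}

# TDDAT extract: table -> authorization group (CCLASS); groups are constructed.
# ZCUSTOM is deliberately absent: the developer never registered it.
TDDAT = {"T001B": "FC31", "T001": "FC31", "ZTEMP": "&NC&"}

PARAM_HEAD = re.compile(r"^/[*N]?(\S+)")   # '/*SM30' or '/NSM30' -> 'SM30'


def parse_param(param):
    """Split a TSTCP PARAM string into (core transaction, {field: value})."""
    head, _, rest = param.partition(" ")
    m = PARAM_HEAD.match(head)
    core = m.group(1) if m else head
    fields = {}
    for kv in filter(None, rest.split(";")):
        key, _, value = kv.partition("=")
        fields[key.strip()] = value.strip()
    return core, fields


def auth_group(table):
    """TDDAT lookup. A table with no TDDAT row behaves as &NC& in SAP, so an
    unregistered custom table is as exposed as one explicitly set to &NC&."""
    return TDDAT.get(table, "&NC&")


def tables_behind(tcode):
    """Tables a parameter transaction maintains: resolve the core transaction
    and the VIEWNAME it is fixed to, then the view's base tables. A VIEWNAME
    not found in the view map is taken to be a table maintained directly."""
    if tcode not in TSTCP:
        return set(), None, {}
    core, fields = parse_param(TSTCP[tcode])
    view = fields.get("VIEWNAME")
    tables = VIEW_TABLES.get(view, {view} if view else set())
    return set(tables), core, fields


def review_tcode(tcode):
    """What a reviewer needs per transaction: program, core transaction,
    whether it updates, the tables reached, and authorization-group findings."""
    tables, core, fields = tables_behind(tcode)
    findings = []
    for table in sorted(tables):
        if table not in TDDAT:
            findings.append(f"{table}: not registered in TDDAT (falls to &NC&)")
        elif auth_group(table) == "&NC&":
            findings.append(f"{table}: authorization group is &NC&")
    return {"program": TSTC.get(tcode), "core": core,
            "update": fields.get("UPDATE") == "X",
            "tables": sorted(tables), "findings": findings}


def tcodes_updating(table):
    """Inverse lookup: every parameter transaction that updates `table`.
    A T-code-level review that only lists OB52 misses ZOB52 here."""
    hits = []
    for tcode in TSTCP:
        tables, _, fields = tables_behind(tcode)
        if table in tables and fields.get("UPDATE") == "X":
            hits.append(tcode)
    return sorted(hits)


def editable_tables(dicbercls_values):
    """Tables a user's S_TABU_DIS (DICBERCLS) values let them change, given a
    table-editing T-code: every table whose group is granted, plus every
    unregistered table when &NC& is granted. '*' grants all known tables."""
    known = set(TDDAT) | {t for ts in VIEW_TABLES.values() for t in ts}
    if "*" in dicbercls_values:
        return sorted(known)
    return sorted(t for t in known if auth_group(t) in dicbercls_values)


if __name__ == "__main__":
    print(review_tcode("OB52"))
    print("Also updates T001B:", tcodes_updating("T001B"))
    print("Editable with &NC& only:", editable_tables({"&NC&"}))
```

Two points from the slides show up directly in the output: the custom ZOB52 reaches the same posting-period table as OB52 while sharing none of its name, so a review keyed on the tcode list alone misses it; and the unregistered ZCUSTOM table is reachable by anyone holding &NC& in S_TABU_DIS, exactly the exposure the “no &NC&” rule and the TDDAT registration point are meant to close.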

  • DIRECT DATA UPDATE (CON