LIKE WHAT YOU HEAR? TWEET IT USING: #SEC360

Page 2:

YOUR PRESENTERS
Adam Harpool
§ Supervisor, McGladrey Consulting Services
§ 5+ years of IT consulting experience, including SAP (all phases of the SAP lifecycle), IT internal audit, and IT strategy/effectiveness
§ Education
  § MBA, Columbia University Business School (2016)
  § MS, Carnegie Mellon (2009)
  § BS, University of Florida (2008)

Page 3:

YOUR PRESENTERS
Luke Leaon
§ Supervisor, McGladrey Consulting Services
§ 9+ years of IT consulting experience, including SAP
§ SAP implementation controls work
§ Oracle and SAP post-implementation reviews
§ IT internal audit

Page 4:

INADEQUATE FIREFIGHTER CONTROLS
Key Risk?
§ Excessive access in the system is utilized inappropriately

What is an "industry-leading practice" for FireFighter?
§ Functional, not pervasive (e.g., FIRE_FI, FIRE_SD, etc.): one FF ID per functional area rather than one ID that can do everything
§ Absolutely no use of SAP_ALL, SAP_NEW, or equivalents
§ Preventative control: Approval required, including:
  § Justification
  § T-Code(s) to be executed
  § Ideally, time-limited based on the extent of the work
§ Detective control: Log review after the fact (caution: a log that nobody compares against the approval is not a control)
  § SM19/SM20 (Security Audit Log configuration and analysis) vs. the various FF tool logs
§ Benchmarked (so that FF doesn't become standard operating procedure)
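Added example, not from the presentation: a Python sketch of the detective control above. It correlates a constructed SM20-style log of what the firefighter ID actually ran against constructed approval records (justification ticket, approved T-codes, time window) and counts checkouts per owner against a benchmark. The log layout, the FF IDs, the ticket numbers and the benchmark threshold are all assumptions; a real SM20 export or GRC firefighter log would need its own parser.

```python
"""Detective control for firefighter (FF) use: correlate what the FF ID
actually ran (SM20-style log extract) against the approval that released it.
All data below is constructed for illustration; field layouts are simplified."""
from collections import Counter
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Preventive side of the control: each checkout carries a justification ticket,
# the T-codes the work needs and a time window (constructed records).
APPROVALS = [
    {"ff_id": "FIRE_FI", "owner": "JDOE", "ticket": "CHG-1001",
     "tcodes": {"FB50", "FBL3N"}, "start": "2013-05-14 09:00", "end": "2013-05-14 12:00"},
    {"ff_id": "FIRE_FI", "owner": "JDOE", "ticket": "CHG-1007",
     "tcodes": {"FB50"}, "start": "2013-05-20 14:00", "end": "2013-05-20 15:00"},
    {"ff_id": "FIRE_SD", "owner": "ASMITH", "ticket": "CHG-1003",
     "tcodes": {"VA02"}, "start": "2013-05-15 08:00", "end": "2013-05-15 10:00"},
]

# Constructed SM20-style extract: date time ff_id tcode terminal (one transaction start per line)
LOG = """\
2013-05-14 09:15 FIRE_FI FB50 WS-0042
2013-05-14 09:40 FIRE_FI SE16N WS-0042
2013-05-14 13:05 FIRE_FI FB50 WS-0042
2013-05-15 08:02 FIRE_SD VA02 WS-0077
2013-05-16 11:30 FIRE_SD VA02 WS-0077
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ff_id, tcode, terminal = line.split()
        rows.append({"ts": datetime.strptime(f"{date} {time}", FMT),
                     "ff_id": ff_id, "tcode": tcode, "terminal": terminal})
    return rows


def find_approval(row, approvals):
    """The approval whose window covers this execution of this FF ID, if any."""
    for a in approvals:
        if a["ff_id"] == row["ff_id"] and \
           datetime.strptime(a["start"], FMT) <= row["ts"] <= datetime.strptime(a["end"], FMT):
            return a
    return None


def review(log_text=LOG, approvals=APPROVALS, max_checkouts=2):
    """Return (findings the reviewer must disposition, checkouts per owner).
    max_checkouts is the benchmark: more approvals than this per owner in the
    period means FF is turning into standard operating procedure."""
    findings = []
    for row in parse_log(log_text):
        when = row["ts"].strftime(FMT)
        a = find_approval(row, approvals)
        if a is None:
            # Distinguish "ran outside the approved window" from "no approval at all"
            same_day = [x for x in approvals
                        if x["ff_id"] == row["ff_id"] and x["start"][:10] == when[:10]]
            kind = "OUTSIDE_WINDOW" if same_day else "NO_APPROVAL"
            findings.append((kind, row["ff_id"], row["tcode"], when))
        elif row["tcode"] not in a["tcodes"]:
            findings.append(("TCODE_NOT_APPROVED", row["ff_id"], row["tcode"], when, a["ticket"]))
    per_owner = Counter(a["owner"] for a in approvals)
    for owner, n in per_owner.items():
        if n > max_checkouts:
            findings.append(("ABOVE_BENCHMARK", owner, n))
    return findings, dict(per_owner)


if __name__ == "__main__":
    for f in review()[0]:
        print(f)
```

The three finding types map onto the three bullets of the approval: the SE16N execution was never justified, the 13:05 posting happened after the approved window closed, and the second FIRE_SD session had no approval at all. The benchmark is deliberately a parameter; what "too often" means is a management decision, not something the script should hard-code.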

Page 5:

SEGREGATION OF DUTIES
Key Risk?
§ Users can execute mutually incompatible transactions (e.g., the classic case: create a fictitious vendor and process a payment to that vendor)

What is an "industry-leading practice" for SOD?
§ Standardized, corporate-wide SOD matrix
§ Preventative control: SOD check during user provisioning
  § Are you including cross-system SOD? (e.g., JDE vs. SAP)
  § Do managers know what they're approving?
  § Consider the use of role owners as an approval step
§ Detective control: Periodic review or continuous control monitoring (CCM)
§ Careful with the mitigating controls!
  § The risk of failure of manual controls is almost always higher than that of automated controls
  § And be especially cautious with the administration of risk waivers

Page 6:

CUSTOM RICEWF OBJECT SECURITY
Key Risk?
§ Custom objects (reports, interfaces, conversions, enhancements, workflows, forms), which may drive key business functionality, may have security backdoors that create major vulnerabilities

What is an "industry-leading practice" for RICEWF object security?
§ Preventative control: Strong change management processes (as part of the IT General Controls suite)
  § Is a security plan/security analysis included on the change management forms?
§ Preventative control: Limiting access to key BASIS T-Codes
  § SCC4 (client change options), SE06 (system change option), SA38 (execute any program), STMS (transport management), among many others
§ Preventative control: Maintenance of a comprehensive, updated RICEWF inventory
§ Detective control: Periodic IT security audits and vulnerability assessments

Page 7:

APPLICATION CONTROLS MISALIGNMENT
Key Risk?
§ Key business processes are not appropriately controlled through the use of appropriate application controls (e.g., three-way match, open/close posting periods, duplicate invoice check, etc.)

What is an "industry-leading practice" for application controls?
§ It all starts with having a comprehensive, updated risk and controls matrix (RACM)
  § Key business processes are mapped. Risks are identified; subsequently, controls are designed to address these risks
  § SAP functionality is then enabled to enforce the control
§ Caution: What's the rationale for each control? (e.g., thresholds in three-way match, credit control area settings, etc.) Does it match the business strategy and risk appetite?
§ How often are your application controls tested?
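Added example, not from the presentation: a plain Python version of two of the application controls named above, written so that the thresholds are explicit parameters. It shows the point of the "rationale for each control" caution: the same overbilled invoice is blocked at a 2% price tolerance and released at 10%, and the tolerance translates directly into the amount a vendor can overbill without anyone looking. The document layout, tolerance keys and duplicate-check key fields are simplified assumptions, not SAP's configuration.

```python
"""Three-way match and duplicate-invoice checks with explicit tolerances.
Constructed example; the document layout and control parameters are simplified
and are not SAP's configuration tables."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Line:
    vendor: str
    ref: str           # PO number or vendor invoice reference, depending on the document
    qty: float
    unit_price: float

    @property
    def amount(self):
        return round(self.qty * self.unit_price, 2)


def three_way_match(po, gr, inv, price_tol_pct=2.0, qty_tol_pct=0.0):
    """Return the reasons an invoice should be blocked for payment (empty list = release).
    price_tol_pct: allowed % above the PO unit price;
    qty_tol_pct:   allowed % above the quantity actually received."""
    if gr is None or gr.qty <= 0:
        return [("NO_GOODS_RECEIPT",)]        # nothing received: never pay on PO + invoice alone
    blocks = []
    price_dev = (inv.unit_price - po.unit_price) / po.unit_price * 100
    if price_dev > price_tol_pct:
        blocks.append(("PRICE_VARIANCE", round(price_dev, 2)))
    qty_dev = (inv.qty - gr.qty) / gr.qty * 100
    if qty_dev > qty_tol_pct:
        blocks.append(("QTY_OVER_RECEIPT", round(qty_dev, 2)))
    return blocks


def silent_overbilling_limit(po, price_tol_pct):
    """What the tolerance is worth in money: the overbilling released without review."""
    return round(po.amount * price_tol_pct / 100, 2)


def normalize_ref(ref):
    """'INV-0042 ' and 'inv0042' are the same invoice as far as a duplicate check is concerned."""
    return "".join(ch for ch in ref.upper() if ch.isalnum())


def is_duplicate(inv, posted, keys=("vendor", "ref", "amount")):
    """Flag an invoice matching an already-posted one on the configured key fields.
    Which fields form the key is itself a control setting with a rationale."""
    def key(i):
        return tuple(normalize_ref(i.ref) if k == "ref" else getattr(i, k) for k in keys)
    return any(key(inv) == key(p) for p in posted)


if __name__ == "__main__":
    po = Line("V100", "PO4711", 100, 10.00)
    gr = Line("V100", "PO4711", 100, 10.00)
    inv = Line("V100", "PO4711", 100, 10.80)
    print(three_way_match(po, gr, inv), three_way_match(po, gr, inv, price_tol_pct=10.0))
    print(silent_overbilling_limit(po, 10.0))
```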

Page 8:

INFRASTRUCTURE VULNERABILITIES
Key Risk?
§ The greatest application-level security in the world can be largely undermined by vulnerabilities lower in the stack.

What are areas of particular concern?
§ Database security: particularly "sa" or "sysadmin"-type accounts
§ Interfaces: particularly the "at rest" and "in motion" components
§ OS: the usual concerns related to patches, anti-virus/anti-malware, etc.
  § Recent trend of cyber-criminals moving "upmarket" to target enterprise software systems: http://www.infoworld.com/d/security/new-malware-variant-suggests-cybercriminals-targeting-sap-users-230014
§ Network: particular attention to port management processes

Page 9:

USER ACCESS REVIEWS
1. Reviews do not have appropriate ownership assigned; access owners are ill-equipped to assess access due to the technical and granular nature of SAP security.
2. Access to key functions is not identified, making it difficult for owners to assess the key access.
3. Reviews do not go down to the authorization object level, only the T-code level.
  § People may have access to key authorization objects like S_TABU_DIS (table maintenance by authorization group) or S_DEVELOP (ABAP Workbench) and not be identified during the review because they don't have one of the key T-codes under review.
  § There are typically multiple T-codes that can use an authorization object, so review access to, and protection of, data rather than functions, which may change and are numerous.

Page 10:

INTERFACES
1. System IDs used for interfacing have SAP_ALL, and these accounts are being changed from the system user type to dialog to circumvent security controls.
2. Completeness and accuracy of the data received.
3. New interfaces potentially introduce systems that are material.
4. System accounts and interfaces need to be reviewed; this is not typically performed in a standard SOX ITGC audit.

Page 11:

DIRECT DATA UPDATE
§ Access to authorization object S_TABU_DIS with activity 02 (change) may be distributed to lots of personnel throughout an organization. This allows direct editing of tables (assuming the user also has one of the many T-codes that can edit tables directly).
§ It is difficult to determine all of the T-codes that may allow direct editing of tables; as functionality changes, new T-codes are released: SE16, SE16N, SE17, SM30, SM31, SPRO...
§ SE16N edit mode (the &SAP_EDIT function) was patched by SAP, though users can still enter edit mode if they have debug authorization. Debug in general shouldn't be in production, as it can be used to circumvent authorization checks in code.

Page 12:

DIRECT DATA UPDATE (CONTINUED)
§ Program execution transactions, like SA38 and SE38, can call the programs that other transactions execute. You can look up which program a transaction calls in table TSTC. This could allow unauthorized access to direct data update programs without the user holding the transaction itself.
§ Authorization groups on tables can help you restrict access, assuming all of the tables are registered in table TDDAT (developers may not register custom tables; an unregistered table is treated as belonging to group &NC&).
§ All transactional and security-related tables should have a defined authorization group, not "&NC&".

Page 13:

DIRECT DATA UPDATE (CONTINUED)
§ Some function modules do not perform authorization checks on S_TABU_DIS.
§ Weak parameter transactions, especially custom-developed ones, could allow a user to directly update any table.
§ If some users need direct-update access, specify the specific tables via S_TABU_NAM rather than granting a whole authorization group through S_TABU_DIS.
§ The next walk-through will demonstrate that transaction codes don't always give you the full picture, and the potential for security holes in parameter transactions.

Page 14:

DIRECT DATA UPDATE (CONTINUED)
Parameter Transactions: OB52 walkthrough (pages 14 to 20; the walkthrough screenshots are not reproduced, only the slide captions)
1. TSTCP table: look up the parameter string behind OB52 (the open/close posting periods transaction).
2. OB52 uses view V_T001B.
3. SE12: identify the relevant tables for the view.
4. SE12: identify the views in which the table is used.
5. SE16N: identify the parameter transaction(s) that maintain the view.
6. Check for custom parameter transactions built on SM30.
7. Poor development? Check: is there a "*"?
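Added example, not from the presentation: a Python sketch that automates the direct-data-update analysis of pages 11 to 20, and also the authorization-object-level point from the user access review slide (users holding S_TABU_DIS without a key T-code). From constructed extracts of TSTCP (parameter transaction strings) and TDDAT (authorization groups) plus a user's S_TCODE, S_TABU_DIS and S_TABU_NAM values, it resolves which tables or views the user can actually change, flags weak custom parameter transactions (initial screen still reachable, or no VIEWNAME pinned), and lists what ends up exposed only through &NC&. The TSTCP strings follow the real "/*SM30 VIEWNAME=...;" layout, but the specific group assignments, user data and Z-transactions are constructed; the TSTC/SA38 program-call angle from page 12 is not modelled.

```python
"""Resolve which tables/views a user can change directly, from constructed
extracts of TSTCP (parameter transactions) and TDDAT (authorization groups)
plus the user's S_TCODE, S_TABU_DIS and S_TABU_NAM values.
Constructed data; group assignments and Z-transactions are illustrative."""
import re

# Generic table maintenance/edit transactions: the user picks the object on the screen
GENERIC_TABLE_TCODES = {"SM30", "SM31", "SE16", "SE16N", "SE17"}

# TSTCP.PARAM: "/*" skips the initial screen (object pinned), "/N" shows it (object free)
TSTCP = {
    "OB52":  "/*SM30 VIEWNAME=V_T001B;UPDATE=X;",   # standard: posting periods, view pinned
    "ZPER1": "/NSM30 VIEWNAME=V_T001B;UPDATE=X;",   # custom: initial screen reachable
    "ZPER2": "/*SM30 UPDATE=X;",                     # custom: no VIEWNAME at all
}
# TDDAT: object -> authorization group. ZCUSTTAB is deliberately missing (never registered).
TDDAT = {"V_T001B": "FC31", "T001B": "FC31", "LFA1": "FA00", "USR02": "SC", "ZCUSTPAY": "&NC&"}
ALL_OBJECTS = set(TDDAT) | {"ZCUSTTAB"}

USERS = {  # S_TABU_DIS values are (DICBERCLS, ACTVT); S_TABU_NAM values are (TABLE, ACTVT)
    "JDOE":   {"S_TCODE": {"OB52", "FB50"}, "S_TABU_DIS": [("FC31", "02")], "S_TABU_NAM": []},
    "ADMIN1": {"S_TCODE": {"SM30"}, "S_TABU_DIS": [("&NC&", "02"), ("FC31", "03")],
               "S_TABU_NAM": [("LFA1", "02")]},
    "DEV2":   {"S_TCODE": {"ZPER1", "ZPER2"}, "S_TABU_DIS": [("*", "02")], "S_TABU_NAM": []},
}

PARAM_RE = re.compile(r"^(?P<skip>/\*|/N)?(?P<tcode>\w+)\s*(?P<rest>.*)$")


def auth_group(obj):
    """Objects without a TDDAT entry behave as if they were in &NC&."""
    return TDDAT.get(obj, "&NC&")


def _match(pattern, value):
    return pattern == "*" or pattern == value or (pattern.endswith("*") and value.startswith(pattern[:-1]))


def may_change(auths, obj):
    """Table maintenance check order: S_TABU_DIS on the group first, then S_TABU_NAM on the name."""
    if any(_match(g, auth_group(obj)) and a == "02" for g, a in auths["S_TABU_DIS"]):
        return True
    return any(_match(t, obj) and a == "02" for t, a in auths["S_TABU_NAM"])


def parse_param(param):
    """(target tcode, initial screen skipped?, VIEWNAME or None) from a TSTCP.PARAM string."""
    m = PARAM_RE.match(param.strip())
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split(";") if "=" in kv)
    return m.group("tcode").upper(), m.group("skip") == "/*", fields.get("VIEWNAME")


def reachable_objects(tcodes):
    """Objects the user can open for maintenance. None = any object (a screen lets them choose).
    Also returns the weak parameter transactions that caused that."""
    pinned, weak, any_object = set(), [], False
    for tc in sorted(tcodes):
        if tc in GENERIC_TABLE_TCODES:
            any_object = True
        elif tc in TSTCP:
            target, skip, view = parse_param(TSTCP[tc])
            if target not in GENERIC_TABLE_TCODES:
                continue
            if skip and view:
                pinned.add(view)
            else:                      # initial screen reachable or nothing pinned: weak
                weak.append(tc)
                any_object = True
    return (None if any_object else pinned), weak


def direct_update_exposure(user):
    auths = USERS[user]
    objs, weak = reachable_objects(auths["S_TCODE"])
    candidates = ALL_OBJECTS if objs is None else objs
    editable = sorted(o for o in candidates if may_change(auths, o))
    return {"editable": editable, "weak_tcodes": weak,
            "unprotected": sorted(o for o in editable if auth_group(o) == "&NC&")}


if __name__ == "__main__":
    for u in USERS:
        print(u, direct_update_exposure(u))
```

ADMIN1 is the case a T-code-level review misses: the review sees SM30 and a display-only FC31 value, but the &NC& change authorization reaches the unregistered custom table as well as the one a developer registered under &NC&, and S_TABU_NAM adds LFA1 by name. DEV2 shows why the walkthrough asks what is behind a custom parameter transaction: both Z-transactions call SM30, but neither pins the view, so the "functional" transaction is really full SM30.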

Page 21:

USER ADMIN CONTROLS
§ Ineffective provisioning and de-provisioning controls
  § Dependent on your environment: single sign-on? Federated passwords?
  § Approvers not knowledgeable
  § Access not role-based
§ Relying on an automated AD/HR record to remove access: potential for technology issues, accounts renamed
  § Technology changes could make the control ineffective
§ Status of users; which system is the system of record?
  § Managers not communicating rehired contractors, temps
  § Contractors not in the HR system
  § May not be connected to the infrastructure

Page 22:

USER ADMIN CONTROLS (CONTINUED)
§ Contractors
  § Are contractor accounts set to expire?
  § Conversion: users with more than one ID, each with different access
§ Transfers
  § Transfers retaining access
  § Access accumulating
§ Cloning
  § Users cloned, giving excessive access
  § Not role-based
  § Inaccurate information (users not named correctly)
§ Super users
  § Access not approved, informally given out
  § Super users leaving, with their accounts embedded in processing (SAP, DB, OS): potential vulnerabilities
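Added example, not from the presentation: a Python reconciliation of a constructed SAP user extract against the systems of record, covering the failure modes on the two user admin slides and the interface-account point from page 10 in one pass: terminated employees still active, contractors without an expiry, people with several IDs left over from a conversion, interface IDs switched to the dialog user type, SAP_ALL on any account, and dialog users that no system of record owns. The USR02-style layout, the "IF_" naming convention for interface accounts and the use of a separate contractor register are assumptions.

```python
"""Reconcile an SAP user extract against the systems of record (HR and the
contractor register) to catch de-provisioning and account-type failures.
All records are constructed; the USR02-style layout is simplified."""
from collections import defaultdict, namedtuple

User = namedtuple("User", "name utype valid_to last_logon profiles person")
# utype: A = dialog, B = system, C = communication; valid_to "" = unlimited;
# person = employee/contract id the user is linked to (USR21-style), "" = none
USR02 = [
    User("JDOE",    "A", "",           "2013-05-20", {"Z_AP_CLERK"}, "E1001"),
    User("JDOE2",   "A", "",           "2012-11-01", {"Z_AP_PAY"},   "E1001"),  # leftover from a conversion
    User("BSMITH",  "A", "",           "2013-05-18", {"Z_AP_PAY"},   "E1002"),  # HR: terminated 2013-04-30
    User("CONTR01", "A", "9999-12-31", "2013-05-19", {"Z_DISPLAY"},  "C2001"),  # contractor, never expires
    User("IF_JDE",  "A", "",           "2013-05-21", {"SAP_ALL"},    ""),       # interface ID now dialog
    User("IF_EDI",  "B", "",           "2013-05-21", {"Z_IF_EDI"},   ""),       # interface ID as it should be
    User("TEMP7",   "A", "",           "2013-05-10", set(),          ""),       # nobody owns this one
]
HR = {"E1001": ("ACTIVE", ""), "E1002": ("TERMINATED", "2013-04-30")}
CONTRACTORS = {"C2001": "2013-06-30"}     # contract end date, kept outside HR (assumed register)
AS_OF = "2013-05-22"
INTERFACE_PREFIX = "IF_"                   # naming convention assumed for interface accounts


def review_users(users=USR02, hr=HR, contractors=CONTRACTORS, as_of=AS_OF):
    """Return sorted (user, finding) pairs. ISO date strings compare correctly as text."""
    findings = []
    ids_per_person = defaultdict(list)
    for u in users:
        if u.person:
            ids_per_person[u.person].append(u.name)
    for u in users:
        is_interface = u.name.startswith(INTERFACE_PREFIX)
        if "SAP_ALL" in u.profiles:
            findings.append((u.name, "SAP_ALL"))
        if is_interface and u.utype == "A":           # system ID converted to dialog
            findings.append((u.name, "INTERFACE_ID_IS_DIALOG"))
        active = not u.valid_to or u.valid_to >= as_of
        if u.utype != "A" or not active:
            continue                                   # remaining checks are for live dialog users
        if u.person in hr:
            status, term_date = hr[u.person]
            if status == "TERMINATED":
                findings.append((u.name, "TERMINATED_STILL_ACTIVE"))
                if u.last_logon > term_date:
                    findings.append((u.name, "LOGON_AFTER_TERMINATION"))
        elif u.person in contractors:
            if not u.valid_to or u.valid_to > contractors[u.person]:
                findings.append((u.name, "CONTRACTOR_NO_EXPIRY"))
        elif not is_interface:
            findings.append((u.name, "NO_SYSTEM_OF_RECORD"))
        if u.person and len(ids_per_person[u.person]) > 1:
            findings.append((u.name, "MULTIPLE_IDS"))
    return sorted(findings)


if __name__ == "__main__":
    for f in review_users():
        print(*f)
```

The contractor and "no system of record" findings only exist because the script consults something other than HR; a control that relies solely on the automated HR feed, as the slide warns, would have nothing to say about CONTR01 or TEMP7 at all.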

Page 23:

QUESTIONS?

Page 24:

CONTACT INFO § Please feel free to contact us with questions:

§ Luke Leaon § [email protected]

§ Adam Harpool § [email protected]
