Secure mySAP ERP and Enforce Accountability for SOX Compliance with Biometrics

Secure mySAP ERP and Enforce Accountability for SOX Compliance with Biometrics Cyndi Wolf, Polk County Public Schools Thomas Neudenberger, realtime North America Inc. Email: [email protected] or [email protected]


Transcript of Secure mySAP ERP and Enforce Accountability for SOX Compliance with Biometrics

Page 1: Title slide (title and authors as listed above)

Page 2: Learning Points

• SAP security and all compliance efforts (SoD) rest solely on password-protected user profiles
• Passwords are not secure; they offer very limited protection and no accountability at all
• Damages include severe financial losses, espionage, bad press, image loss, lawsuits, compliance violations, etc.
• Experts agree: biometrics is the most promising solution approach

Page 3: Expert Statements – SAP Movie

http://realtimenorthamerica.com/download/Expert_statements.wmv

Page 4: 5 Facts about IT Security

1. Data theft and espionage are a rapidly growing crime*
2. Intruders target user profiles with extended authorizations
3. Profiles are protected with passwords that offer very limited protection
4. Long-term damages include financial loss, image loss, a declining stock price, lawsuits and compliance violations
5. Without biometrics, deterrence, prevention and conviction are impossible

*$400 million in damages in the DuPont espionage case

Page 5: Statistics: Threat in numbers…

• 82% of all passwords are written down (SAP-Info Online)
• 40% say they share passwords frequently (Source: Rainbow)
• 95% result in significant financial losses (Source: Gartner)
• 92% of corporations and government agencies detected computer security breaches in the last 12 months
• U.S. fraud costs were $52.6 billion in 2005 ("ID Theft", SC Magazine, January 2006, page 70, referring to a Better Business Bureau survey)
• Intellectual property theft costs U.S. companies between $200 billion and $250 billion a year in sales ("Counterfeit Facts", CSO Magazine, January 2006, page 44)

Page 6: Recent News about Hackers

Hackers shift focus from 'causing damage' to 'stealing data'

2003: $168,000 (average loss from theft per company)
2004: $355,000 (average loss from theft per company)
2005: ?

One of the largest (reported) computer crimes: Scott Levine of Snipermail.com stole over 8.2 gigabytes of data from Acxiom Corp. (Apr. 2002 – Aug. 2003) BY CRACKING ENCRYPTED PASSWORDS TO GAIN ACCESS!!!

Page 7: Customer Pain Points

SAP Logon: unauthorized users use or share SAP user IDs, even at different locations at the same time

HR: protecting and securing HR information, including health insurance data, salaries and social security numbers

Finance: preventing tampering with payment release, salary wire transfers, and requesting or changing budgets

Balance Sheets: access to critical company information

Research Data: research data is stolen or changed

Purchasing: unauthorized users purchase unauthorized items

Workflow Approval: people use their supervisors' passwords

Fast User Switching: users are supposed to log in and out for minimal tasks but never do (bank, hospital, warehouse etc.)

Passwords: remembering multiple passwords that can require up to 15 characters

True Identity Management / Compliance (Sarbanes-Oxley, Section 404, Internal Controls)

Page 8: The 3 Ways to Protect – I

There are 3 ways to protect physical or data access:

1. What you know…
2. What you have…
3. Who you are…

Page 9: The 3 Ways to Protect – II

What you know… Passwords / PIN / Codes

What you have… Smart cards / Tokens / Keys

Who you are… Biometrics – Fingerprint etc.

Page 10: The 3 Ways to Protect – III

Biometrics is the only true protection, since the user is UNIQUELY identified!!!

Smart cards and tokens can still be lost, stolen or passed on – and the user cannot be identified or held responsible…

Passwords are the historically accepted attempt at protecting computer systems… They offer limited protection and no identity management at all!!!

Lawyers love these 2 ways and call it: SODDI ("some other dude did it")

Page 11: 20 Ways to get anybody's Password:

• Look in drawers or on the "yellow sticky note"
• Look over co-workers' shoulders (shoulder surfing)
• Ask colleagues – 40% admit to sharing passwords
• Get an emergency password (from the security guard)
• Call the hotline to get a password reset for any user
• Check unencrypted .ini files
• Try the SAP default password for SAP* – 06071992
• Key catchers and password crackers – now sold as "recovery tools"
• Monitoring / sniffers (traffic from the SAP GUI is not encrypted)
• Or simply associate with the owner (pet, family, hometown)

Download the "Fishing for Passwords" document at www.bioLock.us

Page 12: Verification versus Identification

Old verification (1:1): the user states who they are (SAP user / password, smart card or logon / biometrics) and the system checks that single credential.

Advanced identification (1:N):
• Searches a database of hundreds or thousands of biometric templates
• Uniquely identifies Thomas and launches Thomas's system; might identify Thomas and still reject him based on authorization
• Thomas's tasks or attempts are logged in an auditing log file

Page 13: Independent Additional Protection

Page 14: Protect selected – NOT all – Users

Until now you had to worry about protecting access for ALL SAP users…

• bioLock protects individual functions in the system
• You only need to protect the users that have access to those functions
• All others will not be able to access them anyway – not even with SAP_ALL
• Functions can be protected either globally or on an individual basis
• You only have to worry about a few hundred users

(Diagram: "Protected" users versus users with "NO NEED to protect")
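The two matching modes of Page 12 and the "protect the function, not every user" model of Page 14, in working form. This is an added example and not bioLock's or SAP's code: the templates are toy feature vectors, the distance threshold is arbitrary, and the user ids, transaction codes (ME55 for requisition release, CAT2 for time entry) and function names are assumptions for illustration. It also shows a caveat the slides do not state: in a 1:N search an impostor gets one chance per enrolled template, so the system-level false-accept rate grows as 1 - (1 - FAR)^N.

```python
"""Verification (1:1) versus identification (1:N) biometric matching, and a
biometric gate in front of a protected SAP-style function with an audit log.

Added example, not bioLock or SAP code. Templates are toy 8-element feature
vectors and the Euclidean threshold is arbitrary; a real system stores
vendor-specific fingerprint templates and tunes the threshold to a target
false-accept rate. User ids, transaction codes and the function names below
are assumptions for illustration only."""
import math
from datetime import datetime, timezone

# Constructed enrolment database: user id -> biometric template.
TEMPLATES = {
    "THOMAS": [0.9, 0.1, 0.8, 0.2, 0.7, 0.3, 0.6, 0.4],
    "CYNDI": [0.1, 0.9, 0.2, 0.8, 0.3, 0.7, 0.4, 0.6],
}

# Constructed SAP-side authorizations: user id -> transactions the role
# allows, or the string "SAP_ALL" for an unrestricted profile. ADMIN holds
# SAP_ALL but is deliberately NOT enrolled in TEMPLATES.
AUTHORIZATIONS = {
    "THOMAS": {"ME55"},   # ME55: collective release of purchase requisitions
    "CYNDI": {"CAT2"},    # CAT2: time sheet entry, no release authority
    "ADMIN": "SAP_ALL",
}

# Functions the biometric layer guards (assumed: requisition release only).
PROTECTED = {"ME55"}

THRESHOLD = 0.3   # assumed match threshold on the toy distance scale
AUDIT_LOG = []    # every attempt on a protected function lands here


def distance(a, b):
    """Euclidean distance between two templates (lower = more similar)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(claimed_user, probe):
    """1:1 verification: the caller names a user (like an SAP logon) and the
    probe is compared against that single template only."""
    template = TEMPLATES.get(claimed_user)
    return template is not None and distance(template, probe) <= THRESHOLD


def identify(probe):
    """1:N identification: no user id is supplied; every enrolled template is
    searched and the closest one under threshold wins. Returns the user id,
    or None when nothing matches."""
    best_user, best_dist = None, THRESHOLD
    for user, template in TEMPLATES.items():
        d = distance(template, probe)
        if d <= best_dist:
            best_user, best_dist = user, d
    return best_user


def system_false_accept_rate(per_comparison_far, n_templates):
    """Why 1:N is riskier than 1:1: an impostor probe gets one chance per
    enrolled template, so the chance that at least one template falsely
    matches is 1 - (1 - FAR)^N. At FAR = 1e-4 and 1000 templates this is
    about 0.095, i.e. roughly 9.5% per impostor attempt."""
    return 1.0 - (1.0 - per_comparison_far) ** n_templates


def has_authorization(user, tcode):
    """Plain SAP-style role check, independent of the biometric layer."""
    auths = AUTHORIZATIONS.get(user, set())
    return auths == "SAP_ALL" or tcode in auths


def execute(user, tcode, probe=None):
    """Layered check for a transaction: the existing role check runs first
    and is left untouched; for protected functions a 1:1 verification of the
    logged-on user is then required, and the attempt is logged with its
    outcome either way. A user with SAP_ALL but no template is refused, and
    the refusal is on record."""
    if not has_authorization(user, tcode):
        return "denied: no authorization"
    if tcode in PROTECTED:
        ok = probe is not None and verify(user, probe)
        AUDIT_LOG.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "tcode": tcode,
            "result": "ok" if ok else "biometric_failed",
        })
        if not ok:
            return "denied: biometric verification failed"
    return "executed"


# Constructed probes: a fresh scan is never identical to the enrolled template.
THOMAS_PROBE = [0.85, 0.15, 0.8, 0.25, 0.7, 0.3, 0.55, 0.4]
CYNDI_PROBE = [0.15, 0.9, 0.2, 0.75, 0.3, 0.7, 0.4, 0.65]
UNKNOWN_PROBE = [0.5] * 8

if __name__ == "__main__":
    print("identify:", identify(THOMAS_PROBE), identify(UNKNOWN_PROBE))
    print("THOMAS ME55:", execute("THOMAS", "ME55", THOMAS_PROBE))
    print("CYNDI ME55:", execute("CYNDI", "ME55", CYNDI_PROBE))
    print("ADMIN ME55:", execute("ADMIN", "ME55"))
    print("1:N FAR at N=1000:", round(system_false_accept_rate(1e-4, 1000), 4))
    for entry in AUDIT_LOG:
        print(entry)
```

Run it directly to see the demo: ADMIN holds SAP_ALL yet is refused on ME55 because there is no template to verify against, and the refusal sits in AUDIT_LOG, which is the accountability the deck is after. The 1:N figure is the reason large deployments prefer verification against a claimed identity (user name or badge) and keep pure identification for small groups.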

Page 15: Security Level – Overview

(Diagram: Security Level I, Level II, Level III)

"Protect the king – not the castle!"*

*Quote from the RSA 2007 keynote speech with Bill Gates

Page 16: bioLock "sits" on top of SAP Security

Existing SAP security, plus additional bioLock security on top.

bioLock will not "touch" or change your existing security roles or profiles!

Page 17: Why should any company invest in biometrics?

• To prevent critical lawsuits, image loss and bad press
• To protect themselves from monetary damages and espionage
• To comply with mandatory regulations such as: HIPAA, the California Act, the Data Protection Act, FDA (Part 11 – Electronic Records), Sarbanes-Oxley Act – Section 404

Biometric technology will prevent most attacks, log uniquely identified users and their activities, and 'scare off' potential attackers!!!

Page 18: Sarbanes-Oxley – Overview

• In 2001/2002 some of the largest US companies went bankrupt, like Enron or WorldCom
• Their management had hidden and changed financial data and betrayed investors
• In 2002 the Sarbanes-Oxley Act was made law to establish better controlling and accounting transparency
• The strongest focus is on internal controls
• An average US company spends $1 million for every $1 billion of revenue every year on SOX compliance
• Using compliance tools for SoD

Without biometrics, "TRUE" SoD can't be accomplished!

Page 19: Prevent jail time for your management

• Knowingly certifying a false SOX statement under Section 906: fines up to $1 million + 10 years in jail
• WILLFULLY certifying the same statement: fines up to $5 million + 20 years in jail
• Enron's CEO was facing 45 years in the corporate trial and 120 years in the personal trials
• Fact is: no management has any control over which internal or external person could change any statements or data
• Biometrics will only allow authorized users to make changes, but more importantly, will uniquely identify them and their activities

Page 20: Don't let this happen to your management

Page 21: Introduction: Polk County Public Schools

• The eighth-largest school district in Florida and among the largest 40 nationally
• Nearly 93,000 students at almost 160 school sites
• Largest employer in Polk County, with more than 11,500 employees, half of whom are teachers
• Bartow High's International Baccalaureate School was ranked by Newsweek magazine in 2006 as #169 of the nation's top 1,000 public high schools

Abdu Taguri, CIO

Page 22: The Security Challenge: Polk County Public Schools

• User IDs and passwords are written down and posted on or near workstations at an alarming rate
• SAP is used for most of the district's business processes: HR, Payroll, Finance, Asset Management, Purchasing, Warehousing, Work Orders, Project Systems
• Security is role-based and assigned via position on the org chart; user IDs are maintained on HR Infotype 0105
• Concern for "accountability" of the principal as the CEO of the individual school
• "Delegation" of responsibility to the school secretary via user ID and password sharing
• "True Story"

True Story explained: at the school district, a lady in the finance department paid most of her personal bills from the school district's accounts. She would create fake invoices from nonexistent vendors for the exact amounts and then pay her personal bills with school funds. Her setup was so perfect that she got away with it for a long time.

Unfortunately for her, "as a joke" one of her personal vendors called the school district and asked about a job opening. When asked for a reason, he answered that he was looking for an employer that would pay his personal bills.

It was fortunate for the school that this person tried to make a joke and ended up stopping a large-scale financial fraud. This story was presented by Cyndi Wolf, Director of Systems Integration, who was in the school's finance department when it happened.

Page 23: Biometric Approach: Polk County Public Schools

• Logon to the principal's SAP user ID is protected to prevent:
  • unauthorized access
  • well-intentioned "delegation"
• Transactions protected:
  • Requisition release
  • Payroll (time entry) approval
• Biometric segregation of duty
• Electronic signature in workflow (future)

Page 24: Do we need this 'High Level Security'?

This is your "security" now…

This is the security we suggest:

Live demo following now…

Contact realtime at [email protected] or 1-877-bioLock to schedule a personalized online education for your team!

Page 25: Session Code 0910