Top 10 SAP Audit Security Risks

Upload: rohan

Post on 04-Nov-2015


TRANSCRIPT

  • LIKE WHAT YOU HEAR? TWEET IT USING: #SEC360

  • YOUR PRESENTERS

    Adam Harpool, Supervisor, McGladrey Consulting Services

    5+ years of IT consulting experience, including SAP (all phases of the SAP lifecycle), IT internal audit, and IT strategy/effectiveness

    Education: MBA, Columbia University Business School (2016); MS, Carnegie Mellon (2009); BS, University of Florida (2008)


  • YOUR PRESENTERS

    Luke Leaon, Supervisor, McGladrey Consulting Services

    9+ years of IT consulting experience, including SAP, SAP implementation controls work, Oracle and SAP post-implementation reviews, and IT internal audit


  • INADEQUATE FIREFIGHTER CONTROLS

    Key risk: excessive access in the system is utilized inappropriately.

    What is an industry-leading practice for FireFighter?

    Functional, not pervasive FF IDs (e.g., FIRE_FI, FIRE_SD, etc.); absolutely no use of SAP_ALL, SAP_NEW, or equivalents.

    Preventative control: approval required, including a justification, the T-code(s) to be executed, and ideally a time limit based on the extent of the work.

    Detective control: log review after the fact (caution!); SM19/SM20 vs. the various FF logs.

    Benchmarked, so that FF doesn't become standard operating procedure.
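    As an added illustration of the preventative and detective controls above (this is not code from the presentation), the following Python reconciles FF log entries against time-limited approvals, flags users whose FF usage exceeds a benchmark, and catches FF IDs built on SAP_ALL/SAP_NEW. The record shapes, FF IDs, users, t-codes and timestamps are all constructed; a real run would read the approval workflow's data and SM20 or the FF tool's own log.

```python
"""Reconcile FireFighter (FF) sessions against approvals and benchmark FF usage.

Added example; the record shapes (Approval, Session) and all data below are
constructed for illustration and are not a GRC product's schema or logs.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

PERVASIVE_PROFILES = {"SAP_ALL", "SAP_NEW"}


@dataclass(frozen=True)
class Approval:
    ff_id: str            # functional FF ID, e.g. FIRE_FI
    user: str             # person approved to use it
    justification: str    # ticket/business reason recorded on the request
    tcodes: frozenset     # t-codes the approver agreed to
    valid_from: datetime  # time-limited window
    valid_to: datetime


@dataclass(frozen=True)
class Session:
    ff_id: str
    user: str
    tcode: str            # as seen in the FF log / SM20
    executed_at: datetime


def find_exceptions(approvals, sessions):
    """Return (session, reason) for every FF action not covered by an approval.

    A session is covered only if an approval for the same FF ID and user was
    in effect at execution time AND lists the executed t-code.
    """
    exceptions = []
    for s in sessions:
        in_window = [a for a in approvals
                     if a.ff_id == s.ff_id and a.user == s.user
                     and a.valid_from <= s.executed_at <= a.valid_to]
        if not in_window:
            exceptions.append((s, "no approval in effect at execution time"))
        elif not any(s.tcode in a.tcodes for a in in_window):
            exceptions.append((s, f"t-code {s.tcode} not on the approval"))
    return exceptions


def heavy_users(sessions, max_actions):
    """Users whose FF action count exceeds the benchmark: a sign FF has become routine."""
    counts = Counter(s.user for s in sessions)
    return sorted(u for u, n in counts.items() if n > max_actions)


def pervasive_ff_ids(ff_profiles):
    """FF IDs carrying SAP_ALL/SAP_NEW instead of functional roles."""
    return sorted(ff for ff, profiles in ff_profiles.items()
                  if set(profiles) & PERVASIVE_PROFILES)


# --- constructed sample data (not real approvals or logs) -------------------
APPROVALS = [
    Approval("FIRE_FI", "jdoe", "Period-end posting correction, ticket INC-0001 (constructed)",
             frozenset({"FB01", "FBL3N"}),
             datetime(2015, 11, 4, 8, 0), datetime(2015, 11, 4, 18, 0)),
]
SESSIONS = [
    Session("FIRE_FI", "jdoe", "FB01", datetime(2015, 11, 4, 9, 30)),   # covered
    Session("FIRE_FI", "jdoe", "SE16", datetime(2015, 11, 4, 10, 0)),   # t-code not approved
    Session("FIRE_FI", "jdoe", "FB01", datetime(2015, 11, 5, 9, 0)),    # outside the window
    Session("FIRE_SD", "asmith", "VA01", datetime(2015, 11, 4, 9, 0)),  # no approval at all
]
FF_PROFILES = {"FIRE_FI": ["Z_FI_FIREFIGHTER"], "FIRE_SD": ["SAP_ALL"]}  # constructed

if __name__ == "__main__":
    for session, reason in find_exceptions(APPROVALS, SESSIONS):
        print(f"EXCEPTION {session.user} {session.ff_id} {session.tcode}: {reason}")
    print("heavy users:", heavy_users(SESSIONS, max_actions=2))
    print("pervasive FF IDs:", pervasive_ff_ids(FF_PROFILES))
```

    The benchmark threshold is the part worth arguing over with the business: it should be set from normal-period FF volume so that a user who lives in FF shows up as an exception rather than as the norm.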


  • SEGREGATION OF DUTIES

    Key risk: users can execute mutually incompatible transactions (e.g., the classic case: create a fictitious vendor and process a payment to that vendor).

    What is an industry-leading practice for SOD? A standardized, corporate-wide SOD matrix.

    Preventative control: SOD check during user provisioning. Are you including cross-system SOD (e.g., JDE vs. SAP)? Do managers know what they're approving? Consider the use of role owners as an approval step.

    Detective control: periodic review or continuous control monitoring (CCM). Be careful with the mitigating controls! The risk of failure of manual controls is almost always higher than that of automated controls, and be especially cautious with the administration of risk waivers.
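    An added example (not part of the presentation) of the preventative control just described: a provisioning-time SOD check against a corporate-wide matrix that spans two systems. The business functions, SOD pairs and role names are constructed; the SAP t-codes named are real transactions, while the JDE entries are placeholders standing in for that system's own program names.

```python
"""SOD check at provisioning time against a corporate-wide, cross-system matrix.

Added example. The functions, SOD pairs and role definitions are constructed;
SAP t-codes named are real transactions, the JDE entries are placeholders
standing in for that system's own program names.
"""

# Business functions as sets of (system, transaction) pairs.
FUNCTIONS = {
    "VENDOR_MASTER_MAINTAIN": {("SAP", "XK01"), ("SAP", "XK02"), ("SAP", "FK01"),
                               ("JDE", "JDE_VENDOR_MASTER_PLACEHOLDER")},
    "VENDOR_INVOICE_ENTRY":   {("SAP", "FB60"), ("SAP", "MIRO")},
    "PAYMENT_RUN":            {("SAP", "F110"), ("JDE", "JDE_PAYMENT_RUN_PLACEHOLDER")},
}

# Corporate SOD matrix: unordered pairs of functions that one person must not hold.
SOD_MATRIX = {
    frozenset({"VENDOR_MASTER_MAINTAIN", "PAYMENT_RUN"}):
        "create a fictitious vendor and pay it",
    frozenset({"VENDOR_MASTER_MAINTAIN", "VENDOR_INVOICE_ENTRY"}):
        "create a fictitious vendor and invoice against it",
    frozenset({"VENDOR_INVOICE_ENTRY", "PAYMENT_RUN"}):
        "enter and pay a fraudulent invoice",
}

# Roles (constructed names) and the transactions they grant, per system.
ROLES = {
    "Z_SAP_AP_CLERK":      {("SAP", "FB60"), ("SAP", "MIRO")},
    "Z_SAP_VENDOR_MASTER": {("SAP", "XK01"), ("SAP", "XK02")},
    "Z_SAP_TREASURY":      {("SAP", "F110")},
    "JDE_VENDOR_ADMIN":    {("JDE", "JDE_VENDOR_MASTER_PLACEHOLDER")},
}


def functions_granted(roles):
    """Business functions reachable through the given roles, across all systems."""
    access = set()
    for role in roles:
        access |= ROLES[role]
    return {f for f, txns in FUNCTIONS.items() if txns & access}


def sod_conflicts(roles):
    """All SOD matrix pairs fully present in the combined access of `roles`."""
    funcs = functions_granted(roles)
    return sorted((tuple(sorted(pair)), risk)
                  for pair, risk in SOD_MATRIX.items() if pair <= funcs)


def provisioning_check(existing_roles, new_role):
    """Conflicts a request would introduce: run this before approval, not after."""
    before = set(sod_conflicts(set(existing_roles)))
    after = set(sod_conflicts(set(existing_roles) | {new_role}))
    return sorted(after - before)


if __name__ == "__main__":
    request = ({"Z_SAP_AP_CLERK"}, "Z_SAP_TREASURY")
    for pair, risk in provisioning_check(*request):
        print(f"BLOCK request {request[1]}: {pair[0]} + {pair[1]} -> {risk}")
    cross = ({"Z_SAP_TREASURY"}, "JDE_VENDOR_ADMIN")
    print("cross-system conflicts:", provisioning_check(*cross))
```

    Because functions are defined as (system, transaction) pairs, the second request in the usage block is blocked even though the user's existing access is in SAP and the new role is in JDE; a matrix keyed only on SAP t-codes would never see that pair.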


  • CUSTOM RICEWF OBJECT SECURITY

    Key risk: custom objects (which may drive key business functionality) may have security backdoors that create major vulnerabilities.

    What is an industry-leading practice for RICEWF object security?

    Preventative control: strong change management processes (as part of the IT General Controls suite). Is a security plan/security analysis included on change management forms?

    Preventative control: limiting access to key BASIS T-codes: SCC4, SE06, SA38, STMS (among many others).

    Preventative control: maintenance of a comprehensive, updated RICEWF inventory.

    Detective control: periodic IT security audits and vulnerability assessments.


  • APPLICATION CONTROLS MISALIGNMENT

    Key risk: key business processes are not appropriately controlled through the use of appropriate application controls (e.g., three-way match, open/close posting periods, duplicate invoice checks, etc.).

    What is an industry-leading practice for application controls? It all starts with having a comprehensive, updated risk and controls matrix (RACM): key business processes are mapped; risks are identified; controls are then designed to address these risks; SAP functionality is then enabled to enforce the control.

    Caution: what's the rationale for each control (e.g., thresholds in three-way match, credit control area settings, etc.)? Does it match the business strategy and risk appetite?

    How often are your application controls tested?


  • INFRASTRUCTURE VULNERABILITIES

    Key risk: the greatest application-level security in the world can be largely undermined by vulnerabilities lower in the stack.

    What are areas of particular concern?

    Database security: particularly sa or sysadmin-type accounts.

    Interfaces: particularly the at-rest and in-motion components.

    OS: the usual concerns related to patches, anti-virus/anti-malware, etc.

    Recent trend of cyber-criminals moving upmarket to target enterprise software systems: http://www.infoworld.com/d/security/new-malware-variant-suggests-cybercriminals-targeting-sap-users-230014

    Network: particular attention to port management processes.


  • USER ACCESS REVIEWS

    1. Reviews do not have appropriate ownership assigned; access owners are ill-equipped to assess access due to the technical and granular nature of SAP security.

    2. Access to key functions is not identified, making it difficult for owners to assess the key access.

    3. Reviews do not go down to the authorization object level, only the t-code level. People may have access to key authorization objects like S_TABU_DIS or S_DEVELOP and not be identified during the review because they don't have one of the key t-codes under review.

    There are typically multiple t-codes that can use an authorization object, so review access to and protection of data, not functions, which may change and are numerous.
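    To make point 3 concrete, here is an added example (not from the presentation) that runs the same review two ways over a role extract: once by key t-code, once by authorization object. The rows are constructed in the shape of AGR_1251 (role, object, field, low, high) and AGR_USERS (user, role); role names and assignments are invented. It simplifies by matching field values per role rather than per authorization instance (the AUTH column of AGR_1251), so it can over-report and its hits should be confirmed in SUIM or PFCG.

```python
"""Access review at authorization-object level versus t-code level.

Added example. Rows are constructed in the shape of AGR_1251 (role, object,
field, low, high) and AGR_USERS (user, role) extracts; the role names and
assignments are invented. Simplification: field values are matched per role,
not per authorization instance (AGR_1251 AUTH column), so results can
over-report and must be confirmed in SUIM/PFCG.
"""

ROLE_AUTHS = [
    # role               object        field        low           high
    ("Z_FI_DISPLAY",    "S_TCODE",    "TCD",       "FBL3N",      ""),
    ("Z_FI_DISPLAY",    "S_TABU_DIS", "ACTVT",     "03",         ""),
    ("Z_FI_DISPLAY",    "S_TABU_DIS", "DICBERCLS", "FC*",        ""),
    ("Z_TABLE_MAINT",   "S_TCODE",    "TCD",       "SM30",       ""),
    ("Z_TABLE_MAINT",   "S_TABU_DIS", "ACTVT",     "02",         ""),
    ("Z_TABLE_MAINT",   "S_TABU_DIS", "DICBERCLS", "*",          ""),
    ("Z_CUSTOM_REPORT", "S_TCODE",    "TCD",       "ZFI_REPORT", ""),    # custom t-code
    ("Z_CUSTOM_REPORT", "S_TABU_DIS", "ACTVT",     "01",         "03"),  # range covers 02
    ("Z_CUSTOM_REPORT", "S_TABU_DIS", "DICBERCLS", "&NC&",       ""),
    ("Z_DEV_DEBUG",     "S_TCODE",    "TCD",       "SE80",       ""),
    ("Z_DEV_DEBUG",     "S_DEVELOP",  "ACTVT",     "02",         ""),
    ("Z_DEV_DEBUG",     "S_DEVELOP",  "OBJTYPE",   "DEBUG",      ""),
]
ASSIGNMENTS = [("jdoe", "Z_FI_DISPLAY"), ("asmith", "Z_TABLE_MAINT"),
               ("bwong", "Z_CUSTOM_REPORT"), ("cdev", "Z_DEV_DEBUG")]


def value_matches(low, high, target):
    """Match one AGR_1251 value against a target: range, trailing-* wildcard, or exact."""
    if high:
        return low <= target <= high
    if low.endswith("*"):
        return target.startswith(low[:-1])
    return low == target


def role_grants(role, obj, conditions):
    """True if the role holds `obj` with every field in `conditions` satisfied."""
    return all(
        any(value_matches(low, high, target)
            for r, o, f, low, high in ROLE_AUTHS
            if r == role and o == obj and f == field)
        for field, target in conditions.items())


def users_with(obj, conditions):
    """Users holding `obj` with the given field values through any assigned role."""
    return sorted({user for user, role in ASSIGNMENTS
                   if role_grants(role, obj, conditions)})


def users_with_tcode(tcodes):
    """What a t-code-level review sees: users holding any of the key t-codes."""
    return sorted({u for t in tcodes for u in users_with("S_TCODE", {"TCD": t})})


def review_gap(key_tcodes, obj, conditions):
    """Users a t-code-level review would miss but an object-level review catches."""
    return sorted(set(users_with(obj, conditions)) - set(users_with_tcode(key_tcodes)))


if __name__ == "__main__":
    table_change = {"ACTVT": "02"}
    print("t-code review (SM30/SE16):", users_with_tcode({"SM30", "SE16"}))
    print("S_TABU_DIS ACTVT 02 holders:", users_with("S_TABU_DIS", table_change))
    print("missed by t-code review:", review_gap({"SM30", "SE16"}, "S_TABU_DIS", table_change))
    print("can change values in the debugger:",
          users_with("S_DEVELOP", {"OBJTYPE": "DEBUG", "ACTVT": "02"}))
```

    The user behind the custom report role never holds SM30 or SE16, so a t-code-keyed review passes them, yet the role's activity range 01-03 includes 02 on every unclassified table.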


  • INTERFACES

    1. System IDs used for interfacing have SAP_ALL; these account types are being changed to dialog to circumvent security controls.

    2. Completeness and accuracy of data received.

    3. New interfaces potentially introduce systems that are material.

    4. Need to review system accounts and interfaces, which is not typically performed in a standard SOX ITGC audit.


  • DIRECT DATA UPDATE

    Access to authorization object S_TABU_DIS with activity 02 may be distributed to many personnel throughout an organization. This allows direct access to edit tables (assuming the user also has one of the many t-codes that can edit tables directly).

    It is difficult to determine all of the t-codes that may allow direct editing of tables; as functionality changes, new t-codes are released: SE16, SE16N, SE17, SM30, SM31, SPRO...

    SE16N edit mode was patched by SAP, though users can still enter edit mode if they have debug access. Debug in general shouldn't be in production, as it can circumvent authorization checks in code.


  • DIRECT DATA UPDATE (CONTINUED)

    Program execution transactions, like SA38 and SE38, can call the programs that other transactions execute. You can look up which program a transaction calls in table TSTC. This could allow unauthorized access to direct data update programs.

    Authorization groups on tables can help you restrict access, assuming all of the tables are registered in the TDDAT table. (Developers may not register custom tables.)

    All transactional and security-related tables should have a defined authorization group, not &NC&.
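    The two checks on this slide as an added example (not code from the presentation): first, which custom tables are missing from TDDAT or sit in &NC&; second, for each user holding SA38/SE38, which programs behind sensitive transactions they could start without holding the transaction itself. The TDDAT, TSTC and user grant extracts are constructed, and the program names are placeholders rather than real TSTC entries; the S_PROGRAM authorization group on the program, if maintained, would narrow the second list further, so treat it as a candidate list for the reviewer.

```python
"""Table authorization-group and program-execution checks for direct data update.

Added example. Inputs are constructed in the shape of TDDAT (TABNAME, CCLASS),
TSTC (TCODE, PGMNA) and a user->t-code grant list; program names are
placeholders, not real TSTC entries. Tables starting with Z or Y are treated
as customer tables.
"""

NO_GROUP = "&NC&"   # SAP's "not classified" authorization group

# Constructed TDDAT extract: table -> authorization group (CCLASS).
TDDAT = {
    "T001B": "FC01",          # posting periods, grouped (constructed group name)
    "ZFI_LIMITS": NO_GROUP,   # custom table left unclassified
    "ZSEC_APPROVERS": "ZSEC",
}
# Custom tables known from the RICEWF inventory (constructed). Unregistered
# tables never appear in TDDAT at all.
INVENTORY_TABLES = {"ZFI_LIMITS", "ZSEC_APPROVERS", "ZSD_PRICING"}

# Constructed TSTC extract: t-code -> program (placeholder names).
TSTC = {
    "SE16":    "PROG_SE16_PLACEHOLDER",
    "SM30":    "PROG_SM30_PLACEHOLDER",
    "ZFI_FIX": "ZFI_DIRECT_UPDATE",   # custom direct-update report
}
SENSITIVE_TCODES = {"SE16", "SM30", "ZFI_FIX"}
PROGRAM_EXEC_TCODES = {"SA38", "SE38"}
USER_TCODES = {   # constructed grants
    "asmith": {"SM30", "SA38"},
    "bwong":  {"SE38", "FBL3N"},
    "jdoe":   {"FBL3N"},
}


def is_custom(table):
    return table[:1] in ("Z", "Y")


def unclassified_tables(tddat, inventory):
    """Custom tables absent from TDDAT, and any table assigned &NC&."""
    missing = sorted(t for t in inventory if is_custom(t) and t not in tddat)
    nc = sorted(t for t, grp in tddat.items() if grp == NO_GROUP)
    return {"not_in_TDDAT": missing, "assigned_&NC&": nc}


def programs_reachable(user, user_tcodes, tstc, sensitive_tcodes):
    """Programs behind sensitive t-codes the user could run via SA38/SE38
    without holding the t-code. Program authorization groups (S_PROGRAM) may
    still block some of these, so this is a candidate list for review."""
    granted = user_tcodes.get(user, set())
    if not granted & PROGRAM_EXEC_TCODES:
        return []
    return sorted(tstc[t] for t in sensitive_tcodes
                  if t not in granted and t in tstc)


if __name__ == "__main__":
    print(unclassified_tables(TDDAT, INVENTORY_TABLES))
    for user in USER_TCODES:
        print(user, "can reach via SA38/SE38:",
              programs_reachable(user, USER_TCODES, TSTC, SENSITIVE_TCODES))
```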


  • DIRECT DATA UPDATE (CONTINUED)

    Some function modules do not perform authorization checks on S_TABU_DIS.

    Weak parameter transactions, especially custom-developed ones, could allow a user to directly update any table.

    If some users need direct-update access, restrict it to specific tables via S_TABU_NAM.

    The next walk-through will help demonstrate that transaction codes don't always give you the full picture, and the potential for security holes in parameter transactions.


  • DIRECT DATA UPDATE (CONTINUED)

    Parameter transactions: OB52 walkthrough, TSTCP table


  • DIRECT DATA UPDATE (CONTINUED)

    Parameter transactions: OB52 walkthrough; OB52 uses view V_T001B


  • DIRECT DATA UPDATE (CONTINUED)

    Parameter transactions: SE12 to identify the relevant tables for the view.


  • DIRECT DATA UPDATE (CONTINUED)

    Parameter transactions: SE12 to identify the views in which the table is used.


  • DIRECT DATA UPDATE (CONTINUED)

    Parameter transactions: SE16N to identify the parameter transaction.


  • DIRECT DATA UPDATE (CONTINUED)

    Parameter transactions: check for custom ones with SM30.


  • DIRECT DATA UPDATE (CONTINUED)

    Parameter transactions: poor development? Check. Is there a *?
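    The walkthrough above (TSTCP, then SE12 from view to table, then the "is there a *?" check) as an added Python example, not code from the presentation. It parses TSTCP PARAM strings, flags SM30-based parameter transactions that allow update with a wildcard or no view at all, and follows the view down to its tables to check their TDDAT group. The PARAM layout ("/*SM30 VIEWNAME=V_T001B;UPDATE=X;") is modelled on TSTCP as I understand it and should be confirmed against your own system; the custom t-codes, the TDDAT groups and the view-to-table mapping are constructed, apart from V_T001B resolving to T001B as in the slides.

```python
"""Parameter-transaction review: parse TSTCP PARAM strings and flag weak ones.

Added example. The PARAM layout ("/*SM30 VIEWNAME=V_T001B;UPDATE=X;") is
modelled on TSTCP as understood here; confirm it against TSTCP in your own
system. The custom t-codes, the TDDAT groups and the view-to-table mapping
(except V_T001B -> T001B) are constructed.
"""
import re

# "/" + optional skip-first-screen marker + base t-code + KEY=VALUE; pairs
PARAM_RE = re.compile(r"^/(?:\*|N)?(?P<base>[A-Z0-9_]+)\s*(?P<args>.*)$", re.I)

# Constructed TSTCP extract: t-code -> PARAM
TSTCP = {
    "OB52":       "/*SM30 VIEWNAME=V_T001B;UPDATE=X;",
    "ZFI_PERIOD": "/*SM30 VIEWNAME=V_T001B;UPDATE=X;",   # custom clone of OB52
    "ZTAB_EDIT":  "/*SM30 VIEWNAME=*;UPDATE=X;",         # wildcard: any view
    "ZTAB_OPEN":  "/*SM30 UPDATE=X;",                    # no view named at all
    "ZTAB_SHOW":  "/*SM30 VIEWNAME=V_ZSD_PRICING;",      # display only
}
VIEW_TABLES = {"V_T001B": ["T001B"], "V_ZSD_PRICING": ["ZSD_PRICING"]}  # SE12: view -> tables
TDDAT = {"T001B": "FC01", "ZSD_PRICING": "&NC&"}                          # constructed groups


def parse_param(param):
    """Split a TSTCP PARAM into (base t-code, {KEY: VALUE})."""
    m = PARAM_RE.match(param.strip())
    if not m:
        raise ValueError(f"unrecognised PARAM: {param!r}")
    args = {}
    for pair in m.group("args").split(";"):
        if "=" in pair:
            k, v = pair.split("=", 1)
            args[k.strip().upper()] = v.strip()
    return m.group("base").upper(), args


def assess(tcode, param):
    """Findings for one parameter transaction (empty list = nothing to report)."""
    base, args = parse_param(param)
    findings = []
    if base != "SM30":
        return findings                 # this example only reviews SM30-based ones
    view = args.get("VIEWNAME", "")
    update = args.get("UPDATE", "").upper() == "X"
    if update and not view:
        findings.append("UPDATE=X with no VIEWNAME: user chooses any view")
    elif update and "*" in view:
        findings.append(f"UPDATE=X with wildcard VIEWNAME {view}")
    for table in VIEW_TABLES.get(view, []):
        if TDDAT.get(table, "&NC&") == "&NC&":
            findings.append(f"underlying table {table} has no authorization group")
    return findings


def review_custom(tstcp):
    """Findings for customer-developed (Z*/Y*) parameter transactions only."""
    out = {}
    for tcode, param in tstcp.items():
        if tcode[:1] in ("Z", "Y"):
            found = assess(tcode, param)
            if found:
                out[tcode] = found
    return out


if __name__ == "__main__":
    for tcode, found in review_custom(TSTCP).items():
        for f in found:
            print(f"{tcode}: {f}")
```

    ZFI_PERIOD produces no finding even though it is a custom update transaction, because its view is pinned and the underlying table carries a real authorization group; that is the "good" shape the slide contrasts with the wildcard case.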


  • USER ADMIN CONTROLS

    Ineffective provisioning and de-provisioning controls. Dependent on your environment: single sign-on? Federated passwords?

    Approvers not knowledgeable; access not role-based.

    Relying on an automated AD/HR record to remove access: potential for technology issues, accounts renamed; technology changes could make the control ineffective.

    Status of users and the system of record: managers not communicating rehired contractors and temps; contractors not in the HR system; may not be connected to infrastructure.


  • USER ADMIN CONTROLS (CONTINUED)

    Contractors: are contractors set to expire? Conversion: users with more than one ID with different access.

    Transfers: transfers retaining access; access accumulating.

    Cloning: users cloned, giving excessive access; not role-based; inaccurate information (users not named correctly).

    Super users: access not approved, informally given out; super users leaving; accounts embedded in processing (SAP, DB, OS) are potential vulnerabilities.
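    An added example (not from the presentation) that turns the account-level points of the Interfaces and User Admin slides into one pass over a user extract: interface IDs carrying SAP_ALL or switched to dialog type, contractors without an expiry, dialog users with no HR record, expired accounts still present, and one person holding several IDs. Rows are constructed in the shape of USR02 (BNAME, USTYP, GLTGB) and UST04 (BNAME, PROFILE); the person and contractor attributes stand in for an HR-feed mapping and the RFC_/IF_ naming convention for interface IDs is an assumption. USTYP codes follow SAP's convention (A dialog, B system, C communication, S service).

```python
"""Account hygiene checks for interface (system) IDs and user administration.

Added example. Rows are constructed in the shape of USR02 (BNAME, USTYP,
GLTGB) and UST04 (BNAME, PROFILE); the "person" and "contractor" attributes
stand in for an HR-feed mapping and are an assumption, as is the RFC_/IF_
naming convention. USTYP: A = dialog, B = system, C = communication,
S = service.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

PERVASIVE = {"SAP_ALL", "SAP_NEW"}
INTERFACE_PREFIXES = ("RFC_", "IF_")   # assumed naming convention for interface IDs


@dataclass(frozen=True)
class Account:
    bname: str
    ustyp: str
    gltgb: Optional[date]      # valid-to; None = no expiry
    profiles: frozenset        # from UST04
    person: Optional[str]      # HR person ID (assumption); None if not in HR
    contractor: bool


# Constructed sample extract; none of these are real accounts.
ACCOUNTS = [
    Account("RFC_JDE", "B", None, frozenset({"SAP_ALL"}), None, False),       # interface ID with SAP_ALL
    Account("RFC_EDI", "A", None, frozenset({"Z_IF_EDI"}), None, False),      # interface ID now dialog
    Account("JDOE",    "A", None, frozenset({"Z_FI_DISPLAY"}), "P1001", False),
    Account("JDOE2",   "A", None, frozenset({"Z_FI_DISPLAY", "Z_AP_CLERK"}), "P1001", False),  # 2nd ID
    Account("CONTR01", "A", None, frozenset({"Z_SD_CLERK"}), "P2001", True),  # contractor, no expiry
    Account("CONTR02", "A", date(2015, 12, 31), frozenset({"Z_SD_CLERK"}), "P2002", True),
    Account("OLDCONT", "A", date(2015, 1, 31), frozenset({"Z_SD_CLERK"}), "P2003", True),  # expired
    Account("TEMP99",  "A", None, frozenset({"Z_SD_CLERK"}), None, False),    # not in HR system
]


def findings(accounts, today):
    """Return (account name(s), issue) pairs for every hygiene rule that fires."""
    out = []
    persons = defaultdict(list)
    for a in accounts:
        is_interface = a.bname.startswith(INTERFACE_PREFIXES)
        if a.profiles & PERVASIVE:
            out.append((a.bname, "holds SAP_ALL/SAP_NEW"))
        if is_interface and a.ustyp == "A":
            out.append((a.bname, "interface ID is dialog type (expected B or C)"))
        if a.contractor and a.gltgb is None:
            out.append((a.bname, "contractor without expiry date"))
        if a.gltgb is not None and a.gltgb < today:
            out.append((a.bname, "validity expired but account still present"))
        if a.ustyp == "A" and not is_interface and a.person is None:
            out.append((a.bname, "dialog user not in HR system of record"))
        if a.person:
            persons[a.person].append(a.bname)
    # Several IDs for one person: typical of conversions and cloning.
    for person, names in persons.items():
        if len(names) > 1:
            out.append((",".join(sorted(names)), f"multiple IDs for person {person}"))
    return out


if __name__ == "__main__":
    for name, issue in findings(ACCOUNTS, date(2015, 11, 4)):
        print(f"{name}: {issue}")
```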


  • QUESTIONS?


  • CONTACT INFO

    Please feel free to contact us with questions:

    Luke Leaon [email protected]

    Adam Harpool [email protected]
