Security Threats For SAP Standards

Critical Analysis of SAP System Security Parameters

Describe about the Security Threats for SAP Standards.

SAP stands for Systems, Applications and Products in a data processing system. SAP is basically used for handling accounts related activities and it is an ERP software solution. SAP system is commonly used in business organizations. SAP security system is considered a secure solution and security parameters of this system make it secure and powerful as compare to other ERP solutions.

Transaction Code of SAP and Its Purpose

Transaction code consists of numbers, letters and both and this code is entered into command field. Transaction code is used in SAP software to go to any task in SAP application quickly. Instead of using menu to start a task, by using transaction code, we can start function in single step. This is main advantage of SAP’s transaction code. Transaction code is also known T-Code.

Purpose of Transaction Code in R/3 Systems

When transaction code is used in SAP R/3 system by its users then it is actually a query that is performed in SQL from applications level to database level. This code transfers data from relational database to frond end system. The conversion of data is held from one consistent state to another state. Besides this, input data into transaction gets updated in database. Due to these reasons transaction code is used in R/3 Systems. There are many transaction codes available in SAP security system and these are used for different purposes. SM19 and SM20 are two important SAP transactions codes and following are its purposes and uses: (Saponlinetutorials.com, 2016)

Purpose and Usage of SM19:

In SAP security system, SM19 is used as Security Audit Configuration and its purpose to record information about security of system such as modifications of user master records and information about unsuccessful logon attempts. This tool of keeping log is basically made for auditors who want to take a detail look that what is happening in SAP system. With the help of SM19 transaction code, we can activate an audit log that can help to keep records of activities that are required for audit. The security audit configuration provides long-term data access. Following information is record into Security Audit Log:

• Information about logon attempts both successful and unsuccessful.
• Both successful and unsuccessful logon attempts those are related to RFC.
• RFC calls to function modules.
• Changes to master records of users.
• Log of both successful and unsuccessful transaction start.
• Modifications regarding audit configurations.

Purposes and Uses of SM20:

The purpose of SM20 Transaction code of SAP is to analysis of security audit log and it is available in R/3 Systems. Like other transaction codes of SAP, this code is used through command line. SM20 is used to see Audit log and by activating this audit log, those activities can be considered those are relevant for auditing. The recorded information of audit log report can be accessed for further evaluation. Audit log can be scanned for period of time, transaction of user and report and for some other purposes. These purposes of SM19 and SM20 transactions codes are to under-take a security audit of SAP R/3 system. (Saphub.com, 2016)

Transaction Code of SAP and Its Purpose

User master record in SAP plays an important role in a way that it helps to assign the essential authorizations to users so that they can execute various transactions into SAP systems. User Master Record is basically used for administrative and authorization management. As we know that a SAP user contains user id with transaction authorization and all details of users can be monitored by SAP administrators. Most important information about users’ records such as login session, user rights, passwords and profile etc. are contained into User Master Record in SAP. If we talk about that how user master record plays an important role in ensuring assignment of appropriate rights, activity groups and authorizations of individual users, then we can say that without User Master Record, user unable to log onto SAP system. It means an authorized user must have a record in User Master Record.  Besides this, it also allows access to functions and objects in it with some restrictions of authorized users. This feature of User Master Record reduces the risk of hacking of data. Information about corresponding user is also stored into user master record for authorization purpose. Any changes those are done in master records will be effected when user will login next time in system. These changes will not take place in current logged section. In this way, User Master Record is considered helpful for maintaining security and privacy of users’ rights, records and their authorization. (Tcodesearch.com, 2016)

Basically the authorization process of SAP protects transactions, programs and services of SAP systems from attackers or unauthorized users. To access any information, objects and to execute SAP transactions, corresponding authorization is required and this is managed by User Master Record of SAP system.  This authorization of users is done under authorized process of SAP system. The authorization system of SAP allows flexibility for organizing and authorizing the maintenance of master records and roles. The distribution and maintenance of user master records and authorization among multiple administrators is limited with areas of responsibilities. This is done to achieve maximum system security. In this way, authorization process of SAP is implemented through User Master Record. Due to these reasons, user master record is considered to be important for maintaining security and privacy of SAP users. Other essential thing about user master data is its assignment of one or more roles to the user. This master record in SAP maintains authorization of users for long time. This feature of security makes SAP a more secure system for handling finance and accounts activities in a business organization. (Scribd, 2016)

Purpose of Transaction Code in R/3 Systems

As we know that SAP user account is not possible to delete, but its security and privacy is necessary to maintain. Therefore, there are some controls that use to secure SAP user accounts.

Alignment of SAP Configuration Settings and Organizational Policies

When SAP is used by employees of an organization, then it is responsibility of organization that security policy should specify mandatory requirement of software such as minimum length of password, strength of password and change of password after a particular time period. It is responsibility of security administrator to check that all applicants must follow these rules. All security parameters must be followed by users. Password protection will help to get prevention from misuse of SAP user account that cannot be delete. The commonly used security parameters are login/passwords_expriation_time(), login_min_password_lng() and others. (STechies, 2016)

Access to Sensitive Functions

Other way to protect SAP account from misuse is the way to access sensitive functions. Sensitive functions of SAP are basically used to access sensitive information from individuals’ account. The main activities those are performed by sensitive SAP functions are access to creation and maintenance of users’ roles and accounts, access to run commands of operating system and access to change and create programs and debugging of programs is also done by sensitive functions of SAP. These functions must be used properly by users and system administrators.

Therefore, by implementing these security controls, it will become easy to prevent user account from its misusage. Both above discussed controls are concerned with secure access of sensitive information and usage of SAP configuration with proper alignment of policies. In this way, if user cannot delete SAP account then still they can make security of SAP system easily from unauthorized attacks. (ComputerWeekly, 2016)

This segment of report is related to ethical behavior for an information security professional. Ethics of business are necessary to follow by every business organization where information security systems are used. Here we have case studies to discuss about ethical behavioral for an information security professional. After discussing about case study of Company X and Company Y and according to this both companies can use records of each other clients. Here Faisal is programmer of Company Z and task of developing a software is assigned to him and he handles access and retrieval of records from database system of every company. Faisal takes normal test on software developed and he got a serious security hole in database system of company Y and due to this hole, it is easy for hackers to get confidential information from database. If this hole will not be removed then it can put bad impact over Company X’s database system. Faisal reported to manager of company about this but he said “it is not our problem, our system should work properly”.  This is a wrong answer that is provided by manager. If we talk about key ethical concerns that raised in this case study then major concern is that manager is being selfish regarding security of his company’s system and he is not careful about database security of other company. This is against law of business. According to ACS code, a business organization does not have right to harm other company for its benefits as manager of Company Y is doing to Company X.

Purposes and Uses of SM19:

The main values of ACS i.e. Australian Code of Ethics are listed as below:

• The primacy of public interests
• Increment in Quality of Life
• Honesty
• Competence
• Professional Development
• Professionalism (Barton, 1992)

In above listed values of Australian Code of Ethics, Competence and Professional Development are specific values for practice of professional practice that will help to deal with key ethical concerns raised by Faisal in distributed management system of records. Here competence of ACS is related to that a organization will work completely and diligently for its stakeholders or investors. On other side, professional development is related to that an organization will enhance integrity of the ACS and all members of company are respected equally. Besides this, honesty can also be considered a main value for professional practice for Company X and Company Y and according to this, Company Y must be cleared about skills, knowledge, products and services and any kind of issue among one of these factors should be clearly defined to other members. Therefore, on the behalf of these values of ACS, Company Y must focus on security hole that is found by Faisal who is software developer and must discuss this problem with Company X. Nothing should be hidden between both companies. Only then a better business can be run between both companies, otherwise heavy loss can occur. Every business organization must follow this ACS code. In given case of security hole, now Company Y should allow Faisal to implement its solution that can protect databases of both companies from various vulnerabilities that can occur due to this security issue. If both companies are connected with each other and can share their client’s information then maintenance of security is also responsibility of both companies.

As per the given case study, Carol has done embezzlement in branch’s reserves amount $5000 and also her fake signatures are found on cheques. She has done this for medical treatment of her child and she was inevitably found then she returned the money but her membership in ACS is terminated. In next segment we will discuss that, how other members of ACS would treat her, who are still in team at her job. (Help.sap.com, 2016)

Ethical Concerns raised by Carol’s Action

Everything that is done by Carol was not right ethics of business, whether she did it for medical treatment of her child or for anything else. But this action of Carol for embezzlement is against values of code ethics such as honesty and professionalism. Therefore, it is possible that her other team members may not behave well with her due to this fraud. Those people may not trust further on Carol for official works. This is actually related to reputation of Carol and this action of embezzlement puts bad influence of her reputation. All team members who are working under guidance of Carol will also influence fr5om this act and may not consider her as their guide. These kind of ethical concerns may cause problem for Carol in future regarding her job.

Purposes and Uses of SM20:

As per given scenario of Carol, we can say that the specific values of ACS code of professional practice that can help to deal with key ethical concerns are Honesty and Professionalism. By doing fraud in business, Carol has tried to make fool ACS and lost their trust. The reason that is provided for this embezzlement may not be considered right because Carol can ask for financial help to her company for medical treatment of her child. But she did not do this and violate code of business ethics. Here the value of honesty is that Carol must be honest for her work and duty towards her company and ACS. She has not followed this. On other side, in case of professionalism, Carol must enhance the integrity of ACS and respect of its members. Therefore, we can say that Carol has done ethically wrong to Australian code of ethics for business. So for future, it is responsibility of Carol to remain honest and should work with professionalism. Any kind of fraud may cause problem for her career opportunities. (Help.sap.com, 2016)

This is another important segment of this report and here we will discuss about an essential topic of Advanced Persistent Attack.

It is a popular network attack and in this attack an unauthorized persons try to gain access over network to get confidential information of users. These attackers remain undetected for long period of time. The purpose of this attack is to steal data rather than to cause damage to network.

Advanced Persistence Attack is implemented by attackers in form of following steps:

Reconnaissance

This is first step of Advanced Persistence attack and in this step, attackers try to leverage a variety of factors for understanding their target. Here hackers try to use information stored from websites of company. Besides this, social media websites are also used to collect information about individuals.

Incursion

After collecting information about an individual, hackers deliver targeted malware to vulnerable systems and people. (Bruce, R, 2016)

Discovery

In this step of Advanced Persistence Attack, hackers map defense of organization from inside, create plan for battle and multiple attack channels are deployed.

Capture

In this step of attack, unprotected systems are accessed by hackers and data is captured over an extended period of time. Here malware is also installed for stealing data and for disrupting operations.

Exfiltration

At this stage of attack, collected information is sent back to team of attackers for analysis and this information can be used further for exploitation and fraud.

By following these steps, Advanced Persistence Attack is implemented.

To implement any attack, hackers need to use some resources. In this persistence attack, hackers need access of network, vulnerable programming scripts that can spread virus into system and other security violation tools. There are some essential activities that are performed by hackers while implementing this attack and from those activities we can know that Advanced Persistence Attack is implemented. Those activities are listed as below:

• Increment in Elevated log-ons late at night
• Searching for Widespread Trojan Virus by Hackers
• Unexpected flow of Information

If these things are happening into your system then we can say that it is Advanced Persistence Attack.

As we have discussed above that how this persistence attack is conducted by hackers and if an organization is suffering with this attack then it will have following consequences:

• Through this attack hackers can access information from system without any damage to network.
• Malware attack is implemented here which is difficult to detect for long period.
• Before implementation of this attack, hackers try to collect information about targeted individual and then that information is used for attack on his/her system.

These are some consequences of Advanced Persistence Attack and not only information but heavy loss of system cost and resources is also faced by business organizations. Therefore, it is necessary for developers to find out advanced solutions to get rid of this problem. (Itbusinessedge.com, 2016)

References

Saponlinetutorials.com. (2016). Definition of SAP ERP Systems. [online] Available at: https://www.saponlinetutorials.com/what-is-sap-erp-system-definition/ [Accessed 6 Sep. 2016].

Tcodesearch.com. (2016). SAP sm19 tcodes (Transaction Codes). [online] Available at: https://www.tcodesearch.com/tcodes/search?q=sm19 [Accessed 6 Sep. 2016].

Saphub.com. (2016). What is SAP transaction code? - SAPHub. [online] Available at: https://www.saphub.com/abap-tutorial/what-is-sap-transaction-code/ [Accessed 6 Sep. 2016].

Help.sap.com. (2016). The Security Audit Log - Auditing and Logging - SAP Library. [online] Available at: https://help.sap.com/saphelp_nw70ehp2/helpdata/en/c7/69bcb7f36611d3a6510000e835363f/content.htm [Accessed 6 Sep. 2016].

STechies. (2016). Transaction code SM 20.. [online] Available at: https://www.stechies.com/transaction-code-sm-20/ [Accessed 6 Sep. 2016].

Scribd. (2016). SAP Authorization Concept. [online] Available at: https://www.scribd.com/document/27882203/SAP-Authorization-Concept [Accessed 6 Sep. 2016].

Help.sap.com. (2016). AS ABAP Authorization Concept - User and Role Administration of AS ABAP - SAP Library. [online] Available at: https://help.sap.com/erp_fao_addon10/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm [Accessed 6 Sep. 2016].

ComputerWeekly. (2016). SAP security tutorial: Top 10 SAP security implementation steps. [online] Available at: https://www.computerweekly.com/tip/SAP-security-tutorial-Top-10-SAP-security-implementation-steps [Accessed 6 Sep. 2016].

Code of ethics. (1992). Barton, A.C.T.: The Institution.

Bruce, R. (2016). 5 Stages of an Advanced Persistent Threat Attack on Your Network. [online] Whymeridian.com. Available at: https://www.whymeridian.com/blog/bid/399610/5-Stages-of-an-Advanced-Persistent-Threat-Attack-on-Your-Network [Accessed 6 Sep. 2016].

Itbusinessedge.com. (2016). The Impact of Advanced Persistent Threats to Enterprises. [online] Available at: https://www.itbusinessedge.com/slideshows/the-impact-of-advanced-persistent-threats-to-enterprises-07.html [Accessed 6 Sep. 2016].