The first “culprit” of this series, a unique lineup of SAP access risks, is Configurations, Parameters, and Patching. This culprit does its work through weaknesses in system security that many implementers, developers, and administrators simply overlook: settings left at insecure defaults and fixes left unapplied.
This culprit has been responsible for a wide array of control violations and audit findings. Most notable work includes:
- Cyber-Security Vulnerabilities
- Insecure Password and Logon Settings
- Lax System Configuration Settings
- Configurations Leading to Unintended Behaviors
SAP Cyber-Security Vulnerabilities
Cyber-security is compromised when attackers identify security weaknesses in an application and exploit them. Many of these weaknesses are well known in the attacker community, and failure to address them leaves your organization open to attack. The 10KBlaze exploits published in 2019 are an example: a set of Python scripts that target SAP Gateway and Message Server instances whose access control lists are missing or permissive (the gw/sec_info, gw/reg_info and ms/acl_info parameters and the files they point to). An attacker who can reach those ports registers an external RFC server or starts programs on the host, reads or changes data, and never passes through the SAP application logon, so traditional authorization controls neither stop nor record the activity.
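As an added example, not part of the original post and not a Fastpath tool, here is a small Python checker for the Gateway ACL files the 10KBlaze scripts abused. The key names and the P/D permit/deny syntax are the Gateway's own #VERSION=2 format; the file contents, host names and program names are constructed for the example. It puts a reginfo that lets any host register any program beside a hardened one, and flags the same weakness in a secinfo file.

```python
"""Added example, not part of the original post: parse SAP Gateway ACL files
(secinfo / reginfo, #VERSION=2 syntax) and flag permit rules wide enough to
leave the 10KBlaze registration path open. Key names (TP, HOST, USER,
USER-HOST, ACCESS, CANCEL) and the P/D actions are the Gateway's own; the
file contents and host/program names below are constructed."""

# Constructed reginfo that lets any host register any program name: the
# condition the 10KBlaze reginfo exploit relies on.
WEAK_REGINFO = """\
#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

# Constructed hardened counterpart: the system's own application servers may
# register freely, one named program may register from one named host, and an
# explicit final deny catches everything else. Host and program names are invented.
HARDENED_REGINFO = """\
#VERSION=2
P TP=* HOST=internal ACCESS=internal CANCEL=internal
P TP=TAX_RFC_SERVER HOST=taxsrv01.example.internal ACCESS=internal CANCEL=internal
D TP=* HOST=* ACCESS=* CANCEL=*
"""

# Constructed secinfo that lets any user on any host start any program.
WEAK_SECINFO = """\
#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
"""


def parse_acl(text: str) -> list:
    """Return the rules in file order as (action, {KEY: value}) tuples.
    Lines starting with '#' (including the #VERSION header) are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        keys = dict(pair.split("=", 1) for pair in pairs if "=" in pair)
        rules.append((action.upper(), keys))
    return rules


def _is_wildcard(value: str) -> bool:
    return value.strip() == "*"


def audit_acl(text: str, kind: str) -> list:
    """Findings for one ACL file; kind is 'reginfo' or 'secinfo'.
    The Gateway applies the first matching rule, so a wildcard permit near the
    top makes every later rule, including a final deny, unreachable."""
    rules = parse_acl(text)
    if not rules:
        return ["no rules: access depends entirely on gw/acl_mode and kernel defaults"]
    findings = []
    verb = "register" if kind == "reginfo" else "start"
    for idx, (action, keys) in enumerate(rules, start=1):
        if action != "P":
            continue
        # Assumption made by this check: an omitted key is treated as the wildcard.
        tp, host = keys.get("TP", "*"), keys.get("HOST", "*")
        if _is_wildcard(tp) and _is_wildcard(host):
            findings.append(f"rule {idx}: any host may {verb} any program")
            if idx < len(rules):
                findings.append(f"rule {idx}: later rules are never evaluated (first match wins)")
        if kind == "reginfo" and _is_wildcard(keys.get("ACCESS", "*")):
            findings.append(f"rule {idx}: any host may call the registered program(s)")
    last_action, last_keys = rules[-1]
    if last_action != "D" or not all(_is_wildcard(v) for v in last_keys.values()):
        findings.append("no explicit final deny-all rule (D TP=* HOST=* ...)")
    return findings


if __name__ == "__main__":
    for name, text, kind in [("weak reginfo", WEAK_REGINFO, "reginfo"),
                             ("hardened reginfo", HARDENED_REGINFO, "reginfo"),
                             ("weak secinfo", WEAK_SECINFO, "secinfo")]:
        print(name, audit_acl(text, kind) or "no findings")
```

With gw/acl_mode = 1 a missing file falls back to a local-only default; with gw/acl_mode = 0 a missing file is equivalent to the weak file above. Because the Gateway applies the first matching line, rule order matters as much as the presence of a final deny.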
Most people think of cyber-security and hacking as an individual behind a screen coding and scripting their way into forbidden areas of the virtual world, like the example above. We associate networks, firewalls, SQL injection, and similar components with security, but there is another aspect that is just as important: configurations and application patching.
SAP publishes security patches on the second Tuesday of every month, the SAP Security Patch Day, “focused solely on security to protect against potential weaknesses or attacks”. Each Patch Day release highlights a series of SAP Notes containing guidance, configurations and parameters, code vulnerabilities, missing authorization checks, and much more, each rated with a CVSS score and an SAP priority (Hot News, High, Medium, Low) that should drive the order in which they are addressed.
It is important to review each release promptly, identify the notes that apply to your systems, and perform an impact analysis. Some notes require kernel or support package updates that must flow through the organization’s change management program, which takes time. Keep in mind that the notes are public: attackers read them too, and a note describing a fix also describes the weakness in every system that has not yet applied it.
There are many other examples of cyber-threats not covered within this series. The SAP Secure Operations Map published by SAP is a good resource when evaluating the environment layer (network security, operating system and database security, client security) and the system layer (security hardening, secure SAP code and patching, security monitoring and forensics).
Password and Logon Configurations
One key configuration familiar to all of us is the password policy. We may not think of it as configuration, but as an annoying requirement when setting up an online account or opening an app on our phone. SAP and other enterprise applications are no different. Organizations should define password and logon requirements in a security policy and reflect them in the SAP system through the login/* profile parameters: minimum length (login/min_password_lng), required character classes (login/min_password_digits, login/min_password_letters, login/min_password_specials), expiry (login/password_expiration_time), the number of failed attempts before a lock (login/fails_to_user_lock), and whether the SAP* fallback logon is disabled (login/no_automatic_user_sapstar). SAP ships default values and documentation for each parameter, but several defaults (a minimum length of 6, passwords that never expire) are weaker than most policies require, so the defaults should never be mistaken for a secure baseline.
Review the values your instance is actually running with using the ABAP reports RSPARAM (every profile parameter with its user-defined and default value) or RSPFPAR; transaction RZ11 shows the documentation and current value of a single parameter. Compare the result against the written policy, not against the defaults. Below is an example of the configurations detailed in this report.
Figure 1 – Logon and Password Parameters
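Added example, not from the original post and not a Fastpath tool: a Python script that reads an RSPARAM export and evaluates it against a policy baseline, covering the login/* parameters above together with the Gateway and Message Server ACL parameters discussed under 10KBlaze. The parameter names are real SAP profile parameters; the export contents and the baseline thresholds are constructed assumptions for illustration, not a recommended configuration.

```python
"""Added example (not from the page): evaluate SAP profile parameters exported
from RSPARAM against a policy baseline. The parameter names are real SAP
profile parameters; the export contents and the baseline values are constructed
for illustration and are not a recommended configuration for any system."""
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed sample: RSPARAM output saved as a semicolon-separated file
# (parameter, user-defined value, system default). Values are invented.
SAMPLE_EXPORT = """\
Parameter;User-Defined Value;System Default Value
login/min_password_lng;;6
login/min_password_specials;;0
login/password_expiration_time;;0
login/fails_to_user_lock;12;5
login/no_automatic_user_sapstar;;1
login/disable_multi_gui_login;;0
gw/acl_mode;0;1
gw/sec_info;;$(DIR_DATA)$(DIR_SEP)secinfo
gw/reg_info;/usr/sap/XYZ/SYS/global/reginfo;$(DIR_DATA)$(DIR_SEP)reginfo
ms/acl_info;;
"""


@dataclass(frozen=True)
class Rule:
    param: str
    check: str            # "min", "max", "eq" or "set"
    expected: Optional[str]
    why: str


# Assumed policy baseline for illustration; align the values with your own policy.
BASELINE = [
    Rule("login/min_password_lng", "min", "8", "password length below policy"),
    Rule("login/min_password_specials", "min", "1", "no special character required"),
    Rule("login/password_expiration_time", "min", "1", "0 means passwords never expire"),
    Rule("login/password_expiration_time", "max", "90", "expiry interval longer than policy"),
    Rule("login/fails_to_user_lock", "max", "5", "too many failed logons before lock"),
    Rule("login/no_automatic_user_sapstar", "eq", "1", "SAP* fallback logon must stay disabled"),
    Rule("login/disable_multi_gui_login", "eq", "1", "concurrent GUI logons allowed"),
    Rule("gw/acl_mode", "eq", "1", "Gateway falls open when secinfo/reginfo are missing"),
    Rule("gw/sec_info", "set", None, "no Gateway secinfo ACL configured"),
    Rule("gw/reg_info", "set", None, "no Gateway reginfo ACL configured"),
    Rule("ms/acl_info", "set", None, "no Message Server ACL configured"),
]


@dataclass(frozen=True)
class Finding:
    param: str
    actual: Optional[str]
    rule: Rule


def parse_rsparam_export(text: str) -> dict:
    """Map each parameter to its effective value: the user-defined value if a
    profile sets one, otherwise the kernel default shown by RSPARAM."""
    effective = {}
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        user = row["User-Defined Value"].strip()
        effective[row["Parameter"].strip()] = user or row["System Default Value"].strip()
    return effective


def _to_int(value: Optional[str]) -> Optional[int]:
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def evaluate(effective: dict, rules=BASELINE) -> list:
    """Return one Finding per rule the system does not satisfy.
    A parameter absent from the export is reported, never silently passed."""
    findings = []
    for rule in rules:
        actual = effective.get(rule.param)
        if rule.check == "set":
            ok = bool(actual)
        elif rule.check == "eq":
            ok = actual == rule.expected
        else:  # numeric "min" / "max"; a non-numeric value fails rather than passes
            n, bound = _to_int(actual), int(rule.expected)
            ok = n is not None and (n >= bound if rule.check == "min" else n <= bound)
        if not ok:
            findings.append(Finding(rule.param, actual, rule))
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_rsparam_export(SAMPLE_EXPORT)):
        print(f"{f.param:35} actual={f.actual!r:40} {f.rule.why}")
```

The effective value is the user-defined one when a profile sets it and the kernel default otherwise, which is the distinction RSPARAM makes and the reason a blank user-defined column is not a pass. A parameter value only shows that an ACL file is named, not that the file exists or what it permits; the file contents need their own review.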
Lax System Configuration
Inadequate system configurations can lead to critical access violations originating both inside and outside the organization; the missing Gateway and Message Server ACLs behind the 10KBlaze exploits above are one example. Other system and client configurations are equally critical and are routinely reviewed as part of IT General Controls (ITGC) testing.
Client Administration (SCC4) is a critical transaction and a prime example of application configuration with substantial implications: it sets the client role (productive, test, customizing) and whether client-specific and cross-client objects may be changed in the client at all. Auditors will assess these configurations, often by pulling table T000 (the table behind SCC4) or a screenshot within SCC4, and determine whether changes were made during the audit period. If changes were made, thorough testing follows by inspecting tickets, identifying approvals, and a variety of other change management controls. Note that SCC4 itself shows only the user and date of the last change to each client; the full history is available only if table logging is active (profile parameter rec/client) and is reviewed through transaction SCU3. Restricting access to critical transactions such as SCC4 and reviewing their configurations with a defined cadence are key components of a controlled environment.
Figure 2 – Client Administration Example
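Added example, not from the original post and not a Fastpath tool: Python that decodes the change-control fields of T000 for the check auditors perform on SCC4 settings, and diffs two snapshots to find what changed during an audit period. The field names and code values are the standard T000 ones (CCCORACTIV, CCNOCLIIND and so on); the client rows, user names and dates are constructed, and the expected settings for a productive client are an assumed ITGC baseline.

```python
"""Added example, not from the original post: decode the change-control fields
of table T000 (what transaction SCC4 displays), flag productive clients that
are not locked down, and diff two snapshots to find changes during an audit
period. Field names and code values are the standard T000 ones; the client
rows, user names and dates are constructed."""
import csv
import io

# Code values of T000-CCCORACTIV (changes and transports for client-specific objects)
CORACTIV = {
    "": "automatic recording of changes",
    "1": "no transports allowed",
    "2": "changes without automatic recording",
    "3": "no changes allowed",
}
# Code values of T000-CCNOCLIIND (cross-client object changes)
NOCLIIND = {
    "": "changes to repository and cross-client customizing allowed",
    "1": "no changes to cross-client customizing objects",
    "2": "no changes to repository objects",
    "3": "no changes to repository and cross-client customizing objects",
}
AUDITED_FIELDS = ("CCCATEGORY", "CCCORACTIV", "CCNOCLIIND", "CCCOPYLOCK", "CCNOCASCAD")

# Constructed snapshots of T000 (semicolon-separated) taken at the start of the
# audit period and today. Client 200 was opened up in between.
T000_BEFORE = """\
MANDT;MTEXT;CCCATEGORY;CCCORACTIV;CCNOCLIIND;CCCOPYLOCK;CCNOCASCAD;CHANGEUSER;CHANGEDATE
100;Production;P;3;3;2;;BASISADM;20240115
200;Production (legacy);P;3;3;2;;BASISADM;20240110
300;Test;T;2;;0;X;BASISADM;20240110
"""
T000_NOW = """\
MANDT;MTEXT;CCCATEGORY;CCCORACTIV;CCNOCLIIND;CCCOPYLOCK;CCNOCASCAD;CHANGEUSER;CHANGEDATE
100;Production;P;3;3;2;;BASISADM;20240115
200;Production (legacy);P;2;;0;X;DEVELOPER1;20240302
300;Test;T;2;;0;X;BASISADM;20240110
"""


def parse_t000(text: str) -> dict:
    """Map client number (MANDT) to its row; blank code values become ''."""
    return {row["MANDT"]: {k: v.strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text), delimiter=";")}


def check_production_client(client: dict) -> list:
    """Hardening findings for a productive client (CCCATEGORY = 'P'); other
    client roles return []. The expected settings are an assumed ITGC baseline."""
    if client["CCCATEGORY"] != "P":
        return []
    findings = []
    if client["CCCORACTIV"] != "3":
        findings.append(f"client-specific objects: {CORACTIV.get(client['CCCORACTIV'], 'unknown code')}")
    if client["CCNOCLIIND"] != "3":
        findings.append(f"cross-client objects: {NOCLIIND.get(client['CCNOCLIIND'], 'unknown code')}")
    if client["CCCOPYLOCK"] in ("", "0"):   # protection level 0: a client copy may overwrite it
        findings.append("client copy/comparison protection level 0")
    if client["CCNOCASCAD"] == "X":
        findings.append("eCATT/CATT allowed to run in a productive client")
    return findings


def changes_since(before: dict, after: dict) -> dict:
    """Per client, the audited fields whose value differs between two snapshots,
    with the user and date of the last save (CHANGEUSER/CHANGEDATE) to match
    against a change ticket. Clients absent from the earlier snapshot count as new."""
    report = {}
    for mandt, now in after.items():
        old = before.get(mandt)
        fields = ({f: (old[f], now[f]) for f in AUDITED_FIELDS if old[f] != now[f]}
                  if old else {f: (None, now[f]) for f in AUDITED_FIELDS})
        if fields:
            report[mandt] = {"changed_by": now["CHANGEUSER"],
                             "changed_on": now["CHANGEDATE"], "fields": fields}
    return report


if __name__ == "__main__":
    now = parse_t000(T000_NOW)
    for mandt, client in now.items():
        for finding in check_production_client(client):
            print(f"client {mandt}: {finding}")
    for mandt, change in changes_since(parse_t000(T000_BEFORE), now).items():
        print(f"client {mandt} changed by {change['changed_by']} on {change['changed_on']}: {change['fields']}")
```

CHANGEUSER and CHANGEDATE identify only the last save, so a client opened and closed again between the two snapshots shows no difference here; that history exists only in the table change log (rec/client, viewed with SCU3).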
Configurations Leading to Unintended Behaviors
Business Partner (BP) is the central master-data object in S/4HANA: customers and vendors are maintained as BPs, and the BP grouping maps to the customer and vendor account groups through customer-vendor integration. Business configuration and security overlap here: field-status and screen configuration determine which data can be maintained at all, while the authorization objects for BP roles and authorization groups (B_BUPA_RLT, B_BUPA_GRP) sit alongside the finance and logistics objects for the linked customer or vendor master, and overriding configurations and customizations are common. It is therefore imperative to consider the configuration of BPs and account groups together with the security and authorization restrictions, and to keep them aligned so that business, security, and compliance objectives are all met.
Figure 3 – Business Partner Configuration
Figure 4 – Business Partner Overview
Catching the Culprit: Configurations, Parameters, and Patching
For all “culprits” in this series, there is no silver bullet or one-size-fits-all approach. There are considerations such as control framework(s), policies and procedures to establish the guardrails of a compliance program, the people/owners/approvers who are accountable, and the technology to improve the efficiency and effectiveness of overall operations. Below are some approaches to managing the risks associated with Configurations, Parameters, and Patching:
- Enact a patch management program with an appropriate cadence: review every Security Patch Day release, prioritize by SAP priority and CVSS score, and track applicable notes through change management
- Review key configurations against the written policy and enhance the control environment with monitoring capabilities (table logging, change documents, alerting on parameter and client-setting changes)
- Restrict and monitor access accordingly by leveraging a critical access and segregation of duties (SoD) ruleset that is reviewed periodically
- Ensure configuration, security, and business objectives are aligned
How Fastpath Can Help
One way to help catch this criminal is to implement detective and preventative control capabilities to manage access risk with Fastpath Assure. Fastpath offers a suite of security products designed specifically for SAP:
Access Risk Monitor – Expose Segregation of Duties (SoD) risk and identify users having access to critical data. SoD tools come with pre-defined rulesets built by Fastpath’s team of certified internal auditors.
Audit Trail – Track user activity, noting critical changes to data and configuration settings, when, and by whom, including before and after values. Audit Trail identifies potential mistakes and fraud by showing who made the changes, when the changes were made, and the before and after values of the data.
Identity Manager – Streamline the process for setting up users. Add mandatory approvals and audit trails to ensure compliance. Assign emergency/temporary access ("Firefighter Access") to change a person’s access privileges for specified periods of time (vacations, illness, etc.).
Security Designer – Security Designer for SAP lets you create new roles and then test them for Segregation of Duties conflicts. You can also identify where conflicts already exist in your current roles. Once a role has been optimized, it can be written directly to your SAP environment.
Risk Quantification – Quantify the financial exposure of Segregation of Duties conflicts in your ERP environment and assign a value to those risks. Delivering this critical information to auditors allows them to focus on the key areas with the greatest monetary impact on the organization.
Custom Code Checker – Interrogate the target SAP environment line by line to identify all objects that begin with Z* and Y*. The Custom Code Checker identifies whether these custom programs call any SAP standard objects to determine if there is indirect, unintended access being granted to users.
Download your free copy of Succeeding at Managing Enterprise Risk in Today’s Connected World. This eBook covers common areas of cross-platform risk in your SAP environment and how Fastpath can help your organization manage those risks.