How would you protect XXX Insurance Group?

1.0 Here is a live example: the company is XXX Insurance Group, referred to in the rest of this blog as XXX Group.

The main issues (the main security and critical business risks) are:

  • No security baselines.
  • No security awareness among end users (end users are being forced within the current structure to comply with security, which has the opposite effect since awareness is not acknowledged by these users).
  • There are no standard security criteria defined within XXX Group.
  • High and very critical business risk related to external audit (a sudden audit will reveal all the security and business risks, with all consequences for the business).
  • None of the security compliance directives are implemented within XXX Group (see section 9.1 Regulatory Compliance). The missing GDPR compliance is a major risk for XXX since data is regularly transported from and between locations (national and international).

The big question is how to establish a stable, secure environment within XXX Group to secure the current business processes and operations.

The proposed solution:

1.1       Introduction

1.2       Portrait of the XXX Group

XXX is one of the major insurance groups in Germany, with more than 17 billion euro in premium income. The major shareholder is Munich Reinsurance Company. 20 million customers in Germany trust the companies in the group.

Outside Germany, XXX is active in more than 30 countries, with a focus on retail business. Its main activities abroad are in Europe and Asia. In Europe, XXX is the market leader in health and legal expenses insurance; in its home market of Germany, XXX is a leading insurer across all insurance segments.

ITXXX is the central IT service provider of the XXX Group. ITXXX develops and implements IT strategies and service concepts at home and abroad, ensuring that XXX is constantly working with the latest state of information technology. In Germany, ITXXX has offices located in Düsseldorf, Hamburg, Cologne and Munich.

Founded at the turn of the century, ITXXX is now one of the largest IT service providers based in Germany. The focus of our activities is on XXX and its companies in Germany and abroad.

ITXXX develops and implements IT strategies and service concepts for software, hardware and network architectures. For over 40,000 users in more than 30 countries, ITXXX provides innovative application systems based on Web technology, client-server platforms, SAP-ALICE and modern large-scale computer technology.

ITXXX employs around 1,400 people at four locations in Düsseldorf, Cologne, Hamburg and Munich. ITXXX’s goal is to further develop a uniform, group-wide system landscape, focusing on the latest technologies and above all the creative potential of our employees.

With more than 150,000 person-days a year, ITXXX makes a valuable contribution to the value enhancement of the XXX Group and has thus become one of the leading IT service providers in the insurance industry. ITXXX’s services are recognized as a benchmark in the industry.

  • High-performance computing center with a capacity of about 25,000 MIPS, over 1,000 TB disk space, and 4,000 servers.
  • 15 million online transactions per day.
  • Print volume of 240 million print pages per year.
  • Approx. 45 million postal items / letters per year.
  • Support for more than 28,000 workplaces and more than 10,000 printers for internal and external service in Germany.
  • 20,000 network ports for voice and data with a gigabit backbone.
  • 20,000 stationary and 1,200 mobile phones.
  • 56,000 programs, about 61 million lines of code.
  • 400 medium and large projects per year, 150,000 person-days project performance per year.

The ITXXX is divided into six divisions:

  • IT Architecture, Strategy and Security
  • Application management global
  • Infrastructure and Operations
  • IT Demand
  • Project Management Global
  • IT Leben Klassik

Most common Security Risks:

  • Vulnerabilities
  • Denial of Service
  • Brute force attacks
  • Authentication token attack
  • Suspicious logons
  • Critical authorization assignments
  • User manipulations/morphing
  • Critical changes to users
  • Unusual communication & downloads
  • Security configuration changes
  • Cross-landscape communication
  • Access to critical resources
  • Data manipulation
  • Debugging in productive systems

Open questions:

  • Attack Detection Patterns of SAP Enterprise Threat Detection
  • SAP Threat Detection versus SAP Fraud Management
  • SAP Threat Detection and SIEM. What is the difference?
  • SAP Threat Detection (ETD) and Read Access Logging (RAL). What is the difference?

How to:

  • Integration options with SAP Enterprise Threat Detection
  • Explaining the changing cyber-attackers and cyber-attack patterns
  • Targeting core business systems and critical industries
  • Cyber-risks becoming business risks
    • Requiring risk mitigation processes that are connected to Enterprise Risk Management and Enterprise GRC
  • Overview of a comprehensive cyber-risk incident management and response process
  • The role Real Time Security Intelligence (RTSI) plays in mitigating cyber-risks
  • SAP Enterprise Threat Detection (ETD) as a RTSI solution for SAP environments and beyond

2.0       Clearing the confusion

Figure 1

3.0       What needs to be secured?

  • Application – appropriate security controls need to be enforced in SAP
  • Infrastructure – the supporting infrastructure needs to be secured as well
  • Network – routers, switches, firewalls
  • Server – application server and database server
    • Operating system
    • Database
  • PC/Laptops/Thin Clients – presentation layer of the SAP system

4.0       Security controls in SAP

4.1       Business Process Controls

  • Refers to automated (and IT-dependent) controls available in SAP for various business processes such as purchasing, sales, financial reporting, inventory, HR, etc.
  • Broadly classified under the following three categories:
    • Inherent controls – enforced by default in SAP
      • A sales order cannot be created with an invalid customer
    • Configurable controls
      • Switches that can be turned on or off based on the business requirements
      • Configured through the Implementation Guide (IMG)
      • Tolerance limits for three-way match, PO approval hierarchy
    • Procedural controls
      • IT-dependent controls

4.2       Authorization Controls

  • Allow users in SAP to perform their work while securing transactions from unauthorized access.
    • It is a complex and scalable concept
      • Determines WHAT activity can be performed by a user as well as WHERE it can be performed.
      • Enforced through a pseudo object-oriented concept using authorization objects.
      • Authorizations are assigned to Roles, which are then assigned to Users.

4.3       Basic Controls

  • SAP checks the user master record for the required authorizations
  • SAP provides information on which authorizations are required for each transaction code
  • Policies and procedures
  • Technical settings in SAP
  • IT procedures related to SAP administration and maintenance

4.4       Segregation of Duties (SOD)

  • Ensures that no single individual has complete control over a major phase of a process.
  • Key component of any effective internal control environment.
  • Typically enforced through a combination of access control and mitigating controls.
  • An SoD framework has been defined
  • Users do not have SoD conflicts
  • Roles do not have SoD conflicts
  • If SoD conflicts exist for users, there are appropriate mitigating controls
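As an added example (not from the original post), a small Python SoD check covering the four points above: a rule set over business functions, role-level conflicts, user-level conflicts across combined roles, and documented mitigating controls. Role names, transaction codes, users and mitigations are constructed sample data, not XXX Group's.

```python
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str]

# Constructed sample data (illustrative names, not from the page): business
# functions and the SAP transaction codes that realise them.
FUNCTIONS: Dict[str, Set[str]] = {
    "vendor_master":  {"FK01", "FK02"},   # create / change vendor master data
    "vendor_invoice": {"FB60"},           # post vendor invoice
    "vendor_payment": {"F110"},           # run the payment program
}
# SoD rule set: function pairs no single user (or role) may hold together.
SOD_RULES: List[Rule] = [
    ("vendor_master", "vendor_payment"),
    ("vendor_invoice", "vendor_payment"),
]
# Roles and the transaction codes they grant.
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_AP_INVOICE":   {"FB60"},
    "Z_AP_PAYMENT":   {"F110"},
    "Z_AP_DISPLAY":   {"FK03", "FBL1N"},
    "Z_AP_ALL":       {"FK01", "FB60", "F110"},  # conflict built into one role
}
USER_ROLES: Dict[str, Set[str]] = {
    "ANNA": {"Z_VENDOR_MAINT", "Z_AP_PAYMENT"},  # conflict, no mitigation
    "BEN":  {"Z_AP_INVOICE", "Z_AP_PAYMENT"},    # conflict, mitigated below
    "CARA": {"Z_AP_DISPLAY", "Z_AP_PAYMENT"},    # no conflict
}
# Documented and tested mitigating controls, keyed by (user, rule).
MITIGATIONS: Set[Tuple[str, Rule]] = {("BEN", ("vendor_invoice", "vendor_payment"))}


def conflicts_in(tcodes: Set[str]) -> List[Rule]:
    """SoD rules violated by one set of transaction codes."""
    held = {fn for fn, codes in FUNCTIONS.items() if codes & tcodes}
    return [r for r in SOD_RULES if r[0] in held and r[1] in held]


def role_conflicts(role: str) -> List[Rule]:
    """Conflicts inside a single role: these must be fixed in the role design."""
    return conflicts_in(ROLE_TCODES[role])


def user_conflicts(user: str) -> List[Rule]:
    """Conflicts across all roles of a user; clean roles can still combine badly."""
    return conflicts_in(set().union(*(ROLE_TCODES[r] for r in USER_ROLES[user])))


def unmitigated_conflicts() -> Dict[str, List[Rule]]:
    """Users whose SoD conflicts have no documented mitigating control."""
    report: Dict[str, List[Rule]] = {}
    for user in USER_ROLES:
        open_rules = [r for r in user_conflicts(user) if (user, r) not in MITIGATIONS]
        if open_rules:
            report[user] = open_rules
    return report
```

In a real landscape the role and user tables come from the SAP system (e.g. a role-to-transaction export) and the rule set from the audit team; the logic stays the same.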

4.5       Mitigation Controls

  • It is important to check whether the mitigation controls work
    • Mitigation controls should be documented and tested regularly!

4.6       Technical controls

  • Password controls
  • User administration
  • Privileged users
  • Auditing
  • Change controls
  • Batch job management
  • Direct access to data through tables

4.7       Security Controls

  • It is equally important to enforce security controls in the underlying infrastructure components
    • SAP interacts with the underlying infrastructure components in unique ways
    • Therefore, it is important to consider controls related to these interactions at the infrastructure level

4.8       SAP network security

  • Can users connect directly to the database through the backend?
  • Is the data transmission over the network secure?
  • What network communication is allowed between user machines and the application server(s)?
  • Apart from the usual network security controls, consider SAP-specific controls such as SAProuter and SNC
  • SNC (Secure Network Communications) is used to secure SAP network connections
  • It provides reliable authentication as well as encryption of the data to be transferred
  • SAProuter allows SNC connections to be set up

4.9       SAPRouter

  • SAProuter is an SAP program that serves as an intermediate station (proxy) in a connection between SAP systems or programs
  • It controls access to your network (application-level gateway)
  • It is a useful extension to an existing firewall

4.10     SAP server(s)

  • Both application and Database servers need to be hardened
    • Consider SAP specific hardening requirements such as transport tools security, profile parameter file security and security audit logs security

4.11     SAP changes are controlled by OS

  • The Change and Transport System (CTS) is a set of tools to organize development projects in the ABAP Workbench and in Customizing, and then transport the changes between SAP systems and clients
  • It broadly consists of the Change and Transport Organizer (CTO), the Transport Management System (TMS) and some operating-system-level transport tools

4.12     CTS depends on OS files

  • There are two global configuration files, TP_DOMAIN_<SID>.PFL and TPPARAM, that must include entries for each SAP system taking part in transports
  • tp uses these files for making transports
  • They are stored in the transport directory, /usr/sap/trans or <DRIVE>/usr/sap/trans
  • Access rights should be configured so that all SAP systems within the transport group can access these files
  • Imports can be performed with the tp program at the OS level by logging in to the target system as user <SID>adm, changing to the /usr/sap/trans/bin directory and calling the program

Figure 2 SAP Change and Transport System
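As an added example (not from the original post), a Python check of the file permissions on the two CTS configuration files named above. It assumes the files sit in the bin subdirectory of the transport directory and that the sapsys group is shared by the <SID>adm users of the transport group; it runs against a constructed temporary directory, not a real /usr/sap/trans.

```python
import os
import shutil
import stat
import tempfile
from typing import List

# Global CTS configuration files that tp reads; assumed to live in <transdir>/bin.
CTS_FILES = ("TP_DOMAIN_{sid}.PFL", "TPPARAM")


def check_transport_config(transdir: str, domain_sid: str) -> List[str]:
    """Return findings for the CTS configuration files of a transport directory.

    Expected state (assumption of this example): both files exist, are readable
    by the owning group (shared by all systems in the transport group) and are
    not world-writable, since tp trusts their content to decide which systems
    take part in transports.
    """
    findings = []
    for name in CTS_FILES:
        fname = name.format(sid=domain_sid)
        path = os.path.join(transdir, "bin", fname)
        if not os.path.isfile(path):
            findings.append(f"{fname}: missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & stat.S_IWOTH:
            findings.append(f"{fname}: world-writable (mode {mode:04o})")
        if not mode & stat.S_IRGRP:
            findings.append(f"{fname}: not group-readable (mode {mode:04o})")
    return findings


def demo() -> List[str]:
    """Constructed transport directory: one hardened file and one weak file."""
    transdir = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(transdir, "bin"))
        good = os.path.join(transdir, "bin", "TP_DOMAIN_DEV.PFL")
        weak = os.path.join(transdir, "bin", "TPPARAM")
        for path in (good, weak):
            with open(path, "w") as fh:
                fh.write("# constructed sample; content is not parsed here\n")
        os.chmod(good, 0o640)   # owner rw, group r: acceptable
        os.chmod(weak, 0o666)   # world-writable: reported as a finding
        return check_transport_config(transdir, "DEV")
    finally:
        shutil.rmtree(transdir)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real system run check_transport_config("/usr/sap/trans", "<SID>") as a read-only user and treat every finding as an item for the hardening backlog.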

5.0       SAP security framework

Figure 3

  • An SAP audit covers both technical and functional areas
  • It requires integration between IT and internal / operational auditors
  • Within the IT audit team, coordination between infrastructure and SAP auditors is important to ensure that important infrastructure controls are covered
  • Excellent opportunity to understand the business and align IT audit with business risks!

5.1       Basic SAP roll-out requirements:

  1. Basic out of the box SAP modules (BP, ICM, FS-CD, OM)
  2. Customization
  3. Prepare data migration

6.0       For the XXX program

The following requirements should be taken care of:

6.1       Out of the box SAP modules (BP, ICM, FS-CD, OM)

6.2       Customization SAP in cooperation with supplier and ITXXX

6.2.1    To secure SAP, it is not sufficient to enforce controls inside SAP only

7.0       Implementing basic security guidelines

7.0.1    Identity Management

7.0.1.1 Local Identity Management

7.0.1.2 Integrated Identity Management

7.0.1.3 Identity Management Interfaces

7.0.2    Authorization Concepts and Management

7.0.2.1 Protecting Business Processes

7.0.2.2 Protecting Data

7.0.2.3 Protecting Applications

7.0.2.4 Authorization Management

7.0.3    Authentication and Single Sign-On

7.0.3.1 SAP GUI

7.0.3.2 Web Browsers

7.0.3.3 Web Services

7.0.3.4 Communication between Systems

7.0.3.5 Developing Authentication Enhancements

7.0.3.6 SSO with Non-SAP Systems and Applications

7.0.3.7 Supported standards

7.0.4    Network and Communications Security

7.0.4.1 Network Architecture Blueprint

7.0.4.2 Firewalls and Proxies

7.0.4.3 Secure Communication

7.0.4.4 Secure Database Connection

7.0.4.5 Intrusion Detection

7.0.5    Operating System and Database Security

7.0.5.1 Operating System

7.0.5.2 Database

7.0.5.3 Virus Detection

7.0.5.4 Intrusion Detection (host based)

7.0.6    Front End Security

7.0.6.1 Input validation

7.0.6.2 Output validation

7.0.6.3 Secure Session Handling

7.0.6.4 Secure Data Replication

7.0.6.5 Content Security

7.0.6.6 Digital Rights Management

7.0.6.7 Document Encryption

7.0.6.8 Document Signatures

7.0.6.9 Secure Storage

7.0.6.10 Virus Detection

8.0       Security Targets

8.0.1    Authenticity

8.0.2    Integrity

8.0.3    Privacy

8.0.4    Traceability

8.0.5    Availability

Figure 4 Security Solution Map

9.0       Secure Collaboration

9.0.1    SSL / TLS

9.0.2    GSS-APIv2

9.0.3    SAML 1.0 / 1.1

9.0.4    SAML 2.0

9.0.5    JAAS

9.0.6    Kerberos

9.0.7    X.509 Digital Certificates

9.0.8    WS-Security

9.0.9    WS-Security Policy

9.0.10  WS-Trust

9.0.11  WS-Security SAML token profile

9.0.12  S/MIME

9.0.13  PKCS#7

9.0.14  XML Encryption

9.0.15  XML Signature

9.0.16  LDAP

9.0.17  SPML

9.0.18  XACML

9.1       Regulatory Compliance

9.1.1    Auditability regulations

9.1.2    Data protection / privacy and identity theft regulations

9.1.3    Sarbanes-Oxley Act

The legislation came into force in 2002 and introduced major changes to the regulation of financial practice and corporate governance. Named after Senator Paul Sarbanes and Representative Michael Oxley, who were its main architects, it also set a number of deadlines for compliance.

The Sarbanes-Oxley Act is arranged into eleven titles. As far as compliance is concerned, the most important sections within these are often considered to be 302, 401, 404, 409, 802 and 906.

An over-arching public company accounting board was also established by the act, which was introduced amidst a host of publicity.

Compliance with the Sarbanes-Oxley legislation need not be a daunting task. Like every other regulatory requirement, it should be addressed methodically, via proper analysis and study.

Also, like other regulatory requirements, some sections of the act are more pertinent to compliance than others. To assist those seeking to meet the demands of this act, the following pages cover the key Sarbanes-Oxley sections:


Miscellaneous
Having studied the above pages, even if you are considering using an external consultant or legal expert, it is well worth taking some basic steps to enhance your position immediately. This not only demonstrates due diligence, but may well reduce the consultancy costs themselves.

One area that perhaps falls into the category is security. In many respects security underpins the requirements of the Sarbanes-Oxley Act. It is therefore important to quickly establish a credible and detailed security policy, which can often be done readily via off the shelf packages.

Finally, perhaps the most important statement on the entire web site: don’t put off until tomorrow what can be done today! With other legislation and regulation, we have seen far too often organizations leave compliance until the last few days, and subsequently suffer adverse consequences.

9.1.4    NIS Directive

9.1.5    Payment Card Industry (PCI) Data Security Standard

9.1.6    HIPAA (Health Insurance Portability and Accountability Act of 1996)

9.1.7    H2020 Directive

9.1.8    GDPR (General Data Protection Regulation)

9.1.9    2015/16 German Security Act

9.2       Review infrastructure

9.2.1    Access to critical / sensitive activities is controlled.

9.2.2    User access is appropriate (i.e., based on their roles and responsibilities)

9.2.3    Roles are appropriate (i.e., authorizations within roles are as per the role definition)

10.0     Audit

10.0.1  Process audit

10.0.2  Configuration audit

10.0.3  Master data audit

10.0.4  Change management

10.0.5  Transaction audit

10.0.6  System audit

10.1     Prepare data migration and validation

10.2     Conduct testing phases

10.2.1  Product

10.2.2  Integration

10.2.3  Mock Data migration / Load Tests

10.2.4  Performance

10.2.5  UAT

10.2.6  E2E

10.2.7  Security

10.2.7.1 Penetration testing (security)

10.2.7.2 Availability

10.3     Pre-implementation review

10.3.1  Has to be conducted before SAP is implemented (i.e., before go-live) and may include:

10.3.1.1 Blueprint / configuration / business process controls review

10.3.1.2 Authorizations and SoD review

10.3.1.3 IT general controls / BASIS review

10.3.1.4 Data migration / conversion / cutover review

10.3.1.5 Project management review

10.3.1.6 Program development review

10.3.2  System may not exist or controls may not have been implemented

10.3.3  A document review of the following documents is mandatory

10.3.3.1 Business blueprints

10.3.3.2 Authorization design documents

10.3.3.3 Project plan, strategy and other project documents

10.3.3.4 Data migration plan, and cutover plan

10.3.3.5 SAP technical design documents

10.3.3.6 UAT documents

10.4     Post-implementation review

10.4.1  Conducted after system stabilization

10.4.2  It usually includes the following areas

10.4.3  Configuration and SoD review

10.4.4  IT general controls / BASIS review

10.4.5  Reviewing system settings

10.5     Deployment

10.5.1  Cutover Management

10.5.2  Data migration

10.5.3  Training support

So, after reading all this within this example, how would you approach this issue at this customer?

Many companies are still in denial when it comes to security, and therefore attacks on these companies are pretty simple. Imagine that XXX Group was/is the company you are working for: how would you try to resolve this security flaw? It all sounds so simple, but remember this: focus on how you would like to start, and where you would even start. Well, I would suggest starting by blocking unnecessary network traffic, checking what the bandwidth of the applications is, which layer is demanding the most of the network and which one has a direct dependency on security. Would you do a security scan first? I know I would do this in the first place, and secondly I would create a WBS with all the discovered topics and vulnerabilities and tackle them one by one in a more appropriate way.

Well, that is all from me for now, and if you would like to learn or know more you can always ask me via LinkedIn or send me a message.
