Are Your ERP Systems Vulnerable?
February 09, 2011
An Executive Briefing
(Note: This is the first installment in a multipart series on how to identify, assess, and address vulnerabilities within our key systems. Our next installment will focus on how to ensure your Cloud Computing systems are secure.)
Enterprise Resource Planning (“ERP”) systems are increasingly being used by organizations to process the transactions flowing through most of their key business functions including accounting, procurement, payables (including electronic fund transfers), sales, receivables, manufacturing, inventory, payroll, human resources, etc. Some examples of the ERP systems used by many organizations include SAP, Oracle, PeopleSoft, Microsoft Dynamix and SagePro. Are these systems vulnerable to security breaches?
Traditionally, the risks to ERP systems were primarily considered to come from insider threats, as processing occurred behind the Company’s firewalls and system access was limited to only company employees. Management’s efforts to address these risks, would focus on ensuring segregation of duties existed for key financial transactions and within the IT area to reduce the risk of internal fraud.
However, most ERP systems are now web-enabled, allowing company users and customers to access these systems over the Internet or even on smart phones or other mobile devices. This 24/7 connectivity has increased the risks to organizations as their systems are now exposed to the world. This increased connectivity could lead to unauthorized access and losses, including industrial espionage, fraud and system outages.
Hacking into ERP systems is possible using weaknesses in the configuration of the systems, including things as simple as using default passwords that are the same as when the systems were installed. To see how easy it is to find default passwords for almost all computer applications and hardware devices used by your organization, try entering the term: “default password list” in your favorite search engine. A recent Google search result displayed approximately 156 million entries. If you click on some of the first few links provided, you will see comprehensive lists of default passwords for many applications, database systems, routers, firewalls, and other systems and devices.
As recently reported in the Dark Readings newsletter, published by Information Week, one researcher, Nunez Di Croce, has provided examples on how to exploit web enabled SAP systems at the recent “Black Hat” security conference in Washington DC. Some of the methods he demonstrated include ways to bypass authentication in the SAP Enterprise Portal, and injecting a backdoor into the system that will allow future access into these compromised systems.
The bigger ERP vendors are starting to address these risks. SAP has recently published a whitepaper for its customers that recommends security practices to further secure their systems from internal and external threats. Additionally, there are a number of organizations focused on helping spread awareness of the security risks to user organizations. The SANS Institute has published a “Top Cyber Security Risks” list as well as a checklist for assessing web application security. These publications should be required reading for your IT professionals or consultants. Management should also consider utilizing the Open Web Application Security Project (OWASP) vulnerability assessment tools that are available free-of-charge to determine whether your organization has potential exposure to these threats. OWASP is a not-for-profit worldwide charitable organization focused on improving the security of application software.
Some of the areas that organizations should focus on now include the following:
• Changing all default vendor passwords and implementing strong password policies that incorporate automated controls to enforce, at a minimum, regular changing of passwords and requirements for longer and more complex passwords;
• Developing procedures for assessing and implementing applicable vendor security patches that are released;
• Restricting access to data and transactions on an as-needed basis;
• Performing periodic reviews of user access permissions;
• Limiting the web services that are running on your servers to only those needed by your organization;
• Securing the database and operating systems that your ERP applications reside on;
• Installing intrusion detection/prevention systems within your network;
• Running periodic vulnerability scans against your external networks and key applications;
• Closing any unnecessary firewall ports and implementing rigorous change control procedures for your firewalls.
If you look at the old audit reports that have been gaining dust on your shelves (or on your hard drives), you will notice that many of the above steps are the types of recommendations that your auditors have been promoting for years. If you are running any web-enabled applications or have internet connections within your network, then you should look at the above list which will serve as the minimum areas that need to be addressed by your IT departments.
This publication is intended to provide general information to our relationships. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.