Pratum Blog

The ISSA Des Moines Chapter will be hosting a free-for-all hacking event at Iowa State University's Internet Scale Event and Attack Generation Engine (ISEAGE) Lab in October.

The ISEAGE lab will be configured as a model real-world environment and opened up for attendees to attack as they see fit. Attendees can work on their own or in teams to attack the hosts in the ISEAGE lab. Tools such as Metasploit, Backtrack and others will be available. This is a great way to get some real-world experience, learn from peers and network with others in the security field.

Date: Monday 10/26/2009
Location: ISEAGE Lab at ISU
Time: 9am to 2pm
Cost: Free for chapter members, $25 for non-members (if you join at the event, $20 goes toward membership)
Lunch: Provided for all attendees at no cost

If you are interested in attending please contact me by 10/19.  We need an RSVP to ensure we order enough food.

So last week I promised to provide more tips on securing and monitoring Oracle E-Business Suite (11i). I wasn’t able to get it all in during the week but I’ll make up for it this week.

One of the key concerns of any security or audit professional is tracking actions which have been taken by end users. This is especially true for tracking administrative access. If you’ve properly provided for separation of duties and limited end user access, a malicious user can only get so far before they need to rely on others to make their planned attack successful.

As soon as you add collusion to the mix of requirements for a successful attack, the risk typically drops for two reasons. The first is that you have to have two bad apples. The second is that the more people are involved, the larger the footprint. Both lead to a higher chance of discovering the attack and possibly even thwarting it.

Administrators, on the other hand, have the keys to the kingdom, and in some rare (and never recommended) cases end-to-end access. Separation of duties on the technical side is just as important as on the business side. Developers should never have access to move code to production; system administrators shouldn’t have the ability to modify security monitors, and so on.

When configuring Oracle databases there is an easy way to get some basic security auditing information about what your users have done. Running the command SELECT * FROM SYS.DBA_STMT_AUDIT_OPTS; will help you identify whether actions taken by DBA or other sensitive accounts are being monitored. If they are not, your first order of business is to turn auditing on. Be careful though, as auditing can eat up disk space and processor time quickly.

Another good idea is to run SELECT * FROM SYS.DBA_ROLE_PRIVS WHERE ADMIN_OPTION = 'YES'; to see which roles have been granted with the WITH ADMIN option. This option allows those who have been granted a specific privilege to grant it to others. This is an easy way to let your access security get out of control before you even know the problem exists.

By checking to ensure auditing of privilege account access is turned on and that only very specific roles are able to grant access you are able to lock down your environment and have a small window into the core security of your system.
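The two checks above, expanded into a script a reviewer can run against an Oracle 11g-era database. This is an added example, not code from the original post; it uses only the SYS.DBA_* views and AUDIT statement options that exist in Oracle, and assumes the reviewer has the AUDIT SYSTEM privilege and SELECT on the data dictionary.

```sql
-- Added example (not from the original post): check statement auditing and
-- roles granted WITH ADMIN OPTION, then enable auditing for privileged actions.

-- 1. Is the audit trail switched on at all? A value of NONE means nothing is recorded.
SELECT name, value
  FROM v$parameter
 WHERE name = 'audit_trail';

-- 2. Which statement audit options are active, and for which users?
--    USER_NAME is NULL when the option applies to every user.
SELECT user_name, audit_option, success, failure
  FROM sys.dba_stmt_audit_opts
 ORDER BY user_name NULLS FIRST, audit_option;

-- 3. If the list above is empty, turn on auditing for the actions that matter most
--    on DBA and other sensitive accounts. BY ACCESS writes one record per statement,
--    which is what you want for privileged activity; it costs disk and CPU, so keep
--    the option list narrow rather than auditing ALL for every user.
AUDIT SESSION;                                        -- logons and logoffs
AUDIT USER BY ACCESS;                                 -- CREATE/ALTER/DROP USER
AUDIT ROLE BY ACCESS;                                 -- CREATE/ALTER/DROP/SET ROLE
AUDIT SYSTEM GRANT BY ACCESS;                         -- GRANT/REVOKE of system privs and roles
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;  -- use of the "grant any" privileges
AUDIT ALL BY SYSTEM BY ACCESS;                        -- everything the SYSTEM account does

-- 4. Roles granted WITH ADMIN OPTION: these grantees can hand the role to others.
--    SYS and SYSTEM are excluded because they hold admin option on everything by design.
SELECT grantee, granted_role, admin_option, default_role
  FROM sys.dba_role_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, granted_role;

-- 5. Once auditing is on, review privileged activity from the last 24 hours:
--    anything that used a system privilege, plus everything done by DBA-role holders.
SELECT a.timestamp, a.username, a.os_username, a.userhost,
       a.action_name, a.obj_name, a.priv_used, a.returncode
  FROM sys.dba_audit_trail a
 WHERE a.timestamp > SYSDATE - 1
   AND (a.priv_used IS NOT NULL
        OR a.username IN (SELECT grantee FROM sys.dba_role_privs
                           WHERE granted_role = 'DBA'))
 ORDER BY a.timestamp DESC;
```

The AUDIT statements take effect for new sessions only, so existing DBA connections are not covered until they reconnect.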

Securing an enterprise resource planning (ERP) application such as SAP or Oracle’s E-Business Suite (EBS) can be a daunting task. ERP environments are massive collections of databases, applications and interfaces to other systems. Just trying to figure out what is core to the ERP suite itself can be difficult.

I personally am not a database administrator (DBA). I know enough SQL to work my way through an audit, build reports and generally follow a technical discussion. What I cannot do however is build a schema from scratch or do heavy performance tuning. But that’s ok. From a security standpoint we don’t need to be an expert with every possible application or infrastructure component.

When considering security for an ERP you really have three layers to worry about. Infrastructure, which includes your servers, OS, firewalls, routers, etc., is the first layer. The second layer is the database layer, which includes the data dictionary, tables, fields, etc. The third and final layer is the application through which end users interact with the database and create records or transactions. The focus of this article is the actual database layer. We focus a lot on the infrastructure and applications, so I wanted to shed some light on the actual database.

Note: Commands in the following sections refer to Oracle environments. They may need some tweaking for other databases such as Sybase, MS SQL or MySQL.

So in such a complex environment, where do we begin? Let’s start with simple user access. In an ERP system, user authentication will often be done within the backend database environment. This is a good place to start looking at security. Running the command SELECT * FROM DBA_USERS will provide you a listing of all the users of the database. This includes attributes such as password, default tablespace and profile. With this you can begin a review to see if there are any stale users or potential shared accounts.

Another good query is SELECT * FROM DBA_PROFILES, which will list out all the profiles and their attributes. This is a great method to determine the settings for profiles and begin to look at actual user access.

Once you have the users and profiles enumerated you can then move on to roles. Run SELECT * FROM DBA_ROLE_PRIVS and SELECT * FROM USER_ROLE_PRIVS. You can now compare a user with their roles and determine their core level of access.

With this information you should be able to begin building a basic security profile of the system. Does every user have the Sysadmin role? Have any of the profile option defaults such as SignOn:Notification been modified? If you have little confidence in security at the user access level you might as well skip going further. There is simply no way to ensure data integrity if you can’t control who has access to that data and what they can do with it.
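The user, profile and role review described in the preceding paragraphs, joined into a few queries that answer the questions the post asks at the database layer. This is an added example, not code from the original post; it uses only the DBA_USERS, DBA_PROFILES, DBA_ROLE_PRIVS and DBA_AUDIT_SESSION views and assumes the reviewer has the DBA role or SELECT ANY DICTIONARY.

```sql
-- Added example (not from the original post): build a basic user-access profile
-- of an Oracle database backing an ERP, using the DBA_* views the post names.

-- 1. Every user with the password controls inherited from its profile.
--    Open, never-expiring accounts with weak profile limits are the first review targets.
SELECT u.username, u.account_status, u.profile, u.default_tablespace, u.created,
       MAX(CASE WHEN p.resource_name = 'PASSWORD_LIFE_TIME'        THEN p.limit END) AS pwd_life,
       MAX(CASE WHEN p.resource_name = 'FAILED_LOGIN_ATTEMPTS'     THEN p.limit END) AS max_failed,
       MAX(CASE WHEN p.resource_name = 'PASSWORD_VERIFY_FUNCTION'  THEN p.limit END) AS verify_fn
  FROM sys.dba_users u
  JOIN sys.dba_profiles p ON p.profile = u.profile
 GROUP BY u.username, u.account_status, u.profile, u.default_tablespace, u.created
 ORDER BY u.account_status, u.username;

-- 2. Profiles that leave password controls switched off (UNLIMITED or no verify function).
--    Each row is a setting to tighten before trusting the user list above.
SELECT profile, resource_name, limit
  FROM sys.dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND limit IN ('UNLIMITED', 'NULL')
 ORDER BY profile, resource_name;

-- 3. Who ends up with the DBA role, directly or through a chain of roles?
--    Walks the grantee -> granted_role graph so nested grants are not missed.
SELECT LEVEL AS depth, grantee, granted_role, admin_option, default_role
  FROM sys.dba_role_privs
 START WITH granted_role = 'DBA'
 CONNECT BY NOCYCLE PRIOR grantee = granted_role
 ORDER BY depth, grantee;

-- 4. Candidate stale accounts: open users with no logon in the session audit trail.
--    Only meaningful once AUDIT SESSION has been on long enough to be representative.
SELECT u.username, u.created, u.profile
  FROM sys.dba_users u
 WHERE u.account_status = 'OPEN'
   AND NOT EXISTS (SELECT 1
                     FROM sys.dba_audit_session s
                    WHERE s.username = u.username)
 ORDER BY u.created;
```

Query 3 answers the "does every user have the Sysadmin role?" question at the database layer; the EBS Sysadmin responsibility and profile options such as SignOn:Notification live in the application layer and need a separate review there.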

Hopefully this will help you in your attempts to tame the beast which is ERP. I’ll provide some additional tips later this week.
