Securing an enterprise resource planning (ERP) application such as SAP or Oracle’s E-Business Suite (EBS) can be a daunting task. ERP environments are massive collections of databases, applications and interfaces to other systems. Just trying to figure out what is core to the ERP suite itself can be difficult.
I personally am not a database administrator (DBA). I know enough SQL to work my way through an audit, build reports and generally follow a technical discussion. What I cannot do however is build a schema from scratch or do heavy performance tuning. But that’s ok. From a security standpoint we don’t need to be an expert with every possible application or infrastructure component.
When considering security for an ERP you really have three layers to worry about. Infrastructure, which includes your servers, OS, firewalls, routers, etc. would be the first layer. The second layer is the database layer which includes the data dictionary, tables, fields, etc. The third and final layer is the application with which end users interact with the database and create records or transactions. The focus of this article is the actual database layer. We focus a lot on the infrastructure and applications so I wanted to shed some light on the actual database.
Note: Commands in the following sections refer to Oracle environments. They may need some tweaking for other databases such as Sybase, MS SQL or MySQL.
So in such a complex environment, where do we begin? Let’s start with simple user access. In an ERP system, user authentication will often be done within the backend database environment. This is a good place to start looking at security. Running the command SELECT * FROM DBA_USERS will provide you listing of all the users of the database. This includes attributes such as password, default tablespace and profile. With this you can begin a review to see if there are any stale users or potential shared accounts.
Another good query is SELECT * FROM DBA_PROFILES which will list out all the profiles and their attributes. This is a great method to determine the settings for profiles and begin to look at actual user access.
Once you have the users and profiles enumerated you can then move on to roles. Run SELECT * FROM DBA_ROLE_PRIVS and SELECT * USER_ROLE_PRIVS. You can now compare a user with their role and determine their core level of access.
With this information you should be able to begin building a basic security profile of the system. Does every user have the Sysadmin role? Have any of the profile option defaults such as SignOn:Notification been modified? If you have little confidence in security at the user access level you might as well skip going further. There is simply no way to ensure data integrity if you can’t control who has access to that data and what they can do with it.
Hopefully this will help you in your attempts to tame the beast which is ERP. I’ll provide some additional tips later this week.
One thing I've noticed over the past year is that the majority of information on the web relating to digital forensics is geared toward two audiences. The first is law enforcement and the second are consulting firms. This makes complete sense. Law enforcement probably does more evidence collecting and review that anyone else and most companies don't need (or want) a full time forensics team. So it completely understandable that the bulk of materials cater to these groups.
What concerns me is how underserved those in corporate incident response are by the larger forensics community. Even if incident response at the corporate level is a small market, it is a market nonetheless. Many times companies want to add these capabilities to their in-house arsenal but have no idea where to start. If you are in that camp....keep reading. This article is just for you.
Companies which are considering adding digital forensic investigation capabilities in-house need to ask themselves several questions upfront.
Why do we need this capability?
Who's going to provide the services and where will they report?
Is the cost to purchase and maintain a lab and provide continuing education worth the expense?
Questions 1 and 2 are typically easy to answer. Number three is more difficult. A typical 1 week engagement from one of the well know consulting groups like IBM, Deloitte and others can easily surpass $10,000. Can you provide this in house cheaper? If you plan to do investigations once or twice a year, probably not. If you plan to do it once or twice a month, then likely so. Many times though we forget to look at all of the costs associated with standing up a unique environment like a forensic lab. It shouldn't be hooked to your network which creates management concerns around patching, updating, etc. The hardware most likely will be vastly different that what you purchase for other needs. If you choose to utilize commercial software packages they must be continually updated and software maintenance is a must.
Once an organization decides to offer these services, some immediate steps need to be taken to ensure uniformity in your investigations. An incident response plan must be developed which lays out who can request or initiate an investigation, what the grounds for cause are, who can perform the investigation, who sees the results and what actions should or must be taken based on the outcome. One thing organizations must protect against is the witch hunt mentality. You've got suspicion someone is up to no good but nothing more than that. Just a hunch. I advise my clients never to start an investigation this way. Make sure there is always a reason to investigate. Last thing you want is for your employees to feel there is a culture of mistrust and accusations within the organization. At best your morale will sink to new lows. At worst you could be sued by employees for harassment, privacy or other accusations.
The next thing to guard against is who can call for an investigation. I usually like to see a 2nd level manager be in the approval chain. Let's say Bob is an employee who's manager suspects he's creating fraudulent transactions. If Bob works for Sally and Sally works for Meg then Sally would make the request for investigation and Meg has to approve it. This again helps reduce the chance for a witch hunt and ensures a level of accountability in the process.
You'll also want to make sure investigations are only completed by those who've had some specialized training in acquiring and handling evidence, digital forensic processes and reporting of results. I wish I could say you'll never have to worry about your internal investigations ending up in civil or criminal court but I can't. You should always approach new cases as having the potential to have aspects of civil or criminal law to them. This will save you a lot of headache later.
In terms of who should have access to the final reports, that will vary by organization. Needless to say it should be restricted by need to know. Also remember that many times an initial investigation will lead to one or more follow on investigations and the fewer people who are privy to this fact the better.
So as you begin to build a forensic unit within your organization, here are some things you'll want to consider.
Develop an Incident Response Plan prior to doing any investigations
Create a dual or dotted line reporting structure to maintain independence
Build a self-sustaining lab and staff it appropriately
Create a set of criteria for requesting and initiating investigations to ensure objectivity
Build a communication framework for investigators to ensure they have support of executives, HR and Legal.
Develop a plan for when and how to call for outside help including law enforcement or more experienced investigators.
By following these steps you'll be well on your way to providing these services in house. I can't promise everything will be picture perfect. In fact I can almost guarantee at one or more points along this path you'll wonder if this was the right decision. Adding forensic capabilities to your internal service offering will change the culture at your organization. Make sure you're leadership, all the way to the top, are on board and understand this decision.
The Washington Post published a story last week about the rising threat of fraud against small business in the US. (Read) Brian Krebs does a good job of finding some examples of small businesses as well as government agencies like a school district which have been hit with financial fraud.
The FBI has begun to investigate cyber crime rings in Eastern Europe which are targeting US businesses. One of the concerns is the lack of data to support there is a problem. Many companies fear the bad publicity of announcing they are the victim of cyber crime. This creates a big dilemma. First, if not reported as a crime the company has few legal options in trying to recover any loses. Second, crime is investigated based on statistics. If nobody reports cyber crime, law enforcement agencies will never staff those investigative divisions appropriately and the waves will continue to roll.
Mr. Krebs' article included a quote from the controller of a small electronics calibration company in Louisiana. The company lost close to $98,000 in two attacks days apart. There real loss however was the investigation and recovery which is estimated to be 3 times their hard financial loss. That's nearly half a million dollars. This would effectively cripple most small businesses from a cash flow and operations perspective. Many of which might never recover.
If you own a small or medium business and think information security is an expenditure you can't afford, I beg you to reconsider. Not because I want your business, but because I BELIEVE in small business. It's the foundation of our economy. A risk assessment, vulnerability scan and some help with remediation efforts will most likely cost you between $20,000 and $50,000 when using a reputable and experienced consultant. That's no small chunk of change. But when compared with the staggering losses, both soft and hard, which are being felt by others it's really a drop in the bucket.
I can't guarantee you won't be a victim just because you spend some money on security. I can however assure you that you have reduced your risk of being a victim. That's what smart business people do on a daily basis, manage risk.