Entry | ERP security |
Definition |
Review

An ERP system integrates business processes, enabling procurement, payment, transport, human resources management, product management, and financial planning.[2] Because an ERP system stores confidential information, ISACA recommends regularly conducting a comprehensive assessment of ERP system security: checking ERP servers for software vulnerabilities, configuration errors, segregation of duties conflicts, and compliance with relevant standards, recommendations, and vendor guidance.[3][4]

Causes for vulnerabilities in ERP systems

Complexity

ERP systems process transactions and implement procedures to ensure that users have different access privileges. There are hundreds of authorization objects in SAP permitting users to perform actions in the system. For a company with 200 users, there are approximately 800,000 (100*2*20*200) ways to customize the security settings of the ERP system.[5] As complexity grows, the likelihood of errors and segregation of duties conflicts increases.[6]

Specificity

Vendors fix vulnerabilities on a regular basis, since hackers monitor business applications to find and exploit security issues. SAP releases patches monthly on Patch Tuesday; Oracle issues security fixes every quarter in the Oracle Critical Patch Update (https://www.oracle.com/technetwork/topics/security/alerts-086861.html). Business applications are becoming more exposed to the Internet or are migrating to the cloud.[7]

Lack of competent specialists

The ERP Cybersecurity survey[8] revealed that organizations running ERP systems "lack both awareness and actions taken towards ERP security".[9] ISACA states that "there is a shortage of staff members trained in ERP security"[10] and that security services have a superficial understanding of the risks and threats associated with ERP systems. Consequently, security vulnerabilities are harder to detect and subsequently fix.[11][12]

Lack of security auditing tools

ERP security auditing is done manually, as the tools shipped with ERP packages do not provide means for system security auditing. Manual auditing is a complex and time-consuming process that increases the possibility of making a mistake.[13]

Large number of customized settings

The system includes thousands of parameters and fine-grained settings, including segregation of duties for transactions and tables, and the security parameters are set separately for every single system. ERP system settings are customized according to each customer's requirements.

Security issues in ERP systems

Security issues occur in ERP systems at different levels.

Network layer

Traffic interception and modification
In 2011, SensePost specialists analyzed the DIAG protocol used in the SAP ERP system for transferring data from the client to the SAP server. Two utilities were published that allowed intercepting, decrypting, and modifying client-server requests containing critical information, making attacks such as man-in-the-middle possible. The second utility operates like a proxy and was created to identify new vulnerabilities; it allowed modifying requests going to both the client and the server.[14]
In the SAP ERP system, it is possible to perform administrative functions via the Telnet protocol, which encrypts passwords.

Vulnerabilities in encryption or authentication protocols
The RFC (Remote Function Call) protocol is used in SAP ERP to connect two systems over TCP/IP. An RFC call is a function that enables calling and running a function module located in a system. The ABAP language, used for writing business applications for SAP, has functions to make RFC calls. Several critical vulnerabilities were found in SAP RFC Library versions 6.x and 7.x[15]:
Operating system level

OS software vulnerabilities
Weak OS passwords
Insecure OS settings
Application vulnerabilities

ERP systems are moving more functionality to the web application level, which brings a lot of vulnerabilities:
Role-based access control

In ERP systems, the RBAC (Role-Based Access Control) model is applied to let users perform transactions and gain access to business objects.[16] In this model, the decision to grant access to a user is based on the user's functions, or roles. A role is a set of transactions that a user or a group of users performs in the company. A transaction is a procedure that transforms system data. For any role, there is a number of corresponding users, each holding one or multiple roles. Roles can be hierarchical. After the roles are implemented in the system, the transactions corresponding to each role rarely change; the administrator only needs to add users to or remove users from roles. The administrator provides a new user with membership in one or more roles, and when employees leave the organization, the administrator removes them from all roles.[17]

Segregation of Duties

Segregation (or separation) of duties, also known as SoD, is the concept according to which a user cannot complete a transaction without other users (e.g. a single user cannot both add a new supplier and write out a cheque or pay that supplier),[18] so the risk of fraud is much lower.[19] SoD can be implemented with RBAC mechanisms by introducing the notion of mutually exclusive roles. For instance, to pay a supplier, one user initiates the payment procedure and another accepts it;[20] in this case, initiating and accepting a payment are mutually exclusive roles. Segregation of duties can be either static or dynamic. With static SoD (SSoD), a user cannot belong to two mutually exclusive roles. With dynamic SoD (DSoD), a user can belong to both but cannot exercise both within one transaction. Each has its own advantages: SSoD is simple, while DSoD is flexible.[21] Segregation of duties is documented in an SoD matrix, whose rows and columns both list the system's roles; if two roles are mutually exclusive, a flag is placed at the intersection of the corresponding row and column.
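As an added illustration (not code from this article or from any ERP vendor), the following Python implements the static and dynamic SoD checks described above over an SoD matrix; the role names, the flagged pairs, the users and the transaction ids are all constructed assumptions.

```python
# Added example: static (SSoD) and dynamic (DSoD) segregation-of-duties
# checks on top of an RBAC role model. All roles, flags and users below
# are constructed for illustration, not taken from any real ERP system.
from itertools import combinations

# Constructed SoD matrix: a flag at (row, col) marks two mutually
# exclusive roles. The lookup below treats the matrix as symmetric.
SOD_FLAGS = {
    ("vendor_maintain", "payment_initiate"),  # could pay a fake supplier
    ("invoice_enter", "payment_approve"),
    ("payment_initiate", "payment_approve"),  # initiate vs. accept payment
}

def mutually_exclusive(role_a, role_b):
    """Read the flag at the intersection of two roles in the SoD matrix."""
    return (role_a, role_b) in SOD_FLAGS or (role_b, role_a) in SOD_FLAGS

def ssod_conflicts(user_roles):
    """Static SoD: a user may never hold two mutually exclusive roles.
    user_roles maps user -> set of role names. Returns a sorted list of
    (user, role_a, role_b) triples, one per violating role pair."""
    conflicts = []
    for user, roles in user_roles.items():
        for role_a, role_b in combinations(sorted(roles), 2):
            if mutually_exclusive(role_a, role_b):
                conflicts.append((user, role_a, role_b))
    return sorted(conflicts)

class DynamicSoD:
    """Dynamic SoD: a user may hold both roles, but must not exercise two
    mutually exclusive roles on the same transaction (e.g. one payment)."""

    def __init__(self):
        self._used = {}  # txn_id -> {user -> set of roles already exercised}

    def exercise(self, txn_id, user, role):
        """Record that `user` acts as `role` on `txn_id`. Returns True if the
        action is allowed, False if it would breach DSoD (nothing recorded)."""
        used = self._used.setdefault(txn_id, {}).setdefault(user, set())
        if any(mutually_exclusive(role, prior) for prior in used):
            return False
        used.add(role)
        return True

if __name__ == "__main__":
    # Constructed assignments: bob violates SSoD by holding both payment roles.
    users = {"alice": {"vendor_maintain", "invoice_enter"},
             "bob": {"payment_initiate", "payment_approve"}}
    print("SSoD conflicts:", ssod_conflicts(users))
    dsod = DynamicSoD()
    print(dsod.exercise("PAY-1001", "bob", "payment_initiate"),   # True
          dsod.exercise("PAY-1001", "bob", "payment_approve"))    # False
```

Under SSoD the second assignment is reported at provisioning time; under DSoD bob keeps both roles but is refused the approval step on the payment he initiated, while approving a different payment is still allowed.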
ERP Security scanners

An ERP security scanner is software intended to search for vulnerabilities in ERP systems. The scanner analyzes the configuration of the ERP system, searches for misconfigurations, access control and encryption conflicts, and insecure components, and checks for missing updates. It checks system parameters for compliance with the manufacturer's recommendations and ISACA auditing procedures. ERP security scanners produce reports listing the vulnerabilities according to their criticality. Examples of scanners:
References

1. ERP (enterprise resource planning). SearchERP TechTarget, May 2017. https://searcherp.techtarget.com/definition/ERP-enterprise-resource-planning (accessed 6 April 2018).
2. What Is ERP? https://www.oracle.com/applications/erp/what-is-erp.html (accessed 6 April 2018).
3. Security issues in ERP. http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/sap-erp.aspx
4. Why security should be a priority for an ERP ecosystem. Information Age, 31 August 2017. http://www.information-age.com/security-priority-erp-ecosystem-123468295/ (accessed 6 April 2018).
5. ERP Security and Segregation of Duties Audit: A Framework for Building an Automated Solution. https://csbweb01.uncw.edu/people/ivancevichd/classes/MSA%20516/Extra%20Readings%20on%20Topics/Database/ERP%20Security.pdf
6. Security issues in ERP. http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/sap-erp.aspx
7. ERP Security Deserves Our Attention Now More Than Ever. Forbes, 7 July 2017. https://www.forbes.com/sites/forbestechcouncil/2017/07/07/erp-security-deserves-our-attention-now-more-than-ever/ (accessed 6 April 2018).
8. ERP Cybersecurity survey 2017. https://erpscan.com/research/white-papers/erp-cybersecurity-survey-2017/
9. Survey reveals the damage of fraud attacks against SAP system is estimated at $10m. CSO from IDG, 27 June 2017. https://www.cso.com.au/article/621185/survey-reveals-damage-fraud-attacks-against-sap-system-estimated-10m/ (accessed 6 April 2018).
10. ERP Security and Segregation of Duties Audit: A Framework for Building an Automated Solution. https://csbweb01.uncw.edu/people/ivancevichd/classes/MSA%20516/Extra%20Readings%20on%20Topics/Database/ERP%20Security.pdf
11. ERP Security Deserves Our Attention Now More Than Ever. Forbes, 7 July 2017. https://www.forbes.com/sites/forbestechcouncil/2017/07/07/erp-security-deserves-our-attention-now-more-than-ever/ (accessed 6 April 2018).
12. Six classic ERP system security problems – and how to avoid them. CloudTech, 10 May 2017. https://www.cloudcomputing-news.net/news/2017/may/10/six-classic-erp-system-security-problems-and-how-avoid-them/ (accessed 6 April 2018).
13. Security issues in ERP. http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/sap-erp.aspx
14. ERPScan warns about new vulnerabilities of DIAG protocol in SAP.
15. SAP RFC Library Multiple Vulnerabilities. http://www.cnet.com/forums/post/7986898c-0a03-43d4-af70-b8427164c8e2
16. Security for Enterprise Resource Planning Systems. http://www.utdallas.edu/~bxt043000/Publications/Journal-Papers/DAS/J46_Security_for_Enterprise_Resource_Planning_Systems.pdf
17. Role-Based Access Controls. http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf
18. ISACA Glossary Terms. http://www.isaca.org/Knowledge-Center/Lists/ISACA%20Glossary%20Terms/DispForm.aspx?ID=1700
19. A risk-based approach to segregation of duties. http://www.ey.com/Publication/vwLUAssets/EY_Segregation_of_duties/$FILE/EY_Segregation_of_dutie/s.pdf
20. R. A. Botha and J. H. P. Eloff. Separation of Duties for Access Control Enforcement in Workflow Environments.
21. Simple Search. http://www.bth.se/fou/cuppsats.nsf/all/52d12689b4758c84c12572a600386f1d/$file/mcs-2006-16.pdf
|