ERP security
ERP Security is a wide range of measures aimed at protecting Enterprise resource planning systems from illicit access ensuring accessibility and integrity of system data. ERP system is a computer software that serves to unify the information intended to manage the organization including Production, Supply Chain Management, Financial Management, Human Resource Management, Customer Relationship Management, Enterprise Performance Management.
Review
ERP system integrates business processes enabling procurement, payment, transport, human resources management, product management, and financial planning.As ERP system stores confidential information, the Information Systems Audit and Control Association recommends to regularly conduct a comprehensive assessment of ERP system security, checking ERP servers for software vulnerabilities, configuration errors, segregation of duties conflicts, compliance with relevant standards and recommendations, and recommendations of vendors.
Causes for vulnerabilities in ERP systems
Complexity
ERP systems process transactions and implement procedures to ensure that users have different access privileges. There are hundreds of authorization objects in SAP permitting users to perform actions in the system. In case of 200 users of the company, there are approximately 800,000 ways to customize security settings of ERP systems. With the growth of complexity, the possibility of errors and segregation of duties conflicts increases.Specificity
Vendors fix vulnerabilities on the regular basis since hackers monitor business applications to find and exploit security issues. SAP releases patches monthly on Patch Tuesday, Oracle issues security fixes every quarter in . Business applications are becoming more exposed to the Internet or migrate to the cloud.Lack of competent specialists
ERP Cybersecurity survey revealed that organizations running ERP systems "lack both awareness and actions taken towards ERP security".ISACA states that "there is a shortage of staff members trained in ERP security" and security services have the superficial understanding of risks and threats associated with ERP systems. Consequently, security vulnerabilities complicate undertakings such as detecting and subsequent fixing.
Lack of security auditing tools
ERP security audit is done manually as various tools with ERP packages do not provide means for system security auditing. Manual auditing is a complex and time-consuming process that increases the possibility of making a mistake.Large number of customized settings
The system includes thousands of parameters and fine settings including segregation of duties for transactions and tables, and the security parameters are set for every single system. ERP system settings are customized according to customers' requirements.Security issues in ERP systems
Security issues occur in ERP systems at different levels.Network layer
Traffic interception and modification- Absence of data encryption
- Sending password in cleartext
Vulnerabilities in encryption or authentication protocols
- Authentication by hash
- XOR password encryption
- Imposing the use of outdated authentication protocols
- Incorrect authentication protocols
RFC protocol is used to connect two systems by TCP/IP in SAP ERP. RFC call is a function that enables calling and running a functional module located in a system. The ABAP language that is used for writing business applications for SAP have functions to make RFC calls. Several critical vulnerabilities were found in SAP RFC Library versions 6.x and 7.x:
- RFC function "RFC_SET_REG_SERVER_PROPERTY" allows determining an exclusive use of RFC server. Vulnerability exploits lead to a denial of access for the legitimate users. denial of service becomes possible.
- Error in RFC function "SYSTEM_CREATE_INSTANCE". Exploiting vulnerability allows executing arbitrary code.
- Error in RFC function "RFC_START_GUI". Exploiting vulnerability also allows executing arbitrary code.
- Error in RFC function "RFC_START_PROGRAM". Exploiting vulnerability allows executing arbitrary code or gain information about RFC server configuration.
- Error in RFC function "TRUSTED_SYSTEM_SECURITY". Exploiting vulnerability allows obtaining information about existing users and groups in RFC server.
Operating system level
OS software vulnerabilities- Any remote vulnerability in OS is used to gain access to applications
- Remote password brute-forcing
- Empty passwords for remote management tools like Radmin and VNC
- NFS and SMB. SAP data becomes accessible to remote users via NFS an SMB
- File access rights. Critical SAP and DBMS Oracle data files have insecure access rights such as 755 and 777
- Insecure hosts settings. In the trusted hosts, servers can be listed and an attacker easily accesses them
Application vulnerabilities
ERP systems transfer more functionality on the web applications level with a lot of vulnerabilities:- Web application vulnerabilities
- Buffer overflow and format string in web-servers and application-servers
- Insecure privileges for access
Role-based access control
In ERP systems, RBAC model is applied for users to perform transactions and gain access to business objects.In the model, the decision to grant access to a user is made based on the functions of users, or roles. Roles are a multitude of transactions the user or a group of users performs in the company. Transaction is a procedure of transforming system data, which helps perform this transaction. For any role, there is a number of corresponding users with one or multiple roles. Roles can be hierarchical. After the roles are implemented in the system, transactions corresponding to each role rarely change. The administrator needs to add or delete users from roles. The administrator provides a new user with a membership in one or more roles. When employees leave the organization, the administrator removes them from all the roles.