SAP System Security Assignments

Requirement

Task 1.1 Discuss what is a transaction code and its main purpose in the SAP R/3 System. Research the following related SAP Transaction Codes SM19 and SM20 and explain how you would use these two related SAP Transaction codes to undertake a security audit of an organisation’s SAP R/3 System.
Task 1.2.1 Discuss the important role that the user master record in SAP plays in ensuring assignment of appropriate rights, activity groups / roles and authorisations for individual users.
Task 1.2.2 As it is not possible to delete the SAP* user account describe two suggested controls to secure this account from misuse.
Task 2.1.1 Identify and describe the key ethical concerns raised in this case study?
Task 2.1.2 Identify and describe how specific values of ACS Code of Professional Practice would provide guidance on how to deal with key ethical concerns raised by Faisal in a recent distributed Records Management system project.
Task 2.2.1 Identify and describe key ethical concerns raised by Carol’s actions outlined in this case study?
Task 2.2.2 Identify and describe how specific values of ACS Code of Professional Practice would provide guidance on how to deal with key ethical concerns raised by Carol’s actions in this case study.
Task 3: Research the concept of an advanced network attack known as an Advanced Persistent Attack. Explain what is meant by an Advanced Persistent Attack and describe the steps, resources and activities that would need to be undertaken by a hacker to mount such an attack on an organisation and the possible consequences for an organisation if compromised by an Advanced Persistent Attack.

Solution

Task 1.1

The SAP Transaction Code is basically a shortcut key attributed to a screen. With the help of this shortcut feature in SAP, we can navigate directly to a specific location in SAP by entering the transaction code (T-code) in the command field of the toolbar. A transaction code is associated with each and every function in the SAP system. The code is a four-character command and fundamentally consists of letters, numbers or both. It is inherently meant for saving time, since the navigation takes place in a single step (Ingvaldsen & Gulla, 2007). The command used is: type /n followed by the required transaction code and press the Enter/Return key. As an example, suppose the intended navigation path is User Menu >> Role ZMIT >> Purchasing >> Requisition >> Create a Requisition. Instead of that we can type /nme51 in the command field.
SAP Transaction Codes SM19
Description: Security Audit Configuration
Main Category: Basis
Sub Category: Security
SM19 is the SAP T-code associated with Security Audit Configuration. It is a standard SAP T-code used within R/3 SAP systems, depending on the version being released. The command options available using this code are:

  • a) SAP GUI for HTML: a function that generates HTML pages for every SAP screen. The advantage of this option is that no template needs to be created. However, because of some restrictions, a few specific transactions cannot run in this interface.

  • b) SAP GUI for Java: a plug-in that is executed after being downloaded from the browser. The GUI version for Java supports more controls than HTML, but the transaction still needs to be tested (Wun-Young & Hirao, 2009). Users need to install it on their PC, which makes it the second choice after SAP GUI for HTML.

  • c) SAP GUI for Windows: transactions can also run on Windows, so they also need to be flagged for SAP GUI for Windows.


Menu Path for Transaction SM19: SAP Menu->Tools->Administration->Monitor->Security Audit Log->Configuration

SAP Transaction Codes SM20
Description: Analysis of Security Audit Log
Main Category: Basis
Sub Category: Security
SM20, the SAP T-code associated with Analysis of Security Audit Log, is a standard SAP T-code used in R/3 SAP systems. It is basically a software tool designed to be used by auditors in order to monitor the activities in the SAP system (Linkies & Off, 2006). It helps to view the audit log. Once the audit log is activated, it is easier to keep a record of those activities that are considered for auditing. This information can be accessed later on to evaluate the audit analysis report. There is a fixed period of time for which the audit log can be scanned.
The navigation path for accessing Security Audit Log is:
Tools->Administration->Monitor->Security Audit Log->Analysis 
or
Transaction SM20 – Analyzing the Audit Log
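The kind of review an auditor performs on the Security Audit Log once SM19 has activated it and SM20 shows it can be scripted for an offline export. The following is an added example and not SAP code: the record layout (date, time, client, user, terminal, transaction, message ID, message text) and the sample lines are constructed for this illustration and do not reproduce the real audit file format; the message IDs AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started) are SAP's audit event classes, and the set of "sensitive" transactions is an assumption an auditor would tune.

```python
"""Offline review of Security Audit Log entries of the kind SM20 displays.
Added example, not SAP code. The line layout below is a constructed,
simplified export: date, time, client, user, terminal, transaction,
message ID, message text. AU1/AU2/AU3 are SAP's audit event classes for
successful logon, failed logon and transaction start."""
from collections import Counter

# Constructed sample export (not from a real system). One record per line.
SAMPLE_LOG = """\
20160916 08:01:12 100 JSMITH WS01 SESSION_MANAGER AU1 Logon successful
20160916 08:02:30 100 SAP* WS07 SESSION_MANAGER AU2 Logon failed (wrong password)
20160916 08:02:41 100 SAP* WS07 SESSION_MANAGER AU2 Logon failed (wrong password)
20160916 08:02:55 100 SAP* WS07 SESSION_MANAGER AU2 Logon failed (wrong password)
20160916 08:03:10 100 SAP* WS07 SESSION_MANAGER AU1 Logon successful
20160916 08:05:00 100 SAP* WS07 SU01 AU3 Transaction SU01 started
20160916 09:15:47 100 JSMITH WS01 ME51 AU3 Transaction ME51 started
20160916 09:20:02 200 ADMIN1 WS02 SM19 AU3 Transaction SM19 started
"""

FIELDS = ("date", "time", "client", "user", "terminal", "tcode", "msgid", "text")

# Transactions an auditor normally wants every start of: user and role
# administration, audit log configuration/analysis, and ad-hoc report
# execution (SA38). Assumed list; tune it to the organisation.
SENSITIVE_TCODES = {"SU01", "PFCG", "SM19", "SM20", "SA38"}
STANDARD_USERS = {"SAP*", "DDIC"}


def parse_audit_log(text):
    """Turn the export into a list of dicts; blank lines are skipped.
    The free-text message is the last field, so split at most 7 times."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, len(FIELDS) - 1)
        records.append(dict(zip(FIELDS, parts)))
    return records


def failed_logons_by_user(records):
    """Count AU2 (failed logon) events per user."""
    return Counter(r["user"] for r in records if r["msgid"] == "AU2")


def repeated_failures(records, threshold=3):
    """Users reaching the failed-logon threshold: a password-guessing indicator."""
    return {u for u, n in failed_logons_by_user(records).items() if n >= threshold}


def sensitive_transaction_starts(records):
    """(client, user, tcode) for every AU3 start of a sensitive transaction."""
    return [(r["client"], r["user"], r["tcode"])
            for r in records if r["msgid"] == "AU3" and r["tcode"] in SENSITIVE_TCODES]


def standard_user_activity(records):
    """All events attributed to standard users such as SAP*; any of these
    outside a documented emergency should be explained by the administrators."""
    return [r for r in records if r["user"] in STANDARD_USERS]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print("failed logons:", dict(failed_logons_by_user(recs)))
    print("repeated failures:", repeated_failures(recs))
    print("sensitive starts:", sensitive_transaction_starts(recs))
    print("standard user events:", len(standard_user_activity(recs)))
```

On the constructed sample the script flags SAP* for three failed logons followed by a successful one and an SU01 start, which is exactly the sequence an auditor reading SM20 would ask the administrators to explain.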
Task 1.2.1
User Master Record in SAP
The user master record is a function that is used to assign the required authorizations to users in order to execute transactions in SAP systems. It is primarily used in the process of administrative and authorization management. The process starts with an SAP user who has a user ID with an authorization for a transaction, and every detail of the user can then be monitored by the SAP administrator (Hauge, 2007). All the essential details of users, such as login sessions, user rights and passwords, are listed under the user master record. In other words, the main purpose of the user master record is to provide storage that contains the user ID along with a large amount of information that can be used by the administrators of the SAP system for the effective management of users.

Various components of User master record:

  • Address: the location where every detail of the user is stored. These details are: personal data, communication details as well as company address.

  • Login data: in this location the user type, validity period and cost center are stored.

  • Parameters: in this location all the default parameters are stored that are invariably assigned to the user.

  • Roles: the location where roles are assigned to the user.

  • Profiles: in this component a profile is assigned to the user; for example, SAP provides the predefined system authorization profile SAP_ALL.

  • Personalization: the component where personalization is assigned to the user ID.

  • License data: in this component the license data of the user are assigned, such as user access to transactions, passwords, authorization profiles etc.

Whenever a user ID is created for a user in the SAP system and he then needs to perform certain business activities according to his job profile, the required T-codes are used to perform the corresponding actions, and the access to perform all the job tasks is granted through roles only.
A user can only be authorized to log on to an SAP system when a user master record exists with the corresponding password. Commonly the users are defined by one or more roles, in which they are restricted by assigning proper authorizations to perform their operations. The user master records are client-based, and therefore users have to maintain their records in each client of the SAP system (Föse, Hagemann & Will, 2012). If a user has two clients in the SAP system with different roles for different clients, then the user has to perform activities in his own client only. The user master record has the following SAP objects:

  • Object S_USER_GRP - Authorization to create and/or maintain user master records

  • Object S_USER_PRO - Authorization for the authorization profiles

  • Object S_USER_AUTH - Authorization to create and maintain authorizations

  • Object S_USER_AGR - Authorization to protect roles

  • Object S_USER_TCD - Authorization for transactions

  • Object S_USER_VAL - Authorization to restrict the values

Task 1.2.2

Securing User SAP* Against Misuse

In order to make sure that nobody can misuse the standard user SAP*, a new super user is defined and at the same time SAP* is deactivated in all the clients that exist in table T000. However, SAP* is hard-coded in AS ABAP and does not need any user master record. Even if a client does not have a user master record for SAP*, anyone can access AS ABAP as the user SAP* with the password PASS. In this condition, SAP* is not subject to authority checks and therefore has all authorizations. So, do not delete the SAP* account of any client ("Securing User SAP* Against Misuse - User and Role Administration of Application Server ABAP - SAP Library", n.d.).
The automatic creation of SAP* is mitigated by a profile parameter, login/no_automatic_user_sapstar, which is activated by default. Depending on the setting of this profile parameter, deleting the SAP* user master record straight away activates the hard-coded SAP* with the password PASS, which then has unrestricted system authorizations.
As the clients are always stored in table T000, in order to find out any particular client the report used is RSAUDIT_SYSTEM_STATUS and the transaction used is SA38.

Procedure of securing User SAP*:

  • 1. A user master record is created for the new super user.

  • 2. This super user is assigned an emergency role.

  • 3. The initial password is changed.

  • 4. A user master record for SAP* is created.

  • 5. SAP* is assigned to the user group SUPER to ensure that only authorized administrators can change its user master record.

  • 6. All authorizations for SAP* are deactivated.
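The user master record components from Task 1.2.1 and the six-step SAP* procedure above can be expressed as a small model plus a compliance check that an administrator could run against an export of each client. This is an added example written for this page, not SAP's own code or data model: the record fields, the authorization encoding as (object, value) pairs, the role name Z_EMERGENCY_ADMIN and the two sample clients are all assumptions made for the illustration.

```python
"""Added example, not SAP code: a minimal model of the user master record
(login data, user group, roles, profiles) and a check that the six-step
procedure for securing SAP* was applied in a client. Field names, the role
Z_EMERGENCY_ADMIN and the authorization encoding are assumptions."""
from dataclasses import dataclass, field


@dataclass
class UserMasterRecord:
    user_id: str
    client: str
    user_type: str = "DIALOG"
    user_group: str = ""
    roles: set = field(default_factory=set)
    profiles: set = field(default_factory=set)
    initial_password: bool = True  # True until the initial password is changed


# An authorization is modelled as (authorization object, permitted value).
# Constructed role and profile contents; SAP_ALL is modelled as the wildcard.
ROLE_AUTHORIZATIONS = {
    "Z_EMERGENCY_ADMIN": {("S_USER_GRP", "*"), ("S_USER_PRO", "*"),
                          ("S_USER_AUTH", "*"), ("S_USER_AGR", "*"),
                          ("S_USER_TCD", "*"), ("S_USER_VAL", "*"),
                          ("S_TCODE", "SU01")},
    "Z_PURCHASING": {("S_TCODE", "ME51")},
}
PROFILE_AUTHORIZATIONS = {"SAP_ALL": {("*", "*")}}


def effective_authorizations(record):
    """Union of everything granted through roles and directly assigned profiles."""
    auths = set()
    for role in record.roles:
        auths |= ROLE_AUTHORIZATIONS.get(role, set())
    for profile in record.profiles:
        auths |= PROFILE_AUTHORIZATIONS.get(profile, set())
    return auths


def has_authorization(record, obj, value):
    """Authority check with '*' as wildcard on object or value."""
    for granted_obj, granted_val in effective_authorizations(record):
        if granted_obj in ("*", obj) and granted_val in ("*", value):
            return True
    return False


def check_sapstar_secured(users, client, emergency_role="Z_EMERGENCY_ADMIN"):
    """Return findings for one client; an empty list means the procedure is
    complete. `users` is a dict keyed by (client, user_id)."""
    findings = []
    # Steps 1-3: a new super user exists, holds the emergency role and has
    # changed the initial password.
    super_users = [u for (c, _), u in users.items()
                   if c == client and u.user_id != "SAP*" and emergency_role in u.roles]
    if not super_users:
        findings.append(f"client {client}: no super user holds role {emergency_role}")
    for u in super_users:
        if u.initial_password:
            findings.append(f"client {client}: super user {u.user_id} still has initial password")
    # Steps 4-6: SAP* has a master record, sits in group SUPER, and holds no
    # authorizations (the hard-coded SAP* would otherwise have all of them).
    sapstar = users.get((client, "SAP*"))
    if sapstar is None:
        findings.append(f"client {client}: no user master record for SAP*")
        return findings
    if sapstar.user_group != "SUPER":
        findings.append(f"client {client}: SAP* is in group '{sapstar.user_group}', not SUPER")
    if effective_authorizations(sapstar):
        findings.append(f"client {client}: SAP* still has authorizations")
    return findings


def demo_users():
    """Constructed data: client 000 is secured, client 100 is not yet."""
    return {
        ("000", "SAP*"): UserMasterRecord("SAP*", "000", user_group="SUPER",
                                         initial_password=False),
        ("000", "EMERGADM"): UserMasterRecord("EMERGADM", "000", user_group="SUPER",
                                             roles={"Z_EMERGENCY_ADMIN"},
                                             initial_password=False),
        ("100", "EMERGADM"): UserMasterRecord("EMERGADM", "100", user_group="SUPER",
                                             roles={"Z_EMERGENCY_ADMIN"}),
        ("100", "JSMITH"): UserMasterRecord("JSMITH", "100", roles={"Z_PURCHASING"}),
    }


if __name__ == "__main__":
    users = demo_users()
    for client in ("000", "100"):
        print(client, check_sapstar_secured(users, client) or "secured")
```

Run against the constructed data, client 000 produces no findings, while client 100 is reported for a super user whose initial password is unchanged and for the missing SAP* master record, the condition under which the hard-coded SAP* with password PASS becomes reachable.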

Task 2.1.1

In the present scenario, the software program developed by Faisal had performed reasonably well in the first run and was therefore declared state of the art and expected to function well in the future as well. So, on this premise, it was about to be dispatched to the two companies for deployment. However, later on it was discovered that the software contained a serious security hole, and company Y’s database system became vulnerable to attack by hackers who could easily steal confidential information about clients. Also, even company X’s database system is not secure on account of the security flaw. On top of that, the manager told Faisal to continue the way the project was going. So, Faisal is in a dilemma whether to obey his manager’s instructions or follow his moral conscience. Now, there are two important considerations that have developed here: professionalism and the public interest. As Faisal is an employee of company Z, he has to remain loyal to his own company, and therefore it seems fine to follow what his manager has told him. However, as per the ACS Code of Ethics, the primacy of the public interest is the pertinent principle, so that the action taken by any professional should not bring any harm to the public (Bowern, Burmeister, Gotterbarn, & Weckert, 2006).

Task 2.1.2

According to the ACS Code of Professional Practice, there are three different points of view through which the above scenario should most likely be looked at: Professionalism, the Primacy of the Public Interest and Honesty. Professionally, there are certain compulsions for Faisal to obey the orders of his manager, even if he thinks something needs to be done towards fixing the problem, because he is working for the company and he will have to put the interests of his company first. Secondly, from another perspective, the primacy of the public interest should take precedence above all, and if there is any conflict because of that, it should be resolved in favor of the public. The public interest invariably includes matters of public health, safety as well as the environment. Moreover, it is the job of the professional to identify those parties that are potentially impacted by his work and therefore explicitly consider their interests. Also, Faisal, being in the job, should feel the priority to safeguard the interests of his immediate stakeholders (manager and company); however, the interests of these stakeholders should not override the duty and loyalty that he owes to the people. The third and very crucial perspective is honesty, by virtue of which any professional should not breach the trust of his stakeholders or the public. So, Faisal needs to understand here that, after learning that a certain loophole exists in the software, he should try to fix the problem so that the two companies would be saved from attack by hackers. He should remain true to himself and listen to his conscience first. The principle of honesty, according to the ACS Code of Professional Practice, also says that any professional should not knowingly mislead the client about the suitability of his product/service (Davison, 2000).

Task 2.2.1

Carol had financial problems and at the same time medical treatment was necessary for her child; on account of that she took the decision to go ahead and forge signatures to embezzle $5,000 from the reserves of the branch. So, as per the ACS Code of Ethics, Carol has clearly breached the prerequisite values here. The values that were breached are: primacy of the public interest, by embezzling public money; honesty, by forging signatures; competence, by not being diligent towards her stakeholders; and professionalism, by not enhancing the integrity of the ACS and disrespecting its members (Burmeister, 2000). So, it will not be easy for her team members to forget the act that she committed. However, to some extent her compulsion to perform the act seems to have been motivated by the illness of her child. So, from the viewpoint of empathy, they would somehow try to reconcile with her.

Task 2.2.2

According to the ACS Code of Professional Practice, there are certain ethical concerns that emerge here on account of the actions taken by Carol. The first concern is the breach of the public interest. As she plays an important role in the society by being elected as treasurer, she is always expected to put the interest of the people and the society first, no matter what, because that is what she was elected for. Even though she was facing a serious crisis in her personal life, that does not mean that she could forget her position as a responsible professional in the social forum. She should have found other options, such as consulting the other members of the group about the money that she needed. Secondly, as per the ACS Code of Ethics, honesty is something which always guides anyone to remain true to oneself. But Carol threw her honesty out of the window the moment she tried to forge the signatures. The clear intention of this act was to embezzle money out of the reserve ("ACS Code of Professional Conduct", 2014). Thirdly, the breach of competence stopped her from using due diligence in taking care of the interests of the organization. The stakeholders or the public should have been the first priority of Carol. Moreover, being an ACS member, she must not do any such act that would send a wrong message to the public at large. It does not suffice on her part that she did exactly the opposite of what she was expected to do. It is understandable that she was helpless and that is why she went this far, but there are certain rules that should remain unbroken, and how the people would view this, the jury is out.

Task 3

Advanced Persistent Attack

An Advanced Persistent Threat (APT) refers to a cyber-attack that utilizes multiple phases in order to break into a network while avoiding detection and gain extremely valuable information over a longer period of time. So, staying in the network for long, and that too by remaining undetected, points at the single intention of the attack, that is, to steal data rather than causing damage to the organization (Tankard, 2011). The organizations that are the primary targets of such attacks are the databases of national defense, manufacturing companies and the financial industry. The cyber criminals that carry out such attacks use the full potential of advanced hacking techniques. Even if the individual components may not be termed advanced, the expert criminals typically develop more advanced tools and software. When combined together, the multiple attack methodologies are utilized and directed towards the target organization's systems. Being persistent makes it even more dangerous, because these attacks are intended to carry out specific tasks rather than achieve immediate financial gains. The attack is carried out with the help of continuous monitoring and supervision so that the stated objectives are achieved successfully (Brewer, 2014). The threat is very real, as coordinated human intelligence is applied to carry out this attack, not any random piece of code. These cyber criminals are highly skilled, extremely motivated, properly organized and well-funded.
The following methods are used by the hackers to carry out APT:

  • 1. Reconnaissance: the hacker gathers information by leveraging a different set of sources to get a clear idea about the target.

  • 2. Incursion: by processing all the information gathered above, the hackers break into the network by using advanced techniques in order to deliver the targeted malware to the organizations that are vulnerable.

  • 3. Discovery: while keeping a low profile to avoid detection, the attackers find an opportune moment to try and map the organization’s secret information from the inside.

  • 4. Capture: the hackers then gain access to unprotected systems and absorb as much information as they can over a longer period.

  • 5. Exfiltration: the information absorbed is then sent back to the team for analysis to check its relevance, and further exploitation is carried out.


References

  • ACS Code of Professional Conduct. (2014). Australian Computer Society. Retrieved 16 September 2016, from https://www.acs.org.au/__data/assets/pdf.../Code-of-Professional-Conduct_v2.1.pdf

  • Bowern, M., Burmeister, O., Gotterbarn, D., & Weckert, J. (2006). ICT Integrity: bringing the ACS code of ethics up to date. AJIS, 13(2). http://dx.doi.org/10.3127/ajis.v13i2.50

  • Brewer, R. (2014). Advanced persistent threats: minimising the damage. Network Security, 2014(4), 5-9. http://dx.doi.org/10.1016/s1353-4858(14)70040-6

  • Davison, R. M. (2000). Professional ethics in information systems: A personal perspective. Communications of the AIS, 3(2es), 4.

  • Föse, F., Hagemann, S., & Will, L. (2012). SAP NetWeaver AS ABAP System Administration. Galileo Press.

  • Hauge, O. C. (2007). Application Based IDS Reporting in the ERP system SAP R/3.

  • Ingvaldsen, J. E., & Gulla, J. A. (2007, September). Preprocessing support for large scale process mining of SAP transactions. In International Conference on Business Process Management (pp. 30-41). Springer Berlin Heidelberg.

  • Linkies, M., & Off, F. (2006). SAP Security and Authorizations. Galileo Press.

  • Securing User SAP* Against Misuse - User and Role Administration of Application Server ABAP - SAP Library. Help.sap.com. Retrieved 16 September 2016, from https://help.sap.com/saphelp_nw73/helpdata/en/4f/3eb3f249aa2eb5e10000000a42189c/content.htm

  • Tankard, C. (2011). Advanced Persistent threats and how to monitor and deter them. Network Security, 2011(8), 16-19. http://dx.doi.org/10.1016/s1353-4858(11)70086-1

  • Wun-Young, L. & Hirao, J. (2009). SAP security configuration and deployment. Burlington, MA: Syngress Pub.
