Businesses are paying too little attention to securing their SAP
systems, a security expert has warned.
In a presentation at the Black Hat 2008 security conference in
Las Vegas later this week, security researcher Mariano Nuñez Di
Croce, at Cybec Security Systems, will explain why he thinks users
need to pay more attention to SAP security.
Speaking to Computer Weekly prior to the event, Nuñez Di Croce
said, "As installing, customising and going-live with an SAP
implementation is a really tough project, the security measures are
often ignored or postponed in the best case". Nuñez Di Croce has
published a number of security problems in SAP systems.
He warned that default settings in SAP systems were not secure,
which could expose the system to high-risk threats that potential
intruders could exploit.
Nuñez Di Croce said, "The SAP infrastructure handles all the
daily business-critical processes and information. Therefore, the
confidentiality, integrity and availability of these systems is
highly critical for any organisation."
He urged anyone embarking on an SAP implementation project to
take time to lock down default users, secure the interfaces with
other systems, encrypt sensitive traffic and remove insecure
configurations. He also recommended that users ensure the databases
and operating systems used by SAP were secure.
Nuñez Di Croce advised IT managers implementing SAP to enforce
strict control over users' authorisations. In particular, he
suggested that businesses could enforce security by using
Segregation of Duties to limit what individual end-users can access,
to avoid fraudulent activities that would result in financial
losses for the organisation.