Businesses are paying too little attention to securing their SAP systems, a security expert has warned.
In a presentation at the Black Hat 2008 security conference in Las Vegas later this week, security researcher Mariano Nuñez Di Croce of Cybec Security Systems will explain why he thinks users need to pay more attention to SAP security.
Speaking to Computer Weekly prior to the event, Nuñez Di Croce said, "As installing, customising and going-live with an SAP implementation is a really tough project, the security measures are often ignored or postponed in the best case." Nuñez Di Croce has published a number of security problems in SAP systems.
He warned that the default settings in SAP systems were not secure, which could leave a system exposed to high-risk threats that potential intruders could exploit.
Nuñez Di Croce said, "The SAP infrastructure handles all the daily business-critical processes and information. Therefore, the confidentiality, integrity and availability of these systems is highly critical for any organisation."
He urged anyone embarking on an SAP implementation project to take time to lock down default users, secure the interfaces with other systems, encrypt sensitive traffic and remove insecure configurations. He also recommended that users ensure the databases and operating systems used by SAP were secure.
Nuñez Di Croce advised IT managers implementing SAP to enforce strict control over users' authorisations. In particular, he suggested that businesses could enforce security by using Segregation of Duties to limit what individual end-users can access, to avoid fraudulent activities that would result in financial losses for the organisation.