ERP Security Issues and Privacy Issues

This document discusses security issues related to enterprise resource planning (ERP) systems. It begins by providing an overview of ERP systems and their components. It then discusses common causes of vulnerabilities in ERP systems such as complexity, lack of security specialists, and large numbers of customized settings. Specific security issues are outlined at the network, operating system, and application levels. Examples of ERP security issues include delayed updates, full access rights, inadequate training, failure to comply with standards, and use of unauthorized systems. The document provides explanations and recommendations for avoiding each of the outlined security issues.

Uploaded by Faheem Ebrahim

ERP SECURITY ISSUES AND PRIVACY ISSUES
SUBMITTED BY
HASNA C K
A BATCH
ERP-INTRODUCTION
• Enterprise resource planning (ERP) is the integrated management of main
business processes, often in real-time and mediated by software and technology.
• ERP is usually referred to as a category of business management software, typically a suite of integrated applications, that an organization can use to collect, store, manage, and interpret data from many business activities.
• ERP provides an integrated and continuously updated view of core business
processes using common databases maintained by a database management
system.
• ERP systems track business resources (cash, raw materials, production capacity) and the status of business commitments (orders, purchase orders, payroll).
• The applications that make up the system share data across the departments (manufacturing, purchasing, sales, accounting, etc.) that produce it.
• ERP facilitates information flow between all business functions and manages connections to outside stakeholders.
• By integrating the organization's separate systems, ERP reduces errors in transactions and production and so improves the organization's efficiency.
• However, developing an ERP system differs from traditional system development.
• ERP systems run on a variety of computer hardware and network configurations,
typically using a database as an information repository.
DIAGRAM SHOWING TYPICAL ERP MODULES (figure not reproduced in this text)
ERP SECURITY
• ERP security is the wide range of measures aimed at protecting enterprise resource planning (ERP) systems from illicit access and at ensuring the availability and integrity of system data.
• An ERP system is software that unifies the information used to manage the organization, including production, supply chain management, financial management, human resource management, customer relationship management and enterprise performance management.
• Common ERP systems are SAP, Oracle E-Business Suite and Microsoft Dynamics.
CAUSES FOR VULNERABILITIES IN
ERP SYSTEM
• Complexity: ERP systems process transactions and implement procedures to ensure that users have different access privileges. There are hundreds of authorization objects in SAP permitting users to perform actions in the system; for a company with 200 users there are approximately 800,000 (100*2*20*200) ways to customize the security settings of the ERP system. As complexity grows, so does the likelihood of errors and of segregation-of-duties conflicts.
• Specificity: vulnerabilities are product-specific, and vendors fix them on a regular cycle because attackers monitor business applications for security issues. SAP releases security patches monthly on Patch Tuesday; Oracle issues security fixes every quarter in the Oracle Critical Patch Update. Business applications are also increasingly exposed to the Internet or migrated to the cloud, which widens the attack surface.
• Lack of competent specialists: an ERP cyber-security survey revealed that organizations running ERP systems "lack both awareness and actions taken towards ERP security". ISACA states that "there is a shortage of staff members trained in ERP security", and security teams often have only a superficial understanding of the risks and threats associated with ERP systems. Consequently, vulnerabilities are harder to detect and slower to fix.
• Lack of security auditing tools: ERP security audits are largely manual, because the tools shipped with ERP packages do not provide means for system security auditing. Manual auditing is a complex and time-consuming process that increases the chance of mistakes.
• Large number of customized settings: the system includes thousands of parameters and fine-grained settings, including segregation of duties for transactions and tables, and the security parameters are set separately for every single system. ERP system settings are customized to each customer's requirements, so no two installations are alike.

The above mentioned are the various causes for vulnerabilities in


the ERP system.
SECURITY ISSUES IN ERP SYSTEMS
Security issues in ERP occur at different levels:
1. NETWORK LAYER:
Traffic interception and modification:
• Absence of data encryption, so traffic can be read and altered on the wire
• Passwords sent in cleartext (SAP J2EE Telnet, old versions of the Oracle listener)
• Authentication by hash, so a captured password hash can be replayed without knowing the password
• XOR password obfuscation instead of real encryption (SAP DIAG)
• Downgrade attacks that force the use of outdated authentication protocols
• Incorrectly designed or implemented authentication protocols
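The XOR item above is worth seeing in code. XOR with a fixed key is obfuscation, not encryption: anyone holding the key decodes every password, and a single known plaintext/ciphertext pair reveals the key. The following is an added example written for this page, not code from SAP or from the original deck; the 8-byte key and the sample passwords are constructed for the demonstration and are not the real SAP DIAG key.

```python
"""XOR with a fixed key is obfuscation, not encryption.

Added example: FIXED_KEY is made up for illustration and is NOT the real
SAP DIAG key; the attack is the same for any static-key XOR scheme.
"""

# Constructed fixed key (hypothetical); a real product ships one key to every install.
FIXED_KEY = bytes.fromhex("9a7f3c1e55d2b804")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """'Encrypt' or 'decrypt' data by XORing it with a repeating key.
    XOR is its own inverse, so the same function does both directions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: one observed (password, obfuscated password) pair
    of at least key_len bytes yields the key directly, byte by byte."""
    if len(plaintext) < key_len or len(plaintext) != len(ciphertext):
        raise ValueError("need at least key_len bytes of matching plaintext")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def demo():
    """Attacker logs in with an account they control (so they know that password),
    sniffs their own obfuscated login, then sniffs an administrator's login."""
    own_pw = b"Welcome1"                                  # constructed sample, 8 bytes
    own_blob = xor_with_key(own_pw, FIXED_KEY)            # what the attacker sees on the wire
    admin_blob = xor_with_key(b"S3cretAdm!n", FIXED_KEY)  # sniffed; plaintext unknown to attacker

    key = recover_key(own_pw, own_blob, len(FIXED_KEY))   # key falls out of one known pair
    admin_pw = xor_with_key(admin_blob, key)              # every other password now decodes
    return key, admin_pw


if __name__ == "__main__":
    key, admin_pw = demo()
    print("recovered key:", key.hex())
    print("recovered admin password:", admin_pw.decode())
```

The fix is transport encryption rather than a better obfuscation: SNC (Secure Network Communications) for SAP GUI/DIAG and RFC traffic, and TLS for HTTP and database listeners, so that neither the password nor its encoding ever crosses the network in a recoverable form.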
2. OPERATING SYSTEM LEVEL:
OS software vulnerabilities
• Any remote vulnerability in the OS can be used to gain access to the applications running on it
Weak OS passwords
• Remote password brute-forcing
• Empty or default passwords for remote management tools such as Radmin and VNC
Insecure OS settings
• NFS and SMB: SAP data becomes accessible to remote users via NFS and SMB shares
• File access rights: critical SAP and Oracle DBMS data files have insecure permissions such as 755 and 777 (readable, or even writable, by every local account)
• Insecure trusted-hosts settings: servers listed as trusted hosts can be reached by an attacker who has compromised any one of them
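The file-permission item can be checked mechanically. The script below is an added example for this page (not from the original deck or any vendor): it walks a directory tree and flags files whose mode bits make them readable or writable by every local account, which is what 755 and 777 mean for a data file. The sample tree it builds is constructed so the script runs offline; point audit_tree() at a real data directory to use it.

```python
"""Audit a directory tree for world-readable / world-writable files.

Added example: build_sample_tree() creates a constructed tree in a temp
directory; in practice call audit_tree() on the real database or ERP
work directory. Unix mode bits only (Windows ACLs are not covered).
"""
import os
import stat
import tempfile


def classify_mode(mode: int) -> list:
    """Return the findings for one st_mode value (empty list if nothing is wrong)."""
    findings = []
    if mode & stat.S_IWOTH:          # the 'other' write bit: 777, 666, ...
        findings.append("world-writable")
    if mode & stat.S_IROTH:          # the 'other' read bit: 755, 644, ...
        findings.append("world-readable")
    if mode & stat.S_ISUID:          # setuid binaries deserve a look in a data tree
        findings.append("setuid")
    return findings


def audit_tree(root: str) -> dict:
    """Map relative path -> findings for every regular file under root that has any."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue             # symlink mode bits are not meaningful; audit the target instead
            findings = classify_mode(mode)
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


def build_sample_tree() -> str:
    """Constructed sample: a datafile, a transport file and a work file with 600/755/777."""
    root = tempfile.mkdtemp(prefix="erp-perm-audit-")
    samples = {"db/system01.dbf": 0o600, "trans/R900123.SID": 0o755, "work/dev_w0": 0o777}
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)         # explicit chmod so the umask does not alter the demo
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, findings in sorted(audit_tree(root).items()):
        print(f"{rel}: {', '.join(findings)}")
```

Run it as the account that owns the data (or root) so every file is statable; a file that shows up as world-readable should be reduced to owner-only (600) or owner-plus-group (640) and the group membership reviewed, since on a shared host "every local account" includes whatever account a compromised web or management service runs under.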
3. APPLICATION VULNERABILITIES:
ERP systems move more and more functionality to the web application layer, and the classic web vulnerabilities come with it:
• Web application vulnerabilities (XSS, CSRF, SQL injection, response splitting, remote code execution)
• Buffer overflows and format string bugs in web servers and application servers (SAP IGS, SAP NetWeaver, Oracle WebLogic, formerly BEA WebLogic)
• Insecure default privileges and access rights (SAP NetWeaver, SAP CRM, Oracle E-Business Suite)
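Of the web-layer bugs listed, SQL injection is the one most directly tied to ERP data, because a single injectable lookup exposes the whole table. The following added example, not from the original deck or any vendor, shows the vulnerable string-built query beside the parameterized fix against an in-memory SQLite table standing in for a vendor master table; the table, rows and company codes are constructed for the demonstration.

```python
"""SQL injection in an ERP-style vendor lookup: vulnerable vs parameterized.

Added example; the vendor table and its rows are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample: a tiny vendor master with bank details per company code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendor (id INTEGER, name TEXT, iban TEXT, company TEXT)")
    conn.executemany(
        "INSERT INTO vendor VALUES (?, ?, ?, ?)",
        [
            (1, "Acme Steel", "DE89370400440532013000", "1000"),
            (2, "Globex", "FR7630006000011234567890189", "1000"),
            (3, "Initech", "GB29NWBK60161331926819", "2000"),
        ],
    )
    return conn


def find_vendor_vulnerable(conn: sqlite3.Connection, name: str, company: str) -> list:
    """User input is interpolated into the SQL text. The company filter is meant to
    confine the caller to their own company code, but a crafted name comments it out."""
    sql = f"SELECT id, name, iban FROM vendor WHERE name = '{name}' AND company = '{company}'"
    return conn.execute(sql).fetchall()


def find_vendor_safe(conn: sqlite3.Connection, name: str, company: str) -> list:
    """Parameterized query: values travel separately from the statement, so the
    input can only ever be compared as a string and never changes the query's shape."""
    sql = "SELECT id, name, iban FROM vendor WHERE name = ? AND company = ?"
    return conn.execute(sql, (name, company)).fetchall()


# Classic tautology payload; the trailing '--' comments out the company restriction.
PAYLOAD = "x' OR '1'='1' --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_vendor_vulnerable(conn, PAYLOAD, "1000"))  # every vendor, all companies
    print("safe:      ", find_vendor_safe(conn, PAYLOAD, "1000"))        # no vendor is literally named that
```

The same pattern applies to whatever database access layer the ERP exposes (Open SQL in ABAP, JDBC in the Java stack, PL/SQL in E-Business Suite): the cure is binding parameters, not escaping quotes by hand.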
ERP SECURITY ISSUES-
INTRODUCTION
• ERP (enterprise resource planning) systems have evolved significantly
in recent years. Modern systems can now automate practically all day-
to-day business processes, including human resources, sales, stock
management, and so on. That’s why many organizations are now choosing
ERP systems.
• The advantage of an all-in-one solution like an ERP system is that it removes the need for multiple separate applications, which improves data consistency and keeps every aspect of daily operations compatible and accessible.
• However, as with any comprehensive system covering such a broad spectrum, there are naturally weak spots and vulnerabilities that are important to watch for.
ERP SECURITY ISSUES
• Delayed updates
• Full access rights
• Inadequate training
• Failure to comply
• Use of unauthorized systems
• Automatic trust
• Single authentication
DELAYED UPDATES
• It is reported that 87 percent of business computers run outdated software, including ERP systems that are not up to date. If your version is no longer supported, it becomes difficult to rectify issues such as crashes.
• More importantly, it leaves the business exposed. Updates happen for a reason: sometimes to introduce new features, but mostly to address weaknesses that have been identified in the software.
• Attackers keep finding ways around even the latest measures, so installing updates promptly is vital.
How to avoid delayed updates:
If you are often lagging behind on ERP updates, consider an automatic updater that applies vendor patches as they become available. For a production ERP system, "automatic" should still mean a fixed patch cycle aligned to the vendor's release day (SAP's monthly Patch Tuesday, Oracle's quarterly Critical Patch Update), with patches tested in a development or QA system before they reach production and prioritized by severity.
FULL ACCESS RIGHTS
• External attackers get most of the attention, but that does not mean we can sit back and ignore in-house risks.
• Full access rights shouldn’t come as default; instead, it’s important to look
at who has access to what data.
• For example, in most cases, a software developer wouldn’t require access
to employee salary information. It’s also worth looking into which
employees have permissions to make changes to the system.
• Access rights and permissions will largely depend upon the needs and
requirements of your business, but as a general rule, it should be a ‘need to
know’ basis.
How to avoid full access rights:
It’s important to maintain audit logs to track any changes.
It’s also worth adding ‘authorizations’ to checklists for new
hires, promotions, and any role change documentation.
INADEQUATE TRAINING
• Following on from the above, it is certainly worth considering the security
risk posed by internal sources in more detail.
• In some cases the risk may be intentional and malicious, but in most cases it is more likely to be the result of a lack of understanding.
• This could be a lack of understanding of the ERP system as a whole, or it
could be a lack of understanding of what is expected by the organisation
in terms of security. This is especially true for new hires who do not have
an in-depth knowledge of internal processes.
• While any errors may be classed as ‘innocent mistakes’, it still leaves your
business open to security risks.
How to avoid inadequate training:
Ask your ERP provider whether system training is included as standard, nominate staff to train new hires, and ensure that the business's security protocols are widely available and easily accessible to all employees.
FAILURE TO COMPLY
• If your ERP system is being used to store confidential sales information,
including personal details and payment details, then it’s essential that
the system meets local security standards requirements.
• This could include PCI DSS requirements if payment card data is involved. The system must store card numbers only in encrypted (or tokenized) form and must never retain the card security code (the 3- or 4-digit CVV2/CVC2) after authorization, and there are requirements for the business itself as well.
• You’ll be required to maintain secure passwords, restrict access to ‘need
to know’, and track access to the data that you keep. You may also need
to comply with regulations within your sector.
How to avoid failure to comply:
Choose an ERP system that is designed to comply with the necessary regulations. It is also important to change every vendor-supplied default password before the system goes live and to adhere to good security practices at all times.
USE OF UNAUTHORISED
SYSTEMS
• The whole point of ERP is integration; to remove the need for what is
known as ‘Frankensteining’.
• Frankensteining happens when multiple software programs are used
simultaneously to achieve a single goal, such as maintaining sales data on
an ERP but running reports using Excel.
• This practice still takes place across many businesses, even where it is not office protocol. It mostly comes down to familiarity with and preference for a specific application, and ease of use.
• The result is that the same data exists in several programs at once, in copies that are not adequately maintained, updated, or secured.
How to avoid unauthorized systems
Firstly, look into preventing data export unless absolutely
required. Secondly, if your ERP system isn’t doing
everything you need it to, then perhaps it’s time to upgrade
to a new system. 
AUTOMATIC TRUST
• Cloud ERP systems are becoming increasingly popular. This means that
any data that you choose to enter into the system isn’t stored locally,
but is instead stored by a third party cloud hosting service.
• There are a number of advantages to cloud ERP: much less work for your IT department, freeing them up for more productive tasks, lower cost, and less drain on your internal networks.
• The downside is that a large part of the ERP system's security is now in someone else's hands. Under the shared-responsibility model the provider secures the platform, while the customer remains responsible for its users, authorizations and data, so businesses still need assurance that their data is safe.
How to avoid automatic trust:
Choose your cloud provider very carefully, paying particular attention to their security processes, independent audit reports and data-protection obligations. Ask around, read reviews, and don't be afraid to ask questions.
SINGLE AUTHENTICATION
• As ERP systems have evolved, they’ve become capable of handling not
only a much wider range of information but also more sensitive
information as well.
• Single-factor authentication, a password alone, is still the standard, but we have to ask ourselves whether 1FA (one-factor authentication) is enough for modern ERP systems.
• Password cracking is one of the simplest and most common forms of attack, so it makes little sense to protect our most important, sensitive, and confidential business data with passwords alone, which can be stolen, phished, or guessed relatively easily.
How to avoid single authentication:
The obvious solution is 2FA. The good news is that a dedicated physical device is no longer required: an authenticator app on a phone can generate time-based one-time codes. A code sent to an email address is also possible, but it is the weakest option, since whoever controls the mailbox controls the second factor; prefer an authenticator app or a hardware security key, at least for administrator and finance accounts.
ROLE BASED ACCESS
CONTROL
• In ERP systems, RBAC (Role-Based Access Control) model is applied for users
to perform transactions and gain access to business objects.
• In the model, the decision to grant access to a user is made based on the user's functions, or roles. A role is the set of transactions that a user or a group of users performs in the company.
• A transaction is a procedure that reads or changes system data. Each role has a number of corresponding users, and a user can hold one or more roles. Roles can be hierarchical.
• Once the roles are implemented in the system, the transactions corresponding to each role rarely change; the administrator only needs to add users to roles or remove them. A new user is given membership in one or more roles, and when an employee leaves the organization the administrator removes them from all roles.
SEGREGATION OF DUTIES
• Segregation (or separation) of duties, SoD, is the principle that no single user can complete a sensitive business transaction alone (for example, one user should not be able both to add a new supplier and to write a cheque or pay that supplier), so the risk of fraud is much lower.
• SoD can be implemented with RBAC mechanisms by introducing mutually exclusive roles. For instance, to pay a supplier, one user initiates the payment and another approves it; initiating and approving payments are then mutually exclusive roles. Segregation of duties can be either static or dynamic.
• With static SoD (SSoD), a user cannot be a member of two mutually exclusive roles. With dynamic SoD (DSoD), a user may hold both roles but cannot exercise them within one transaction. Each has its own advantages: SSoD is simple, while DSoD is flexible.
• Segregation of duties is documented in a SoD matrix. Its rows and columns both list the system roles; if two roles are mutually exclusive, the cell at the intersection of the corresponding row and column is flagged.
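The RBAC and SoD slides above, together with the earlier point about full access rights, can be tied together in one working model. The following is an added example written for this page, not code from any ERP product: it holds the SoD matrix as a set of flagged role pairs, enforces static SoD when roles are assigned and dynamic SoD when a user acts on a business object, and refuses any transaction that none of the user's roles grants. Role, transaction, user and document names are made up.

```python
"""RBAC with segregation of duties (SoD), static and dynamic.

Added example; the roles, transactions, users and payment document below are
constructed and do not correspond to any vendor's authorization objects.
"""
from collections import defaultdict


class SoDViolation(Exception):
    """Raised when a role assignment or an action would breach the SoD matrix."""


class AccessControl:
    def __init__(self, static: bool):
        self.static = static                 # True: static SoD (SSoD), False: dynamic SoD (DSoD)
        self.role_perms = {}                 # role -> set of transactions it grants
        self.user_roles = defaultdict(set)   # user -> roles held
        self.exclusive = set()               # SoD matrix: flagged cells as unordered role pairs
        self.history = defaultdict(set)      # business object -> {(user, role)} that acted on it

    def define_role(self, role: str, transactions) -> None:
        self.role_perms[role] = set(transactions)

    def mark_exclusive(self, role_a: str, role_b: str) -> None:
        """Flag the cell (role_a, role_b) in the SoD matrix; the matrix is symmetric."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def conflicts(self, roles) -> set:
        """Return the flagged pairs whose both roles are present in the given role set."""
        roles = set(roles)
        return {pair for pair in self.exclusive if pair <= roles}

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        if self.static and self.conflicts(self.user_roles[user] | {role}):
            # Static SoD: the conflicting membership is refused at assignment time.
            raise SoDViolation(f"{user}: {role} conflicts with {sorted(self.user_roles[user])}")
        self.user_roles[user].add(role)

    def revoke_all(self, user: str) -> None:
        """Leaver process: remove the user from every role."""
        self.user_roles.pop(user, None)

    def perform(self, user: str, transaction: str, obj: str) -> bool:
        """Authorize `user` running `transaction` on business object `obj`; True if allowed."""
        granting = {r for r in self.user_roles.get(user, set()) if transaction in self.role_perms[r]}
        if not granting:
            # Least privilege: nothing the user holds grants this transaction, SoD aside.
            raise PermissionError(f"{user} has no role permitting {transaction}")
        if not self.static:
            # Dynamic SoD: holding both roles is allowed; exercising both on the same
            # object (initiating and then approving the same payment) is not.
            for prior_user, prior_role in self.history[obj]:
                if prior_user == user and any(frozenset((prior_role, r)) in self.exclusive for r in granting):
                    raise SoDViolation(f"{user} already acted on {obj} as {prior_role}")
        self.history[obj].update((user, r) for r in granting)
        return True


def build_payments_system(static: bool) -> AccessControl:
    """Constructed sample: an accounts-payable setup with two flagged SoD cells."""
    ac = AccessControl(static)
    ac.define_role("vendor_master", {"create_vendor", "change_bank_details"})
    ac.define_role("ap_clerk", {"create_invoice", "initiate_payment"})
    ac.define_role("ap_approver", {"approve_payment"})
    ac.define_role("developer", {"transport_import"})   # no business transactions at all
    ac.mark_exclusive("vendor_master", "ap_clerk")     # create a supplier AND pay it
    ac.mark_exclusive("ap_clerk", "ap_approver")       # initiate AND approve a payment
    return ac


def demo() -> dict:
    """Run both flavours on the sample setup and report what was blocked."""
    out = {}
    ssod = build_payments_system(static=True)
    ssod.assign("alice", "ap_clerk")
    try:
        ssod.assign("alice", "ap_approver")            # SSoD refuses the second role
        out["ssod_assign"] = "allowed"
    except SoDViolation:
        out["ssod_assign"] = "blocked"

    dsod = build_payments_system(static=False)
    dsod.assign("carol", "ap_clerk")
    dsod.assign("carol", "ap_approver")                # permitted under DSoD
    dsod.assign("dave", "ap_approver")
    dsod.perform("carol", "initiate_payment", "PAY-1001")
    try:
        dsod.perform("carol", "approve_payment", "PAY-1001")   # same user, same payment
        out["dsod_self_approve"] = "allowed"
    except SoDViolation:
        out["dsod_self_approve"] = "blocked"
    out["dsod_four_eyes"] = dsod.perform("dave", "approve_payment", "PAY-1001")
    return out


if __name__ == "__main__":
    print(demo())
```

The developer role in the sample is the "need to know" point from the full-access-rights slide: it exists, it is assignable, and it grants nothing in accounts payable, so a developer attempting approve_payment is refused before SoD is even consulted. The history dictionary is also the audit log that slide asks for; in a real system it would be persisted and reviewed.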
ERP SECURITY SCANNERS
• An ERP security scanner is software intended to search for vulnerabilities in ERP systems. The scanner analyzes the ERP system's configuration, searches for misconfigurations, access-control and encryption conflicts and insecure components, and checks for missing updates. It checks system parameters for compliance with the vendor's recommendations and with ISACA auditing procedures, and produces reports with the vulnerabilities listed according to their criticality. Examples of scanners:
• ERPScan for SAP ERP
• Onapsis for SAP ERP
• AppSentry for Oracle E-Business Suite
• MaxPatrol for SAP ERP
THANK YOU