ERP Security is a wide range of measures aimed at protecting Enterprise resource planning (ERP) systems from illicit access while ensuring the availability and integrity of system data. An ERP system is software that unifies the information used to manage a company, including production, supply chain management, financial management, human resource management, customer relationship management, enterprise performance management, etc. Common ERP systems are SAP, Oracle E-Business Suite and Microsoft Dynamics.
Causes for vulnerabilities in ERP systems
ERP systems process transactions and implement procedures to ensure that users have different access privileges. There are hundreds of authorization objects in SAP that permit users to perform actions in the system. For a company with 200 users, there are roughly 800,000 (100*2*20*200) ways to customize the security settings of an ERP system. As this complexity grows, so does the likelihood of configuration errors and segregation-of-duties conflicts.
Vendors fix vulnerabilities on a regular basis, since attackers monitor business applications to find and exploit security issues. SAP releases security patches monthly on its Security Patch Day (which coincides with Patch Tuesday); Oracle issues security fixes every quarter in the Oracle Critical Patch Update. At the same time, business applications are becoming more exposed to the Internet or are migrating to the cloud, which widens their attack surface.
Lack of competent specialists
An ERP cybersecurity survey revealed that organizations running ERP systems “lack both awareness and actions taken towards ERP security”. ISACA states that “there is a shortage of staff members trained in ERP security”, and security teams often have only a superficial understanding of the risks and threats associated with ERP systems. Consequently, vulnerabilities in these systems are harder to detect and, once found, harder to fix.
Lack of security auditing tools
ERP security audits are largely performed manually, because the tools shipped with ERP packages provide few means for auditing system security. Manual auditing is a complex and time-consuming process that increases the chance of mistakes.
Large number of customized settings
The system includes thousands of parameters and fine-grained settings, including segregation of duties for transactions and tables, and the security parameters are set separately for every single system. ERP system settings are customized according to each customer's requirements, so no two installations are configured alike.
Security issues in ERP systems
Security issues occur in ERP systems at different levels.
Traffic interception and modification
- Absence of data encryption
In 2011, SensePost specialists analyzed the DIAG protocol used by SAP ERP to transfer data between the SAP GUI client and the SAP server. Two utilities were published that allowed intercepting, decoding and modifying client-server requests containing critical information (by default DIAG compresses its payload rather than encrypting it, so the traffic is readable once decompressed). This made attacks such as man-in-the-middle possible. The second utility operates as a proxy and was created to identify new vulnerabilities: it allows modifying requests flowing to both the client and the server.
- sending passwords in cleartext (SAP J2EE Telnet / older versions of the Oracle listener)
In the SAP ERP system, administrative functions can be performed over the Telnet protocol, which transmits passwords in cleartext; anyone able to observe the network path can read them.
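The following is an added example, not part of the original article or of any vendor tool: it shows what an attacker (or an auditor) can pull out of captured Telnet administration traffic when passwords travel in cleartext. The capture below is constructed, the Telnet option negotiation is handled per RFC 854 (IAC sequences are stripped before the application bytes are inspected), and the prompt strings "login:" and "Password:" are assumptions about what the server sends; a real capture would be read from a pcap rather than a list of segments.

```python
import re

# Telnet command bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Prompts we treat as credential requests (assumption: typical Telnet login banners)
PROMPT_RE = re.compile(r'(login|user(?:name)?|password)\s*:', re.IGNORECASE)


def strip_telnet_negotiation(raw: bytes) -> bytes:
    """Remove IAC command sequences from a Telnet stream, leaving application bytes."""
    out = bytearray()
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:            # dangling IAC at end of segment: drop it
            break
        cmd = raw[i + 1]
        if cmd == IAC:            # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):   # three-byte option negotiation
            i += 3
        elif cmd == SB:           # subnegotiation runs until IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                     # remaining commands (NOP, AYT, ...) are two bytes
            i += 2
    return bytes(out)


def extract_cleartext_credentials(segments):
    """segments: list of (direction, raw_bytes) in capture order, direction 'S' for
    server->client or 'C' for client->server. Returns [(prompt, value), ...] for every
    line the client typed in response to a credential prompt."""
    found = []
    pending_prompt = None
    client_buf = bytearray()
    for direction, raw in segments:
        data = strip_telnet_negotiation(raw)
        if direction == 'S':
            m = PROMPT_RE.search(data.decode('latin-1'))
            if m:                               # server asked for a credential
                pending_prompt = m.group(1).lower()
                client_buf.clear()
        elif pending_prompt is not None:        # client is answering a prompt
            client_buf.extend(data)
            if b'\r' in client_buf or b'\n' in client_buf:
                line = client_buf.split(b'\r')[0].split(b'\n')[0]
                found.append((pending_prompt, line.decode('latin-1')))
                pending_prompt = None
                client_buf.clear()
    return found


# Constructed capture of a Telnet administration login (not real traffic):
# the server negotiates ECHO, prompts for login and password, the client answers.
SAMPLE_CAPTURE = [
    ('S', bytes([IAC, DO, 1, IAC, WILL, 1]) + b'login: '),
    ('C', bytes([IAC, WONT, 1]) + b'adm'),      # client keystrokes may arrive split
    ('C', b'in\r\n'),
    ('S', b'Password: '),
    ('C', b'Secr3t!\r\n'),
    ('S', b'Welcome\r\n'),
]

if __name__ == '__main__':
    for prompt, value in extract_cleartext_credentials(SAMPLE_CAPTURE):
        print(f'{prompt}: {value}')
```

Running it on the constructed capture prints the administrator name and password verbatim, which is the whole point: no cryptanalysis is needed, only a position on the network path. The same parser applies to the Oracle listener case mentioned above or to any other cleartext protocol once the framing is stripped.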
Vulnerabilities in encryption or authentication protocols
- Authentication by hash
- XOR password encryption (SAP DIAG)
- forcing the use of outdated authentication protocols
- Incorrect authentication protocols
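The "XOR password encryption" item above deserves a concrete illustration of why XOR with a fixed key is obfuscation rather than encryption. The following is an added example, not code from the original article and not SAP's actual scheme: the key, the key length and the passwords are all hypothetical. It shows a known-plaintext attack: an attacker who captures their own login (whose password they know) recovers the repeating key from that single sample and then decodes every other captured password.

```python
def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Hypothetical XOR 'encryption' with a fixed repeating key. XOR is its own
    inverse, so the same function both obfuscates and de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(plaintext: bytes, ciphertext: bytes, max_key_len: int = 64) -> bytes:
    """Known-plaintext attack: plaintext XOR ciphertext yields the keystream, and the
    shortest period that reproduces the whole keystream is the repeating key. If the
    sample is shorter than the key, only the observed prefix of the key is returned."""
    if len(plaintext) != len(ciphertext):
        raise ValueError('known-plaintext sample and ciphertext must have equal length')
    stream = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    for n in range(1, min(max_key_len, len(stream)) + 1):
        candidate = stream[:n]
        if all(stream[i] == candidate[i % n] for i in range(len(stream))):
            return candidate
    return stream[:max_key_len]


# Constructed scenario (hypothetical key and passwords, not real data).
SECRET_KEY = b'\x5a\xa5\x3c\xc3'                  # fixed key baked into the client
ATTACKER_PASSWORD = b'attacker-own-password1'      # attacker knows this plaintext
VICTIM_PASSWORD = b'Winter2024!'                   # victim's password, unknown to attacker

# What an interceptor sees on the wire for each login:
ATTACKER_ON_WIRE = xor_obfuscate(ATTACKER_PASSWORD, SECRET_KEY)
VICTIM_ON_WIRE = xor_obfuscate(VICTIM_PASSWORD, SECRET_KEY)


def decode_victim_password() -> bytes:
    """Recover the key from the attacker's own login, then decode the victim's."""
    recovered_key = recover_key(ATTACKER_PASSWORD, ATTACKER_ON_WIRE)
    return xor_obfuscate(VICTIM_ON_WIRE, recovered_key)


if __name__ == '__main__':
    print('recovered key :', recover_key(ATTACKER_PASSWORD, ATTACKER_ON_WIRE).hex())
    print('victim password:', decode_victim_password().decode())
```

One legitimate account and one packet capture are enough; the attacker never touches the victim's machine. Contrast this with a real transport protection such as SNC or TLS, where knowing your own plaintext reveals nothing about a session keyed independently.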