ERP Security Short Bytes
Espionage, fraud, sabotage and insider embezzlement are the act of stealing company’s patent, copyright, intellectual property, or valuable information that could ultimately paralyze or cause a significant damage on company’s future. Cybercriminal could be an industrial spy, an intentional hacker or a competitor targets for unencrypted or exposed information in a company’s ERP.
Cyber criminals are perilous for densely populated IoT (Internet of Things) digital landscape. A digital eco-system is implanted with ERP (Enterprise Resource Planning) systems, as ERP is used across horizontal industries, such as education, defense, medicine and biotech, financial and supply chain. Next-generation security solutions, policies, and models for ERP systems focus on data confidentiality, availability and integrity.
ERP is mostly a software platform comforts business owners and customers to determine secure business practices and educates on optimization of available resources, and incorporation of security models and controls. Every users, systems and process interaction in use of technology and trends with ERP systems interfaces are strongly tie up to deliver better deliverables to CRM (Customer Relation Management), that enhances the consumer confidence and cyber security.
Business Process Re-engineering involves monitoring of events and logs, transactions or data flows and analyzing to streamline secure business operations to identify changes required on functioning cyber security systems. Cyber security along with BPR enables to orchestrate cross-functional security orientation, secure process innovation, and customer focus by integrating security measures at every step to boost the confident across CRM platforms.
ERP + BPR = Better & Secure CRM
ERP = Continuous Security Process Management + Secure Technology & Trends Management
BPR = Change Security Management + Secure Project Management & Resources Planning
In general security aspects for an ERP system are classified as,
- Network layer defines communication among business components spun globally, all security related issues must be covered by network security domain. LAN, WAN, CLOUD, Big Data, AI and Enterprise networks and systems infrastructures must be protected by various security trends and technologies, and security models and controls mechanisms.
- Presentation layer defines GUI interfaces, APIs, browsers, and IoT devices used by users or automated systems to function business activities. Any security related issues must be covered by security domain with policies and procedures that are in place. Such as CITRIX systems to provide layers of security between users and ERP system.
- Application layer defines an effective way to conduct business where business data and processes are secured, efficiency is measured by quality and quantity of services or products, and reports are generated based on used function specific tasks or real-time monitoring systems. For an instance, web server forwards requests to application servers, where the app servers utilize backend databases and storage securely for required business. Monitoring systems enable secure business transparency to the customers and business owners.
Cyber Security Aspects in ERP & CRM Systems
- Security policy and administrator: – Well defined policies will offer rules for subject accessing objects and constraints are applied based on the label of information and type of users defined by the policy. Such as access privilege control based on the level of trust and need to know.
- User authentication and authorization: – Identity of users based on their biometric property as verified who they are, what they have, authentication based on what users know, and authorization rules or restrictions, applied to intended or relevant systems based on what they need to know.
- Access control: – Adopt access control strategies, such as strong passwords, SSO, OTP, passphrase, and use of cognitive passwords based on opinion or fact-based information. Expand access control criteria based on roles, groups, location, time, transaction type. Also the proper design of access control models such as administration, physical of logical type or the combination of all, and control types such as corrective, deterrent, compensative, recovery, preventative or detective.
- Separation of duties: – Strictly tasks are required to classify and apply rules or roles to users to allow to perform specific tasks.
- Time restriction: – Time-based access lists or rules are created to perform tasks. Race condition must be secured from hijacking the programmed systems.
- Sandboxing: – API, apps, ActiveX type of programs must be constrained by CPU or memory from the systems and isolate for testing or lookup tasks.
- Resources restriction: – CPU, Memory, Processes and Storage must be restricted or limited to serve priority applications and programs. For an instance QoS, bandwidth limit, URL filtering and limiting guest traffic, and stop unauthorized programs execution to preserve memory.
- Log and events: – Logs, events and data flows are logged and monitored to race relevant events to prevent from compromise.
- Tier security: – Apply professional measures across all 4 tiers of e-commerce infrastructure layers systems. For an instance, security on database, application and web servers along with encryption and backup facility for storage. For an instance use of Kerberos or SESAME authentication between app to database systems, app to app systems and app to web systems. And the use of client-service control access systems with RADIUS, TACACS+.
- Unauthorized Disclosure of Information: – UDI must be controlled at physical premise with object reuse (erase residual information of tapes and HDDs), methods can be used are destruction, degaussing, and overwriting. Emanating or electric signals compromises security are major concerns and must control by limiting emanations with shielding materials such as Faraday cage (TEMPEST), Jammer testing for white noise and build specific electromagnetic walls to control forensic labs, e-Discovery and malware re-engineering labs, Data Centers and electronic information storage areas.
ERP Cyber Security Risks, An Author’s Views
- Obsolete, unsupported software, BIOS, flash lead to ERP systems crashes and challenges during integration
- Weak programming tactics creates vulnerabilities and bugs lead to security compromise and crashing
- Poor monitoring and reporting capability lead to loss of control and weakening ISM (Info Sys Mgmt.)
- Poor IAM (Identity Access Management) and authorization leads to compromise and espionage
- Delayed updates and patches and frequent software evaluation leads to zero-day vulnerability
- Lack of compliance (PCI DSS, FISMA, HIPAA, ISO 2700 and FISP) leads to poor security standards, cheesy process, and weak guidelines.
- Lack of adopting frameworks such as OWASP, SDLC during development and testing leads to software or entire ERP failure as backdoors, maintenance hooks and vulnerabilities are wide opened.
- Avoiding rules and regulations related to software development and security causes unprecedented damages or catastrophic failure.
- Hiring unreliable third party (not certified) and inexperience vendor leads to a total crash, for an instance the provider loss of support after filing for bankruptcy, no escrow support and out of business due to legal or regulation challenges.
- Protection of networks, apps, and data: – Protecting from persistence cyber-attacks can be achieved via security audit. Auditing security practices, policies, and processes and improve wherever necessary, and examining frequently security postures and access controls via pen testing and vulnerability assessments, and constant monitoring.
Security Threats Vector at ERP or Enterprise Infrastructure Arena
Threats vectors identified at ERP and development systems can be leveraged by an adversary to exploit and attack the ERP systems, data breaches, espionage, and in some cases total destructions. Common threats identified are as follows:
- Website trolling
- Information or email spamming
- Malvertising & Adware attacks
- Viruses and malware code plantation
- Credentials or privilege exploitation
- DDoS attacks
- Ports and open entry scanning
- IP, DNS, DDNS exploitation
- Cross-site scripting, cross-site forgery, SQL injections
- XML exploitation by manipulating configuration and methods definition
- Applets exploitation as ActiveX, Java
- Real-time logs, events or data flows exploitation
- OS, memory, flash, BIOS, HDD or CPU hijacking
- TCP or session hijacking
- Software exploitation
- Trojan Horse
- Advance persistent threats Malware
- Dictionary attack
- Brute Force Attack
- Password Guessing
- Covert channels, backdoors or maintenance hooks attacks
- Spoofing/ARP Poisoning
- Man-in-the-middle attacks
- Social engineering
- Dumpster Diving/War Driving
- Jamming electronic signals and communications
- WAP Gap/Rogue AP
- Insertion attacks/Masquerading
- Eavesdropping/packet sniffing
- And much more……
Best Practices for System vulnerabilities and threats
- Process isolation: – One process from interfering with another is prevented with the logical control by isolating or allocated the required amount of resources for a specified time for individual processes, for an instance Multiuser OS as UNIX, MS are designed to deal with.
- Data hiding: – Data are separated at different security levels and activities are maintained at the different security levels for access and controlled on constrained manner for users and processes. For an instance, data diddling within database systems.
- Abstraction: – Hiding unnecessary details from the users, only need to know is available. As complex a process it is considered less secure and managing the complexity is maintained by abstraction.
- Cryptographic Protection: – Defines ways to protect sensitive systems functions, features and belonging data, where data can be hidden from less privileged parts or the system for process, users and automated processes. Encryption, PKI etc.
Cyber Security Architecture & Designing Concepts for ERP
IT service management framework ITIL with an architectural framework to develop secure ERP solutions. The role of an architect to transform business requirements into architectural design establishes common practices for ERP systems designing, integrating, development and re-engineering whenever necessary.
Enterprise Security Architecture
- ESA is a unit or blocks of info sec infra across the entire organization, it provides foundational security components putting together for better security IT and solutions.
- SABSA Matrix adopts the business requirements that are to be transformed into security architecture and integration of recommended technologies and trends to fulfill the cyber enterprise security architecture.
System Security Architecture
- Focused on designing security services and products within individual computing systems.
- Distributed Systems with Decision support systems (DSS) & Management Support System (MSS) backing with Artificial Intelligence technologies.
- Defined as a SDN (Software Defined Networks) and SDS (Software Defined Software) where resources such as storage, memory, CPU, servers, applications and services are distributed across the systems and shared on enterprise networks.
Common Security Frameworks used for ERP
ISO/IEC 27001:2005 ISMS focused on the standardization and certification, such as ISMS requirements, management responsibility, internal & external ISMS audits and ongoing monitoring, management review of the ISMS and ISMS improvement via BPR.
ISO/IEC 27002 is focused on code of practice for information security management as
- Security policy
- Org and info security
- Asset management
- HR security
- Physical and environment security
- Communications and operations Management
- Access control
- Information systems acquisitions, development, and maintenance
- Information security incident management
- Business continuity management
Common Security Models
Security models are focused on maintaining confidentiality, integrity, and availability
- Bell-LaPadula for confidentiality
- Biba for integrity
- Clark-Wilson integrity at transaction level
- Harrison-Ruzo-Ullaman (HRU)
- Brewer and Nash (Chinese Wall)
Evaluation Criteria and its Uses
Evaluation methods and criteria focused on the real-world security of systems and products provides a common mechanism to evaluate vendor products based on the benchmark, a rating of the product tests are published as it give a level of security assurance attached to the product and allows customers to select products based on the evaluating rating and certified thereafter.
Types of Evaluation Criteria
- TCSEC (Orange Book) was developed by US DoD in 1980’s only evaluates confidentiality.
- ITSEC European standard for security evaluation and only evaluates confidentiality, availability, and integrity.
- PCI-DSS created by the payment card industry international security of council for credit card payment and verification.
- Common Criteria supersedes TCSED and ITSED and it is an international standard (ISO/IEC 15408), internationally agreed upon standards for subscribing and testing of IT products.
Certification and accreditation
The process adopted to evaluate and approve a system for use. Intensely used on government, Military and the highly regulated entity such as biotech and medicine industries. C&A has two steps process:
- Certification: – A process incorporates evaluation of a product, system or service’s architecture, design, and control to establish the evaluation of common criteria.
- Accreditation: – It is a formal management internal, external or mutual approval of the use of a certified system.
- DCID 6/3