Every good hacker story ends with the line: "and then he's got root access to your network and can do whatever he wants." But the story really doesn't end there. This is just the beginning of the real damage that the hacker can inflict.
While most information security initiatives focus on perimeter security to keep outsiders from gaining access to the internal network, the potential for real financial loss comes from the risk of outsiders acting as authorized users to generate damaging transactions within business systems.
The continued integration of enterprise resource planning software only increases the risk of both hackers who break through perimeter security and insiders who abuse system privileges to misappropriate assets - namely cash - through acts of fraud.
Security in the e-business, integrated enterprise resource planning (ERP) world requires a new way of thinking about security - not just about the bits and bytes of network traffic, but about business transactions that inflict financial losses from systems-based fraud, abuse and errors.
The ERP market has matured to a point where heightened competition has brought declining sales. As a result, ERP vendors are committed to bundling new functionality, such as CRM and Web services-based architecture, to provide more value to their customers. Unfortunately, security remains an afterthought.
While external threats from attacks and intrusions continue to rise, the opportunity for insider fraud and systems abuse has increased exponentially with the advent of a single automated system that manages accounts payable, employee benefits and other sensitive information.
Historically, ERP security focused on the internal controls that aim to limit user behavior and privileges while organizations rely on network perimeter defenses - firewalls, VPNs, intrusion detection, etc. - to keep outsiders from accessing the ERP system. However, increasingly integrated information systems with numerous system users require new levels of transaction-level security.
According to Gartner, "enterprises should consider the overall set of security functions and controls that permeate the entire environment that will be running trusted transactions." The analyst firm contends that "vulnerabilities can be exploited, mostly by insiders to create business threats at the transaction level."
And while ERP systems allow enterprises to integrate information systems with trusted partners through supply chain management, the number of authorized users continues to grow. This effectively introduces new entry points to business systems from outside the traditional IT security perimeter. Enterprises must not only trust the actions of employees but also trust partners' employees and perimeter security.
ERP Security Today
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.