Browse archive

Latest news

Microsoft to pay up to 150k for vulnerabilities

(IN)SECURE Magazine issue 38 released

Collected data helped foil 50 terrorist plots, says NSA chief

65+ websites compromised to deliver malvertising

Customized spam uses cell phone users’ data against them

Facebook once again accessible via Tor

Oracle releases critical security updates for Java

Employees biggest IT threat to businesses

Google asks secret court permission to publish FISA numbers

How to detect hidden administrator apps on Android

Hacking charge stations for electric cars

Security in an ERP World

by Mark Van Holsbeck, Director of Enterprise Network Security for Avery-Dennison and Jeffrey Z. Johnson, Vice President of Solutions & Services for Oversight Technologies. - Monday, 24 May 2004.

For most enterprises, ERP security starts with user-based controls where authorized users log in with a secure username and password. Enterprises then limit a user's system access based on their individual, customized authorization level. For example, an accounts payable clerk should not have access to human resources or inventory management modules within the ERP system

Most ERP systems offer data encryption which limits someone's ability to export the database but does not address the need to protect authorized insiders from accessing unauthorized modules in the system.

Audit logs within an ERP system track individual transactions or changes in the system but provide little detail into the relevance of the transaction. With each transaction documented individually, the audit log does not consider the context of the transaction, such as the events that occurred before or after the transaction. Internal auditors can then sample the audit logs for irregular transactions.

However, about half of all organizations do not configure their ERP system to maintain audit logs because they are concerned about performance degradation and they don't think they need it. Regrettably, these organizations believe IT security only focuses on the layers of traditional perimeter security. In a compromise between security and performance, enterprises can avoid logging every detail of system activity and focus on meaningful information that's relevant to the transaction.

For organizations that do utilize audit logs, system administrators can configure customized audit reports that employ simple logic to identify "outliers" - system transactions that fall outside of normal parameters, such as date and time, location of the user logging into the system and checks larger than a predefined setting.

While it's time consuming to customize these reports, they provide hundreds of data points to manually process and are invariably riddled with false positives. Each flagged event requires manual human analysis of the event because the audit reports cannot analyze the event to determine the cause for concern.

Security Failures

When you consider that the average business loses 3 percent to 6 percent of annual revenue due to fraud, most agree that the ERP security features listed above are not working. Worse yet, businesses suffer additional losses through duplicate payment errors. The average enterprise submits duplicate payments for 2 percent of its total accounts payable. Of these duplicate payments, 10 percent are never recovered, which leads to total losses equivalent to 0.2 percent of total accounts payable.