Using the System's Security Audit Process and Ethical Hacking to Protect Systems Vulnerabilities in Applications Such As Lotus Notes and SAP
Benjamin S. Holtman
Info Sys 6840
November 7th 2011
TABLE OF CONTENTS
- Background on Lotus Notes and SAP, the System’s Security Audit Process, Ethical Hacking, and JAD
- An Example of How Systems Could Be Compromised
- SAP and Lotus Notes Specific Vulnerabilities
- Use of the Systems Security Audit Process, Ethical Hacking, and JAD to protect against vulnerabilities
Today’s world is more and more connected, and smaller for it. A coworker just arriving at work in the morning in New York can instantly chat in Lotus Notes with his counterpart in Switzerland, who is wrapping up his work day and getting ready to leave for the night. Along with this increased connectivity and freedom comes further vulnerability to breaches within a company’s information systems, which can cost corporations both time and money. Systems like Lotus Notes and SAP are used in many large corporations today and need to be protected from unauthorized intrusions that can expose them to viruses, worms, and other malware that can disrupt their operations. Ways do exist to protect valuable corporate assets such as Lotus Notes and SAP. Some of the most effective are the System’s Security Audit Process and internalized ethical hacking, used to continually test these systems for vulnerabilities. The idea is that penetration testers, i.e. ethical hackers, can work in tandem with users, management, and systems analysts in iterative JAD-like (Joint Application Design) sessions to continually test the system for vulnerabilities and to develop and educate the users as to the best ways to avoid security breaches from their end. In this instance, the idea is to use such a process to protect against vulnerabilities in SAP and Lotus Notes, but it could be applied to any information system that has vulnerabilities. By institutionalizing these processes and making them iterative, a corporation can ensure that it protects its assets on an ongoing basis. The corporation must also implement this process in the most cost-effective means possible, using prioritization based on risk management principles.
SAP, German for Systems, Applications, and Products, is an ERP system that includes modules which help to integrate the key business functions of financials, operations, human capital management, and corporate services into one centralized database. SAP comes in a vanilla version but can be customized. It “includes literally thousands of elements in its various enterprise systems that can be customized for a particular industry based on SAP’s perception of the best way to do things (i.e., industry best practices)” (Valacich and Schneider 295). The system itself is written in ABAP, which stands for Advanced Business Application Programming and is said to have syntax similar to that of COBOL. SAP communicates using SAP-specific protocols as well as the HTTP and HTTPS protocols. The vanilla version of the software does not have encrypted communication, but since SAP AG recently acquired identity and access management software from SECUDE, it now has the ability for secure login. Overall, and from this author’s perspective as a user of SAP, it offers a solid product for the integration of large corporate functional areas into one database, but it lacks an intuitive user interface and requires the memorization of cumbersome commands for toggling between the pages on which information must be entered to process daily transactions.
The System’s Security Audit Process, according to S. Anantha Sayana, deputy general manager of corporate audit services with Larsen & Toubro, contains the following key elements, as per his essay “The IT Audit Process” in the 2002 edition, volume 1, of the ISACA (Information System Audit and Control Association) Journal:
- Physical and environmental review—This includes physical security, power supply, air conditioning, humidity control and other environmental factors.
- System administration review—This includes security review of the operating systems, database management systems, all system administration procedures and compliance.
- Application software review—The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.
- Network security review—Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
- Business continuity review—This includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity plan.
- Data integrity review—The purpose of this is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques) (Sayana 2003).
Throughout his essay, he stresses that a risk/cost-benefit analysis must also be done to assess the risk that each system’s vulnerability represents, and that the following four things must be done during such a risk assessment:
- Inventory the information systems in use in the organization and categorize them.
- Determine which of the systems impact critical functions or assets, such as money, materials, customers, decision making, and how close to real time they operate.
- Assess what risks affect these systems and the severity of impact on the business.
- Rank the systems based on the above assessment and decide the audit priority, resources, schedule and frequency (Sayana 2002).
Sayana is essentially organizing and prioritizing the different systems based on the impact or loss that a breach in security would represent for the company. By using a structured risk management approach, a corporation can be most cost-effective while implementing the changes needed to reduce its systems’ vulnerabilities.
Ethical Hacking, in a business sense, is the process by which a company uses people trained in penetrating systems vulnerabilities in order to create fixes for those vulnerabilities. The EC Council (the International Council of E-Commerce Consultants) offers the CEH (Certified Ethical Hacking) certification. By employing people with skills similar to those validated by CEH certification, companies can proactively test their systems for weaknesses and take corrective action before the real bad guys take advantage and cost the company both time and money.
JAD (Joint Application Design) is a structured process in which users, managers, and analysts work together for several days in a series of intensive meetings to specify or review systems requirements (Hoffer et al. 178). Traditionally, JAD focuses on determining systems requirements. In this instance, the idea is to use JAD-like sessions along with a formally established corporate information security group in order to fix the vulnerabilities that the security group has found and, in part, to educate the users involved as to how to protect against those vulnerabilities that pertain to them.
There is both a human and a technical aspect to how systems are compromised. On the human side, security breaches can happen through user mistakes. For instance, a worker can leave his or her user ID and password on a sticky note on the computer terminal, or a coworker could give out his or her login ID and password to someone who might not be trustworthy. Another instance could involve the wireless connections used at home by corporate laptops that run both SAP and Lotus Notes. By allowing such wireless connections at home, a corporation opens itself up to vulnerabilities while connecting through a person’s home router and from war-driving-type activities that take advantage of VPN vulnerabilities. Street describes war driving as any “person who would drive around a certain region area while a Wi-Fi-enabled laptop or other wireless device scans for wireless access points. All wireless access points are stored into a database with GPS coordinates so that they can later be found and accessed, if necessary” (Street et al. 175). McClure describes the VPN (Virtual Private Network) as “a broader concept than a specific technology or protocol, but most practical manifestations involve “tunneling” private data through the Internet with optional encryption” (McClure et al. 284). Although giving employees the ability to work from home does allow them to increase productivity and flexibility, it at the same time makes them vulnerable to exploitation from war driving, and if the VPN is not encrypted that represents a vulnerability as well. Both of these situations could result in SAP and Lotus Notes becoming corrupted.
Because SAP tends to be an inward-facing and more internally encapsulated system, it is inherently safer than Lotus Notes, which is conversely an inherently more outwardly facing program. As was previously stated, SAP in its vanilla version did not include a secure login, but since SAP AG recently acquired identity and access management software from SECUDE it now has the ability for secure login. It uses the standard HTTP and HTTPS communication protocols. It faces the same security concerns any standard inwardly facing program would. Lotus Notes’ outwardly facing posture leaves it more vulnerable to malware through the email messages themselves, attachments to email messages, and the use of external emoticons (smiley-face icons used in the instant-messaging part of Lotus Notes). There are various ways in which malicious software can enter through Trojan horse type schemes that make an email look like it is from an authentic contact when in fact it is not. Jones states that the “fundamental flaw with email is that certain headers can be forged. This is what allows spam and all other scams to flourish, even in the face of sophisticated filters and detection software” (Jones 34). Jones also discusses the dilemma one faces when receiving email from unknown sources imploring one to open the attachment: “we cannot easily determine its content without examining it, but that process alone can expose us to any computer virus that it might contain” (Jones 34). Overall, Lotus Notes represents more of a threat than SAP.
As has been previously mentioned, the use of the System’s Security Audit Process along with Ethical Hacking and a JAD-type process can effectively create a barrier to protect corporate information systems assets. One aspect of the System Security Audit Process is the analysis of network vulnerabilities, which can affect access to programs like SAP and Lotus Notes and which Sayana groups into three broad categories. The first is interception of “data that are transmitted over the network through some medium that consists of a carrier and other equipment” (Sayana 2003). The second is availability, of which he writes that “the control to ensure availability and reliability of a network is through good network architecture and monitoring. The design of the network should ensure that between every resource and an access point there are redundant paths and automatic routing to switch the traffic to the available path without loss of data or time” (Sayana 2003). Sayana describes the third vulnerability as “Access points—Most controls in a network are built at the points where the network connects with an external network” (Sayana 2003). Here Sayana points out that these connection points represent vulnerabilities in corporate information systems. These and other systems vulnerabilities can be remedied through the formation of a corporate systems security department that is trained in ethical hacking, i.e. penetration testing. These specialists would not only work on exposing systems’ vulnerabilities in order to protect them but would also work on developing defensive measures. These individuals would have a “defensive arsenal” as described in Young and Aitel’s book The Hacker’s Handbook:
- Access Controls - Controlling access to specific systems via access control lists, i.e. firewalls.
- Authentication - The binding of a user “identity” to a specific user via the presentation of authentication credentials.
- Auditing and Logging - OS, application, or third party facilities that track user or system operations and record these to a log file.
- Resource Controls - The utilization of a group of systems and network technologies that can protect against denial-of-service attacks.
- Nonrepudiation - The binding of an identity to a specific transaction in a manner that prevents an individual from being able to deny that he or she was the author or source of the transaction.
- Privacy - The use of cryptographic security technologies to ensure the confidentiality of data in transit via protocol encryption.
- Intrusion Detection - Intrusion detection encompasses a range of security techniques designed to detect (and report on) malicious system and network activity or to record evidence of intrusion.
- Data Integrity - Data integrity encompasses tools and techniques aimed at protecting data, transaction, and information integrity.
- Platform Integrity - Platform integrity management involves the use of “hardening” techniques aimed at preventing code anomalies or configuration issues from being exploited as a means of system/network intrusion and/or denial-of-service (Young and Aitel 105-106).
This group of security specialists would work in tandem in iterative JAD-type sessions with users, management, and analysts in order to continually determine the requirements for maximum system security. These sessions could be educational for users as well, so that they are made knowledgeable in the best practices they can follow to protect the corporate information assets they use. Practices such as Perkel’s tips for cyber security could be taught, like “do enable automatic operating-system updates” and “do install and update your antivirus and anti-malware software,” amongst other things (Perkel 1261). Additionally, the involvement of “business users were found to add value to IS security risk management, when they participated in the prioritization, analysis, design, implementation, testing, and monitoring of user-related security controls within business processes” (Spears and Barki 520). Essentially, these two quotes reinforce the fact that value can be added by getting users involved in the system’s security audit process along with systems security specialists. Finally, as was previously mentioned, the systems security changes that would come out of these sessions would have to be weighed through risk/cost-benefit analysis in order to determine which changes are worth pursuing.
Systems like SAP and Lotus Notes have inherent vulnerabilities. Through an iterative system’s security audit process that includes users, management, analysts, and ethical hackers/penetration testers, one can create a protective, adaptive barrier around a corporation’s systems assets. At the core of this process is the ethical hacker, who works to invade a corporation’s systems with the goal of establishing ways to protect against these vulnerabilities in the future. Another important element is the user, who will be educated through JAD-type sessions as to what he or she should do to best protect the system from a human-error perspective. Overall, the changes made through the JAD-type sessions would be based on a risk/cost-benefit analysis in which only the changes representing the highest level of benefit for the company would be chosen.
- ABAP. N.p., n.d. Web. 7 Nov. 2011. http://en.wikipedia.org/wiki/ABAP.
- Certified Ethical Hacking. N.p., n.d. Web. 7 Nov. 2011. http://www.eccouncil.org/certification/certified_ethical_hacker.aspx.
- ECLIPSE. N.p., n.d. Web. 7 Nov. 2011. http://www.eclipse.org/org/.
- Formula. N.p., n.d. Web. 7 Nov. 2011. http://en.wikipedia.org/wiki/Formula_language.
- Hoffer, Jeffery A., Joey F. George, and Joseph S. Valacich. Modern Systems Analysis and Design. 6th ed. Upper Saddle River: Prentice Hall, 2011. 178-82. Print.
- JAD. N.p., n.d. Web. 7 Nov. 2011. http://www.bee.net/bluebird/jaddoc.htm.
- Jones, Robert. Internet Forensics. Sebastopol: O'Reilly Media Inc., 2006. 34-50. Print.
- Lotus Notes. N.p., n.d. Web. 7 Nov. 2011. http://www-01.ibm.com/software/lotus/products/notes/features.html?S_CMP=wspace.
- LotusScript. N.p., n.d. Web. 7 Nov. 2011. http://en.wikipedia.org/wiki/LotusScript.
- McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed: Network Security Secrets and Solutions. Berkeley: Osborne/McGraw-Hill, 1999. 284-88. Print.
- Perkel, Jeffrey. How Safe Are Your Data? N.p.: Macmillan Publishers Limited, 2010. 1261. Print.
- Sayana, S. Anantha. Approach to Auditing Network Security. ISACA Journal, 2003, vol. 5. Web. http://www.isaca.org/Journal/Past-Issues/2003/Volume-5/Pages/Approach-to-Auditing-Network-Security.aspx
- Sayana, S. Anantha. The IT Audit Process. ISACA Journal, 2002, vol. 1. Web. http://www.isaca.org/Journal/Past-Issues/2002/Volume-1/Pages/The-IS-Audit-Process.aspx
- SAP ERP. N.p., n.d. Web. 7 Nov. 2011. http://en.wikipedia.org/wiki/SAP_ERP.
- SAP TO ACQUIRE SOFTWARE SECURITY PRODUCTS AND ASSETS FROM SECUDE. N.p., 12 Jan. 2011. Web. 7 Nov. 2011.
- Spears, Janine L., and Henri Barki. User Participation in Information Systems Security Risk Management. Vol. 34. N.p.: MIS Quarterly, 2010. 520. Print.
- Street, Jayson E., Kent Nabors, Brian Baskin, and Marcus Carey. Dissecting The Hack: The Forbidden Network. Revised ed. Burlington: Elsevier, 2010. 175. Print.
- Valacich, Joe, and Christoph Schneider. Information Systems Today: Managing in the Digital World. 5th ed. Upper Saddle River: Prentice Hall, 2012. 294-97. Print.
- What is the EC Council. N.p., n.d. Web. 7 Nov. 2011. http://www.eccouncil.org/about_us/frequently_asked_questions.aspx.
- Young, Susan, and Dave Aitel. The Hacker's Handbook. Boca Raton: Auerbach Publications, 2004. 103-07. Print.