SAP security awareness as a main line of defense
The human element within the organization is probably the most neglected element in the organizational cyber defense strategy. I have read lots of interesting blog posts and articles talking about generating security awareness. Often I read about users being your last line of defense. I personally completely disagree to such a statement. Your SAP user community shall be a main line of defense, one which can be mobilized with relatively low efforts and costs, but returning positive and measurable results!
At GRC2018, a premier event around SAP GRC solutions, I will have a dedicated session on how to enable your SAP user community to help improve the security posture of your SAP landscape.
I changed all my passwords to “incorrect”. So whenever I forget, it will tell me ”Your password is incorrect”.
Some of the security assessments I recently executed again confirm the same:
- Event though standard users having common / known passwords are pretty well documented and standard identification tools are available (like program RSUSR003, the SAP early watch report) we still encounter SAP systems containing sensitive data having unlocked and directly usable standard users.
- SAP users still utilize predictive or brute-force sensitive passwords. Especially when passwords are recycled across non-production and production environments it becomes relatively easy to steal someones identity.
So, why still use password based logons?
Rules written differ from rules applied
I am surely guilty myself. No doubt many reading this post will have to confess the same. Having access to the debugger with variable overwrite capabilities it is quicker to bypass a coded authorization check compared to following the paved process of requesting authorizations the official way. Especially for urgent, temporary or occasional requirements people tend to follow the path of the least resistance.
To avoid security failure, security shall be workable but unavoidable.
If you want to learn more please join us at GRC2018!
Looking forward to meeting many of you in Prague.