Security in ERP Systems By Jason Rhodewalt & Marcel Gibson

Why is ERP Security Important? All of the business's vital data All of the business's vital data Employee/customer personal data Employee/customer personal data Social Security Numbers Social Security Numbers Credit Card Numbers Credit Card Numbers Addresses Addresses

Background of Security Problem Hacking began in the ‘70s Hacking began in the ‘70s Simple wiretaps or “blue boxes” Simple wiretaps or “blue boxes” Today, complex malicious programs Today, complex malicious programs Estimated that 1 and 4 US computers infected with a virus Estimated that 1 and 4 US computers infected with a virus Signs that viruses are becoming professionally made for monetary/ political incentives Signs that viruses are becoming professionally made for monetary/ political incentives

Background of Security Problem

Legal Considerations Sarbanes-Oxely Sarbanes-Oxely CEO liability CEO liability  External tampering  Internal tampering Auditing Auditing

Legal Considerations – cont. California Civil Act SB 1386 California Civil Act SB 1386 Companies must notify customers of compromised data Companies must notify customers of compromised data  Applies even to companies not incorporated in California Notification must be in a timely matter Notification must be in a timely matter

Legal Considerations – cont. McLaren v Microsoft Corp (1999) McLaren v Microsoft Corp (1999) Suspended employee has personal data on work machine and password protected Suspended employee has personal data on work machine and password protected Microsoft access files – employee sues for right to privacy Microsoft access files – employee sues for right to privacy Employee looses Employee looses  Work computer and work are Microsofts property

ERP System Authentication Not only employees need access Not only employees need access Customers, suppliers, and 3 rd party software developers Customers, suppliers, and 3 rd party software developers Local and remote access Local and remote access

Passwords User names and passwords User names and passwords Don't use SSN! Don't use SSN!  Custom user names are like 2 nd password Strong passwords Strong passwords  Combination of uppercase/lower case words and numbers

Encryption Algorithms Encrypting data protects it from unauthorized viewing Encrypting data protects it from unauthorized viewing Blowfish Algorithm (1993) Blowfish Algorithm (1993) RC4 Algorithm(1987) RC4 Algorithm(1987)

Unauthorized Access Easiest method: Guess a password Easiest method: Guess a password Use random user names and strong passwords Use random user names and strong passwords Try all the combinations Try all the combinations Limit log on attempts Limit log on attempts Only allow access from certain IP addresses Only allow access from certain IP addresses  Tough to implement with remote access Phishing Phishing Educate the end users Educate the end users

Unauthorized Access – cont. Phishing Phishing Educate end- users Educate end- users Key-logging software Key-logging software Limit installation privileges on public machines Limit installation privileges on public machines

Auditing and Monitoring Authorization and authentication protocols allow ERP systems to keep a detailed account of system events Authorization and authentication protocols allow ERP systems to keep a detailed account of system events Auditing required by statute Can be very costly and time consuming.

Auditing and Monitoring –cont. Steps to prepare for audits: Steps to prepare for audits: 1. Ask the auditors what they are looking for before an audit. Ask them for their audit objectives, if any pre-audit checklists. 2. Make sure to list perceived risks. Sort them in descending order with the highest risks at the top, along with the controls you created to mitigate them. 3. Document your preventative controls, and have detective controls in place to show they work. Document the change management process. 4. Keep a current and accurate asset inventory of hardware and software. 5. Document all internal audit procedures.

RFID Technology Used to track parts and products through supply chain Used to track parts and products through supply chain Passive electronics Passive electronics Included in shipments and/or product packaging Included in shipments and/or product packaging

RFID Technology –cont.

Using RF ID Data Immediate decisions Immediate decisions Will we be on time this week? Will we be on time this week? Executive decisions Executive decisions Should we build this part first? Should we build this part first? Should we build this product? Should we build this product?  Cash-To-Cash time

What to do in case of a breach!!! 1. Asses the situation/ level of breach 2. Report the breach to proper authorities FBI FBI Management Management Person effected Person effected 3. Track/ investigate the breach 4. Seal breach and rectify the problem

Disaster Recovery The purpose of disaster recovery is to ensure that in the event of a disaster, all business operations can continue relatively smoothly, including security. The purpose of disaster recovery is to ensure that in the event of a disaster, all business operations can continue relatively smoothly, including security. Plan ahead: a good plan might save the entire company. Plan ahead: a good plan might save the entire company.

Disaster Recovery –cont. 1. Setup a secondary site 2. Mirror content in real time at secondary site 3. Implement Disaster Recovery Plan 4. Test, rehearse, and test some more 5. Continuously update plan 6. Be aware, disasters will happen!

Image Reference Enron picture Enron picture RF ID RF ID Phishing Phishing Encryption Encryption