Biometric Security for SAP R3 - Mihaylo College of Business and

Shared by: lonyoo. Posted: 11/11/2009. Language: English.
Slide 1: Biometric Security for SAP R/3: New Information Security Strategies in an Environment of Terrorism, Cyberterrorism, and of Internal Control System Failures
Paul Sheldon Foote (foote@chapman.edu), Vijay Karan (vkaran@fullerton.edu), Malini Krishnamurthi (mkrishnamurthi@fullerton.edu), Curtis Williams (curtiswilliams@fullerton.edu)

Slide 2: Panel Discussion and SAP Demonstration
Panel Discussion:
• Vijay Karan – Cal State Fullerton
• Curtis Williams – Cal State Fullerton
• Thomas Neudenberger – realtimenorthamerica.com
SAP Demonstration: There will be a demonstration of a biometric system customized for SAP R/3 users.
Curriculum Development: Web references will aid you in preparing handouts and research.

Slide 3: What do faculty teaching SAP need to know about Biometrics?
Security issues to introduce in the classroom.

Slide 4: What are the security needs for AIS (Accounting Information Systems)?
The growth of e-commerce and m-commerce environments.
At the heart of any Accounting Information System is a transaction processing system that captures transaction data electronically. Financial statements prepared by these systems are only as good as the data captured by these systems, so data has to be reliable, accurate and secure. Accountants and auditors have to assess the integrity and security issues when the Internet is relied upon to conduct commerce.

Slide 5: What are the risk factors?
Typical risk factors include theft, destruction, interception and alteration of financial data. Accountants have to recognize the need for greater control over data input, processing and output to minimize the risk factors. In computer jargon: garbage in, garbage out (“GIGO”).

Slide 6: Information System Threats and Failures
• Identity theft and information systems breaches
• Mandatory requirements imposed by the Sarbanes-Oxley Act of 2002, the California Privacy Act, and HIPAA

Slide 7: Sarbanes-Oxley and IT
“When it first came out, everybody was thinking about finances and the accuracy of year end reports.
But it starts to take on a life of its own. Because when you ask that one question – ’Is this number accurate?’ – then you have to insure its accuracy. On the IT side, all these other things have to happen to answer that one question.” – Bernie Donnelly, VP Quality Assurance and Control, Philadelphia Stock Exchange

Slide 8: Sarbanes-Oxley Act of 2002, SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS
(a) RULES REQUIRED – The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall--
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Slide 9: IT and Internal Controls
Is this number accurate? SOX compliance is first and foremost an identity management issue.
“With Sarbanes-Oxley, the regulators want to know who was in what system, what they did, why they were there, whether they were authorized to be there, and how long were they there. You have to be able to answer those questions for almost everything.” – Phil Blank, Vice-President of IT for the ProBusiness division of ADP in Pleasanton, California

Slide 10: Summarizing the ‘Threat’
The SAP system is the ‘heart’ of any vital information. It holds all data about production, purchasing, selling, marketing, finances, suppliers, customers and employees. It also stores critical records such as health insurance information, social security numbers, salaries or medical records and more… Any unauthorized access to or changes of these data could result in multi-million dollar damages, lawsuits or bad press and image loss!
Protect the SAP system from unauthorized access… and know with certainty who did what, and when, within the system. Comply with mandatory regulations, but also protect the company from preventable damages.

Slide 11: Statistics: Threat in numbers…
• 82% of all passwords are written down (SAP-Info Online)
• 40% say they share passwords frequently (Source: Rainbow)
• Is ID theft an enterprise concern? 81% yes / 19% no (Security Pipeline)
• Attacks which involved guessed passwords: 14% (InfoWorld 2003)
• 92% of corporations and government agencies detected computer security breaches in the last 12 months; 75% acknowledged financial loss due to these breaches (Computer Security Institute 2003)
• The FBI statistics confirm: 65% of all security breaches are by disgruntled, former employees! 95% result in significant financial losses (Source: Gartner)
• ‘Businesses will lose $48 billion this year to fraud’ (CSO Magazine, Cover Page, March 2004)

Slide 12: Authentication
Definition: To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.

Slide 13: Authentication methods
There are 3 ways to protect physical or data access:
1. What you know…
2. What you have…
3. Who you are…

Slide 14: The three factors of authentication
• What you know… Passwords / PIN / Codes
• What you have… Smart Cards / Tokens / Keys
• Who you are… Biometrics – Fingerprint etc.

Slide 15: The 3 ways to protect information
• Biometrics is the only true protection since the user will be UNIQUELY identified!
• Smart Cards and Tokens can still be lost, stolen or passed on – and the user can not be identified or held responsible…
• Passwords are historically accepted to attempt protecting computer systems…
• Lawyers love these two ways and call it: SODDI. They offer limited protection and no identity management at all!!!

Slide 16: SODDI?
SODDI* means: “Some Other Dude Did It” – no one can prove that this was done by my client! (a very popular legal defense) We call it: Get out of Jail FREE Card! *(pronounced sahd-ee)

Slide 17: The truth about passwords…
• Highly insecure
• Not very convenient
• Administration is expensive
Therefore our mission is to close this accepted IT security ‘gap’ with modern, innovative technology.

Slide 18: Get the password the hard way…
Need a password for a website? Try www.bugmenot.com!
How to get access to another profile with more authorization capabilities (the hard way)…
• Look for the password near the computer and in drawers
• Look over shoulders of employees when they enter it
• Go to the computer while the owner leaves their desk
• Ask colleagues (40% admit sharing passwords)
• Get the emergency password (in some companies at the security guard)
• Check the ‘history’ of the first ‘login field’ for password entry
• Call the hotline with a different name or user login to get a reset
• Fake password login screen emails password to intruder
• Check ‘.INI’ files in Windows for non-encrypted passwords
• Try the default user SAP* with the default password 06071992
• Or simply associate with the owner (hometown, car, children, wife, etc.)

Slide 19: …or get the password the easy way!
Password cracker:
• 4 characters – a few seconds
• 6 characters – 1 minute to 6 minutes
• 8 characters – 15 minutes to 58 hours
• 16 characters – 21 months to 7 years
• Shareware programs off the Internet can run over 4 million passwords in one minute.
• For $70 you can purchase a ‘KEYKatcher’ – plug it into any computer and ‘record’ any passwords – www.business-security.ws. Free software / password stealers will do the same!
• And there is still the ‘Electronic Locksmith’… Pay $20 with your credit card online and the ‘Locksmith’ will send you the password!
Fact is – if you want somebody's password – you will get it!
Slide 20: Administrators monitor passwords…
Did you know that your SAP password is not encrypted between the SAP GUI and the SAP Server? You don’t believe us – try with the free download below:

Slide 21: Who could be a target?
Who has access to critical information and would be a good target…
• Users of the ‘Emergency Profile’ (SAP*, DDIC)
• Management with extended access
• System Administrators
• Customers (B2B) / Suppliers
• Telecommuters / Travelers (any remote access)
• External consultants
• Accounting / Finance
• Purchasing
• HR
• Sales
Who else can you think of?

Slide 22: Why ‘Fingerprint’ for you…
Real cases – what employees have done:
• Cisco accountants issued almost $8 million in stock to themselves
• Cisco employee obtained and sold proprietary information
• Omega employee caused $10 million in damages by deleting programs
• UBS/Paine Webber employee caused $3 million in damage and drove the stock price down
• A system administrator at the IRS wiped out 3 servers
• Former employee at Marsh Inc. altered and deleted salary information
• A relative changed the blood type of a patient in a hospital; the victim died!

Slide 23: Why ‘Fingerprint’ for you…
Average damage caused by a hacker: $57,000. Average damage caused by a disgruntled employee: $2.7 million. Source: Encentuate 2003

Slide 24: Identity Management
Is two-factor authentication the solution for identity theft? Biometric solutions improve information systems and financial audit trails.

Slide 25: What is Biometrics?
“Measurable physiological and / or behavioral trait that can be captured and subsequently compared with another instance at the time of verification.” Matching of fingerprints, voice patterns, hand geometry, iris and retina scans, and vein patterns are physiological characteristics.

Slide 26: Biometric Security Solutions
Who would need biometric security?
Auditing – Need for individual transaction authorization in SAP and compliance with SOX Section 404.

Slide 27: Advantages of Biometric Systems
The biggest advantage that biometrics can offer is security and convenience. A biometric cannot be transferred between individuals and represents a unique identifier, while passwords and PINs can be stolen and recreated. Templates are useless when stolen since they will work only with a live sample for comparison.

Slide 28: Biometric Authentication
How do biometric systems validate the data and substitute for identity management? Biometric systems neither validate data nor substitute for identity management. Biometric systems respond automatically to biological or behavioral traits of individuals as recognized or as not recognized.

Slide 29: Biometric Standards
Are there any standards organizations publishing formal standards for biometrics? ISO (International Organization for Standardization) Joint Technical Committee 1’s sub-committee on biometrics (SC37); American National Standards Institute (ANSI). http://www.jtc1.org/sc37/

Slide 30: Fingerprint technology in current use
• Visas – US borders
• Car manufacturing
• Physical access (door locks)
• Cell phones
• PDAs
• Cash registers
• Printers / copiers
• Gun holster (police officer)
• Safes / weapon boxes
• Key boxes (car dealers)
• Payment in beer garden (digiPROOF)
Anywhere where proof of identity is important!

Slide 31: Forensic and Identification Standards
What are forensic and identification standards? To support the automatic, international exchange of machine-readable biometric data, there must be standards for: data elements to be printed or stored on identity cards, formatting, image quality, and for image compression and decompression.

Slide 32: Data Standards
What are standard methods of packaging biometric data?
CBEFF (Common Biometric Exchange File Format) of the National Institute of Standards and Technology (NIST) has a standard header (mandatory and optional data elements), a biometric specific memory block (BSMB), and an optional digital signature. http://www.itl.nist.gov/div893/biometrics/documents/NISTIR6529A.pdf

Slide 33: XML Data Standards
Is there an XML version of the CBEFF data structure? XCBF is the XML version, the product of the Organization for the Advancement of Structured Information Standards (OASIS). http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=xcbf

Slide 34: CBEFF Registration Authority
How can we ensure that the CBEFF values we select for the Format Owner and Format Type fields are unique? Register with the International Biometric Industry Association (IBIA). http://www.ibia.org/

Slide 35: Application Programming Interface (API) Standards
Are there standard biometric APIs providing common interface methods across current and future technologies? BioAPI is an open-system standard developed by many biometric vendors and others. For ANSI and ISO versions, see: http://www.bioapi.org/internationalversion.html

Slide 36: Security Standards
Are all implementations of biometric systems secure? No. ANSI X9.84-2003 is an example of a standard for secure implementations of biometric systems, including: physical and logical access controls, encapsulation of biometric data, secure transmission, secure storage, and physical hardware security. http://webstore.ansi.org/ansidocstore/dept.asp?dept_id=80

Slide 37: Testing and Certification Standards
When vendors report accuracies of their biometric systems, are they using standard methods of data collection and of statistical analysis? Biometric vendors might be using proprietary templates and their own data (with different samples and sample sizes).

Slide 38: Testing and Certification Standards 2
Are there international standards for performance measurement?
INCITS M1 (InterNational Committee for Information Technology Standards) is developing common standards for measuring and reporting biometric algorithm performance. See: http://www.ncits.org/tc_home/m1.htm

Slide 39: How is the biometric template created?
There is an enrollment process wherein each new user is required to register on the biometric system. A few samples are taken to measure the physical traits, such as a fingerprint or a retinal scan. An average is taken from these readings, which is then used to produce a template.

Slide 40: Continued
A template is a very small amount of information when compared to the original measurement of the biometric and is nothing more than a collection of numbers which have no meaning except to the biometric system that produced them. Once the biometric data is collected it is encrypted and stored.

Slide 41: Proprietary Templates
How can you be sure that proprietary templates have been protected? Tampering with encrypted templates can result in incorrect checksums or header information. For work in this area, see NIST: http://www.ncits.org/tc_home/m1.htm

Slide 42: Non-technical Standards
How can you document that a biometric system satisfies legal issues: preventing identity theft while protecting personal privacy and equal rights? The International Biometrics Industry Association (IBIA) posts newsletters, events, solutions, white papers, case studies, and industry news at: http://www.ibia.org/

Slide 43: Smart Cards
How can smart cards improve biometric systems? Biometric performance improves by using more than one method (such as fingerprints and smart cards).
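The enrollment, verification and tamper-check steps described on slides 39 to 41 (average several readings into a template, compare a live reading against it, detect an altered stored record), as an added Python example that is not part of the presentation or of any vendor's product. The feature vectors, match threshold and key are constructed placeholders; the record layout (header, BSMB, tag) only loosely follows the CBEFF outline on slide 32, and an HMAC stands in for the encryption and digital signature the slides mention.

```python
import hashlib, hmac, math, struct

# Constructed demo data: each sample is a small fingerprint "feature vector".
# A real sensor yields far larger vectors, but the enrollment logic is the same.
ENROLL_SAMPLES = [[0.10, 0.50, 0.90, 0.30],
                  [0.12, 0.48, 0.88, 0.32],
                  [0.11, 0.52, 0.92, 0.28]]
LIVE_SAMPLE = [0.13, 0.47, 0.91, 0.31]      # same finger, fresh reading
IMPOSTOR_SAMPLE = [0.60, 0.20, 0.40, 0.70]  # a different person
MATCH_THRESHOLD = 0.15                      # assumed tolerance, tuned per system
DEMO_KEY = b"constructed-demo-key"          # placeholder integrity key
HEADER = struct.Struct("<HHI")              # format owner, format type, BSMB length
TAG_LEN = hashlib.sha256().digest_size

def enroll(samples):
    """Average several readings into one template (the enrollment step)."""
    dim = len(samples[0])
    return [sum(s[i] for s in samples) / len(samples) for i in range(dim)]

def verify(template, live, threshold=MATCH_THRESHOLD):
    """Accept the live reading if its distance to the template is within tolerance."""
    dist = math.sqrt(sum((t - l) ** 2 for t, l in zip(template, live)))
    return dist <= threshold

def pack_record(template, key, format_owner=0xFFFF, format_type=0x0001):
    """Wrap a template in a CBEFF-like record: header + BSMB + integrity tag.
    Owner/type values are placeholders, not IBIA-registered identifiers."""
    bsmb = struct.pack(f"<{len(template)}f", *template)
    header = HEADER.pack(format_owner, format_type, len(bsmb))
    tag = hmac.new(key, header + bsmb, hashlib.sha256).digest()
    return header + bsmb + tag

def unpack_record(record, key):
    """Return the template, or None if header or BSMB fail the integrity check."""
    if len(record) < HEADER.size + TAG_LEN:
        return None
    header, bsmb, tag = record[:HEADER.size], record[HEADER.size:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, header + bsmb, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                         # altered header/BSMB, or wrong key
    _owner, _ftype, length = HEADER.unpack(header)
    if length != len(bsmb) or length % 4:
        return None                         # header inconsistent with the block
    return list(struct.unpack(f"<{length // 4}f", bsmb))

def tamper(record, offset):
    """Flip one bit of a stored record, simulating an altered template."""
    altered = bytearray(record)
    altered[offset] ^= 0x01
    return bytes(altered)
```

A stored record that fails `unpack_record` should be treated as an integrity incident and the user re-enrolled, not silently re-accepted.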
For details of the Government Smart Card Interoperability Specification, see: http://smartcard.nist.gov/

Slide 44: Biometric-related Web Sites
• AFB (Association For Biometrics) http://www.afb.org.uk
• BioAPI Consortium http://www.bioapi.org
• The Biometric Consortium http://www.biometrics.org
• Biometric Testing Services (BIOTEST) http://wwwnpl.co.uk/sections/this/biotest
• Commercial Biometrics Developer's Consortium (CBDC) http://www.icsa.net/biometrics
• The Connecticut Biometric Web Page http://www.dss.state.ct.us/digital.htm

Slide 45: Biometric-related Web Sites
• Financial Services Technology Consortium http://www.fstc.org
• International Biometric Industry Association http://www.ibia.org
• The Human Identification System Project http://www.asti.dost.gov.ph/~shoreadm/HIS.html
• International Association for Identification (IAI) http://www.iaibbs.org
• National Biometric Test Center http://www.biometrics.org/html/testcenter.html
• National Center For Identification Technology http://www.ncit.org
• Security Industry Association http://www.siaonline.org/

Slide 46: Biometric Publications
• Biometric Technology Today http://www.sjb.co.uk
• Biometric Digest http://biodigest.com
• Biometric Watch Newsletter http://www.biometricwatch.com

Slide 47: What are the factors that affect the adoption of biometric authentication systems?
• Economic
• Managerial
• Operational
• Technological
• Process-related
• Governmental
• Standard-related factors

Slide 48: What are the issues to consider at the time of implementing the system?
The process of implementing the system should consider the following issues:
• Users
• Administration
• Environment
• Infrastructure
• Usability
• Communication
• Maintenance

Slide 49: Are there hardware and software vendors?
Currently biometric authentication is not in widespread use; however, it is expanding. Hardware and software vendors are constantly developing new and improved ways of assuring access to information.
One such vendor is Realtime North America.

Slide 50: BioLock
The company Realtime North America, Inc. has added to the SAP market keyboards with built-in biometric (fingerprint) scanners. Given the sensitive data that most SAP installations contain, securing ERP systems from unauthorized users is a critical concern.
