Last month, ISACA released the 4th edition of their book Security, Audit and Control Features SAP ERP. The previous version was published in 2009. Some updates include detailed security guides for assessing different SAP business processes. We had been waiting for ISACA's updates since 2009, and now we would like to share some thoughts about this update.
Before reading this article, I recommend that you have a look at our thoughts about different SAP Security Guides, where we analyzed existing guides and recommendations from various sources such as SAP, ISACA, DSAG, and EAS-SEC.
Reviewing ISACA Security, Audit and Control Features SAP ERP, 3rd edition
ISACA published what was probably the first SAP security guideline in 2002. Two other previous versions were released in 2006 and 2009. In general, the checks in the 3rd edition covered configuration and access control areas. The part about application platform security covered less than access control and missed some critical areas. The guideline consisted of 4 parts and about 160 checks in total.
Briefly speaking, the previous edition of Security, Audit and Control Features SAP ERP had the following advantages and disadvantages:
Advantages: detailed coverage of access control checks in different business processes.
Disadvantages: Outdated. The technical part is missing. Guideline consists of too many checks and can't be easily applicable by a non-SAP specialist. Also, it can't be applied to any system without a prior understanding of the business processes. And finally, this guideline could only be legally acquired as part of a book you had to buy.
Changes in ISACA Security, Audit and Control Features SAP ERP, 4th edition
Now let’s check what has changed in more than 6 years.
The first and probably the main change is that now audit guides and the book itself are separated, and to get the guides, you need to buy an additional document with a checklist. Second, 4 new areas were added in addition to the 4 covered in the previous version. According to the official statement, new features include risk, controls and assessment techniques to audit SAP FI/CO, HCM, BASIS, and SAP security, an overview of the SAP GRC Suite, updated Sarbanes-Oxley control objectives and a list of sensitive tables and transaction codes.
There are now 7 Audit / Assurance Program guides and BASIS including security. But, as mentioned before, while in the 3rd edition Assurance programs were parts of the book itself as an appendix, in the 4th edition they removed it from the book. Audit programs based on COBIT 5 can be offered separately. Here are 7 Audit Programs available now:
1. Revenue Business Cycle Audit/Assurance Program and ICQ
2. Expenditure Business Cycle Audit/Assurance Program and ICQ
3. Inventory Business Cycle Audit/Assurance Program and ICQ
4. Financial Accounting (FI) Audit/Assurance Program and ICQ
5. Managerial Accounting (CO) Audit/Assurance Program and ICQ
6. Human Capital Management Cycle Audit/Assurance Program and ICQ
7. BASIS Administration and Security Audit/Assurance Program and ICQ
Those are the main good changes and now it’s time for bad news. What is disappointing is that all configuration recommendations for BASIS and security remained the same or even became worse.
Here is a couple of examples:
- Information about default passwords is outdated. There is nothing about the TMSADM user and its default passwords, while it is one of the most common ways to get access to the system during SAP Penetration Testing. Detailed information about default passwords in SAP is available here.
- There are no checks for RFC connections that may store passwords. This is probably the second most common attack we perform during security assessments of SAP landscapes when we escalate privileges in the network by hacking connected systems.
- Almost nothing is written about the security of different SAP services, such as MMC, SAPHostControl, Enqueue Server, Message Server, IGS server, and others. Some details about SAP services security are available in our previous blog posts.
- The main section of the book lacks information about encryption; however, there are some questions related to this topic in FAQ.
- Some of the authorization checks were excluded such as S_ADMI_FCD, S_NUMBER, as well as some transaction checks.
- Some of the parameter checks were deleted such as:
- The list of top vendors which provide alternatives to SAP GRC for SoD checks is short and subjective. It doesn’t agree with lists and surveys provided by independent analyst companies such as KuppingerCole.
- Overview of SAP GRC is based on version 10.0, which was released a long time ago, the latest (10.1) version has significant improvements.
So, as a result, the part related to authorization checks in different modules was improved. Unfortunately, everything regarding technical security and the real issues that intruders exploit during cyber attacks (such as new configuration parameters, default passwords, unnecessary functionality, etc.) remains absolutely the same as it was in 2009.
In our opinion, the advantages and disadvantages of ISACA Guidelines remain pretty much the same.
Advantages: overall picture of access control checks including SAP FI/CO and SAP HCM.
Disadvantages: Technical part is outdated, some aspects are even missing. The guideline includes many checks and can't be easily applied by a non-SAP specialist. Also, it can't be applied to any system without a basic understanding of the business processes. And finally, this guideline is only officially available as part of a book or an additional set of documents which you have to buy.
Comparing those changes with the changes in DSAG guidelines, which were also recently updated, we can say that DSAG updates brought much more new insights (they will be reviewed later in the separate post).
So, it’s quite a good guide for analyzing access control issues in different modules, but almost nothing beyond that.
For those who are interested in other SAP security guidelines and checklists, we’d like to recommend our SAP NetWeaver ABAP Platform Vulnerability Assessment guide.