In my past life as an IT auditor and throughout all these years at Onapsis, I have always seen a lack of cybersecurity focus on IT General Controls. Yes, it is very common to find a “security administration” section as part of these lists of controls. However, they often refer to users' ability to create other users, to assign roles, modify authorizations, change password policy parameters, assessing default accounts in the systems, etc. While those controls are critical for any organization, they are just covering a portion of the biggest risks those systems have. Security vulnerabilities in critical IT assets can have much higher risks than the ones currently being mitigated by IT General Controls.
Let me give you a clear example of what I am saying. Imagine a set of IT General Controls for the SAP ERP system with the following risks and controls:
Significant information resources may be modified inappropriately, disclosed without authorization, and/or unavailable when needed.
The password policy parameters are appropriately configured.
Control activities within the significant operations and transactions may be ineffective, and significant information resources may be disclosed without authorization, or become unavailable.
Access to the system is not allowed for former employees or temporary staff who have left the organization.
Only authorized users have access to execute programs in production environments.
What should the conditions be for a disgruntled employee to commit a specific type of fraud in the system?
- A user still valid in the system (active, unlocked)
- The user should have specific authorizations to execute a program in production
- The user should know he/she has the specific authorizations to commit fraud
- The user should find a way to avoid being detected. Most likely running several very small financial operations.
If the controls above are properly in place, it is very hard to comply with all these conditions at the same time. Even if one of these controls fails, there are other controls that still work. It is very unlikely that all these controls fail in this scenario.
Certain critical vulnerabilities (such as the known misconfigurations targeted by the public 10KBLAZE exploit) allow anyone to bypass authentication (access without user credentials), authorizations (execution without privileges), and change logs (changes without traces).
Now, what should the conditions be for a disgruntled employee to execute the same type of fraud in the system if one single critical vulnerability is there?
- A user needs access to Google to download an exploit
- The user needs access to Google to understand SAP master tables
- The user needs to follow the steps explained in the exploit documentation
Even if all the controls mentioned above are working properly. The fraud can still be executed.
These critical vulnerabilities allow bypassing all the “traditional” IT General Controls as they focus mostly on preventing bad actions from happening in the “traditional” way. If any kind of malicious action is executed in a different way, then those controls can be bypassed.
After reading this, some people may say “well... What is the likelihood of something like that actually happening?”
In 2016 and 2018, the U.S. Department of Homeland Security released two different US-CERT alerts about malicious cyber activity targeting ERP systems. In May 2019, the public release of 10KBLAZE exploits made the DHS publish another US-CERT alert to make organizations aware of this new threat targeting existing SAP misconfigurations. While these misconfigurations were previously known, the impact of a potential attack was always high, but the release of the public exploits significantly increased the likelihood of an attack.
Last but not least, IDC just published a survey of 430 IT decision-makers that found 64% of respondents reported that their ERP systems have been breached in the last 24 months.
The Department of Homeland Security is alerting about serious threats to ERP systems and now we have the results of this survey confirming the fact that these ERP systems are being breached. How can we provide the right assurance with traditional IT General Controls while these other risks are happening? If IT General Controls are not constantly reviewed and updated, they can generate a false sense of security.
After reading this blog, you may wonder where and how to start an internal cross-departmental conversation with executives. Here you have some key questions you can ask that will trigger new discussions:
- How has the scope of IT General Controls (ITGC) been defined for each business-critical application?
- Are cybersecurity controls part of the scope defined by ITGC? For example: vulnerability management, log configuration, and management, configuration baselines, network interfaces between systems, etc.
- Has continuous monitoring of threats (both internal and external) in the business-critical application been properly established?
- What tools have been implemented to monitor specific financial reporting systems?
- How often are critical security patches for your business-critical applications reviewed and implemented?
- What cybersecurity controls have been established for customized code used in business-critical applications for financial reporting?
- How are key cybersecurity controls being mapped to other regulations (besides SOX), such as NERC-CIP, PCI, GDPR, etc?
- How can the external auditor, internal auditor and management assess and test these controls above to provide the right level of assurance?
If you are interested in running a free assessment of your SAP or Oracle EBS systems to determine the level of exposure to serious deficiencies, learn more about how to get started here.