Cyber attacks make for all too common headlines these days. Recent examples are Talk Talk, HSBC, the BBC, the Irish Lottery, plus there are many many more. An increasing number of attacks have involved SAP systems, perhaps most notably the Greek Ministry of Finance.
This article is designed to explore how you can be better protected from the potential or actual breach of data theft, fraudulent activity or cyber attack within your SAP systems by using user behaviour profiling.
The most common type of attack is the Distributed Denial of Service (DDoS) attack, which is aimed largely at disrupting the operation of a business; for instance, the January 2016 HSBC attack caused a two-day outage which prevented their customers from performing any online banking.
As serious and disruptive as DDoS attacks are, there is probably an even greater fear that most organizations share, and that is the theft of their data and the fraudulent use of it. Such threats can come from outside an organization via cyber attacks or from within the organization. As could be seen from the effects of the cyber attack and data theft from Talk Talk (October 2015), the ensuing media focus caused immense financial and reputational damage to the company; not only because of the public perception that they had weak security, but equally because the company was so slow to identify and confirm which data had actually been stolen.
"TalkTalk says the cyber attack it suffered in October has lopped £15m off trading revenue as well as forcing it to book exceptional costs of £40m-£45m, and losing it up to 101,000 customers"
In our home lives, as well as within Information Technology, we like to have multiple layers of protection to secure the things that we value.
For instance, our motor cars might be protected by the following security layers;
Unfortunately, one well-known phenomenon of recent times is that the high level of sophistication built into car security itself means that the easiest way to steal a car is now to break into the owner's house and steal the key.
Or in other words - obtain valid credentials to gain access to the car.
As a final layer of protection, you may therefore have added a real-time tracking device to your car. This layer of protection provides two vital additional security mechanisms; (a) you may receive a phone call to alert you that the car is moving (i.e. unusual behaviour has been detected) and (b) the tracking device will also provide GPS information as to where your car is now.
This additional layer of protection is what we like to refer to as the "user behaviour layer of protection".
If we have knowledge of what each user's normal behaviour is, then we can use this knowledge to also identify abnormal behaviour.
As with our car, we also protect our corporate data using various layers. There are a number of Data Security Protection Layer models published but, generally speaking, they will cover;
However, as with our car, the levels of sophistication within each of these layers have become so high that the most effective way to steal data or defraud a company is to first obtain some valid user credentials.
Gaining access to valid user credentials is the ultimate prize to a hacker or fraudster. Not only is having valid user credentials valuable to gain access to corporate IT systems, but the most valuable asset they want to steal is actually more valid user credentials; usually in the form of credit card information or account access details. We have experience of a case where an employee attempted to steal 15,000 employee records from SAP HR to try and sell on to an insurance company, and of sales employees taking sales data to sell on to competitors.
Sadly, gaining access to an initial set of valid user credentials can be all too easy. Common methods include;
SAP Systems can have some additional risks with valid user credentials such as;
Governance, Risk Management and Compliance (GRC) goes a long way to protect your systems from many data security threats, but it does relatively little to protect you from data theft, fraudulent activity or malicious attack via the use of valid user credentials.
GRC is not enough because it primarily focuses on the risks of what a user can do with their Userid (static) and not on the risks of what a user actually is doing with their Userid (dynamic).
If you have given an employee the authorization necessary to directly read SAP tables then will you always know when and what they have actually used that authorization for? What if they, or someone who has gained access to their user credentials, has downloaded a copy of your customer credit card table, or a list of customers names and addresses? Would you know? When would you know? Immediately? Next month? At next audit time?
SAP Basis employees often, and quite validly, have broad levels of access to data which could potentially be used to circumvent corporate procedure. What if they directly updated their HR absence record instead of going through the SAP Portal? What if their userid was used to view other employees bank details or salary details? Would you know?
If you are a bank, telecommunications company, or a utility company, then the likelihood is that some of your employees are also customers. How do you know if they have used their quite valid authorizations within SAP to directly update their own account information; perhaps they reduced their phone usage data prior to their next bill?
Behaviour Profiling is therefore the last line of defence when it comes to detecting potential threats to the security of your systems and data.
Behaviour Profiling goes beyond asking the typical GRC question of "can they or can they not do something?" and instead asks "is what they are doing right now normal for this user?"
More specifically, behaviour profiling is concerned with 3 main areas;
This involves learning and building a behaviour profile of each user based upon their actual typical day-to-day activity. We can do exactly this by using intelligent software such as Xpandion's ProfileTailor™ Dynamics, which would then alert us when a user acts outside of their typical day-to-day behaviour.
For instance, if we have automatically learnt that 'USERABC' normally uses SAP between 9am and 5pm, Monday to Friday, but their Userid was used at 2am on a Sunday morning, then we would want to be alerted. Normal GRC will not cater for such an occurrence, as the userid is valid, it was used within the scope of their authorizations, and no SoD violations occurred. The access may also have come from an IP address outside the normal expected address range, causing further suspicion.
Another example might be that 'USERXYZ' has just used transaction code VA01 to create a sales order. 'USERXYZ' has always had access to use VA01 so no violation has occurred, however, they have not used the transaction code in over 4 months. Why have they suddenly started using it now? Has someone gained access to their credentials in order to create a bogus order?
As well as comparing a user's behaviour against their own 'typical' behaviour we could also compare their behaviour against others from their department or against others with equivalent roles within their department.
We could also deploy a scoring system to provide potential severity levels against such monitoring. For instance, an HR user looking at HR salaries for the first time = low risk but a SAP BASIS user looking at HR salaries for the first time = high risk.
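The profiling and scoring described above, worked through as an added example (this is not ProfileTailor™ Dynamics code, nor anything from Xpandion; it is a self-contained illustration). It learns each user's weekday and working-hour envelope, their client /24 networks and the last use of each transaction code from a constructed history in the shape of SAP Security Audit Log fields, then scores a new event: out-of-hours or unseen-network activity, a transaction dormant for more than 120 days, and a first use of a sensitive transaction weighted by whether it is routine for the user's department (the HR-versus-Basis case in the text). The user names, departments, IP addresses and the weight table are all assumptions made for the example; the transaction codes (VA01/VA02/VA03, PA20/PA30, SM50, ST22) are standard SAP codes.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed learning history: (user, ISO timestamp, transaction code, client IP).
# Shaped like fields from the SAP Security Audit Log; sample data, not a real extract.
HISTORY = [
    ("USERABC", "2016-01-04T09:12:00", "VA01", "10.1.20.15"),
    ("USERABC", "2016-01-05T10:40:00", "VA02", "10.1.20.15"),
    ("USERABC", "2016-01-06T14:05:00", "VA03", "10.1.20.22"),
    ("USERABC", "2016-01-07T16:50:00", "VA01", "10.1.20.15"),
    ("USERABC", "2016-01-08T11:30:00", "VA03", "10.1.20.15"),
    ("HR01",    "2016-01-04T09:00:00", "PA20", "10.1.40.8"),
    ("HR01",    "2016-01-08T15:00:00", "PA20", "10.1.40.8"),
    ("BASIS01", "2016-01-04T08:00:00", "SM50", "10.1.30.5"),
    ("BASIS01", "2016-01-06T19:30:00", "ST22", "10.1.30.5"),
]
# Assumed organisational context: each user's department, and the department
# for which a sensitive transaction is routine (PA20/PA30 = HR master data).
DEPARTMENT = {"USERABC": "SALES", "HR01": "HR", "BASIS01": "BASIS"}
SENSITIVE_TCODES = {"PA20": "HR", "PA30": "HR"}
DORMANT_AFTER = timedelta(days=120)          # "not used in over 4 months"
# Assumed weight per deviation; the sum maps to a severity level.
WEIGHTS = {"weekday": 2, "hours": 2, "network": 2, "dormant": 2,
           "first_use": 1, "dept_mismatch": 3}


def build_profiles(history):
    """Learn per-user baselines: weekday and hour envelopes, the /24 networks
    the user connects from, and the last time each transaction was used."""
    profiles = {}
    for user, ts, tcode, ip in history:
        when = datetime.fromisoformat(ts)
        p = profiles.setdefault(user, {"weekdays": set(), "hours": set(),
                                       "networks": set(), "last_use": {}})
        p["weekdays"].add(when.weekday())
        p["hours"].add(when.hour)
        p["networks"].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        p["last_use"][tcode] = max(when, p["last_use"].get(tcode, when))
    return profiles


def assess(profiles, user, ts, tcode, ip):
    """Score one new event against the user's learned profile.
    Returns (severity, list of human-readable reasons)."""
    when = datetime.fromisoformat(ts)
    p = profiles.get(user)
    if p is None:
        return "HIGH", ["no learned baseline for this user"]
    findings = []
    if not (min(p["weekdays"]) <= when.weekday() <= max(p["weekdays"])):
        findings.append(("weekday", "activity on an unusual weekday"))
    if not (min(p["hours"]) <= when.hour <= max(p["hours"])):
        findings.append(("hours", "activity outside learned working hours"))
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    if net not in p["networks"]:
        findings.append(("network", f"access from unseen network {net}"))
    last = p["last_use"].get(tcode)
    if last is None:
        findings.append(("first_use", f"first ever use of {tcode}"))
    elif when - last > DORMANT_AFTER:
        findings.append(("dormant", f"{tcode} dormant for {(when - last).days} days"))
    expected = SENSITIVE_TCODES.get(tcode)
    if expected is not None and DEPARTMENT.get(user) != expected:
        findings.append(("dept_mismatch",
                         f"{tcode} is sensitive and not routine for {DEPARTMENT.get(user)}"))
    total = sum(WEIGHTS[kind] for kind, _ in findings)
    severity = ("HIGH" if total >= 3 else "MEDIUM" if total == 2
                else "LOW" if total == 1 else "NONE")
    return severity, [text for _, text in findings]


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Constructed new events: a normal order, the Sunday 2am case, a dormant
    # transaction, an HR user's first PA30, and a Basis user's first PA30.
    for event in [("USERABC", "2016-01-11T10:00:00", "VA01", "10.1.20.15"),
                  ("USERABC", "2016-01-10T02:00:00", "VA01", "203.0.113.7"),
                  ("USERABC", "2016-05-16T10:00:00", "VA01", "10.1.20.15"),
                  ("HR01", "2016-01-11T10:00:00", "PA30", "10.1.40.8"),
                  ("BASIS01", "2016-01-12T10:00:00", "PA30", "10.1.30.5")]:
        print(event[0], event[2], *assess(profiles, *event))
```

The envelope checks (earliest to latest weekday and hour seen) are deliberately loose so that a handful of training records does not produce an alert on every new hour; in production the baseline would be learned over weeks and could also be compared against the user's peer group, as the text suggests.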
There can also be more generic unusual behaviour that can indicate a cyber threat. An example of this could be that two different userids were logged in from the same IP address. Could this indicate that someone has access to another employee's credentials and is using the two sets of credentials in order to circumvent Segregation of Duties detection?
Another example might be that an HR employee has updated their own SAP HR record. As they are an HR employee, they have the correct authorizations to do this, so suspicion would not normally be aroused. Not so with user behaviour profiling, as that would detect the unusual (or undesired) behaviour of them accessing their own HR data.
Perhaps a user has logged into SAP without first logging into Active Directory, which could mean that an AD user has access to another user’s SAP credentials.
When we look at specific unusual behaviour we are referring to protecting our most valuable assets. It is unavoidable that some user credentials have to be powerful; for instance SAP BASIS employees, PowerUsers, Superusers, Firefighter IDs. Such Userids are essential within a crisis, however, in the wrong hands they can also seriously damage a business.
Even though you may not want to limit the capabilities of these userids there are always going to be some activities that (a) you would NEVER expect one of these userids to be used for and (b) you would always want to be alerted to regardless.
For instance, an emergency firefighter ID would legitimately have the capability to read and update SAP data tables directly. However, you would still never expect such an ID to be used to directly download data from your Credit Card table. Again, user behaviour profiling can be used to look for such activity and to alert you in near real-time as to when such events actually occur.
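The four rules from the last two sections, written as an added example rather than anything from the original article or from Xpandion's product: two SAP userids logging on from one client IP within a short window, an HR user maintaining their own personnel record, an SAP logon with no preceding Active Directory logon for the person who owns the account, and a firefighter ID exporting a table it should never touch. The event stream, the SAP-user-to-AD-account mapping, the personnel numbers, the firefighter ID `FF_01` and the custom table `ZCREDITCARD` are all constructed for the example; PA30 is the standard HR master data maintenance transaction.

```python
from datetime import datetime, timedelta

# Constructed event stream merging Active Directory logons and SAP activity.
# Keys: src ("AD" or "SAP"), ts (ISO), user, ip, action, optional target.
EVENTS = [
    {"src": "AD",  "ts": "2016-01-11T08:55:00", "user": "jsmith",  "ip": "10.1.40.8",  "action": "LOGON"},
    {"src": "SAP", "ts": "2016-01-11T09:02:00", "user": "HR01",    "ip": "10.1.40.8",  "action": "LOGON"},
    {"src": "SAP", "ts": "2016-01-11T09:30:00", "user": "HR01",    "ip": "10.1.40.8",  "action": "PA30",
     "target": "PERNR:10045"},                       # HR01's own personnel number
    {"src": "SAP", "ts": "2016-01-11T10:15:00", "user": "USERABC", "ip": "10.1.20.15", "action": "LOGON"},
    {"src": "AD",  "ts": "2016-01-11T10:18:00", "user": "bwhite",  "ip": "10.1.20.15", "action": "LOGON"},
    {"src": "SAP", "ts": "2016-01-11T10:20:00", "user": "USERXYZ", "ip": "10.1.20.15", "action": "LOGON"},
    {"src": "SAP", "ts": "2016-01-11T11:00:00", "user": "FF_01",   "ip": "10.1.30.5",  "action": "DOWNLOAD",
     "target": "TABLE:ZCREDITCARD"},
]
# Assumed mappings: SAP userid -> AD account of the person who owns it
# (None for shared emergency IDs), and HR userid -> own personnel number.
AD_ACCOUNT = {"HR01": "jsmith", "USERABC": "agreen", "USERXYZ": "bwhite", "FF_01": None}
OWN_PERNR = {"HR01": "10045"}
FIREFIGHTER_IDS = {"FF_01"}
NEVER_EXPORT = {"ZCREDITCARD"}        # tables a firefighter ID must never download
SHARED_IP_WINDOW = timedelta(minutes=15)
AD_LOGON_WINDOW = timedelta(hours=12)


def _when(event):
    return datetime.fromisoformat(event["ts"])


def _finding(rule, severity, user, detail):
    return {"rule": rule, "severity": severity, "user": user, "detail": detail}


def detect(events):
    """Run the four rules over a time-ordered event stream; return findings."""
    findings = []
    ad_logons = []            # (time, account) seen so far
    sap_logons_by_ip = {}     # client ip -> [(time, userid)]
    for e in sorted(events, key=_when):
        when, user = _when(e), e["user"]
        if e["src"] == "AD":
            if e["action"] == "LOGON":
                ad_logons.append((when, user))
            continue
        if e["action"] == "LOGON":
            # Rule 1: a different SAP userid from the same IP shortly before.
            for prev_when, prev_user in sap_logons_by_ip.get(e["ip"], []):
                if prev_user != user and when - prev_when <= SHARED_IP_WINDOW:
                    findings.append(_finding("shared_client_ip", "MEDIUM", user,
                                             f"{prev_user} also logged on from {e['ip']} at {prev_when:%H:%M}"))
            sap_logons_by_ip.setdefault(e["ip"], []).append((when, user))
            # Rule 2: personal SAP userid used without the owner's AD logon beforehand.
            account = AD_ACCOUNT.get(user)
            if account is not None and not any(
                    acc == account and timedelta(0) <= when - t <= AD_LOGON_WINDOW
                    for t, acc in ad_logons):
                findings.append(_finding("sap_logon_without_ad", "HIGH", user,
                                         f"no AD logon for {account} in the last {AD_LOGON_WINDOW}"))
        elif e["action"] == "PA30" and e.get("target", "").startswith("PERNR:"):
            # Rule 3: HR user maintaining their own personnel record.
            pernr = e["target"].split(":", 1)[1]
            if pernr == OWN_PERNR.get(user):
                findings.append(_finding("own_hr_record_update", "HIGH", user,
                                         f"maintained own personnel number {pernr}"))
        elif e["action"] == "DOWNLOAD" and user in FIREFIGHTER_IDS:
            # Rule 4: emergency ID exporting a table on the never-export list.
            table = e.get("target", "").split(":", 1)[-1]
            if table in NEVER_EXPORT:
                findings.append(_finding("firefighter_forbidden_export", "HIGH", user,
                                         f"downloaded table {table}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"], f["rule"], f["user"], "-", f["detail"])
```

Note that rule 4 fires on an action the firefighter ID is fully authorised to perform; GRC sees no violation, and only the behavioural rule turns the event into an alert. The AD correlation in rule 2 depends on having a reliable userid-to-account mapping, which is why shared IDs are mapped to `None` and skipped rather than generating noise.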
Hopefully this article has provided a thought-provoking insight into how using SAP user behaviour profiling can provide a crucial line of defence against the ever-increasing threats that our corporate systems and data come under.
If you would like to find out more about how ProfileTailor™ Dynamics can help with user behaviour profiling then please do contact us.