Enterprise Resource Planning (ERP) Security Assessment - Solution Approach:
The Business Issue:
To consolidate numerous financial management systems, this Fortune 500 multinational client migrated to a major ERP software solution which included a family of web-enabled applications, Java client-server applications, and complex database back-ends.

While the migration offered significant business benefits, the client recognized that the following risks had to be addressed:

- Numerous legacy financial systems would be replaced by the ERP architecture, thereby concentrating the firm’s crown jewels in one system.
- Implementing such a complex system on an aggressive schedule increased the risk of implementation-related security vulnerabilities.
- While the ERP vendor is one of the top 3 software vendors, its software ranges from legacy code to web services and could not simply be accepted as “secure” as delivered by the vendor.
KoreLogic’s Approach:
The sheer size of the ERP architecture ruled out an end-to-end security test, so only key components were tested using a “sampling” method. To focus the ERP application-layer testing, several of the client’s “power users” were interviewed to identify the most critical financial business processes. KoreLogic performed testing on the following components of the ERP architecture:
ERP Component | Test Approach
Business-critical ERP applications | Performed custom web- and client-server-based application testing to gauge the applications’ ability to resist an unauthorized user gaining access to them, or an authorized user escalating privileges or viewing data they are not authorized to see.
Representative sample of back-end databases | Used a KoreLogic database harvester to gather configuration settings and verified that they were effectively configured to resist attack.
Servers that host the ERP databases and applications | Used a KoreLogic operating system harvester to gather server configuration settings and verified that they were effectively configured to resist attack.
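The last two rows describe a harvest-and-check approach: pull the configuration off a sample of hosts and databases, then compare it with a hardening baseline. The script below is an added example of that pattern written for this page; it is not KoreLogic’s Harvester and not the ERP vendor’s code. The baseline entries, the two snapshots and the host names (erp-app-01, erp-db-01) are constructed for illustration; sshd_config and MySQL option names are used because their meaning is well known, but none of the values shown come from a real system.

```python
"""Harvest server/database settings and check them against a hardening
baseline, reporting deviations ordered by severity.

Added example, not KoreLogic's Harvester or the vendor's code. Baselines
and snapshots are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Union

Expected = Union[str, Callable[[str], bool]]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Check:
    name: str           # setting name as it appears in the harvested dump
    expected: Expected  # literal value (case-insensitive) or a predicate
    severity: str       # "critical", "high" or "medium"
    rationale: str


def harvest(dump: str) -> dict:
    """Parse a 'key value' / 'key = value' / 'key: value' dump into a dict.
    Comments and blank lines are dropped; keys are lower-cased so the
    baseline can be written without worrying about case."""
    settings = {}
    for raw in dump.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([\w.\-]+)\s*[=:\s]\s*(.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip("\"'")
    return settings


def evaluate(settings: dict, baseline: list) -> list:
    """Return (severity, name, actual, rationale) for each failed check.
    A setting the harvester never saw is reported as 'not set': the host
    is then running on a default the assessor has not verified."""
    findings = []
    for chk in baseline:
        actual = settings.get(chk.name.lower())
        if actual is None:
            findings.append((chk.severity, chk.name, "not set", chk.rationale))
            continue
        if callable(chk.expected):
            ok = chk.expected(actual)
        else:
            ok = actual.lower() == chk.expected.lower()
        if not ok:
            findings.append((chk.severity, chk.name, actual or "(empty)", chk.rationale))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])  # worst first, stable
    return findings


# Baselines (constructed; a real engagement carries many more entries).
OS_BASELINE = [
    Check("PermitRootLogin", "no", "high",
          "direct root logins over SSH remove individual accountability"),
    Check("PasswordAuthentication", "no", "medium",
          "password logins are exposed to guessing; keys are preferred"),
    Check("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "medium",
          "limits online password guessing per connection"),
    Check("X11Forwarding", "no", "medium",
          "unneeded on a server; widens the session attack surface"),
]
DB_BASELINE = [
    Check("require_secure_transport", "ON", "high",
          "clients may otherwise connect without TLS"),
    Check("local_infile", "OFF", "medium",
          "LOAD DATA LOCAL lets a hostile server read client files"),
    Check("secure_file_priv", lambda v: v != "", "high",
          "an empty value lets file import/export reach any path"),
]

# Snapshots (constructed samples, not harvested from any real host).
SAMPLE_SSHD = """\
# sshd_config as harvested from erp-app-01 (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""
SAMPLE_DB = """\
# mysqld options as harvested from erp-db-01 (constructed)
require_secure_transport = OFF
local_infile = ON
secure_file_priv =
"""


def run_assessment() -> dict:
    """Evaluate each sampled component against its baseline."""
    return {
        "erp-app-01": evaluate(harvest(SAMPLE_SSHD), OS_BASELINE),
        "erp-db-01": evaluate(harvest(SAMPLE_DB), DB_BASELINE),
    }


if __name__ == "__main__":
    for host, findings in run_assessment().items():
        print(host)
        for sev, name, actual, why in findings:
            print(f"  [{sev:8}] {name} = {actual}: {why}")
```

Two design points carry over to a real harvester: a setting that is absent from the dump is reported rather than silently assumed safe, because the effective default is exactly what a sampling-based review cannot see; and the baseline is data, so the same checker can be pointed at the next database or server added to the architecture without changing code.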
The following are representative findings from the testing:

- The vendor used proprietary encryption to protect data in transit. KoreLogic was able to defeat the encryption and successfully conduct man-in-the-middle attacks.
- KoreLogic discovered flaws in a different vendor’s encryption implementation which allowed KoreLogic to decrypt and encrypt sensitive data.
- KoreLogic conducted a web application assessment and identified numerous vulnerabilities that would result in compromise of the financial system.
- The KoreLogic Harvester tool was run on a representative cross-section of ERP servers to determine how the servers were configured, managed, accessed and used from a security perspective. KoreLogic identified system configuration deficiencies and recommended corrective action.
Business Benefits Delivered:
- The client realized the benefits of the new ERP solution (improved financial management efficiency, lower operational costs, numerous legacy financial systems retired) while increasing the protection of its business-critical information assets.
- Previously unknown critical and high-risk database and server vulnerabilities were corrected. Appropriate changes to the client’s security configuration procedures and operational practices were recommended.
- The client referred the critical and high-risk ERP application vulnerabilities to the vendor for corrective action. This also gives the client leverage to keep pressure on the vendor to continue improving the security of its ERP software.
- Improvements were made at the security process and procedural level so that any future system, database, or application added to the ERP architecture is implemented more securely.
- KoreLogic’s testing as an independent third-party security expert will be leveraged by the client for business partner and regulatory security due diligence.