En Español | Site Map
 
Soluciones de Seguridad Informática Cybsec Security Systems
Home PageAbout UsServicesTrainingNewsArticlesResearchContact Us Contact Us via Email
 
 

 

  CYBSEC is a security partner to the Global Security Alliance (GSA), advising SAP users on security issues. Our most outstanding professional services include: SAP architecture design within a secure environment, Security configuration and parametrization in SAP, Security audits, Compliance (SOX, PCI and ISO 27001), and Penetration Testing.
 

CYBSEC has been working and advising in SAP security issues since 2001, under UNIX, Windows and AS/400 platforms. As from 2005, they show an intense activity in the detection of vulnerabilities and have made significant contributions towards their solution.

In 2007, CYSEC began to work directly with SAP Ag Germany, establishing a fluent and highly constructive contact with security areas.

Following is a description of SAP system security related services rendered by CYBSEC:

1. Design of SAP architecture within a secure environment

The object of this service is to design or re-design the architecture of SAP with the highest security level possible.

This service is focused on defining security in the network topology of SAP components (SAP Applications Servers, Database Servers, Administrators and Final Users).

It covers the development of a secure network scheme and the security measures to be adopted: Firewalls, DMZs, Encryption, applications Firewalls, Operating system security, Database security and SAP security, among others.

2. SAP Internal security configuration and parametrization

This service provides Organizations with the necessary advise to specify the internal security level they expect for their SAP applications.

Among others, various aspects taken into consideration are:

  • Security of implemented SAP version and modules.
  • Hot Packages installed.
  • Definition and distribution of Clients.
  • Password parameters.
  • Ability to alter Systems and clients.
  • Default users password.
  • Users with unlimited transaction access.
  • Existence of blocked transactions.
  • Access to sensitive transactions.
  • Modification of system parameters and profiles.
  • Workbench Organizer Configuration.
  • Transport system access.
  • Table editing.
  • Users access level to software.
  • Existence of transportation order logs
  • Use of SAP*, SAPCPIC, Earlwatch.
  • Use of SAP_ALL, SAP_NEW profiles.

CYBSEC shall apply all the security measures necessary to achieve the highest security level.

3. SAP Infrastructure assurance

This service is aimed at reaching the highest security level possible along the entire infrastructure supported by SAP: Operating System, Database, SAP Application, Interfaces and user access.

CYBSEC will assist in the implementation of the security measures needed to reach the highest security level.

In order to ensure the security level of the operating system we work at: security configurations; audit logs; users, access passwords and profiles; permissions to critical directories, installed patches, security of enabled services, among others.

For database security purposes, we work with computer security patches, database auditing, permissions in Database directories and files, analyses of the Database owner, default passwords and specific database security parameters, among others.

For SAP Application assurance, we work in each of the aspects mentioned in item 2, SAP Internal security configuration and parametrization.

Existing interfaces (strong encryption, authentication, etc.) with other external systems providing or receiving SAP are assured.

We work on secure access on SAP users’ and administrators’ side.

The outcome of this service will be the operation of SAP with the highest security level possible.

4. Security compliance audits (SOX, PCI e ISO 27001)

These are aimed at assessing and determining the current and actual security level of SAP infrastructure, applying security auditing techniques. To complement the audits, a GAP analysis regarding regulations such as SOX, PCI* and ISO 27001 can be conducted.

The audit consists of:

  • Security review of the operating system, data base and SAP application.
  • Security analysis of SAP parametrization.
  • Security analysis of connectivity to external systems.
  • Analysis of defined users and profiles

As an outcome, companies who are SAP users will have objective information about their own security level available.

The GAP analysis allows you to assess the fulfilment levels to the international regulations on the matter.

* CYBSEC is a Qualified Security Advisor certified by the PCI Council. Click here for further information

5. Revision and assurance of Web Services (Enterprise Portal/ICM/ITS/BC/Applications)

In its continuous evolution, SAP, through the use of tools such as ITS and Business Connector, allows systems to be available from outside with the subsequent increase in the risk level.

CYBSEC experts assess the actual security level of the implementation of tools for external access to SAP through the Web establishing existing vulnerabilities, bringing forward and implementing alternatives to address them so as to increase their security level to the utmost.

Our work covers the assessment of network topology, the analysis of the current operating system and web server security. The security level of the implemented tools (ITS, Business Connector, etc), and the interconnection with the internal SAP system are assessed as well.

This service will result in the Organization having a secure use of remote functionalities at their disposal.

6. Analysis, design and implementation of secure interfaces

Interfaces meant for sending and receiving information have always been the Achilles’ heel of a system’s security.

The object of this service is to make available secure interfaces among the several systems that operate with SAP.

CYBSEC can develop a secure interface model taking into account data encryption, authentication between the involved parties, the interface internal security and its secure programming, among others.

The secure model developed is applied to the existing interfaces.

7. SAP Penetration Testing

This is aimed at having an objective external assessment on the actual security level in SAP infrastructure.

In order to carry out this test, CYBSEC experts will connect to the external network without having any kind of information available, and will try to access the systems supporting SAP infrastructure (base operating systems, databases, application servers, etc.).

This methodology allows us to determine the actual security level and rapidly detect security risks so as to move towards their solution.

8. Course on SAP Security

CYBSEC has designed a course on SAP Security, in which their experts share their experience regarding SAP security.

The course can be given in two forms: theoretical learning (8 hours) or practical training (16 hours)

Subjects for discussion are:

  • Computer Security Fundamentals in SAP.
  • Operating System Security ( Windows / UNIX ).
  • Database Security ( MS SQL Server / Oracle ).
  • Basic Security Concepts in SAP R/3.
  • SAP R/3: Transport System Security .
  • SAP R/3: User and Authentication Administration.
  • SAP R/3: Communications security.
  • SAP R/3: Security in connectivity.
  • SAP R/3: System Updating.
  • Log Analysis and Audit.
  • SapytoTool.
  • Click here to see the subjects in detail.

    If you wish to contact us, please send an e-mail to Claudia Macri, cmacri@cybsec.com or call us at 54-11-4371-4444.

     

      ©2007 Cybsec S.A. All rights reserved
    About Us | Strategic Management | Operation Management | Control Management | Incident Management | PCI Audits | Training | News | Articles | Research | Contact Us Design by Alfadesign