SAP security audit programs

SAP - Increasing Demand by Increasing Efficiency

Systems, Applications, Products (SAP) is a security auditing program that checks a computer system's data integrity and overall security. This application is accompanied by a highly flexible user interface. SAP security audit programs were introduced in the 1980s and provide the best audit resources for major companies and industry leaders.

In SAP, audit security is the foremost requirement enabling access control and separation of duties. These two areas are very important for the integration of control mechanisms. A company must plan prior to implementing SAP to obtain better access and a clear understanding of the system. This includes proper design of profiles and removal of surplus IDs. Security audit programs include many audit procedures that are designed to efficiently access a variety of transactions.

The main administrative functions of SAP security audit programs include automatic scheduling of jobs according to different user IDs, monitoring errors, administering background sessions and access to proper management functionality. As far as security settings are concerned, the SAP system audit program helps to execute online programs using different procedures and to maintain different tables. This allows access to maintain different profile parameters, including passwords and the security of default user IDs. SAP system audit programs also allow locking of sensitive transaction codes and execution of OS commands externally.

The SAP system audit program contains different audit procedures showing steps to extract useful information from a system. Some system audit program resources are highly beneficial and include audit programs for financial accounting, basic security, fixed assets, expenditures, treasury, inventory management, HR & payroll and revenue. Companies using SAP applications can create different software packages to meet their key objectives. This application is assembled in such a way that each department of an organization can be integrated.

Facebook privacy

Privacy is really important, but unfortunately the default setting of Facebook and other social networks is to push all posts, links, and media content out to everyone on your “friends” list and sometimes even to “friends of friends”. The problem with this is that not everyone on your “friends list” is a friend. Some may be immediate family, distant family or co-workers, while others are complete strangers.

There may be parts of your life you want to share with family that you don’t want co-workers on your friends list to see.

With Facebook you can manage all the content that you post by creating Lists. Once the list is created you can control who has access to what you post and upload.

How to Create Facebook Friends Lists:
1) Log in and go to Account | Edit Friends
2) Click on “Create New List” and make a name for your new list
3) Once you have your new list you can add people to that list

Limiting Access to Content:
Any time you post content you will be given the option of permitting or denying certain lists of friends (or even individuals) access to what you are posting. At the bottom of every post, near the “Share” button, there is a lock with an arrow to a drop-down featuring: Everyone, Friends of Friends, Friends, and Custom. If you click Custom, it will allow you to choose the new list you created or even specific individuals.

With this built in access control feature you have pretty good control over your privacy.

Church File Security

Whether government, corporate or faith-based, file security is important.

No matter the denomination, church file security is especially important because it deals not only with money and privacy but with the sanctity of the church community. Member, guest and family information must be protected just as much as that of the preacher, reverend, deacons, bishops, nuns, and/or administrators.

Coordination of church file security:
It is important to first identify what the church's sensitive data is. You may have in your mind which files are or aren't important to protect for the church, but you may not have the authority or prerogative to make such an important determination. Even if you do, it is important to get ideas from the staff and/or clergy about which files should be protected and what level of protection should be considered. An interview or meeting with the information owners is the first step.

Access to the church files:
Anyone with access to the church files should sign a user license agreement. This is a standard for security no matter what organization you enter. It makes sure that those who are trusted with access understand what they can and cannot do when entering the system. Items in a basic user license agreement include: what can be copied and/or installed on the system, what can and cannot be done while accessing church files, and whether or not church files are monitored for heightened security. User license agreements are usually used when multiple people have access to a medium to large network with critical resources (i.e. privacy data, financial information, sensitive data). They are also used for software, website/forum and database access.

You can find examples of a user license agreement on the Internet.

What Church Files to Protect:
Files in a church community may include mission, member, drive, donation and service information that needs to be protected. Any files dealing with money should always be protected. Personal files of church members should be protected, as should databases with potentially sensitive information. Even if the church has NO sensitive information, any files reachable from the Internet (such as web pages or FTP files and folders) should be protected with various levels of security, including: username and password (don’t EVER use anonymous for FTP), mandatory user registration, and file permission lock-down.

The reason this is important even for churches with no sensitive information is that some malicious hackers like to use other organizations' resources to upload viruses, spam, scams and pornography.

Regulations to consider:
The Privacy Act of 1974 makes it mandatory to protect the personal information of all individuals:

“No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.”

The Health Insurance Portability and Accountability Act (HIPAA) is another important law to consider when addressing church file security. Among other things, HIPAA deals with the protection of people's medical and health history.

File Permission:
Files that are sensitive for a church should have permissions assigned to them so that only authorized users (system administrators, missionaries, clergy, secretaries) have access. This is one part of access control, and most operating systems have this capability. Don’t forget that not only computers need to be protected: routers, switches and databases also need adequate security.

Authentication Chip Under my Skin

RFID Chip implant

I dreamt that I had an authentication chip under my skin in my right palm. It had some sort of RFID proxy reader allowing me to simply wave my hand over a point of sale device in a store and automatically purchase items. I could also get entry into certain facilities with the device. It was an automated authentication device that identified me based on “something I had”, but also included loads of very personal data.

In retrospect, it's kind of scary. Reminds me of the “Mark of the Beast” in Revelations or a Philip K. Dick novel.

security vs. liberty

“He who sacrifices freedom for security deserves neither.” – Ben Franklin

Security is important, but it should be done in wisdom not only fear and paranoia lest we forsake everything we seek to protect.

The military is a good example of security versus liberty.

A U.S. military installation is one of the most secure places you can be in. Depending on the resources therein, there can be fencing around the installation, mobile forces, and only a few active entry points. Entry points are controlled by armed guards, barriers, and sometimes even machine guns and “man traps”. Only authorized personnel may enter, and even “authorized personnel” can only enter certain areas once on the base. The installation is controlled by the base commander, whose laws are MUCH more strict on the base. Entering the base means you give up things like the right to protest. You can be searched at any time and you can be shot for going certain places… such as the flightline. All in all, it is the safest place to be in the event of civil unrest off base, because on base there are law enforcement, security forces, and backup ready reserve forces capable of mobilizing in a matter of minutes.

All the security, with very, very controlled liberties. Such a controlled environment requires very controlled personnel.

This is why, as a security professional, I understand what it means to have more security and lose liberties. Although many Americans are willing to give up some liberties for more national security, I fear that most don’t really realize how much they are giving up. Perhaps the biggest loss is privacy, and in this day and age personal data has become our most valuable asset. No one is going to protect it like you. Certainly not the government. It is such a large entity that it can only summarize you and your family into numbers, statistics.

U.S. servicemen and women are numbers and statistics to the federal government. They are (to some extent) owned by the federal government while serving under oath. Their dedication includes their life, if service calls for it. Their service is no trivial event. All the more reason liberty must be preserved… to honor the sacrifices of a few. True American patriotism is the preservation of every remaining freedom at any cost.

Security Now Episode #95

Steve Gibson and Leo Laporte talked about OpenID on Episode 95.  OpenID would provide a single-sign on verification for site logins.  This would not replace something like SSL (which is mutual authentication), but it would be better for simple site logins to sites like del.icio.us, digg.com and others.

BYU professor Philip J. Windley, explains how OpenID works on his site.

US National ID Card: Security or Citizen Tracker

Most American citizens violently oppose a National ID card.  The federal government can get around this in two ways: 

    1. Don’t call it a national ID card 
    2. Don’t put the federally controlled database in a federal building

The U.S. government is doing both of these things (as of 2007; it should be complete by 2009).

According to the Department of Homeland Security’s FAQ on REAL ID, it is NOT a national ID card and the feds will not create a national database:

“Is this a National ID card?

No. The proposed regulations establish common standards for States to issue licenses. The Federal Government is not issuing the licenses, is not collecting information about license holders, and is not requiring States to transmit license holder information to the Federal Government that the Government does not already have (such as a Social Security Number). Most States already routinely collect the information required by the Act and the proposed regulations.”

“Will a national database be created that stores information about every applicant?

No. The REAL ID Act and these regulations do not establish a national database of driver information. States will continue to collect and store information about applicants as they do today. The NPRM does not propose to change this practice and would not give the Federal government any greater access to this information.”

Well, piss on my back and tell me it's raining! The government is NOT creating a national ID card. The only problem with the above statements issued by the DHS is that they are bullshit.

Imagine.  ME, a security guy of all people, opposed to a National ID Card?  But I’m not the only one.

First off, what is this National ID Card REAL ID Card?

“On March 1, the Department of Homeland Security (DHS) released draft regulations [PDF] for implementing REAL ID, which makes states standardize drivers licenses and create a vast national database linking all of the ID records together. Once in place, uses of the IDs and database will inevitably expand to facilitate a wide range of tracking and surveillance activities.” – EFF

As stated above, the National ID Card for the U.S. would be based on existing state ID card and driver’s license programs. The main issue is linking all state databases together so that the federal government can track citizens.

Now you may be wondering: does this sound like something an illegal immigrant and/or criminal would not be able to falsify? (And even if they are caught, current laws for illegal immigrants are not enforced.) If illegal immigrants are not going to abide by the law, does this law really enhance the nation’s security?

Oppose the Real ID Act of 2005 

My main reason for opposing a US national ID card is that I don’t trust the federal government with a consolidated view and control of all of our information. I think all the information they gather will eventually fall into the wrong hands (on purpose or by negligence). I was in the military, so the feds already have my data, and the feds have lost MY {privacy act protected} information more than once. A branch of the U.S. government lost 25.6 million accounts including the Social Security Numbers for veterans more than once. They kept this information secret from the victims for 19 days. 19 days is ample time for someone to steal an identity once they have the information they need. In one case the data was supposedly recovered and deemed by FBI forensics as un-tampered with. Supposedly they are not creating a separate national database… but the linked state system WILL be the national database from which the feds will feed. It's a play on words and I wish people would wake up screaming about this.

There seems to be a disregard for protecting the privacy and security of citizens. The resources that would normally be used to protect us are being wasted and sent to serve other purposes. In my opinion security is still NOT being done because illegal immigrant laws are not being enforced despite the fact that there is a “war on terrorism”. Now if you don’t think something is seriously wrong about the protection of our borders at a time when there is a “war on terrorism”, read the story of Border Patrol Agent Ignacio Ramos being jailed for shooting a drug dealer trying to enter the country. The DHS officials lied to Congress about these agents (and got caught). Drug smuggler Osbaldo Aldrete-Davila is a free man. Meanwhile, other border patrol agents are being deployed to Iraq. I believe there is a reason that the law is not enforced, but I leave that speculation up to you.

Privacy Clearing House has a chronological list of data breaches starting from 2005. The more databases of large organizations (schools, federal/state, credit cards) our personal information is in, the greater the risk of ID theft and financial fraud we face. ID theft is currently the fastest growing crime in the US and UK. And it's been the fastest growing for a long time. I attribute this to organizations putting security last when it should be implemented from the very beginning and maintained aggressively.

So, a national REAL ID card registry database at the federal level may only add to the on-going issues of personal security of US citizens, which the US government does not seem too worried about.

To the credit of the U.S. federal government, the Department of Homeland Security’s Chief Privacy Officer, Hugo Teufel III, issued a Privacy Impact Assessment (PIA). According to the document, the National ID card would be difficult to falsify.

Other issues addressed in the PIA:

The PIA addresses the key privacy issues posed by the Act: (1) Does the REAL ID Act create a national identity card or database; (2) How will personal information required by the REAL ID Act be protected in the state databases; (3) How will the personal information stored on the machine readable technology on the driver’s licenses and identification cards be protected from unauthorized collection and use; and (4) Do the requirements for a photograph and address on the credential and the DMV employee background check erode privacy.

The REAL ID method will extend the life and legitimacy of the Social Security Number as a national ID number.

The DHS PIA document is exactly right when it states:

Some of the public concern about the REAL ID stems from the history surrounding the expansive use of the SSN beyond its original purpose of recording the information necessary to provide a public pension benefit.

The original purpose of the Social Security Number was to track taxation and payments for social programs under Roosevelt’s New Deal, created in the 1930s following the Great Depression. These days the Social Security Number is a de facto national ID number issued to all citizens, and you really can’t do anything significant without it (i.e. get a job… unless you are an illegal immigrant… I guess people in the US have privacy after all). BTW – collecting Social Security after age 65 is a joke… it is a program that will not support the “baby boomers” (but that is a different issue altogether).

The DHS Privacy Impact Assessment thoroughly goes through most general concerns that the REAL ID Act poses to the privacy of U.S. citizens… except for one. Put on your tin-foil hats for this one. The government works so closely with private companies (namely lobbyists pushing and paying for certain policies, bid and no-bid contracts, laws and regulations) that I believe they would give out our con$olidated information for the right price. Realistically, a national database in some form or another already exists (Social Security). But the REAL ID database would make it possible to have a REAL-time view of all transactions.

DHS PIA pg. 6: “financial institutions, retailers, hotels, health-care providers, and others may consider the REAL ID credential”. 

It sounds like the ultimate consolidation of all personal data. It will merge your social, driver’s license, and possibly financial and medical info.

You see, the REAL ID system would not just be used by the police but by PRIVATE agencies. On military installations you can’t do much of anything without a certain government ID card. The data on this REAL ID will be the cream of the crop. Particularly if it collects data on where you’ve been. But conspiracy theories on new American corporate fascism aside, people need to know that this is happening. A wake-up is long overdue for Americans. I just hope this cancerous apathy doesn’t kill the principles of the country I love.

Check out the last line of the DHS Privacy Impact Assessment:

The public is encouraged to comment on the NPRM and on the privacy issues associated with implementation of the Act in order to ensure that the final rule reflects robust public input on these important issues.

Links:

Facial Recognition to deter ID Theft

DHS Privacy Impact Assessment REAL ID Act – Chief Privacy Officer, DHS

Four State Oppose RealID (New Hampshire, Oklahoma, joined Montana, Washington – as of 10 Jun 2007)

Ron Paul opinion on amnesty for illegal immigrants and the National ID


New World Ord… I mean other things that didn’t make it into the REAL ID Act:


“Original legislation contained one of the most controversial elements which did not make it into the final legislation that was signed into law. It would have required states to sign a new compact known as the Driver License Agreement (DLA) as written by the Joint Driver’s License Compact/ Non-Resident Violators Compact Executive Board with the support of AAMVA which would have required states to give reciprocity to those provinces and territories in Canada and those states in Mexico that joined the DLA and complied with its provisions. As a part of the DLA, states would be required to network their databases with these provinces, territories and Mexican states. The databases that are accessible would include sensitive information such as Social Security numbers, home addresses and other information. The foreign states and provinces are not required to abide with the Drivers Privacy Protection Act (DPPA) and are free to access and use the sensitive information as they see fit.” – REAL ID wiki

The UK is fighting the same battle of liberties

If I trusted the government, I suppose this would not be that big a deal.

Bonus: Total “Terrorism” Information Awareness – TIA 

Multiple standardized computing environments can be monitored and controlled using Open Grid Service Architecture (OGSA). If the federal government is not using this technology to gather data from the DMV systems I would be very surprised.


Security Testing on my Windows 2000 system

I've been surfing on my Windows 2000 system while completely exposed to the Internet on my DMZ. No firewalls, no anti-virus, not even a pop-up blocker. The box is exploited immediately.

Many of the default configurations on a fresh Windows 2000 box are just plain ridiculous. For example, C$ and parts of the root are shared out on earlier versions of Windows 2000. The Messenger service, port 139 and other very easy to exploit applications and services are turned on by default on Windows 2000.

It is no wonder Windows systems are always getting taken down. Just turning off some of those services does quite a bit to close some of the holes on Windows boxes. With broadband getting more popular, the combination of unprotected systems and the viral marketing of malicious code is creating a storm on the Internet. An unprotected system is rendered completely useless in a matter of weeks (days or hours if you surf porn or serial sites).

Here are some of the vulnerabilities on Windows systems at SANS.org.

In all honesty, if you have a good firewall, virus protection, maybe a pop-up stopper and a good security configuration, you could have a Windows 98 machine and NEVER get a virus.

Domain 1.0 – General Security Concepts (Security+)

1.1 Recognize and be able to differentiate and explain the following access control models

o MAC (Mandatory Access Control)

· Access controls based on security labels (Sensitivity labels) associated with each data item

· Lattice = MAC model

· Using levels of security to classify users and data is a characteristic of MAC

o DAC (Discretionary Access Control)

· Access controls that are created and administered by the data owner are considered DAC

· Each object has an owner, which has full control over the object

· Inherent flaw in DAC is that it relies only on the identity of the user or process, leaving room for a Trojan horse

o RBAC (Role Based Access Control)

· Access control decisions are based on responsibilities that an individual user or process has in an organization

· Relationship of user, role, operation: multiple users, multiple roles and multiple operations
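The three models above side by side, as an added example (not part of the original study notes): a MAC label lattice with a dominance check, a DAC object whose owner controls its ACL, and an RBAC user/role/operation mapping. All users, labels, roles and objects are constructed sample data.

```python
# Toy implementations of the three access control models in the Security+
# notes above. This is an added illustration, not part of the original notes;
# all users, labels, roles and objects are constructed sample data.
from dataclasses import dataclass, field

# Ordered sensitivity levels for MAC labels; higher index = more sensitive.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    """MAC sensitivity label: a level plus a set of categories (compartments)."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice ordering: A dominates B when A's level is at least B's and
        A's categories are a superset of B's. This is the 'lattice = MAC' idea."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def mac_can_read(subject, obj):
    """MAC read check: the subject's label must dominate the object's label.
    The decision comes from the labels alone; no owner can override it."""
    return subject.dominates(obj)


@dataclass
class DacObject:
    """DAC: each object has an owner who fully controls its access list."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of operations

    def grant(self, actor, user, op):
        """Only the owner may change permissions; returns False otherwise."""
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).add(op)
        return True

    def allowed(self, user, op):
        # The inherent DAC weakness: the check depends only on the identity
        # asking, so any program running as that user (a Trojan horse included)
        # inherits the user's rights.
        return user == self.owner or op in self.acl.get(user, set())


class Rbac:
    """RBAC: users -> roles -> operations, all many-to-many."""

    def __init__(self):
        self.user_roles = {}  # user -> set of roles
        self.role_ops = {}    # role -> set of permitted operations

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def permit(self, role, op):
        self.role_ops.setdefault(role, set()).add(op)

    def allowed(self, user, op):
        # Decision is based on the user's responsibilities (roles), not on
        # the user's identity or on who owns the object.
        return any(op in self.role_ops.get(r, set())
                   for r in self.user_roles.get(user, set()))
```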

http://del.icio.us/rss/tag/access+control

http://del.icio.us/rss/tag/rbac