8 Areas to Include in SAP Access Control Testing
Information Technology General Controls (ITGC) are the basic controls that can be applied to IT systems such as applications, operating systems, databases, and supporting IT infrastructure. The objective of ITGCs is to ensure the integrity of the data and processes the systems support.
Your SAP ERP applications cross all four systems: IT Infrastructure Applications, Databases, Operating Systems, and the Application Layer. Access control tests, our central focus for this post, are targeted at the Application Layer of your SAP applications. In a recent post, we discussed the importance of security health checks in monitoring SAP access, and today we want to continue the access security conversation by examining the importance of ITGC Access Controls testing in an SAP environment.
Let’s Get Cracking: A Beginner’s Guide to Password Analysis
The Focal Point Attack & Penetration team performs many internal penetration tests that culminate in a compromise of Windows Active Directory domains and access to the password hashes of all domain users. Like many teams that provide pen testing services, we have a high-powered GPU-based password-cracking rig that we use to recover high-value or time-sensitive passwords. But sometimes we’re on-site without access to our VPN, or we’re in the reporting window following a test and someone is using the rig for an active test. Whatever the reason, we still get a lot of mileage from the classic password cracker, john, even in this age of GPU-based cracking with hashcat (which we also love but is not the focus of this post).
5 Things to Consider before Upgrading from SAP GRC 10.x to GRC 12.0
SAP released a new version of Access Control in March 2018. It became generally available in September 2018, and in January 2019, support pack 3 was issued. In this release, SAP added some new functionality and improved some of the existing functionality. These updates include integration with cloud platforms, enhanced emergency access management, a more robust UI, and more support for Identity Access Governance (IAG). Some of these changes are significant and will require some technical steps before you can upgrade. In this post, we’ll take a look at the increased functionality you’ll gain by moving to v12 and how you can prepare for this upgrade.
Top Trends in Third-Party Risk Management for 2019
You’re a CEO. You’re standing in a room with the CEOs of your two top competitors. You look to your left, and you look to your right. Odds are, two of the three of you will suffer a security breach as a result of a third party.
According to recent research from the Ponemon Institute, which surveyed more than 1,000 CISOs and other security and risk leaders in 2018, roughly 61% (just shy of two-thirds) of U.S. companies have experienced a data breach caused by a third party. What’s more alarming, that number is growing – it’s up 5% over 2017 and up 12% over 2016.
What’s fueling the rise in third-party security and privacy incidents?
Implementing SailPoint’s IdentityIQ for an Industry Leading Gas & Electric Company
An industry-leading energy transmission and distribution company engaged Focal Point for IAM services. The company delivers electricity and natural gas to an expanding consumer base, serving approximately 302,000 electric customers and 80,000 natural gas customers across a service area that covers one of the most populated geographical regions of the northeastern United States.
A CCPA Update: Preparing for Public Forums and the Look-Back Requirement
Since the California Consumer Privacy Act (CCPA) was signed in 2018, it has stirred up considerable controversy among tech companies, privacy advocates, and government officials. This regulation has fueled an increase in state laws and ushered in the possibility of a comprehensive federal privacy law. The road to implementation for the CCPA has been a winding one. Although we are still a year away from the deadline, public forums are underway, and many organizations have already begun preparing to meet the CCPA’s 12-month “look-back” requirement. This post is an update on the current status of the regulation, the look-back requirement, and what you need to know about the CCPA public forums.