Insight
8 Areas to Include in SAP Access Control Testing
Information Technology General Controls (ITGC) are the basic controls that can be applied to IT systems such as applications, operating systems, databases, and supporting IT infrastructure. The objective of ITGCs is to ensure the integrity of the data and processes the systems support.
Your SAP ERP applications cross all four systems: IT Infrastructure Applications, Databases, Operating Systems, and the Application Layer. Access control tests, our central focus for this post, are targeted at the Application Layer of your SAP applications. In a recent post, we discussed the importance of security health checks in monitoring SAP access, and today we want to continue the access security conversation by examining the importance of ITGC Access Controls testing in an SAP environment.
Insight
Let’s Get Cracking: A Beginner’s Guide to Password Analysis
The Focal Point Attack & Penetration team performs many internal penetration tests that culminate in a compromise of Windows Active Directory domains and access to the password hashes of all domain users. Like many teams that provide pen testing services, we have a high-powered GPU-based password-cracking rig that we use to recover high-value or time-sensitive passwords. But sometimes we’re on-site without access to our VPN or we’re in the the reporting window following a test, and someone is using the rig for an active test. Whatever the reason, we still get a lot of mileage from the classic password cracker, john, even in this age of GPU-based cracking with hashcat (which we also love but is not the focus of this post).
Insight
5 Things to Consider before Upgrading from SAP GRC 10.x to GRC 12.0
SAP released a new version of Access Control in March 2018. It became generally available in September 2018, and in January 2019, support pack 3 was issued. In this release, SAP added some new functionality and improved some of the existing functionality. These updates include integration with cloud platforms, enhanced emergency access management, a more robust UI, and more support for Identity Access Governance (IAG). Some of these changes are significant and will require some technical steps before you can upgrade. In this post, we’ll take a look at the increased functionality you’ll gain by moving to v12 and how you can prepare for this upgrade.
Insight
Top Trends in Third-Party Risk Management for 2019
You’re a CEO. You’re standing in a room with the CEOs of your two top competitors. You look to your left, and you look to your right. Odds are, two of the three of you will suffer a security breach as a result of a third party.
According to recent research from the Ponemon Institute, which surveyed more than 1,000 CISOs and other security and risk leaders in 2018, roughly 61% (just shy of two-thirds) of U.S. companies have experienced a data breach caused by a third party. What’s more alarming, that number is growing – it’s up 5% over 2017 and up 12% over 2016.
What’s fueling the rise in third-party security and privacy incidents?