April 13, 2010, 4:30 PM — As noted in the article Hacker conference to address emerging Web threats, the Black Hat Europe conference is underway in Barcelona this week. Black Hat conferences are one of the venues that information security pros attend to learn about and discuss the latest security issues, bugs, and vulnerabilities and how to counteract them. In a world where even sovereign nations are using "hacking" techniques to penetrate and disrupt computer systems, information security is a big deal.
One of the briefings is entitled SAP Backdoors: A ghost at the heart of your business, and is delivered by Mariano Nunez Di Croce. As the title suggests, he will be discussing backdoors into the SAP system, and he offers a solution to mitigate the threat.
The exploit breaches security by bypassing SAP altogether: the attacker goes instead to the Oracle database in which SAP stores its data and reaches the systems that way. It is obviously a good idea to close that gap, and I recommend the article, but I could not help but think: how does the hacker get to the Oracle database in the first place? That is the bigger problem. If a hacker can access the Oracle database directly, you already have a security breach, whether you have patched this SAP security problem or not. Your Oracle database should be on the inside of the firewall, with no direct external access at all.
Information security is a bedrock when putting in place your IT infrastructure. All you need to do to convince yourself that your organization is under constant threat of "bad hats" is to just look over your firewall logs for a day or two. You will see all kinds of probes, bad connections, etc. You need to have in place good security, which is actually more of a process than it is a technology. By that I mean that you have to think it through, and have a plan for what technologies and techniques you will use to combat unauthorized access to your systems.
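The two points above, that the database must not be reachable from outside and that a day or two of firewall logs will show the probing, can be turned into a small review script. The following is an added example and not code from the original post or from the SAP briefing it discusses; the log format, the sample entries (RFC 5737 documentation addresses), the app-tier network `10.0.5.0/24` and the scan threshold are all constructed assumptions. It counts denied connections per source, singles out sources that touch the Oracle listener port (1521), flags sources that hit many distinct ports, and, most importantly, reports any allowed connection to the database port that did not come from the application tier, which is exactly the "direct external access" the post says should not exist.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log in a made-up format:
#   <timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>
# These are not real firewall entries; the addresses are documentation ranges.
SAMPLE_LOG = """\
2010-04-13T04:12:07 DENY TCP 203.0.113.45:51234 -> 198.51.100.10:1521
2010-04-13T04:12:09 DENY TCP 203.0.113.45:51235 -> 198.51.100.10:1521
2010-04-13T04:13:40 DENY TCP 203.0.113.45:51236 -> 198.51.100.10:3306
2010-04-13T04:15:02 DENY TCP 192.0.2.200:40001 -> 198.51.100.10:22
2010-04-13T04:15:03 DENY TCP 192.0.2.200:40002 -> 198.51.100.10:23
2010-04-13T04:15:04 DENY TCP 192.0.2.200:40003 -> 198.51.100.10:80
2010-04-13T04:15:05 DENY TCP 192.0.2.200:40004 -> 198.51.100.10:443
2010-04-13T04:15:06 DENY TCP 192.0.2.200:40005 -> 198.51.100.10:1521
2010-04-13T04:15:07 DENY TCP 192.0.2.200:40006 -> 198.51.100.10:8080
2010-04-13T04:20:11 ALLOW TCP 192.0.2.8:33000 -> 198.51.100.10:443
2010-04-13T04:20:30 ALLOW TCP 10.0.5.21:44000 -> 198.51.100.10:1521
2010-04-13T04:21:00 ALLOW TCP 203.0.113.45:51240 -> 198.51.100.10:1521
this line is garbage and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

ORACLE_LISTENER_PORT = 1521                           # Oracle TNS listener default
APP_TIER = ipaddress.ip_network("10.0.5.0/24")        # assumption: only these hosts may talk to the DB
SCAN_THRESHOLD = 5                                    # assumption: this many distinct ports from one source = probe


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text):
    """Walk the log once and return the figures a reviewer wants to see."""
    denies_per_src = Counter()          # how many denied connections each source made
    ports_per_src = defaultdict(set)    # distinct destination ports each source tried (denied)
    oracle_probes = Counter()           # denied attempts that targeted the listener port
    exposures = set()                   # ALLOWED traffic to the listener from outside the app tier
    skipped = 0                         # unparseable lines, so they are not silently lost

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        src, dport = rec["src"], rec["dport"]

        if rec["action"] == "ALLOW":
            # The database should never be reachable except from the application tier.
            if dport == ORACLE_LISTENER_PORT and ipaddress.ip_address(src) not in APP_TIER:
                exposures.add(src)
            continue

        denies_per_src[src] += 1
        ports_per_src[src].add(dport)
        if dport == ORACLE_LISTENER_PORT:
            oracle_probes[src] += 1

    scanners = sorted(s for s, ports in ports_per_src.items() if len(ports) >= SCAN_THRESHOLD)
    return {
        "denies_per_src": dict(denies_per_src),
        "oracle_probes": dict(oracle_probes),
        "scanners": scanners,
        "exposures": sorted(exposures),
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports one source probing several ports, two sources that knocked on the listener port and were denied, and one allowed connection to the listener from an address outside the app tier. The denies are the background noise the post describes; the exposure line is the finding that should end up on an audit report, because it means the firewall rule set permits exactly the direct database access the SAP backdoor relies on.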
One thing is for sure. You do not want to have a "Blanche DuBois" approach to security: "I have always depended on the kindness of strangers." Most strangers are kind, but why take the chance?
You have to balance your and your company's need to get to your own data, with the need to ensure that no one else can get to it. Your executives may want to access their reports and systems from home or from their wireless devices. That is great, and you should endeavor to put that in place -- but not at the expense of opening up your business to the world. Security also has legal ramifications -- if you take customer orders and mishandle credit card data, you are in trouble. If someone can hack into your Oracle database where this data resides, you are toast.
So, what do you do? The most important thing to do is to understand that information security is an important issue and that your company needs to have a strategy. Recognition of the problem is the first step.
Then, bring in security professionals. A security audit is an enlightening process. If you have never had one done for your organization, you will be shocked. Ensure you are sitting down when the results are presented!
I think that once you see the results, you'll know what to do.