Welcome; Journey to Cyber-Maturity
TundeOgunkoya, DeltaGRiCConsulting
tunde@deltagricconsulting.com
The widespread myth that SAP ERP security is limited to the SoD (segregation of duties) matrix has been dispelled lately and seems more like an ancient legend now. Within the last 7 years SAP security experts have spoken a great deal about various attacks on SAP via the RFC interface, SAPROUTER, SAP Web and SAP GUI client workstations. Also, the programs developed in SAP's own language, ABAP, which exist in almost every company to customize ERP solutions, can contain program vulnerabilities left by unqualified developers or special backdoors which help insiders gain illicit access to business data.
Most of these vulnerabilities allow an unauthorized user to gain access to all the critical business data, so it is necessary to think about implementing a specific system of SAP security. Unfortunately, many information security officers are scarcely informed about the security of business applications like SAP & Oracle.
Welcome
Tunde Ogunkoya [MBA, GRCP, SAP GRC AC10.0, OWASP]
Consulting Partner, DeltaGRiC Africa
Mobility & Cloud; Next Drivers of
Technology. Where does that leave Cyber
Security?
Cyber Attacks? Where? Global Pandemic, Across All Industries
[Chart: share of cyber attacks by region] USA 42%, South America 17%, Asia 25%, Africa 3%, Australia 13%
"Cybersecurity experts say this enormous data breach is just the latest evidence that cybercrime has become a global business, one that, including all types of cybercrime, costs the world economy an estimated $400 billion a year."
http://time.com/3087768/the-worlds-5-cybercrime-hotspots/
Who's Next? Me? You? Him?
Date (2014)   Company                     Number of records exposed   Types of records
25 Jan        Michael's                   2,600,000                   payment cards
6 Feb         Home Depot                  20,000                      employee info
14 Mar        Sally Beauty Supply         25,000                      credit/debit card
17 Apr        Aaron Brothers              400,000                     payment cards
22 Apr        Iowa State University       48,729                      student social security numbers
30 May        Home Depot                  30,000                      credit/debit card
22 Jul        Goodwill Industries         868,000                     payment systems
18 Aug        Community Health Systems    4,500,000                   patient data
21 Aug        United Postal Service       105,000                     credit/debit card
28 Aug        JPMorgan Chase              1,000,000                   financial information
2 Sep         Home Depot                  56,000,000                  credit/debit card
2 Sep         Viator/Trip Advisor         880,000                     payment cards
25 Sep        Central Dermatology         76,258                      patient data
7 Nov         Home Depot                  53,000,000                  email addresses
10 Nov        US Postal Service           800,000                     personal data
18 Nov        Staples                     1,200,000                   credit/debit card
Global Leaders; Where does this leave us?
Africa thinking
What is the worth of your data on SAP?
SAP holds the corporate crown jewels:
Over 280,000 customers run SAP
87% of the Global 200, 90% of the Fortune 1000 in Africa
98% of the most valued brands
SAP touches 74% of all global transactions
USD 16 trillion of retail sales
Threat actors:
Criminal Hackers
Competitors
Partners
Nation State
Unhappy Employees
Contractors
#feesmustfall
5 Steps: Best Practice
What step do you stop at? Almost 33% of organizations stop at level 2.
[Figure: maturity staircase] Scanning -> Assessment & Compliance -> Analysis & Prioritization -> Attack Management -> Business Risk Management; Continuous Improvement
Level 1: Scanning
Vulnerability assessment, ad-hoc solution, rudimentary patching, basic process and metrics
Level 2: Assessment & Compliance
Driven by regulations, scheduled scanning, scan-to-patch lifecycle, emerging process, little measurability
Level 3: Analysis & Prioritization
Risk focused, scan data prioritization, measurable process, emerging metrics
Level 4: Attack Management
Threat focused, vectors scanned and prioritized, patching based on risk to critical assets, efficient, metric-based processes, threat-driven metrics and trends
Level 5: Business Risk Management
Risk aligned with business goals, all vectors scanned and prioritized, continuous patching, unified business and IT processes, measurable integrated enterprise management
Thank you
tunde@deltagricconsulting.com
+27606587180
Questions?