SAP Security Risks: Real ways to destroy business by breaking company's SAP applications (English Edition), by Alexander Polyakov
An ERP system is the heart of any large company. It enables all the critical business processes, from procurement, payment and transport to human resources management, product management and financial planning. All of the data stored in ERP systems is of great importance, and any illegal access can mean enormous losses, potentially leading to the termination of business processes. From 2006 through 2010, according to the Association of Certified Fraud Examiners (ACFE), losses to internal fraud constituted 7% of yearly revenue on average. Global fraud loss is estimated at more than $3.5 trillion for 2010–2012. Thus, a typical entity loses 5% of annual revenue to fraud.
You are unlikely to have heard much about vulnerabilities in business systems, and in SAP in particular. The truth is that since 2006, researchers have been highlighting technical defects and security holes in sessions at numerous information security conferences. Currently, the number of vulnerabilities found in SAP systems totals more than 3000.
Nevertheless, information about real cases and business risks related to attacks on business systems, SAP systems among them, is quite fragmented and not always directly obvious.
This book endeavors not only to collect the key risks in one place, as a helping hand to SAP owners and information security officers, but also to give some real-life examples of existing incidents or similar situations.
Thus the document contains only the key and typical problems of popular business systems such as ERP, CRM, SRM, PLM and some others. The threats mentioned in this document are grouped under the following three key categories:
• Espionage – Gaining unauthorized access to different types of secret information;
• Sabotage – Causing a system disruption or a reputational risk;
• Fraud – Manipulating company activities.
Also, at the end of each section there is some information on the total extent of the vulnerabilities in the system and comments about how they can potentially be exploited.