Knowledgeable users of SAP ERP can access extremely powerful system functions beyond what they should need for their daily work, simply by learning about SU01 (user functions), SE16 (system data browser), DDIC (generic administrator logon) and so forth. It is important to realize that these are powerful system management queries that can result in extensive damage or data loss. Knowledge of these functions, combined with a “borrowed” password, may be all that stands between your organization and a serious data breach.
For example, if a disgruntled employee intends on leaving, they can export the entire list of customers or vendors, no matter if the list is 1,000 or 1,000,000 records. A DDIC logon completely conceals the user executing it, unless a second factor of biometric identification is added to the process. If a malicious employee uses such an anonymous log-on to upload malware into the system, or move it from DEV to PROD, only a biometric credentialing component will be able to identify the user correctly, assign the appropriate credentials for the requested action, and even deny the user’s action.
If a former employee, contractor, auditor, intern, or temporary worker can still access the system because they have knowledge of a valid password, they would effectively be what is known as a “ghost worker”. In the absence of biometric credentialing that would help prevent such unauthorized access, the security breaches shown above are not preventable.
Threats in Data Security include:
- Browser functions such as SE16, SU01
- Generic logon such as DDIC, firefighter
- Transport Manager
- Perimeter Access Control
Related Case Studies
