Auditing Oracle ERP - isaca.org • Overview of Regal Beloit • Scope – Oracle version 11i (11.5.7 – 11.5.10) – Relevant for R12 ... Handout – Auditing Oracle ERP • Apps

Transcript of Auditing Oracle ERP - isaca.org

Page 1:

Auditing Oracle ERP

Page 2:

SPEAKER BIOGRAPHIES

Reshad Alam is the manager of IT risk management for Regal-Beloit Corporation. Alam has 15 years' experience in IT and IT audit with firms such as Andersen Consulting and Merril. He is a Six Sigma Green Belt and recently sat for his CISA and CISM exams.

Tim Van Ryzin, CISA, CISM, is the director of security and IT risk management for Regal-Beloit Corporation. Regal-Beloit is a maker of consumer and industrial motors, employing over 25,000 employees at 100 global locations. Van Ryzin has global responsibility for disaster recovery, security, and compliance. Prior to his current position he had 20 years' experience in IT and IT audit with firms such as Arthur Andersen, Deloitte, and Harley-Davidson. He is a CISA, CISM, PMP, and Six Sigma Black Belt. In addition to his current role he is an adjunct instructor of MIS at Cardinal Stritch University.

Page 3:

Learning Objectives

• Overview of Regal Beloit
• Scope
  – Oracle version 11i (11.5.7 – 11.5.10)
  – Relevant for R12
• Key Risks/Vulnerabilities
• Oracle Audit Layers
• Oracle Demo
• Change Control
• User Access process
  – Tool Demo: ResQ
• SOD Analysis
  – Tool Demo: Fulcrum GRC
• DBA access control
• References

Page 4:

Introduction

• Tim Van Ryzin – Director, Security & IT Risk Management
  – 16 years of Oracle experience with 6 years in Audit
• Reshad Alam – IT Risk Manager
  – Prior internal audit manager & external auditor
  – CISA, CISM

Page 5:

Regal Beloit Corporation

• $3.5B global manufacturer of electrical and mechanical motion control products, serving an expansive array of markets from heavy industry to high technology
• 104 locations in 24 countries

“We convert power into motion to help the world run more efficiently.”

Page 6:

Top 10 security vulnerabilities

• Default database passwords
• Default application passwords
• Direct database access
• Poor application security design
• External application access configuration
• Poor patching policies and procedures
• Access to SQL forms in application
• Weak change control process
• No database or application auditing
• Weak application password controls

– From presentation by Jeffrey T. Hare and Stephen Kost

Page 7:

Auditing Layers

• User Access
• Application
• Database
• Operating System

Page 8:

Auditing layers

• Operating System
  – Live Demo
    • Login
    • Init parameters
    • Oracle folder structure

Page 9:

Auditing Layers

• Database
  – Live Demo
    • Login
    • Standard dictionary views
    • Audit columns

Page 10:

System Configuration

• Default Configuration
  – Instance startup/shutdown
  – Session/user auditing
  – Creation date, Created By, Last update login, Last update date, Last update by
  – User logon, unsuccessful password attempts, concurrent process execution
  – Application audit tracks inserts, updates or deletes

Page 11:

Change Control

• Impact of Change Control in Oracle
  – Data changes
  – Security changes
  – Development, code changes
  – Master data changes like supplier, shipping etc.

Page 12:

User Access

• Oracle Application Security
  – Oracle Security access demo
    • Create user
    • Set password
    • Set password expiration
    • Assign responsibility
    • End date responsibility
    • End date user

Page 13:

Greenlight Technologies Overview

− Incorporated 2004
− Headquartered in New Jersey
− Pioneer in enterprise business controls monitoring of user access & transaction risks
− Customers
  − Leading Global 2000 organizations across financial services, manufacturing, energy/utilities, telecommunications, high technology, media & pharmaceuticals
  − Emergency super‐user management customers include:

Page 14:

Greenlight ResQ

Page 15:

User Access

• ResQ Demo (5 minute)
  – Create ResQ template
  – Add responsibilities
  – Assign template
  – Create a journal entry
  – Look at the ResQ report

Page 16:

Role based Access

• Role based Security
  – Responsibilities
  – Menus
  – Functions
  – Demo (5 min.)

Page 17:

Role based Access

Responsibility → Menus → Functions

Page 18:

SOD Analysis

• SOD Analysis
  • Responsibilities
  • Menus
  • Functions
• Tools

Page 19:

SOD Analysis

• Fulcrum GRC Monitor Demo
  – Example of conflicts
  – Example of reports
  – Example of exceptions
  – Documenting justification

Page 20:

DBA Access

• Operating System
  • Use Sudo
• Database
  • Avoid direct login through ‘System’ or ‘sys’
  • No shared account
• Application
  • Avoid direct login through Sysadmin
  • Limited usage of System Administrator responsibility

Page 21:

Auditing Oracle

• Patch Management
• Additional controls
  – Developer table changes
  – Oracle directory changes

Page 22:

References

• Isaca.org
• Auditnet.org
• Oracle E‐Business Suite Controls: Application Security Best Practices – Jeffrey T. Hare
• How to Audit the Top 10 E‐Business Suite Security Risks – Stephen Kost and Jeffrey T. Hare
• Regal Beloit Oracle Infrastructure Group

Page 23:

Handout – Auditing Oracle ERP

• OS overview (AIX)

If ‘Sudo’ is being enforced, check for users who have administrative access
  – # view /etc/sudo*
  – /var/adm # lsgroup usa (‘usa’ is the group name)
  – /var/adm # grep usa /etc/sudoers
Check for users who are currently logged on to the system; check for multiple sessions, generic IDs etc.
  – more /var/adm/sulog
  – /etc/security/user (AIX specific)
  – /etc/security # more lastlog
Check the scheduler for a list of jobs that are currently scheduled
  – /var/adm/cron # more log
Check for users who have access to the server
  – cat /etc/passwd
  – cat /etc/group
Look up Oracle’s init parameters to check the default configurations such as session logins, audit on/off etc.
  – cd $ORACLE_HOME
  – more *.ora

Page 24:

Handout – Auditing Oracle ERP

• Apps and DB overview

Check who has direct database access. Run the following query in Toad or a similar Oracle app
  – Select username from all_users
Check the users that are currently logged directly in to the database (look for ‘osuser’ values that are not applmgr or oracle)
  – Select username, osuser from V$SESSION
Check who has System Administrator responsibility in Oracle Apps
  – Use concurrent program ‘Users of a Responsibility’ to find users with ‘System Administrator’ responsibility and compare that with the known administrator list
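The two handout pages above (OS sudo/group review and the V$SESSION osuser check) as one added, runnable example; this is not from the presentation or from Regal Beloit. It reads constructed copies of /etc/group, /etc/sudoers and a CSV export of the V$SESSION query instead of calling the AIX-specific lsgroup and sudo tools, and it resolves %group rules in sudoers through the group file so the full set of administrative users is listed.

```shell
#!/bin/sh
# Constructed sample inputs standing in for /etc/group, /etc/sudoers and a
# CSV export of "select username, osuser from v$session"; not real system data.
WORK=$(mktemp -d)
cat > "$WORK/group" <<'EOF'
system:!:0:root
staff:!:1:
usa:!:300:jdoe,asmith,oracle
EOF
cat > "$WORK/sudoers" <<'EOF'
Defaults requiretty
root   ALL=(ALL) ALL
%usa   ALL=(ALL) ALL
bjones ALL=(ALL) NOPASSWD: ALL
EOF
cat > "$WORK/sessions.csv" <<'EOF'
USERNAME,OSUSER
APPS,applmgr
APPS,oracle
APPS,jdoe
SYSTEM,asmith
EOF

# Members of a named group, one per line (the "lsgroup usa" step). $1=group file $2=group
group_members() {
  awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}
# Every user or %group granted a rule in sudoers, skipping comments, blanks and Defaults
sudoers_principals() {
  awk '/^[[:space:]]*#/ { next } /^[[:space:]]*$/ { next } /^Defaults/ { next } { print $1 }' "$1"
}
# Resolve %group entries through the group file to get the full set of sudo-capable users.
# $1=sudoers $2=group file
admin_users() {
  sudoers_principals "$1" | while read -r p; do
    case "$p" in
      %*) group_members "$2" "${p#%}" ;;
      *)  printf '%s\n' "$p" ;;
    esac
  done | sort -u
}
# Sessions whose OS user is neither the apps owner nor the DB owner, i.e. people
# connected straight to the database (the page 24 V$SESSION check). $1=csv file
direct_db_sessions() {
  awk -F, 'NR > 1 && $2 != "applmgr" && $2 != "oracle" { print $1 "(" $2 ")" }' "$1"
}
echo "Users with sudo access:"; admin_users "$WORK/sudoers" "$WORK/group"
echo "Direct database sessions:"; direct_db_sessions "$WORK/sessions.csv"
```

Each name the script prints is then compared against the known administrator list, exactly as the handout does for the System Administrator responsibility.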

Page 25:

Collaborate – Contribute – Connect

• www.isaca.org/knowledge-center

• The Knowledge Center is a collection of resources and online communities that connect ISACA members – globally, across industries and by professional focus – under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today!