1. The risk of SQL forms within the Oracle Applications - How did that happen?
Daryl Geryol, Practice Director - GRC Services, KBACE
Jeffrey Hare, CPA CISA CIA - ERP Seminars
August 13, 2008
2. Webinar Logistics
• Hide (and unhide) the Webinar control
panel by clicking on the arrow icon on the
top right of your screen
• The small window icon toggles between a
resizable window and full screen mode
• Ask questions throughout the
presentation using the chat dialog
• Questions will be reviewed at the end of
the presentation
2 © 2006 KBACE Technologies, Inc.
3. Agenda
• Introductions
• Objective
• Survey Findings
• Risks
• Scenarios
• Recommendations
• Q&A
• Closing
4. Presenters
• Daryl Geryol, Practice Director- GRC Services, KBACE: Formerly with
Logical Apps and BearingPoint, Daryl has a decade of leadership and
implementation and upgrade experience, specializing in assessing and automating
internal controls for SOX 404, 302, OMB A-123, HIPAA, PII, and SSI, automating
business processes and delivering successful corporate governance solutions
• Jeff Hare, CPA, CISA, CIA: Jeff's extensive background includes public
accounting, industry, and Oracle applications implementation experience. His sole
focus is on the development of internal controls and security best practices for
companies running Oracle Applications. Jeff is a Certified Public Accountant (CPA),
a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor
(CIA). He is the founder of ERP Seminars and the Oracle Users Best Practices Board
and is widely published.
5. KBACE Corporate Overview
• KBACE maximizes the value that Oracle’s clients derive from their software
investment and goes to market with Oracle to augment the generation of
new license opportunities.
• Incorporated in 1998
• Privately held, employee owned, cash-flow positive since inception
• Headquartered in Nashua, NH with national presence
• Maintain significant portfolio of 250-300 Oracle install base clients
• Specialize solely on the Oracle E-Business Suite & related technology
• Multiple LOBs: Professional Services, Support Services, Analytics, Advanced Technologies, Education
• KBACE runs our business on the Oracle E-Business Suite Release 12
6. Professional Services
• Oracle Application Consulting Practices: Financials, Supply Chain, Manufacturing, Projects, CRM, Advanced Technology, Human Capital Management (HCM), Data Services, Governance Risk and Compliance (GRC)
• Development centers in Nashua, NH and Bangalore India
• Worldwide Certified Advantage Partner
• Participated with Oracle on Accelerator and Methodology
development
• Currently partnering with Oracle on Fusion validation
7. ERP Seminars
Jeffrey T. Hare, CPA CISA CIA
• Founder and CEO of ERP Seminars (http://www.erpseminars.com)
• Author of various thought leadership white papers available at
http://www.oubpb.com and in the internal controls repository (see link at
www.erpseminars.com).
• Upcoming book series on Oracle Applications Internal Controls
• Provides the seminar “Internal Controls and Security Best Practice in an
Oracle Applications Environment”
8. ERP Seminars
• Seminars- Internal Controls and Security Best Practices in an Oracle Applications Environment; upcoming new series to address both Implementing Oracle Apps and Auditing Oracle Apps, including web-delivery options
• Risk Assessment Services- User Access Controls and Segregation of Duties
Risk Assessment, Risk-Based Automated User Access Controls Analysis,
Various Security and Controls Design and Review
• Software Implementation- RFI/RFP, Vendor Selection
• Free one hour consultation
9. Objective
Oracle’s E-Business Suite has unique risks that need to be evaluated when
designing application security and controls. We will look at one of the
highest risk areas in Oracle’s E-Business Suite, forms that allow SQL
statements to be embedded in them. This webinar will address the
following:
• Overview of SQL forms and the related risks
• Examples of how SQL forms can be used to manipulate data and commit fraud
• Best practices related to SQL forms
• Strategies to monitor access to and activity in SQL forms
10. SQL Forms Survey- Awareness of SQL forms risks?
• I was not aware of the risk: 32.6%
• I have read about SQL forms, but didn't/don't understand the risks: 13.0%
• My company is aware of the risks, but has chosen not to address them: 4.3%
• My company is aware of the risks, but feels monitoring software is too expensive: 10.8%
• My company has put a third party trigger or log-based solution in place to monitor them: 4.3%
• My company uses Oracle's Sys Admin audit trail to monitor the activity: 4.3%
• My company requires all SQL form activity to go through IT Change Management: 21.7%
• My company reconciles actual activity to our Change Management approvals: 0.0%
• Other: 8.6%
11. SQL Forms Survey- How long as Oracle EBS customer?
• We are not yet live with the system: 5.1%
• We have been live less than 1 year: 2.5%
• We have been live 2 - 4 years: 20.5%
• We have been live 5 or more years: 64.1%
• Other: 2.5%
• No Responses: 5.1%
12. SQL Forms Survey- Number of Oracle users?
Response categories (pie chart): 1-50, 51-250, 251-1000, 1001-2500, 2501-5000, Over 5000
13. Risks
• What type of risks are exposed when users have access to SQL forms?
• Override of change management process
• Fraud - employees, consultants
• Data theft
• Unauthorized changes to security
• References
• Metalink note 189367.1-Best Practices for Securing the E-Business Suite
• Additional information available in the internal control repository (ICR).
14. Scenarios
• Fraudulent bank account updates for the purpose of misdirecting funds payment to a supplier
• Reset of SYSADMIN login for the purpose of unapproved access and system updates
The objective of the following scenarios is to show limited examples of how fraud may be committed. The methods shown are not meant to inspire their use for any activities that may be illegal or unethical.
The examples shown are for presentation purposes only and do not outline the full business processes or controls that are in place around those processes.
15. Scenario 1- Fraudulent Bank Account Update
• A supplier has contacted procurement about payments they have not received. Reporting shows that the payments were made, but there is an inconsistency in the system: the bank account looks as though it had been changed and then changed back, yet there is no record of this being approved.
• Cause- An Oracle Alert (a "SQL form") was used to update the bank account behind the scenes and then update it back.
16. Unapproved Alert is created
The select statement itself does not matter as long as it returns 1 row. A clever person could go so far as to fire the alert when a payment is created with the "victim" bank account and update the bank account record.
This is being done on demand; however, someone could make it much more intelligent using the Event tab.
17. Unapproved Alert is created
There are a couple of setup steps needed for triggers, but they are fairly simple and flexible. Alerts are powerful since they can launch programs, SQL statements and PL/SQL. It should be noted that normal users don't usually have access to create alerts.
Create an action set, then add an action.
Select an action type; notice SQL or OS Script.
Call a PL/SQL package or write SQL statements.
18. Take a look at the Bank account ‘BEFORE’
Bank accounts are not defined per vendor; they are defined as bank account records and then assigned to other pieces of data, for example vendors, vendor sites and payments.
This will be the bank account shown on the vendor site. This is the value seen on payments and transactions.
The bank account number is the victim. This is important because it is not usually seen on the transaction; the "name" is.
19. A payment is created
A payment is created using the "victim" bank account. The bad guy could have an alert set to see this, or just know what day payments are made so the alert can fire. The trick is to update the account after the payment record is created. Another note is that this type of fraud would likely be directed at electronic payments.
The bank account number shows here in the LOV but not on the form.
20. The unapproved Alert is fired
The alert may be manually initiated to update the account. The smart perpetrator may go as far as changing the account back after the EFT is completed so it will be tougher for someone to catch what has happened.
The alert is raised, which will update the records. The last updated date and last updated by will not change. It will look as if the last person changed the record.
21. Bank account “AFTER” payment and back again
If someone were to review the bank account record, the account number would be different. The last updated date and last updated by would not show any difference from before.
The perpetrator could then update again and effectively wipe away some of the tracks!
The bank account number changed (10271-17621-620 in one screenshot, 10271-17621-619 in the other), yet both records show Updated by dgeryol at 6:41:02 pm.
22. Scenario 2- Reset of SYSADMIN login
• Upon routine audit of the system, the system admin could not log in to the SYSADMIN account. The audit reports also showed a high number of logins by the SYSADMIN user and updates to key profile options. There was no record of approval for any changes by this user, and profile options are not normally updated with this login.
• Cause- A quality plan from the Oracle Quality application was used to reset the SYSADMIN password so that illegal logins and updates could be made.
23. SYSADMIN login- Normal
Admin personnel may use the SYSADMIN application user for certain admin tasks. The password is tightly controlled (the screenshot shows the sample password 123@!ABc).
SYSADMIN normally has keys-to-the-kingdom type responsibilities.
24. Oracle Quality- not just for Quality Control!
Oracle Quality is a powerful application used in areas like receiving and manufacturing to help capture data related to quality, measurement, specifications and other similar data. The data entered into plans can translate into automated reporting, notifications and updates to other areas of the system.
Setup is normally where you will find the function to create plans; however, many users have this function available for creating ad hoc plans.
25. Create a QA plan
A fraudulent QA plan is created with minimal information. These plans can be deleted once they have been used, which removes many traces of what has been done.
A bogus QA plan is created.
Actions... access to GOLD.
26. Create the condition and pick the event
Once a plan is created, you need only define the action condition that triggers your action. You then just pick your method to execute.
This sets up a condition or trigger value.
Here are my choices to do damage: Operating System scripts and SQL scripts.
27. Create the action details (sql entry)
Using the details window you can write a SQL statement or call PL/SQL procedures to do your bidding.
EXECUTING A STANDARD ORACLE PACKAGE TO UPDATE A USER'S PASSWORD WITHOUT KNOWING THE EXISTING PASSWORD.
28. Enter a QA result to initiate the plan's illegal update
To execute the plan a simple entry must be made into the fraudulent plan with
the trigger condition.
Entering QA results is a fairly
standard function
29. Entering the trigger condition initiates an update
When the trigger condition is entered and saved, a periodic alert is run. This is really the only indicator that something has been done. The alert itself is not really traceable since we can delete our trail!
TRIGGER CONDITION INITIATED THE PERIODIC ALERT
30. USER MAKES ILLEGAL LOGIN AS SYSADMIN
The offending user now logs in as SYSADMIN with the password that was set (the screenshot shows it as welcome123).
31. Recommendations
Conduct a thorough analysis of the system to identify SQL forms (see references) and also control risks on master data and system setup forms. Review users that have access to any 2 of the following 3 risk areas: system setups, master data, transaction forms.
If there are no system controls, there should be well-documented and closely monitored manual controls. System controls are recommended and should cover the following:
• Segregation of Duties
• Change Control
• System Auditing or Monitoring
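A worked version of that two-of-three review, added here as an illustration and not code from the presenters; the responsibility, function and user names are constructed and are not Oracle's own function definitions:

```python
# Risk areas from the recommendation: a user who can reach two of the
# three is flagged, and any SQL form access is reported on its own.
RISK_AREAS = {"system_setup", "master_data", "transaction"}

# Constructed responsibility -> [(function, risk_area, is_sql_form)] map.
# Names are illustrative assumptions, not Oracle's seeded definitions.
RESPONSIBILITIES = {
    "Payables User":       [("Invoices", "transaction", False),
                            ("Payments", "transaction", False)],
    "Payables Supervisor": [("Suppliers", "master_data", False),
                            ("Bank Accounts", "master_data", False)],
    "Alert Manager":       [("Define Alerts", "system_setup", True)],
    "Quality Manager":     [("Collection Plans", "system_setup", True),
                            ("Enter Quality Results", "transaction", False)],
}

# Constructed user -> responsibilities assignments.
USER_RESPS = {
    "ap_clerk": ["Payables User"],
    "ap_super": ["Payables User", "Payables Supervisor"],
    "dev_user": ["Alert Manager", "Payables User"],
    "qa_lead":  ["Quality Manager"],
}

def user_exposure(user):
    """Return (set of risk areas reachable, list of SQL-form functions)."""
    areas, sql_forms = set(), []
    for resp in USER_RESPS.get(user, []):
        for func, area, is_sql in RESPONSIBILITIES.get(resp, []):
            areas.add(area)
            if is_sql:
                sql_forms.append(f"{resp}/{func}")
    return areas, sql_forms

def review_users(users=None):
    """Flag users holding 2+ of the 3 risk areas or any SQL form."""
    findings = {}
    for user in users or USER_RESPS:
        areas, sql_forms = user_exposure(user)
        hit = sorted(areas & RISK_AREAS)
        reasons = []
        if len(hit) >= 2:
            reasons.append("sod:" + ",".join(hit))
        if sql_forms:
            reasons.append("sql_form:" + ";".join(sql_forms))
        if reasons:
            findings[user] = reasons
    return findings
```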
32. Best Practices
• Segregation of duties
• It is not all about transaction forms. If users do not need to see data such as bank accounts, do not let them. Keeping the data out of sight removes the temptation.
• Do not allow end users to have access to SQL forms. These are meant to be configured as
part of the system and not as a day to day production task.
• An overall risk assessment should highlight those with access to these areas and to SQL forms.
• Change Control
• Do not allow sensitive information or master data to get changed without a good change
process.
• Master data management can be a great success to an organization, or a great risk.
• Changes to system setups such as SQL forms should be under change control
• System Auditing or Monitoring
• Audit key data for setups and master data
• Review audit reports regularly to reconcile approved activity to actual activity
• Remediate the conditions that led to any unauthorized activity
33. Monitoring Strategies
• Record History (row who?)
• Limitations
• Advanced Oracle Auditing
• Pros
• Cons
• Alerts
• Pros
• Cons
• Triggers / Logs
• Pros
• Cons
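The Record History limitation above (a direct SQL update leaves the row's last-updated columns untouched) and the best-practice reconciliation of approved to actual activity, as an added Python example that is not from the presentation; the audit log rows and approvals are constructed, and a trigger- or log-based audit trail on the bank account table is assumed to exist:

```python
from datetime import datetime, timedelta

# Constructed trigger-based audit rows for a bank account table:
# (when, account_id, old_number, new_number, row_who_user, row_who_timestamp).
# row_who_* are the values the application row carried after the change;
# an update made through a SQL form leaves them untouched, as in Scenario 1.
AUDIT_LOG = [
    ("2008-08-13 14:02:10", 501, "10271-17621-619", "10271-17621-620", "dgeryol", "2008-08-12 18:41:02"),
    ("2008-08-13 16:30:45", 501, "10271-17621-620", "10271-17621-619", "dgeryol", "2008-08-12 18:41:02"),
    ("2008-08-13 09:15:00", 777, "5555-0001", "5555-0002", "ap_super", "2008-08-13 09:15:00"),
]

# Constructed change-management approvals: (account_id, approved_on_date).
APPROVALS = {(777, "2008-08-13")}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def reconcile(log=AUDIT_LOG, approvals=APPROVALS, revert_window=timedelta(hours=24)):
    """Return (account_id, row_who_user, finding) tuples for suspicious changes."""
    findings = []
    last = {}  # account_id -> (time, old, new) of the previous audited change
    for when, acct, old, new, who_user, who_ts in sorted(log):
        t = parse(when)
        # 1. Row-WHO columns older than the audited change: the form did not
        #    make this update, so Record History alone would have missed it.
        if parse(who_ts) < t:
            findings.append((acct, who_user, "who_columns_stale"))
        # 2. No change-management approval covering that account and day.
        if (acct, when[:10]) not in approvals:
            findings.append((acct, who_user, "no_approval"))
        # 3. Change-and-revert within the window (the "changed back" pattern).
        prev = last.get(acct)
        if prev and prev[2] == old and prev[1] == new and t - prev[0] <= revert_window:
            findings.append((acct, who_user, "reverted_within_window"))
        last[acct] = (t, old, new)
    return findings
```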
34. Q&A
• Any questions that we do not get to will be
addressed via email
• Please email all other questions to the
presenters directly
• Webinar replays at www.kbace.com (Services tab, Webinars):
http://www.kbace.com/Services/Webinars.aspx
35. Thank You
Daryl Geryol, Practice Director - GRC Services, KBACE
dgeryol@kbace.com
www.kbace.com
(262) 649.2916
Jeffrey Hare, CPA CISA CIA - ERP Seminars
jhare@erpseminars.com
www.erpseminars.com
www.oubpb.com
(602) 769.9094