Whitepaper on AuthShield Two Factor Authentication with SAP


By AuthShield Labs Pvt. Ltd

Table of Contents

1. Overview
2. Threats to account passwords
  2.1 Social Engineering or Password Sharing
  2.2 Reuse Logins
  2.3 Identity thefts: Phishing
  2.4 Virus, worms, Trojans
3. Protecting SAP Accounts
  3.1 Two Factor Authentication: Why do you need it?
    3.1.1 Hard Token
    3.1.2 SMS Token
    3.1.3 Mobile Token
    3.1.4 Soft Token
4. SAP Login Architecture
  4.1 Integration of Two Factor Authentication with SAP GUI
    4.1.1 Architecture
    4.1.2 Process
  4.2 Integration of Two Factor Authentication with SAP Netweaver
    4.2.1 Architecture
    4.2.2 Process
5. Features
6. Advantages of using AuthShield
7. About Us

1. Overview

SAP, an acronym for Systems, Applications and Products, is a German software company and one of the world's largest ERP solution providers. SAP ERP is used across thousands of different industries all over the planet; 70% of the companies on the Forbes 500 list run on an ERP provided by SAP. The ERP delivers a comprehensive set of integrated, cross-functional business processes. A large number of companies today use SAP ERP to improve productivity and insight, align strategy with operations, reduce costs and support changing industry requirements. With the rapidly growing importance of SAP in an organization's daily work processes, it has become one of the most critical targets for an attacker trying to harm the organization. With organizations moving away from the security of a private network to the cloud, new threats are constantly emerging and evolving online.

Hundreds of organizations around the world are running unpatched, Internet-facing versions of SAP software, exposing them to data theft. SAP exploits are part of a thriving underground trade, particularly as organizations in Asian countries expose their systems with new SAP deployments. Access to ERP provides immediate access to complete enterprise information, as SAP databases are usually shared by several functions in different functional units participating in the same business process. Access to SAP may lead to leakage of HR or financial data, corporate secrets or, in certain cases, even SCADA systems. Most SAP breaches are caused by the single factor of authentication that users rely on to log into SAP. As per a recent report released at a security conference in 2013, 22% of SAP vulnerabilities arise from missing authorization checks. In such an environment it has become critical to secure SAP systems with Two Factor Authentication.

2. Threats to account passwords

2.1 Social Engineering or Password Sharing

Most people end up sharing their passwords with friends or colleagues. The act may be deliberate or accidental, but the fact remains that a user seldom even remembers the number of people the account details may have been shared with. At the same time, passwords are not changed at frequent intervals, giving an outsider unlimited access to an account. Occasionally, users also fall prey to common social engineering techniques and end up revealing the answers to their security questions, thereby giving intruders a chance to gain unauthorized access to the account.

2.2 Reuse Logins

A user on the net usually has more than one account. Most users end up using the same or similar passwords across multiple accounts, so that an inadvertent leak of one password may provide access to all of those accounts.

2.3 Identity thefts: Phishing

One phishing attack at a bank, online portal, store, BPO etc. can lead to the loss of thousands of accounts in a single step. Phishing acquires details such as credentials to SAP and other critical applications by masquerading as a trustworthy entity. Such an information breach by authorized personnel, whether intentional or accidental, can cause irreparable damage to an organization.

2.4 Virus, worms, Trojans

"The best way to beat a thief is to think like one."

Keyloggers, remote sniffers, worms and other types of Trojans have been used since the evolution of the internet to steal users' identities. Most data is accessed from stolen computers and laptops or by hackers capturing data on unprotected networks.

3. Protecting SAP Accounts

When your organization banks on you, what do you bank on?

Prevention is always better than cure. This is truer today than ever before, when the theft is conducted on the net with no physical threat and at little cost to the perpetrator of the crime. The only challenge that remains is to cover one's tracks, and considering the massive flow of information on the net almost daily, that is not very difficult either.

"According to a survey carried out, 70% of people reuse their passwords in multiple accounts. Less than 2% of users have passwords that are complex enough and long enough to resist a combination of dictionary, rainbow and brute-force attacks."

3.1 Two Factor Authentication: Why do you need it?

Phishers try to obtain personal information such as your password or PIN code by pretending to be a legitimate entity. Using phishing, static passwords can be easily hacked, giving fraudsters easy access to your personal accounts, files and confidential information. AuthShield Two Factor Authentication maps the physical identity of the user to the server and increases the security of financial and other critical systems. Integrating a stronger user authentication system not only helps prevent online credit card fraud, card cloning and identity theft but also helps in the capture of habitual cyber criminals.

AuthShield authenticates and verifies the user based on:

- something only the user has (mobile phone / land line / hard token)
- something only the user knows (user id and password)

AuthShield technology uses a dual mode of identification where, along with the user id and password, verification is done through a secure, randomly generated one time password (OTP). This is provided to the user through one of the following:

3.1.1 Hard Token

AuthShield's hard token is a security device given to authorized users, who keep it in their possession. To verify a transaction using the second factor of authentication, the device displays a changing number that is typed in as a password. The new number is based on a pre-defined unbreakable randomized algorithm. Thereby, the hard token enables the server to authenticate the digital identity of the sender using a hardware device apart from his user name and password.

3.1.2 SMS Token

On verifying user information, an OTP is sent to the user's phone via SMS / automated call. The one time password is generated using a combination of multiple unbreakable encryption algorithms. The algorithm generates an unbreakable one time password every time the user logs onto a DMZ (demilitarized zone) as specified by the IT architecture.

3.1.3 Mobile Token

AuthShield's mobile token is an application installed on smart phones which generates an OTP for the user on the phone itself. The password is based on a pre-defined unbreakable randomized algorithm.

The architecture remains similar to a hard token except that the user only has to carry his mobile phone. Thereby, the device enables the server to authenticate the digital identity of the sender using a mobile phone apart from his user name and password.

3.1.4 Soft Token

An application installed on the system generates a one time password using a combination of multiple unbreakable encryption algorithms.

4. SAP Login Architecture

SAPGUI is software that runs on desktops / laptops (Windows, Mac, Unix etc.) and allows users to access SAP functionality in SAP applications such as SAP ERP and SAP Business Intelligence.

SAP Netweaver is a service-oriented application and integration platform that can be used for custom development and integration with other applications and systems.

4.1 Integration of Two Factor Authentication with SAP GUI

4.1.1 Architecture

4.1.2 Process

1. User clicks on SAPGUI
2. User enters his user name and password
3. On correct authentication, user is prompted to enter OTP

4. User's OTP is validated by the AuthShield AAA server to allow or deny access

4.2 Integration of Two Factor Authentication with SAP Netweaver

4.2.1 Architecture

[Architecture diagram: Access to Server, SAP ECE Server, steps (1) and (2); the drawing itself is not reproduced in this transcription.]

4.2.2 Process

SAP Netweaver authentication is done via the RADIUS protocol:

1. User enters his user name and passcode
2. The request is forwarded to the IAS server, which authenticates the request
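As an added illustration that is not AuthShield's code (the paper does not disclose its token algorithm), the following models the token side of section 3.1 and the AAA-side validation of step 4 of the SAP GUI process using the standard HMAC-based OTP algorithms (RFC 4226 / RFC 6238). The seed, user name and password are constructed for the demo; the server rejects a reused OTP, which is the check a practitioner wants in step 4.

```python
import hmac, hashlib, struct

# Constructed demo seed: real seeds are provisioned per token and kept on the server and token only.
DEMO_SEED = b"authshield-demo-seed-0123456789"

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): one code per counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, now: int, step: int = 30) -> str:
    """Time-based OTP (RFC 6238): the counter is the current 30-second window.
    This is the changing number a hard token or mobile token displays."""
    return hotp(seed, now // step)

class OtpServer:
    """AAA-side verifier. Tolerates +/- `window` steps of clock drift and never
    accepts a window that has already been used, so a captured OTP cannot be replayed."""
    def __init__(self, seeds, step=30, window=1):
        self.seeds = seeds            # user -> seed
        self.step, self.window = step, window
        self.last_counter = {}        # user -> last accepted counter

    def verify(self, user, code, now):
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_counter.get(user, -1):
                continue              # reused or older window: reject as replay
            if hmac.compare_digest(hotp(seed, counter), code):
                self.last_counter[user] = counter
                return True
        return False

def two_step_login(server, passwords, user, password, code, now):
    """Steps 2-4 of the SAP GUI process: static password first, then the OTP."""
    expected = passwords.get(user, "").encode()
    if not hmac.compare_digest(expected, password.encode()):
        return "deny: bad password"
    if not server.verify(user, code, now):
        return "deny: bad or reused OTP"
    return "allow"

if __name__ == "__main__":
    srv = OtpServer({"alice": DEMO_SEED})
    now = 1_700_000_000
    print(two_step_login(srv, {"alice": "correct horse"}, "alice", "correct horse", totp(DEMO_SEED, now), now))
```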
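The RADIUS exchange described for SAP Netweaver, as an added example that is neither AuthShield's nor SAP's code: the client builds an Access-Request whose User-Password attribute carries the passcode hidden exactly as RFC 2865 specifies, and the server-side parser validates the framing, recovers the passcode and splits it into static password and OTP. The shared secret, user name and the password-followed-by-OTP passcode layout are assumptions; the whitepaper does not state the passcode format.

```python
import hashlib, os, struct

ACCESS_REQUEST = 1                   # RADIUS packet code
USER_NAME, USER_PASSWORD = 1, 2      # RADIUS attribute types

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, as run by the RADIUS (IAS) server."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def avp(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, username, passcode, secret, req_auth=None):
    """Client side (SAP Netweaver): Access-Request with User-Name and hidden User-Password."""
    req_auth = req_auth or os.urandom(16)
    attrs = avp(USER_NAME, username) + avp(USER_PASSWORD, hide_password(passcode, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_access_request(packet, secret, otp_digits=6):
    """Server side (IAS): check framing, recover the passcode and split it into
    static password + OTP. Assumption: passcode = password immediately followed by the OTP digits."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed Access-Request")
    req_auth, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("missing User-Name or User-Password")
    passcode = reveal_password(attrs[USER_PASSWORD], secret, req_auth).decode()
    otp, password = passcode[-otp_digits:], passcode[:-otp_digits]
    if not password or len(otp) != otp_digits or not otp.isdigit():
        raise ValueError("passcode must end in the OTP digits")
    return attrs[USER_NAME].decode(), password, otp
```

The MD5-based hiding only obscures the passcode from casual observation; the shared secret and the network path between SAP and the IAS server still need protection, for example a trusted segment or RADIUS over TLS (RFC 6614).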

5. Features

- OS independent authentication mechanism
- Seamless integration with the current business and security architecture
- Increases the log-on security for mails
- 99% security from phishing attacks and identity thefts
- Unbreakable encryption on the lines of those used by the US Government
- Logs are maintained to fix responsibility in case of an unlawful event

6. Advantages of using AuthShield

For users, AuthShield's two factor authentication can help prevent:

- Online credit card fraud
- Phishing
- Card cloning
- Unauthorized access to data by employees

For the organization:

- OS independent authentication mechanism
- Seamless integration with the current business and security architecture

- Increases the log-on security for critical applications

According to a recent survey across ten cities in India, an overwhelming 84% of internet users indicated that they would like to use two factor authentication (2FA) to protect their identity.

7. About Us

The world today revolves around information. Information today is the energy that plays a critical role in our personal lives and drives our businesses. As we move further into this digital age, it has become imperative not just to protect our information from outsiders but also to draw intelligence from the vast amount of information available to us. The Internet is the new playground for unwanted elements of society intent on committing terrorist or espionage activities, financial frauds or identity thefts. Keeping this in mind, it has become imperative not only to prevent these acts but also to be in a position to intercept, monitor and block Internet communication to draw intelligence out of it. AuthShield is a research oriented Information Security consulting group specializing in meeting the Information Security needs of the consumer via specialized products and services. We believe in innovating and creating the latest technologies to combat the rapidly growing menace of hacking and to reduce dependency on human factors. We offer a complete gamut of Information Security services under one roof, which includes our patented and patent-pending products like 99% Secure - Cyber Cafe Surveillance, Tactical Internet Interception, Multi Factor Authentication, Link Analysis and Pattern Matching, and services like complete corporate security process management, web application security and managed security services.