What is Identity Theft
SAP identity theft is when someone steals your account details and uses them to execute unauthorized transactions in your name. Identity theft is one of the fastest growing crimes in the world today. Enterprises should educate their users on some basic rules to help protect their identities. A few basic examples include:
1. Safeguard your information, both online and offline
Do not reuse passwords. Using strong and unique passwords for each account is the easiest and most effective way to avoid becoming a victim of identity theft. Mix upper and lowercase letters, use symbols, and create sufficiently long passwords for each of your accounts.
2. Log out when you are done
Never leave an unlocked terminal unattended. If you do not log yourself out, you may be automatically logged out by the SAP instance after a period of inactivity. Attackers only need seconds to perform an unauthorized action in your name.
3. Keep your computer protected
Keep your computer and mobile devices protected by virus scanners, anti-malware, etc.
4. Always be vigilant
Report suspicious activity immediately. If you spot anything out of the ordinary, such as unauthorized account activity, report it right away. You are less likely to be seriously impacted by identity theft if you discover and report the incident shortly after the security breach.
What is the Impact of a stolen identity?
Similar to stolen credit or ID cards, the attacker may use the authorisations of the stolen identity for fraud, data extraction or manipulation. If the IT Security Department detects anomalies in SAP, all evidence points to the owner of the identity. The attacker stays anonymous. To measure the size and impact of an identity theft case, two questions must be answered:
- How much time did the attacker have to use the stolen identity?
- Did the attacker access an SAP account having super rights?
depending on time elapsed
Damage should be limited unless the attacker used a well-prepared procedure that does not take much time.
Up to 1 hour
It is likely that the attacker had enough time to acquire business data or trade secrets. A detailed investigation will be required.
More than 1 hour
In this scenario, the entire system should be considered compromised. The attacker had enough time to escalate privileges, gain access to other identities or perform lateral movements to different SAP instances. A time-consuming and detailed investigation, covering a longer period, needs to be executed. If the system is confirmed as compromised, all potential backdoors have to be identified and eliminated.
depending on acquired authorisations
It is likely that the attacker had enough time to acquire business data or trade secrets. Potentially, there was enough time to copy the data. A detailed investigation will be required.
In this case, the entire system is likely compromised. The attacker had enough rights to escalate privileges, gain access to other identities or perform lateral movements to different SAP instances. A time-consuming and detailed investigation, covering a longer period, needs to be executed.
IdentityProtection (SB-IP) is a feature of SecurityBridge. Once installed, an SAP instance of your choice becomes the verifier for identities. SB-IP detects new identities, informs the identity owner and allows reporting of identity theft. When malicious activity is reported, the SB-IDS raises a security event.
Features at a glance:
- Enable crowdsourcing: your SAP user community monitors account activity.
- Unauthorized account activity can be reported through a single click.
- No need for dedicated monitoring resources: each SAP user will become a sensor.
- Plug-and-Play. Install and roll out within a single day.
- Seamlessly integrates with SecurityBridge and your SIEM platform.
SecurityBridge Identity Protection transforms an SAP instance of choice into a verifier. The verifier evaluates all logons and interlinked meta-data to decide whether a new identity should be created. This entire process happens in real time and seamlessly, without noticeable impact on system performance. Whenever the identifier of SB-IP creates a new identity, the applicant receives an information email.
If the true owner of the identity does not recognize the login activity, a potentially malicious logon can be reported. With identity theft, every minute counts! A security event should lead to immediate manual or automated actions. SB supports automated account lock or session termination via a rule-based action framework.