• Classroom
Course Description

By attending this course, attendees will acquire the knowledge and skills to progress beyond the basic auditing employed by many auditors and become competent at an advanced auditing level. This three-day course provides participants with an in-depth understanding of SAP Basis and of the security assessment techniques necessary for performing a thorough technical audit, and will help take SAP technical auditing skills to the next level. You will learn the advanced risks and control opportunities that should be considered in a thorough audit of SAP Basis and security, including considerations when using SAP GRC.

On completion of this course, attendees will be able to develop an effective SAP technical audit plan and prioritize key steps, discuss techniques for controlling both dialog and non-dialog user security, assess the appropriateness of SAP Basis configuration settings, recommend procedures for controlling customizations, analyze SAP Basis and security-related tables, and describe effective research techniques for advanced SAP technical issues. A live SAP system will be used for demonstration, complemented by reference screenshots and reinforced by group discussion and class exercises.

This course is available on-site at your location, or offered through open enrollment 7/20/20 - 7/22/20.

Learning Objectives

  1. Reviewing the basics: system parameters, the authorization concept, assessing segregation of duties and critical access, the most critical Basis and security risks
  2. Advanced SAP system parameters: parameters that can cost you money, parameters that mitigate terminated/transferred employee risks, single sign-on parameters, logging-related parameters
  3. Advanced SAP Basis security: securing direct access to tables, securing access to ABAP programs, controlling administrator access, controlling transport administration and access, protecting security-critical objects and tables
  4. Controlling non-dialog user types: system users, communication users, service users, reference users (and their undocumented risks)
  5. Special considerations: protecting the most powerful ID in the SAP system, global deactivation of authorization objects, Remote Function Calls (RFC), virus protection
  6. SAP authentication issues: Secure Network Communications (SNC), X.509 client certificates, SAP logon tickets
  7. NetWeaver security: security for the SAP Web AS ABAP and Java components, protecting the SAP Gateway, SAProuter issues
  8. Advanced auditing of SAP customizations: reviewing ABAP code for insecure statements and back doors, including custom tables in change document reports, securing customized objects
  9. Hacking SAP (aka hardening SAP against hacking): current state of SAP cyber-security, breaking SAP passwords, taking over SAP user accounts, SQL injection and other common exploits, secure SAP programming (ABAP and Java), freeware hacking tools (and paid pen-testing tools)
  10. Analyzing SAP tables: transparent, cluster, and structure tables, key configuration tables, key master data tables, using the SQ01 Query Builder, data access with ACL/IDEA

Feedback

If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.