Introducing Computer Security

In this lesson, you will get familiar with the fundamental concepts of computer security, such as security threats and safeguards. Also, you will find out how to categorize security measures to secure the system environment.

Security is the state of being protected or safe from potential harm, danger, or threats.

In technology, security refers to measures taken to protect information, systems, and networks from unauthorized access, breaches, and attacks. It encompasses a range of concepts, including safeguards, threats, and security goals, all of which are interlinked.

Threats compromise specific security goals, whereas safeguards protect systems against certain threats. As a result, when implementing security, one must consider the safeguards in relation to the goals and the threats.

The stringent security requirements in SAP systems have various reasons. These include compliance with industry regulations, protecting sensitive data, safeguarding intellectual property, and maintaining the organization's reputation and trust.

Optimizing administrative processes is essential to ensuring the effective implementation of security measures. This can be achieved through regular security audits, user training, implementing the principle of least privilege, and keeping systems and software up to date.

As an SAP System administrator, you are involved directly in providing and optimizing security processes using measures such as:

• conducting regular audits
• keeping the systems up to date
• implementing Single Sign-On (SSO) to reduce the number of password resets
• using digital signatures for the approval process

Understanding the concepts of security, the interplay between safeguards, threats, and security goals, and recognizing the reasons for security requirements are fundamental to maintaining the integrity and confidentiality of data within SAP systems. Let’s explore these concepts further.

A security goal is a specific objective or outcome that an organization or individual aims to achieve to protect their assets, information, and resources from unauthorized access, theft, damage, or other security threats.

In detail, these goals entail the following:

• Availability: Availability ensures that users can access their resources whenever needed. When determining your requirements regarding resource availability, you can consider the costs that result from unplanned downtime, such as customer loss, costs for unproductive employees, and overtime. Some damage, such as loss of reputation, cannot fully be factored in terms of money.
• Authentication: Authentication determines the real identity of the user. You can use the following authentication mechanisms in a system environment:
  • Authentication using user ID and password
  • Authentication using a smart card
  • Authentication using a smart card and PIN
• Authorization: Authorization defines the rights and privileges of the identified user and determines the functions a user can access. The application must be programmed to check if a user is authorized before accessing a particular function.
• Confidentiality: Confidentiality ensures the user’s history and communication are kept confidential. Information and services must be protected from unauthorized access. Authorizations to read, change, or add information or services must be granted explicitly to only a few users, and other users must be denied access. If you post something on the internet, the confidentiality of information is at risk.
• Integrity: Integrity ensures that user information transmitted or stored has not been altered. Programs and services can be executed successfully and provide accurate information. As a result, people, programs, or hardware components cannot modify programs and services.
• Non repudiation: Repudiation is the process of denying that you have done something, whereas non repudiation ensures that people cannot deny their actions.

A security system threat is any potential danger or risk to its effectiveness or integrity. It can include physical threats such as burglaries or vandalism and digital threats such as hacking or malware attacks.

Threats to security systems can compromise the safety and protection of people and property and the confidentiality and privacy of sensitive information. Assessing and addressing security system threats is crucial to prevent and mitigate potential risks.

Technology is evolving quickly, as are the security threats. Read below an updated list of the most critical threats:

• Malware: Malicious software such as viruses, worms, Trojans, ransomware, and spyware can compromise a system's security.
• Phishing: Cybercriminals use fraudulent e-mails, websites, and messages to trick users into revealing personal and sensitive information.
• DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks overwhelm a system or network with excessive traffic, disrupting services.
• Insider threats: Employees or other trusted individuals accessing the system may intentionally or unintentionally compromise its security.
• Social engineering: Attackers manipulate people into disclosing confidential information or performing specific actions that compromise security.
• Advanced Persistent Threats (APTs): APTs are sophisticated, long-term attacks that aim to steal sensitive information or disrupt operations.
• Zero-day exploits: Attacks targeting vulnerabilities in software or hardware that are not yet known to the vendor or security community.
• Man-in-the-middle attacks: Hackers intercept communication between two parties to eavesdrop, steal information, or manipulate the data being exchanged.
• Data breaches: Unauthorized access to sensitive data, often resulting in theft or exposure of confidential information.
• Physical security breaches occur due to unauthorized access to facilities, device theft, or other physical security vulnerabilities.
• Buffer overflow: An application can receive data that it is not expecting or prepared to accept, resulting in unpredictable results. This is known as buffer overflow and can lead to vulnerability within the server.
• Spoofing: Programs can be written to modify the internet Protocol (IP) address of the source of the Transmission Control Protocol/Internet Protocol (TCP/IP) packet and trick the network because the true IP identity is concealed or disguised and looks like the packet is coming from within the network. This process is known as spoofing.
• Masquerading: A person can masquerade as another user.
• Repudiation: A buyer could deny purchasing an item from an online store.

Threats in the digital world are as dangerous as the ones in the real world. What makes them even more dangerous is that these attacks can be automated, executed remotely, and performed by people with little knowledge of technology.

Security system safeguards are the measures and technologies used to protect a physical location or digital system from security threats.

The safeguards run against the threats to achieve the organization's security goals.

Security safeguards can be categorized as follows:

• Technical safeguards, such as firewalls, cryptographic algorithms, and certificates
• Organizational safeguards, such as security policies, rules, or guidelines
• Physical safeguards include fire detection, secured rooms, and buildings

An important aspect of technical security is to regularly install security patches for applications and operating systems that are provided by vendors. Even though many security lapses can be fixed, customers and users still must update their systems regularly.

When you are involved in planning and implementing a security policy for an organization, we recommend performing the following:

• Identify sensitive information: The company can identify and classify its sensitive information, such as customer data, financial records, and proprietary information, to determine the level of security needed.
• Understand compliance requirements: The company must be aware of any industry-specific regulations or legal requirements regarding data security and ensure that its security measures meet these standards.
• Conduct a risk assessment: The company can assess potential security threats and vulnerabilities to determine the level of risk it faces and prioritize security measures accordingly.
• Implement access controls: The company can restrict access to sensitive data to only authorized personnel and implement robust authentication methods, such as passwords, biometrics, or multifactor authentication.
• Encourage security awareness: The company can educate its employees about security best practices, such as recognizing phishing attempts and securing their devices, to minimize the risk of human error compromising security.
• Continuously monitor and update security measures: The company can regularly monitor its security systems for any potential breaches or vulnerabilities and update its security measures as needed to avoid new threats.
• Secure physical assets: In addition to digital security, the company can secure its physical assets, such as servers, routers, and other hardware, to prevent unauthorized access or tampering.
• Consider cloud security: If the company uses cloud services, it can ensure that the vendor has robust security measures, and that data stored in the cloud is adequately protected.
• Have a response plan: The company plans to respond to security incidents, including steps to contain and mitigate the damage and communicate with stakeholders about the breach.
• Allocate resources for security: The company can allocate sufficient budget and personnel to ensure that its security measures are robust and effective.

Over the following several units and lessons, you discover the different security concepts that apply to SAP and the various tools and services that SAP offers.