thespot4sap.com independent sap information

CSO Summit: Securing the retail application

Blogger : MSDN Blogs
All posts : All posts by MSDN Blogs
Category : SAP SCM
Blogged date : 2007 Jun 07

Technorati Tags: Conferences

Last month I presented a talk about the security risks faced by the retail industry at the Microsoft Chief Security Officer Summit in Redmond. This was a gathering of several hundred CSOs from major Microsoft customers to share their experience around security in their organizations and to help them understand our strategy around security.

My talk was based upon interactions and research my team has done with several large organizations in the retail vertical. I've come up with a couple of very plausible real-world scenarios that can allow a technical risk to transcend the enterprise IT boundary and impact the core business processes.

Scenario 1: Stealing credit card info from Point of Sale systems in-store

Ease of exploitability: medium.

Impact: critical.

An attacker steals credit card data from a Point of Sale (POS) system that talks to the retail application client and web service across the web. This system carries out financial transactions over the Internet.

In most cases enterprises expect the attack surface to be the communication going over the "Internet"; however, my experience has been that it is trivial to attack POS systems in stores or retail outlets and obtain that data before it is transmitted across the web. The attack surface is not limited to the web.

Scenario 2: Compromise a Supply Chain Management system

Ease of exploitability: hard.

Impact: critical.

In several SCM systems, unauthenticated web services are used to generate control data such as shipping addresses. An attacker can use a compromised web service to inject malicious data into the shipping system. As a result, 100,000 wool sweaters could be sent to Miami in July. Threat modeling and security code reviews can be used to minimize the possibility of this attack succeeding.

Our investigations led us to determine that, from a business perspective, the highest application risk to retail organizations comes from the following threats:

* Insufficient authentication mechanisms

* Poor authorization model

* Lacking input validation controls

* Susceptible to Denial of Service issues

* Non-standard deployment of point of sales systems

* SCM systems susceptible to insider attacks
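Scenario 2 and the threat list above name the gaps (no authentication, a weak authorization model, missing input validation) but do not show what closing them looks like. The following is an added example, not code from this post or from Microsoft: a constructed, in-process stand-in for a shipping-control web service, with the unauthenticated handler beside a hardened one that authenticates the caller, checks its role, and validates the order before it becomes control data. The shared secret, header names, role name and per-shipment unit limit are all hypothetical.

```python
"""Added example (not from the original post): an unauthenticated shipping-control
handler beside a hardened one.  Everything here is a constructed, in-process
stand-in for a web service; the secret, roles, header names and limits are
hypothetical policy values chosen for illustration."""
import hashlib
import hmac
import json
import re

PARTNER_SECRET = b"hypothetical-partner-secret"   # constructed shared secret
ALLOWED_ROLES = {"warehouse-planner"}             # hypothetical roles allowed to create shipments
MAX_UNITS_PER_SHIPMENT = 5_000                    # hypothetical business limit
POSTAL_RE = re.compile(r"^\d{5}(-\d{4})?$")       # only US ZIP codes accepted in this example


def sign(body: bytes, secret: bytes = PARTNER_SECRET) -> str:
    """HMAC-SHA256 over the raw request body; a legitimate caller sends this as a header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_order(units, city: str, postal_code: str, sku: str = "WOOL-SWEATER") -> bytes:
    """Constructed request body in the shape the handlers expect."""
    return json.dumps({
        "sku": sku,
        "units": units,
        "ship_to": {"name": "Store 42", "street": "1 Ocean Dr", "city": city,
                    "postal_code": postal_code},
    }).encode()


def handle_shipment_unauthenticated(body: bytes) -> dict:
    """The weak pattern from Scenario 2: whatever arrives becomes shipping control data."""
    order = json.loads(body)
    return {"status": "queued", "ship_to": order["ship_to"], "units": order["units"]}


def validate_order(order: dict) -> list:
    """Return the list of validation problems; an empty list means the order is acceptable."""
    problems = []
    units = order.get("units")
    if not isinstance(units, int) or isinstance(units, bool) or units <= 0:
        problems.append("units must be a positive integer")
    elif units > MAX_UNITS_PER_SHIPMENT:
        problems.append(f"units exceeds limit of {MAX_UNITS_PER_SHIPMENT}")
    ship_to = order.get("ship_to")
    if not isinstance(ship_to, dict):
        problems.append("ship_to must be an object")
        return problems
    for field in ("name", "street", "city", "postal_code"):
        value = ship_to.get(field)
        if not isinstance(value, str) or not value.strip() or len(value) > 100:
            problems.append(f"ship_to.{field} missing or malformed")
    postal = ship_to.get("postal_code")
    if isinstance(postal, str) and not POSTAL_RE.match(postal):
        problems.append("ship_to.postal_code is not a valid ZIP code")
    return problems


def handle_shipment_hardened(body: bytes, headers: dict) -> dict:
    """Authenticate, authorize, then validate; reject at the first failing layer."""
    # 1. Authentication: constant-time comparison of the body signature.
    provided = headers.get("X-Signature", "")
    if not hmac.compare_digest(provided, sign(body)):
        return {"status": "rejected", "reason": "bad or missing signature"}
    # 2. Authorization: the authenticated caller must hold a permitted role.
    if headers.get("X-Caller-Role") not in ALLOWED_ROLES:
        return {"status": "rejected", "reason": "caller not authorized to create shipments"}
    # 3. Input validation: only well-formed, in-policy orders reach the shipping system.
    try:
        order = json.loads(body)
    except json.JSONDecodeError:
        return {"status": "rejected", "reason": "body is not valid JSON"}
    problems = validate_order(order)
    if problems:
        return {"status": "rejected", "reason": "; ".join(problems)}
    return {"status": "queued", "ship_to": order["ship_to"], "units": order["units"]}


# Constructed request reproducing the post's example: 100,000 sweaters to Miami.
INJECTED_ORDER = build_order(100_000, "Miami", "33139")

if __name__ == "__main__":
    print(handle_shipment_unauthenticated(INJECTED_ORDER))   # queued: nothing is checked
    print(handle_shipment_hardened(INJECTED_ORDER, {}))       # rejected: no signature
    signed = {"X-Signature": sign(INJECTED_ORDER), "X-Caller-Role": "warehouse-planner"}
    print(handle_shipment_hardened(INJECTED_ORDER, signed))  # rejected: units over limit
```

The order of the three layers matters: the signature check runs first so that unauthenticated input never reaches the JSON parser or the validator, which keeps malformed or oversized bodies from a stranger cheap to discard. The unit limit is the part a threat model would refine with the business; the point is that the shipping system only ever sees data that has passed an explicit policy, rather than whatever a partner endpoint happened to send.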


Copyright © - Independent SAP Information