ERP gives a company an integrated, real-time view of core business processes and resources, such as production, order processing and inventory management. It also facilitates the flow of information between business functions both inside an organization and with critical suppliers and customers. To maximize profits, CRM focuses on streamlining interactions with current and future customers, managing marketing campaigns, building customer relationships and improving customer satisfaction.
A recent survey of enterprise IT budget spending plans by Gartner Inc. revealed the top three application software investment initiatives for 2013 are CRM, ERP and office/personal productivity tools. Despite continued investment in ERP and CRM, there are many instances of applications that have been in place for years. More than likely, the staff involved in their acquisition and deployment have left the enterprise, taking with them the knowledge of how to manage and maintain the systems and leaving the applications to run on their own.
Because patching aging mission-critical applications is so difficult, many legacy CRM and ERP systems are left unpatched and vulnerable. But since they process and store highly valuable and confidential data, security must be a top priority. While original security controls may have sufficed in the past, they are unlikely to be adequate in today's multidevice, Internet-connected, threat-laden environment.
In this tip, we'll review application security best practices for ERP and CRM systems, focusing not only on the applications themselves, but also the other IT components crucial to their security.
To keep ERP and CRM applications secure, controls must be implemented at the network layer, presentation layer, and -- most importantly -- at the application layer, which has become a favored attack vector for hackers.
Unpatched ERP and CRM systems are particularly vulnerable, as they are easy targets for automated scanners and attack tools. Although not every new vulnerability will present a risk to your particular implementation, efforts should be made to patch older systems when the threat is real. Knowing when a vulnerability is a risk to your specific applications is therefore extremely useful, as it allows for the prioritization of patches, upgrades, and firewall and intrusion detection system changes. One way to test vulnerabilities and the effects of a patch is to duplicate a production system in a virtual test lab and use the Metasploit Framework to attempt to compromise the test application with applicable exploits. If the test application fails or is compromised, the production application clearly needs patching before an attacker attempts a similar exploit.
While patches that trigger problems on older systems are not uncommon, surveys have shown that only a small percentage of administrators have suffered system failures due to untested patches. If, however, you have a legacy or aging infrastructure that has failed or malfunctioned as a result of being patched in the past, or if the system is mission-critical, strongly consider running a patch test prior to installing new patches.
When the overall risk of patching is too high, virtual patching can be used to eliminate some vulnerabilities by controlling either the inputs or outputs of the affected application. Unlike traditional patch procedures, virtual patching doesn't require expensive downtime, as an application can be patched without touching the application itself, its associated libraries or the operating system it's running on. Sometimes virtual patching is the only way to support older versions of an application that the vendor no longer supports. The easiest virtual patching method is to update the configuration of intrusion-prevention system filters to block attacks trying to exploit the vulnerability. Always be sure to document such changes along with which vulnerability the virtual patch is mitigating.
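As an added illustration of the virtual-patching idea above (not code from the original article or any vendor product), the following wraps an unpatched legacy web front end in a filter that blocks only the requests matching the exploit precondition, and records which vulnerability the filter mitigates, as the article recommends. The route, parameter name and vulnerability reference are assumed placeholders.

```python
"""Virtual patch as a WSGI middleware wrapped around an unpatched legacy app.

Added example, not from the original article. The route, the vulnerable
parameter name and the vulnerability reference are placeholders; replace them
with the details of the advisory that drives the real change.
"""
import logging
import re
from urllib.parse import parse_qs

log = logging.getLogger("virtual-patch")

# Documentation the article asks for: which weakness this filter mitigates.
PATCH_ID = "VP-0001"
VULN_REF = "VULN-PLACEHOLDER (legacy ERP report export, unvalidated 'format')"

# Only requests to this route whose 'format' is outside the allowlist are denied.
PATCHED_PATH = "/erp/report"
ALLOWED_FORMATS = re.compile(r"pdf|csv|xlsx")


class VirtualPatch:
    """Deny requests matching the exploit precondition; pass everything else through."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "") == PATCHED_PATH:
            query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
            for value in query.get("format", []):
                if not ALLOWED_FORMATS.fullmatch(value):
                    log.warning("%s blocked request (mitigates %s): format=%r",
                                PATCH_ID, VULN_REF, value)
                    start_response("403 Forbidden", [("Content-Type", "text/plain")])
                    return [b"Request blocked by virtual patch " + PATCH_ID.encode()]
        return self.app(environ, start_response)


def legacy_erp_app(environ, start_response):
    """Stand-in for the unpatched application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"report generated"]


def simulate(app, path, query):
    """Drive a WSGI app with a constructed request; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "QUERY_STRING": query}, start_response))
    return captured["status"], body


patched_app = VirtualPatch(legacy_erp_app)
```

The same allowlist could equally be expressed as an IPS or web application firewall rule; the point is that the legacy application, its libraries and its OS are untouched.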
For Windows-based ERP and CRM applications, administrators should consider deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET) v4.0, an extremely valuable mitigation technology for older Windows applications and OS software. It's free and works by retroactively applying new security technologies to applications, making it more difficult for a hacker to exploit known attack vectors, such as buffer overflows and memory corruption.
Since the original graphical user interface (GUI) used to access ERP and CRM applications (the presentation layer) may recently have been abandoned in favor of a browser -- or even a custom app for the mobile age -- it is critical to ensure that any browsers and apps interacting with the system are kept up to date. Third-party apps should always be road-tested to ensure they are not leaking data through unexpected channels or processes. It may help to use a Citrix Systems Inc. server to deliver the GUI to desktop users, or to use Windows 8.1's Start Screen lockdown feature to create a kiosk environment for both desktops and mobile devices, to reduce the possibility of user-related threats.
If maintaining existing ERP and CRM systems is getting too difficult, costly or time-consuming, it may be time to migrate to a cloud-based service -- which is also a more natural and secure fit for mobile devices. Integrated ERP/CRM software and hosted solutions utilizing just one secure centralized database are also available. Compiere, for example, is a cloud-based, open-source ERP software and CRM system.
In the end, sharing knowledge and information is essential for organizations to achieve a competitive advantage. However, it is vital to do so securely to comply with both industry and company regulations. Simply put, running vulnerable software is no longer acceptable; enterprises must take all necessary proactive and reactive measures to keep their applications -- new or old -- secure.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website http://www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).
This was first published in November 2013