
openSAP tis1-2 All Slides

Date post: 07-Feb-2022
Transcript
Page 1: openSAP tis1-2 All Slides

Social engineering

Social engineering is the act of obtaining or trying to get information by tricking and convincing an individual to reveal sensitive information.

In this section, you will learn how to identify these tricks and avoid sharing sensitive information with unauthorized persons.

Page 2: openSAP tis1-2 All Slides

THE RISK

• Attackers establish a trusting relationship then abuse it to gain access to sensitive information.

Attackers try to establish a trusting relationship then abuse it to gain access to sensitive information and even passwords. A very popular social engineering method is contacting the victim via telephone.

Page 3: openSAP tis1-2 All Slides

THE RISK

• Attackers establish a trusting relationship then abuse it to gain access to sensitive information.

WHAT CAN I DO?

• If in doubt, end the call

If you get a suspicious call from an unknown person, end it by telling the caller that you’re under time pressure and that you’ll get back to them.

Page 4: openSAP tis1-2 All Slides

THE RISK

• Attackers establish a trusting relationship then abuse it to gain access to sensitive information.

WHAT CAN I DO?

• Verify the caller’s identity

You can check if the caller really is who they claim to be by calling the switchboard of the alleged company and asking to be put through. Do not call a mobile number given to you by the suspicious caller.

Page 5: openSAP tis1-2 All Slides

THE RISK

• Attackers establish a trusting relationship then abuse it to gain access to sensitive information.

WHAT CAN I DO?

• Do not share any information

Never share sensitive information with unverified people, either on the phone or by e-mail. Never share your password with anyone, not even with an IT administrator or your manager.

Page 6: openSAP tis1-2 All Slides

THE RISK

• Attackers establish a trusting relationship then abuse it to gain access to confidential information.

WHAT CAN I DO?

• Report potential attacks

Always report social engineering and other potential attacks immediately as a security incident. Multiple employees in a company may be targeted at the same time and it is essential for us to react. Please use the incident reporting tool or – in the case of a critical incident – also inform your local security staff right away.

• Theft or loss of equipment
• Disclosure of information
• Hacking or malware attacks
• Unauthorized access to IT systems
• Physical harm
• Disclosure of your password
• More

Quick link: go/incident-reporting

Quick link: go/emergencies

Page 7: openSAP tis1-2 All Slides

Social engineering

Well done! You now know:

• If in doubt, end the call
• Verify the caller’s identity
• Do not share any information
• Report potential attacks

Page 8: openSAP tis1-2 All Slides

Passwords

Your passwords are keys to accessing our systems and information.

In this section, you will learn how to create good, safe passwords for your work and private life.

Page 9: openSAP tis1-2 All Slides

THE RISK

• Unauthorized individuals can access company information in your name.
• Simple or short passwords are very easy to guess or to crack.

Passwords protect your digital identity. Disclosed passwords can give unauthorized people access to your personal and company information.

Simple or short passwords, with just a few digits or which can be found in the dictionary, are very easy for hackers to guess or to crack.

Page 10: openSAP tis1-2 All Slides

THE RISK

• Unauthorized individuals can access company information in your name.
• Simple or short passwords are very easy to guess or to crack.

WHAT CAN I DO?

• Never share your password with anyone

Not even with IT staff or a manager. For privileged users with administrative access, specific requirements apply. If you suspect that your password has been disclosed, please reset it immediately and open a security incident ticket.

Page 11: openSAP tis1-2 All Slides

THE RISK

• Unauthorized individuals can access company information in your name.
• Simple or short passwords are very easy to guess or to crack.

WHAT CAN I DO?

• Always use secure passwords

Use secure passwords, which cannot be found in the dictionary and consist of at least 3 of the following 4 types of characters: Latin uppercase letters, Latin lowercase letters, base 10 digits and non-alphanumeric characters.

Also remember that the longer the password is, the stronger it will be. Your password must at least meet SAP’s minimum requirement.

Page 12: openSAP tis1-2 All Slides

THE RISK

• Unauthorized individuals can access company information in your name.
• Simple or short passwords are very easy to guess or to crack.

WHAT CAN I DO?

• Store your standard user passwords in Password Depot

Don’t ever leave your passwords lying around. Store your standard user passwords in Password Depot, which we recommend be installed on your computer. You can also use Password Depot to create strong passwords. Please do not use any other online password generators which are not approved by SAP.

SAP Jam: Password Depot

Page 13: openSAP tis1-2 All Slides

THE RISK

• Unauthorized individuals can access company information in your name.
• Simple or short passwords are very easy to guess or to crack.

WHAT CAN I DO?

• Use a different password for each system

Use unique passwords for all important systems. Never reuse your SAP or Windows password for other systems, and especially, do not use your SAP password for private accounts. Don’t forget to use unique passwords for your important private accounts too.

Page 14: openSAP tis1-2 All Slides

Passwords

Well done! You now know:

• Never share your password with anyone
• Always use secure passwords
• Store your passwords in Password Depot
• Use a different password for each system

Page 15: openSAP tis1-2 All Slides

Information classification

Due to the nature of our business, we work with a lot of sensitive information.

In this section, you will learn how to classify data and how to handle it with care.

Page 16: openSAP tis1-2 All Slides

THE RISK

• Information often fails to get the right protection because it is either left unclassified or classified incorrectly.
• In the wrong hands, confidential information can cause considerable damage.

Incorrectly classified or non-classified information will likely be handled in an incorrect manner.

We can be greatly harmed in terms of money and reputation if confidential information ends up in the wrong hands.

This is why it is essential that data is correctly classified and handled in the right way.

Page 17: openSAP tis1-2 All Slides

THE RISK

• Information often fails to get the right protection because it is either left unclassified or classified incorrectly.
• In the wrong hands, confidential information can cause considerable damage.

WHAT CAN I DO?

• Always classify information

The more damage a piece of information could cause if it gets wrongly disclosed, the more protection it needs.

Classify and label data according to our information classification levels: Public, Internal and Confidential.

[Figure: damage level by classification: Public, Internal, Confidential]

Page 18: openSAP tis1-2 All Slides

THE RISK

• Information often fails to get the right protection because it is either left unclassified or classified incorrectly.
• In the wrong hands, confidential information can cause considerable damage.

WHAT CAN I DO?

• Use the “Sensitivity” button in Office365 to protect information

By using the “Sensitivity” button, you can classify, label, and encrypt your office documents.

Please make yourself familiar with this solution and use it, especially for confidential information.

More information: SharePoint

Page 19: openSAP tis1-2 All Slides

THE RISK

• Information often fails to get the right protection because it is either left unclassified or classified incorrectly.
• In the wrong hands, confidential information can cause considerable damage.

WHAT CAN I DO?

• File it in the right place

Confidential information must only be stored in the designated company IT environment, which is specified for this type of information.

Never store business information on a private computer or self-subscribed cloud service.

Page 20: openSAP tis1-2 All Slides

THE RISK

• Information often fails to get the right protection because it is either left unclassified or classified incorrectly.
• In the wrong hands, sensitive information can cause considerable damage.

WHAT CAN I DO?

• Handle it with care

Always label it according to its classification level.

Store it locked, either in digital or paper form.

Don’t transfer it unencrypted.

Dispose of it properly using a shredder or secure data bin.

Always consider the need-to-know principle. Tell others only what they need to know to carry out their tasks.

[Figure: example label "Document classification: Confidential"]

Page 21: openSAP tis1-2 All Slides

Information classification

Well done! You now know:

• Always classify information
• Use the “Sensitivity” button in Office365 to protect information
• File it in the right place
• Handle it with care

Page 22: openSAP tis1-2 All Slides

Secure workplace

Information left lying on your desk is vulnerable to prying eyes and sticky fingers.

In this section, you will learn how to keep sensitive and private information secure.

Page 23: openSAP tis1-2 All Slides

THE RISK

• Unauthorized access to buildings is always possible. Attackers can then easily get access to confidential information.

We are customer and business-oriented, not Fort Knox.

Attackers will always find a way to enter our buildings and can easily access sensitive data left lying around.

Page 24: openSAP tis1-2 All Slides

THE RISK

• Unauthorized access to buildings is always possible. Attackers can then easily get access to confidential information.

WHAT CAN I DO?

• Keep confidential data under lock and key

When away from your workplace, lock your office if possible or lock away sensitive information in a cabinet.

And please: Lock your computer screen, even if you just step away briefly.

At your unlocked PC, an attacker can easily access sensitive data or install malware.

No one will take care of your PC when you’re not around.

[Figure: keyboard shortcuts for locking the screen. Mac users: Control + Command + Q]

Page 25: openSAP tis1-2 All Slides

THE RISK

• Unauthorized access to buildings is always possible. Attackers can then easily get access to confidential information.

WHAT CAN I DO?

• Always use Badge Printing

For printing sensitive information, use badge printing. The printer will not start printing until you log in.

Page 26: openSAP tis1-2 All Slides

THE RISK

• Unauthorized access to buildings is always possible. Attackers can then easily get access to confidential information.

WHAT CAN I DO?

• Accompany visitors

Pick up visitors at the reception and accompany them back or to their next meeting. Make sure that the visitors wear their visitor badge visibly.

You should also always wear your badge visibly if you are on site at SAP.

Page 27: openSAP tis1-2 All Slides

THE RISK

• Unauthorized access to buildings is always possible. Attackers can then easily get access to confidential information.

WHAT CAN I DO?

• Work securely at home and while travelling

And remember: Security also applies when travelling and in the home office. Even there, lock away sensitive documents, lock your PC and do not leave SAP IT devices with anyone, including family members.

Page 28: openSAP tis1-2 All Slides

Secure workplace

Well done! You now know:

• Keep confidential data under lock and key
• Always use Badge Printing
• Accompany visitors
• Work securely at home and while travelling

Page 29: openSAP tis1-2 All Slides

Phishing

Phishing is the attempt by a hacker to acquire sensitive information or to establish permanent access to your computer.

It often starts with an e-mail impersonating a trustworthy entity. In this section, you will learn how to recognize and protect yourself against phishing attacks.

Page 30: openSAP tis1-2 All Slides

THE RISK

• Phishing e-mails can trigger infections that damage our entire corporate IT and can lead to the loss of confidential information.

Clicking on links or attachments in phishing e-mails can cause infections. The infections can be caused by harmful software that our antivirus software might not detect.

In the worst case, the infection will be spread to your colleagues and can even compromise our entire network.

This situation can lead to leakage of confidential information and huge business and reputational loss.

[Figure: Customer information, Employee information, Business information, Your colleagues, Network]

Page 31: openSAP tis1-2 All Slides

THE RISK

• Phishing e-mails can trigger infections that damage our entire corporate IT and can lead to the loss of confidential information.

WHAT CAN I DO?

• Double-check the e-mail sender

Keep the following indicators of phishing in mind. Double-check the e-mail sender and see if it is in any way suspicious. Don’t forget that e-mail addresses can be easily spoofed.

Page 32: openSAP tis1-2 All Slides

THE RISK

• Phishing e-mails can trigger infections that damage our entire corporate IT and can lead to the loss of confidential information.

WHAT CAN I DO?

• Double-check the greeting

Check and see if there is a personal greeting. Are you being addressed by name?

Page 33: openSAP tis1-2 All Slides

THE RISK

• Phishing e-mails can trigger infections that damage our entire corporate IT and can lead to the loss of confidential information.

WHAT CAN I DO?

• Double-check links and attachments and do not activate macros

Phishing e-mails nearly always contain a sense of urgency, requiring you to click on a link or open an attachment. If it seems suspicious, do not click on the link or open the attachment. Also, be extremely cautious when activating macros in Microsoft Office programs, such as Excel or Word, as they might contain malware.

Page 34: openSAP tis1-2 All Slides

THE RISK

• Phishing e-mails can trigger infections that damage our entire corporate IT and can lead to the loss of confidential information.

WHAT CAN I DO?

• If in doubt, report it!

If you are in doubt about an e-mail and you know the sender, call and ask if he/she actually sent it.

Suspicious e-mails should be forwarded as an attachment to [email protected] or using the Phishing Reporter button in Outlook. If you do not have the button installed yet, you can find it with the Get Add-ins button in your Outlook ribbon.

Page 35: openSAP tis1-2 All Slides

Phishing

Well done! You now know:

• Double-check the e-mail sender
• Double-check the greeting
• Double-check links and attachments and do not activate macros
• If in doubt, report it!

Page 36: openSAP tis1-2 All Slides

Social media

As a company, we have no problem with social networks, as long as you stick to our rules.

In this chapter, we give you the most important guidelines for social networking.

Page 37: openSAP tis1-2 All Slides

THE RISK

• The reputation and image of SAP could be damaged.
• Attackers could obtain valuable internal information.

The reputation of a company can be severely damaged very quickly by ill-considered posts and information on social networks.

In addition, professional attackers search social networks for key information they can use for an attack.

Page 38: openSAP tis1-2 All Slides

THE RISK

• The reputation and image of SAP could be damaged.
• Attackers could obtain valuable internal information.

WHAT CAN I DO?

• Never set up user profiles or groups in SAP's name

Our marketing department is responsible for this task.

Always act responsibly and behave appropriately. The network does not distinguish between you as a private individual and you as a SAP employee.

Page 39: openSAP tis1-2 All Slides

THE RISK

• The reputation and image of SAP could be damaged.
• Attackers could obtain valuable internal information.

WHAT CAN I DO?

• Don’t share internal information

Never share internal or confidential company information.

Even seemingly harmless information, for example project names, software used or a photo of your badge, is often exploited for targeted phishing or social engineering attacks.

Page 40: openSAP tis1-2 All Slides

THE RISK

• The reputation and image of SAP could be damaged.
• Attackers could obtain valuable internal information.

WHAT CAN I DO?

• Never use your SAP passwords on social networks and only use your SAP e-mail address if officially approved by SAP

If the social network has a security gap, there’s no need for us to have one too.

Page 41: openSAP tis1-2 All Slides

Social media

Well done! You now know:

• Never set up user profiles or groups in SAP's name
• Don’t share internal information
• Never use your SAP passwords on social networks and only use your SAP e-mail address if officially approved by SAP

Page 42: openSAP tis1-2 All Slides

Secure communication

We all need to transfer information for our daily work.

In this section, you will learn how to do this safely and securely in your working environment.

Page 43: openSAP tis1-2 All Slides

THE RISK

• Unencrypted e-mails and public cloud storage services are not secure.
• Sensitive information may be lost or can even end up in the wrong hands.

If you transfer unencrypted information, for example by e-mail, it is about as secret as a message on a postcard and can be read by many people.

Page 44: openSAP tis1-2 All Slides

THE RISK

• Unencrypted e-mails and public cloud storage services are not secure.
• Sensitive information may be lost or can even end up in the wrong hands.

WHAT CAN I DO?

• Never use unauthorized cloud services

Our business information must always remain in our business IT environment. Any business information outside of this environment is out of our control and therefore considered vulnerable. Accordingly, never use unauthorized cloud services for business data.

Page 45: openSAP tis1-2 All Slides

THE RISK

• Unencrypted e-mails and public cloud storage services are not secure.
• Sensitive information may be lost or can even end up in the wrong hands.

WHAT CAN I DO?

• Use approved exchange tools

Only use SAP-approved solutions for exchanging business data, such as OneDrive for Business.

You can even transfer confidential information with many of them.

Link: https://go.sap.corp/secure-communication

• SharePoint Online
• OneDrive for Business
• SAP Jam
• More

Page 46: openSAP tis1-2 All Slides

THE RISK

• Unencrypted e-mails and public cloud storage services are not secure.
• Sensitive information may be lost or can even end up in the wrong hands.

WHAT CAN I DO?

• Always encrypt sensitive data

Because unencrypted information can be easily read by many people, it is essential that you transfer sensitive information encrypted.

Microsoft Office Data Level Encryption with Azure Rights Management is the best way to secure your Microsoft Office data at SAP. It is enabled for all SAP employees and is available in Microsoft 365 applications.

Page 47: openSAP tis1-2 All Slides

THE RISK

• Unencrypted e-mails and public cloud storage services are not secure.
• Sensitive information may be lost or can even end up in the wrong hands.

WHAT CAN I DO?

• Never use personal e-mail accounts

Please also do not use private e-mail accounts for our business data and never set up automatic forwarding rules to private accounts. Data will be transferred unencrypted and the private client can be infected with malware.

Page 48: openSAP tis1-2 All Slides

Secure communication

Well done! You now know:

• Never use unauthorized cloud services
• Use approved exchange tools
• Always encrypt sensitive data
• Never use personal e-mail accounts

Page 49: openSAP tis1-2 All Slides

Secure Mobile Devices

Our know-how is not only stored in data centers and computers – we take it with us on smartphones and tablets.

In this chapter you will learn how to protect our information on mobile devices.

Page 50: openSAP tis1-2 All Slides

THE RISK

• Company tablets and smartphones can also be subject to various malicious threats.

Company tablets and smartphones can be subject to threats such as: malicious apps, phishing attacks, data leakage, malware or even unsecure WiFi.

Page 51: openSAP tis1-2 All Slides

THE RISK

• Company tablets and smartphones can also be subject to various malicious threats.

WHAT CAN I DO?

• Use trusted WiFi connections

Check the available WiFi networks carefully. Be cautious of WiFi networks you don’t recognize and free WiFi networks that don’t require a password.

We recommend using iPass. With iPass, you can automatically log in with your SAP device to trusted iPass WiFi networks, which are available in hotels, airports, flights, and other locations.

Page 52: openSAP tis1-2 All Slides

THE RISK

• Company tablets and smartphones can also be subject to various malicious threats.

WHAT CAN I DO?

• Use apps from official stores and update your device

Only install apps from official stores like Apple Store or Google Play or from the SAP IT app store.

And please ensure that your device is always updated to the latest software version approved by SAP IT.

Page 53: openSAP tis1-2 All Slides

THE RISK

• Company tablets and smartphones can also be subject to various malicious threats.

WHAT CAN I DO?

• Prevent data leakage

Please avoid copying SAP data to local apps like your personal contacts. They could be read by apps such as WhatsApp or synchronized with rental cars via Bluetooth.

Page 54: openSAP tis1-2 All Slides

THE RISK

• Company tablets and smartphones can also be subject to various malicious threats.

WHAT CAN I DO?

• Immediately report lost devices

Don’t leave your devices unattended on a desk or packed in luggage. If your mobile device is lost or stolen, immediately remotely lock the device and report the incident by creating a security incident ticket.

Page 55: openSAP tis1-2 All Slides

Secure Mobile Devices

Well done! You now know:

• Use trusted WiFi connections
• Use apps from official stores and update your device
• Prevent data leakage
• Immediately report lost devices

