Brute Force Attack on Predefined Accounts

Learn how DefenceMore OCA for SAP protects critical predefined accounts from password cracking attempts.

Case Study #002.01

Scenario

A brute force attack (password guessing or cracking) is being carried out against user accounts through the SAProuter from an external network. The goal of the attack is to compromise the passwords of critical predefined accounts such as DDIC, SAP*, and TMSADM, and a password cracking attempt against them has been initiated.

Impact

Predefined users in the system hold authorizations to perform critical operations. Since these accounts are active by default after system installation, they are prime targets for attackers. Monitoring activity on these accounts and controlling operations performed through internal or external terminals is of critical importance. Leaving these accounts' passwords in their default state poses a significant security risk, so strong, new passwords must be assigned. If these accounts are compromised, attackers can damage the system, manipulate data, and gain access to sensitive information.

DefenceMore OCA Capabilities

DefenceMore OCA's A005 control lists all password change activities. If the password of a predefined account such as DDIC or SAP* is modified, this is flagged as a violation and reported. The P005 use case shows the number of password attempts made against standard user accounts. The P009 control lists failed login attempts; if these attempts target predefined users, a violation is recorded. The P002 control verifies that a list of the most commonly used passwords exists. If no such list has been created, a violation is logged.
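As an added illustration (not DefenceMore's own code), the following Python sketches the P009/P005 logic described above over constructed logon events: failed logons against the predefined accounts named on this page are flagged, and attempts are counted per account and per source terminal. The event layout and the three-account watch list are assumptions.

```python
# Added example (not DefenceMore's own code): flag failed logon attempts that
# target SAP's predefined accounts, mirroring the P009/P005 controls above.
from collections import Counter
from dataclasses import dataclass

# Predefined accounts named on the page; assumed here to be the whole watch list.
PREDEFINED_ACCOUNTS = {"DDIC", "SAP*", "TMSADM"}

@dataclass(frozen=True)
class LogonEvent:
    timestamp: str   # ISO-8601 string (constructed)
    client: str      # SAP client, e.g. "000"
    user: str        # account name used in the logon attempt
    terminal: str    # source terminal or host as seen by the system
    success: bool

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    LogonEvent("2024-05-01T10:00:01", "000", "DDIC", "saprouter-ext", False),
    LogonEvent("2024-05-01T10:00:02", "000", "DDIC", "saprouter-ext", False),
    LogonEvent("2024-05-01T10:00:03", "000", "SAP*", "saprouter-ext", False),
    LogonEvent("2024-05-01T10:00:05", "100", "JSMITH", "ws-0042", False),
    LogonEvent("2024-05-01T10:00:07", "000", "TMSADM", "saprouter-ext", False),
    LogonEvent("2024-05-01T10:00:09", "100", "JSMITH", "ws-0042", True),
]

def predefined_account_violations(events):
    """Every failed logon aimed at a predefined account (P009-style check)."""
    return [e for e in events
            if not e.success and e.user.upper() in PREDEFINED_ACCOUNTS]

def attempts_per_predefined_account(events):
    """Password attempts per predefined account, successful or not (P005-style)."""
    return Counter(e.user.upper() for e in events
                   if e.user.upper() in PREDEFINED_ACCOUNTS)

def attempts_per_terminal(events):
    """Group violations by source terminal so a single noisy origin stands out."""
    return Counter(e.terminal for e in predefined_account_violations(events))

if __name__ == "__main__":
    for v in predefined_account_violations(SAMPLE_EVENTS):
        print(f"VIOLATION client={v.client} user={v.user} "
              f"terminal={v.terminal} at={v.timestamp}")
    print(dict(attempts_per_predefined_account(SAMPLE_EVENTS)))
    print(dict(attempts_per_terminal(SAMPLE_EVENTS)))
```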

Related Checks

  • A005 Password Change Activities
  • P005 Standard User Password
  • P009 Unsuccessful Login Attempts
  • P002 Password Exception List