This follows on from my recent article about detecting hackers probing a Maximo installation.
Maximo is probably not the highest-priority target for hackers, but it can contain important information:
- Maintenance schedule information, and thus indications of maintenance budgets
- Locations of sensitive equipment
- Customer details, e.g. addresses where maintenance needs to be carried out
- Financial details, e.g. buyers' details
- Contractual details that only certain groups of people should see, e.g. costs
Security groups allow system administrators to use data restrictions and conditional expressions to control which records and fields users can see. IBM has published various technotes about how to use these features. When designing solutions that use conditional expressions, make sure the objects remain usable whichever security groups a user belongs to: you don't want to create a situation where a field requires a value but is hidden from the user by a data restriction, because the user cannot fill in a field they cannot see.
IBM provides information on securing its software on its web site, and publishes notifications so customers can keep up to date with the latest fixes, including fixes for security problems.
Readers who want to learn about security threats will find Brian Krebs's site interesting. It explains the value of a hacked PC and gives details of some of the scams that are going on.
This is an interesting article about the risks associated with remote management software. The securityintelligence.com site often has interesting security-related articles.
Financial risks associated with the purchasing process
Maximo can be used in a purchasing process, with purchase orders sent directly to suppliers or passed to external purchasing systems.
As with any financial system there is always the risk of fraud.
Maximo provides security groups to control who can raise PRs, who can approve POs, and so on.
I have seen solutions where different people have different roles, so a person can raise a PR but cannot then approve the resulting PO. This prevents users from raising a PR that benefits them and then approving the related PO.
Account separation is important but is it working?
At one Maximo installation it was found that a user held the login details for several accounts, which allowed them to raise PRs under one account and approve them under another.
Here are two checks that can be used to detect this type of abuse:
- Use the login tracking functionality to record where users log in from. Are two privileged accounts logging in from the same PC?
- Compare approval dates against dates when the approver is known to have been away. An approval stamped while the approver was absent points to someone else using the account.
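As an added example (not code from the original article or from Vetasi), here is how those two checks could be written as SQL and run with Python's sqlite3, so it works offline. All rows are constructed sample data. The table and column names (LOGINTRACKING, GROUPUSER, POSTATUS) are assumptions modelled on a typical Maximo 7 schema and the group names are hypothetical; verify them against your site's data dictionary before building the BIRT report. The absence list is also constructed, because Maximo does not hold a leave register.

```python
import sqlite3

# Constructed sample data, not from a real Maximo instance. Column names are
# assumptions modelled on Maximo 7's LOGINTRACKING, GROUPUSER and POSTATUS
# tables: check them against your data dictionary before using them in BIRT.
PRIVILEGED_GROUPS = ("PURCHREQ", "PURCHAPPR")  # hypothetical group names

LOGINTRACKING = [
    # (userid, attemptdate, attemptresult, clienthost)
    ("JSMITH", "2017-03-06 08:02:11", "LOGIN",  "WS-FIN-07"),
    ("JSMITH", "2017-03-06 12:15:40", "LOGOUT", "WS-FIN-07"),
    ("MJONES", "2017-03-06 12:17:03", "LOGIN",  "WS-FIN-07"),  # approver, same PC
    ("MJONES", "2017-03-06 12:30:55", "LOGOUT", "WS-FIN-07"),
    ("KLEE",   "2017-03-06 09:00:00", "LOGIN",  "WS-FIN-12"),
    ("ABAKER", "2017-03-07 09:10:00", "LOGIN",  "WS-FIN-12"),  # not privileged
    ("MJONES", "2017-03-08 10:05:00", "LOGIN",  "WS-FIN-07"),
]
GROUPUSER = [
    ("JSMITH", "PURCHREQ"), ("MJONES", "PURCHAPPR"),
    ("KLEE", "PURCHAPPR"), ("ABAKER", "MAXEVERYONE"),
]
POSTATUS = [
    # (ponum, status, changeby, changedate)
    ("1001", "APPR", "MJONES", "2017-03-06 12:20:30"),
    ("1002", "APPR", "MJONES", "2017-03-08 10:15:00"),  # MJONES on leave that day
    ("1003", "APPR", "KLEE",   "2017-03-06 09:30:00"),
]
# Maximo has no leave register; this list would come from HR or the holiday calendar.
ABSENCE = [("MJONES", "2017-03-08", "2017-03-10")]


def load_db():
    """Build an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE logintracking(userid, attemptdate, attemptresult, clienthost);
        CREATE TABLE groupuser(userid, groupname);
        CREATE TABLE postatus(ponum, status, changeby, changedate);
        CREATE TABLE absence(userid, startdate, enddate);
    """)
    con.executemany("INSERT INTO logintracking VALUES (?,?,?,?)", LOGINTRACKING)
    con.executemany("INSERT INTO groupuser VALUES (?,?)", GROUPUSER)
    con.executemany("INSERT INTO postatus VALUES (?,?,?,?)", POSTATUS)
    con.executemany("INSERT INTO absence VALUES (?,?,?)", ABSENCE)
    return con


def shared_pc_privileged(con, window_hours=24):
    """Check 1: pairs of privileged accounts that logged in from the same
    client host within window_hours of each other."""
    marks = ",".join("?" * len(PRIVILEGED_GROUPS))
    sql = f"""
        SELECT a.clienthost, a.userid, b.userid, a.attemptdate, b.attemptdate
        FROM logintracking a
        JOIN logintracking b
          ON a.clienthost = b.clienthost AND a.userid < b.userid
        WHERE a.attemptresult = 'LOGIN' AND b.attemptresult = 'LOGIN'
          AND ABS(julianday(a.attemptdate) - julianday(b.attemptdate)) * 24 <= ?
          AND a.userid IN (SELECT userid FROM groupuser WHERE groupname IN ({marks}))
          AND b.userid IN (SELECT userid FROM groupuser WHERE groupname IN ({marks}))
        ORDER BY a.clienthost, a.attemptdate, b.attemptdate
    """
    params = (window_hours, *PRIVILEGED_GROUPS, *PRIVILEGED_GROUPS)
    return con.execute(sql, params).fetchall()


def approvals_during_absence(con):
    """Check 2: PO approvals stamped on a day the approver was recorded as away."""
    sql = """
        SELECT p.ponum, p.changeby, p.changedate, a.startdate, a.enddate
        FROM postatus p
        JOIN absence a ON a.userid = p.changeby
        WHERE p.status = 'APPR'
          AND date(p.changedate) BETWEEN a.startdate AND a.enddate
        ORDER BY p.changedate
    """
    return con.execute(sql).fetchall()


if __name__ == "__main__":
    db = load_db()
    for row in shared_pc_privileged(db):
        print("shared PC:", row)
    for row in approvals_during_absence(db):
        print("approval while away:", row)
```

The first query self-joins the login table on host, so it reports each pair of privileged accounts seen on one PC inside the window; widen the window for sites where the same workstation is legitimately shared across shifts, and review the pairs rather than treating a hit as proof. The second query only needs the PO status history and an absence list, which is why the absence data is kept in a separate table fed from outside Maximo.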
Reducing the risk of legal costs associated with work orders
Maximo is often used in environments with hazards such as dust, heat or chemicals. Safety plans are often defined that specify the use of specific safety gear, such as heavy-duty gloves.
Some sites book safety gear out to individuals to ensure that there is a safety record. Each staff member’s identity card has a bar code that is scanned when safety gear is booked out to them. This creates a record linking the equipment to the person and this record can be used to defend legal claims that the person was not provided with the appropriate safety equipment.
This booking in and out can generate a lot of work for financial staff accounting for the inventory changes. A BIRT report can be built to compare the data in the two systems (the booking-out records and the inventory data in Maximo) and automatically highlight differences. It can be scheduled so that the check is quick and routine.
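As an added example (not code from the article or from Vetasi's report), this is the comparison such a report performs, written in Python so it runs offline. The badge-scan export, its badge-to-person map and the Maximo issue rows are all constructed sample data; the Maximo side is modelled on MATUSETRANS issue and return transactions, which is an assumption to check against the data dictionary.

```python
import csv
import io
from collections import defaultdict

# Constructed export from the badge-scanning booking system (hypothetical format):
# one line per scan, OUT when gear is booked out, IN when it is returned.
BOOKING_EXPORT = """badge,itemnum,qty,direction,scanned
B-1001,GLOVE-HD,2,OUT,2017-03-06 07:55
B-1001,GLOVE-HD,1,IN,2017-03-06 16:10
B-1002,RESP-P3,1,OUT,2017-03-06 08:01
B-1003,GLOVE-HD,1,OUT,2017-03-07 08:00
"""

# Badge-to-person mapping held by the booking system (constructed).
BADGE_TO_PERSON = {"B-1001": "WILSON", "B-1002": "HARDING", "B-1003": "LOPEZ"}

# Constructed rows modelled on Maximo's MATUSETRANS issue/return transactions.
# Column names are assumptions; check them against the data dictionary.
MAXIMO_ISSUES = [
    # (itemnum, issueto, quantity, issuetype)
    ("GLOVE-HD", "WILSON", 2, "ISSUE"),
    ("GLOVE-HD", "WILSON", 1, "RETURN"),
    ("RESP-P3", "HARDING", 2, "ISSUE"),   # quantity differs from the scan
    ("EAR-DEF", "LOPEZ", 1, "ISSUE"),     # issued in Maximo, never scanned
    # LOPEZ's GLOVE-HD booking never reached Maximo at all
]


def booking_balances(export_text, badge_map):
    """Net quantity currently booked out per (person, item) from the scanner export."""
    net = defaultdict(int)
    for row in csv.DictReader(io.StringIO(export_text)):
        # Unknown badges are kept, not dropped, so they show up as a difference.
        person = badge_map.get(row["badge"], "UNKNOWN-BADGE:" + row["badge"])
        sign = 1 if row["direction"] == "OUT" else -1
        net[(person, row["itemnum"])] += sign * int(row["qty"])
    return dict(net)


def maximo_balances(rows):
    """Net quantity issued per (person, item) from the Maximo transactions."""
    net = defaultdict(int)
    for itemnum, issueto, qty, issuetype in rows:
        sign = 1 if issuetype == "ISSUE" else -1
        net[(issueto, itemnum)] += sign * qty
    return dict(net)


def reconcile(booking, maximo):
    """Return one tuple per (person, item) where the two systems disagree:
    (person, itemnum, booked_qty, maximo_qty, reason)."""
    diffs = []
    for person, itemnum in sorted(set(booking) | set(maximo)):
        b = booking.get((person, itemnum))
        m = maximo.get((person, itemnum))
        if b is None:
            diffs.append((person, itemnum, b, m, "not in booking system"))
        elif m is None:
            diffs.append((person, itemnum, b, m, "not in Maximo"))
        elif b != m:
            diffs.append((person, itemnum, b, m, "quantity mismatch"))
    return diffs


def run_reconciliation():
    return reconcile(booking_balances(BOOKING_EXPORT, BADGE_TO_PERSON),
                     maximo_balances(MAXIMO_ISSUES))


if __name__ == "__main__":
    for person, itemnum, b, m, reason in run_reconciliation():
        print(f"{person:10} {itemnum:10} booked={b} maximo={m}  {reason}")
```

Comparing net balances per person and item, rather than matching scans to transactions one by one, keeps the report short and tolerant of the two systems recording the same event at slightly different times; the three reasons it reports are the ones finance staff actually need to chase.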
Vetasi customisations
Vetasi can build reports to check for multiple accounts using the same PC and to compare data in two systems. I’ll be demonstrating how to use a BIRT report in a future “Making Maximo Easier to Support” webcast. The date hasn’t been confirmed yet but it should be before May.
This blog series
This article is one of a series of articles to help system administrators understand the Maximo logs and the underlying architecture.
Articles are normally posted on a Tuesday and Thursday. The LinkedIn notification mechanism means that you may not receive a notification about the Thursday posting, so visit the index page mentioned above.
If you like this article then please share it so others can benefit from it or like it so I can understand which articles are the most useful.
Disclaimer
The postings on this blog are my own and don't necessarily represent Vetasi's positions, strategies or opinions.
The materials on this site are provided "AS IS" and the author will not be liable for any direct, indirect or incidental damages arising out of or relating to any use or distribution of them.
#Maximo #AssetandFacilitiesManagement