Have Your PeopleSoft System Been Hacked - 2013

January 5, 2018 | Author: Anonymous | Category: Engineering & Technology, Computer Science, Information Security

Have your PeopleSoft systems been hacked?
GreyHeller LLC. © GreyHeller, LLC. All Rights Reserved.

QuestDirect.org

GreyHeller LLC, Proprietary & Confidential

Agenda
• Introductions
• What you read in the press
• Identity and Password Management
• Data Security
• Process Security
• Incident Response
• Logging and Analysis

Company Highlights
• Founded by the people who ran PeopleTools
• PeopleTools strategists and developers since 1994
• Deep PeopleSoft software development skills and DNA
• Nearly 100 customers (US; Canada; UK; EU; Australia; Asia; Africa; South America)
• Beta test partner: PeopleTools 8.53 & Applications 9.2
• 2011 & 2012 Oracle Customer Advisory Board
• PeopleSoft ecosystem – blog; webinars; conference training

Software Solutions
• Mobile for PeopleSoft
  - Any PeopleSoft page / customization, automatically
  - Single code version: iOS; Android; Blackberry; Windows 7
  - Highly secure
• Single Signon
• ERP Firewall
• Version Control
• Excel Add-in

Customers
Unilever; US Dept. of State; Pfizer; University of North Carolina at Chapel Hill;
University of Arkansas; Cambridge University; Philip Morris; Chesapeake Energy;
Lazard, Ltd.; Texas Christian Univ; QVC; Arizona State University;
US Dept. of Energy; HealthSouth; Robert Half International; MMI Holdings;
Stony Brook University; Methanex; Univ. of Oklahoma – Health Sciences Center; University of Central Florida;
BCD Travel; Jones Lang LaSalle; University of Montreal; Ryerson University;
Berlin Packaging; Frostburg State Univ; University of Kansas; University at Buffalo;
AgFirst Bank; Incyte; Amedisys; Quintiles;
DLA Piper; GEICO; Logistics Health; Barnabas Health

What you read in the press
• SQL Injection
• Cross Site Scripting
• Content Spoofing and Injection
• Authentication and Authorization
• Directory Indexing
• Information Leakage

PeopleTools as a platform
• Security enforced consistently
• Central team within PeopleTools that specializes in security
• Vulnerabilities addressed without requiring redevelopment of business logic: changes are made in the platform, and the vulnerability is addressed platform-wide immediately

SQL Injection
• Repercussions
  - Gather sensitive data
  - Make unauthorized updates to application data
  - Escalate privileges and/or bypass system controls
  - Cause service interruption
• Mitigated in PeopleTools by
  - PeopleTools does not concatenate form fields to create the SQL it issues
  - The types of form fields are known to PeopleTools, so the entry is validated on size and type
• Watch out for SQLExec calls. Mitigate by change management procedures.

Cross site scripting
• Occurs when an unauthorized form mimics a form within the application to fool it into allowing unauthorized updates
• Addressed in PeopleTools by embedding a random token in each PeopleSoft page that the web server validates before accepting it

Content Spoofing and Injection
• Modifies traffic between site and browser to find an opportunity to gain unauthorized access or to escalate privileges. Examples include:
  - Modifying the URL in unexpected ways
  - Altering or removing HTML headers
  - Altering or removing cookies
  - Altering the HTML or XML content
• PeopleTools acts as the single controller for traffic

Content Spoofing and Injection
• Can be bypassed with improper coding practices
  - Utilizing an HTTP header to maintain the identity of the user for single signon
  - Utilizing a GET request parameter with the SQLExec function
• Common location-based security mistakes
  - Restricting the portal navigation as a way of enforcing location security
  - Utilizing headers to identify the source of traffic

Common Remediations
• Review any headers that are available on the client
• Change management process to review all logic related to the %Request.GetParameter() function as well as SQLExec functions
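As an added illustration of the change-management review the remediation slide calls for (not code from the deck or from GreyHeller), this Python script flags the PeopleCode patterns named above: SQLExec built by string concatenation, %Request.GetParameter() and %Request.GetHeader(). The PeopleCode fragments and the table name are constructed for the example.

```python
import re

# Constructed PeopleCode fragments (not from the deck); the table name is made up.
# Line 2 concatenates a request parameter into SQLExec; line 3 uses a bind marker (:1).
SAMPLE_PEOPLECODE = (
    'Local string &emplid = %Request.GetParameter("EMPLID");\n'
    'SQLExec("SELECT NAME FROM PS_SAMPLE_DATA WHERE EMPLID = \'" | &emplid | "\'", &name);\n'
    'SQLExec("SELECT NAME FROM PS_SAMPLE_DATA WHERE EMPLID = :1", &emplid, &name);\n'
    'Local string &hdr = %Request.GetHeader("X-User");\n'
)

# Patterns the change-management review should stop on. A SQLExec whose first
# argument is a string literal followed by the "|" concatenation operator is
# assembling SQL from variables; a literal with bind markers does not trigger it.
REVIEW_PATTERNS = {
    "sqlexec_concat": re.compile(r'SQLExec\s*\(\s*"[^"]*"\s*\|', re.IGNORECASE),
    "request_param":  re.compile(r'%Request\.GetParameter\s*\(', re.IGNORECASE),
    "request_header": re.compile(r'%Request\.GetHeader\s*\(', re.IGNORECASE),
}

def review(source: str) -> list[tuple[int, str, str]]:
    """Return (line_no, finding, stripped_line) for every line that needs review."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for name, rx in REVIEW_PATTERNS.items():
            if rx.search(line):
                findings.append((no, name, line.strip()))
    return findings

if __name__ == "__main__":
    for no, name, text in review(SAMPLE_PEOPLECODE):
        print(f"line {no}: {name}: {text}")
```

Each hit is a line a reviewer inspects by hand; the bind-variable form on line 3 is the pattern the SQL Injection slide describes as safe and is deliberately not reported.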

Authentication and Authorization
• Identity management processes and controls
• Password storage, management, and controls
• Privilege management
• Consistent application controls
• PeopleTools enforces security

Information Leakage
To aid in development and troubleshooting, information about the configuration and version of the parts of the system needs to be accessible at times. However, making this information available publicly can help attackers find vulnerabilities. Access to this information is not controlled by developers but by the PeopleTools platform itself, in the web profile. Therefore, we recommend that the web profile settings of the production web servers be audited to ensure that the settings for providing this information are turned off.

Discussion Points
• Identity and Password Management
• Data Security
• Process Security
• Incident Response
• Logging and Analysis

Identifying and Authenticating Users
• Risks
  - User IDs and passwords
  - Users can have privileges that are not appropriate for them
  - Lack of visibility into inappropriate use of user IDs, passwords, or privileges
• Categories
  - User account and identity management
  - Processes that surround user identity and role changes
  - Differentiated levels of trust and re-authentication
  - Password controls

Centralize user credentials, password controls, and authentication process (Single Signon)
• One place to protect the user account information
• One ID across different University systems
• Password controls enforced consistently
• Changes in access administered and enforced in a single place

One Identity for System Access regardless of role
• Risks:
  - Password controls are not enforced consistently, and users must remember the credentials for each account
  - Changes in the user's identity and access must often be applied manually to both accounts
  - It is more difficult to audit users' actions across the different accounts
• Controls over the account provisioning process
• Batch processes

Processes for controlling changes in user identity
• Student Self-Service Access: risk limited to the individual student
• Faculty and Student Intern Access: risk related to activities that faculty and interns perform for students or the University, such as grading and advising
• Functional Administrator Access: risk related to operations of the system in a functional area
• System Administrator Access: risk related to the operations of the PeopleSoft environment
• End-user Support Access: risk related to the scope of tasks that can be performed
• Developer Access: risk related to changes and to the data that is accessible to the developer

Key Activities
• Provisioning of a new individual
• Termination
• Transfer
• Assumption of new responsibilities

Login attempt capture and analysis
• Identify suspicious activity
  - Identification of accounts targeted in attacks
  - Identification of potentially compromised accounts
  - Early identification of organized attacks
  - Identification of sources of attacks

Protecting Application Data
• Controls over how data is stored
• Controls over how data is accessed
• Controls over how data is moved
• Focus on roles
  - End-User
  - Administrator
  - Developer
  - DBA

Administrator Best Practices
• Hiding or masking sensitive data
• Externalizing sensitive data from the application
• Policies for exporting and storing data
  - Stewardship
  - Controlling storage and access
  - Single control point over access (real time)
• Controlling PS/Query access

Controlling Access to PeopleSoft Functions
The areas to consider within each type of user include:
• Protecting against actions performed by an unauthorized user with a valid account
• Protecting against actions performed by an authorized user with an authorized account
• Protecting against system changes that could allow privilege escalation

Mitigation Techniques
• Controlling access to a machine with an open session or saved credentials
• Controlling access to administrative functions that could compromise business functions or cause privilege escalation
• Providing audits and controls over high-risk functions

Best Practice: 2-factor authentication
• Two of the three standard authentication factors
  - Something the user knows (password, PIN, pattern)
  - Something the user has (phone, email account, USB key, smart card, SecurID token)
  - Something the user is (biometric characteristic)

Common Tokens
• Connected token
  - Smart card reader
  - USB token
  - Fingerprint scanner
• Disconnected token
  - SecurID token
  - Email
  - SMS
  - IVR
  - Mobile app

Best Practice: Differentiated Levels of Trust
Based on the following attributes:
• Location from which access is being performed
• Device from which the user is accessing
• User
• History of access

Location Attributes
• Access from a campus office with keycard access
• Access from campus locations that have wired connections
• Access from campus locations that are accessed wirelessly
• Access from non-campus locations, but in the community of the campus
• Access from other US locations
• Access from other countries

Device Attributes

User Attributes

History Attributes

Setting the Levels
• Banding sets of session attributes into levels of trust
• Banding PeopleSoft functionality into the different levels of access
  - Functionality should be analyzed with the following in mind:
    - Can it be used for privilege escalation?
    - Can it be used fraudulently to benefit or damage students, faculty, administration or the University?
    - Are there other processes in place to review or approve changes made?
• The results of this banding will group PeopleSoft functionality into how it will be provided:
  - Allowed with any valid session
  - Allowed with a valid session and an additional factor of authentication
  - Disallowed for the current session
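An added example (not code from the deck or from GreyHeller) of the two bandings described on the "Differentiated Levels of Trust" and "Setting the Levels" slides: session attributes (location, device, history) are scored into a trust level, and each PeopleSoft function is banded so that a request is allowed, challenged for an additional factor, or disallowed for the current session. The scores, thresholds, function names and the "one level below may step up" rule are all assumptions made for the example.

```python
from dataclasses import dataclass

# Session-attribute bands from the "Location Attributes" slide plus a device band,
# turned into scores (the numbers are constructed; higher means more trusted).
LOCATION_TRUST = {
    "keycard_office": 5, "campus_wired": 4, "campus_wireless": 3,
    "campus_community": 2, "other_us": 1, "other_country": 0,
}
DEVICE_TRUST = {"managed": 2, "registered": 1, "unknown": 0}

@dataclass(frozen=True)
class Session:
    oprid: str
    location: str
    device: str
    mfa_done: bool          # an additional factor was already presented this session
    failures_last_24h: int  # the "history of access" attribute

def trust_level(s: Session) -> int:
    """Band a session's attributes into a trust level 0 (lowest) to 3 (highest)."""
    score = LOCATION_TRUST[s.location] + DEVICE_TRUST[s.device]
    if s.failures_last_24h >= 5:   # recent failed-login history lowers trust
        score -= 3
    return 3 if score >= 6 else 2 if score >= 4 else 1 if score >= 2 else 0

# Function bands (constructed): the trust level at which the function is allowed
# outright, and whether a session one level below may step up with a second factor.
FUNCTION_BANDS = {
    "view_own_grades":       {"min_trust": 0, "step_up_ok": True},
    "change_direct_deposit": {"min_trust": 2, "step_up_ok": True},
    "security_admin":        {"min_trust": 3, "step_up_ok": False},
}

def decide(s: Session, function: str) -> str:
    """Return 'allow', 'challenge' (needs an additional factor) or 'deny'."""
    band = FUNCTION_BANDS[function]
    level = trust_level(s)
    if level >= band["min_trust"]:
        return "allow"                      # allowed with any valid session at this level
    if band["step_up_ok"] and level == band["min_trust"] - 1:
        return "allow" if s.mfa_done else "challenge"   # valid session plus second factor
    return "deny"                           # disallowed for the current session

if __name__ == "__main__":
    s = Session("STAFF1", "other_us", "managed", mfa_done=False, failures_last_24h=0)
    print(trust_level(s), decide(s, "change_direct_deposit"))
```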

Other Best Practices
• Temporary access to high-risk functions
• Well-defined policies and training over administrative use
• Release process over configuration settings

Developer and Tester Best Practices
• Limit developer access to production
• Change management solution for development tasks
• Automating migrations into production with segregation of duties
• Removal of PeopleSoft-delivered accounts and roles
• Audit and controls over development and testing accounts and permissions in production
• Test automation
  - Develop and test scripts instead of running SQL directly in production

Incident Response
• Common incidents
  - Solicited and/or unsolicited information provided by security research organizations
  - Publication of an issue or breach affecting the University's system
  - Discovery of a potential breach that could affect the University's system
  - Account-level issues including breaches and password resets

Incident Response Best Practices
• Cross-functional incident response teams
• Communication processes and plans
• Incident response policies and procedures that define SLAs, roles, responsibilities, and automation wherever possible

Logging and Auditing
Helps with:
• Preventing security breaches
• Identifying breaches or attacks early, thereby reducing the scope of impact
• Quickly understanding the scope of attacks or breaches so that a response can be planned and quickly implemented
• Gathering better information for security audits or litigation

Logging Best Practices
• Information about the location accessed from
• Failed login activity
• Information about the data accessed or any transaction activity

Best Practice: Capturing additional information
• IP address or location
• Web server being accessed
• User ID
• Pages accessed within the application
• Keys to identify the data accessed or transaction to be processed
• Actions performed within the application

Best Practice: Segmented Logs
• Login activity
• Password resets
• Administrative access by functional area
• Student access by functional area
• Support access
• Access from high-risk locations
• Access from high-risk personnel
• Access to sensitive data or transactions
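An added example (not code from the deck or from GreyHeller) that applies the "Login attempt capture and analysis" slide and the three logging best-practice slides to a few constructed access records carrying the fields those slides list: it splits one combined log into the recommended segments, then uses the failed-login segment to identify attack sources, targeted accounts and accounts that may have been compromised. The record layout, the campus address range and the sensitive page names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed access records (not from the deck) in the field order the logging
# slides call for: date/time, user ID (Oprid), IP address, web server, page, result.
RECORDS = [
    ("2013-09-01 08:00:01", "student01", "10.1.5.20",    "ps-web1", "SSS_STUDENT_CENTER", "OK"),
    ("2013-09-01 08:00:07", "student01", "203.0.113.9",  "ps-web1", "LOGIN", "FAIL"),
    ("2013-09-01 08:00:09", "student02", "203.0.113.9",  "ps-web1", "LOGIN", "FAIL"),
    ("2013-09-01 08:00:11", "student03", "203.0.113.9",  "ps-web1", "LOGIN", "FAIL"),
    ("2013-09-01 08:00:13", "student04", "203.0.113.9",  "ps-web1", "LOGIN", "FAIL"),
    ("2013-09-01 08:01:00", "admin01",   "198.51.100.7", "ps-web2", "LOGIN", "FAIL"),
    ("2013-09-01 08:01:05", "admin01",   "198.51.100.8", "ps-web2", "LOGIN", "FAIL"),
    ("2013-09-01 08:01:10", "admin01",   "198.51.100.9", "ps-web2", "LOGIN", "FAIL"),
    ("2013-09-01 08:02:00", "admin01",   "198.51.100.9", "ps-web2", "DIRECT_DEPOSIT", "OK"),
    ("2013-09-01 08:03:00", "payroll01", "10.1.5.30",    "ps-web2", "DIRECT_DEPOSIT", "OK"),
]
CAMPUS_PREFIX = "10."                                   # assumed campus address range
SENSITIVE_PAGES = {"DIRECT_DEPOSIT", "SECURITY_ADMIN"}  # assumed high-risk pages

def segment(records):
    """Split one combined log into the segmented logs the slide recommends."""
    segs = defaultdict(list)
    for rec in records:
        _ts, _oprid, ip, _web, page, result = rec
        if page == "LOGIN":
            segs["login_activity"].append(rec)
            if result == "FAIL":
                segs["failed_logins"].append(rec)
        if not ip.startswith(CAMPUS_PREFIX):
            segs["high_risk_location"].append(rec)
        if page in SENSITIVE_PAGES:
            segs["sensitive_transactions"].append(rec)
    return segs

def attack_sources_and_targets(failed, spray_threshold=3, target_threshold=3):
    """Sources trying many accounts (organized attack) and accounts drawing many failures."""
    users_per_ip, failures_per_user = defaultdict(set), Counter()
    for _ts, oprid, ip, *_ in failed:
        users_per_ip[ip].add(oprid)
        failures_per_user[oprid] += 1
    sources = {ip for ip, users in users_per_ip.items() if len(users) >= spray_threshold}
    targets = {u for u, n in failures_per_user.items() if n >= target_threshold}
    return sources, targets

def possibly_compromised(records, targets):
    """Targeted accounts that later succeeded from off campus (records are time-ordered)."""
    failed_before, hits = set(), set()
    for _ts, oprid, ip, _web, _page, result in records:
        if result == "FAIL" and oprid in targets:
            failed_before.add(oprid)
        elif result == "OK" and oprid in failed_before and not ip.startswith(CAMPUS_PREFIX):
            hits.add(oprid)
    return hits
```

On the sample data the spraying source is the address that tried four student accounts, the targeted account is admin01, and admin01 is also flagged as possibly compromised because its off-campus success on a sensitive page follows its run of failures.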

Summary
• Masking and externalizing sensitive data
• Differentiated security and 2-factor authentication
• Logging and auditing
• Change management and automation

GreyHeller Security Products
• Desktop Single Signon
• ERP Firewall
  - Differentiated security
  - Location based security
  - 2 factor authentication
  - Delegation
  - Logging
• GreyHeller Version Control

ERP Firewall
Allows you to:
• Control access based on location, user, content, and state
• Log only the requests you care about
• Implement additional challenges for content you wish to secure more strongly
• Display your own system messages to your users
• Restrict access when the system is under maintenance

Access Control Made Easy

ERP Firewall Flow

Flexible, Powerful Conditions

Powerful Logging
• Gathers a complete picture of access
  - Oprid / IP Address / Result / Browser / Date / Time
  - Login Page / Portal Content / PeopleSoft Page / iScript
  - EMPLID / Search Criteria / Actions taken
• Allows creation of targeted logs
  - Failed login activity
  - Activity for specific content
  - Activity for types of users
  - 2-factor activity

Definitional 2-factor authentication
• Identify areas that require additional security upon access
• Only grant extended privileges when needed
• Limit the scope of those privileges

Change Management
• Segregation of duties and release management controls
• Visibility into all development and release activity
• Facilitates automated testing
• No footprint on your PeopleSoft servers
• PeopleSoft environments are not linked to each other

Collaboration
• Access to all parts of your release process from a browser
  - Code browsing and revision history
  - Check-in history
  - Migration definition and execution
  - Tickets, approvals, and state of work
• Integrated collaboration tools
  - Email notifications
  - RSS feeds

Normal Release Process

Standard Release Process

APRIL 7-11, 2014, Sands Expo and Convention Center, Las Vegas, Nevada
QuestDirect.org/COLLABORATE
COLLABORATE 14 - Quest Forum is THE source for PeopleSoft roadmaps & news. It matters where you register! All PeopleSoft education and events run through Quest.
