Post on 08-Feb-2022
10/18/2020
Beyond Hardening - New Threats
Greg Kelly, PeopleTools Product Management, PeopleTools Security
October 2020
When a crisis arises- The time for preparation has passed
Agenda
Threat Architecture
Hardening
Security Considerations for a Security Strategy
Security Considerations for Cloud
Prevent PeopleSoft Becoming Collateral Damage
Safe Harbor
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.
Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and prospects are “forward-looking statements” and are subject to material risks and uncertainties. A detailed discussion of these factors and other risks that affect our business is contained in Oracle’s Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and Form 10-Q under the heading “Risk Factors.” These filings are available on the SEC’s website or on Oracle’s website at http://www.oracle.com/investor. All information in this presentation is current as of September 2019 and Oracle undertakes no duty to update any statement in light of new information or future events.
“Security” Implementations
PeopleSoft Architecture and Threat Vectors
Diagram (PeopleSoft stack and the surrounding threat vectors): Mobile, PIA, eMail Server, WebLogic/Proxies, Tuxedo App Server, PeopleSoft Database (the PeopleSoft stack), IoT, Network, IDE/LCM, Other Servers in Same Domain.
Elements of Threat Architecture and Enterprise Protection
PIA
Concerns: A/V current? Inappropriate access; Untrusted networks
Mitigation: SW asset audit; WA/ERP firewall; URL request filter; Site Advisor
Database
Concerns: Internal abuse
Mitigation: DB Firewall; TDE; Audit Vault; DB Vault
Network
Concerns: Internal abuse; Rogue web servers; Sniffing
Mitigation: Virtual IPs; Routing; IPS; IDS; S/W asset audit; Firewalls; Traffic encryption; OS login audit
eMail Server
Concerns: Phishing; Security/Brand
Mitigation: DMARC/SPF/DKIM; DNS Security; Site Advisor
Mobile
Concerns: Detect jailbroken? Detect rogue apps? Detect leaky OS? Detect untrusted networks?
Mitigation: Fingerprinting; Mobile App Mgmt
PeopleSoft Stack
Concerns: Internal abuse
Mitigation: GRC; TDE; Log analysis; SIEM; App monitoring; OIM
IDE/LCM
Concerns: Sniffing
Mitigation: Encryption; SW asset audit
IoT
Concerns: Unknown
Mitigation: Bastion?
Typical Traffic Flow in a Phishing Attack
Diagram: where is the user? Actors: User, Hacker, Hacker’s Web Site, Corporate Site. The numbered steps (1, 2, 3.1, 3.2, 4, 5) are described below.
Defense
In this case:
• Hacker sends email to target, simulating valid email format, e.g. logos etc.
• User clicks on link to Hacker’s site with login form.
• User enters corporate credentials.
• Hacker site captures credentials and redirects user to Corporate Site, possibly with credentials as POST.
• User may be requested to login again; most users treat this as not unusual.
• User accesses Corporate Site and continues as normal.
• Some time later, Hacker logs in with captured credentials.
• Hacker may have to refine simulated page.
• Malware Scenario! ***
Defenses:
• DMARC – eMail server defenses, including secure DNS
• Fingerprint analysis of requests
• Analysis of outgoing web site requests, e.g. whitelist, SiteAdvisor, routing rules
• Revalidation of “user” for sensitive transactions
• Delayed access for confirmation notification
• Time-based One-Time Password (TOTP)
• Multifactor Authentication
• East-West, or North-South, migration mitigation
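The DMARC/SPF/DKIM line in the defenses above is only as strong as the records the sending domain publishes. The following Python is an added example, not code from the presentation or from Oracle: it parses the SPF and DMARC TXT records a resolver would return for a domain and reports the weaknesses that let a phisher send mail that appears to come from it. The domain example.test and both records are constructed for illustration; DKIM is left out because selector records cannot be enumerated without knowing the selector names.

```python
"""Assess SPF and DMARC records for spoofability (added example).

The records below are constructed for illustration; example.test is a
hypothetical domain, not real DNS data.
"""
import re

# Constructed TXT records, as returned for "example.test" and
# "_dmarc.example.test".  Softfail SPF plus p=none DMARC is the common
# "monitoring only" posture that still lets forged mail through.
SAMPLE_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mail.test ip4:203.0.113.0/24 ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test; pct=100"],
}


def parse_spf(txt_records):
    """Return (mechanisms, qualifier of the 'all' term) from the first
    v=spf1 record, or None when the domain publishes no SPF."""
    for rec in txt_records:
        terms = rec.split()
        if not terms or terms[0].lower() != "v=spf1":
            continue
        all_qual, mechs = None, []
        for term in terms[1:]:
            m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
            if m:
                all_qual = m.group(1) or "+"   # bare "all" means +all
            else:
                mechs.append(term)
        return mechs, all_qual
    return None


def parse_dmarc(txt_records):
    """Return the tag=value dict of the first v=DMARC1 record, or None."""
    for rec in txt_records:
        tags = {}
        for part in rec.split(";"):
            if "=" in part:
                k, v = part.split("=", 1)
                tags[k.strip().lower()] = v.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def assess_domain(domain, records):
    """List the weaknesses an attacker spoofing `domain` could exploit."""
    findings = []
    spf = parse_spf(records.get(domain, []))
    if spf is None:
        findings.append("no SPF record: any host may send as this domain")
    else:
        mechs, qual = spf
        if qual in (None, "+"):
            findings.append("SPF lacks a restrictive 'all' term (missing or +all)")
        elif qual in ("~", "?"):
            findings.append(f"SPF ends in '{qual}all': softfail/neutral, forged mail is usually delivered")
        if any(m.lower().lstrip("+-~?").startswith("ptr") for m in mechs):
            findings.append("SPF uses the ptr mechanism (deprecated, slow and spoofable)")

    dmarc = parse_dmarc(records.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("no DMARC record: receivers cannot enforce alignment")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is not rejected")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: move to p=reject once reports are clean")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: no aggregate reports, abuse goes unseen")
        if dmarc.get("adkim", "r").lower() != "s" or dmarc.get("aspf", "r").lower() != "s":
            findings.append("DMARC uses relaxed alignment: lookalike subdomains may pass")
    return findings


if __name__ == "__main__":
    for finding in assess_domain("example.test", SAMPLE_RECORDS):
        print("-", finding)
```

Swap in the records returned by your own resolver (dig TXT example.test and dig TXT _dmarc.example.test) to check a real domain; an empty findings list means the domain publishes -all, p=reject and strict alignment, which is the posture DMARC was designed for.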
Phishing Payload Deconstructed
https://www.youtube.com/watch?v=o1Ftl_8aAng
REPORT THE USE OF UNLICENSED SOFTWARE. HTTPS://REPORTING.BSA.ORG
[I] WANT TO REPORT: An organization or business that is using or installing more software than it has licenses for. Examples of this type of piracy include:
• Using one license on many computers
• Using hacked/cracked software in the organization being reported
• Using unlicensed software (from any other source)
Software piracy claims can ruin your business and reward those responsiblehttps://techcrunch.com/2016/05/10/software-piracy-claims-can-ruin-your-business-and-reward-those-responsible/
"... And to add insult to injury, this practice very often rewards with financial gains the very perpetrators of bad behavior"
BSA | The Software Alliance (BSA) is the leading advocate for the global software industry. Its members are among the world's most innovative companies, creating software solutions that spark the economy and improve modern life.
- Sextortion Email
- Business Email Compromise (BEC)
- “False SPAM”
In this ad, the “Skip Ad” box is click bait and opens a separate window with the ad.While annoying this example is relatively benign, but it could just as easily be a malware download site.
• Backup, Test, Backup, Test, …
Business Email Compromise
EMAIL SCAMMERS DITCH WIRE TRANSFERS FOR ITUNES GIFT CARDS
https://www.wired.com/story/email-scammers-gift-cards-nonprofits/
"... The Federal Trade Commission reported in October that 26 percent of people who report being scammed in 2018 said they bought or reloaded a gift card to deliver the money, up from 7 percent in 2015. The FTC says gift card-related losses reported to the agency totaled $20 million in 2015, $27 million in 2016, $40 million in 2017, and $53 million in the first nine months of 2018 alone."
Business Email Compromise in 2018
https://www.trendmicro.com/vinfo/us/security/news/business-email-compromise
"... As of 2018, global losses to BEC have exceeded US$12 billion. To keep abreast of the landscape that scammers are operating in, we look back on some of the noteworthy incidents and trends that made BEC a headline staple this year."
Business Email Compromise (from the FBI)
https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise
Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.
In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:
• A vendor your company regularly deals with sends an invoice with an updated mailing address.
• A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
• A homebuyer receives a message from his title company with instructions on how to wire his down payment.
Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead.
https://www.ic3.gov/default.aspx
Hardening – Security Red Paper
See: Securing Your PeopleSoft Application Environment – DocID 747524.1
https://support.oracle.com/epmos/faces/DocumentDisplay?id=747524.1
Hardening – Security Red Paper Chapter 3 - SECURING NETWORK INFRASTRUCTURE
Secure Setups
• NAT DMZ Infrastructure
• Publicly Addressed DMZ Infrastructure
• Additional Security DMZ
• Firewall Application Server
Additional Network Protection
• Intrusion Detection Systems
• Intrusion Prevention Systems
• Web Application Firewalls
• Oracle Adaptive Access Manager
Hardening – Security Red Paper Chapter 4 - SECURING PEOPLESOFT INTERNET ARCHITECTURE
• How to Security Harden the Web Server - WebLogic and WebSphere
• How to Enable SSL on a Web Server for HTTPS
• How to Disable HTTP on a Web Server
• How to Disable Configuration Re-Initialization - "AuditPWD"
• How to Disable Browser Caching - see the note on “KIOSK” below
• How to Configure a Forward Proxy Server for the Portal and Integration Gateway
• Setting a Forward Proxy for WebLogic and WebSphere
• How to Bypass a Forward Proxy for Local Hosts
• How to Enable Mutual Authentication for Integration
• How to Enable LDAPS for Directory Integration
• How to Enable TUXEDO Encryption (LLE and SSL)
• Useful hardening Lockdown links
KIOSK
This web profile uses the same settings as the PROD web profile, except that public user access is enabled for the Guest user, and all options for storing caching or persistent cookies on the browser are disabled.
Hardening – Security Red Paper Chapter 5 - PEOPLETOOLS SECURITY HARDENING (#1)
• Delete or Disable Unused User IDs
• Enable Password Controls
• Expire Password At Next Logon
• Allow Password to be Emailed
• Review Sign-in and Time-out Security
• Change the Access Password
• Change the Connect Password
• Change the IB Gateway Properties Password
• Review the Single Signon Configuration
• Use Strong Node Passwords or Use Certificates
• Review Signon PeopleCode and User Exits
Hardening – Security Red Paper Chapter 5 - PEOPLETOOLS SECURITY HARDENING (#2)
NOTE: useful information on customizing PeopleSoft static pages is in the Oracle® Access Manager Integration Guide 10g (10.1.4.2): https://docs.oracle.com/cd/E12530_01/oam.1014/e10356.pdf
• Limit Usage of the PeopleSoft Administrator Role
• Limit Access to Application Designer and Data Mover
• Limit Access to User Profiles, Roles, and Permission Lists
• Limit Ability to Start Application Server
• Limit Access to Weblogic Console
• Review Query Security
• Enable SQL Error Message Suppression
• Track Users’ Login and Logout Activity - PSACCESSLOG and PSPTLOGINAUDIT
• Securing PS_HOME and PS_CFG_HOME
• Consider Auditing and Oracle Audit Vault
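The last step of the phishing flow earlier in the deck, the hacker signing on later with the captured credentials, leaves a trace in exactly the login history this chapter says to track. The following Python is an added example, not Oracle's code and not a delivered PeopleTools feature: it walks constructed rows shaped like PSACCESSLOG (OPRID, LOGIPADDRESS, LOGINDTTM, LOGOUTDTTM) and flags a user's first sign-on from an address not seen for that user recently, and sign-ons that overlap a still-open session from a different address, which is the pattern when the victim is still working at their desk while the attacker signs on from elsewhere. The user IDs, addresses and timestamps are constructed.

```python
"""Flag sign-ons consistent with use of phished credentials (added example).

Rows are constructed to resemble PSACCESSLOG columns
(OPRID, LOGIPADDRESS, LOGINDTTM, LOGOUTDTTM); they are not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sign-on history.  An empty LOGOUTDTTM means the session was
# still open when the rows were extracted.
SAMPLE_ROWS = [
    ("JSMITH", "10.1.20.15",   "2020-10-05 08:02:11", "2020-10-05 17:10:03"),
    ("JSMITH", "10.1.20.15",   "2020-10-06 08:05:40", "2020-10-06 16:58:12"),
    ("JSMITH", "10.1.20.15",   "2020-10-07 08:01:09", ""),
    ("JSMITH", "198.51.100.7", "2020-10-07 09:47:33", ""),  # new address while the desk session is open
    ("AKHAN",  "10.1.22.40",   "2020-10-07 08:30:00", "2020-10-07 12:00:00"),
    ("AKHAN",  "10.1.22.41",   "2020-10-07 13:15:00", ""),  # new address, previous session already closed
]


def parse_rows(rows):
    """Convert the string timestamps to datetimes; None for an open session."""
    return [
        (oprid, ip, datetime.strptime(login, FMT),
         datetime.strptime(logout, FMT) if logout else None)
        for oprid, ip, login, logout in rows
    ]


def flag_suspicious_logins(rows, history_days=30):
    """Return (oprid, ip, login_time, reasons) for sign-ons worth a second look.

    Two signals, evaluated per OPRID in chronological order:
      * first sign-on from an address not seen for that user within
        `history_days` (users with no history at all are not flagged);
      * sign-on from a different address while an earlier session of the
        same user is still open (no LOGOUTDTTM, or a logout after this login).
    """
    findings = []
    seen = defaultdict(dict)            # oprid -> {ip: most recent login}
    sessions = defaultdict(list)        # oprid -> [(ip, login, logout)]
    for oprid, ip, login, logout in sorted(parse_rows(rows), key=lambda r: r[2]):
        reasons = []
        window_start = login - timedelta(days=history_days)
        known = {a for a, t in seen[oprid].items() if t >= window_start}
        if known and ip not in known:
            reasons.append(f"first sign-on from {ip}; recent addresses {sorted(known)}")
        for other_ip, other_login, other_logout in sessions[oprid]:
            still_open = other_logout is None or other_logout > login
            if still_open and other_ip != ip:
                reasons.append(f"overlaps open session from {other_ip} started {other_login:{FMT}}")
        if reasons:
            findings.append((oprid, ip, login, reasons))
        seen[oprid][ip] = login
        sessions[oprid].append((ip, login, logout))
    return findings


if __name__ == "__main__":
    for oprid, ip, when, reasons in flag_suspicious_logins(SAMPLE_ROWS):
        print(f"{oprid} from {ip} at {when:{FMT}}")
        for reason in reasons:
            print("   -", reason)
```

Feed it an export of PSACCESSLOG ordered by LOGINDTTM. One caveat before trusting the address signal: when PIA sits behind a load balancer or reverse proxy, LOGIPADDRESS holds the proxy's address rather than the client's unless the web tier is configured to record the real client address (the “Real” IP Address Support item listed under PeopleTools 8.58), and in that case every user appears to share one address and the new-address check is blind.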
Hardening – Security Red Paper Chapter 6 - SECURING CUSTOMIZED PEOPLESOFT APPLICATIONS
• Configure every Component for Row-Level Security
• Isolate all User-Entered Data to a Bind Variable
• Escape All User-Entered HTML
• Turn Off Modifiable by HTML for Hidden Page Fields
• User-Entered File Names Should Not Include Paths
• Understanding WS-Security
• Protecting PDF files and XDO.CFG
Cookie Rules
Non-Root DPK deploy
The PeopleSoft PeopleTools 8.57 Deployment Packages Installation document introduces a new optional procedure, task 2-2. It outlines the steps required to perform an install as a non-root user for those customer shops where the PeopleSoft administrator is not allowed to have root access. There is still a pre-requisite step that root must perform, but that is the case with other products as well.
PeopleCode Masking API
• The functionality is brand new and can only be accessed by writing new PeopleCode.
• The new Field Object API is called SetDisplayMask().
• SetDisplayMask was delivered in 8.57 GA requiring 2 parameters.
  • The first parameter is a single character, which will be used as the masking character. No matter what length of string is provided in the parameter, only the first character will be used.
  • The second parameter is a numeric which indicates how many right-most characters are to remain unmasked.
• SetDisplayMask is being updated in the 8.57.03 patch.
  • The second parameter will now be optional. When present, the above functionality will be used.
  • When the second parameter is not supplied, the first parameter will be processed as a mask pattern. The mask pattern will only be applied if the length of the mask pattern matches the length of the displayed value. The @ symbol means do not mask this position in the data.
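To make the two calling forms concrete, here is a small Python model of the behaviour the bullets describe. It is an added example, not PeopleCode and not Oracle's implementation, and it exists only so the edge cases can be read off directly: the two-parameter form uses just the first character of the mask, and the one-parameter form leaves the value untouched when the pattern length does not match. What happens when the keep count exceeds the value length is not stated above; clamping it is an assumption made here.

```python
"""Model of the SetDisplayMask() semantics described above (added example,
not Oracle's implementation).  Function names are illustrative only."""


def set_display_mask(value, mask, keep_right=None):
    """Return `value` masked for display.

    keep_right given  -> 8.57 GA form: mask[0] is the masking character and
                         the `keep_right` right-most characters stay visible.
    keep_right absent -> 8.57.03 form: `mask` is a pattern applied position by
                         position; '@' keeps the original character.  Applied
                         only when the pattern length equals the value length.
    """
    if not mask:
        raise ValueError("mask must be a non-empty string")
    if keep_right is not None:
        mask_char = mask[0]                     # only the first character is used
        # Assumption: a keep count beyond the value length shows the whole value.
        keep = max(0, min(int(keep_right), len(value)))
        cut = len(value) - keep
        return mask_char * cut + value[cut:]
    if len(mask) != len(value):
        return value                            # pattern length mismatch: not applied
    return "".join(v if m == "@" else m for v, m in zip(value, mask))


if __name__ == "__main__":
    print(set_display_mask("123456789", "X", 4))            # XXXXX6789
    print(set_display_mask("123-45-6789", "***-**-@@@@"))    # ***-**-6789
    print(set_display_mask("123456789", "***-**-@@@@"))      # 123456789 (unchanged)
```

The pattern form is the one to prefer for formatted identifiers, since it keeps separators in place; the count form is simpler for free-length strings such as account numbers.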
PeopleTools Security : Cryptography
• Upgrade the encryption strength to AES 128-bit
• Stronger encryption functions using stronger encryption algorithms
• Regular updates for OpenSSL
• Reviewing implementation of TLS 1.3
PeopleTools 8.58 Enhancements
• Updates to Data Masking, including PS Query
• OAuth Support
• “Real” IP Address Support
• PS Query Masking
• Infrastructure DPK: with PeopleTools 8.58 we deliver the Infrastructure DPK, intended to reduce the lag between PeopleTools Critical Patch Updates (CPUs) and the CPUs for the underlying stack components.
Considerations for a Security Strategy
IT Security Is Not Just For The IT Department
The consequences of the loss of security don’t have to be discussed at a technical level in the board room, but should be a topic:
• The effect on Brand
• Loss of consumer (even user) confidence in your ability to protect data
• Diminished value (share price) of the organization
Considerations for a Security Strategy
Real Consequences for Loss of Security
Data loss has a real effect on the bottom line, through loss of business and reparation expense.
Considerations for a Security Strategy
Not All Hackers Are Blackhats
• Criminal, or Nation States, Organizations
• “Hacktivists” and Whistle Blowers
• Deliberate and Inadvertent insider abuse
Considerations for a Security Strategy
Each new technology opens new Attack Vectors
Regardless of company size, it’s likely you’ve been attacked, even if you don’t realize it. As well as viruses, malware and other malicious software, consider the risks introduced by the use of smartphones/tablets and cloud computing.
Considerations for a Security Strategy
Compliance Does Not Equal Security
Compliance certification is a point in time. Typically a certification is engaged for the project, possibly on an annual basis.
Security is an ongoing effort.
Considerations for a Security Strategy
Balancing the Need for Security With the Need for Productivity
Smart phones and tablets have forever changed the way we work. How can you be sure these efficiency-boosting tools aren’t introducing security risks and/or leaving with data they shouldn’t?
HTTPS vs VPN vs IPSec (App Tunnel)
Diagram elements: HTTPS, VPN, System, WebServer, BackEnd Resources, DMZ/Firewall, App Tunnel. The App Tunnel connects a containerized app to the back end.
Considerations for a Security Strategy
Security is NOT Just a Technology Problem
Often the biggest risk to an organization is the behavior of the people inside. How do you encourage and build an environment that leverages strong company-wide employee education on top of effective technology leadership within IT?
See something, Say something!
Considerations for Cloud Security
Operational Differences in Cloud Models
Stack layers (bottom to top): Networking, Storage, Servers, Virtualization, OS, Database/Middleware, Runtime, Data, Applications.
• Traditional IT: every layer is managed by you.
• IaaS: Networking, Storage, Servers and Virtualization are delivered as a service; OS, Database/Middleware, Runtime, Data and Applications are managed by you.
• PaaS: every layer up to and including the Runtime is delivered as a service; Data and Applications are managed by you.
• SaaS: every layer is delivered as a service.
Overlapping trust boundaries
Customer-specific deployments
Many bespoke integration points
Often requires additional Technical Controls, Detective Controls, Administrative Controls and Contractual Controls
Other Cloud Models
Same stack layers (Networking, Storage, Servers, Virtualization, OS, Database/Middleware, Runtime, Data, Applications).
• Managed Hosting: the lower layers are delivered as a service and the upper layers are managed by you (the dividing line is not recoverable from the slide text).
Prevent PeopleSoft Becoming Collateral Damage
• Invest in Collaboration
• Enterprise Security Virtual Teams
• Enterprise Wide, Tested and Updated, Security Processes
• System Health Dashboard
• Weighted, Organization Specific, CPU (Critical Patch Update) Advisory Analysis
• Phishing Awareness and Protection
• Check out: “Notification Fatigue”
• Review PCI DSS v3 (Why?)
• Oracle Database Security Assessment Tool (DBSAT): https://support.oracle.com/epmos/faces/DocumentDisplay?id=2138254.1
CIO Update - Top 10 Cloud Computing Caveats
https://cioupdate.com/top-10-cloud-computing-caveats/
1. Define your terms
2. Watch out for cloud washing - “everything old is new again”
3. Examine basic needs
4. Should I choose cumulus or nimbus?
i.e. public, private or hybrid cloud.
5. Nail down projected costs
6. Policy is as important as technology
7. Cloud piracy abounds
8. Know before you go
9. Start small
10. Find the right tools
@cgregkelly | greg.kelly@oracle.com