
Page 1: When a crisis arises The time for preparation has passed

10/18/2020

1

Beyond Hardening - New Threats

Greg Kelly, PeopleTools Product Management, PeopleTools Security

October 2020

When a crisis arises - The time for preparation has passed


Agenda


Threat Architecture

Hardening

Security Considerations for a Security Strategy

Security Considerations for Cloud

Prevent PeopleSoft Becoming Collateral Damage

Safe Harbor

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle's products may change and remains at the sole discretion of Oracle Corporation.

Statements in this presentation relating to Oracle's future plans, expectations, beliefs, intentions and prospects are "forward-looking statements" and are subject to material risks and uncertainties. A detailed discussion of these factors and other risks that affect our business is contained in Oracle's Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and Form 10-Q under the heading "Risk Factors." These filings are available on the SEC's website or on Oracle's website at http://www.oracle.com/investor. All information in this presentation is current as of September 2019 and Oracle undertakes no duty to update any statement in light of new information or future events.


“Security” Implementations


PeopleSoft Architecture and Threat Vectors

(Diagram of the PeopleSoft stack and the paths into it. Components shown: Mobile, PIA, eMail Server / eMail, WebLogic/Proxies, Tuxedo, AppServer, Database (together the PeopleSoft Stack), IoT, Network, IDE/LCM, and Other Servers In Same Domain.)


Elements of Threat Architecture and Enterprise Protection

PIA
  Concerns: A/V current? Inappropriate access; untrusted networks
  Mitigation: SW asset audit; WA/ERP firewall; URL request filter; Site Advisor

Database
  Concerns: Internal abuse
  Mitigation: DB Firewall; TDE (Transparent Data Encryption); Audit Vault; DB Vault

Network
  Concerns: Internal abuse; rogue web servers; sniffing
  Mitigation: Virtual IPs; routing; IPS; IDS; S/W asset audit; firewalls; traffic encryption; OS login audit

Email
  Concerns: Phishing; security/brand
  Mitigation: DMARC/SPF/DKIM; DNS security; Site Advisor

Mobile
  Concerns: Detect jail-broken devices? Detect rogue apps? Detect leaky OS? Detect untrusted networks?
  Mitigation: Fingerprinting; Mobile App Management

PeopleSoft Stack
  Concerns: Internal abuse
  Mitigation: GRC; TDE; log analysis; SIEM; application monitoring; OIM (Oracle Identity Manager)

IDE/LCM
  Concerns: Sniffing
  Mitigation: Encryption; SW asset audit

IoT
  Concerns: Unknown
  Mitigation: Bastion?
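The DMARC/SPF/DKIM entry in the Email row is the one mitigation in the table whose decision logic is small enough to show in full. Below is an added example, written for this page and not taken from the presentation or from Oracle, of how a receiving mail server turns a DMARC record plus the SPF and DKIM results into a disposition. The record, the domains and the authentication results are constructed; a real evaluator fetches the record from DNS and takes the results from the MTA.

```python
"""DMARC disposition check (added example; not Oracle code and not from the deck).

The DMARC record is what a receiver would fetch from the TXT record at
_dmarc.<From-domain>; the SPF/DKIM results are what the receiving MTA computed.
Both are constructed here so the example runs offline.
"""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, i.e. the one the user sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature ("" if unsigned)


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into tags, with RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Production code must use the Public Suffix List (co.uk and friends)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, r: AuthResults) -> str:
    """Return 'pass' if either SPF or DKIM passes *and* aligns with the From
    domain; otherwise the record's p= disposition (none/quarantine/reject).
    pct= is parsed but treated as 100 for simplicity."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed scenario: a phishing message spoofing From: corp.example.com.
# The attacker controls hr-corp-example.com, so SPF *passes* for that domain,
# but it does not align with the From domain and DMARC rejects the message.
PHISH = AuthResults("corp.example.com", "pass", "hr-corp-example.com", "none", "")
# A legitimate message relayed by a bulk mailer: SPF fails (third-party envelope
# sender) but the DKIM signature is the company's own, so it aligns and passes.
LEGIT = AuthResults("corp.example.com", "fail", "bulk-mailer.example.net", "pass", "corp.example.com")
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"

if __name__ == "__main__":
    print("phish:", evaluate(RECORD, PHISH))   # reject
    print("legit:", evaluate(RECORD, LEGIT))   # pass
```

The point the PHISH case makes is the one phishing crews rely on: SPF and DKIM on their own only prove that some domain authorised the message, and an attacker's own domain will happily pass both. DMARC's alignment check is what ties the result back to the From: address the user actually reads, and the p= tag is what turns the mismatch into a reject rather than a report.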

Typical Traffic Flow in a Phishing Attack

(Diagram: User, Corporate Site, Hacker's Web Site and Hacker, with the flow numbered 1, 2, 3.1, 3.2, 4, 5 and the defense point marked D.)

Where is the user?

In this case:
• Hacker sends email to target, simulating valid email format, e.g. logos etc.
• User clicks on link to Hacker's site with login form.
• User enters corporate credentials.
• Hacker site captures credentials and redirects user to Corporate Site, possibly with credentials as POST.
• User may be requested to login again; most users treat this as not unusual.
• User accesses Corporate Site and continues as normal.
• Some time later, Hacker logs in with captured credentials.
• Hacker may have to refine simulated page.
• Malware Scenario! ***

Defenses:
• DMARC – eMail server defenses, including secure DNS
• Fingerprint analysis of requests
• Analysis of outgoing web site requests, e.g. whitelist, SiteAdvisor, routing rules
• Revalidation of "user" for sensitive transactions
• Delayed access for confirmation notification
• Time-based One-Time Password (TOTP)
• Multifactor Authentication
• East-West, or North-South Migration mitigation
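Step 3.2 above, the hacker's site handing the user (and possibly the credentials, as a POST) to the corporate site, is what the defenses list calls fingerprint analysis of requests: on the corporate web server it shows up as a sign-on request that none of our own pages originated. The following added example (not from the presentation or from Oracle) runs that analysis over constructed PIA web-server access log lines. It assumes the Referer field is being logged, that /psp/ps/?cmd=login is the sign-on URL, and the hypothetical host names in OWN_HOSTS.

```python
"""Spotting step 3.2 of the phishing flow in PIA web-server logs (added example;
not from the deck or from Oracle).

When the hacker's site hands the victim back to the real sign-on page, the
corporate web server sees a login request whose Referer is not one of our own
hosts, and sometimes a credential POST that no page of ours generated. The log
lines below are constructed in Apache/WebLogic 'combined' format with the
Referer logged. /psp/ps/?cmd=login is the stock PIA sign-on URL; the host
names and addresses are hypothetical.
"""
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

OWN_HOSTS = {"hr.corp.example.com", "sso.corp.example.com"}   # assumption
BRAND = "corp"                                                # token lookalikes imitate

SAMPLE_LOG = [  # constructed
    '10.1.2.3 - - [18/Oct/2020:09:01:10 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120 '
    '"https://hr.corp.example.com/psp/ps/?cmd=logout" "Mozilla/5.0"',
    '10.1.2.3 - - [18/Oct/2020:09:01:15 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 302 0 '
    '"https://hr.corp.example.com/psp/ps/?cmd=login" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2020:09:05:41 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 302 0 '
    '"https://hr-corp-example.com/login.php" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Oct/2020:09:06:02 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120 '
    '"https://hr.c0rp.example.com/" "Mozilla/5.0"',
]


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str) -> str:
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()


def looks_like_us(host: str) -> bool:
    """Cheap lookalike test: carries our brand token, or is a near-miss of one of
    our hosts (one character swapped, a dot turned into a dash, ...)."""
    if not host or host in OWN_HOSTS:
        return False
    if BRAND in host:
        return True
    return any(SequenceMatcher(None, host, own).ratio() > 0.8 for own in OWN_HOSTS)


def suspicious_logins(lines) -> List[Tuple[str, str, str]]:
    """(client ip, referer host, reason) for sign-on requests our own pages did not originate."""
    findings = []
    for line in lines:
        e = parse(line)
        if not e or "cmd=login" not in e["path"]:
            continue
        host = referer_host(e["referer"])
        if host in OWN_HOSTS:
            continue                           # normal: came from our own sign-on page
        if e["method"] == "POST":
            reason = "credential POST not originated by our sign-on page"
        elif looks_like_us(host):
            reason = "arrived from lookalike domain"
        else:
            continue                           # bookmark / deep link: not evidence by itself
        findings.append((e["ip"], host, reason))
    return findings


if __name__ == "__main__":
    for finding in suspicious_logins(SAMPLE_LOG):
        print(*finding)
```

Treat the output as triage, not proof: a Referrer-Policy that strips the header, or a user arriving from a bookmark, lands in the same bucket as the redirect from the phishing site. What makes the signal useful is correlating it with the sign-on audit on the application side, which the hardening section covers under PSACCESSLOG.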


Phishing Payload Deconstructed

https://www.youtube.com/watch?v=o1Ftl_8aAng

REPORT THE USE OF UNLICENSED SOFTWARE. HTTPS://REPORTING.BSA.ORG

[I] WANT TO REPORT: An organization or business that is using or installing more software than it has licenses for. Examples of this type of piracy include:
• Using one license on many computers
• Using hacked/cracked software in the organization being reported
• Using unlicensed software (from any other source)

Software piracy claims can ruin your business and reward those responsible
https://techcrunch.com/2016/05/10/software-piracy-claims-can-ruin-your-business-and-reward-those-responsible/

"... And to add insult to injury, this practice very often rewards with financial gains the very perpetrators of bad behavior"

BSA | The Software Alliance (BSA) is the leading advocate for the global software industry. Its members are among the world's most innovative companies, creating software solutions that spark the economy and improve modern life.


- Sextortion Email
- Business Email Compromise (BEC)
- "False SPAM"

In this ad, the "Skip Ad" box is click bait and opens a separate window with the ad. While annoying, this example is relatively benign, but it could just as easily be a malware download site.

• Backup, Test, Backup, Test, ...

Business Email Compromise

EMAIL SCAMMERS DITCH WIRE TRANSFERS FOR ITUNES GIFT CARDS
https://www.wired.com/story/email-scammers-gift-cards-nonprofits/

"... The Federal Trade Commission reported in October that 26 percent of people who report being scammed in 2018 said they bought or reloaded a gift card to deliver the money, up from 7 percent in 2015. The FTC says gift card-related losses reported to the agency totaled $20 million in 2015, $27 million in 2016, $40 million in 2017, and $53 million in the first nine months of 2018 alone."

Business Email Compromise in 2018
https://www.trendmicro.com/vinfo/us/security/news/business-email-compromise

"... As of 2018, global losses to BEC have exceeded US$12 billion. To keep abreast of the landscape that scammers are operating in, we look back on some of the noteworthy incidents and trends that made BEC a headline staple this year."


Business Email Compromise (from the FBI)

https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise

Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.

In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:

• A vendor your company regularly deals with sends an invoice with an updated mailing address.

• A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.

• A homebuyer receives a message from his title company with instructions on how to wire his down payment.

Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead.

https://www.ic3.gov/default.aspx


Hardening – Security Red Paper

See: Securing Your PeopleSoft Application Environment – Doc ID 747524.1
https://support.oracle.com/epmos/faces/DocumentDisplay?id=747524.1

Hardening – Security Red Paper Chapter 3 - SECURING NETWORK INFRASTRUCTURE

Secure Setups
• NAT DMZ Infrastructure
• Publicly Addressed DMZ Infrastructure
• Additional Security DMZ
• Firewall Application Server

Additional Network Protection
• Intrusion Detection Systems
• Intrusion Prevention Systems
• Web Application Firewalls
• Oracle Adaptive Access Manager


Hardening – Security Red Paper Chapter 4 - SECURING PEOPLESOFT INTERNET ARCHITECTURE

• How to Security Harden the Web Server - WebLogic and WebSphere
• How to Enable SSL on a Web Server for HTTPS
• How to Disable HTTP on a Web Server
• How to Disable Configuration Re-Initialization - "AuditPWD"
• How to Disable Browser Caching - Note: see the KIOSK web profile below
• How to Configure a Forward Proxy Server for the Portal and Integration Gateway
• Setting a Forward Proxy for WebLogic and WebSphere
• How to Bypass a Forward Proxy for Local Hosts
• How to Enable Mutual Authentication for Integration
• How to Enable LDAPS for Directory Integration
• How to Enable TUXEDO Encryption (LLE and SSL)
• Useful hardening Lockdown links

KIOSK

This web profile uses the same settings as the PROD web profile, except that public user access is enabled for the Guest user, and all options for storing caching or persistent cookies on the browser are disabled.

Hardening – Security Red Paper Chapter 5 - PEOPLETOOLS SECURITY HARDENING (#1)

• Delete or Disable Unused User IDs
• Enable Password Controls
• Expire Password At Next Logon
• Allow Password to be Emailed
• Review Sign-in and Time-out Security
• Change the Access Password
• Change the Connect Password
• Change the IB Gateway Properties Password
• Review the Single Signon Configuration
• Use Strong Node Passwords or Use Certificates
• Review Signon PeopleCode and User Exits


Hardening – Security Red Paper Chapter 5 - PEOPLETOOLS SECURITY HARDENING (#2)

NOTE (useful information on customizing PeopleSoft static pages): Oracle® Access Manager Integration Guide 10g (10.1.4.2)
https://docs.oracle.com/cd/E12530_01/oam.1014/e10356.pdf

• Limit Usage of the PeopleSoft Administrator Role
• Limit Access to Application Designer and Data Mover
• Limit Access to User Profiles, Roles, and Permission Lists
• Limit Ability to Start Application Server
• Limit Access to Weblogic Console
• Review Query Security
• Enable SQL Error Message Suppression
• Track Users' Login and Logout Activity - PSACCESSLOG and PSPTLOGINAUDIT
• Securing PS_HOME and PS_CFG_HOME
• Consider Auditing and Oracle Audit Vault
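"Track Users' Login and Logout Activity" is where the last step of the phishing flow, the hacker signing on later with captured credentials, becomes visible. The added example below (not Oracle code) shows two queries a reviewer can run over PSACCESSLOG, using an in-memory SQLite copy of the table filled with constructed rows. The column names OPRID, LOGIPADDRESS, LOGINDTTM and LOGOUTDTTM are an assumption to verify against your PeopleTools release; PSPTLOGINAUDIT is not covered here.

```python
"""Reviewing PSACCESSLOG for reuse of phished credentials (added example; not
Oracle code). PSACCESSLOG gets one row per PIA sign-on. The columns used here,
OPRID, LOGIPADDRESS, LOGINDTTM and LOGOUTDTTM, are treated as an assumption:
check them against your PeopleTools release before running this on a real
database. The rows are constructed to reproduce the last step of the phishing
flow: the user works from the office address all day and, in the middle of
that session, the same OPRID signs on from an address never seen for that user.
"""
import sqlite3
from typing import List, Tuple

SAMPLE_ROWS = [  # constructed; LOGOUTDTTM is NULL while a session is still open
    ("JSMITH", "10.1.2.3",    "2020-10-05 08:50:00", "2020-10-05 17:02:00"),
    ("JSMITH", "10.1.2.3",    "2020-10-12 09:02:00", "2020-10-12 16:48:00"),
    ("AJONES", "10.1.2.9",    "2020-10-12 09:01:00", "2020-10-12 17:00:00"),
    ("JSMITH", "10.1.2.3",    "2020-10-18 08:55:00", "2020-10-18 17:30:00"),
    ("JSMITH", "203.0.113.7", "2020-10-18 15:42:00", "2020-10-18 15:49:00"),
    ("AJONES", "10.1.2.9",    "2020-10-18 09:01:00", None),
]

# Same OPRID signed on from a second address while an earlier session was open.
# COALESCE treats a NULL logout (session still open) as open-ended.
OVERLAP_SQL = """
SELECT a.OPRID, a.LOGIPADDRESS AS KNOWN_IP, b.LOGIPADDRESS AS OTHER_IP, b.LOGINDTTM
FROM PSACCESSLOG a
JOIN PSACCESSLOG b
  ON b.OPRID = a.OPRID
 AND b.LOGIPADDRESS <> a.LOGIPADDRESS
 AND b.LOGINDTTM > a.LOGINDTTM
 AND b.LOGINDTTM < COALESCE(a.LOGOUTDTTM, '9999-12-31 00:00:00')
ORDER BY b.LOGINDTTM
"""

# Address first seen on or after :since, for users who already had history before it.
NEW_ADDRESS_SQL = """
SELECT OPRID, LOGIPADDRESS, MIN(LOGINDTTM) AS FIRST_SEEN
FROM PSACCESSLOG
WHERE OPRID IN (SELECT OPRID FROM PSACCESSLOG WHERE LOGINDTTM < :since)
GROUP BY OPRID, LOGIPADDRESS
HAVING MIN(LOGINDTTM) >= :since
ORDER BY FIRST_SEEN
"""


def load(rows=SAMPLE_ROWS) -> sqlite3.Connection:
    """In-memory stand-in for the PeopleSoft database (timestamps as ISO text,
    which sort correctly as strings)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PSACCESSLOG (OPRID TEXT, LOGIPADDRESS TEXT, "
                 "LOGINDTTM TEXT, LOGOUTDTTM TEXT)")
    conn.executemany("INSERT INTO PSACCESSLOG VALUES (?, ?, ?, ?)", rows)
    return conn


def overlapping_sessions(conn) -> List[Tuple[str, str, str, str]]:
    return conn.execute(OVERLAP_SQL).fetchall()


def new_addresses(conn, since: str = "2020-10-18 00:00:00") -> List[Tuple[str, str, str]]:
    return conn.execute(NEW_ADDRESS_SQL, {"since": since}).fetchall()


if __name__ == "__main__":
    db = load()
    print("overlapping sessions:", overlapping_sessions(db))
    print("new addresses:", new_addresses(db))
```

Both queries are cheap enough to schedule daily. The overlap query is the sharper of the two, because a phished credential is typically used while the real user is still working; the new-address query catches the attacker who waits, at the cost of also listing every user who genuinely started working from a new location. On a production database the literal timestamp format and the NULL handling belong to your platform's datetime type rather than to text comparison.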

Hardening – Security Red Paper Chapter 6 - SECURING CUSTOMIZED PEOPLESOFT APPLICATIONS

• Configure every Component for Row-Level Security
• Isolate all User-Entered Data to a Bind Variable
• Escape All User-Entered HTML
• Turn Off Modifiable by HTML for Hidden Page Fields
• User-Entered File Names Should Not Include Paths
• Understanding WS-Security
• Protecting PDF files and XDO.CFG
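Three of the chapter 6 rules, bind variables, HTML escaping and path-free file names, are shown below as unsafe-beside-safe code. This is an added example in Python against SQLite, not Oracle code and not PeopleCode; the table PS_EMPLOYEE_X, its columns and the base directory are hypothetical, and the probe values are constructed.

```python
"""The three input-handling rules from Red Paper chapter 6, each shown unsafe
beside safe (added example in Python against SQLite; not Oracle code and not
PeopleCode). The table PS_EMPLOYEE_X and its columns are hypothetical."""
import html
import os
import sqlite3
from pathlib import PurePosixPath, PureWindowsPath
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PS_EMPLOYEE_X (EMPLID TEXT, NAME TEXT, SALARY INTEGER)")
    conn.executemany("INSERT INTO PS_EMPLOYEE_X VALUES (?, ?, ?)",
                     [("1001", "Smith,Jane", 70000), ("1002", "Jones,Amir", 82000)])
    return conn


# Rule: isolate all user-entered data to a bind variable
def lookup_concat(conn, emplid: str) -> List[Tuple[str, str]]:
    """UNSAFE: the user's text is spliced into the statement and parsed as SQL."""
    sql = "SELECT EMPLID, NAME FROM PS_EMPLOYEE_X WHERE EMPLID = '" + emplid + "'"
    return conn.execute(sql).fetchall()


def lookup_bind(conn, emplid: str) -> List[Tuple[str, str]]:
    """SAFE: the value travels as a bind parameter; it can only ever be a value."""
    return conn.execute("SELECT EMPLID, NAME FROM PS_EMPLOYEE_X WHERE EMPLID = ?",
                        (emplid,)).fetchall()


# Rule: escape all user-entered HTML before it reaches the page
def render_name(name: str) -> str:
    """quote=True also escapes ' and " so the value is safe inside attributes."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


# Rule: user-entered file names should not include paths
class BadFileName(ValueError):
    pass


def safe_attachment_name(user_supplied: str) -> str:
    """Accept only a bare file name; reject separators, drive letters and dot names
    under both POSIX and Windows conventions, since the server OS may be either."""
    name = user_supplied.strip()
    if not name or name in (".", "..") or "\x00" in name:
        raise BadFileName("empty, dot or NUL-containing name")
    if PurePosixPath(name).name != name or PureWindowsPath(name).name != name:
        raise BadFileName("path components are not allowed")
    return name


def accepts(user_supplied: str) -> bool:
    try:
        safe_attachment_name(user_supplied)
        return True
    except BadFileName:
        return False


def attachment_path(base_dir: str, user_supplied: str) -> str:
    """Join the validated name to base_dir and re-check that the resolved path
    is still inside base_dir (defence in depth against symlinks and oddities)."""
    root = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(root, safe_attachment_name(user_supplied)))
    if os.path.commonpath([root, full]) != root:
        raise BadFileName("resolved outside base directory")
    return full


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("concat:", lookup_concat(db, probe))   # every row leaks
    print("bind:  ", lookup_bind(db, probe))     # []
    print(render_name('<img src=x onerror="alert(1)">'))
    for n in ("payslip.pdf", "../../etc/passwd", "..\\win.ini", "C:payslip.pdf"):
        print(n, accepts(n))
```

The file-name check deliberately tests the name under both path conventions: a PeopleSoft web tier on Linux still receives uploads from Windows browsers, and a name such as `..\win.ini` is a harmless file name to the POSIX rules alone. The final realpath check is the belt to that set of braces; it costs one system call and catches anything the name-level rules did not anticipate.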


Cookie Rules

Non-Root DPK deploy

The PeopleSoft PeopleTools 8.57 Deployment Packages Installation document introduces a new optional procedure, task 2-2. It outlines the steps required to perform an install as a non-root user for those customer shops where the PeopleSoft administrator is not allowed to have root access. There is still a pre-requisite step that root must perform, but that is the case with other products as well.


PeopleCode Masking API

• The functionality is brand new and can only be accessed by writing new PeopleCode.
• The new Field Object API is called SetDisplayMask().
• SetDisplayMask was delivered in 8.57 GA requiring 2 parameters.
  • The first parameter is a single character, which will be used as the masking character. No matter what length of string is provided in the parameter, only the first character will be used.
  • The second parameter is a numeric which indicates how many right-most characters are to remain unmasked.
• SetDisplayMask is being updated in the 8.57.03 patch.
  • The second parameter will now be optional. When present, the above functionality will be used.
  • When the second parameter is not supplied, the first parameter will be processed as a Mask Pattern. The Mask Pattern will only be applied if the length of the Mask Pattern matches the length of the displayed value. The @ symbol means do not mask this position in the data.
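The rules above are precise enough to model, and the model makes the two edge cases visible: only the first character of a long mask string counts, and a pattern of the wrong length masks nothing at all. The following is an added Python model of those rules, not PeopleCode and not Oracle's implementation; the sample values are constructed, and one assumption goes beyond the slide, namely that in the pattern form a non-@ pattern character is what is displayed at that position.

```python
"""Python model of the SetDisplayMask() rules described above (added example;
this is not PeopleCode and not Oracle's implementation). It exists so the two
calling conventions can be exercised on sample values. One assumption beyond
the slide: in the pattern form, a non-'@' pattern character is what is shown
at that position."""
from typing import Optional


def set_display_mask(value: str, mask: str, unmasked_right: Optional[int] = None) -> str:
    """Return the display form of `value`.

    Two-argument form (8.57 GA): the first character of `mask` replaces every
    character of `value` except the right-most `unmasked_right` of them. A
    mask string longer than one character is truncated to its first character.

    One-argument form (8.57.03): `mask` is a pattern. It applies only when its
    length equals the length of the displayed value; '@' keeps the character at
    that position, any other pattern character replaces it. A pattern of the
    wrong length leaves the value unmasked, as the slide states.
    """
    if unmasked_right is not None:
        if not mask:
            raise ValueError("masking character required")
        if unmasked_right < 0:
            raise ValueError("unmasked count must be >= 0")
        # Slicing from the right also handles a count larger than the value:
        # value[-99:] is the whole value, so nothing is masked.
        keep = value[-unmasked_right:] if unmasked_right > 0 else ""
        return mask[0] * (len(value) - len(keep)) + keep

    if len(mask) != len(value):
        return value                      # length mismatch: pattern not applied
    return "".join(v if m == "@" else m for v, m in zip(value, mask))


if __name__ == "__main__":
    print(set_display_mask("123456789", "X", 4))              # XXXXX6789
    print(set_display_mask("123-45-6789", "XXX-XX-@@@@"))     # XXX-XX-6789
    print(set_display_mask("123456789", "XXX-XX-@@@@"))       # 123456789 (length mismatch)
```

The length-mismatch case is the one to watch in a customization: a pattern written for a formatted value (with separators) silently shows the whole number when the field holds the unformatted form, so the unit test for a masked field should cover both shapes of the underlying data.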

PeopleTools Security : Cryptography

• Upgrade the encryption strength to AES 128-bit
• Stronger encryption function using stronger encryption algorithms
• Regular updates for OpenSSL
• Reviewing implementing TLS 1.3


PeopleTools 8.58 Enhancements

• Updates to Data Masking, including PSQuery
• OAuth Support
• "Real" IP Address Support
• PS-QUERY Masking
• Infrastructure DPK
  • With PeopleTools 8.58 we deliver the Infrastructure DPK
  • This attempts to resolve the latency between the PeopleTools Critical Patch Updates (CPUs) and the CPUs of the underlying stack components


Considerations for a Security Strategy

IT Security Is Not Just For The IT Department

The consequences of the loss of security don't have to be discussed at a technical level in the board room, but should be a topic.

• The effect on Brand
• Loss of consumer (even user) confidence in your ability to protect data
• Diminished value (share price) of the organization

Real Consequences for Loss of Security

Data loss has a real effect on the bottom line, through loss of business and reparation expense.


Considerations for a Security Strategy

All Hackers are not Blackhats

• Criminal, or Nation State, Organizations
• "Hacktivists" and Whistle Blowers
• Deliberate and Inadvertent insider abuse

Each new technology opens new Attack Vectors

Regardless of company size, it's likely you've been attacked, even if you don't realize it. As well as viruses, malware and malicious software, consider the risks imposed by use of smartphones/tablets and cloud computing.


Considerations for a Security Strategy

Compliance Does Not Equal Security

Compliance certification is point in time. Typically a certification is engaged for the project, possibly on an annual basis. Security is an ongoing effort.

Balancing the Need for Security With the Need for Productivity

Smart phones and tablets have forever changed the way we work. How can you be sure these efficiency-boosting tools aren't introducing security risks and/or leaving with data they shouldn't?


HTTPS vs VPN vs IPSec (App Tunnel)

(Diagram comparing three paths from a client system through the DMZ/firewall to the web server and back-end resources: HTTPS terminating at the web server; a VPN into the network; and an App Tunnel, which connects a containerized app to the back end.)

Considerations for a Security Strategy

Security is NOT Just a Technology Problem

Often the biggest risk to an organization is the behavior of the people inside. How do you encourage and build an environment that leverages strong company-wide employee education on top of effective technology leadership within IT?

See something, Say something!


Considerations for Cloud Security


Operational Differences in Cloud Models

Stack layers (bottom to top): Networking, Storage, Servers, Virtualization, OS, Database/Middleware, Runtime, Data, Applications.

Traditional IT: you manage every layer.

IaaS: Networking, Storage, Servers and Virtualization are delivered as a service; you manage the OS, Database/Middleware, Runtime, Data and Applications.

PaaS: Networking through Runtime are delivered as a service; you manage Data and Applications.

SaaS: every layer is delivered as a service.

Overlapping trust boundaries
Customer-specific deployments
Many bespoke integration points
Often requires additional:
• Technical Controls
• Detective Controls
• Administrative Controls
• Contractual Controls

Other Cloud Models

Managed Hosting: the lower layers of the same stack are delivered as a service and the upper, application-side layers remain yours to manage.


Prevent PeopleSoft Becoming Collateral Damage

• Invest in Collaboration
• Enterprise Security Virtual Teams
• Enterprise Wide, Tested and Updated, Security Processes
• System Health Dashboard
• Weighted, Organization Specific, Critical Patch Update (CPU) Advisory Analysis
• Phishing Awareness and Protection
• Check out: "Notification Fatigue"
• Review PCI DSS v3 (Why?)
• Oracle Database Security Assessment Tool (DBSAT): https://support.oracle.com/epmos/faces/DocumentDisplay?id=2138254.1


CIO Update - Top 10 Cloud Computing Caveats
https://cioupdate.com/top-10-cloud-computing-caveats/

1. Define your terms
2. Watch out for cloud washing - "everything old is new again"
3. Examine basic needs
4. Should I choose cumulus or nimbus? i.e. public, private or hybrid cloud.
5. Nail down projected costs
6. Policy is as important as technology
7. Cloud piracy abounds
8. Know before you go
9. Start small
10. Find the right tools