Have your PeopleSoft systems been hacked?

Dec 10, 2013

QuestDirect.org

GreyHeller LLC


Have your PeopleSoft systems been hacked?

©GreyHeller, LLC All Rights Reserved


Agenda


Introductions


What you read in the Press


Identity and Password Management


Data Security


Process Security


Incident Response


Logging and Analysis

GreyHeller LLC, Proprietary & Confidential


Company Highlights



Founded by the people who ran PeopleTools


PeopleTools strategists and developers since 1994


Deep PeopleSoft software development skills and DNA


Nearly 100 customers (US; Canada; UK; EU; Australia; Asia; Africa; South America)


Beta test partner: PeopleTools 8.53 & Applications 9.2


2011 & 2012 Oracle Customer Advisory Board


PeopleSoft ecosystem


Blog; Webinars; Conference training


Software Solutions


Mobile for PeopleSoft


Any PeopleSoft page or customization, automatically


Single code version: iOS; Android; Blackberry; Windows 7


Highly secure


Single Signon


ERP Firewall


Version Control


Excel Add-in


Customers


Unilever

US Dept. of State

Pfizer

University of North Carolina at
Chapel Hill

University of Arkansas

Cambridge University

Philip Morris

Chesapeake Energy

Lazard, Ltd.

Texas Christian Univ

QVC

Arizona State University

US Dept. of Energy

HealthSouth

Robert Half International

MMI Holdings

Stony Brook University

Methanex

Univ. of Oklahoma Health Sciences Center

University of Central Florida

BCD Travel

Jones Lang LaSalle

University of Montreal

Ryerson University

Berlin Packaging

Frostburg State Univ

University of Kansas

University at Buffalo

AgFirst Bank

Incyte

Amedisys

Quintiles

DLA Piper

GEICO

Logistics Health

Barnabas Health


What you read in the press


SQL Injection


Cross Site Scripting


Content Spoofing and Injection


Authentication and Authorization


Directory Indexing


Information Leakage


PeopleTools as a platform


Security enforced consistently


Central team within PeopleTools who specializes in
security.


Vulnerabilities addressed without requiring redevelopment of business
logic. Changes are made in the platform, and the vulnerability is
addressed platform-wide immediately.


SQL Injection


Repercussions


Gather sensitive data


Make unauthorized updates to application data


Escalate privileges and/or bypass system controls


Cause service interruption


Mitigated in PeopleTools by


PeopleTools does not concatenate form fields to create the SQL it issues; field values
travel to the database as bind variables, separate from the SQL text.


The types of the form fields are known to PeopleTools, so each entry is validated for
size and type before it reaches the database.


Watch out for SQLExec calls in custom PeopleCode that build SQL text by concatenating
input. Mitigate through change management review of every such call.


Cross site scripting


What is described here is cross-site request forgery (CSRF), which is
often grouped with cross-site scripting: a form on an attacker's site
mimics a form within the application and is submitted with the victim's
existing session, fooling the application into allowing unauthorized
updates.


Addressed in PeopleTools by embedding a random token in each PeopleSoft
page that the web server validates before accepting the submission; a
request whose token is missing or does not match the session is rejected.
Cross-site scripting proper, where attacker-supplied script is reflected
into a page served to other users, is mitigated separately by encoding
user-supplied values when they are rendered.


Content Spoofing and Injection


The attacker modifies traffic between the browser and the site, looking
for an opportunity to gain unauthorized access or to escalate privileges.


Examples include:


Modifying the URL in unexpected ways


Altering or removing HTTP headers


Altering or removing cookies


Altering the HTML or XML content


PeopleTools acts as single controller for traffic


Content Spoofing and Injection


Can be bypassed with improper coding practices


Using an HTTP header to carry the user's identity for single sign-on: the client can
set any header unless the web server strips it before the request reaches PeopleSoft.


Using a GET request parameter inside an SQLExec call.


Common location-based security mistakes


Restricting portal navigation as if it enforced location security: hiding a menu entry
does not block a direct request to the component.


Using client-supplied headers to identify the source of traffic.


Common Remediations


Review any headers that the client can set or that are exposed to it.


Change management process to review all logic that uses the
%Request.GetParameter() function as well as SQLExec functions.
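
The review that the remediation above calls for can be partly automated. As an added example, not code from GreyHeller's deck or from PeopleTools, the Python below scans PeopleCode source text for SQLExec and CreateSQL calls whose SQL text is assembled with the `|` concatenation operator (or passed in from a variable), and lists every %Request.GetParameter() and %Request.GetHeader() use, so a change-management reviewer sees exactly where client input meets SQL. The PeopleCode it runs on is constructed for the example; the record names PS_NAMES and PS_TMP and the X-Remote-User header are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed PeopleCode sample for the example (not from the deck). Record names
# PS_NAMES and PS_TMP and the X-Remote-User header are hypothetical.
SAMPLE_PEOPLECODE = r'''
Local string &emplid = %Request.GetParameter("emplid");
Local string &name;
/* vulnerable: the request parameter is concatenated into the SQL text */
SQLExec("SELECT NAME FROM PS_NAMES WHERE EMPLID = '" | &emplid | "'", &name);
/* safe: bind variable, the value never becomes part of the SQL text */
SQLExec("SELECT NAME FROM PS_NAMES WHERE EMPLID = :1", &emplid, &name);
/* weak SSO pattern: a client-settable header is trusted as the user identity */
Local string &user = %Request.GetHeader("X-Remote-User");
Local SQL &sql = CreateSQL("DELETE FROM PS_TMP WHERE OPRID = '" | &user | "'");
'''

SQL_CALL = re.compile(r"\b(SQLExec|CreateSQL)\s*\(")
REQUEST_USE = re.compile(r"%Request\.(GetParameter|GetHeader)\s*\(")


@dataclass
class Finding:
    line: int
    kind: str      # "sql-concat", "sql-dynamic" or "request-input"
    detail: str


def first_argument(src: str, open_paren: int) -> str:
    """Text of the first argument of the call whose '(' is at src[open_paren].

    PeopleCode string literals use double quotes, with "" as the escape, so
    commas and parentheses inside a literal must not end the argument.
    """
    depth, in_str, i = 0, False, open_paren
    while i < len(src):
        ch = src[i]
        if in_str:
            if ch == '"':
                if src[i + 1:i + 2] == '"':   # doubled quote stays inside the literal
                    i += 1
                else:
                    in_str = False
        elif ch == '"':
            in_str = True
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        elif ch == ',' and depth == 1:
            return src[open_paren + 1:i]
        i += 1
    return src[open_paren + 1:]


def has_concatenation(arg: str) -> bool:
    """True if the '|' operator appears outside a double-quoted literal."""
    in_str = False
    for ch in arg:
        if ch == '"':
            in_str = not in_str       # a doubled "" toggles twice and stays inside
        elif ch == '|' and not in_str:
            return True
    return False


def line_of(src: str, pos: int) -> int:
    return src.count("\n", 0, pos) + 1


def review_peoplecode(src: str) -> list:
    """Flag SQL built from concatenation or variables, and every %Request input."""
    findings = []
    for m in SQL_CALL.finditer(src):
        arg = first_argument(src, m.end() - 1).strip()
        line = line_of(src, m.start())
        if has_concatenation(arg):
            findings.append(Finding(line, "sql-concat",
                                    f"{m.group(1)} builds SQL text with '|': {arg}"))
        elif not arg.startswith('"'):
            findings.append(Finding(line, "sql-dynamic",
                                    f"{m.group(1)} takes SQL text from {arg}; review how it is built"))
    for m in REQUEST_USE.finditer(src):
        findings.append(Finding(line_of(src, m.start()), "request-input",
                                f"%Request.{m.group(1)} supplies untrusted client data"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in review_peoplecode(SAMPLE_PEOPLECODE):
        print(f"line {f.line:>3}  {f.kind:<14} {f.detail}")
```

A bind-variable call such as the second SQLExec produces no finding, which is the point: the reviewer's time goes to the calls where a value from %Request can reach the SQL text. The scanner is a triage aid over exported PeopleCode, not a parser; a `sql-dynamic` finding still needs a human to trace how the variable was built.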


Authentication and Authorization


Identity management processes and controls


Password storage, management, and controls


Privilege management


Consistent application controls


PeopleTools enforces
security


Information Leakage


To aid development and troubleshooting, information about the
configuration and version of parts of the system needs to be accessible
at times. Making this information publicly available, however, helps
attackers find vulnerabilities.


Access to this information is controlled not by developers but by the
PeopleTools platform itself, through the web profile. We therefore
recommend auditing the web profile settings of the production web
servers to ensure that the options that expose this information are
turned off.


Discussion Points


Identity and Password Management


Data Security


Process Security


Incident Response


Logging and Analysis


Identifying and Authenticating
Users


Risks


User IDs and passwords


Users can have privileges that are not appropriate for them


Lack of visibility into inappropriate use of user IDs, passwords, or
privileges


Categories


User Account and Identity Management


Processes that surround user identity and role changes


Differentiated levels of trust and re-authentication


Password Controls


Centralize user credentials, password
controls, and authentication process

(Single Signon)


One place to protect the user account information


One ID across different University systems


Password controls enforced consistently


Changes in access administered and enforced in a single
place


One Identity for System Access
regardless of role


Risks:


Password controls are not enforced consistently, and
users must remember the credentials for each account


Changes in the user’s identity and access must often be
applied manually to both accounts


It is more difficult to audit users’ actions across the
different accounts.


Controls over account provisioning process


Batch Processes


Processes for controlling changes
in user identity


Student Self-Service Access:

Risk limited to the individual student


Faculty and Student Intern Access:

Risk related to activities that faculty and interns perform
for students or University, such as grading and advising


Functional Administrator Access:

Risk is related to operations of the system in a functional
area


System Administrator Access:

Risk is related to the operations of the PeopleSoft
Environment


End-user Support Access:

Risk is related to the scope of tasks that can be performed.


Developer Access:
Risk related to the changes a developer can make and the data a developer can access.


Key Activities


Provisioning of a new individual


Termination


Transfer


Assumption of new responsibilities


Login attempt capture and
analysis


Identify Suspicious Activity


Identification of accounts targeted in attacks


Identification of potentially compromised
accounts


Early Identification organized attacks


Identification of sources of attacks
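
As an added example that is not part of the original deck, the Python below runs the detections listed above over a constructed set of login-attempt records laid out with the fields the deck's logging slides name (OPRID, IP address, result, timestamp). It reports accounts under attack (many failures, or failures from many addresses), sources of attack (one address failing against many accounts), and the signature of a possibly compromised account: a success from an address that had just produced a streak of failures against that same account. The record layout and all thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed login-attempt records for the example (not real data). The layout
# follows the fields the deck lists for login logging: OPRID, IP address, result, time.
SAMPLE_LOG = """\
2013-12-09T08:00:01 oprid=JSMITH ip=198.51.100.10 result=SUCCESS
2013-12-09T08:00:05 oprid=JSMITH ip=203.0.113.7 result=FAIL
2013-12-09T08:00:09 oprid=JSMITH ip=203.0.113.7 result=FAIL
2013-12-09T08:00:14 oprid=JSMITH ip=203.0.113.7 result=FAIL
2013-12-09T08:00:20 oprid=JSMITH ip=203.0.113.7 result=FAIL
2013-12-09T08:00:27 oprid=JSMITH ip=203.0.113.7 result=FAIL
2013-12-09T08:00:31 oprid=JSMITH ip=203.0.113.7 result=SUCCESS
2013-12-09T08:01:00 oprid=ALEE ip=203.0.113.7 result=FAIL
2013-12-09T08:01:02 oprid=BKIM ip=203.0.113.7 result=FAIL
2013-12-09T08:01:04 oprid=CDOE ip=203.0.113.7 result=FAIL
2013-12-09T08:01:06 oprid=DPAT ip=203.0.113.7 result=FAIL
2013-12-09T08:01:08 oprid=EWU ip=203.0.113.7 result=FAIL
2013-12-09T08:02:00 oprid=MROSE ip=192.0.2.5 result=FAIL
2013-12-09T08:02:30 oprid=MROSE ip=192.0.2.6 result=FAIL
2013-12-09T08:03:00 oprid=MROSE ip=192.0.2.7 result=FAIL
2013-12-09T08:03:30 oprid=MROSE ip=192.0.2.8 result=FAIL
2013-12-09T09:15:00 oprid=ALEE ip=198.51.100.22 result=FAIL
2013-12-09T09:15:20 oprid=ALEE ip=198.51.100.22 result=SUCCESS
"""

LINE = re.compile(r"^(?P<ts>\S+) oprid=(?P<oprid>\S+) ip=(?P<ip>\S+) result=(?P<result>SUCCESS|FAIL)$")

# Thresholds are assumptions for the example; tune them to the institution's traffic.
WINDOW = timedelta(minutes=10)      # failures older than this do not count toward a streak
FAILS_PER_ACCOUNT = 5               # one account hammered from anywhere
SOURCES_PER_ACCOUNT = 3             # one account probed from many addresses
ACCOUNTS_PER_SOURCE = 3             # one address trying many accounts (spraying)
FAILS_BEFORE_SUCCESS = 3            # a success right after this many failures is suspicious


@dataclass
class Attempt:
    ts: datetime
    oprid: str
    ip: str
    ok: bool


@dataclass
class Report:
    targeted_accounts: set = field(default_factory=set)
    attack_sources: set = field(default_factory=set)
    possibly_compromised: list = field(default_factory=list)  # (oprid, ip, success time)


def parse(log: str) -> list:
    attempts = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # lines that do not fit the layout are skipped
        attempts.append(Attempt(datetime.fromisoformat(m["ts"]), m["oprid"],
                                m["ip"], m["result"] == "SUCCESS"))
    return sorted(attempts, key=lambda a: a.ts)


def analyze(attempts: list) -> Report:
    fails_by_account = defaultdict(list)   # oprid -> [ip, ...]
    fails_by_source = defaultdict(list)    # ip -> [oprid, ...]
    streak = defaultdict(list)             # (oprid, ip) -> [ts of recent failures]
    report = Report()
    for a in attempts:
        key = (a.oprid, a.ip)
        if a.ok:
            recent = [t for t in streak[key] if a.ts - t <= WINDOW]
            if len(recent) >= FAILS_BEFORE_SUCCESS:
                report.possibly_compromised.append((a.oprid, a.ip, a.ts.isoformat()))
            streak[key].clear()            # a success ends the streak
        else:
            fails_by_account[a.oprid].append(a.ip)
            fails_by_source[a.ip].append(a.oprid)
            streak[key].append(a.ts)
    for oprid, ips in fails_by_account.items():
        if len(ips) >= FAILS_PER_ACCOUNT or len(set(ips)) >= SOURCES_PER_ACCOUNT:
            report.targeted_accounts.add(oprid)
    for ip, oprids in fails_by_source.items():
        if len(set(oprids)) >= ACCOUNTS_PER_SOURCE or len(oprids) >= FAILS_PER_ACCOUNT:
            report.attack_sources.add(ip)
    return report


def analyze_log(log: str) -> Report:
    return analyze(parse(log))


if __name__ == "__main__":
    r = analyze_log(SAMPLE_LOG)
    print("targeted accounts:   ", sorted(r.targeted_accounts))
    print("attack sources:      ", sorted(r.attack_sources))
    print("possibly compromised:", r.possibly_compromised)
```

On the sample, JSMITH is flagged as targeted (five failures) and then as possibly compromised, because the success at 08:00:31 comes from the same address that produced those failures; MROSE is flagged as targeted on the distinct-source rule even though no single address failed more than once; 203.0.113.7 is the one attack source. ALEE's two failures followed by a success are below every threshold and stay out of the report, which is the behaviour you want for an ordinary mistyped password.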


Protecting Application Data


Controls over how data is stored


Controls over how data is accessed


Controls over how data is moved


Focus on Roles


End-User


Administrator


Developer


DBA


Administrator Best Practices


Hiding or Masking sensitive data


Externalizing sensitive data from the application


Policies for exporting and storing data


Stewardship


Controlling storage and access


Single control point over access (real time)


Controlling PS/Query Access


Controlling Access to PeopleSoft
Functions


The areas to consider within each type of user include:


Protecting against actions performed by an unauthorized user holding a
valid account


Protecting against actions performed by an authorized user misusing their
own authorized account


Protecting against system changes that could allow privilege
escalation


Mitigation Techniques


Controlling access to a machine with an open session or saved
credentials



Controlling access to administrative functions that could compromise
business functions or cause privilege
escalation



Providing audits and controls over high risk functions


Best Practice: 2-factor authentication


Two of the three standard authentication factors


Something the user knows (password, PIN, pattern)


Something the user has (phone, email account, USB key, smart card,
SecurID token)


Something the user is (biometric characteristic).


Common Tokens


Connected token


Smart card reader


USB token


Fingerprint scanner


Disconnected token


SecurID token


Email


SMS


IVR


Mobile App


Best Practice: Differentiated
Levels of Trust


Based on following attributes


Location from which access is
being performed


Device from which the user is accessing the system


User


History of access


Location Attributes


Access from a campus office with keycard access


Access from campus locations that have wired connections


Access from campus locations that are accessed wirelessly


Access from non-campus locations, but in the community of the campus


Access from other US locations


Access from other countries


Device Attributes


User Attributes


History Attributes


Setting the Levels


Banding sets of session attributes into levels of trust.


Banding PeopleSoft functionality into the different levels of access.


Functionality should be analyzed with the following in mind:


Can it be used for privilege escalation?


Can it be used fraudulently to benefit or damage students, faculty, administration
or the University?


Are there other processes in place to review or approve changes made?


The results of this banding will group PeopleSoft functionality into how it will
be provided


Allowed with any valid session


Allowed with a valid session and an additional factor of authentication


Disallowed for the current session
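
One way to implement the banding described above, written as an added example rather than code from the deck or from GreyHeller's products: each session is scored from its location, device and history attributes into a trust level; each function is banded with the trust it needs to be allowed outright and the lower trust at which an additional factor suffices; and the user attribute (role) decides whether the function is reachable at all. The location names follow the Location Attributes slide; the device and history attributes, the roles and the function names are assumptions for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    LOW = 1      # e.g. unknown device abroad
    MEDIUM = 2   # e.g. campus wireless, or off campus on a known device
    HIGH = 3     # e.g. keycard office or campus wired on a managed, known device


# Location bands follow the deck's Location Attributes slide. Anything not listed
# (a new VPN range, a typo in the feed) falls to LOW, so the policy fails closed.
LOCATION_TRUST = {
    "campus-keycard-office": Trust.HIGH,
    "campus-wired": Trust.HIGH,
    "campus-wireless": Trust.MEDIUM,
    "community": Trust.MEDIUM,
    "other-us": Trust.LOW,
    "other-country": Trust.LOW,
}

# Which roles may reach a function at all (the user attribute); names are assumptions.
FUNCTION_ROLES = {
    "view_grades": {"student", "faculty", "support"},
    "grade_entry": {"faculty"},
    "update_direct_deposit": {"student", "faculty"},
    "edit_permission_lists": {"sysadmin"},
}

# Banding of functionality: (trust needed to allow outright,
#                            trust at which a second factor is enough).
# Sessions below the second value are refused even with another factor.
FUNCTION_BANDS = {
    "view_grades": (Trust.LOW, Trust.LOW),                # any valid session
    "grade_entry": (Trust.MEDIUM, Trust.LOW),             # fraud risk toward students
    "update_direct_deposit": (Trust.HIGH, Trust.LOW),     # fraud risk toward the user
    "edit_permission_lists": (Trust.HIGH, Trust.MEDIUM),  # privilege escalation path
}


@dataclass(frozen=True)
class Session:
    oprid: str
    role: str
    location: str
    managed_device: bool   # device attribute: institution-managed vs. personal (assumption)
    seen_before: bool      # history attribute: user has used this device from here before
    mfa_completed: bool = False


def session_trust(s: Session) -> Trust:
    """Band the session's location, device and history attributes into one level."""
    level = LOCATION_TRUST.get(s.location, Trust.LOW)
    if not s.managed_device and level > Trust.MEDIUM:
        level = Trust.MEDIUM          # a personal device caps trust, wherever it is
    if not s.seen_before and level > Trust.LOW:
        level = Trust(level - 1)      # first use of a device/location costs one band
    return level


def decide(s: Session, function: str) -> str:
    """Return 'allow', 'step-up' (needs an additional factor) or 'deny'."""
    if s.role not in FUNCTION_ROLES.get(function, set()):
        return "deny"
    allow_at, step_up_at = FUNCTION_BANDS[function]
    trust = session_trust(s)
    if trust >= allow_at:
        return "allow"
    if trust >= step_up_at:
        return "allow" if s.mfa_completed else "step-up"
    return "deny"


if __name__ == "__main__":
    abroad = Session("S100", "student", "other-country", managed_device=False, seen_before=False)
    for fn in FUNCTION_BANDS:
        print(f"{fn:<24} {decide(abroad, fn)}")
```

The three outcomes map onto the slide's three groups: a student abroad on an unknown device can view grades with any valid session, is challenged for a second factor before changing direct deposit, and can never reach permission-list maintenance from that session. A system administrator sitting in a keycard office but on a machine never seen before lands in the step-up band for the same administrative function, which is the "temporary, re-authenticated access to high-risk functions" pattern the later slides recommend.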


Other Best Practices


Temporary access to high risk
functions



Well defined policies and training over administrative
use



Release process over configuration settings


Developer and Tester Best
Practices


Limit developer access to production


Change Management solution for development tasks


Automating migrations into production with segregation of duties


Removal of PeopleSoft-delivered accounts and roles


Audit and controls over development and testing accounts and
permissions in production


Test Automation


Develop and test scripts instead of running SQL directly in production


Incident Response


Common Incidents


Solicited and/or unsolicited information provided by
security research organizations


Publication of an issue or breach affecting the
University's system.


Discovery of potential breach that could affect the
University’s system.


Account-level issues including breaches and password
resets


Incident Response Best
Practices


Cross-functional incident response teams


Communication processes and plans


Incident response policies and procedures that
define SLAs, roles, responsibilities, and automation
wherever possible


Logging and Auditing


Helps with


Preventing security breaches


Identifying breaches or attacks early, thereby reducing the
scope of impact


Quickly understanding the scope of attacks or breaches so
that a response can be planned and quickly implemented


Gathering better information for security audits or litigation


Logging Best Practices


Information about the location accessed from



Failed login activity



Information about the data accessed or any
transaction activity


Best Practice: Capturing
additional information


IP Address or Location


Web Server being accessed


User ID


Pages accessed within the application


Keys to identify the data accessed or transaction to be
processed


Actions performed within the application


Best Practice: Segmented Logs


Login activity


Password resets


Administrative access by functional area


Student access by functional area


Support access


Access from high-risk locations


Access from high-risk personnel


Access to sensitive data or transactions


Summary


Masking and externalizing sensitive
data



Differentiated Security and 2-factor authentication



Logging and Auditing



Change Management and Automation


GreyHeller Security Products


Desktop Single Signon


ERP Firewall


Differentiated Security


Location based Security


2 Factor Authentication


Delegation


Logging


GreyHeller Version Control


ERP Firewall


Allows you to


Control access based on location, user, content,
and state.


Log only the requests you care about.


Implement additional challenges for content you
wish to secure more strongly


Display your own system messages to your users


Restrict access when system is under maintenance


Access Control Made Easy


ERP Firewall Flow


Flexible, Powerful Conditions


Powerful Logging


Gathers a complete picture of access


OPRID / IP Address / Result / Browser / Date / Time


Login Page / Portal Content / PeopleSoft Page / iScript


EMPLID / Search Criteria / Actions taken


Allows creation of targeted logs


Failed login activity


Activity for specific content


Activity for types of users


2-factor activity


Definitional 2-factor authentication


Identify areas that
require additional
security upon access


Only grant extended
privileges
when needed


Limit the scope of those
privileges


Change Management


Segregation
of duties and Release
Management Controls


Visibility into all development and
release activity


Facilitates automated testing


No footprint on your PeopleSoft
servers


PeopleSoft environments are not
linked to each other


Collaboration


Access to all parts of your release process from
browser


Code Browsing and revision history


Check-in History


Migration definition and execution


Tickets, Approvals, and state of work


Integrated Collaboration Tools


Email Notifications


RSS Feeds


Normal Release Process


Standard Release Process


April 7-11, 2014

Sands Expo and Convention Center

Las Vegas, Nevada

QuestDirect.org/COLLABORATE

COLLABORATE 14

Quest Forum is THE source for PeopleSoft roadmaps & news.

It matters where you register!
All PeopleSoft education and events run through Quest
