8/3/2019 YouvsTheBadGuysv2
http://slidepdf.com/reader/full/youvsthebadguysv2 1/58
Copyright© 2010 Solution Beacon, LLC All Rights Reserved Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
You vs The Bad Guys -
The Top 10 List For Securing R12
Randy Giefer, Solution Beacon LLC
Session - 3777
Objectives
• Provide detailed explanations and mitigations for a prioritized list of ten security improvements.
• Share experiences and knowledge in securing R12.
• Increase the attendee's overall security awareness.
Approach
• 1st Pass
– Just R12 Top Ten
– Lacked Context and Justification
– Why Those Top Ten?
• 2nd Pass
– Added Context (Security Education)
– Added More Info About Today’s State Of Security
Miscellaneous
• The associated whitepaper for this presentation contains much, much more content than this presentation!
• The most recent version of the whitepaper: www.solutionbeacon.com/r12securitytop10giefer.pdf
• The author can be reached at: [email protected]
Guiding Documents
• Best Practices For Securing Oracle E-Business Suite Release 12 [ID 403537.1]
• Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]
• Oracle® Applications System Administrator's Guide – Security, Release 12.1, Part No. E12843-03
• Database Security Guide 11g Release 2 (11.2), Part No. E10574-04
Today’s Data Breach Profile
• Hacking Takes Lead as Top Cause of Data Breaches *1
• Adobe Reader and Adobe Flash will be the top targets for malware writers in 2010 *2
• Data breach cases: *3
– Negligence 40%
– System glitches 36%
– Malicious and criminal attacks 24%
*1 Identity Theft Resource Center's 2009 Breach Report
*2 McAfee 2010 Threat Predictions Report
*3 Ponemon Institute 2009 Annual Data Breach Report
4/10 Security Headlines
• Reported Data Breaches on the Rise in Ireland
• Microsoft to Issue 11 Bulletins to Address 25 Flaws on April 13
• Adobe May Make Changes to Reader and Acrobat to Protect Users
• Faulty Routing Data From Chinese ISP Causes Problems Again
• Former Bank of America IT Worker Charged in ATM Scheme
• Romanian Police Arrest 70 In Connection with eBay Fraud
• Cyber Espionage Group Stealing Indian National Security Documents
Source: SANS Institute NewsBites
Today’s State of Security
• Malicious and Criminal Attacks Are Rising
• Awareness Is Increasing
• Internal Threats Are Slowly Decreasing
• Breach Costs Continue To Rise *1
– $204 per compromised customer
– Total Average Breach Cost: $6.75 million
*1 Ponemon Institute 2009 Annual Data Breach Report
An Approach To Security
Protect. Detect. React.
An Approach To Security
• Identify What Needs Protection
• Identify Your Enemies
• Identify Their Attack Methods
An Approach To Security
• Identify What Needs Protection
– Break down the “what” into components, groups, or areas
• Identify All Possible Enemies
– Who?
– Why?
– What are they seeking?
• Identify All Possible Attack Methods
An Approach To Security (2nd Pass)
• Identify What Needs Protection (2nd Iteration)
– Deep dive into the “what”: components, groups, or areas
• Identify Your Enemies (2nd Iteration)
– Classify and prioritize
• Identify Their Attack Methods (2nd Iteration)
– Evaluate and Prioritize
– Assign Risk
Protect, Detect, React
Securing R12 Top 10 List - Know Your Technology Stack
Know Your Technology Stack
• Sounds Easy, But Need To Know:
– R12 Technology Stack (not so simple)
– Other R12 System Components (SOA, BI, etc.)
– OS
– Network
• Oracle eSeminar TOI: Oracle E-Business Suite Technology Stack Functional Overview
• Thoroughly Learn The Content In The “Guiding Documents”
Know Your Technology Stack
• Constantly changing: 15 New Technology Stack Enhancements in EBS 12.1.1 - http://blogs.oracle.com/stevenChan

Component | 12.0.0 | 12.0.4 | 12.1.1
--- | --- | --- | ---
Database | 10.2.0.2 | 10.2.0.3 | 11.1.0.7
OracleAS 10.1.2 Forms & Reports | 10.1.2.0.2 | 10.1.2.2 | 10.1.2.3
OracleAS 10.1.3 OC4J | 10.1.3.0.0 | 10.1.3.0.0 | 10.1.3.4
App Tier Java (JDK) | 1.5.0_10 | 1.5.0_13 | 1.6.0_10
Desktop Client Java (JRE) | 1.5.0_10-erdist | 1.5.0_13 | 1.6.0_u10
Securing R12 Top 10 List - Implement A Secure Architecture
Secure Architecture
• An architecture is mandatory
• Three interrelated areas that need analysis:
– Network Attack Surface
– Software Attack Surface
– Human Attack Surface
• Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]
• Don’t be misled by the DMZ reference in the title; the note’s guidance applies to internal deployments as well
Securing R12 Top 10 List - Strictly Control Direct Database Access
Control Direct Database Access
• This control has two main components:
– A white list of allowed hosts
– Reducing the number of allowed hosts
• Allowed hosts via sqlnet.ora on the database tier:
– tcp.validnode_checking
– tcp.invited_nodes

tcp.validnode_checking = YES
tcp.invited_nodes = (192.168.1.91)

• The invited list must name every host that legitimately opens a SQL*Net connection: the database server itself and each application-tier node (web, forms, concurrent managers). A host missing from the list is refused at the listener, so an incomplete list locks the application out. The listener reads these parameters at startup; restart it after changing them.
Control Direct Database Access
• Reducing the number of allowed hosts
• Note 277535.1’s pertinent statements are:
“Oracle recommends that all components requiring direct connection to the E-Business Suite database are deployed on servers rather than on end user desktop machines … it is recommended that they are deployed in a remote server environment using either Windows Server Terminal Services, Citrix or Tarantella.”
• Somewhat dated, but still pertinent
• Virtual Desktop Infrastructure (VDI) technology is the current equivalent
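As an added example (not from the presentation and not an Oracle tool), the following Python script audits a sqlnet.ora allow list the way a reviewer would: it parses the two parameters shown above, flags wildcard or subnet entries that admit a whole range rather than a host, and checks that an assumed inventory of required hosts (one database server and two application-tier nodes, with made-up addresses) is present. Both sqlnet.ora fragments are constructed, and wildcard matching uses shell-style globbing as an approximation of the listener's own matching.

```python
"""Audit the valid-node-checking allow list in an Oracle Net sqlnet.ora.

Added example: not from the presentation and not Oracle's own tooling.
It parses tcp.validnode_checking and tcp.invited_nodes, flags entries
that admit whole ranges, and verifies that every host in an assumed
inventory (the database server and the application-tier nodes) is
still invited. Wildcard entries are matched with shell-style globbing,
an approximation of the listener's matching.
"""
import fnmatch

# Constructed sample: the list was widened to a desktop subnet and never
# included the database server itself.
WEAK_SQLNET_ORA = """
NAMES.DIRECTORY_PATH = (TNSNAMES, ONAMES, HOSTNAME)
SQLNET.EXPIRE_TIME = 10
# valid node checking
tcp.validnode_checking = YES
tcp.invited_nodes = (192.168.1.91, 192.168.1.92, 10.0.5.*, dbadmin-ws01)
"""

# Constructed sample: single hosts only, database server included.
HARDENED_SQLNET_ORA = """
tcp.validnode_checking = YES
tcp.invited_nodes = (192.168.1.90, 192.168.1.91, 192.168.1.92, dbadmin-ws01)
"""

# Assumed inventory (sample addresses): hosts that must reach the listener.
REQUIRED_NODES = {
    "192.168.1.90",  # database server: its own TCP connections are checked too
    "192.168.1.91",  # application tier node 1
    "192.168.1.92",  # application tier node 2
}


def parse_sqlnet(text):
    """Return {lower-cased parameter: value} for single-line NAME = VALUE entries."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # sqlnet.ora comments start with '#'
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip()
    return params


def parse_node_list(value):
    """'(a, b, c)' -> ['a', 'b', 'c']; entries may be IPs, host names or wildcards."""
    return [n.strip() for n in value.strip().strip("()").split(",") if n.strip()]


def node_invited(host, invited):
    """True if host is covered by any entry, including wildcards such as 10.0.5.*."""
    return any(fnmatch.fnmatchcase(host, entry) for entry in invited)


def audit_sqlnet(text, required_nodes):
    """Return a list of findings; an empty list means the list is tight and complete."""
    params = parse_sqlnet(text)
    findings = []
    if params.get("tcp.validnode_checking", "").upper() != "YES":
        findings.append("tcp.validnode_checking is not YES, so tcp.invited_nodes has no effect")
        return findings
    invited = parse_node_list(params.get("tcp.invited_nodes", ""))
    if not invited:
        findings.append("tcp.invited_nodes is empty; every TCP client will be refused")
    for entry in invited:
        if "*" in entry or "/" in entry:
            findings.append(f"broad entry {entry!r} admits a whole range, not a single host")
    for host in sorted(required_nodes):
        if not node_invited(host, invited):
            findings.append(f"required node {host} is not invited and would be locked out")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        print(label, audit_sqlnet(text, REQUIRED_NODES) or ["no findings"])
```

Run it against the real $TNS_ADMIN/sqlnet.ora of the database tier with REQUIRED_NODES filled from the instance's context files; a non-empty result is either a lock-out waiting to happen (missing node) or a hole (broad entry).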
Securing R12 Top 10 List - Control and Protect “Data In Transit”
Filter HTTP Traffic
• Application Firewall (URL FW)
• Appendix B of Oracle E-Business Suite Release 12 Configuration in a DMZ [ID 380490.1] contains the current list of certified R12 products that can be deployed for external use.
• The URL firewall only implements a “white list”: a request passes only when its URL matches a rule for a product you have chosen to expose; everything else is rejected.
Securing R12 Top 10 List - Restrict OAS Pages and Prevent Information Disclosure
Restrict OAS Pages
• Protect administrative pages
• Disable test pages

# Restrict an administrative URI to the server itself and named admin hosts
<Location "uri-to-protect">
    Order deny,allow
    Deny from all
    Allow from localhost <list of TRUSTED IPs>
</Location>

# Block the FastCGI echo test page for every client
<Location ~ "^/fcgi-bin/echo.*$">
    Order deny,allow
    Deny from all
</Location>
Prevent OAS Information Disclosure
• Create your own “safe” error pages so that server errors do not return stack traces or product details to the client
• Disable OAS banner information: suppresses the trailing footer line (server version, OS, virtual host) on generated pages and trims the Server header to the product name

# Serve a custom page instead of the stock 500 page (repeat for other codes as needed)
ErrorDocument 500 /my_custom_500_error.htm
# No footer line on server-generated pages
ServerSignature Off
# Server header carries the product name only, no version or OS
ServerTokens Prod
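These directives are easy to lose when httpd.conf is regenerated, so the following Python linter is added here as an example (not from the presentation and not an Oracle tool). It reads an httpd.conf fragment and reports which of the recommendations on these two slides are missing: a test-page Location that does not deny everyone, no custom ErrorDocument 500, ServerSignature not Off, ServerTokens more revealing than Prod. Both the weak and the hardened fragment are constructed and far smaller than a real EBS configuration.

```python
"""Lint an Oracle HTTP Server httpd.conf fragment for the hardening directives
on the two preceding slides: test pages denied, custom error page, banner off.

Added example: not from the presentation and not an Oracle tool. It works on
configuration text only and never contacts a server. Both fragments are
constructed.
"""
import re

WEAK_CONF = """
ServerTokens Full
ServerSignature On
<Location ~ "^/fcgi-bin/echo.*$">
    Order allow,deny
    Allow from all
</Location>
"""

HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
ErrorDocument 500 /my_custom_500_error.htm
<Location ~ "^/fcgi-bin/echo.*$">
    Order deny,allow
    Deny from all
</Location>
"""

# Apache ServerTokens values from least to most revealing.
SERVER_TOKENS_ORDER = ["prod", "major", "minor", "min", "os", "full"]

LOCATION_RE = re.compile(
    r'<Location\s+(?:~\s+)?"?(?P<pattern>[^">]+?)"?\s*>(?P<body>.*?)</Location>',
    re.S | re.I,
)


def _clean_lines(text):
    """Non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def top_level_directives(text):
    """Directives outside <Location> blocks as {lower-name: [values in file order]}."""
    found = {}
    for line in _clean_lines(LOCATION_RE.sub("", text)):
        if line.startswith("<"):
            continue  # other container tags are out of scope for this check
        parts = line.split(None, 1)
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found


def location_denies_all(text, uri_fragment):
    """True if a <Location> whose pattern mentions uri_fragment denies every client."""
    for m in LOCATION_RE.finditer(text):
        if uri_fragment not in m.group("pattern"):
            continue
        lines = [l.lower() for l in _clean_lines(m.group("body"))]
        deny_all = any(l.startswith("deny from all") for l in lines)
        any_allow = any(l.startswith("allow from") for l in lines)
        if deny_all and not any_allow:
            return True
    return False


def audit_httpd_conf(text):
    """Return findings; an empty list means the fragment matches the recommendations."""
    findings = []
    d = top_level_directives(text)
    tokens = d.get("servertokens", ["full"])[-1].lower()  # Apache's default is Full
    rank = SERVER_TOKENS_ORDER.index(tokens) if tokens in SERVER_TOKENS_ORDER else len(SERVER_TOKENS_ORDER)
    if rank > 0:
        findings.append(f"ServerTokens {tokens}: Server header reveals more than the product name")
    if d.get("serversignature", ["off"])[-1].lower() != "off":
        findings.append("ServerSignature is not Off: generated pages carry a version footer")
    codes = {v.split()[0] for v in d.get("errordocument", []) if v}
    if "500" not in codes:
        findings.append("no ErrorDocument 500: server errors return the stock page")
    if not location_denies_all(text, "/fcgi-bin/echo"):
        findings.append("/fcgi-bin/echo test page is not denied to all clients")
    return findings


if __name__ == "__main__":
    print("weak:", audit_httpd_conf(WEAK_CONF))
    print("hardened:", audit_httpd_conf(HARDENED_CONF))
```

The check is deliberately conservative: a Location that denies all but also carries an Allow line is reported, because that is the administrative-page pattern, not a disabled test page.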
Securing R12 Top 10 List - Mitigate Known Vulnerabilities
Mitigate Known Vulnerabilities
• Hackers reverse engineer CPU patches, so an unpatched system is exposed from the moment the fix is public
• Patch current!
• Critical Patch Updates and Security Alerts – http://www.oracle.com/technology/deploy/security/alerts.htm
– Security Alerts and Critical Patch Updates - Frequently Asked Questions [ID 360470.1]
• Oracle’s security alert notification system: http://www.oracle.com/technology/deploy/security/securityemail.html
Mitigate Known Vulnerabilities
• Critical Patch Update Implementation Best Practices: http://www.oracle.com/technology/deploy/security/pdf/cpu_whitepaper.pdf
• The next four CPU dates are:
– 13 July 2010
– 12 October 2010
– 18 January 2011
– 19 April 2011
• The bad guys know these dates too!
• Plan for it. Prepare. Protect yourself.
Securing R12 Top 10 List - Harden R12 Profiles and Passwords
Harden EBS R12 Using Profile Options
• Secure Configuration of E-Business Suite Profiles [ID 946372.1]
– FND: Diagnostics -> NO
– FND Validation Level -> ERROR
– FND Function Validation Level -> ERROR
– Framework Validation Level -> ERROR
– Restrict Text Input -> Yes
Harden R12 App Passwords And Password Controls

Profile | Default | Recommendation
--- | --- | ---
Signon Password Failure Limit | None | 3 (attempts)
Signon Password Hard to Guess | No | Yes
Signon Password Length | 5 | 8 (characters)
Signon Password No Reuse | None | 180 (days)
Signon Password Custom | None | See Note Below
Signon Password Case | None *1 | Sensitive
Harden R12 App Passwords And Password Controls (cont.)

Account | Product / Purpose | Change | Disable
--- | --- | --- | ---
AME_INVALID_APPROVER | AME WF migration 11.5.9 to 11.5.10 | Y | Y
ANONYMOUS | FND/AOL – Anonymous for non-logged users | Y | Y
APPSMGR | Routine maintenance via concurrent requests | Y | Y
ASGADM | Mobile gateway related products | Y | Y (a)
ASGUEST | Sales Application guest user | Y | Y (b)
AUTOINSTALL | AD | Y | Y
CONCURRENT MANAGER | FND/AOL: Concurrent Manager | Y | Y
FEEDER SYSTEM | AD – Supports data from feeder system | Y | Y
GUEST | Guest application user | Y | N
Harden the End Point
• Client browser
• Recommended Browsers for Oracle E-Business Suite Release 12 [ID 389422.1]
– Internet Explorer for Windows users
– Firefox for Windows users
– Safari for Mac users
• Don’t be misled by the title - the note addresses more than just ‘recommended browsers’
Harden the End Point (cont.)
• Don’t be misled by the title - the note addresses more than just ‘recommended browsers’, such as settings that deal with:
– Security Zones
– JRE plug-ins
– Use of Excel with ADI
– Autocomplete
– Keep Alive
– Certificates
– Cross Site Scripting errors
– Attachments
– Exporting data
Securing R12 Top 10 List - Implement R12 Functional Security
R12 Functional Security - MOAC
• MOAC: Multi-Org Access Control
• Role based access to Operating Units (OU)
• Security Profiles for data security
– MO: Security Profile
– List of operating units for a responsibility
– Defined in HR
• OU field on UI
– all transactions
– setup data specific to OU, like transaction type
R12 Functional Security - MOAC
• Enhanced Multi-Org Reporting and Processing
– Ledger/Ledger Set parameter on accounting reports and processes
– OU parameter on other standard reports and processes
R12 Functional Security – GL Access Sets
• Data Access Sets
– Grant and tailor access to Ledgers and Balancing Segment Values (i.e. Companies, Stores, Branches, etc.)
• Definition Access Sets – separate from data security
– Share or restrict definitions; privileges to view, modify, etc.
Protect, Detect, React
Securing R12 Top 10 List - Enable and Monitor Logs
Enable Mid-Tier Logs
• How to enable Apache, OC4J and OPMN logging in Oracle Applications R12 [ID 419839.1]

Log Level (most to least severe) | Description
--- | ---
emerg | Emergencies, system is not usable
alert | Action must be taken
crit | Critical conditions
error | Error conditions
warn | Warning conditions
notice | Normal but significant condition
info | Information
debug | Debug level messages
Monitor Mid-Tier Logs
• The Apache log files are written to: $LOG_HOME/ora/10.1.3/Apache
• The logs consist of:
– Access Log (CustomLog) - the filename format is access_log.<unique id>
– Error Log (ErrorLog) - the filename format is error_log.<unique id>
Monitor Mid-Tier Logs (cont.)
• The following logs can also provide important event information:
$LOG_HOME/ora/10.1.3/Apache/mod_rewrite.log
$LOG_HOME/ora/10.1.3/Apache/sec_audit.log
$LOG_HOME/ora/10.1.3/Apache/sec_debug.log
• The URL firewall is built on mod_rewrite rules, so requests it rejects are recorded in mod_rewrite.log
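Enabling the logs only pays off if something reads them. The following Python script is an added example (not from the presentation and not an Oracle tool) that runs three detections over constructed access_log lines in Common Log Format: a /fcgi-bin/echo test page that still answers 200, a protected URI served to an address outside an assumed administrator allow list (the prefix /admin-example/ and the trusted addresses are placeholders for a real deployment's values), and a burst of 404s from one address, which is what URI guessing looks like in the access log.

```python
"""Scan Oracle HTTP Server access_log lines for what the preceding slides aim
to prevent: test pages that answer, protected URIs reached from untrusted
addresses, and 404 bursts that look like URI probing.

Added example: not from the presentation and not an Oracle tool. The log lines
are constructed in Common Log Format; /fcgi-bin/echo comes from the slide's
<Location> rule, while /admin-example/ and the trusted addresses are
placeholders for a real deployment's "uri-to-protect" and admin hosts.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

TEST_PAGE_RE = re.compile(r"^/fcgi-bin/echo")       # the slide's test-page rule
PROTECTED_PREFIXES = ("/admin-example/",)            # assumed stand-in for "uri-to-protect"
TRUSTED_ADMIN_IPS = {"127.0.0.1", "192.168.1.10"}    # assumed administrator hosts
PROBE_404_THRESHOLD = 5                              # 404s from one address before alerting

# Constructed sample log: one test-page hit, one untrusted admin hit, one scan.
SAMPLE_LOG = """\
10.0.5.23 - - [10/Apr/2010:09:15:22 -0500] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123
10.0.5.23 - - [10/Apr/2010:09:15:40 -0500] "GET /fcgi-bin/echo HTTP/1.1" 200 612
203.0.113.7 - - [10/Apr/2010:09:16:01 -0500] "GET /admin-example/status HTTP/1.1" 200 2048
192.168.1.10 - - [10/Apr/2010:09:16:05 -0500] "GET /admin-example/status HTTP/1.1" 200 2048
203.0.113.7 - - [10/Apr/2010:09:16:10 -0500] "GET /OA_HTML/jsp/test1.jsp HTTP/1.1" 404 288
203.0.113.7 - - [10/Apr/2010:09:16:11 -0500] "GET /OA_HTML/jsp/test2.jsp HTTP/1.1" 404 288
203.0.113.7 - - [10/Apr/2010:09:16:12 -0500] "GET /servlets/anything HTTP/1.1" 404 288
203.0.113.7 - - [10/Apr/2010:09:16:13 -0500] "GET /console HTTP/1.1" 404 288
203.0.113.7 - - [10/Apr/2010:09:16:14 -0500] "GET /manager/html HTTP/1.1" 404 288
203.0.113.7 - - [10/Apr/2010:09:16:15 -0500] "GET /fcgi-bin/echo2 HTTP/1.1" 403 210
"""


def parse_line(line):
    """Return a dict for a Common Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Return (kind, ip, detail) alerts in the order they are raised."""
    alerts = []
    not_found = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, uri, status = rec["ip"], rec["uri"], rec["status"]
        # A 2xx here means the <Location> deny rule for echo is missing or bypassed;
        # the 403 on /fcgi-bin/echo2 in the sample is the rule working and is not alerted.
        if TEST_PAGE_RE.match(uri) and 200 <= status < 300:
            alerts.append(("test_page_served", ip, uri))
        # Protected content delivered to an address outside the allow list.
        if uri.startswith(PROTECTED_PREFIXES) and 200 <= status < 300 and ip not in TRUSTED_ADMIN_IPS:
            alerts.append(("protected_uri_from_untrusted_ip", ip, uri))
        if status == 404:
            not_found[ip] += 1
    # Many misses from one address in a short window is characteristic of URI guessing.
    for ip, n in not_found.items():
        if n >= PROBE_404_THRESHOLD:
            alerts.append(("probable_uri_probing", ip, f"{n} x 404"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Point it at access_log.<unique id> (for example by piping `tail -f` into it) and the first alert kind is also a regression test for the Restrict OAS Pages configuration: if echo ever returns 200 again, the deny rule has been lost.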
Enable Listener Log
• To enable listener logging, set the following parameters in $TNS_ADMIN/listener.ora. The suffix is the listener name, which on an R12 database tier is the $ORACLE_SID:

LOGGING_$ORACLE_SID = ON
LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
LOG_FILE_$ORACLE_SID = $ORACLE_SID

• From lsnrctl the same switch is “set log_status on”. On an 11g listener with ADR enabled (the default), LOG_DIRECTORY and LOG_FILE are ignored and the log is written under the ADR home; add DIAG_ADR_ENABLED_$ORACLE_SID = OFF if the explicit location must be honoured. Reload or restart the listener after editing.
Enable DB Auditing
AUDIT_TRAIL settings

Value | Meaning
--- | ---
DB | Enables database auditing and directs all audit records to the database audit trail (SYS.AUD$), except for records that are always written to the operating system audit trail
DB_EXTENDED | Does all actions of AUDIT_TRAIL=DB and also populates the SQL bind and SQL text columns of the SYS.AUD$ table
XML | Enables database auditing and directs all audit records in XML format to an operating system file
XML_EXTENDED | Does all actions of AUDIT_TRAIL=XML, adding the SQL bind and SQL text columns
OS | Enables database auditing and directs all audit records to an operating system file

• AUDIT_TRAIL is a static parameter: set it with ALTER SYSTEM ... SCOPE=SPFILE and restart the instance. With DB or DB_EXTENDED, SYS.AUD$ grows without bound unless it is purged or archived on a schedule, so plan that before switching it on.
Enable R12 Auditing

Profile Option Name | Description | Recommended Value
--- | --- | ---
AUDITTRAIL:ACTIVATE | Enable R12 auditing (turns on AuditTrail for the audit groups you define) | Yes
SIGNONAUDIT:LEVEL | Set at site level to track actions starting when the user logs on | Form

SIGNONAUDIT:LEVEL possible values: None, User, Responsibility, Form. Each level includes the one before it, so Form records the sign-on, the responsibility chosen and every form opened.
Protect, Detect, React
Incident Response
• Final component of the P-D-R trinity: React.
• P3 (Prepare, Plan, Practice)
– Prepare
• Need inventories
• Need information at your fingertips
– Plan
• Need to plan for what to do in various scenarios
– Practice
• Practice and observe
TOP 10 Review
• Know Your Technology Stack
• Implement a Secure, Overall Architecture
• Strictly Control Direct Database Access
• Control and Protect “Data In Transit”
• Restrict OAS Pages and Prevent Information Disclosure
• Mitigate Known Vulnerabilities
• Harden EBS R12 Profiles and Passwords
• Harden the End Point
• Implement R12 Functional Security
• Enable Logging and Monitor Logs
Conclusion
• Don’t neglect other security controls and best practice recommendations – they are important!
• Security does not “just happen”
• Security is a continual process
• Security is no longer an option
Free consultation at our booth
• Get Your Technical Scorecard Today
– Identify areas of risk
– Suggest cost saving opportunities
– Provide checklist of next steps
• See Your Technical Assessment Options
– Upgrade readiness, customization reduction, Hardware/Architecture, Workflow, Health Check, Security
– All provide technical recommendations, best practices and performance/efficiency improvements and ROI
Ranked R12 Scorecard Technical Consultation - Booth 2720 - Stop By
Time is money. A Technical Assessment can identify how to reduce technical expenses for all future upgrades.
Assessments
• Strategic business assessments & ROI
• Functional assessments
• Technical assessments
• IT roadmap planning
• Acquisition integration
• Software selection
• Upgrade readiness
Implementations
• ERP upgrades
• ERP implementations
• ERP migration and consolidation
• Oracle Fusion Middleware - SOA
• Develop industry specific front-end modules
• Custom development
• International dependencies and multi-org
Optimizations
• Business process re-engineering
• Functional optimization
• Technical optimization
• System architecture optimization
• Database tuning and optimization
Support Services
• Functional and technical support
• Focused knowledge transfer
• Remote DBA support
• Oracle instance hosting
Solution Beacon’s services are even better than our presentations
Booth 2720 - Stop By
Published Authority on Oracle
• Published Books
• National Publications
Questions?