PeopleSoft Cyber Security Neville Varnham How Well Prepared Are You?

13. Neville Varnham - PeopleSoft Cyber Security

Page 1: 13. Neville Varnham - PeopleSoft Cyber Security

PeopleSoft Cyber Security

Neville Varnham

How Well Prepared Are You?

Page 2

Some sobering thoughts…

Page 3

So You Think You Are Safe?

The Cerber affiliate scheme allows anyone to become a cyber extortionist - for a price. A ransomware-as-a-service scheme is enabling even the most technically illiterate cyber criminal to extort payments from victims infected with data-encrypting malware, with the developers of the service taking a significant chunk of the ill-gotten gains. GoldenEye, Petya & Locky are similar.

Page 4

I Use Passwords – I Am Safe!

I can download, install and configure the hashcat “password recovery” (aka cracking) software and add a decent set of word lists in about 10 – 15 minutes.

All I need next is an idea of what encryption algorithm has been used:

DES – encrypted passwords have no ID prefix (such as {V1.1})

3DES – encrypted passwords start with {V1.1}

3DES – after key regeneration, V1.2, V1.3 etc.

AES – encrypted passwords start with {AES}

Assume 1 billion password guesses per second in a brute force attack:

A 6-character alphanumeric password has 56.8 billion combinations – cracked in under a minute!

A 12-character alphanumeric password will take > 100,000 years.

Password crackers don’t just use brute force!
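To put numbers behind the figures on this slide, here is an added Python example (not from the presentation): it sizes the keyspace for a character set and length, converts it to worst-case crack time at the assumed 1 billion guesses per second, and applies a crude word-list-plus-rules check to show why the keyspace figure alone overstates the strength of a password such as Passw0rd!. The word list and the substitution rule are constructed for the example.

```python
import string

# Character classes a brute-force attack must include once the password uses them.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

# Constructed, deliberately tiny word list standing in for the "decent set of word
# lists" a cracker loads alongside hashcat.
WORDLIST = {"password", "welcome", "peoplesoft", "summer", "letmein"}

# Common leet-style substitutions that cracking rules undo automatically.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "@": "a", "$": "s"})


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attack must cover for this password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(charset: int, length: int) -> int:
    """Number of candidate strings of the given length over an alphabet of that size."""
    return charset ** length


def brute_force_seconds(charset: int, length: int, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at the slide's assumed 1 billion guesses/second."""
    return keyspace(charset, length) / guesses_per_second


def wordlist_hit(password: str) -> bool:
    """Crude mangling-rule check: strip trailing digits/symbols, undo leet substitutions,
    and look the remainder up. Such passwords fall in moments whatever their keyspace."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET) in WORDLIST


def assess(password: str) -> dict:
    """Summarise a password both ways: brute-force years and word-list exposure."""
    size = charset_size(password)
    return {
        "charset": size,
        "keyspace": keyspace(size, len(password)),
        "brute_force_years": brute_force_seconds(size, len(password)) / (365.25 * 86400),
        "wordlist_hit": wordlist_hit(password),
    }


if __name__ == "__main__":
    for pw in ("Abc123", "Passw0rd!", "xK9#mQ2vL7pR"):
        print(pw, assess(pw))
```

The 62-character alphabet (upper, lower, digits) reproduces the slide's 56.8 billion combinations for six characters and just over 100,000 years for twelve.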

Page 5

I Trust My Users

“An undergraduate at the University of Nebraska last year was able to break into a database associated with the university's PeopleSoft system, exposing Social Security numbers and other sensitive information on about 654,000 students, alumni and employees. According to our sister website Dark Reading, the university was lucky enough to detect the breach and shut it down quickly. An IT staffer picked up on an error message that seemed like evidence of something amiss, and a recently installed security information and event management system helped network managers sort through system logs and collect enough evidence to allow police to get a warrant to confiscate the computer of the student believed to have been behind the attack.”

Page 6

Security Breaches Cost: Money & Reputation

Page 7

Selected Terminology

Page 8

Terminology – Selected Terms Only

HARDENING - Process of identifying and fixing vulnerabilities on a system.

THREAT - A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.

THREAT ASSESSMENT - The identification of the types of threats that an organization might be exposed to.

THREAT MODEL - Used to describe a given threat and the harm it could do to a system if it has a vulnerability.

THREAT VECTOR - Method a threat uses to get to the target.

HASH FUNCTIONS - (Cryptographic) hash functions are used to generate a one-way "check sum" for a larger text, which is not trivially reversed. Can be used to create encrypted passwords.

CPU – Critical Patch Update – set of security patches issued regularly by Oracle: http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf

Page 9

Terminology – More Selected Terms

Intrusion Detection System (IDS) - Network device or program that monitors network traffic and logs/reports suspicious network activity. An IDS is usually installed at the edge of an organization’s networks. Network traffic coming from outside is examined for malicious activity. The IDS may not only examine the contents of the traffic, it can also look for traffic with a specific signature pattern — a sequence of packets matching the profile of a known attack. An intrusion prevention system (IPS) goes one step farther, and attempts to block suspicious traffic once it has detected it.

GPU – Graphics Processing Unit. A massively parallel board with many processing cores designed to run very similar operations in parallel for graphics acceleration – but very well suited to running brute force password cracking attempts over and over again.

Page 10

Terminology – Will He Never Finish?

Phishing [Wikipedia] – Attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising as a trustworthy entity in an electronic communication. [NV] Wide target audience and low success rate.

Spear Phishing – Something Tom Hanks got good at in “Castaway”

Spear Phishing – A carefully crafted phishing attack targeted at key individuals, and purporting to be from an organisation or person “the mark” would recognise and treat as genuine.

The Mark – Term I learned from “Hustle” for the rich stupid loser who will be considerably less rich at the end of the episode.

Page 11

How This Presentation Works

Page 12

Inform – Act – Resolve

I’ll present some key information and thoughts.

Look out for this symbol:

That topic will be included in the Cedar Security Assessment.

Page 13

Oracle Critical Patch Updates

Page 14

Critical Patch Updates - CPUs

What are they?

How do you get notifications?

How to ensure you can act on them.

How to understand them.

How to assess the impact.

How to decide what action to take.

Page 15

Terminology Of The Oracle CPU

CVE# (or Vuln# in older advisories) – The unique identifier of a vulnerability.

Protocol – The protocol required to attempt to exploit the vulnerability.

Remote Exploit Without Authentication? – Can the attacker attack the system remotely without having to supply valid login credentials?

CVSS Version Base Risk – The CVSS Base Score, an assessment of risk defined by the Common Vulnerability Scoring Standard (CVSS). The "Oracle's Use of CVSS Scoring" page explains Oracle's implementation. The CVSS base score assigns a numeric value between 0.0 and 10.0 to indicate the severity of the vulnerability, where 10.0 represents the highest severity. Each risk matrix is ordered using this value, with the most severe vulnerability at the top of each risk matrix.

Supported Versions Affected – Actually means the versions of the product on which Oracle is releasing fixes. Typically the latest version of PeopleTools and the previous one, for a period of time.

Page 16

Understanding The Attack Vectors

Knowing how the attacker will set about gaining unauthorized access

Consider in conjunction with vulnerabilities

Consider in conjunction with your deployed architecture

Internet-facing systems are at considerably more risk

Never forget internal attackers

Page 17

Data Encryption

Page 18

Different Types Of Encryption Configuration

Encrypt Data at rest – database encryption

Encrypt Data in transit – use HTTPS

Signed Certificates and their requests

Configuring WebLogic

Java keystore

REN server configuration

Page 19

Data Obfuscation

Implement data masking/obfuscation

Ensure production data does not exist in non-prod environments

Have a data obfuscation tool

Build data obfuscation into refresh procedures for Dev & Test environments

Page 20

Password Management

Page 21

Password Management Policy

Modify all administrative and super-user passwords

Never use default or well-known passwords

Implement an access and password management policy

Use a site-specific SALT value in the encryption of PeopleSoft passwords

Longest available length

Auto-generation with the largest character set

Rotation of passwords (i.e. change them regularly!)

Switch on all available password controls

Store admin passwords in a repository

Page 22

PeopleSoft Hardening

Page 23

Harden Your PeopleSoft Configuration

Security Basics

Ensure all passwords in Web Server, Application Server and Process Scheduler configuration files are encrypted

Enable Application Server domain authentication so that 3-tier connections to Tuxedo are protected by a password

Internet-facing PeopleSoft

Place a dedicated Web & Application server in a DMZ

Protect the Web & App server via a Reverse Proxy Server

Again - Think carefully about creating a Public Access user in the web profile – especially if PeopleSoft is internet-facing

Page 24

Harden Your PeopleSoft Infrastructure

Harden all application tiers

Follow Oracle’s advice for security hardening the WebLogic installation

If using HTTPS, consider disabling HTTP within WebLogic

Follow Oracle’s advice for security hardening the Tuxedo installation

If Web & App servers are on different machines, use Tuxedo JOLT encryption

Use minimally-privileged Operator IDs to start Application Servers and Process Schedulers

Page 25

Further Hardening Tasks

In the Application Server configuration file, suppress SQL error messages – they can provide attackers with useful information

Java keystore: Change the delivered password of the Java keystore

When generating signed certificate requests, use a different key password for each environment

Page 26

Don’t Forget Secure PS_HOME

Implement segregated PS_HOME, PS_APP_HOME and PS_CUST_HOME with differentiated security.

Enforce segregation of duties and allow configuration management and operations to continue without full software installation and patch privileges.

Page 27

Miscellaneous Hardening Tasks

Think carefully about creating a Public Access user in the web profile – especially if PeopleSoft is internet-facing

Check that the Web Profile does not have a custom property “auditPWD”, which enables debug and control settings

Disable <CNTRL>-J, which shows environment information that may be useful to attackers

Page 28

SSO

PeopleSoft SSO

If multi-pillar, implement PeopleSoft SSO

Integrated accounts and passwords mean less to remember and therefore fewer passwords written on PostIt™ sticky notes!

Users will appreciate the ease of use

Page 29

Logging For Security

Page 30

Make Sure You Know What Is Going On

Switch on detailed Web Server and App Server logging

Get as much detail as possible about user (or hacker) login activity

Create reports on the logs

Better still, think BIG DATA, machine data

Log files are rich in data but they are not particularly readable and can grow enormously if detailed tracing is enabled.

Mine those rich sources of security information with modern Big Data tools such as Splunk

“Why Splunk?” video

Page 31

Auditing Enhances Security

Enable PeopleSoft auditing of key security-sensitive information:

PeopleTools > Security

Administrative pages where admin accounts and passwords are maintained

PeopleTools 8.54 and beyond logs successful and unsuccessful login attempts in the PSPTLOGINAUDIT table

Run regular reports on this table

Page 32

Customising Securely

Page 33

Follow Best Practice When Customising

Make sure your customisations follow good security practice and do not introduce weaknesses. As a minimum:

Every component should have appropriate row-level security.

Defend against SQL injection. All user-entered data that is part of dynamic SQL must be isolated to a bind variable.

All user-entered HTML must be escaped.

All hidden page fields should have the Modifiable by HTML flag deselected, with the exception of those that are used to control the user interface.

User-entered file names should not contain complete or relative paths. (Keep paths and file names distinct.)
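An added Python illustration (not PeopleCode and not from the presentation) of three of the rules above, using an in-memory SQLite table whose schema and rows are assumptions: dynamic SQL built by concatenation beside the same query with a bind variable, HTML escaping of user-entered text, and rejection of user-entered file names that carry a complete or relative path.

```python
import html
import os
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application record (schema and rows assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ps_emp (emplid TEXT, name TEXT, deptid TEXT)")
    con.executemany("INSERT INTO ps_emp VALUES (?, ?, ?)",
                    [("1001", "Ann", "FIN"), ("1002", "Bob", "HR"), ("1003", "Cy", "FIN")])
    return con


def lookup_concatenated(con, emplid: str) -> list:
    """Vulnerable: user input is glued into the SQL text, so it can rewrite the WHERE clause."""
    sql = "SELECT emplid, name FROM ps_emp WHERE emplid = '" + emplid + "'"
    return con.execute(sql).fetchall()


def lookup_bound(con, emplid: str) -> list:
    """Hardened: user input is isolated to a bind variable and compared as data only."""
    return con.execute("SELECT emplid, name FROM ps_emp WHERE emplid = ?", (emplid,)).fetchall()


def render_name(name: str) -> str:
    """Escape user-entered text before it is placed in HTML."""
    return html.escape(name, quote=True)


def safe_file_name(user_input: str) -> str:
    """Accept only a bare file name; complete and relative paths are rejected."""
    if (not user_input or user_input in (".", "..") or "/" in user_input
            or "\\" in user_input or user_input != os.path.basename(user_input)):
        raise ValueError("file name must not contain a path")
    return user_input


if __name__ == "__main__":
    con = build_db()
    hostile = "1001' OR '1'='1"  # constructed injection attempt
    print(lookup_concatenated(con, hostile))  # three rows: the WHERE clause was rewritten
    print(lookup_bound(con, hostile))  # no rows: the input is just an unmatched string
    print(render_name("<b>Ann</b>"))
```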

Page 34

Adding Layers Of Security

Page 35

Third-Party Security Products

Consider third-party technology enhancement solutions:

Distributed Access Management – Why is x logging in at 2am? Why is x logging in from a remote location?

Two-Factor/Step-Up Authentication

Additional base password controls

Firewall technology
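The regular login reports recommended on the logging and auditing slides and the two questions under Distributed Access Management above can be answered from the same data. This is an added Python example, not from the presentation: it runs three checks over constructed login records (the field layout is an assumption; map it to your own PSPTLOGINAUDIT extract or web/app server logs) for password-guessing bursts of failed logins, successful logins outside business hours, and successful logins from outside the assumed internal address range.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login records (timestamp, user id, outcome, client address);
# the fields are assumptions for this example, not a real PSPTLOGINAUDIT extract.
SAMPLE_LOGINS = [
    ("2017-05-02 08:55:10", "ASMITH", "SUCCESS", "10.20.1.15"),
    ("2017-05-02 09:01:43", "BJONES", "FAIL", "10.20.1.77"),
    ("2017-05-02 09:01:51", "BJONES", "FAIL", "10.20.1.77"),
    ("2017-05-02 09:02:05", "BJONES", "FAIL", "10.20.1.77"),
    ("2017-05-02 09:02:12", "BJONES", "FAIL", "10.20.1.77"),
    ("2017-05-02 09:02:20", "BJONES", "FAIL", "10.20.1.77"),
    ("2017-05-02 09:03:00", "BJONES", "SUCCESS", "10.20.1.77"),
    ("2017-05-03 02:14:30", "ASMITH", "SUCCESS", "203.0.113.9"),
]


def parse(records):
    """Raw tuples -> (datetime, user, status, ip), oldest first."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, status, ip)
                  for ts, user, status, ip in records)


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Users with >= threshold failed logins in any sliding window: password guessing."""
    recent, flagged = defaultdict(deque), set()
    for ts, user, status, _ in parse(records):
        if status != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # discard attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(user)
    return flagged


def off_hours_logins(records, start_hour=7, end_hour=19):
    """Successful logins outside the business day ('why is x logging in at 2am?')."""
    return [(ts.strftime("%Y-%m-%d %H:%M:%S"), user) for ts, user, status, _ in parse(records)
            if status == "SUCCESS" and not start_hour <= ts.hour < end_hour]


def logins_from_outside(records, internal_prefixes=("10.",)):
    """Successful logins from outside the assumed internal address ranges."""
    return [(user, ip) for _, user, status, ip in parse(records)
            if status == "SUCCESS" and not ip.startswith(internal_prefixes)]
```

A burst of failures followed by a success, as with BJONES here, is the pattern worth reviewing first, since it is what a successful guess looks like in the audit table.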

Page 36

Layered Security for PeopleSoft

Page 37

Building Security Into Processes

Page 38

Security Profiles And Their Management

Review security profiles

Minimum permissions only

Segregation Of Duties (SOD)

On-boarding and off-boarding processes

Page 39

Cedar Security Solutions

Page 40

So What’s To Be Done?

Remember Pareto – You could probably reduce or eliminate 80% of your threat exposure by taking just 20% of all the possible actions.

What is the garden peas link?

In 1896 economist Vilfredo Pareto observed that 20% of his garden peapods contained 80% of the peas and that 80% of Italy was owned by 20% of the population.

Page 41

Implement Defence In Depth Security

Like a castle, data needs multiple rings of defence.

Diagram labels: Procurement, HR, Financials; End Users; Application Administrators; Application Security Administrators; DBAs & Sys Admins; “Hackers”

Page 42

Taking The First Step

Short, highly targeted security assessment

Covers the 80% of vulnerabilities

Delivers an assessment report with recommended actions and estimated remedial effort

Cedar Security Assessment

Page 43

The Cedar Security Assessment – Recap of Coverage

Degree of PeopleSoft Hardening

Password Controls

CPU level and current exposure

Architecture

Processes

Page 44

The Cedar Security Assessment - Requirements

Administrator access to the system

PeopleSoft server access

(Visibility of passwords)

(Exact current versions of PeopleTools and supporting technologies)

Page 45

The Cedar Security Assessment – Duration & Deliverables

2-Day audit and assessment

Remediation report listing remediation actions and estimated effort to complete:

Password Management

Hardening of the PeopleSoft configuration

Encryption

Security patching, CPUs and recommended CPU actions

Page 46