Security With PeopleSoft
Transcript of Security With PeopleSoft
-
7/27/2019 Security With PeopleSoft
1/46
S317424
Analysis of a Threat and How to Protect Your Data
Greg Kelly
Product Strategy Manager, PeopleTools
THE FOLLOWING IS INTENDED TO OUTLINE OUR GENERAL PRODUCT DIRECTION. IT IS INTENDED FOR INFORMATION PURPOSES ONLY, AND MAY NOT BE INCORPORATED INTO ANY CONTRACT. IT IS NOT A COMMITMENT TO DELIVER ANY MATERIAL, CODE, OR FUNCTIONALITY, AND SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. THE DEVELOPMENT, RELEASE, AND TIMING OF ANY FEATURES OR FUNCTIONALITY DESCRIBED FOR ORACLE'S PRODUCTS REMAINS AT THE SOLE DISCRETION OF ORACLE.
Securing Your PeopleSoft Environment
Agenda
Traditional Defense
Anatomy of an Attack
De-Perimeterization: New Approach to Defense
More Information
Traditional Defense
Fortress Mentality
Firewalls
DMZ(s)
VLANs
Segregated Network Segments
Sample Layout
http://wiki.oracle.com/page/Securing+Your+PeopleSoft+Application+-+Index+Page
Anatomy of Attack - Harvesting
Initial Research
Company Site
About Us Page(s)
Social Networking Sites, e.g.
Facebook
Twitter
Dumpster Diving
Social Engineering (Kevin Mitnick)
Anatomy of Attack - Creating Bots
Phishing (spear)
Upload Code
Taking Control
Sample Spam/Phishing email

From                   Subject
2Airline-Tickets       Someone has sent you 2 Southwest-Airlines Tickets
Career Placement       Ready for A Second JOB - FINANCIAL AID For A Career
College Grants         Thousands of Dollars in college Grants are awarded to people like you
creditreport.com       View updates to your Credit Report
Final Notice           "Walmart Coupon inside!"
Final Notice           FREE FedEx Delivery; Tell us where to send your DELLXPS Laptop!!
FinancialAid           "Scholarships & Grants are available"
Flying Spree           Our Records Indicate You may Have 2 Southwest Airlines Tickets
freecreditreport.com   View updates to your Credit Report
Laptop Notification    "Test it Free! A Dell package will be shipped to your door!"
[email protected]      Hello!!

Which eMails would your users open?
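As an added example (not from the deck), the Python below runs a small triage heuristic over the slide's own From/Subject pairs, embedded as a constructed sample with the redacted address kept as the slide shows it. The indicator patterns and weights are my assumptions, chosen to make visible why each of these messages reads as a lure (something-for-nothing bait, pressure to act, shouting, and a brand named in the subject that the sender does not match); they are a starting point for a mail-gateway rule review or an awareness-training discussion, not a production filter.

```python
import re

# Constructed sample: the From / Subject pairs shown on the slide
# (the redacted address is reproduced as the slide shows it).
SAMPLE_MESSAGES = [
    ("2Airline-Tickets", "Someone has sent you 2 Southwest-Airlines Tickets"),
    ("Career Placement", "Ready for A Second JOB - FINANCIAL AID For A Career"),
    ("College Grants", "Thousands of Dollars in college Grants are awarded to people like you"),
    ("creditreport.com", "View updates to your Credit Report"),
    ("Final Notice", '"Walmart Coupon inside!"'),
    ("Final Notice", "FREE FedEx Delivery; Tell us where to send your DELLXPS Laptop!!"),
    ("FinancialAid", '"Scholarships & Grants are available"'),
    ("Flying Spree", "Our Records Indicate You may Have 2 Southwest Airlines Tickets"),
    ("freecreditreport.com", "View updates to your Credit Report"),
    ("Laptop Notification", '"Test it Free! A Dell package will be shipped to your door!"'),
    ("[email protected]", "Hello!!"),
]

# Indicator patterns and weights: assumptions made for this example, not a vendor rule set.
LURE = re.compile(r"\b(free|tickets?|grants?|coupon|scholarships?|laptop|credit report|dollars)\b", re.I)
URGENCY = re.compile(r"\b(final notice|ready for|records indicate|test it)\b", re.I)
SHOUTING = re.compile(r"\b[A-Z]{3,}\b")              # whole words in capitals
BRANDS = ("southwest", "fedex", "dell", "walmart")   # brands named in the samples
WEIGHTS = {"lure": 2, "urgency": 2, "exclamations": 1, "shouting": 1, "brand-mismatch": 2}


def score_message(sender, subject):
    """Return (score, reasons) for one message from its display name and subject."""
    reasons = []
    text = f"{sender} {subject}"
    if LURE.search(text):
        reasons.append("lure")             # something-for-nothing bait
    if URGENCY.search(text):
        reasons.append("urgency")          # pressure to act before thinking
    if subject.count("!") >= 2:
        reasons.append("exclamations")
    if SHOUTING.search(subject):
        reasons.append("shouting")
    # A brand named in the subject but absent from the sender name suggests impersonation.
    if any(b in subject.lower() and b not in sender.lower() for b in BRANDS):
        reasons.append("brand-mismatch")
    return sum(WEIGHTS[r] for r in reasons), reasons


def rank_messages(messages):
    """Sort messages by descending score so the most lure-like float to the top."""
    scored = []
    for sender, subject in messages:
        score, reasons = score_message(sender, subject)
        scored.append((score, sender, subject, reasons))
    return sorted(scored, key=lambda row: row[0], reverse=True)


if __name__ == "__main__":
    for score, sender, subject, reasons in rank_messages(SAMPLE_MESSAGES):
        print(f"{score}  {sender:<22} {subject[:50]:<50} {', '.join(reasons)}")
```

The "FREE FedEx Delivery" message scores highest because it trips every indicator at once; the bare "Hello!!" scores lowest, which is the point of the slide's question: a user who opens on curiosity alone is not protected by any subject-line heuristic, so awareness training has to sit beside the gateway rules.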
Anatomy of Attack - Building Database
Dictionary Attack
Rules
Indicators
Anonymous BIND to local LDAP
Which Wi-Fi would you choose?
Anatomy of Attack - Probing
System Under Control
Probe Infrastructure
Probe Typical Vulnerabilities
Sample Available Web Servers
from http://www.netcraft.com
Anatomy of Attack - Building the Attack
User Credential Database
Known Vulnerabilities
Local LDAP
Build Out Control
No Time Limit
How long does it take to crack passwords anyway?

Password Time to Crack Based on Class of Attack

Len  Combinations  Class A     Class B    Class C   Class D   Class E   Class F
3    884,736       88 Secs     9 Secs     Instant   Instant   Instant   Instant
4    85 Mn         2 Hours     14 Mins    1 Mins    8 Secs    Instant   Instant
5    8 Bn          9 Days      22 Hours   2 Hours   13 Mins   1 Mins    8 Secs
6    782 Bn        2 Yrs       90 Days    9 Days    22 Hours  2 Hours   13 Mins
7    75 Trn        238 Yrs     24 Yrs     2 Yrs     87 Days   8 Days    20 Hours
8    7.2 Qn        22,875 Yrs  2,287 Yrs  229 Yrs   23 Yrs    2 Yrs     83 Days

Example: Class E = 100,000,000 passwords/sec - workstation, or multiple PCs working together.

Character set: mixed upper and lower case alphabet plus numbers and common symbols
(0123456789 AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz !"#$%&'()*+,-./:;?@[\]^_`{|}~).
Source: http://www.lockdown.co.uk/?pg=combi (Licensed under a Creative Commons Attribution-ShareAlike 2.0 License.)
How many computers could possibly be working together?
"Corporations, agencies infiltrated by botnet" - Jordan Robertson, AP Technology Writer, Friday, February 19, 2010
http://lubbockonline.com/stories/021910/bus_565096614.shtml
"... Security experts have found a network of 74,000 virus-infected computers that stole information from inside corporations and government agencies. The unusual thing about the incident is not that it happened but that it was discovered, and it is a reminder of the dangers of having computers with sensitive data connected to the open Internet"
Issues with Internet Explorer
Scripts in Text Files
Temporary Internet Files Folder and disabled caching
De-Perimeterization
"The huge explosion in business collaboration and commerce on the Web means that today's traditional approaches to securing a network boundary are at best flawed, and at worst ineffective.
Examples include:
bypass them altogether
IT products that cross the boundary, encapsulating protocols within Web protocols
Security exploits that use email and Web to get through the perimeter"
- The Jericho Forum, under the auspices of The Open Group
Defense at the Core
Transparent Data Encryption (TDE)
Oracle Advanced Security Option (ASO)
Data at Rest
Hardware Security Module
Protects Against Forensic and Direct File Access
Oracle Database Vault
Oracle Audit Vault
Oracle Enterprise Manager Data Masking
For Non-Production DB Copies
Core Protection (diagram: Audit Vault and Database Vault around the Database)
Core Protection
Monitoring: Configuration Management, Oracle Audit Vault, Total Recall
Access Control: Oracle Database Vault, Label Security
Encryption & Masking: Advanced Security, Secure Backup, Data Masking
Enterprise Manager Data Masking (diagram: Production DB -> EM Data Masking -> Dev DB, Test DB, Training DB)
Defense in the Business Logic Layer
ASO Network Encryption
Data in Flight
Oracle Applications Access Controls Governor
(Oracle Information Rights Manager for PS-Reports)
Quis custodiet ipsos custodes?
3 people can keep a secret if 2 of them are dead.
Protection in the Business Logic Layer (diagram: Protected DB, ASO, Application (Business Logic) Server, OAACG, OTCG)
Defense in the Presentation (Web) layer
Oracle Access Manager
Oracle Identity Manager
Oracle Adaptive Access Manager
PeopleTools 8.50 Delivered Additional Security Enhancements
SAML for Web Services
JNDI Libraries for LDAP and LDAPS
FTPS Support (FTP over secure transport)
Enhanced User Profile Synchronization
De-Coupled PS_HOME
PDF Encryption with XML Publisher
Support for Server Based Virus Scanning Engines
Customer Configured TDE Algorithm
PET Support for Encrypting the Encryption Keys and Secure Data Wipe
Additional Hardening
PeopleTools 8.51 Features: Security
User Security
Extended Password Controls
Multiple Session Detection
Kerberos Signon SDK
Data Security
Support for Transport Layer Security
Support for SFTP and FTPS
Common Questions
Vulnerability Testing
NIST FIPS 140-2
Update to Securing Your PeopleSoft Environment
Issues without hardening
Critical Patch Update
Addressing Reported and Discovered Vulnerabilities
More Information
PeopleTools 8.50 Viewlets Now Available via oracle.com
http://www.oracle.com/applications/peoplesoft/tools_tech/ent/ptools/index.html
or direct http://download.oracle.com/peopletools/viewlets.html
Get helpful insights on many PeopleTools and Collaboration Framework features.
Topic Areas: Web Services & Integration Broker; Life cycle Management; Enterprise 2.0 and User Interface; Platforms; Reporting; Security; PeopleTools for the Developer; General PeopleTools
More Information
PeopleTools Strategy eMail
PeopleTools on Oracle Wiki
http://wiki.oracle.com/page/PeopleSoft
PeopleSoft discussion forums
PeopleTools Blog landing page
http://blogs.oracle.com/peopletools
Open Group Jericho Forum "de-perimeterization":
http://www.opengroup.org/jericho/deperim.htm
Oracle's Critical Patch Update
http://www.oracle.com/security/critical-patch-update.html
Not getting Security and other Alerts?
Go to OTN - Oracle Technology Network: http://www.oracle.com/technology/index.html
Look at the upper right hand corner ( Account | Manage Subscriptions | Sign Out )
Make sure you're logged in, then click on Manage Subscriptions
Scroll down to Opt-in to Oracle Communications
Check the box for Oracle Security Alerts - Get the latest Security Alerts issued by Oracle as they become available... and any other alert or newsletter you want to receive
Scroll down to the end of the page and "Confirm"
Additional Resources
For more information about Oracle Applications
http://www.oracle.com/us/products/applications/peoplesoft-enterprise/index.htm
For more information about Education
http://www.oracle.com/education/index.html
For more information about Support
http://www.oracle.com/support/
http://support.oracle.com
For Oracle Product documentation:
http://www.oracle.com/applications/peoplesoft/tools_tech/ent/index.html
Certification Information on My Oracle Support Doc id=747587.1
Technical Updates on My Oracle Support Doc id=764222.1
PeopleTools 8.50 Information Development Deliverables
PeopleTools 8.50 Documentation Homepage: Includes direct links to PeopleBooks, PeopleBook Updates, Release Notes, Installation and Upgrade Guides, and more. All accessible from one convenient My Oracle Support location.
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=847882.1
PeopleTools 8.50 Hosted PeopleBooks: Access a searchable HTML installation of our PeopleTools 8.50 PeopleBook suite. This hosted solution lets you access PeopleBooks using the help link in your applications without having to install PeopleBooks on your own server.
http://www.oracle.com/pls/psft/homepage
PeopleTools Cumulative Feature Overview Tool: Dynamic tool provides concise descriptions of new and enhanced solutions and functionality that have become available between your starting and target releases. The CFO tool can be found on My Oracle Support ... Pages.
PeopleTools 8.50 Available Training
PeopleTools 8.50 classes available now:
PeopleSoft PeopleTools I Rel 8.50
PeopleTools II Rel 8.50
PeopleTools I/PeopleTools II - Accelerated Rel 8.50
PeopleSoft PeopleCode Rel 8.50
Application Engine Rel 8.50
PeopleCode/SQR Accelerated Rel 8.50
PeopleCode/Application Engine Accelerated Rel 8.50
To view a schedule of these classes or new upcoming classes visit Oracle University: go to oracle.com/education
Related Sessions and More Information
PeopleTools Sessions of Interest
Monday

Time   Title                                                          Number    Location
11:00  Improving ROI by Mastering PS Upgrade Tools & Resources        S318203   W2018
       PeopleTools 8.50 Upgrade: Details of a Well Managed Project    S317421   W2014
2:00   PeopleSoft Enterprise Release 9.1 Adoption and Roadmap         General   W3002
3:30   Oracle FMW for Oracle Applications Unlimited - Answers         S318064   W2014
       PeopleTools Tips and Tricks                                              Marriott
PeopleTools Sessions of Interest
Tuesday

Time   Title                                                          Number    Location
11:00  PeopleTools Product Roadmap                                    General   W3010
12:30  PeopleTools Dev Series: Building & Consuming Web Services      S317431   Marriott
       PeopleTools 8.51 Highlights: PeopleTools in Action             S317433   W2014
2:00   PeopleTools Dev Series: Mastering PS Reporting Tools           S317427   Marriott
       PeopleTools Insight: Maximize Your PeopleSoft ...
3:30   Setting an Enterprise 2.0 Strategy with PS Portal              S317437   Marriott
5:00   PeopleTools Insight: Defining a BI Strategy                    S317445   Marriott
       PeopleTools Dev Series: Secure Coding Practices                S317430   W2016
PeopleTools Sessions of Interest
Wednesday

Time   Title                                                          Number    Location
10:00  PeopleTools 8.51 Highlights: Simplify Upgrade & Maintenance    S317434   W2014
       Performance Techniques for the PS Middle Tier                  S317420   W3002
11:30  PeopleTools 8.50 Beta Customers: One Year Later                S317446   W2014
1:00   PeopleTools Dev Series: Application Performance Tips           S317426   W2014
       PeopleTools Insight: Implement Data Governance & Compliance
4:45   Making the Most of PS Query                                    S317455   W2016
       PeopleTools Dev Series: Building a Custom Mobile App           S317432   W2014
PeopleTools Sessions of Interest
Thursday

Time   Title                                                          Number    Location
9:00   PeopleTools 8.51 Highlights: PeopleSoft Integration Broker     S317435   W2014
       Platform Update for PeopleSoft Enterprise                      S317422   W3002
       PeopleTools Product Roadmap                                    S317436   W3005
10:30  Best Practices for Managing Your PeopleSoft Applications       S317034   Marriott
       The New Experience: Enterprise 2.0 Ecosystem
       Building Mobile Solutions for Oracle Apps: Tech Insight        S317110   W2020
12:00  Monster Mashups: Related Content in PeopleSoft Apps            S317448   W2014
       PeopleTools Product Team Panel Discussion                      S317439   W3002
1:30   PeopleTools Insight: The Value Prop of Oracle Technology       S317438   W3002
       Secure PeopleTools: Analysis of a Threat & Data Protection     S317424   W2014
3:00   Bring Your PeopleSoft Apps to Life with Web 2.0                S317450   W3002
       PeopleSoft Integration Broker Secrets                          S317425   W2014
Oracle PeopleSoft PeopleTools in Moscone South
Oracle PeopleSoft PeopleTools Demo Pods
S-106 PeopleSoft PeopleTools Integration Technologies
S-107 PeopleSoft PeopleTools
S-110 PeopleSoft PeopleTools Reporting Solutions
PSFT Hyperion UPK
Useful Links
Oracle Software Security Assurance
http://www.oracle.com/security/software-security-assurance.html
PeopleSoft Enterprise Applications
http://www.oracle.com/peoplesoft (look for "PeopleSoft Information Portal" link)
Secure Development Process
Critical Patch Update
External Security Validations
Security Information and Best Practices
2010 Oracle Corporation Proprietary and Confidential
Security Solutions From Oracle
http://www.oracle.com/security
PeopleSoft Technology Blog
http://blogs.oracle.com/peopletools (check the links >>>)
Learn More: PeopleSoft Information Development Resources
Hosted & Mobile PeopleBooks - PeopleTools PeopleBooks are available in three formats: Hosted PeopleBooks, PDFs, and Amazon's Kindle format. All can be accessed here:
http://www.oracle.com/technetwork/documentation/psftent-090284.html
Doc Home Pages - constantly updated direct links to PeopleBooks, PeopleBook Updates, Release Notes, Installation and Upgrade Guides, and other useful product documentation, all accessible from one My Oracle Support location.
PeopleTools 8.51 Documentation Home Page [ID 1127534.1]
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1127534.1
Information Portal - locate the documentation, training, and other info needed to help with your implementation process. Customers searching for this information should make this their first online destination.
http://www.oracle.com/us/products/applications/054275.html
Learn More: PeopleSoft Information Development Resources
Cumulative Feature Overview (CFO) - Providing concise descriptions of new and enhanced solutions and functionality that have become available starting with the 8.4 release through our latest 8.51 release.
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=SYSTEMDOC&id=793143.1
Upgrade Resource Report Tools - helps you find all the documentation, scripts, and files you need for your upgrade project.
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=SYSTEMDOC&id=1117047.1
Follow us on @PeopleSoft_Info