Have Your Peoplesoft System Been Hacked - 2013
Have your PeopleSoft systems been hacked?
GreyHeller LLC
©GreyHeller, LLC All Rights Reserved
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Agenda
Introductions
What you read in the Press
Identity and Password Management
Data Security
Process Security
Incident Response
Logging and Analysis
Company Highlights
• Founded by the people who ran PeopleTools
• PeopleTools strategists and developers since 1994
• Deep PeopleSoft software development skills and DNA
• Nearly 100 customers (US; Canada; UK; EU; Australia; Asia; Africa; South America)
• Beta test partner: PeopleTools 8.53 & Applications 9.2
• 2011 & 2012 Oracle Customer Advisory Board
• PeopleSoft ecosystem – Blog; Webinars; Conference training
Software Solutions
Mobile for PeopleSoft
Any PeopleSoft page / customization... automatically
Single code version: iOS; Android; Blackberry; Windows 7
Highly secure
Single Signon
ERP Firewall
Version Control
Excel Add-in
Customers
Unilever
US. Dept of State
Pfizer
University of North Carolina at
Chapel Hill
University of Arkansas
Cambridge University
Philip Morris
Chesapeake Energy
Lazard, Ltd.
Texas Christian Univ
QVC
Arizona State University
US Dept. of Energy
HealthSouth
Robert Half International
MMI Holdings
Stony Brook University
Methanex
Univ. of Oklahoma – Health
Sciences Center
University of Central Florida
BCD Travel
Jones Lang LaSalle
University of Montreal
Ryerson University
Berlin Packaging
Frostburg State Univ
University of Kansas
University at Buffalo
AgFirst Bank
Incyte
Amedisys
Quintiles
DLA Piper
GEICO
Logistics Health
Barnabas Health
What you read in the press
SQL Injection
Cross Site Scripting
Content Spoofing and Injection
Authentication and Authorization
Directory Indexing
Information Leakage
PeopleTools as a platform
Security is enforced consistently.
A central team within PeopleTools specializes in security.
Vulnerabilities are addressed without requiring redevelopment of business logic: changes are made in the platform, and the vulnerability is addressed platform-wide immediately.
SQL Injection
Repercussions
Gather sensitive data
Make unauthorized updates to application data
Escalate privileges and/or bypass system controls
Cause service interruption
Mitigated in PeopleTools by
PeopleTools does not concatenate form fields to create the SQL it issues.
The types of the form fields are known to PeopleTools, so each entry is validated on size and type.
Watch out for SQLExec calls, where the developer builds the SQL string. Mitigate by change management procedures.
Cross site scripting
Occurs when an unauthorized form mimics a form within the application to fool it into allowing unauthorized updates.
Addressed in PeopleTools by embedding a random token in each PeopleSoft page that the web server validates before accepting it.
Content Spoofing and Injection
Modifies traffic between the site and the browser to find an opportunity to gain unauthorized access or to escalate privileges.
Examples include:
Modifying the URL in unexpected ways
Altering or removing HTML headers
Altering or removing cookies
Altering the HTML or XML content
PeopleTools acts as the single controller for traffic.
Content Spoofing and Injection
Can be bypassed with improper coding practices:
Using an HTTP header to maintain the identity of the user for single signon.
Using a GET request parameter with the SQLExec function.
Common location-based security mistakes:
Restricting the portal navigation as a way of enforcing location security.
Using headers to identify the source of traffic.
Common Remediations:
Review any headers that are available on the client.
Use a change management process to review all logic related to the %Request.GetParameter() function as well as SQLExec functions.
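One way to do the review the remediation above calls for (and to catch the SQLExec concatenation the SQL Injection slide warns about), as an added example that is not GreyHeller's or PeopleSoft's code: a Python scan over PeopleCode source that flags SQLExec/CreateSQL statements whose SQL string is assembled with the | concatenation operator, rates them higher when a %Request.GetParameter value flows in, and flags %Request.GetHeader use. The sample PeopleCode, record names and header name are constructed for illustration.

```python
import re

# Constructed sample of custom PeopleCode, as a change-management reviewer
# might see it in a migration package. Not real application code.
SAMPLE_PEOPLECODE = """\
Local string &emplid = %Request.GetParameter("emplid");
Local string &name;
SQLExec("SELECT NAME FROM PS_NAMES WHERE EMPLID = '" | &emplid | "'", &name);
Local string &user = %Request.GetHeader("X-Remote-User");
SQLExec("SELECT NAME FROM PS_NAMES WHERE EMPLID = :1", &emplid, &name);
&rs = CreateSQL("SELECT DEPTID FROM PS_JOB WHERE DEPTID = '" | &dept | "'");
"""
PARAM_ASSIGN = re.compile(r"(&\w+)\s*=\s*%Request\.GetParameter\(", re.I)
HEADER_USE = re.compile(r"%Request\.GetHeader\(", re.I)
SQL_CALL = re.compile(r"\b(SQLExec|CreateSQL)\s*\((.*)$", re.I)

def first_argument(args):
    """Text of the first argument: up to the first comma or close paren outside quotes."""
    in_str, depth = False, 0
    for i, ch in enumerate(args):
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")" and depth > 0:
            depth -= 1
        elif not in_str and ch in ",)" and depth == 0:
            return args[:i]
    return args

def review_peoplecode(source):
    """Return (line, severity, message) findings for SQL built by concatenation
    and for identity taken from client-controlled headers."""
    findings, tainted = [], set()
    for lineno, line in enumerate(source.splitlines(), 1):
        if m := PARAM_ASSIGN.search(line):
            tainted.add(m.group(1).lower())  # value came straight from the request
        if HEADER_USE.search(line):
            findings.append((lineno, "MEDIUM",
                             "%Request.GetHeader: headers are client-controlled; do not use them for identity"))
        if m := SQL_CALL.search(line):
            sql_arg = re.sub(r'"[^"]*"', '""', first_argument(m.group(2)))  # blank out literals
            if "|" in sql_arg:  # PeopleCode string concatenation outside any literal
                used = sorted(v for v in set(re.findall(r"&\w+", sql_arg)) if v.lower() in tainted)
                detail = f" of request parameter {', '.join(used)}" if used else ""
                findings.append((lineno, "HIGH" if used else "MEDIUM",
                                 f"{m.group(1)} SQL built by concatenation{detail}; use :1 bind variables"))
    return findings
```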
Authentication and Authorization
Identity management processes and controls
Password storage, management, and controls
Privilege management
Consistent application controls
PeopleTools enforces security
Information Leakage
To aid in development and troubleshooting, information about the configuration and version of parts of the system needs to be accessible at times. However, making this information publicly available can help attackers find vulnerabilities.
Access to this information is not controllable by developers but by the PeopleTools platform itself, in the web profile. Therefore, we recommend that the web profile settings of the production web servers be audited to ensure that the settings that provide this information are turned off.
Discussion Points
Identity and Password Management
Data Security
Process Security
Incident Response
Logging and Analysis
Identifying and Authenticating Users
Risks
User IDs and passwords
Users can have privileges that are not appropriate for them
Lack of visibility into inappropriate use of user ids, passwords, or privileges
Categories
User Account and Identity Management
Processes that surround user identity and role changes
Differentiated levels of trust and re-authentication
Password Controls
Centralize user credentials, password controls, and authentication process (Single Signon)
One place to protect the user account information
One ID across different University systems
Password controls enforced consistently
Changes in access administered and enforced in a single place
One Identity for System Access regardless of role
Risks:
Password controls are not enforced consistently, and users must remember the credentials for each account
Changes in the user’s identity and access must often be applied manually to both accounts
It is more difficult to audit users’ actions across the different accounts.
Controls over account provisioning process
Batch Processes
Processes for controlling changes in user identity
Student Self-Service Access: Risk limited to the individual student
Faculty and Student Intern Access: Risk related to activities that faculty and interns perform for students or the University, such as grading and advising
Functional Administrator Access: Risk related to operations of the system in a functional area
System Administrator Access: Risk related to the operations of the PeopleSoft environment
End-user Support Access: Risk related to the scope of tasks that can be performed
Developer Access: Risk related to changes and to the data that the developer can access
Key Activities
Provisioning of a new individual
Termination
Transfer
Assumption of new responsibilities
Login attempt capture and analysis
Identify Suspicious Activity
Identification of accounts targeted in attacks
Identification of potentially compromised accounts
Early identification of organized attacks
Identification of sources of attacks
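The login-attempt analysis described above, as an added Python example that is not part of the deck or of GreyHeller's products: it runs over a constructed login log carrying the fields the deck later lists under Powerful Logging (date, time, IP address, Oprid, result) and reports accounts targeted by repeated failures, source IPs failing against many accounts, and accounts whose successful login follows such activity. The thresholds, IP addresses and Oprids are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample login log (date, time, IP address, Oprid, result). Not real data.
LOGIN_LOG = """\
2013-10-02 08:00:01 203.0.113.7 JSMITH FAIL
2013-10-02 08:00:03 203.0.113.7 JSMITH FAIL
2013-10-02 08:00:05 203.0.113.7 JSMITH FAIL
2013-10-02 08:00:09 203.0.113.7 JSMITH SUCCESS
2013-10-02 08:01:00 203.0.113.7 MJONES FAIL
2013-10-02 08:01:02 203.0.113.7 ALEE FAIL
2013-10-02 09:15:00 198.51.100.2 MJONES FAIL
2013-10-02 09:15:20 198.51.100.2 MJONES SUCCESS
2013-10-02 10:00:00 192.0.2.44 ALEE SUCCESS
"""
FAILS_PER_ACCOUNT = 3    # failures against one Oprid before it counts as targeted (assumed)
ACCOUNTS_PER_SOURCE = 3  # distinct Oprids one IP fails against before it counts as a source

def parse_log(log):
    """Return (timestamp, ip, oprid, result) tuples in time order."""
    events = []
    for line in log.splitlines():
        date, time, ip, oprid, result = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), ip, oprid, result))
    return sorted(events)

def analyze_logins(log):
    """Return targeted accounts, attack sources and potentially compromised accounts."""
    events = parse_log(log)
    fails_by_account = Counter()
    accounts_by_source = defaultdict(set)
    for _, ip, oprid, result in events:
        if result == "FAIL":
            fails_by_account[oprid] += 1
            accounts_by_source[ip].add(oprid)
    targeted = {a for a, n in fails_by_account.items() if n >= FAILS_PER_ACCOUNT}
    sources = {ip for ip, accts in accounts_by_source.items() if len(accts) >= ACCOUNTS_PER_SOURCE}
    # A success from a flagged source, or one that follows a burst of failures against
    # the same account from the same IP, marks the account as potentially compromised.
    compromised, burst = set(), Counter()
    for _, ip, oprid, result in events:
        if result == "FAIL":
            burst[(ip, oprid)] += 1
        elif ip in sources or burst[(ip, oprid)] >= FAILS_PER_ACCOUNT:
            compromised.add(oprid)
    return {"targeted_accounts": targeted, "attack_sources": sources, "compromised_accounts": compromised}
```

A single mistyped password followed by a success from an unflagged address (MJONES in the sample) is left alone, so the report stays focused on the organized activity the slide is about.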
Protecting Application Data
Controls over how data is stored
Controls over how data is accessed
Controls over how data is moved
Focus on Roles
End-User
Administrator
Developer
DBA
Administrator Best Practices
Hiding or Masking sensitive data
Externalizing sensitive data from the application
Policies for exporting and storing data
Stewardship
Controlling storage and access
Single control point over access (real time)
Controlling PS/Query Access
Controlling Access to PeopleSoft Functions
The areas to consider within each type of user include:
Protecting against actions performed by an unauthorized user with a valid account
Protecting against actions performed by an authorized user with an authorized account
Protecting against system changes that could allow privilege escalation
Mitigation Techniques
Controlling access to a machine with an open session or saved credentials
Controlling access to administrative functions that could compromise business functions or cause privilege escalation
Providing audits and controls over high risk functions
Best Practice: 2-factor authentication
Two of the three standard authentication factors:
Something the user knows (password, PIN, pattern)
Something the user has (phone, email account, USB key, smart card, SecurID token)
Something the user is (biometric characteristic)
Common Tokens
Connected token
Smart card reader
USB token
Fingerprint scanner
Disconnected token
Secure ID token
Email
SMS
IVR
Mobile App
Best Practice: Differentiated Levels of Trust
Based on the following attributes:
Location from which access is being performed
Device from which the user is accessing the system
User
History of access
Location Attributes
Access from a campus office with keycard access
Access from campus locations that have wired connections
Access from campus locations that are accessed wirelessly
Access from non-campus locations, but in the community of the campus
Access from other US locations
Access from other countries
Device Attributes
User Attributes
History Attributes
Setting the Levels
Banding sets of session attributes into levels of trust.
Banding PeopleSoft functionality into the different levels of access.
Functionality should be analyzed with the following in mind:
Can it be used for privilege escalation?
Can it be used fraudulently to benefit or damage students, faculty, administration or the University?
Are there other processes in place to review or approve changes made?
The results of this banding will group PeopleSoft functionality into how it will be provided:
Allowed with any valid session
Allowed with a valid session and an additional factor of authentication
Disallowed for the current session
Other Best Practices
Temporary access to high risk functions
Well defined policies and training over administrative use
Release process over configuration settings
Developer and Tester Best Practices
Limit developer access to production
Change Management solution for development tasks
Automating migrations into production with segregation of duties
Removal of PeopleSoft-delivered accounts and roles
Audit and controls over development and testing accounts and permissions in production
Test Automation
Develop and test scripts instead of running SQL directly in production
Incident Response
Common Incidents
Solicited and/or unsolicited information provided by security research organizations
Publication of an issue or breach affecting the University’s system
Discovery of a potential breach that could affect the University’s system
Account-level issues including breaches and password resets
Incident Response Best Practices
Cross-functional incident response teams
Communication processes and plans
Incident response policies and procedures that define SLAs, roles, responsibilities, and automation wherever possible
Logging and Auditing
Helps with
Preventing security breaches
Identifying breaches or attacks early, thereby reducing the scope of impact
Quickly understanding the scope of attacks or breaches so that a response can be planned and quickly implemented
Gathering better information for security audits or litigation
Logging Best Practices
Information about the location accessed from
Failed login activity
Information about the data accessed or any transaction activity
Best Practice: Capturing additional information
IP Address or Location
Web Server being accessed
User ID
Pages accessed within the application
Keys to identify the data accessed or transaction to be processed
Actions performed within the application
Best Practice: Segmented Logs
Login activity
Password resets
Administrative access by functional area
Student access by functional area
Support access
Access from high-risk locations
Access from high-risk personnel
Access to sensitive data or transactions
Summary
Masking and externalizing sensitive data
Differentiated Security and 2-factor authentication
Logging and Auditing
Change Management and Automation
GreyHeller Security Products
Desktop Single Signon
ERP Firewall
Differentiated Security
Location based Security
2 Factor Authentication
Delegation
Logging
GreyHeller Version Control
ERP Firewall
Allows you to
Control access based on location, user, content, and state.
Log only the requests you care about.
Implement additional challenges for content you wish to secure more strongly.
Display your own system messages to your users.
Restrict access when the system is under maintenance.
Access Control Made Easy
ERP Firewall Flow
Flexible, Powerful Conditions
Powerful Logging
Gathers
Oprid / IP Address / Result / Browser / Date / Time
Login Page / Portal Content / PeopleSoft Page / iScript
EMPLID / Search Criteria / Actions taken
Allows a complete picture of access and creation of targeted logs:
Failed login activity
Activity for specific content
Activity for types of users
2-factor activity
Definitional 2-factor authentication
Identify areas that require additional security upon access
Only grant extended privileges when needed
Limit the scope of those privileges
Change Management
Segregation of duties and Release Management Controls
Visibility into all development and release activity
Facilitates automated testing
No footprint on your PeopleSoft servers
PeopleSoft environments are not linked to each other
Collaboration
Access to all parts of your release process from a browser
Code Browsing and revision history
Check-in History
Migration definition and execution
Tickets, Approvals, and state of work
Integrated Collaboration Tools
Email Notifications
RSS Feeds
Normal Release Process
Standard Release Process
APRIL 7-11, 2014
Sands Expo and Convention Center
Las Vegas, Nevada
QuestDirect.org/COLLABORATE
COLLABORATE 14 - Quest Forum is THE source for PeopleSoft roadmaps & news.
It matters where you register! All PeopleSoft education and events run through Quest.