Security With PeopleSoft


  • 7/27/2019 Security With PeopleSoft

    1/46


    S317424

    Analysis of a Threat and How to Protect Your Data

    Greg Kelly

    Product Strategy Manager, PeopleTools


    THE FOLLOWING IS INTENDED TO OUTLINE OUR GENERAL PRODUCT DIRECTION. IT IS INTENDED FOR INFORMATION PURPOSES ONLY, AND MAY NOT BE INCORPORATED INTO ANY CONTRACT. IT IS NOT A COMMITMENT TO DELIVER ANY MATERIAL, CODE, OR FUNCTIONALITY, AND SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISION. THE DEVELOPMENT, RELEASE, AND TIMING OF ANY FEATURES OR FUNCTIONALITY DESCRIBED FOR ORACLE'S PRODUCTS REMAINS AT THE SOLE DISCRETION OF ORACLE.


    Securing Your PeopleSoft Environment


    Agenda

    Traditional Defense

    Anatomy of an Attack

    De-Perimeterization: A New Approach to Defense

    More Information


    Traditional Defense

    Fortress Mentality

    Firewalls

    DMZ(s)

    VLANs

    Segregated Network Segments


    Sample Layout

    http://wiki.oracle.com/page/Securing+Your+PeopleSoft+Application+-+Index+Page


    Anatomy of Attack - Harvesting

    Initial Research

    Company Site

    About Us Page(s)

    Social Networking Sites e.g.

    Facebook

    Twitter

    Dumpster Diving

    Social Engineering (Kevin Mitnick)


    Anatomy of Attack - Creating Bots

    Phishing (spear)

    Upload Code

    Taking Control


    Sample Spam/Phishing email

    From                    Subject
    2Airline-Tickets        Someone has sent you 2 Southwest-Airlines Tickets
    Career Placement        Ready for A Second JOB - FINANCIAL AID For A Career
    College Grants          Thousands of Dollars in college Grants are awarded to people like you
    creditreport.com        View updates to your Credit Report
    Final Notice            "Walmart Coupon inside!"
    Final Notice            FREE FedEx Delivery; Tell us where to send your DELLXPS Laptop!!
    FinancialAid            "Scholarships & Grants are available"
    Flying Spree            Our Records Indicate You may Have 2 Southwest Airlines Tickets
    freecreditreport.com    View updates to your Credit Report
    Laptop Notification     "Test it Free! A Dell package will be shipped to your door!"
    [email protected]        Hello!!

    Which eMails would your users open?


    Anatomy of Attack - Building Database

    Dictionary Attack

    Rules

    Indicators

    Anonymous BIND to local LDAP


    Which Wi-Fi would you choose?


    Anatomy of Attack - Probing

    System Under Control

    Probe Infrastructure

    Probe Typical Vulnerabilities


    Sample Available Web Servers

    from http://www.netcraft.com


    Anatomy of Attack - Building the Attack

    User Credential Database

    Known Vulnerabilities

    Local LDAP

    Build Out Control

    No Time Limit


    How long does it take to crack passwords anyway?

    Mixed upper and lower case alphabet plus numbers and common symbols. http://www.lockdown.co.uk/?pg=combi
    Character set: 0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz!"#$%&'()*+,-./:;?@[\]^_`{|}~

    Password Time to Crack Based on Class of Attack

    Len  Combinations  Class A     Class B    Class C   Class D   Class E   Class F
    3    884,736       88 Secs     9 Secs     Instant   Instant   Instant   Instant
    4    85 Mn         2 Hours     14 Mins    1 Mins    8 Secs    Instant   Instant
    5    8 Bn          9 Days      22 Hours   2 Hours   13 Mins   1 Mins    8 Secs
    6    782 Bn        2 Yrs       90 Days    9 Days    22 Hours  2 Hours   13 Mins
    7    75 Trn        238 Yrs     24 Yrs     2 Years   87 Days   8 Days    20 Hours
    8    7.2 Qn        22,875 Yrs  2,287 Yrs  229 Yrs   23 Yrs    2 Yrs     83 Days

    Example: Class E = 100,000,000 Passwords/sec - Workstation, or multiple PC's working together.

    (Licensed under a Creative Commons Attribution-ShareAlike 2.0 License.)
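Added example, not from the slides: a small Python calculator that reproduces the arithmetic behind the lockdown.co.uk table (character-set size raised to the password length, divided by the guess rate) and turns it into a password-length policy check. It assumes a 96-character set, since 96^3 is the table's 884,736 for length 3, and infers Class A-F rates of 10^4 to 10^9 guesses per second from the table's rows; only Class E (100,000,000/sec) is stated on the slide.

```python
# Added example (not from the slides): the arithmetic behind the
# lockdown.co.uk table, reused as a password-length policy check.
# ASSUMPTIONS: a 96-character set (the table's 884,736 for length 3
# is 96**3) and Class A-F rates of 10**4 .. 10**9 guesses/sec; only
# Class E (100,000,000/sec) is stated on the slide, the rest are
# inferred from the table's rows.

CHARSET_SIZE = 96
CLASS_RATES = {"A": 10**4, "B": 10**5, "C": 10**6,
               "D": 10**7, "E": 10**8, "F": 10**9}
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(length, charset_size=CHARSET_SIZE):
    """Number of candidate passwords of exactly this length."""
    return charset_size ** length


def seconds_to_exhaust(length, rate, charset_size=CHARSET_SIZE):
    """Worst case: the attacker has to try every candidate."""
    return search_space(length, charset_size) / rate


def human(seconds):
    """Coarse rendering in the slide's units (Yrs/Days/Hours/Mins/Secs)."""
    if seconds < 1:
        return "Instant"
    for unit, size in (("Yrs", SECONDS_PER_YEAR), ("Days", 86400),
                       ("Hours", 3600), ("Mins", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.0f} Secs"


def min_length(rate, target_seconds, charset_size=CHARSET_SIZE):
    """Smallest length whose exhaustive search takes >= target_seconds."""
    length = 1
    while seconds_to_exhaust(length, rate, charset_size) < target_seconds:
        length += 1
    return length


def crack_table(lengths=range(3, 9)):
    """Rows of (length, combinations, [time per class A..F])."""
    return [(n, search_space(n),
             [human(seconds_to_exhaust(n, r)) for r in CLASS_RATES.values()])
            for n in lengths]


if __name__ == "__main__":
    for n, combos, cells in crack_table():
        print(f"{n:<3} {combos:>22,}  " + "  ".join(f"{c:<10}" for c in cells))
    # The policy question behind the table: how long must a password be
    # to withstand one year of Class F guessing? (answer: 9 characters)
    print("min length vs Class F for 1 year:",
          min_length(CLASS_RATES["F"], SECONDS_PER_YEAR))
```

Rendering rounds the way the slide does, so the 8-character row comes out as 22,875 Yrs for Class A down to 83 Days for Class F, matching the table.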


    How many computers could possibly be working together?

    Corporations, agencies infiltrated by botnet
    JORDAN ROBERTSON, AP Technology Writer
    Friday, February 19, 2010
    http://lubbockonline.com/stories/021910/bus_565096614.shtml

    "... Security experts have found a network of 74,000 virus-infected computers that stole information from inside corporations and government agencies. The unusual thing about the incident is not that it happened but that it was discovered, and it is a reminder of the dangers of having computers with sensitive data connected to the open Internet"


    Issues with Internet Explorer

    Scripts in Text Files

    Temporary Internet Files Folder and disabled caching


    De-Perimeterization

    The huge explosion in business collaboration and commerce on the Web means that today's traditional approaches to securing a network boundary are at best flawed, and at worst ineffective.

    Examples include:

    bypass them altogether

    IT products that cross the boundary, encapsulating protocols within Web protocols

    Security exploits that use email and Web to get through the perimeter

    - The Jericho Forum, under the auspices of The Open Group


    Defense at the Core

    Transparent Data Encryption (TDE)

    Oracle Advanced Security Option (ASO)

    Data at Rest

    Hardware Security Module

    Protects Against Forensic and Direct Files Access

    Oracle Database Vault

    Oracle Audit Vault

    Oracle Enterprise Manager Data Masking

    For Non-Production DB Copies


    Core Protection

    Audit Vault

    Database Vault

    Database


    Core Protection

    Monitoring: Configuration Management, Oracle Audit Vault, Total Recall

    Access Control: Oracle Database Vault, Label Security

    Encryption & Masking: Advanced Security, Secure Backup, Data Masking


    Enterprise Manager Data Masking

    (Diagram) Production DB -> EM Data Masking -> Dev DB, Test DB, Training DB


    Defense in the Business Logic Layer

    ASO Network Encryption

    Data in Flight

    Oracle Applications Access Controls Governor

    (Oracle Information Rights Manager for PS-Reports)

    Quis custodiet ipsos custodes?

    3 people can keep a secret if 2 of them are dead.


    Protection in the Business Logic Layer

    (Diagram) Protected DB - ASO - Application (Business Logic) Server - OAACG / OTCG


    Defense in the Presentation (Web) layer

    Oracle Access Manager

    Oracle Identity Manager

    Oracle Adaptive Access Manager


    PeopleTools 8.50 Delivered Additional Security Enhancements

    SAML for Web Services

    JNDI Libraries for LDAP and LDAPS

    FTPS Support (FTP over secure transport)

    Enhanced User Profile Synchronization

    De-Coupled PS_HOME

    PDF Encryption with XML Publisher

    Support for Server Based Virus Scanning Engines

    Customer Configured TDE Algorithm

    PET Support for Encrypting the Encryption Keys and Secure Data Wipe

    Additional Hardening


    PeopleTools 8.51 Features: Security

    User Security

    Extended Password Controls

    Multiple Session Detection

    Kerberos Signon SDK

    Data Security

    Support for Transport Layer Security

    Support for SFTP and FTPS


    Common Questions

    Vulnerability Testing

    NIST FIPS 140-2

    Update to Securing Your PeopleSoft Environment

    Issues without hardening

    Critical Patch Update

    Addressing Reported and Discovered Vulnerabilities


    More Information


    PeopleTools 8.50 Viewlets Now Available via oracle.com

    http://www.oracle.com/applications/peoplesoft/tools_tech/ent/ptools/index.html

    or direct http://download.oracle.com/peopletools/viewlets.html

    Get helpful insights on many PeopleTools and Collaboration Framework features. Topic Areas:

    Web Services & Integration Broker
    Life Cycle Management
    Enterprise 2.0 and User Interface
    Platforms
    Reporting
    Security
    PeopleTools for the Developer
    General PeopleTools


    PeopleTools Strategy eMail

    [email protected]

    PeopleTools on Oracle Wiki

    http://wiki.oracle.com/page/PeopleSoft

    PeopleSoft discussion forums


    PeopleTools Blog landing page

    http://blogs.oracle.com/peopletools

    Open Group Jericho Forum "de-perimeterization":

    http://www.opengroup.org/jericho/deperim.htm

    Oracle's Critical Patch Update

    http://www.oracle.com/security/critical-patch-update.html


    Not getting Security and other Alerts?

    Go to OTN - Oracle Technology Network http://www.oracle.com/technology/index.html

    Look at the upper right hand corner ( Account | Manage Subscriptions | Sign Out )

    Make sure you're logged in, then click on Manage Subscriptions

    Scroll down to Opt-in to Oracle Communications

    Check box for Oracle Security Alerts - Get the latest Security Alerts issued by Oracle as they become available... and any other alert or newsletter you want to receive

    Scroll down to the end of the page and "Confirm"


    Additional Resources

    For more information about Oracle Applications http://www.oracle.com/us/products/applications/peoplesoft-enterprise/index.htm

    For more information about Education

    http://www.oracle.com/education/index.html

    For more information about Support

    http://www.oracle.com/support/
    http://support.oracle.com

    For Oracle Product documentation:

    http://www.oracle.com/applications/peoplesoft/tools_tech/ent/index.html

    Certification Information on My Oracle Support Doc id=747587.1

    Technical Updates on My Oracle Support Doc id=764222.1


    PeopleTools 8.50 Information Development Deliverables

    PeopleTools 8.50 Documentation Homepage: Includes direct links to PeopleBooks, PeopleBook Updates, Release Notes, Installation and Upgrade Guides, and more. All accessible from one convenient My Oracle Support location.
    https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=847882.1

    PeopleTools 8.50 Hosted PeopleBooks: Access a searchable HTML installation of our PeopleTools 8.50 PeopleBook suite. This hosted solution lets you access PeopleBooks using the help link in your applications without having to install PeopleBooks on your own server.
    http://www.oracle.com/pls/psft/homepage

    PeopleTools Cumulative Feature Overview Tool: Dynamic tool provides concise descriptions of new and enhanced solutions and functionality that have become available between your starting and target releases. The CFO tool can be found on My
    Pages.


    PeopleTools 8.50 Available Training

    PeopleTools 8.50 classes available now:

    PeopleSoft PeopleTools I Rel 8.50
    PeopleTools II Rel 8.50
    PeopleTools I/PeopleTools II - Accelerated Rel 8.50
    PeopleSoft PeopleCode Rel 8.50
    Application Engine Rel 8.50
    PeopleCode/SQR Accelerated Rel 8.50
    PeopleCode/Application Engine Accelerated Rel 8.50

    To view a schedule of these classes or new upcoming classes visit Oracle University: go to oracle.com/education


    Related Sessions and More Information


    PeopleTools Sessions of Interest

    Monday

    Time   Title                                                         Number   Location
    11:00  Improving ROI by Mastering PS Upgrade Tools & Resources       S318203  W2018
           PeopleTools 8.50 Upgrade: Details of a Well Managed Project   S317421  W2014
    2:00   PeopleSoft Enterprise Release 9.1 Adoption and Roadmap        General  W3002
    3:30   Oracle FMW for Oracle Applications Unlimited - Answers        S318064  W2014
           PeopleTools Tips and Tricks                                            Marriott


    PeopleTools Sessions of Interest

    Tuesday

    Time   Title                                                         Number   Location
    11:00  PeopleTools Product Roadmap                                   General  W3010
    12:30  PeopleTools Dev Series: Building & Consuming Web Services     S317431  Marriott
           PeopleTools 8.51 Highlights: PeopleTools in Action            S317433  W2014
    2:00   PeopleTools Dev Series: Mastering PS Reporting Tools          S317427  Marriott
    3:30   Setting an Enterprise 2.0 Strategy with PS Portal             S317437  Marriott
    5:00   PeopleTools Insight: Defining a BI Strategy                   S317445  Marriott
           PeopleTools Dev Series: Secure Coding Practices               S317430  W2016


    PeopleTools Sessions of Interest

    Wednesday

    Time   Title                                                         Number   Location
    10:00  PeopleTools 8.51 Highlights: Simplify Upgrade & Maintenance   S317434  W2014
           Performance Techniques for the PS Middle Tier                 S317420  W3002
    11:30  PeopleTools 8.50 Beta Customers: One Year Later               S317446  W2014
    1:00   PeopleTools Dev Series: Application Performance Tips          S317426  W2014
           PeopleTools Insight: Implementing Data Governance & Compliance
    4:45   Making the Most of PS Query                                   S317455  W2016
           PeopleTools Dev Series: Building a Custom Mobile App          S317432  W2014


    PeopleTools Sessions of Interest

    Thursday

    Time   Title                                                         Number   Location
    9:00   PeopleTools 8.51 Highlights: PeopleSoft Integration Broker    S317435  W2014
           Platform Update for PeopleSoft Enterprise                     S317422  W3002
           PeopleTools Product Roadmap                                   S317436  W3005
    10:30  Best Practices for Managing Your PeopleSoft Applications      S317034  Marriott
           The New Experience: Enterprise 2.0 Ecosystem
           Building Mobile Solutions for Oracle Apps: Tech Insight       S317110  W2020
    12:00  Monster Mashups: Related Content in PeopleSoft Apps           S317448  W2014
           PeopleTools Product Team Panel Discussion                     S317439  W3002
    1:30   PeopleTools Insight: The Value Prop of Oracle Technology      S317438  W3002
           Secure PeopleTools: Analysis of a Threat & Data Protection    S317424  W2014
    3:00   Bring Your PeopleSoft Apps to Life with Web 2.0               S317450  W3002
           PeopleSoft Integration Broker Secrets                         S317425  W2014


    Oracle PeopleSoft PeopleTools in Moscone South

    Oracle PeopleSoft PeopleTools Demo Pods

    S-106 PeopleSoft PeopleTools Integration Technologies
    S-107 PeopleSoft PeopleTools
    S-110 PeopleSoft PeopleTools Reporting Solutions

    PSFT Hyperion UPK


    Useful Links

    Oracle Software Security Assurance
    http://www.oracle.com/security/software-security-assurance.html

    PeopleSoft Enterprise Applications
    http://www.oracle.com/peoplesoft - look for "PeopleSoft Information Portal" link

    Secure Development Process
    Critical Patch Update
    External Security Validations
    Security Information and Best Practices

    Security Solutions From Oracle
    http://www.oracle.com/security

    PeopleSoft Technology Blog
    http://blogs.oracle.com/peopletools - check the links >>>

    2010 Oracle Corporation Proprietary and Confidential


    Learn More: PeopleSoft Information Development Resources

    Hosted & Mobile PeopleBooks - PeopleTools PeopleBooks are available in three formats: Hosted PeopleBooks, PDFs, and Amazon's Kindle format. All can be accessed here:
    http://www.oracle.com/technetwork/documentation/psftent-090284.html

    Doc Home Pages - constantly updated direct links to PeopleBooks, PeopleBook Updates, Release Notes, Installation and Upgrade Guides, and other useful product documentation, all accessible from one My Oracle Support location.
    PeopleTools 8.51 Documentation Home Page [ID 1127534.1]
    https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1127534.1

    Information Portal - locate the documentation, training, and other info needed to help with your implementation process. Customers searching for this information should make this their first online destination.
    http://www.oracle.com/us/products/applications/054275.html


    Learn More: PeopleSoft Information Development Resources

    Cumulative Feature Overview (CFO) - Providing concise descriptions of new and enhanced solutions and functionality that have become available starting with the 8.4 release through our latest 8.51 release.
    https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=SYSTEMDOC&id=793143.1

    Upgrade Resource Report Tools - helps you find all the documentation, scripts, and files you need for your upgrade project.
    https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=SYSTEMDOC&id=1117047.1

    Follow us on @PeopleSoft_Info
