3. So You Think You Are Safe?
The Cerber affiliate scheme allows anyone to become a cyber extortionist - for a price.
A ransomware-as-a-service scheme is enabling even the most technically illiterate cyber criminal to extort payments from victims infected with data-encrypting malware -- with the developers of the service taking a significant chunk of the ill-gotten gains. GoldenEye, Petya & Locky are similar.
4. I Use Passwords – I Am Safe!
I can download, install and configure the hashcat “password recovery” (aka cracking) software and add a decent set of word lists in about 10 – 15 minutes.
All I need next is an idea of what encryption algorithm has been used:
DES – encrypted passwords carry no version ID (i.e. no {V1.1} style prefix)
3DES – encrypted passwords start with {V1.1}
3DES – after key regeneration, {V1.2}, {V1.3} etc.
AES – encrypted passwords start with {AES}
Assume 1 billion password guesses per second in a brute force attack:
A 6 char alpha-numeric password has 56.8 billion combinations – cracked in under a minute!
A 12 char alpha-numeric password will take > 100,000 years
Password crackers don’t just use brute force!
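The arithmetic behind the two figures above, plus a classifier for the stored-password prefixes just listed, as an added Python example that is not from the talk. The prefix rules and the function names are assumptions taken from the slide text, and the 62-symbol alphabet (upper, lower, digits) is the one that reproduces the 56.8 billion figure.

```python
import math

# Prefix conventions as described on the slide (assumed, not verified against
# any PeopleTools release): no prefix -> DES, {V1.1} -> 3DES with the original
# key, {V1.2}/{V1.3}... -> 3DES after key regeneration, {AES} -> AES.
def classify_stored_password(value: str) -> str:
    """Return the algorithm implied by the prefix of a stored encrypted password."""
    if value.startswith("{AES}"):
        return "AES"
    if value.startswith("{V1."):
        close = value.find("}")
        tag = value[1:close] if close != -1 else value[1:]
        if tag == "V1.1":
            return "3DES (original key)"
        return f"3DES (regenerated key {tag})"
    return "DES"


ALNUM = 26 + 26 + 10              # upper, lower, digits: 62 symbols
SECONDS_PER_YEAR = 365 * 24 * 3600


def brute_force_seconds(length: int, charset: int = ALNUM,
                        guesses_per_sec: float = 1e9) -> float:
    """Worst-case time to exhaust every password of the given length."""
    return charset ** length / guesses_per_sec


def minimum_length_for(years: float, charset: int = ALNUM,
                       guesses_per_sec: float = 1e9) -> int:
    """Smallest length whose full keyspace takes at least `years` to exhaust."""
    guesses_needed = years * SECONDS_PER_YEAR * guesses_per_sec
    return math.ceil(math.log(guesses_needed, charset))


if __name__ == "__main__":
    for n in (6, 8, 12):
        yrs = brute_force_seconds(n) / SECONDS_PER_YEAR
        print(f"{n} chars: {brute_force_seconds(n):,.0f} s (~{yrs:,.1f} years)")
    print("length for a 100,000-year keyspace:", minimum_length_for(100_000))
```

The worst-case figure is an upper bound on a pure brute-force search; dictionary and rule-based attacks, as the slide warns, finish far sooner against weak choices.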
5. I Trust My Users
“An undergraduate at the University of Nebraska last year was able to break into a database
associated with the university's PeopleSoft system, exposing Social Security numbers and other
sensitive information on about 654,000 students, alumni and employees. According to our sister
website Dark Reading, the university was lucky enough to detect the breach and shut it down
quickly. An IT staffer picked up on an error message that seemed like evidence of something amiss,
and a recently installed security information and event management system helped network
managers sort through system logs and collect enough evidence to allow police to get a warrant to
confiscate the computer of the student believed to have been behind the attack.”
8. Terminology – Selected Terms Only
HARDENING - Process of identifying and fixing vulnerabilities on a system.
THREAT - A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
THREAT ASSESSMENT - The identification of types of threats that an organization might be exposed to.
THREAT MODEL - Used to describe a given threat and the harm it could do to a system if it has a vulnerability.
THREAT VECTOR - Method a threat uses to get to the target.
HASH FUNCTIONS - (Cryptographic) hash functions are used to generate a one way "check sum" for a larger text, which is not trivially reversed. Can be used to create encrypted passwords.
CPU – Critical Patch Update – set of security patches issued regularly by Oracle http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf
9. Terminology – More Selected Terms
Intrusion Detection System (IDS) - Network device or program that monitors network traffic and logs/reports suspicious network activity.
An IDS is usually installed at the edge of an organization’s networks. Network traffic coming from outside is examined for malicious activity. The IDS may not only examine the contents of the traffic, it can also look for traffic with a specific signature pattern — a sequence of packets matching the profile of a known attack.
An intrusion prevention system (IPS) goes one step farther, and attempts to block suspicious traffic once it has detected it.
GPU – Graphics Processing Unit. A massively parallel board with many processing cores designed to run very similar operations in parallel for graphics acceleration – but very well suited to running brute force password cracking attempts over and over again.
10. Terminology – Will He Never Finish?
Phishing [Wikipedia] – Attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising as a trustworthy entity in an electronic communication. [NV] Wide target audience and low success rate.
Spear Phishing – Something Tom Hanks got good at in “Castaway”
Spear Phishing – A carefully crafted phishing attack targeted at key individuals, and purporting to be from an organisation or person “the mark” would recognise and treat as genuine.
The Mark - Term I learned from “Hustle” for the rich stupid loser who will be considerably less rich at the end of the episode.
12. Inform – Act – Resolve
I’ll present some key information and thoughts
Look out for this symbol:
That topic will be included in the Cedar Security Assessment
14. Critical Patch Updates - CPUs
What are they?
How do you get notifications?
How to ensure you can act on them.
How to understand them.
How to assess the impact.
How to decide what action to take.
15. Terminology Of The Oracle CPU
CVE# (or Vuln# in older advisories) – The unique identifier of a vulnerability.
Protocol - The protocol required to attempt to exploit the vulnerability.
Remote Exploit Without Authentication? – Can the attacker attack the system remotely without having to supply valid login credentials?
CVSS Version Base Risk – The CVSS Base Score, an assessment of risk defined by the Common Vulnerability Scoring Standard (CVSS). The "Oracle's Use of CVSS Scoring" page explains Oracle's implementation. The CVSS base score assigns a numeric value between 0.0 and 10.0 to indicate the severity of the vulnerability, where 10.0 represents the highest severity. Each risk matrix is ordered using this value, with the most severe vulnerability at the top of each risk matrix.
Supported Versions Affected – Actually means which versions of the product Oracle is releasing fixes for. Typically the latest version of PeopleTools and the previous one, for a period of time.
16. Understanding The Attack Vectors
Knowing how the attacker will set about gaining unauthorized access
Consider in conjunction with vulnerabilities
Consider in conjunction with your deployed architecture
Internet-facing systems are at considerably more risk
Never forget internal attackers
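Putting slides 15 and 16 together: the risk-matrix fields (CVE#, Protocol, Remote Exploit Without Authentication?, CVSS base, Supported Versions Affected) ranked against your own deployed architecture. This is an added Python example, not Cedar's or Oracle's tooling; the row and deployment classes, the priority labels and the CVE ids are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed model of one row of an Oracle CPU risk matrix (field names follow
# the slide, the class itself is this example's own).
@dataclass(frozen=True)
class RiskMatrixRow:
    cve: str
    protocol: str            # protocol needed to attempt the exploit
    remote_no_auth: bool     # "Remote Exploit Without Authentication?"
    cvss_base: float         # 0.0 .. 10.0, 10.0 most severe
    versions_affected: tuple # PeopleTools releases Oracle ships fixes for


@dataclass(frozen=True)
class Deployment:
    peopletools: str
    internet_facing: bool
    exposed_protocols: frozenset   # protocols reachable from outside the DMZ


ORDER = {"P1": 0, "P2": 1, "P3": 2, "no-fix": 3}


def priority(row: RiskMatrixRow, dep: Deployment) -> str:
    """Rank one advisory row against the architecture it would be applied to."""
    if dep.peopletools not in row.versions_affected:
        return "no-fix"   # Oracle is not shipping a fix for this release: plan an upgrade
    reachable = dep.internet_facing and row.protocol in dep.exposed_protocols
    if row.remote_no_auth and reachable:
        return "P1"       # internet-facing and needs no credentials
    if row.cvss_base >= 7.0:
        return "P2"       # high severity but needs credentials or internal access
    return "P3"           # still patch it: never forget internal attackers


def triage(rows, dep: Deployment):
    """Most urgent first; within a priority, most severe first like the risk matrix."""
    return sorted(rows, key=lambda r: (ORDER[priority(r, dep)], -r.cvss_base))


# Constructed sample advisory rows and two deployments (placeholder CVE ids).
SAMPLE_ROWS = [
    RiskMatrixRow("CVE-0000-0001", "HTTP", True, 9.8, ("8.55", "8.56")),
    RiskMatrixRow("CVE-0000-0002", "Oracle Net", False, 7.5, ("8.55", "8.56")),
    RiskMatrixRow("CVE-0000-0003", "HTTP", True, 5.3, ("8.54",)),
    RiskMatrixRow("CVE-0000-0004", "HTTP", False, 4.3, ("8.56",)),
]
EXTERNAL = Deployment("8.56", True, frozenset({"HTTP"}))
INTERNAL = Deployment("8.56", False, frozenset())

if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS, EXTERNAL):
        print(priority(r, EXTERNAL), r.cve, r.cvss_base)
```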
18. Different Types Of Encryption Configuration
Encrypt Data at rest – database encryption
Encrypt Data in transit – use HTTPS
Signed Certificates and their requests
Configuring WebLogic
Java keystore
REN server configuration
19. Data Obfuscation
Implement Data masking/obfuscation
Ensure production data does not exist in non-prod environments
Have a data obfuscation tool
Build data obfuscation into refresh procedures for Dev & Test environments
21. Password Management Policy
Modify all administrative and super-user passwords
Never use default or well-known passwords
Implement an access and password management policy
Use a site-specific SALT value in the encryption of PeopleSoft passwords
Longest available length
Auto-generation with the largest character set
Rotation of passwords (i.e. change them regularly!)
Switch on all available password controls
Store admin passwords in a repository
23. Harden Your PeopleSoft Configuration
Security Basics
Ensure all passwords in Web Server, Application Server and Process Scheduler configuration files are encrypted
Enable Application Server domain authentication so that 3-tier connections to Tuxedo are protected by a password
Internet-facing PeopleSoft
Place a dedicated Web & Application server in a DMZ
Protect the Web & App server via a Reverse Proxy Server
Again - Think carefully about creating a Public Access user in the web profile – especially if PeopleSoft is internet-facing
24. Harden Your PeopleSoft Infrastructure
Harden all application tiers
Follow Oracle’s advice for security hardening the WebLogic installation
If using HTTPS, consider disabling HTTP within WebLogic
Follow Oracle’s advice for security hardening the Tuxedo installation
If Web & App servers are on different machines, use Tuxedo JOLT encryption
Use minimally-privileged Operator IDs to start Application Servers and Process Schedulers
25. Further Hardening Tasks
In the Application server configuration file suppress SQL error messages – they can provide attackers with useful information
Java keystore
Change the delivered password of the Java keystore
When generating signed certificate requests, use a different key password for each environment
26. Don’t Forget Secure PS_HOME
Implement segregated PS_HOME, PS_APP_HOME and PS_CUST_HOME with differentiated security
Enforce segregation of duties and allow configuration management and operations to continue without full software installation and patch privileges.
27. Miscellaneous Hardening Tasks
Think carefully about creating a Public Access user in the web profile – especially if PeopleSoft is internet-facing
Check that the Web Profile does not have a custom property “auditPWD” which enables debug and control settings
Disable <CNTRL>-J to show environment information as this may be useful to attackers
28. SSO
PeopleSoft SSO
If multi-pillar, implement PeopleSoft SSO
Integrated accounts and passwords means less to remember and therefore fewer passwords written on PostIt™ sticky notes!
Users will appreciate the ease of use
30. Make Sure You Know What Is Going On
Switch on detailed Web Server and App Server logging
Get as much detail as possible about user (or hacker) login activity
Create reports on the logs
Better still, think BIG DATA, machine data
Log files are rich in data but they are not particularly readable and can grow enormously if detailed tracing is enabled.
Mine those rich sources of security information with modern Big Data tools such as Splunk
"Why Splunk?" Video
31. Auditing Enhances Security
Enable PeopleSoft Auditing of key security-sensitive information:
PeopleTools > Security
Administrative pages where admin accounts and passwords are maintained
PeopleTools 8.54 and beyond logs successful and unsuccessful login attempts in the PSPTLOGINAUDIT table
Run regular reports on this table
33. Follow Best Practice When Customising
Make sure your customisations follow good security practice and do not introduce weaknesses. As a minimum:
Every component should have appropriate row-level security.
Defend against SQL injection. All user-entered data that is part of dynamic SQL must be isolated to a bind variable.
All user-entered HTML must be escaped.
All hidden page fields should have the Modifiable by HTML flag deselected with the exception of those that are used to control the user interface.
All user-entered file names should not contain complete or relative paths. (Keep paths and file names distinct)
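Three of the minimum rules above (bind variables, HTML escaping, path-free file names) shown as the weak form beside the hardened form. This is an added Python example using an in-memory SQLite table, not PeopleCode from the talk; the table, the rows and the function names are constructed for illustration.

```python
import html
import os
import sqlite3


def demo_db() -> sqlite3.Connection:
    """Constructed stand-in for a PeopleSoft table with two rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ps_names (emplid TEXT, name TEXT)")
    con.executemany("INSERT INTO ps_names VALUES (?, ?)",
                    [("KU0001", "Alice"), ("KU0002", "Bob")])
    return con


def lookup_unsafe(con, emplid: str):
    """The weakness: user input pasted straight into dynamic SQL."""
    sql = f"SELECT name FROM ps_names WHERE emplid = '{emplid}'"
    return con.execute(sql).fetchall()


def lookup_bound(con, emplid: str):
    """The fix: the user-entered value is isolated to a bind variable, so the
    database only ever compares it as data, never parses it as SQL."""
    return con.execute("SELECT name FROM ps_names WHERE emplid = ?",
                       (emplid,)).fetchall()


def render_cell(user_text: str) -> str:
    """Escape user-entered text before it is placed inside page HTML."""
    return html.escape(user_text, quote=True)


def is_safe_file_name(name: str) -> bool:
    """Accept a bare file name only: no absolute path, no directory part,
    no '.' or '..'. Keep the path (server-controlled) separate from the name."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name or os.path.isabs(name):
        return False
    return name == os.path.basename(name)


if __name__ == "__main__":
    con = demo_db()
    probe = "x' OR '1'='1"      # classic injection probe, used here as a test input
    print("dynamic SQL returns", len(lookup_unsafe(con, probe)), "rows")  # 2: whole table
    print("bind variable returns", len(lookup_bound(con, probe)), "rows")  # 0
    print(render_cell("<b>hi</b>"), is_safe_file_name("../report.csv"))
```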
35. Third-Party Security Products
Consider third-party technology enhancement solutions
Distributed Access Management
Why is x logging in at 2am?
Why is x logging in from a remote location
Two-Factor/Step-Up Authentication
Additional base password controls
Firewall technology
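The reports slide 31 asks for on the login-audit table, and the two questions slide 35 poses (why is x logging in at 2am, why from a remote location), as an added Python example that is not part of the talk. The rows are constructed, and the column names (OPRID, LOGINDTTM, LOGINSTATUS, IPADDR) and the S/F status codes are this example's assumptions, not a description of the real PSPTLOGINAUDIT layout.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit extract: (OPRID, LOGINDTTM, LOGINSTATUS, IPADDR).
# Column names and the S (success) / F (failure) codes are assumptions.
SAMPLE_ROWS = [
    ("PSADMIN", "2017-03-01 02:10:00", "F", "203.0.113.7"),
    ("PSADMIN", "2017-03-01 02:10:05", "F", "203.0.113.7"),
    ("PSADMIN", "2017-03-01 02:10:09", "F", "203.0.113.7"),
    ("PSADMIN", "2017-03-01 02:10:20", "S", "203.0.113.7"),
    ("KU0001",  "2017-03-01 09:02:11", "S", "10.20.1.15"),
    ("KU0002",  "2017-03-01 13:45:00", "F", "10.20.1.16"),
]
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed office ranges


def _parse(row):
    oprid, ts, status, ip = row
    return oprid, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), status, ipaddress.ip_address(ip)


def failed_bursts(rows, threshold=3, window=timedelta(minutes=10)):
    """OPRIDs with >= threshold failed logins inside one window: guessing attempts."""
    fails = defaultdict(list)
    for oprid, when, status, _ in map(_parse, rows):
        if status == "F":
            fails[oprid].append(when)
    hits = set()
    for oprid, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(oprid)
                break
    return hits


def out_of_hours(rows, start=22, end=6):
    """Successful logins in the quiet hours: the 'why is x logging in at 2am?' report."""
    return {(o, w.isoformat()) for o, w, s, _ in map(_parse, rows)
            if s == "S" and (w.hour >= start or w.hour < end)}


def remote_logins(rows):
    """Successful logins whose source address is outside the known internal ranges."""
    return {o for o, _, s, ip in map(_parse, rows)
            if s == "S" and not any(ip in net for net in INTERNAL_NETS)}


if __name__ == "__main__":
    print(failed_bursts(SAMPLE_ROWS), out_of_hours(SAMPLE_ROWS), remote_logins(SAMPLE_ROWS))
```

The three checks together flag the constructed PSADMIN sequence: a burst of failures followed by a success, at 02:10, from an address outside the office ranges.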
38. Security Profiles And Their Management
Review security profiles
Minimum permissions only
Segregation Of Duties (SOD)
On-boarding and off-boarding processes
40. So What’s To Be Done?
Remember Pareto – You could probably reduce or eliminate 80% of your threat exposure by taking just 20% of all the possible actions.
What is the garden peas link?
In 1896 economist Vilfredo Pareto observed that 20% of his garden peapods contained 80% of the peas and that 80% of Italy was owned by 20% of the population
41. Implement Defence In Depth Security
Like a castle, data needs multiple rings of defence
[Diagram: concentric rings of defence around the data, labelled Procurement, HR, Financials; End Users; Application Administrators; Application Security Administrators; DBAs & Sys Admins; “Hackers”]
42. Taking The First Step
Short, highly targeted security assessment
Covers the 80% of vulnerabilities
Delivers an assessment report with recommended actions and estimated remedial effort
Cedar Security Assessment
43. The Cedar Security Assessment – Recap of Coverage
Degree of PeopleSoft Hardening
Password Controls
CPU level and current exposure
Architecture
Processes
44. The Cedar Security Assessment - Requirements
Administrator access to the system
PeopleSoft server access
(Visibility of passwords)
(Exact current versions of PeopleTools and supporting technologies)
45. The Cedar Security Assessment – Duration & Deliverables
2-Day audit and assessment
Remediation report listing remediation actions and estimated effort to complete:
Password Management
Hardness of PeopleSoft configuration
Encryption
Security patching, CPUs and recommended CPU actions