PeopleSoft Cyber Security
Neville Varnham
How Well Prepared Are You?
Some sobering thoughts…
So You Think You Are Safe?
The Cerber affiliate scheme allows anyone to become a cyber extortionist - for a price. A ransomware-as-a-service scheme is enabling even the most technically illiterate cyber criminal to extort payments from victims infected with data-encrypting malware -- with the developers of the service taking a significant chunk of the ill-gotten gains. GoldenEye, Petya & Locky are similar.
I Use Passwords – I Am Safe!
- I can download, install and configure the hashcat "password recovery" (aka cracking) software and add a decent set of word lists in about 10 – 15 minutes.
- All I need next is an idea of what encryption algorithm has been used:
  - DES – encrypted passwords have no ID (e.g. {V1.1})
  - 3DES – encrypted passwords start with {V1.1}
  - 3DES – after key regeneration, V1.2, V1.3 etc.
  - AES – encrypted passwords start with {AES}
- Assume 1 billion password guesses per second in a brute force attack:
  - 6 char alpha-numeric password has 56.8 billion combinations – cracked in under a minute!
  - 12 char alpha-numeric password will take > 100,000 years
- Password crackers don't just use brute force!
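The arithmetic behind the two figures on this slide, plus an inventory check that classifies stored PeopleSoft password values by the prefixes listed above. This is an added example, not code from the presentation; the 62-character alphanumeric set, the 1 billion guesses per second rate and the sample account rows are assumptions constructed for it.

```python
# Assumptions taken from the slide: 62 alphanumeric characters (a-z, A-Z, 0-9)
# and a brute-force rate of one billion guesses per second.
ALPHANUMERIC = 62
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def worst_case_years(charset_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    return worst_case_seconds(charset_size, length, rate) / SECONDS_PER_YEAR


def minimum_length(charset_size: int, target_years: float,
                   rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest length whose exhaustive search takes longer than `target_years`.
    Useful when setting the 'longest available length' policy on a later slide."""
    length = 1
    while worst_case_years(charset_size, length, rate) <= target_years:
        length += 1
    return length


def stored_password_format(value: str) -> str:
    """Classify a stored PeopleSoft password value by its prefix, following the
    slide: {AES} -> AES; {V1.1}, and {V1.2}, {V1.3} after key regeneration -> 3DES;
    no tag at all -> legacy DES."""
    if value.startswith("{AES}"):
        return "AES"
    if value.startswith("{V1."):
        return "3DES"
    return "DES"


def accounts_needing_upgrade(rows):
    """Inventory check: user IDs whose stored password is not yet AES.
    `rows` is a list of (user id, stored value) pairs."""
    return [oprid for oprid, value in rows if stored_password_format(value) != "AES"]


# Constructed sample rows; the stored values are placeholders, not real ciphertext.
SAMPLE_ACCOUNTS = [
    ("HRADMIN", "{AES}constructedAESvalue"),
    ("OLDUSER", "{V1.1}constructed3DESvalue"),
    ("ANCIENT", "constructedDESvalue"),
    ("FINUSER", "{V1.3}constructedAfterKeyRegeneration"),
]


if __name__ == "__main__":
    for length in (6, 8, 10, 12):
        print(f"{length} alphanumeric chars: {keyspace(ALPHANUMERIC, length):,} "
              f"candidates, {worst_case_years(ALPHANUMERIC, length):,.1f} years worst case")
    print("shortest length surviving 100,000 years:",
          minimum_length(ALPHANUMERIC, 100_000))
    print("accounts still on DES/3DES:", accounts_needing_upgrade(SAMPLE_ACCOUNTS))
```

The worst-case figures are for exhaustive search only; as the last bullet says, real crackers use word lists and rules first, so a long password that is also a dictionary phrase gets none of this protection.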
I Trust My Users
"An undergraduate at the University of Nebraska last year was able to break into a database associated with the university's PeopleSoft system, exposing Social Security numbers and other sensitive information on about 654,000 students, alumni and employees. According to our sister website Dark Reading, the university was lucky enough to detect the breach and shut it down quickly. An IT staffer picked up on an error message that seemed like evidence of something amiss, and a recently installed security information and event management system helped network managers sort through system logs and collect enough evidence to allow police to get a warrant to confiscate the computer of the student believed to have been behind the attack."
Security Breaches Cost: Money & Reputation
Selected Terminology
Terminology – Selected Terms Only
- HARDENING - Process of identifying and fixing vulnerabilities on a system.
- THREAT - A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
- THREAT ASSESSMENT - The identification of types of threats that an organization might be exposed to.
- THREAT MODEL - Used to describe a given threat and the harm it could do to a system if it has a vulnerability.
- THREAT VECTOR - Method a threat uses to get to the target.
- HASH FUNCTIONS - (Cryptographic) hash functions are used to generate a one-way "check sum" for a larger text, which is not trivially reversed. Can be used to create encrypted passwords.
- CPU – Critical Patch Update – set of security patches issued regularly by Oracle: http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf
Terminology – More Selected Terms
- Intrusion Detection System (IDS) - Network device or program that monitors network traffic and logs/reports suspicious network activity.
  - An IDS is usually installed at the edge of an organization's networks. Network traffic coming from outside is examined for malicious activity. The IDS may not only examine the contents of the traffic, it can also look for traffic with a specific signature pattern: a sequence of packets matching the profile of a known attack.
  - An intrusion prevention system (IPS) goes one step farther, and attempts to block suspicious traffic once it has detected it.
- GPU – Graphics Processing Unit. A massively parallel board with many cores designed to run very similar operations in parallel for graphics acceleration – but very well suited to running brute force password cracking attempts over and over again.
Terminology – Will He Never Finish?
- Phishing [Wikipedia] – Attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising as a trustworthy entity in an electronic communication. [NV] Wide target audience and low success rate.
- Spear Phishing – Something Tom Hanks got good at in "Castaway"
- Spear Phishing – A carefully crafted phishing attack targeted at key individuals, and purporting to be from an organisation or person "the mark" would recognise and treat as genuine.
- The Mark - Term I learned from "Hustle" for the rich stupid loser who will be considerably less rich at the end of the episode.
How This Presentation Works
Inform – Act – Resolve
I'll present some key information and thoughts.
Look out for this symbol:
That topic will be included in the Cedar
Security Assessment
Oracle Critical Patch Updates
Critical Patch Updates - CPUs
What are they?
How do you get notifications?
How to ensure you can act on them.
How to understand them.
How to assess the impact.
How to decide what action to take.
Terminology Of The Oracle CPU
- CVE# (or Vuln# in older advisories) - The unique identifier of a vulnerability.
- Protocol - The protocol required to attempt to exploit the vulnerability.
- Remote Exploit Without Authentication? – Can the attacker attack the system remotely without having to supply valid login credentials?
- CVSS Version Base Risk
  - The CVSS Base Score, an assessment of risk defined by the Common Vulnerability Scoring Standard (CVSS). The "Oracle's Use of CVSS Scoring" page explains Oracle's implementation.
  - The CVSS base score assigns a numeric value between 0.0 and 10.0 to indicate the severity of the vulnerability, where 10.0 represents the highest severity. Each risk matrix is ordered using this value, with the most severe vulnerability at the top of each risk matrix.
- Supported Versions Affected – Actually means which versions of the product Oracle is releasing fixes on. Typically the latest version of PeopleTools and the previous one, for a period of time.
Understanding The Attack Vectors
- Knowing how the attacker will set about gaining unauthorized access
- Consider in conjunction with vulnerabilities
- Consider in conjunction with your deployed architecture
- Internet-facing systems are at considerably more risk
- Never forget internal attackers
Data Encryption
Different Types Of Encryption Configuration
- Encrypt data at rest – database encryption
- Encrypt data in transit – use HTTPS
  - Signed certificates and their requests
  - Configuring WebLogic
  - Java keystore
  - REN server configuration
Data Obfuscation
- Implement data masking/obfuscation
- Ensure production data does not exist in non-prod environments
- Have a data obfuscation tool
- Build data obfuscation into refresh procedures for Dev & Test environments
Password Management
Password Management Policy
- Modify all administrative and super-user passwords
- Never use default or well-known passwords
- Implement an access and password management policy
- Use a site-specific SALT value in the encryption of PeopleSoft passwords
- Longest available length
- Auto-generation with the largest character set
- Rotation of passwords (i.e. change them regularly!)
- Switch on all available password controls
- Store admin passwords in a repository
PeopleSoft Hardening
Harden Your PeopleSoft Configuration
- Security Basics
  - Ensure all passwords in Web Server, Application Server and Process Scheduler configuration files are encrypted
  - Enable Application Server domain authentication so that 3-tier connections to Tuxedo are protected by a password
- Internet-facing PeopleSoft
  - Place a dedicated Web & Application server in a DMZ
  - Protect the Web & App server via a Reverse Proxy Server
  - Again - think carefully about creating a Public Access user in the web profile – especially if PeopleSoft is internet-facing
Harden Your PeopleSoft Infrastructure
- Harden all application tiers
  - Follow Oracle's advice for security hardening the WebLogic installation
  - If using HTTPS, consider disabling HTTP within WebLogic
  - Follow Oracle's advice for security hardening the Tuxedo installation
  - If Web & App servers are on different machines, use Tuxedo JOLT encryption
- Use minimally-privileged Operator IDs to start Application Servers and Process Schedulers
Further Hardening Tasks
- In the Application Server configuration file suppress SQL error messages – they can provide attackers with useful information
- Java keystore
  - Change the delivered password of the Java keystore
  - When generating signed certificate requests, use a different key password for each environment
Don’t Forget Secure PS_HOME
- Implement segregated PS_HOME, PS_APP_HOME and PS_CUST_HOME with differentiated security
- Enforce segregation of duties and allow configuration management and operations to continue without full software installation and patch privileges.
Miscellaneous Hardening Tasks
- Think carefully about creating a Public Access user in the web profile – especially if PeopleSoft is internet-facing
- Check that the Web Profile does not have a custom property "auditPWD" which enables debug and control settings
- Disable <CNTRL>-J to show environment information as this may be useful to attackers
SSO
PeopleSoft SSO
- If multi-pillar, implement PeopleSoft SSO
  - Integrated accounts and passwords means less to remember and therefore fewer passwords written on PostIt™ sticky notes!
  - Users will appreciate the ease of use
Logging For Security
Make Sure You Know What Is Going On
- Switch on detailed Web Server and App Server logging
  - Get as much detail as possible about user (or hacker) login activity
  - Create reports on the logs
- Better still, think BIG DATA, machine data
  - Log files are rich in data but they are not particularly readable and can grow enormously if detailed tracing is enabled.
  - Mine those rich sources of security information with modern Big Data tools such as Splunk
  - "Why Splunk?" Video
Auditing Enhances Security
- Enable PeopleSoft Auditing of key security-sensitive information:
  - PeopleTools > Security
  - Administrative pages where admin accounts and passwords are maintained
- PeopleTools 8.54 and beyond logs successful and unsuccessful login attempts in the PSPTLOGINAUDIT table
  - Run regular reports on this table
Customising Securely
Follow Best Practice When Customising
- Make sure your customisations follow good security practice and do not introduce weaknesses. As a minimum:
  - Every component should have appropriate row-level security.
  - Defend against SQL injection. All user-entered data that is part of dynamic SQL must be isolated to a bind variable.
  - All user-entered HTML must be escaped.
  - All hidden page fields should have the Modifiable by HTML flag deselected, with the exception of those that are used to control the user interface.
  - User-entered file names should not contain complete or relative paths. (Keep paths and file names distinct.)
Adding Layers Of Security
Third-Party Security Products
- Consider third-party technology enhancement solutions
  - Distributed Access Management
    - Why is x logging in at 2am?
    - Why is x logging in from a remote location?
  - Two-Factor/Step-Up Authentication
  - Additional base password controls
  - Firewall technology
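The regular report on login attempts recommended under "Auditing Enhances Security", together with the two questions just asked (who logs in at 2am, and from where), as detection logic over constructed rows. This is an added example, not the presentation's own code; the four-field row layout, the "S"/"F" status codes and the trusted network range are assumptions for the example and not the real PSPTLOGINAUDIT schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample rows: (user id, timestamp, status, client IP).
# Status codes are an assumption for this example: "S" = success, "F" = failure.
SAMPLE_ROWS = [
    ("HRADMIN", "2017-03-06 08:55:12", "S", "10.20.30.41"),
    ("FINUSER", "2017-03-06 09:01:03", "F", "198.51.100.7"),
    ("FINUSER", "2017-03-06 09:01:05", "F", "198.51.100.7"),
    ("FINUSER", "2017-03-06 09:01:06", "F", "198.51.100.7"),
    ("FINUSER", "2017-03-06 09:01:08", "F", "198.51.100.7"),
    ("FINUSER", "2017-03-06 09:01:10", "F", "198.51.100.7"),
    ("FINUSER", "2017-03-06 09:01:12", "S", "198.51.100.7"),
    ("HRADMIN", "2017-03-07 02:13:44", "S", "10.20.30.77"),
    ("HRADMIN", "2017-03-07 13:20:00", "S", "10.20.30.41"),
]

# Address ranges users are expected to come from (constructed for the example).
TRUSTED_NETWORKS = [ip_network("10.20.30.0/24")]


def parse_rows(rows):
    """Turn raw audit rows into events with typed timestamps and addresses."""
    return [
        {"oprid": oprid,
         "when": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
         "ok": status == "S",
         "ip": ip_address(addr)}
        for oprid, stamp, status, addr in rows
    ]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logins inside any `window`.
    Returns {oprid: largest failure count seen in one window}."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["oprid"]].append(e["when"])
    alerts = {}
    for oprid, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[oprid] = max(alerts.get(oprid, 0), count)
    return alerts


def off_hours_logins(events, start_hour=0, end_hour=6):
    """Successful logins between start_hour and end_hour (the 2am question)."""
    return [(e["oprid"], e["when"]) for e in events
            if e["ok"] and start_hour <= e["when"].hour < end_hour]


def logins_from_unexpected_networks(events, trusted=TRUSTED_NETWORKS):
    """Successful logins from outside the trusted ranges (the remote-location question)."""
    return [(e["oprid"], str(e["ip"])) for e in events
            if e["ok"] and not any(e["ip"] in net for net in trusted)]


def run_report(rows=SAMPLE_ROWS):
    events = parse_rows(rows)
    return {
        "bursts": failed_login_bursts(events),
        "off_hours": off_hours_logins(events),
        "unexpected_networks": logins_from_unexpected_networks(events),
    }


if __name__ == "__main__":
    for section, findings in run_report().items():
        print(f"{section}: {findings}")
```

On the sample data the same user trips two checks at once (a burst of failures followed by a success from outside the trusted range), which is the pattern worth escalating before the 2am login from a known internal address.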
Layered Security for PeopleSoft
Building Security Into Processes
Security Profiles And Their Management
Review security profiles
Minimum permissions only
Segregation Of Duties (SOD)
On-boarding and off-boarding processes
Cedar Security Solutions
So What’s To Be Done?
- Remember Pareto – you could probably reduce or eliminate 80% of your threat exposure by taking just 20% of all the possible actions.
- What is the garden peas link?
  - In 1896 economist Vilfredo Pareto observed that 20% of his garden peapods contained 80% of the peas and that 80% of Italy was owned by 20% of the population.
Implement Defence In Depth Security
Like a castle, data needs multiple rings of defence.
[Diagram: rings of defence around the data (Procurement, HR, Financials), with End Users, Application Administrators, Application Security Administrators, DBAs & Sys Admins and "Hackers" at the different layers.]
Taking The First Step
- Short, highly targeted security assessment
- Covers the 80% of vulnerabilities
- Delivers an assessment report with recommended actions and estimated remedial effort
Cedar Security Assessment
The Cedar Security Assessment – Recap of Coverage
- Degree of PeopleSoft Hardening
- Password Controls
- CPU level and current exposure
- Architecture
- Processes
The Cedar Security Assessment - Requirements
- Administrator access to the system
- PeopleSoft server access
- (Visibility of passwords)
- (Exact current versions of PeopleTools and supporting technologies)
The Cedar Security Assessment – Duration & Deliverables
- 2-Day audit and assessment
- Remediation report listing remediation actions and estimated effort to complete:
  - Password Management
  - Hardness of PeopleSoft configuration
  - Encryption
  - Security patching, CPUs and recommended CPU actions
13. Neville Varnham - PeopleSoft Cyber Security
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

13. Neville Varnham - PeopleSoft Cyber Security

  • 1. PeopleSoft Cyber Security Neville Varnham How Well Prepared Are You?
  • 3. So You Think You Are Safe? The Cerber affiliate scheme allows anyone to become a cyber extortionist - for a price. A ransomware-as-a- service scheme is enabling even the most technically illiterate cyber criminal to extort payments from victims infected with data-encrypting malware -- with the developers of the service taking a significant chunk of the ill-gotten gains. GoldenEye, Petya & Locky are similar.
  • 4. I Use Passwords – I Am Safe!
    - I can download, install and configure the hashcat “password recovery” (aka cracking) software and add a decent set of word lists in about 10 – 15 minutes.
    - All I need next is an idea of what encryption algorithm has been used:
      - DES – encrypted passwords have no ID (e.g. {V1.1})
      - 3DES – encrypted passwords start with {V1.1}
      - 3DES – after key regeneration, V1.2, V1.3 etc
      - AES – encrypted passwords start with {AES}
    - Assume 1 billion password guesses per second in a brute force attack
      - 6 char alpha-numeric password has 56.8 billion combinations – cracked in under a minute!
      - 12 char alpha-numeric password will take > 100,000 years
    - Password crackers don’t just use brute force!
  • 5. I Trust My Users “An undergraduate at the University of Nebraska last year was able to break into a database associated with the university's PeopleSoft system, exposing Social Security numbers and other sensitive information on about 654,000 students, alumni and employees. According to our sister website Dark Reading, the university was lucky enough to detect the breach and shut it down quickly. An IT staffer picked up on an error message that seemed like evidence of something amiss, and a recently installed security information and event management system helped network managers sort through system logs and collect enough evidence to allow police to get a warrant to confiscate the computer of the student believed to have been behind the attack.”
  • 6. Security Breaches Cost: Money & Reputation
  • 8. Terminology – Selected Terms Only
    - HARDENING – Process of identifying and fixing vulnerabilities on a system.
    - THREAT – A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
    - THREAT ASSESSMENT – The identification of types of threats that an organization might be exposed to.
    - THREAT MODEL – Used to describe a given threat and the harm it could do to a system if it has a vulnerability.
    - THREAT VECTOR – Method a threat uses to get to the target.
    - HASH FUNCTIONS – (Cryptographic) hash functions are used to generate a one way "check sum" for a larger text, which is not trivially reversed. Can be used to create encrypted passwords.
    - CPU – Critical Patch Update – set of security patches issued regularly by Oracle: http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf
  • 9. Terminology – More Selected Terms
    - Intrusion Detection System (IDS) – Network device or program that monitors network traffic and logs/reports suspicious network activity.
    - An IDS is usually installed at the edge of an organization’s networks. Network traffic coming from outside is examined for malicious activity. The IDS may not only examine the contents of the traffic, it can also look for traffic with a specific signature pattern — a sequence of packets matching the profile of a known attack.
    - An intrusion prevention system (IPS) goes one step farther, and attempts to block suspicious traffic once it has detected it.
    - GPU – Graphics Processing Unit. A massively parallel board with many CPU cores designed to run very similar operations in parallel for graphics acceleration – but very well suited to running brute force password cracking attempts over and over again.
  • 10. Terminology – Will He Never Finish?
    - Phishing [Wikipedia] – Attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising as a trustworthy entity in an electronic communication. [NV] Wide target audience and low success rate.
    - Spear Phishing – Something Tom Hanks got good at in “Castaway”
    - Spear Phishing – A carefully crafted phishing attack targeted at key individuals, and purporting to be from an organisation or person “the mark” would recognise and treat as genuine.
    - The Mark – Term I learned from “Hustle” for the rich stupid loser who will be considerably less rich at the end of the episode.
  • 12. Inform – Act – Resolve. I’ll present some key information and thoughts. Look out for this symbol: that topic will be included in the Cedar Security Assessment.
  • 14. Critical Patch Updates – CPUs
    - What are they?
    - How do you get notifications?
    - How to ensure you can act on them.
    - How to understand them.
    - How to assess the impact.
    - How to decide what action to take.
  • 15. Terminology Of The Oracle CPU
    - CVE# (or Vuln# in older advisories) – The unique identifier of a vulnerability.
    - Protocol – The protocol required to attempt to exploit the vulnerability.
    - Remote Exploit Without Authentication? – Can the attacker attack the system remotely without having to supply valid login credentials?
    - CVSS Version Base Risk
      - The CVSS Base Score, an assessment of risk defined by the Common Vulnerability Scoring System (CVSS). The "Oracle's Use of CVSS Scoring" page explains Oracle's implementation.
      - The CVSS base score assigns a numeric value between 0.0 and 10.0 to indicate the severity of the vulnerability, where 10.0 represents the highest severity. Each risk matrix is ordered using this value, with the most severe vulnerability at the top of each risk matrix.
    - Supported Versions Affected – Actually means which versions of the product Oracle are releasing fixes on. Typically the latest version of PeopleTools and the previous one, for a period of time.
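The risk-matrix columns above are what you triage against. The following is an added example, not from the deck and not an Oracle tool: it takes constructed matrix rows (the CVE identifiers are placeholders, not real CVEs), applies the ordering the slide describes (CVSS base score, with remote-without-authentication entries on an internet-facing system pulled to the top) and reads "Supported Versions Affected" the way the slide does, so a deployed PeopleTools version that is not listed gets an "upgrade" action rather than a patch. Column names and the deployment inputs are assumptions.

```python
"""Prioritise Oracle CPU risk-matrix rows against your own deployment.

Added example (not from the deck or Oracle). Rows are constructed and the
CVE ids are placeholders; column names mirror the terminology of slide 15.
"""
from dataclasses import dataclass


@dataclass
class MatrixRow:
    cve: str                    # placeholder identifier, not a real CVE
    component: str
    protocol: str               # protocol needed to attempt exploitation
    remote_no_auth: bool        # "Remote Exploit Without Authentication?"
    cvss_base: float            # 0.0 .. 10.0
    supported_versions: tuple   # versions Oracle ships a fix for


# Constructed sample matrix: four made-up entries, no real advisory data
CONSTRUCTED_ROWS = [
    MatrixRow("CVE-XXXX-0001", "PeopleTools", "HTTP", True, 9.8, ("8.55", "8.56")),
    MatrixRow("CVE-XXXX-0002", "PeopleTools", "HTTP", False, 6.5, ("8.55", "8.56")),
    MatrixRow("CVE-XXXX-0003", "PeopleTools", "JOLT", True, 7.5, ("8.56",)),
    MatrixRow("CVE-XXXX-0004", "PeopleTools", "None", False, 4.3, ("8.55", "8.56")),
]


def severity_band(score):
    """CVSS v3.x qualitative rating bands as published by FIRST."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def triage(rows, deployed_tools_version, internet_facing):
    """Return (row, action) pairs for this deployment, most urgent first.

    Ordering: remote-without-authentication rows on an internet-facing
    system first, then descending CVSS base score (the matrix order).
    """
    result = []
    for r in rows:
        if deployed_tools_version not in r.supported_versions:
            # Slide 15: no fix is released for this version, so the only
            # remediation is to move to a version Oracle patches.
            action = "UPGRADE: no fix released for " + deployed_tools_version
        elif r.remote_no_auth and internet_facing:
            action = "PATCH NOW: remote, unauthenticated, internet-facing"
        elif r.remote_no_auth:
            action = "PATCH SOON: remote, unauthenticated (internal network only)"
        else:
            action = "SCHEDULE: exploitation needs valid credentials"
        result.append((r, action))
    result.sort(key=lambda t: (not (t[0].remote_no_auth and internet_facing),
                               -t[0].cvss_base))
    return result


if __name__ == "__main__":
    for row, action in triage(CONSTRUCTED_ROWS, "8.56", True):
        print(f"{row.cve} {row.cvss_base:4.1f} {severity_band(row.cvss_base):8} {action}")
```

Run it with your real deployed version and a list built from the current advisory; the point is that the same CVSS score yields a different action depending on whether the system is internet-facing and whether your version is still one Oracle fixes.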
  • 16. Understanding The Attack Vectors
    - Knowing how the attacker will set about gaining unauthorized access
    - Consider in conjunction with vulnerabilities
    - Consider in conjunction with your deployed architecture
    - Internet-facing systems are at considerably more risk
    - Never forget internal attackers
  • 18. Different Types Of Encryption Configuration
    - Encrypt data at rest – database encryption
    - Encrypt data in transit – use HTTPS
    - Signed certificates and their requests
    - Configuring WebLogic
    - Java keystore
    - REN server configuration
  • 19. Data Obfuscation
    - Implement data masking/obfuscation
    - Ensure production data does not exist in non-prod environments
    - Have a data obfuscation tool
    - Build data obfuscation into refresh procedures for Dev & Test environments
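One way to build obfuscation into a refresh, as an added example that is not a Cedar or Oracle tool: keyed pseudonymisation with HMAC, so a given production value always maps to the same fake value within one refresh (joins between masked tables still line up) while the output carries no production PII. The column names, the sample record and the masking key are constructed; in practice the key would live in a vault, be rotated per refresh and never be copied to the target environment.

```python
"""Deterministic masking of PII columns for Dev/Test refreshes.

Added example, not from the deck. Column names (EMPLID, NATIONAL_ID, ...)
and the record below are constructed; MASKING_KEY is a placeholder.
"""
import hashlib
import hmac

MASKING_KEY = b"placeholder-per-refresh-key"   # constructed; keep outside non-prod


def pseudonym_digits(value, key, width):
    """Map a string to a fixed-width digit string via HMAC-SHA256.

    Same input and key always give the same output, so references between
    masked tables survive; without the key the mapping cannot be reversed.
    """
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % (10 ** width)).zfill(width)


def mask_ssn(ssn, key=MASKING_KEY):
    """Replace a national id with a format-preserving fake (nnn-nn-nnnn)."""
    digits = ssn.replace("-", "")
    fake = pseudonym_digits(digits, key, 9)
    return f"{fake[:3]}-{fake[3:5]}-{fake[5:]}"


def mask_name(name, key=MASKING_KEY):
    """Replace a name with a stable, obviously synthetic token."""
    tag = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:8].upper()
    return "EMP" + tag


def mask_row(row, key=MASKING_KEY):
    """Mask one person record (dict of column -> value)."""
    masked = dict(row)
    if "NATIONAL_ID" in masked:
        masked["NATIONAL_ID"] = mask_ssn(masked["NATIONAL_ID"], key)
    for col in ("FIRST_NAME", "LAST_NAME"):
        if col in masked:
            masked[col] = mask_name(masked[col], key)
    if "EMAIL" in masked:
        # Route all non-prod mail to a reserved, undeliverable domain
        masked["EMAIL"] = masked.get("EMPLID", "user").lower() + "@example.invalid"
    return masked


# Constructed sample record, not real data
SAMPLE_ROW = {"EMPLID": "1001", "FIRST_NAME": "Alice", "LAST_NAME": "Smith",
              "NATIONAL_ID": "123-45-6789", "EMAIL": "alice@corp.example"}

if __name__ == "__main__":
    print(mask_row(SAMPLE_ROW))
```

The masked id keeps its shape so page validation and reports still work, but it is not derived from the original in any way an attacker could undo without the key; the email rewrite also stops a test run from mailing real people.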
  • 21. Password Management Policy
    - Modify all administrative and super-user passwords
    - Never use default or well-known passwords
    - Implement an access and password management policy
    - Use a site-specific SALT value in the encryption of PeopleSoft passwords
    - Longest available length
    - Auto-generation with the largest character set
    - Rotation of passwords (i.e. change them regularly!)
    - Switch on all available password controls
    - Store admin passwords in a repository
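The arithmetic behind slide 4 and the "longest length, largest character set, auto-generated" advice on slide 21, as one added example that is not from the deck: the 56.8 billion figure is 62 to the power 6, i.e. an upper-case, lower-case and digit alphabet, and at the slide's assumed rate of one billion guesses per second that keyspace is exhausted in about 57 seconds, while 62 to the power 12 takes just over 100,000 years. The generator draws from the full printable set using the `secrets` module; the policy check is a minimum and, as the slide warns, says nothing about word-list attacks.

```python
"""Brute-force exposure estimate and policy-driven password generation.

Added example (not from the deck). Guess rate of 1e9/s is the slide's own
assumption; alphabet sizes follow Python's string constants.
"""
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits       # 62 symbols
FULL_CHARSET = ALPHANUMERIC + string.punctuation          # 94 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def brute_force_seconds(alphabet_size, length, guesses_per_second=1e9):
    """Worst case time to try every password in the keyspace."""
    return keyspace(alphabet_size, length) / guesses_per_second


def brute_force_years(alphabet_size, length, guesses_per_second=1e9):
    return brute_force_seconds(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def passes_policy(password, min_length=12):
    """Minimum policy: length and all four character classes present.

    This only rules out the trivially weak; crackers use word lists and
    rules, so length and randomness (not just classes) are what matter.
    """
    if len(password) < min_length:
        return False
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return all(any(c in cls for c in password) for cls in classes)


def generate_password(length=20):
    """Auto-generate from the largest character set with a CSPRNG,
    re-drawing until the generated value satisfies the policy."""
    while True:
        candidate = "".join(secrets.choice(FULL_CHARSET) for _ in range(length))
        if passes_policy(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    for n in (6, 8, 12):
        print(f"{n} chars from 62 symbols: {brute_force_years(62, n):.3g} years")
    print("generated:", generate_password())
```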
  • 23. Harden Your PeopleSoft Configuration
    - Security basics
      - Ensure all passwords in Web Server, Application Server and Process Scheduler configuration files are encrypted
      - Enable Application Server domain authentication so that 3-tier connections to Tuxedo are protected by a password
    - Internet-facing PeopleSoft
      - Place a dedicated Web & Application server in a DMZ
      - Protect the Web & App server via a Reverse Proxy Server
      - Again – think carefully about creating a Public Access user in the web profile, especially if PeopleSoft is internet-facing
  • 24. Harden Your PeopleSoft Infrastructure
    - Harden all application tiers
      - Follow Oracle’s advice for security hardening the WebLogic installation
      - If using HTTPS, consider disabling HTTP within WebLogic
      - Follow Oracle’s advice for security hardening the Tuxedo installation
      - If Web & App servers are on different machines, use Tuxedo JOLT encryption
    - Use minimally-privileged Operator IDs to start Application Servers and Process Schedulers
  • 25. Further Hardening Tasks
    - In the Application Server configuration file, suppress SQL error messages – they can provide attackers with useful information
    - Java keystore
      - Change the delivered password of the Java keystore
      - When generating signed certificate requests, use a different key password for each environment
  • 26. Don’t Forget Secure PS_HOME, Sweet Home
    - Implement segregated PS_HOME, PS_APP_HOME and PS_CUST_HOME with differentiated security
    - Enforce segregation of duties and allow configuration management and operations to continue without full software installation and patch privileges.
  • 27. Miscellaneous Hardening Tasks
    - Think carefully about creating a Public Access user in the web profile – especially if PeopleSoft is internet-facing
    - Check that the Web Profile does not have a custom property “auditPWD”, which enables debug and control settings
    - Disable <CNTRL>-J to show environment information, as this may be useful to attackers
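A check that covers the first item of slide 23 (every credential in a configuration file encrypted) and the auditPWD item of slide 27, as an added example that is not an Oracle utility: it scans configuration text for keys that look like credentials and flags any value that does not carry the {V1.1}/{V1.2}/{AES} marker described on slide 4, which the slide says means DES or no encryption at all. The configuration snippet and the web-profile property map are constructed; the key names are chosen to resemble a domain configuration and are not a claim about the real file format, and the `allowPublicAccess` property name is an assumption.

```python
"""Find unencrypted credentials in PeopleSoft-style configuration text and
check a web profile for the auditPWD / public-access settings.

Added example (not Oracle tooling). All sample content is constructed.
"""
import re

# {V1.1}, {V1.2}, ... for 3DES, {AES} for AES, per slide 4; no marker = DES or plaintext
ENCRYPTED_PREFIX = re.compile(r"^\{(V\d+\.\d+|AES)\}")
CREDENTIAL_KEY = re.compile(r"(pass|pswd|pwd)", re.IGNORECASE)

CONSTRUCTED_APPSRV_CFG = """\
[Startup]
DBName=HRDEV
DBType=ORACLE
UserId=PS
UserPswd={V1.1}YzxYQ0fLKw2b2gAbCdEf
ConnectId=people
ConnectPswd=peop1e
DomainConnectionPwd={AES}ZTllN2I1NGQ0YjdhZGM0Mg
"""

CONSTRUCTED_WEB_PROFILE = {
    "auditPWD": "debug",            # custom property slide 27 says should not exist
    "allowPublicAccess": "true",    # assumed property name for the public access user
}


def classify_marker(value):
    """Algorithm family implied by the value's prefix (slide 4)."""
    m = ENCRYPTED_PREFIX.match(value)
    if not m:
        return "plaintext-or-DES"
    return "AES" if m.group(1) == "AES" else "3DES (" + m.group(1) + ")"


def find_plaintext_credentials(cfg_text):
    """Return (line_no, key) for credential-looking keys with no encryption marker."""
    findings = []
    for n, line in enumerate(cfg_text.splitlines(), 1):
        stripped = line.lstrip()
        if "=" not in stripped or stripped.startswith(("#", ";", "[")):
            continue
        key, _, value = stripped.partition("=")
        key, value = key.strip(), value.strip()
        if CREDENTIAL_KEY.search(key) and value and not ENCRYPTED_PREFIX.match(value):
            findings.append((n, key))
    return findings


def audit_web_profile(props):
    """Return a list of human-readable issues for a web profile property map."""
    issues = []
    if "auditPWD" in props:
        issues.append("custom property auditPWD present (enables debug and control settings)")
    if str(props.get("allowPublicAccess", "")).lower() == "true":
        issues.append("public access user enabled; reconsider on an internet-facing system")
    return issues


if __name__ == "__main__":
    for line_no, key in find_plaintext_credentials(CONSTRUCTED_APPSRV_CFG):
        print(f"line {line_no}: {key} is not encrypted")
    for issue in audit_web_profile(CONSTRUCTED_WEB_PROFILE):
        print("web profile:", issue)
```

Point the scanner at each domain's configuration files on the web, application and process scheduler tiers; a hit on a value without a marker is a finding whether it is DES or plaintext, because slide 4 puts both within reach of an attacker with a copy of the file.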
  • 28. SSO – PeopleSoft SSO
    - If multi-pillar, implement PeopleSoft SSO
    - Integrated accounts and passwords mean less to remember and therefore fewer passwords written on PostIt™ sticky notes!
    - Users will appreciate the ease of use
  • 30. Make Sure You Know What Is Going On
    - Switch on detailed Web Server and App Server logging
    - Get as much detail as possible about user (or hacker) login activity
    - Create reports on the logs
    - Better still, think BIG DATA, machine data
      - Log files are rich in data but they are not particularly readable and can grow enormously if detailed tracing is enabled.
      - Mine those rich sources of security information with modern Big Data tools such as Splunk
      - "Why Splunk?" video
  • 31. Auditing Enhances Security
    - Enable PeopleSoft auditing of key security-sensitive information:
      - PeopleTools > Security
      - Administrative pages where admin accounts and passwords are maintained
    - PeopleTools 8.54 and beyond logs successful and unsuccessful login attempts in the PSPTLOGINAUDIT table
      - Run regular reports on this table
  • 33. Follow Best Practice When Customising
    - Make sure your customisations follow good security practice and do not introduce weaknesses. As a minimum:
      - Every component should have appropriate row-level security.
      - Defend against SQL injection. All user-entered data that is part of dynamic SQL must be isolated to a bind variable.
      - All user-entered HTML must be escaped.
      - All hidden page fields should have the Modifiable by HTML flag deselected, with the exception of those that are used to control the user interface.
      - User-entered file names should not contain complete or relative paths. (Keep paths and file names distinct.)
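Three of the checklist items above (bind variables for dynamic SQL, escaping user-entered HTML, and file names without path components) side by side in executable form. This is an added example written in Python against an in-memory SQLite table so the difference between concatenation and a bind variable can be run, not PeopleCode and not code from the deck; the EMPLOYEE table, its rows and the function names are constructed.

```python
"""Customisation checklist, executable: dynamic SQL with and without a bind
variable, HTML escaping, and file-name validation.

Added example (not PeopleCode, not from the deck). Table and rows constructed.
"""
import html
import os
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE EMPLOYEE (EMPLID TEXT, NAME TEXT, SALARY INTEGER)")
    db.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?)",
                   [("1001", "Alice", 50000), ("1002", "Bob", 62000)])
    return db


def lookup_vulnerable(db, emplid):
    """The weakness the slide warns about: user input spliced into SQL text."""
    sql = "SELECT NAME FROM EMPLOYEE WHERE EMPLID = '" + emplid + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db, emplid):
    """User input isolated to a bind variable: it is data, never SQL."""
    sql = "SELECT NAME FROM EMPLOYEE WHERE EMPLID = ?"
    return [row[0] for row in db.execute(sql, (emplid,))]


def render_name_html(name):
    """Escape user-entered text before it is written into a page."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


def safe_filename(user_supplied):
    """Return the bare file name, or None if it carries any path component.

    Checks both separators explicitly because os.path.basename only knows
    the separator of the platform the code runs on.
    """
    if user_supplied in ("", ".", ".."):
        return None
    if "/" in user_supplied or "\\" in user_supplied or "\x00" in user_supplied:
        return None
    if user_supplied != os.path.basename(user_supplied):
        return None
    return user_supplied


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"      # constructed input that is not a valid EMPLID
    print("concatenated SQL returned:", lookup_vulnerable(db, probe))
    print("bind variable returned:  ", lookup_hardened(db, probe))
    print(render_name_html("<b>Alice</b>"))
    print(safe_filename("../payroll.csv"), safe_filename("payroll.csv"))
```

In a review of a customisation, the thing to look for is the first function's shape: any SQL string built by concatenating a page field. The hardened form returns nothing for the probe because the whole string is compared against EMPLID as a value.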
  • 34. Adding Layers Of Security
  • 35. Third-Party Security Products
    - Consider third-party technology enhancement solutions
      - Distributed Access Management
        - Why is x logging in at 2am?
        - Why is x logging in from a remote location?
      - Two-Factor/Step-Up Authentication
      - Additional base password controls
      - Firewall technology
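The "run regular reports on PSPTLOGINAUDIT" advice of slide 31 and the two questions slide 35 asks (who logs in at 2am, who logs in from a remote location) are answerable from the login audit without a product. The following is an added example, not PeopleSoft's reporting and not from the deck: it runs three detections over constructed audit rows. The column names (OPRID, LOGINDTTM, LOGINSTATUS, CLIENTIP), the status codes, the internal address range and the business-hours window are assumptions standing in for whatever your own extract carries.

```python
"""Detections over login-audit rows: failed-login bursts, off-hours
sign-ins, and sign-ins from outside the expected network.

Added example (not from the deck). Rows, column names, status codes,
network ranges and hours are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed rows: (OPRID, LOGINDTTM, LOGINSTATUS, CLIENTIP); 'S' success, 'F' failure (assumed)
CONSTRUCTED_ROWS = [
    ("PS",     "2018-03-05 02:05:11", "F", "203.0.113.9"),
    ("PS",     "2018-03-05 02:05:14", "F", "203.0.113.9"),
    ("PS",     "2018-03-05 02:05:17", "F", "203.0.113.9"),
    ("PS",     "2018-03-05 02:05:20", "F", "203.0.113.9"),
    ("PS",     "2018-03-05 02:05:23", "F", "203.0.113.9"),
    ("PS",     "2018-03-05 02:05:40", "S", "203.0.113.9"),
    ("JSMITH", "2018-03-05 09:12:00", "S", "10.20.30.40"),
    ("JSMITH", "2018-03-05 13:01:00", "F", "10.20.30.41"),
    ("AJONES", "2018-03-05 23:45:00", "S", "10.20.30.50"),
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate range
BUSINESS_HOURS = range(7, 20)                           # 07:00-19:59, assumed


def parse(rows):
    return [(oprid, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), status, ipaddress.ip_address(ip))
            for oprid, ts, status, ip in rows]


def failed_login_bursts(rows, threshold=5, window=timedelta(minutes=5)):
    """Users with >= threshold failures inside `window`; the third field says
    whether a success followed within the same window (guessing that worked)."""
    by_user = defaultdict(list)
    for oprid, ts, status, _ip in parse(rows):
        by_user[oprid].append((ts, status))
    alerts = []
    for oprid, events in by_user.items():
        events.sort()
        fails = [ts for ts, st in events if st == "F"]
        for i in range(len(fails) - threshold + 1):
            burst_end = fails[i + threshold - 1]
            if burst_end - fails[i] <= window:
                success_after = any(st == "S" and burst_end <= ts <= burst_end + window
                                    for ts, st in events)
                alerts.append((oprid, burst_end, success_after))
                break
    return alerts


def off_hours_logins(rows):
    """Successful sign-ins outside the business-hours window (the 2am question)."""
    return [(oprid, ts) for oprid, ts, st, _ip in parse(rows)
            if st == "S" and ts.hour not in BUSINESS_HOURS]


def external_logins(rows):
    """Successful sign-ins from addresses outside the internal ranges."""
    return [(oprid, str(ip)) for oprid, _ts, st, ip in parse(rows)
            if st == "S" and not any(ip in net for net in INTERNAL_NETS)]


if __name__ == "__main__":
    print("bursts:  ", failed_login_bursts(CONSTRUCTED_ROWS))
    print("off-hours:", off_hours_logins(CONSTRUCTED_ROWS))
    print("external: ", external_logins(CONSTRUCTED_ROWS))
```

The administrative account in the sample trips all three detections at once, which is the combination worth an alert rather than a report: a burst of failures from an external address followed by a success, outside business hours.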
  • 36. Layered Security for PeopleSoft
  • 38. Security Profiles And Their Management
    - Review security profiles
    - Minimum permissions only
    - Segregation Of Duties (SOD)
    - On-boarding and off-boarding processes
  • 40. So What’s To Be Done?
    - Remember Pareto – you could probably reduce or eliminate 80% of your threat exposure by taking just 20% of all the possible actions.
    - What is the garden peas link?
      - In 1896 economist Vilfredo Pareto observed that 20% of his garden peapods contained 80% of the peas and that 80% of Italy was owned by 20% of the population
  • 41. Implement Defence In Depth Security. Like a castle, data needs multiple rings of defence. Ring labels as they appear on the slide: Procurement, HR, Financials; End Users; Application Administrators; Application Security Administrators; DBAs & Sys Admins; “Hackers”.
  • 42. Taking The First Step – Cedar Security Assessment
    - Short, highly targeted security assessment
    - Covers the 80% of vulnerabilities
    - Delivers an assessment report with recommended actions and estimated remedial effort
  • 43. The Cedar Security Assessment – Recap of Coverage
    - Degree of PeopleSoft hardening
    - Password controls
    - CPU level and current exposure
    - Architecture
    - Processes
  • 44. The Cedar Security Assessment – Requirements
    - Administrator access to the system
    - PeopleSoft server access
    - (Visibility of passwords)
    - (Exact current versions of PeopleTools and supporting technologies)
  • 45. The Cedar Security Assessment – Duration & Deliverables
    - 2-day audit and assessment
    - Remediation report listing remediation actions and estimated effort to complete:
      - Password management
      - Degree of hardening of the PeopleSoft configuration
      - Encryption
      - Security patching, CPUs and recommended CPU actions