SlideShare ist ein Scribd-Unternehmen logo

Learn About the Top Oracle E-Business Suite Security Vulnerabilities

OAUGNJ
OAUGNJ

Learn about the top security risks and vulnerabilities specific to the Oracle E-Business Suite and why you should care! Whether your ERP is in the process of being implemented or has been in place for years, there are a number of security vulnerabilities commonly overlooked by implementation / support teams focused on project timing, budget, and functionality. This presentation is geared toward the end user community, system administrators, and other application support personnel and what they need to know to protect their Oracle EBS data from unauthorized access. Amplify the participants’ overall security awareness Share knowledge and experiences in securing Oracle EBS Provide a detailed list of commonly overlooked security vulnerabilities, risks each pose, and how to fix or mitigate each

Technologie
1 von 53
Downloaden Sie, um offline zu lesen
Top Oracle E-Business Suite Security Vulnerabilities Christeen Russell, Crowe Horwath
Christeen Russell • Senior Manager in the Technology Risk Group at Crowe Horwath • Technology audit and implementation capabilities include: • Oracle E-Business Suite 11i & R12 • Great Plains 10 • Microsoft CRM 4.0 & 2011 • Certified Public Accountant (CPA) - Illinois & New York • Certified Information Systems Auditor (CISA)
Crowe Risk Consulting We have more than 1,100 experienced practitioners with geographic, functional, and industry expertise. Crowe Horwath Global Risk Consulting has been named a “Challenger” by Gartner, Inc., in the “Magic Quadrant for Global Risk Management Consulting Services”, by Jacqueline Heng and John A. Wheeler. The full report can be reviewed at www.crowehorwath.com/gartner
Objectives 1. Amplify the participants’ overall Oracle EBS security awareness 2. Share knowledge and experiences in securing Oracle EBS 3. Provide a detailed list of commonly overlooked Oracle EBS security vulnerabilities, risks each pose, and how to fix or mitigate each
Top Security Concerns • Seeded (default/generic) application accounts with known passwords (30+) • Seeded database accounts with known passwords (200+) • AZN menus • Seeded responsibilities and menus • Delegation authority and proxy users • Direct database access through the application • Defense against cross-site scripting (XSS), HTML injection attacks, and parameter and URL tampering • Weak default password settings • Password setting “overrides” • Protecting sensitive information • Sensitive administrative pages
Why are These Top Security Concerns? • Issues commonly seen in Oracle EBS environments • Most are free and/or not complex to address • Relevant to various releases • Not well known
What are the Risks? • Unauthorized access (to data and configuration settings), adversely affecting transaction processing and data integrity • Data exfiltration and leakage • Non-compliance with regulations (SOX, PCI DSS/PA DSS, HIPPA, etc.) • Non-compliance with company policy • Potential to commit fraud • Reputational harm
Privileged & Generic IDs
ID Overview +30 seeded “generic” user ids: i.e. APPSMGR, IBEGUEST, GUEST, SYSADMIN, WIZARDOracle EBS Oracle EBS creates 200+ db accounts: i.e. APPS, APPLSYS, SYS, SYSTEM, 100+ schema accountsOracle Database oracle, applmgrOperating System Oracle ships seeded accounts with widely known default passwords!
Privileged & Generic IDs • Passwords are published on the internet and are typically “welcome”, “Oracle”, or is the same as the id; i.e. • MOBADM password is MOBADM • ASGADM password is welcome • Some IDs have privileged access • New accounts are automatically added during upgrades, i.e.: • 12.2.2 – GHG, APPS_NE • 12.1.0 – DDR, DPP, INL, MTH, QPR, RRS • 12.0.4 – IZU • 12.0.0 – DNA, GMO, IBW, IPM, JMF •2 . 2 . 2 – G H G , A P P S _ N E •2 . 1 . 0 – D D R , D P P , I N L, M T H , Q P R , R R S •2 . 0 . 4 – I Z U •2 . 0 . 0 – D N A , G M O , I B W , I P M , J M F •2 . 2 . 2 – G H G , A P P S _ N E •2 . 1 . 0 – D D R , D P P , I N L, M T H , Q P R , R R S •2 . 0 . 4 – I Z U •2 . 0 . 0 – D N A , G M O , I B W , I P M , J M F
Seeded ID’s – Application Level ID Purpose Change Password Disable Account AME_INVALID_APPROVER AME workflow migration 11.5.9 to 11.5.10 Yes Yes ANONYMOUS FND/AOL - Anonymous for non-logged users Yes Yes APPSMGR Routine maintenance via concurrent requests No^ Yes ASADMIN Application Server Administrator No^ Yes ASGADM Mobile gateway related products Yes Yes* ASGUEST Sales Application guest user Yes Yes* AUTOINSTALL AD Yes Yes CONCURRENT MANAGER FND/AOL: Concurrent Manager Yes Yes FEEDER SYSTEM AD - Supports data from feeder system Yes Yes ^ it is not possible to login as this user unless you change the password * Required for Mobile Sales, Service, and Mobile Core Gateway components. Or required for Sales Application. Or required for iStore.
Seeded ID’s – Application Level ID Purpose Change Password Disable Account GUEST Guest application user Yes No IBE_ADMIN iStore Admin user Yes Yes* IBE_GUEST iStore Guest user Yes Yes* IBEGUEST iStore Guest user Yes Yes* IEXADMIN Internet Expenses Admin Yes Yes INDUSTRY DATA Used for PCI Security Demo No^ Yes INITIAL SETUP AD Yes Yes IRC_EMP_GUEST iRecruitment Employee Guest Login Yes Yes IRC_EXT_GUEST iRecruitment External Guest Login Yes Yes MOBADM Mobile Applications Development Yes Yes MOBILEADM Mobile Applications Admin Yes Yes MOBILEDEV Mobile Applications Development Yes Yes Do not disable the GUEST account.
Seeded ID’s – Application Level ID Purpose Change Password Disable Account OP_CUST_CARE_ADMIN Customer Care Admin for Oracle Provisioning Yes Yes OP_SYSADMIN OP (Process Manufacturing) Admin User Yes Yes ORACLE12.0.0 to ORACLE12.9.0 Owner for release specific seed data No^ No PORTAL30 Oracle Portal and Portal Single Sign On (desupported) Yes Yes PORTAL30_SSO Oracle Portal and Portal Single Sign On (desupported) Yes Yes STANDALONE BATCH PROCESS FND/AOL Yes Yes SYSADMIN Application Systems Admin Yes No WIZARD AD Application Implementation Wizard Yes Yes XML_USER Gateway Yes Yes Do not disable the SYSADMIN account.
Other Generic ID’s – Application Level • Search for other generic ID’s from the users table (fnd_users) • SQL statement to identify users with: • no “end_date” • no “employee_id” and/or • “last_logon_date” greater than a certain date • Greatly narrow down your search through the user list
Seeded ID’s – Database Level Schema Purpose Change Password SYS Initial schema in any Oracle database Yes SYSTEM Initial DBA User Yes DBSNMP, SYSMAN, MGMT_VIEW Used for database status monitoring Yes SCOTT Oracle db demo account Yes and lock the account SSOSDK Single Sign On SDK Yes JUNK_PS, MDSYS, ODM_MTR, OLAPSYS, ORDPLUGINS, ORDSYS, OUTLN, OWAPUB, MGDSYS Yes PORTAL30_DEMO, PORTAL30_PUBLIC, PORTAL30_SSO_PS, & PORTAL30_SSO_PUBLIC Oracle Login Server and Portal 3.0.9 with E- Business Suite 11i Yes and lock PORTAL30_DEMO if using 11i; otherwise lock all PORTAL30, PORTAL30_SSO Oracle Login Server and Portal 3.0.9 with E- Business Suite 11i Yes and lock the schemas if not using 11i CTXSYS Used by Online Help and CRM service products for indexing knowledge base data Yes
Seeded ID’s – Database Level Schema Purpose Change Password EDWREP Embedded Data Warehouse Metadata Repository Yes, but if not using Embedded Data Warehouse, then lock and expire EDWREP ODM Oracle Data Manager Yes APPLSYSPUB Verifies the username/password combination and the records the success or failure of a login attempt. R12 only Yes (must be all upper case) APPLSYS Contains shared APPS objects Yes, use a long secure password APPS Runtime user for E-Business Suite. Owns all of the applications code in the database Yes, use a long secure password APPS_mrc Obsolete account Yes, use a long secure password AD_MONITOR EM_MONITOR Oracle Applications Manager uses this schema to monitor running patches. Although the default password for AD_MONITOR is 'lizard', the schema is created locked and expired. Yes
Seeded ID’s – Database Level ABM AHL AHM AK ALR AMF AMS AMV AMW AP AR ASF ASG ASL ASN ASO ASP AST AX AZ BEN BIC BIL BIM BIS BIV BIX BNE BOM BSC CCT CE CLN CN CRP CS CSC CSD CSE CSF CSI CSL CSM CSP CSR CSS CUA CUE CUF CUG CUI CUN CUP CUS CZ DDD DDR DNA DOM DPP EAA EAM EC ECX EDR EGO ENG ENI EVM FA FEM FII FLM FPA FPT FRM FTE FTP FUN FV GCS GL GHG GMA GMD GME GMF GMI GML GMO GMP GMS GR HR HRI HXC HXT IA IBA IBC IBE IBP IBU IBW IBY ICX IEB IEC IEM IEO IES IEU IEX IGC IGF IGI IGS IGW IMC IMT INL INV IPA IPD IPM ISC ITA ITG IZU JA JE JG JL JMF JTF JTM JTS LNS ME MFG MRP MSC MSD MSO MSR MST MTH MWA OE OKB OKC OKE OKI OKL OKO OKR OKS OKX ONT OPI OSM OTA OZF OZP OZS PA PFT PJI PJM PMI PN PO POA POM PON POS PRP PSA PSB PSP PV QA QOT QP QPR QRM RG RHX RLA RLM RRS SSP VEA VEH WIP WMS WPS WSH WSM XDO XDP XLA XLE XNB XNC XNI XNM XNP XNS XTR ZFA ZPB ZSA ZX • By default the password is the same as the SCHEMA name • Change all of these schema passwords 200+ DB schemas shipped with Oracle EBS New schemas are created during upgrades
Control Seeded ID’s • Change the password and disable the account where recommended • Changed passwords should be “sealed” • For accounts where the password cannot be changed and/or disabled log activity performed using the accounts (manual logins) • Setup alerts or have periodic reviews of activity • Consult Oracle Metalink Note 403537.1.
Restricted Access & Segregation of Duties
Restricted Access & Segregation of Duties • Defined as users with too much or conflicting access • Risk: • Unauthorized transactions, erroneous transactions, or fraudulent activity • Users with combined access privileges to modify system configuration settings along with business transaction execution access increases the risk that application controls dependent upon configuration settings will be circumvented • Data leakage or exfiltration • So let’s discuss: • AZN’s • Seeded menus and responsibilities • Delegation authority • Proxy users
Process Tab / AZN • Click an icon to gain immediate access to the associated form • In this example, the user most likely has “end-to-end” access in the purchase to payments process Traditional way to access functions Process tab access
Process Tab / AZN - continued • Potential Segregation of Duties Conflicts!! • NOTE: Many do not know this additional access exists. Example of a menu with an AZN submenu (menus are assigned to responsibilities):
Exclude AZN Submenus However….. Lets consider the next topic
AZN Menus Exists for GL, AP, AR, Inventory, PO, Order Management menus
Seeded Menus & Responsibilities • Should not be used nor copied and renamed • These are not “perfect” and also may contain AZN menus, leading to: • Excessive access • Segregation of duties conflicts • Example: Seeded Receivables Inquiry is not limited to view only • Create auto adjustments • Write off receipts • Open and close periods • May re-introduce the aforementioned issues during upgrades/patches if using standard menus
User Management - UMX • Delivers Role Based Access Control (RBAC) • Groups responsibilities, permission sets, and data security rules • Common user registration workflow • Forgotten password functionality • Security decentralization • Proxies
Delegated Administration • Delegate local admins to perform system administration for a subset of users and roles • Risks: • The “users” form in the User Management screen (UMX) does not allow one to establish a password expiration • How do you ensure any remote locations are compliant with corporate security policies
Password Expiration • Set at the User level • Can set the “Password Expiration” to either: • Days • Accesses • None • By default user passwords do not periodically expire • Create a personalization • Periodic review or alert
Manage Proxies • Allows a user to determine who can act their behalf for a time • Equivalent to sharing your username and password • Activity performed by another is logged under the delegator’s username • R12.2 introduced • “Designate proxy” to all users as a default • “All or nothing is gone”, can now select certain responsibilities and workflows to delegate • This should not be used without a business case and compensating controls • User’s access does not appear in the system administrator module • Run script to see if proxies exist
Proxy • The delegate can't view what s/he did as someone’s proxy • Periodically review the proxy report which shows all navigation completed by the proxy user:
Profile Options
Profile Options • Affects security, processes, controls • 8000+ profile options • Set at one or more levels. • User takes precedence over the other levels • Site level has the lowest priority • Some maintained by users, most maintained by the SA responsibility User Responsibility Application (module) Site Takes Precedence
Profile Options – Diagnostics • Utilities: Diagnostic & FND: Diagnostics • These profile options should be set to “No” at all levels • Risk: Allows users to change individual database records • Hide Diagnostics Menu Entry • Hides the diagnostic menu from users • Profile option should be set to “Yes” • The default is "No" or NOT hidden
Profile Options – Diagnostics – 12.1.3+ only • Assign the “FND Diagnostics menu Examine Read Only” function to a Menu • Ensure the profile option “Hide Menu Entry” is set to No • Grant the seeded permission set to a role • Assign the role to a user • APPS password not required in read-only mode
Profile Options – Information Leakage • Set of profile options that can defend against: • Cross-site scripting (XSS) • HTML injection attacks • Parameter and URL tampering • Can lead to data leaks Profile Option^ Default Recommended FND Validation Level Error (as of R12) Error* FND Function Validation Level Error (as of 11.5.10) Error* Framework Validation Level Error (as of 11.5.10) Error* Restrict Text Input Yes Yes IRC: XSS Filter Null Enabled FND: Fixed Key Enabled Null Yes FND: Fixed Key None Yes, only at User level *R12.2 does not allow the profile option value to be changed ^ at Site level unless otherwise stated
Profile Options – Others Profile Option^ Purpose Default Recommended Concurrent:Report Access Level Determines access privileges to report output files and log files generated by a concurrent program User User Sign-On:Notification Warns users of key events such as failed concurrent requests, failed login attempts, and incorrect default printer settings No Yes Personalize Self- Service Defn Enables or disables the global Personalize Page link that appears on each self-service web application page No No – Site level Yes – User level for approved individuals only FND: Developer Mode Enables the Edit Region global button. Also enables Developer Test Mode diagnostics. Null No Yes – User level for approved individuals only ^ at Site level unless otherwise stated
Profile Options – Password Settings • By default Oracle does not set strong password parameters • Different studies have shown that passwords of 10 characters with a symbol can take “years” to break by high powered computers Profile Oracle Default Recommended (Site) Sign-on Password Case None Sensitive Sign-on Password Failure Limit None 3 (attempts) Sign-on Password Hard to Guess No Yes Sign-on Password Length 5 8 to 10 (characters) Sign-on Password No Reuse None 180+ (days)
Functional Administrator Best way to view profile option settings at each level
Profile Option – Security Most profile options should not be updateable by users
Profile Option – Control • Monitor profile options • Regular reports • Alerts • Changes to profile options should be requested, tested, & approved • Follow a change management procedure
Sensitive Data
Sensitive Information • PII: Name, SSN, DOB, Address, Salary, etc. • Payroll deductions • Credit card numbers • Bank accounts • Financial data • Reports (AP, PO)
Sensitive Information - Example Report
Sensitive Information • Challenge: Finding the sensitive data • 11 modules consisting of 20 known tables that display credit card data • Are CCN, SSN, etc. stored in other non-designated fields (i.e. misc. fields)? • Encrypt, restrict access • Options include: • SQL scripts • EBSCheckCCEncryption.sql - Checks whether credit cards are encrypted in ‘Immediate’ mode • Third party products • Oracle AMP Data Scrambling • Oracle OEM Data Masking
Non-Production / Cloning • When environments are cloned from production sometimes users access increases (additional users, additional privileged) and configuration settings get changed • Controls: • Change passwords of privileged ids when cloning to the app and db levels • Metalink No. 419475.1 “Removing Credentials from a Cloned EBS Production Database” • Scramble key data: • Employee name, address, social security number, compensation details • Customer name, address, credit card data • Risks: • Data confidentiality is breached • Data is exfiltrated • Privileged access to production
Sensitive Administrative Pages
Sensitive Administrative Pages • Some Oracle forms and pages allow for modification of the application: • Oracle Forms Controlled by Function Security (~47) • HTML Pages Controlled by Function Security (~21) • Functionality Controlled by Profile Options (3) • Pages Controlled by JTF Permissions and Roles (3) • Most of these are accessible only from SA menus and responsibilities, where access should already be limited • Eliminate or minimize access to these screens in a production system • Oracle has published an SQL query to who has access to the forms and pages, see MOS Note 1334930.1
Example SQL Excerpt
Recap
Best Practices • On going monitoring of: • Privileged IDs • Generic IDs • Key configuration (i.e. responsibilities, menus, profile options) • Users without password expirations • Proxies • Approval processes are in place when making changes to configuration and users
Questions
Reminder Please complete the session and overall meeting evaluations Thank You!
For more information, contact: Christeen Russell, CPA, CISA Crowe Horwath LLP Direct: 212-750-4195 Christeen.Russell@crowehorwath.com www.crowehorwath.com

Empfohlen

OOW16 - Oracle E-Business Suite Integration Best Practices [CON6709]
OOW16 - Oracle E-Business Suite Integration Best Practices [CON6709]OOW16 - Oracle E-Business Suite Integration Best Practices [CON6709]
OOW16 - Oracle E-Business Suite Integration Best Practices [CON6709]vasuballa
 
Oracle Applications R12 architecture
Oracle Applications R12 architectureOracle Applications R12 architecture
Oracle Applications R12 architectureSekhar Byna
 
Oracle fusion cloud financial : How to create Journal , Manual Vs Spreadsheet?
Oracle fusion cloud financial : How to create Journal , Manual Vs Spreadsheet?Oracle fusion cloud financial : How to create Journal , Manual Vs Spreadsheet?
Oracle fusion cloud financial : How to create Journal , Manual Vs Spreadsheet?Pranav Pandya
 
Oracle E business tax purchasing whitepaper
Oracle E business tax purchasing whitepaperOracle E business tax purchasing whitepaper
Oracle E business tax purchasing whitepaperRizwan Ali Qumbrani
 
128224154 oracle-inventory-ppt
128224154 oracle-inventory-ppt128224154 oracle-inventory-ppt
128224154 oracle-inventory-pptRamthilak R
 
oracle ebs free web service integration tools
oracle ebs free web service integration toolsoracle ebs free web service integration tools
oracle ebs free web service integration toolsSmartDog Services
 
Oracle Fusion Application
Oracle Fusion ApplicationOracle Fusion Application
Oracle Fusion ApplicationArman Sadat Hossain
 
Oracle Web ADI Implementation Steps
Oracle Web ADI Implementation StepsOracle Web ADI Implementation Steps
Oracle Web ADI Implementation Stepsstandale
 

Empfohlen

OOW16 - Oracle E-Business Suite Integration Best Practices [CON6709]
OOW16 - Oracle E-Business Suite Integration Best Practices [CON6709]OOW16 - Oracle E-Business Suite Integration Best Practices [CON6709]
OOW16 - Oracle E-Business Suite Integration Best Practices [CON6709]vasuballa
 
Oracle Applications R12 architecture
Oracle Applications R12 architectureOracle Applications R12 architecture
Oracle Applications R12 architectureSekhar Byna
 
Oracle fusion cloud financial : How to create Journal , Manual Vs Spreadsheet?
Oracle fusion cloud financial : How to create Journal , Manual Vs Spreadsheet?Oracle fusion cloud financial : How to create Journal , Manual Vs Spreadsheet?
Oracle fusion cloud financial : How to create Journal , Manual Vs Spreadsheet?Pranav Pandya
 
Oracle E business tax purchasing whitepaper
Oracle E business tax purchasing whitepaperOracle E business tax purchasing whitepaper
Oracle E business tax purchasing whitepaperRizwan Ali Qumbrani
 
128224154 oracle-inventory-ppt
128224154 oracle-inventory-ppt128224154 oracle-inventory-ppt
128224154 oracle-inventory-pptRamthilak R
 
oracle ebs free web service integration tools
oracle ebs free web service integration toolsoracle ebs free web service integration tools
oracle ebs free web service integration toolsSmartDog Services
 
Oracle Fusion Application
Oracle Fusion ApplicationOracle Fusion Application
Oracle Fusion ApplicationArman Sadat Hossain
 
Oracle Web ADI Implementation Steps
Oracle Web ADI Implementation StepsOracle Web ADI Implementation Steps
Oracle Web ADI Implementation Stepsstandale
 
R12 inventory features
R12 inventory featuresR12 inventory features
R12 inventory featuresSuresh Mishra
 
Oracle Assets
Oracle AssetsOracle Assets
Oracle AssetsMohamed159686
 
Oracle Shop Floor Management R12
Oracle Shop Floor Management R12Oracle Shop Floor Management R12
Oracle Shop Floor Management R12Muhammad Ibrahim Memon
 
Webinar: Oracle R12 Warehouse Management System (WMS) Overview
Webinar: Oracle R12 Warehouse Management System (WMS) OverviewWebinar: Oracle R12 Warehouse Management System (WMS) Overview
Webinar: Oracle R12 Warehouse Management System (WMS) OverviewiWare Logic Technologies Pvt. Ltd.
 
Oracle financials functional training on ap, ar & gl
Oracle financials functional training on ap, ar & glOracle financials functional training on ap, ar & gl
Oracle financials functional training on ap, ar & glmagnifics
 
Inventory receiving processes for serial controlled items
Inventory receiving processes for serial controlled itemsInventory receiving processes for serial controlled items
Inventory receiving processes for serial controlled itemsAvishek Roychoudhuri
 
Oracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 featuresOracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 featuresravisagaram
 
Understanding Multi-Org Structure in Oracle Apps
Understanding Multi-Org Structure in Oracle AppsUnderstanding Multi-Org Structure in Oracle Apps
Understanding Multi-Org Structure in Oracle AppsBaker Khader Abdallah, PMP
 
Oracle Fusion Architecture
Oracle Fusion ArchitectureOracle Fusion Architecture
Oracle Fusion ArchitectureVinay Kumar
 
ORACLE EBS R12 UPGRADE
ORACLE EBS R12 UPGRADEORACLE EBS R12 UPGRADE
ORACLE EBS R12 UPGRADEDinesh Gupta
 
How to Generate FSG Reports - Part I
How to Generate FSG Reports - Part IHow to Generate FSG Reports - Part I
How to Generate FSG Reports - Part Ieprentise
 
Oracle Receivables
Oracle ReceivablesOracle Receivables
Oracle ReceivablesMohamed159686
 
Oracle EBS Upgrade to 12.2.5.1
Oracle EBS Upgrade to 12.2.5.1Oracle EBS Upgrade to 12.2.5.1
Oracle EBS Upgrade to 12.2.5.1Amit Sharma
 
Resume of Sugavanan - Oracle Apps Technical Consultant
Resume of Sugavanan - Oracle Apps Technical ConsultantResume of Sugavanan - Oracle Apps Technical Consultant
Resume of Sugavanan - Oracle Apps Technical ConsultantSugavanan Arunachalam
 
Oracle R12 AR Enhancement Overview
Oracle R12 AR Enhancement OverviewOracle R12 AR Enhancement Overview
Oracle R12 AR Enhancement OverviewSanjay Challagundla
 
Fusion apps receivables
Fusion apps receivablesFusion apps receivables
Fusion apps receivablesHasan Shabbir
 
Oracle R12 Legal Entity
Oracle R12 Legal EntityOracle R12 Legal Entity
Oracle R12 Legal EntitySanjay Challagundla
 
Oracle Fusion Financial Report Centre Reporting Beginner course
Oracle Fusion Financial Report Centre Reporting Beginner courseOracle Fusion Financial Report Centre Reporting Beginner course
Oracle Fusion Financial Report Centre Reporting Beginner courseKhalil Rehman NLP (MPrac) MCIPS, PMP,OCP
 
Transaction Account Builder Oracle Fusion Procurement
Transaction Account Builder Oracle Fusion ProcurementTransaction Account Builder Oracle Fusion Procurement
Transaction Account Builder Oracle Fusion ProcurementSam Elrashedy
 
Oracle EBS: P2P with EBS Payables and Non-EBS Procurement
Oracle EBS: P2P with EBS Payables and Non-EBS ProcurementOracle EBS: P2P with EBS Payables and Non-EBS Procurement
Oracle EBS: P2P with EBS Payables and Non-EBS ProcurementEric Guether
 
7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodromDoina Draganescu
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalOracleIDM
 

Weitere ähnliche Inhalte

Was ist angesagt?

R12 inventory features
R12 inventory featuresR12 inventory features
R12 inventory featuresSuresh Mishra
 
Webinar: Oracle R12 Warehouse Management System (WMS) Overview
Webinar: Oracle R12 Warehouse Management System (WMS) OverviewWebinar: Oracle R12 Warehouse Management System (WMS) Overview
Webinar: Oracle R12 Warehouse Management System (WMS) OverviewiWare Logic Technologies Pvt. Ltd.
 
Oracle financials functional training on ap, ar & gl
Oracle financials functional training on ap, ar & glOracle financials functional training on ap, ar & gl
Oracle financials functional training on ap, ar & glmagnifics
 
Inventory receiving processes for serial controlled items
Inventory receiving processes for serial controlled itemsInventory receiving processes for serial controlled items
Inventory receiving processes for serial controlled itemsAvishek Roychoudhuri
 
Oracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 featuresOracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 featuresravisagaram
 
Understanding Multi-Org Structure in Oracle Apps
Understanding Multi-Org Structure in Oracle AppsUnderstanding Multi-Org Structure in Oracle Apps
Understanding Multi-Org Structure in Oracle AppsBaker Khader Abdallah, PMP
 
Oracle Fusion Architecture
Oracle Fusion ArchitectureOracle Fusion Architecture
Oracle Fusion ArchitectureVinay Kumar
 
ORACLE EBS R12 UPGRADE
ORACLE EBS R12 UPGRADEORACLE EBS R12 UPGRADE
ORACLE EBS R12 UPGRADEDinesh Gupta
 
How to Generate FSG Reports - Part I
How to Generate FSG Reports - Part IHow to Generate FSG Reports - Part I
How to Generate FSG Reports - Part Ieprentise
 
Oracle EBS Upgrade to 12.2.5.1
Oracle EBS Upgrade to 12.2.5.1Oracle EBS Upgrade to 12.2.5.1
Oracle EBS Upgrade to 12.2.5.1Amit Sharma
 
Resume of Sugavanan - Oracle Apps Technical Consultant
Resume of Sugavanan - Oracle Apps Technical ConsultantResume of Sugavanan - Oracle Apps Technical Consultant
Resume of Sugavanan - Oracle Apps Technical ConsultantSugavanan Arunachalam
 
Oracle R12 AR Enhancement Overview
Oracle R12 AR Enhancement OverviewOracle R12 AR Enhancement Overview
Oracle R12 AR Enhancement OverviewSanjay Challagundla
 
Fusion apps receivables
Fusion apps receivablesFusion apps receivables
Fusion apps receivablesHasan Shabbir
 
Transaction Account Builder Oracle Fusion Procurement
Transaction Account Builder Oracle Fusion ProcurementTransaction Account Builder Oracle Fusion Procurement
Transaction Account Builder Oracle Fusion ProcurementSam Elrashedy
 
Oracle EBS: P2P with EBS Payables and Non-EBS Procurement
Oracle EBS: P2P with EBS Payables and Non-EBS ProcurementOracle EBS: P2P with EBS Payables and Non-EBS Procurement
Oracle EBS: P2P with EBS Payables and Non-EBS ProcurementEric Guether
 

Was ist angesagt? (20)

R12 inventory features
R12 inventory featuresR12 inventory features
R12 inventory features
 
Oracle Assets
Oracle AssetsOracle Assets
Oracle Assets
 
Oracle Shop Floor Management R12
Oracle Shop Floor Management R12Oracle Shop Floor Management R12
Oracle Shop Floor Management R12
 
Webinar: Oracle R12 Warehouse Management System (WMS) Overview
Webinar: Oracle R12 Warehouse Management System (WMS) OverviewWebinar: Oracle R12 Warehouse Management System (WMS) Overview
Webinar: Oracle R12 Warehouse Management System (WMS) Overview
 
Oracle financials functional training on ap, ar & gl
Oracle financials functional training on ap, ar & glOracle financials functional training on ap, ar & gl
Oracle financials functional training on ap, ar & gl
 
Inventory receiving processes for serial controlled items
Inventory receiving processes for serial controlled itemsInventory receiving processes for serial controlled items
Inventory receiving processes for serial controlled items
 
Oracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 featuresOracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 features
 
Understanding Multi-Org Structure in Oracle Apps
Understanding Multi-Org Structure in Oracle AppsUnderstanding Multi-Org Structure in Oracle Apps
Understanding Multi-Org Structure in Oracle Apps
 
Oracle Fusion Architecture
Oracle Fusion ArchitectureOracle Fusion Architecture
Oracle Fusion Architecture
 
ORACLE EBS R12 UPGRADE
ORACLE EBS R12 UPGRADEORACLE EBS R12 UPGRADE
ORACLE EBS R12 UPGRADE
 
How to Generate FSG Reports - Part I
How to Generate FSG Reports - Part IHow to Generate FSG Reports - Part I
How to Generate FSG Reports - Part I
 
Oracle Receivables
Oracle ReceivablesOracle Receivables
Oracle Receivables
 
Oracle EBS Upgrade to 12.2.5.1
Oracle EBS Upgrade to 12.2.5.1Oracle EBS Upgrade to 12.2.5.1
Oracle EBS Upgrade to 12.2.5.1
 
Resume of Sugavanan - Oracle Apps Technical Consultant
Resume of Sugavanan - Oracle Apps Technical ConsultantResume of Sugavanan - Oracle Apps Technical Consultant
Resume of Sugavanan - Oracle Apps Technical Consultant
 
Oracle R12 AR Enhancement Overview
Oracle R12 AR Enhancement OverviewOracle R12 AR Enhancement Overview
Oracle R12 AR Enhancement Overview
 
Fusion apps receivables
Fusion apps receivablesFusion apps receivables
Fusion apps receivables
 
Oracle R12 Legal Entity
Oracle R12 Legal EntityOracle R12 Legal Entity
Oracle R12 Legal Entity
 
Oracle Fusion Financial Report Centre Reporting Beginner course
Oracle Fusion Financial Report Centre Reporting Beginner courseOracle Fusion Financial Report Centre Reporting Beginner course
Oracle Fusion Financial Report Centre Reporting Beginner course
 
Transaction Account Builder Oracle Fusion Procurement
Transaction Account Builder Oracle Fusion ProcurementTransaction Account Builder Oracle Fusion Procurement
Transaction Account Builder Oracle Fusion Procurement
 
Oracle EBS: P2P with EBS Payables and Non-EBS Procurement
Oracle EBS: P2P with EBS Payables and Non-EBS ProcurementOracle EBS: P2P with EBS Payables and Non-EBS Procurement
Oracle EBS: P2P with EBS Payables and Non-EBS Procurement
 

Ähnlich wie Learn About the Top Oracle E-Business Suite Security Vulnerabilities

7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodromDoina Draganescu
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalOracleIDM
 
Con9573 managing the oim platform with oracle enterprise manager
Con9573 managing the oim platform with oracle enterprise manager Con9573 managing the oim platform with oracle enterprise manager
Con9573 managing the oim platform with oracle enterprise manager OracleIDM
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsOlivier DASINI
 
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...Emtec Inc.
 
Advanced Controls access and user security for superusers con8824
Advanced Controls access and user security for superusers con8824Advanced Controls access and user security for superusers con8824
Advanced Controls access and user security for superusers con8824Oracle
 
Shields up - improving web application security
Shields up - improving web application securityShields up - improving web application security
Shields up - improving web application securityKonstantin Mirin
 
01_Team_03_CS_591_Project
01_Team_03_CS_591_Project01_Team_03_CS_591_Project
01_Team_03_CS_591_Projectharsh mehta
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsExploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Đỗ Duy Trung
 
Enabling: Optimized Integrations at Amway with Oracle SOA Suite
Enabling: Optimized Integrations at Amway with Oracle SOA SuiteEnabling: Optimized Integrations at Amway with Oracle SOA Suite
Enabling: Optimized Integrations at Amway with Oracle SOA SuiteRevelation Technologies
 
SoftwareONE Oracle Licensing Introduction 18.02.14
SoftwareONE Oracle Licensing Introduction 18.02.14SoftwareONE Oracle Licensing Introduction 18.02.14
SoftwareONE Oracle Licensing Introduction 18.02.14SoftwareONEPresents
 
December 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know WebinarDecember 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know WebinarRobert Crane
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security LoggingMilton Smith
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easyERPScan
 
Keeping Private Data Private
Keeping Private Data PrivateKeeping Private Data Private
Keeping Private Data PrivateDobler Consulting
 
What_to_expect_from_oracle_database_12c
What_to_expect_from_oracle_database_12cWhat_to_expect_from_oracle_database_12c
What_to_expect_from_oracle_database_12cMaria Colgan
 

Ähnlich wie Learn About the Top Oracle E-Business Suite Security Vulnerabilities (20)

7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - final
 
Con9573 managing the oim platform with oracle enterprise manager
Con9573 managing the oim platform with oracle enterprise manager Con9573 managing the oim platform with oracle enterprise manager
Con9573 managing the oim platform with oracle enterprise manager
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...
 
Advanced Controls access and user security for superusers con8824
Advanced Controls access and user security for superusers con8824Advanced Controls access and user security for superusers con8824
Advanced Controls access and user security for superusers con8824
 
Shields up - improving web application security
Shields up - improving web application securityShields up - improving web application security
Shields up - improving web application security
 
01_Team_03_CS_591_Project
01_Team_03_CS_591_Project01_Team_03_CS_591_Project
01_Team_03_CS_591_Project
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsExploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
 
Enabling: Optimized Integrations at Amway with Oracle SOA Suite
Enabling: Optimized Integrations at Amway with Oracle SOA SuiteEnabling: Optimized Integrations at Amway with Oracle SOA Suite
Enabling: Optimized Integrations at Amway with Oracle SOA Suite
 
SoftwareONE Oracle Licensing Introduction 18.02.14
SoftwareONE Oracle Licensing Introduction 18.02.14SoftwareONE Oracle Licensing Introduction 18.02.14
SoftwareONE Oracle Licensing Introduction 18.02.14
 
December 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know WebinarDecember 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know Webinar
 
SENTHIL RAMADOSS CV
SENTHIL RAMADOSS CVSENTHIL RAMADOSS CV
SENTHIL RAMADOSS CV
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security Logging
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
 
Keeping Private Data Private
Keeping Private Data PrivateKeeping Private Data Private
Keeping Private Data Private
 
What_to_expect_from_oracle_database_12c
What_to_expect_from_oracle_database_12cWhat_to_expect_from_oracle_database_12c
What_to_expect_from_oracle_database_12c
 

Mehr von OAUGNJ

Sales Tax Compliance within Oracle E-Business Suite / JD Edwards / PeopleSoft
Sales Tax Compliance within Oracle E-Business Suite / JD Edwards / PeopleSoftSales Tax Compliance within Oracle E-Business Suite / JD Edwards / PeopleSoft
Sales Tax Compliance within Oracle E-Business Suite / JD Edwards / PeopleSoftOAUGNJ
 
Hyperion Planning: Cloud or On Premise
Hyperion Planning: Cloud or On PremiseHyperion Planning: Cloud or On Premise
Hyperion Planning: Cloud or On PremiseOAUGNJ
 
PM 201: Emotional Intelligence for Project Managers
PM 201: Emotional Intelligence for Project ManagersPM 201: Emotional Intelligence for Project Managers
PM 201: Emotional Intelligence for Project ManagersOAUGNJ
 
Which OBIEE Mobile Solution is Right for my Organization
Which OBIEE Mobile Solution is Right for my OrganizationWhich OBIEE Mobile Solution is Right for my Organization
Which OBIEE Mobile Solution is Right for my OrganizationOAUGNJ
 
Mobile Apps or Else
Mobile Apps or ElseMobile Apps or Else
Mobile Apps or ElseOAUGNJ
 
Hyperion Foot Print Evolving with Contemporary Business Needs
Hyperion Foot Print Evolving with Contemporary Business NeedsHyperion Foot Print Evolving with Contemporary Business Needs
Hyperion Foot Print Evolving with Contemporary Business NeedsOAUGNJ
 
Preparing Your Own Strategic BI Vision and Roadmap: A Practical How-To Guide
Preparing Your Own Strategic BI Vision and Roadmap: A Practical How-To GuidePreparing Your Own Strategic BI Vision and Roadmap: A Practical How-To Guide
Preparing Your Own Strategic BI Vision and Roadmap: A Practical How-To GuideOAUGNJ
 
Turning your Excel Business Process Workflows into an Automated Business Inte...
Turning your Excel Business Process Workflows into an Automated Business Inte...Turning your Excel Business Process Workflows into an Automated Business Inte...
Turning your Excel Business Process Workflows into an Automated Business Inte...OAUGNJ
 
Harnessing the Power of Hyperion for Human Capital Reporting at ADP: 1 Year L...
Harnessing the Power of Hyperion for Human Capital Reporting at ADP: 1 Year L...Harnessing the Power of Hyperion for Human Capital Reporting at ADP: 1 Year L...
Harnessing the Power of Hyperion for Human Capital Reporting at ADP: 1 Year L...OAUGNJ
 
Upgrading to Oracle Hyperion Enterprise Performance Management 11.1.2.3 and B...
Upgrading to Oracle Hyperion Enterprise Performance Management 11.1.2.3 and B...Upgrading to Oracle Hyperion Enterprise Performance Management 11.1.2.3 and B...
Upgrading to Oracle Hyperion Enterprise Performance Management 11.1.2.3 and B...OAUGNJ
 
A Seamless 3rd Party Mobile Expense Reporting App Integration with Oracle iEx...
A Seamless 3rd Party Mobile Expense Reporting App Integration with Oracle iEx...A Seamless 3rd Party Mobile Expense Reporting App Integration with Oracle iEx...
A Seamless 3rd Party Mobile Expense Reporting App Integration with Oracle iEx...OAUGNJ
 
Big Data: The Road to Know More About Your Business
Big Data: The Road to Know More About Your BusinessBig Data: The Road to Know More About Your Business
Big Data: The Road to Know More About Your BusinessOAUGNJ
 
10 Tips for Successful 12.2 Upgrade
10 Tips for Successful 12.2 Upgrade10 Tips for Successful 12.2 Upgrade
10 Tips for Successful 12.2 UpgradeOAUGNJ
 

Mehr von OAUGNJ (13)

Sales Tax Compliance within Oracle E-Business Suite / JD Edwards / PeopleSoft
Sales Tax Compliance within Oracle E-Business Suite / JD Edwards / PeopleSoftSales Tax Compliance within Oracle E-Business Suite / JD Edwards / PeopleSoft
Sales Tax Compliance within Oracle E-Business Suite / JD Edwards / PeopleSoft
 
Hyperion Planning: Cloud or On Premise
Hyperion Planning: Cloud or On PremiseHyperion Planning: Cloud or On Premise
Hyperion Planning: Cloud or On Premise
 
PM 201: Emotional Intelligence for Project Managers
PM 201: Emotional Intelligence for Project ManagersPM 201: Emotional Intelligence for Project Managers
PM 201: Emotional Intelligence for Project Managers
 
Which OBIEE Mobile Solution is Right for my Organization
Which OBIEE Mobile Solution is Right for my OrganizationWhich OBIEE Mobile Solution is Right for my Organization
Which OBIEE Mobile Solution is Right for my Organization
 
Mobile Apps or Else
Mobile Apps or ElseMobile Apps or Else
Mobile Apps or Else
 
Hyperion Foot Print Evolving with Contemporary Business Needs
Hyperion Foot Print Evolving with Contemporary Business NeedsHyperion Foot Print Evolving with Contemporary Business Needs
Hyperion Foot Print Evolving with Contemporary Business Needs
 
Preparing Your Own Strategic BI Vision and Roadmap: A Practical How-To Guide
Preparing Your Own Strategic BI Vision and Roadmap: A Practical How-To GuidePreparing Your Own Strategic BI Vision and Roadmap: A Practical How-To Guide
Preparing Your Own Strategic BI Vision and Roadmap: A Practical How-To Guide
 
Turning your Excel Business Process Workflows into an Automated Business Inte...
Turning your Excel Business Process Workflows into an Automated Business Inte...Turning your Excel Business Process Workflows into an Automated Business Inte...
Turning your Excel Business Process Workflows into an Automated Business Inte...
 
Harnessing the Power of Hyperion for Human Capital Reporting at ADP: 1 Year L...
Harnessing the Power of Hyperion for Human Capital Reporting at ADP: 1 Year L...Harnessing the Power of Hyperion for Human Capital Reporting at ADP: 1 Year L...
Harnessing the Power of Hyperion for Human Capital Reporting at ADP: 1 Year L...
 
Upgrading to Oracle Hyperion Enterprise Performance Management 11.1.2.3 and B...
Upgrading to Oracle Hyperion Enterprise Performance Management 11.1.2.3 and B...Upgrading to Oracle Hyperion Enterprise Performance Management 11.1.2.3 and B...
Upgrading to Oracle Hyperion Enterprise Performance Management 11.1.2.3 and B...
 
A Seamless 3rd Party Mobile Expense Reporting App Integration with Oracle iEx...
A Seamless 3rd Party Mobile Expense Reporting App Integration with Oracle iEx...A Seamless 3rd Party Mobile Expense Reporting App Integration with Oracle iEx...
A Seamless 3rd Party Mobile Expense Reporting App Integration with Oracle iEx...
 
Big Data: The Road to Know More About Your Business
Big Data: The Road to Know More About Your BusinessBig Data: The Road to Know More About Your Business
Big Data: The Road to Know More About Your Business
 
10 Tips for Successful 12.2 Upgrade
10 Tips for Successful 12.2 Upgrade10 Tips for Successful 12.2 Upgrade
10 Tips for Successful 12.2 Upgrade
 

Kürzlich hochgeladen

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Learn About the Top Oracle E-Business Suite Security Vulnerabilities

  • 1. Top Oracle E-Business Suite Security Vulnerabilities Christeen Russell, Crowe Horwath
  • 2. Christeen Russell • Senior Manager in the Technology Risk Group at Crowe Horwath • Technology audit and implementation capabilities include: • Oracle E-Business Suite 11i & R12 • Great Plains 10 • Microsoft CRM 4.0 & 2011 • Certified Public Accountant (CPA) - Illinois & New York • Certified Information Systems Auditor (CISA)
  • 3. Crowe Risk Consulting We have more than 1,100 experienced practitioners with geographic, functional, and industry expertise. Crowe Horwath Global Risk Consulting has been named a “Challenger” by Gartner, Inc., in the “Magic Quadrant for Global Risk Management Consulting Services”, by Jacqueline Heng and John A. Wheeler. The full report can be reviewed at www.crowehorwath.com/gartner
  • 4. Objectives 1. Amplify the participants’ overall Oracle EBS security awareness 2. Share knowledge and experiences in securing Oracle EBS 3. Provide a detailed list of commonly overlooked Oracle EBS security vulnerabilities, risks each pose, and how to fix or mitigate each
  • 5. Top Security Concerns • Seeded (default/generic) application accounts with known passwords (30+) • Seeded database accounts with known passwords (200+) • AZN menus • Seeded responsibilities and menus • Delegation authority and proxy users • Direct database access through the application • Defense against cross-site scripting (XSS), HTML injection attacks, and parameter and URL tampering • Weak default password settings • Password setting “overrides” • Protecting sensitive information • Sensitive administrative pages
  • 6. Why are These Top Security Concerns? • Issues commonly seen in Oracle EBS environments • Most are free and/or not complex to address • Relevant to various releases • Not well known
  • 7. What are the Risks? • Unauthorized access (to data and configuration settings), adversely affecting transaction processing and data integrity • Data exfiltration and leakage • Non-compliance with regulations (SOX, PCI DSS/PA DSS, HIPPA, etc.) • Non-compliance with company policy • Potential to commit fraud • Reputational harm
  • 9. ID Overview +30 seeded “generic” user ids: i.e. APPSMGR, IBEGUEST, GUEST, SYSADMIN, WIZARDOracle EBS Oracle EBS creates 200+ db accounts: i.e. APPS, APPLSYS, SYS, SYSTEM, 100+ schema accountsOracle Database oracle, applmgrOperating System Oracle ships seeded accounts with widely known default passwords!
  • 10. Privileged & Generic IDs • Passwords are published on the internet and are typically “welcome”, “Oracle”, or is the same as the id; i.e. • MOBADM password is MOBADM • ASGADM password is welcome • Some IDs have privileged access • New accounts are automatically added during upgrades, i.e.: • 12.2.2 – GHG, APPS_NE • 12.1.0 – DDR, DPP, INL, MTH, QPR, RRS • 12.0.4 – IZU • 12.0.0 – DNA, GMO, IBW, IPM, JMF •2 . 2 . 2 – G H G , A P P S _ N E •2 . 1 . 0 – D D R , D P P , I N L, M T H , Q P R , R R S •2 . 0 . 4 – I Z U •2 . 0 . 0 – D N A , G M O , I B W , I P M , J M F •2 . 2 . 2 – G H G , A P P S _ N E •2 . 1 . 0 – D D R , D P P , I N L, M T H , Q P R , R R S •2 . 0 . 4 – I Z U •2 . 0 . 0 – D N A , G M O , I B W , I P M , J M F
  • 11. Seeded ID’s – Application Level ID Purpose Change Password Disable Account AME_INVALID_APPROVER AME workflow migration 11.5.9 to 11.5.10 Yes Yes ANONYMOUS FND/AOL - Anonymous for non-logged users Yes Yes APPSMGR Routine maintenance via concurrent requests No^ Yes ASADMIN Application Server Administrator No^ Yes ASGADM Mobile gateway related products Yes Yes* ASGUEST Sales Application guest user Yes Yes* AUTOINSTALL AD Yes Yes CONCURRENT MANAGER FND/AOL: Concurrent Manager Yes Yes FEEDER SYSTEM AD - Supports data from feeder system Yes Yes ^ it is not possible to login as this user unless you change the password * Required for Mobile Sales, Service, and Mobile Core Gateway components. Or required for Sales Application. Or required for iStore.
  • 12. Seeded ID’s – Application Level ID Purpose Change Password Disable Account GUEST Guest application user Yes No IBE_ADMIN iStore Admin user Yes Yes* IBE_GUEST iStore Guest user Yes Yes* IBEGUEST iStore Guest user Yes Yes* IEXADMIN Internet Expenses Admin Yes Yes INDUSTRY DATA Used for PCI Security Demo No^ Yes INITIAL SETUP AD Yes Yes IRC_EMP_GUEST iRecruitment Employee Guest Login Yes Yes IRC_EXT_GUEST iRecruitment External Guest Login Yes Yes MOBADM Mobile Applications Development Yes Yes MOBILEADM Mobile Applications Admin Yes Yes MOBILEDEV Mobile Applications Development Yes Yes Do not disable the GUEST account.
  • 13. Seeded ID’s – Application Level ID Purpose Change Password Disable Account OP_CUST_CARE_ADMIN Customer Care Admin for Oracle Provisioning Yes Yes OP_SYSADMIN OP (Process Manufacturing) Admin User Yes Yes ORACLE12.0.0 to ORACLE12.9.0 Owner for release specific seed data No^ No PORTAL30 Oracle Portal and Portal Single Sign On (desupported) Yes Yes PORTAL30_SSO Oracle Portal and Portal Single Sign On (desupported) Yes Yes STANDALONE BATCH PROCESS FND/AOL Yes Yes SYSADMIN Application Systems Admin Yes No WIZARD AD Application Implementation Wizard Yes Yes XML_USER Gateway Yes Yes Do not disable the SYSADMIN account.
  • 14. Other Generic ID’s – Application Level • Search for other generic ID’s from the users table (fnd_users) • SQL statement to identify users with: • no “end_date” • no “employee_id” and/or • “last_logon_date” greater than a certain date • Greatly narrow down your search through the user list
  • 15. Seeded ID’s – Database Level Schema Purpose Change Password SYS Initial schema in any Oracle database Yes SYSTEM Initial DBA User Yes DBSNMP, SYSMAN, MGMT_VIEW Used for database status monitoring Yes SCOTT Oracle db demo account Yes and lock the account SSOSDK Single Sign On SDK Yes JUNK_PS, MDSYS, ODM_MTR, OLAPSYS, ORDPLUGINS, ORDSYS, OUTLN, OWAPUB, MGDSYS Yes PORTAL30_DEMO, PORTAL30_PUBLIC, PORTAL30_SSO_PS, & PORTAL30_SSO_PUBLIC Oracle Login Server and Portal 3.0.9 with E- Business Suite 11i Yes and lock PORTAL30_DEMO if using 11i; otherwise lock all PORTAL30, PORTAL30_SSO Oracle Login Server and Portal 3.0.9 with E- Business Suite 11i Yes and lock the schemas if not using 11i CTXSYS Used by Online Help and CRM service products for indexing knowledge base data Yes
  • 16. Seeded ID’s – Database Level Schema Purpose Change Password EDWREP Embedded Data Warehouse Metadata Repository Yes, but if not using Embedded Data Warehouse, then lock and expire EDWREP ODM Oracle Data Manager Yes APPLSYSPUB Verifies the username/password combination and the records the success or failure of a login attempt. R12 only Yes (must be all upper case) APPLSYS Contains shared APPS objects Yes, use a long secure password APPS Runtime user for E-Business Suite. Owns all of the applications code in the database Yes, use a long secure password APPS_mrc Obsolete account Yes, use a long secure password AD_MONITOR EM_MONITOR Oracle Applications Manager uses this schema to monitor running patches. Although the default password for AD_MONITOR is 'lizard', the schema is created locked and expired. Yes
  • 17. Seeded ID’s – Database Level ABM AHL AHM AK ALR AMF AMS AMV AMW AP AR ASF ASG ASL ASN ASO ASP AST AX AZ BEN BIC BIL BIM BIS BIV BIX BNE BOM BSC CCT CE CLN CN CRP CS CSC CSD CSE CSF CSI CSL CSM CSP CSR CSS CUA CUE CUF CUG CUI CUN CUP CUS CZ DDD DDR DNA DOM DPP EAA EAM EC ECX EDR EGO ENG ENI EVM FA FEM FII FLM FPA FPT FRM FTE FTP FUN FV GCS GL GHG GMA GMD GME GMF GMI GML GMO GMP GMS GR HR HRI HXC HXT IA IBA IBC IBE IBP IBU IBW IBY ICX IEB IEC IEM IEO IES IEU IEX IGC IGF IGI IGS IGW IMC IMT INL INV IPA IPD IPM ISC ITA ITG IZU JA JE JG JL JMF JTF JTM JTS LNS ME MFG MRP MSC MSD MSO MSR MST MTH MWA OE OKB OKC OKE OKI OKL OKO OKR OKS OKX ONT OPI OSM OTA OZF OZP OZS PA PFT PJI PJM PMI PN PO POA POM PON POS PRP PSA PSB PSP PV QA QOT QP QPR QRM RG RHX RLA RLM RRS SSP VEA VEH WIP WMS WPS WSH WSM XDO XDP XLA XLE XNB XNC XNI XNM XNP XNS XTR ZFA ZPB ZSA ZX • By default the password is the same as the SCHEMA name • Change all of these schema passwords 200+ DB schemas shipped with Oracle EBS New schemas are created during upgrades
  • 18. Control Seeded ID’s • Change the password and disable the account where recommended • Changed passwords should be “sealed” • For accounts where the password cannot be changed and/or disabled log activity performed using the accounts (manual logins) • Setup alerts or have periodic reviews of activity • Consult Oracle Metalink Note 403537.1.
  • 20. Restricted Access & Segregation of Duties • Defined as users with too much or conflicting access • Risk: • Unauthorized transactions, erroneous transactions, or fraudulent activity • Users with combined access privileges to modify system configuration settings along with business transaction execution access increases the risk that application controls dependent upon configuration settings will be circumvented • Data leakage or exfiltration • So let’s discuss: • AZN’s • Seeded menus and responsibilities • Delegation authority • Proxy users
  • 21. Process Tab / AZN • Click an icon to gain immediate access to the associated form • In this example, the user most likely has “end-to-end” access in the purchase to payments process Traditional way to access functions Process tab access
  • 22. Process Tab / AZN - continued • Potential Segregation of Duties Conflicts!! • NOTE: Many do not know this additional access exists. Example of a menu with an AZN submenu (menus are assigned to responsibilities):
  • 23. Exclude AZN Submenus However….. Lets consider the next topic
  • 24. AZN Menus Exists for GL, AP, AR, Inventory, PO, Order Management menus
  • 25. Seeded Menus & Responsibilities • Should not be used nor copied and renamed • These are not “perfect” and also may contain AZN menus, leading to: • Excessive access • Segregation of duties conflicts • Example: Seeded Receivables Inquiry is not limited to view only • Create auto adjustments • Write off receipts • Open and close periods • May re-introduce the aforementioned issues during upgrades/patches if using standard menus
  • 26. User Management - UMX • Delivers Role Based Access Control (RBAC) • Groups responsibilities, permission sets, and data security rules • Common user registration workflow • Forgotten password functionality • Security decentralization • Proxies
  • 27. Delegated Administration • Delegate local admins to perform system administration for a subset of users and roles • Risks: • The “users” form in the User Management screen (UMX) does not allow one to establish a password expiration • How do you ensure any remote locations are compliant with corporate security policies
  • 28. Password Expiration • Set at the User level • Can set the “Password Expiration” to either: • Days • Accesses • None • By default user passwords do not periodically expire • Create a personalization • Periodic review or alert
  • 29. Manage Proxies • Allows a user to determine who can act their behalf for a time • Equivalent to sharing your username and password • Activity performed by another is logged under the delegator’s username • R12.2 introduced • “Designate proxy” to all users as a default • “All or nothing is gone”, can now select certain responsibilities and workflows to delegate • This should not be used without a business case and compensating controls • User’s access does not appear in the system administrator module • Run script to see if proxies exist
  • 30. Proxy • The delegate can't view what s/he did as someone’s proxy • Periodically review the proxy report which shows all navigation completed by the proxy user:
  • 32. Profile Options • Affects security, processes, controls • 8000+ profile options • Set at one or more levels. • User takes precedence over the other levels • Site level has the lowest priority • Some maintained by users, most maintained by the SA responsibility User Responsibility Application (module) Site Takes Precedence
  • 33. Profile Options – Diagnostics • Utilities: Diagnostic & FND: Diagnostics • These profile options should be set to “No” at all levels • Risk: Allows users to change individual database records • Hide Diagnostics Menu Entry • Hides the diagnostic menu from users • Profile option should be set to “Yes” • The default is "No" or NOT hidden
  • 34. Profile Options – Diagnostics – 12.1.3+ only • Assign the “FND Diagnostics menu Examine Read Only” function to a Menu • Ensure the profile option “Hide Menu Entry” is set to No • Grant the seeded permission set to a role • Assign the role to a user • APPS password not required in read-only mode
  • 35. Profile Options – Information Leakage • Set of profile options that can defend against: • Cross-site scripting (XSS) • HTML injection attacks • Parameter and URL tampering • Can lead to data leaks Profile Option^ Default Recommended FND Validation Level Error (as of R12) Error* FND Function Validation Level Error (as of 11.5.10) Error* Framework Validation Level Error (as of 11.5.10) Error* Restrict Text Input Yes Yes IRC: XSS Filter Null Enabled FND: Fixed Key Enabled Null Yes FND: Fixed Key None Yes, only at User level *R12.2 does not allow the profile option value to be changed ^ at Site level unless otherwise stated
  • 36. Profile Options – Others Profile Option^ Purpose Default Recommended Concurrent:Report Access Level Determines access privileges to report output files and log files generated by a concurrent program User User Sign-On:Notification Warns users of key events such as failed concurrent requests, failed login attempts, and incorrect default printer settings No Yes Personalize Self- Service Defn Enables or disables the global Personalize Page link that appears on each self-service web application page No No – Site level Yes – User level for approved individuals only FND: Developer Mode Enables the Edit Region global button. Also enables Developer Test Mode diagnostics. Null No Yes – User level for approved individuals only ^ at Site level unless otherwise stated
  • 37. Profile Options – Password Settings • By default Oracle does not set strong password parameters • Different studies have shown that passwords of 10 characters with a symbol can take “years” to break by high powered computers Profile Oracle Default Recommended (Site) Sign-on Password Case None Sensitive Sign-on Password Failure Limit None 3 (attempts) Sign-on Password Hard to Guess No Yes Sign-on Password Length 5 8 to 10 (characters) Sign-on Password No Reuse None 180+ (days)
  • 38. Functional Administrator Best way to view profile option settings at each level
  • 39. Profile Option – Security Most profile options should not be updateable by users
  • 40. Profile Option – Control • Monitor profile options • Regular reports • Alerts • Changes to profile options should be requested, tested, & approved • Follow a change management procedure
  • 42. Sensitive Information • PII: Name, SSN, DOB, Address, Salary, etc. • Payroll deductions • Credit card numbers • Bank accounts • Financial data • Reports (AP, PO)
  • 43. Sensitive Information - Example Report
  • 44. Sensitive Information • Challenge: Finding the sensitive data • 11 modules consisting of 20 known tables that display credit card data • Are CCN, SSN, etc. stored in other non-designated fields (i.e. misc. fields)? • Encrypt, restrict access • Options include: • SQL scripts • EBSCheckCCEncryption.sql - Checks whether credit cards are encrypted in ‘Immediate’ mode • Third party products • Oracle AMP Data Scrambling • Oracle OEM Data Masking
  • 45. Non-Production / Cloning • When environments are cloned from production sometimes users access increases (additional users, additional privileged) and configuration settings get changed • Controls: • Change passwords of privileged ids when cloning to the app and db levels • Metalink No. 419475.1 “Removing Credentials from a Cloned EBS Production Database” • Scramble key data: • Employee name, address, social security number, compensation details • Customer name, address, credit card data • Risks: • Data confidentiality is breached • Data is exfiltrated • Privileged access to production
  • 47. Sensitive Administrative Pages • Some Oracle forms and pages allow for modification of the application: • Oracle Forms Controlled by Function Security (~47) • HTML Pages Controlled by Function Security (~21) • Functionality Controlled by Profile Options (3) • Pages Controlled by JTF Permissions and Roles (3) • Most of these are accessible only from SA menus and responsibilities, where access should already be limited • Eliminate or minimize access to these screens in a production system • Oracle has published an SQL query to who has access to the forms and pages, see MOS Note 1334930.1
  • 49. Recap
  • 50. Best Practices • On going monitoring of: • Privileged IDs • Generic IDs • Key configuration (i.e. responsibilities, menus, profile options) • Users without password expirations • Proxies • Approval processes are in place when making changes to configuration and users
  • 52. Reminder Please complete the session and overall meeting evaluations Thank You!
  • 53. For more information, contact: Christeen Russell, CPA, CISA Crowe Horwath LLP Direct: 212-750-4195 Christeen.Russell@crowehorwath.com www.crowehorwath.com