Have your PeopleSoft
systems been
hacked?
GreyHeller LLC
©GreyHeller, LLC All Rights Reserved
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Agenda
 Introductions
 What
you read in the Press
 Identity and Password Management
 Data Security
 Process Security
 Incident Response
 Logging and Analysis
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Company Highlights
•
Founded by the people who ran PeopleTools
•
PeopleTools strategists and developers since 1994
•
Deep PeopleSoft software development skills and DNA
•
Nearly 100 customers (US; Canada; UK; EU; Australia; Asia; Africa;
South America)
• Beta test partner: PeopleTools 8.53 & Applications 9.2
•
2011 & 2012 Oracle Customer Advisory Board
•
PeopleSoft ecosystem – Blog; Webinars; Conference training
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Software Solutions

Mobile for PeopleSoft







Any PeopleSoft page / customization….Automatically
Single code version: iOS; Android; Blackberry; Windows 7
Highly secure
Single Signon
ERP Firewall
Version Control
Excel Add-in
QuestDirect.org
Customers
GreyHeller LLC, Proprietary & Confidential
Unilever
US. Dept of State
Pfizer
University of North Carolina at
Chapel Hill
University of Arkansas
Cambridge University
Philip Morris
Chesapeake Energy
Lazard, Ltd.
Texas Christian Univ
QVC
Arizona State University
US Dept. of Energy
HealthSouth
Robert Half International
MMI Holdings
Stony Brook University
Methanex
Univ. of Oklahoma – Health
Sciences Center
University of Central Florida
BCD Travel
Jones Lang LaSalle
University of Montreal
Ryerson University
Berlin Packaging
Frostburg State Univ
University of Kansas
University at Buffalo
AgFirst Bank
Incyte
Amedisys
Quintiles
DLA Piper
GEICO
Logistics Health
Barnabas Health
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
What you read in the press
 SQL
Injection
 Cross Site Scripting
 Content Spoofing and Injection
 Authentication and Authorization
 Directory Indexing
 Information Leakage
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
PeopleTools as a platform
 Security
enforced consistently
 Central team within PeopleTools who specializes in
security.
 Vulnerabilities addressed without requiring
redevelopment of business logic. Changes are
made in the platform, and the vulnerability is
addressed platform-wide immediately
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
SQL Injection



Repercussions
 Gather sensitive data
 Make unauthorized updates to application data
 Escalate privileges and/or bypass system controls
 Cause service interruption
Mitigated in PeopleTools by
 PeopleTools does not concatenate form fields to create the SQL it issues.
 The type of form fields are known to PeopleTools, so the entry is validated on
size and type.
Watch out for SQL Execs. Mitigate by Change Management procedures.
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Cross site scripting
 Occurs
when an unauthorized form mimics a form
within the application to fool it to allow unauthorized
updates
 Addressed in PeopleTools by embedding a random
token in each PeopleSoft page that the web server
validates before accepting it.
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Content Spoofing and Injection



Modifies traffic between site and browser to find an
opportunity to gain unauthorized access or to escalate
privileges to it.
Examples include:
 Modifying the URL in unexpected ways
 Altering or removing HTML headers
 Altering or removing cookies
 Altering the HTML or XML content
PeopleTools acts as single controller for traffic
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Content Spoofing and Injection




Can be bypassed with improper coding practices
Utilizing http header to maintain the identity of the user for single
signon.
Utilizing get request parameter with SQLEXEC function
Common location-based security mistakes
 Restrict the portal navigation as enforcing location security.


Utilizing headers to identify the source of traffic.
Common Remediations


Review any headers that are available on the client.
Change management process to review all logic related to the % request.
Get parameter() function as well as SQL-Exec functions.
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Authentication and Authorization
 Identity
management processes and controls
 Password storage, management, and controls
 Privilege management
 Consistent application controls
 PeopleTools enforces security
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Information Leakage


To aid in development and troubleshooting, information about the
configuration and version of the parts of the system need to be
accessible at times. However, making this information available
publicly can provide information that can help attackers find
vulnerabilities.
The access of this information is not controllable by developers, but
by the PeopleTools platform itself in the web profile. Therefore, we
recommend that the web profile settings of the production web
servers are audited to ensure that the settings for providing this
information are turned off.
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Discussion Points
 Identity
and Password Management
 Data Security
 Process Security
 Incident Response
 Logging and Analysis
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Identifying and Authenticating
Users


Risks
 User IDs and passwords
 Users can have privileges that are not appropriate for them
 Lack of visibility into inappropriate use of user ids, passwords, or
privileges
Categories
 User Account and Identity Management
 Processes that surround user identity and role changes
 Differentiated levels of trust and re-authentication
 Password Controls
QuestDirect.org
Centralize user credentials, password
controls, and authentication process
(Single Signon)




One place to protect the user account information
One ID across different University systems
Password controls enforced consistently
Changes in access administered and enforced in a single
place
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
One Identity for System Access
regardless of role



Risks:
 Password controls are not enforced consistently, and
users must remember the credentials for each
 Changes in the user’s identity and access must often be
applied manually to both accounts
 It is more difficult to audit users’ actions across the
different accounts.
Controls over account provisioning process
Batch Processes
QuestDirect.org
Processes for controlling changes
in user identity
GreyHeller LLC, Proprietary & Confidential






Student Self-Service Access: Risk limited to the individual student
Faculty and Student Intern Access: Risk related to activities that faculty and interns perform
for students or University, such as grading and advising
Functional Administrator Access: Risk is related to operations of the system in a functional
area
System Administrator Access: Risk is related to the operations of the PeopleSoft
Environment
End-user Support Access: Risk is related to the scope of tasks that can be performed.
Developer Access: Risk related to changes and the data that the developer accessible.
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Key Activities
 Provisioning
of a new individual
 Termination
 Transfer
 Assumption
of new responsibilities
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Login attempt capture and
analysis
 Identify




Suspicious Activity
Identification of accounts targeted in attacks
Identification of potentially compromised
accounts
Early Identification organized attacks
Identification of sources of attacks
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Protecting Application Data




Controls over how data is stored
Controls over how data is accessed
Controls over how data is moved
Focus on Roles
 End-User
 Administrator
 Developer
 DBA
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Administrator Best Practices




Hiding or Masking sensitive data
Externalizing sensitive data from the application
Policies for exporting and storing data
 Stewardship
 Controlling storage and access
 Single control point over access (real time)
Controlling PS/Query Access
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Controlling Access to PeopleSoft
Functions

The areas to consider within each type of user include:
 Protecting against actions performed by unauthorized user with an
valid account
 Protecting against actions performed by an authorized user with an
authorized account
 Protecting against system changes that could allow privilege
escalation
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Mitigation Techniques

Controlling access to a machine with an open session or saved
credentials

Controlling access to administrative functions that could compromise
business functions or cause privilege escalation

Providing audits and controls over high risk functions
QuestDirect.org
Best Practice: 2-factor
authentication
GreyHeller LLC, Proprietary & Confidential
 Two



of the three standard authentication factors
Something the user knows (password, PIN, pattern)
Something the user has (Phone, Email Account, USB
Key, smart card, Secure ID token)
Something the user is (biometric characteristic).
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Common Tokens


Connected token
 Smart card reader
 USB token
 Fingerprint scanner
Disconnected token
 Secure ID token
 Email
 SMS
 IVR
 Mobile App
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Best Practice: Differentiated
Levels of Trust

Based on following attributes
 Location from which access is
being performed
 Device from which the user is
accessed
 User
 History of access
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Location Attributes






Access from a campus office with keycard access
Access from campus locations that have wired connections
Access from campus locations that are accessed wirelessly
Access from non-campus locations, but in the community of the
campus
Access from other US locations
Access from other countries
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Device Attributes
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
User Attributes
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
History Attributes
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Setting the Levels


Banding sets of session attributes into levels of trust.
Banding PeopleSoft functionality into the different levels of access.
 Functionality should be analyzed with the following in mind:




The results of this banding will group PeopleSoft functionality into how it will
be provided



Can it be used for privilege escalation?
Can it be used fraudulently to benefit or damage students, faculty, administration
or the University?
Are there other processes in place to review or approve changes made?
Allowed with any valid session
Allowed with a valid session and an additional factor of authentication
Disallowed for the current session
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Other Best Practices

Temporary access to high risk functions

Well defined policies and training over administrative use

Release process over configuration settings
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Developer and Tester Best
Practices

Limit developer access to production
Change Management solution for development tasks
Automating migrations into production with segregation of duties
Removal of PeopleSoft-delivered accounts and roles
Audit and controls over development and testing accounts and
permissions in production
Test Automation

Develop and test scripts instead of running SQL directly in





production
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Incident Response
 Common




Incidents
Solicited and/or unsolicited information provided by
security research organizations
Publication of issue or breach that affecting the
University’s system.
Discovery of potential breach that could affect the
University’s system.
Account-level issues including breaches and password
resets
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Incident Response Best
Practices
 Cross-Functional
incident response teams
 Communication processes and plans
 Incident response policies and procedures that
define SLA’s, roles, responsibilities, and automation
wherever possible
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Logging and Auditing
 Helps




with
Prevent security breaches
Identify breaches or attacks early thereby reducing the
scope of impact
Quickly understand the of scope of attacks or
breaches so that a response can be planned and
quickly implemented
Gather better information for security audits or litigation
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Logging Best Practices
 Information
 Failed
about the location accessed from
login activity
 Information
about the data accessed or any
transaction activity
QuestDirect.org
Best Practice: Capturing
additional information
GreyHeller LLC, Proprietary & Confidential






IP Address or Location
Web Server being accessed
User ID
Pages accessed within the application
Keys to identify the data accessed or transaction to be
processed
Actions performed within the application
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Best Practice: Segmented Logs








Login activity
Password resets
Administrative access by functional area
Student access by functional area
Support access
Access from high-risk locations
Access from high-risk personnel
Access to sensitive data or transactions
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Summary

Masking and externalizing sensitive data

Differentiated Security and 2-factor authentication

Logging and Auditing

Change Management and Automation
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
GreyHeller Security Products
 Desktop
Single Signon
 ERP Firewall





Differentiated Security
Location based Security
2 Factor Authentication
Delegation
Logging
 GreyHeller
Version Control
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
ERP Firewall
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Allows you to
 Control
access based on location, user, content,
and state.
 Log only the requests you care about.
 Implement additional challenges for content you
wish to secure more strongly
 Display your own system messages to your users
 Restrict access when system is under maintenance
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Access Control Made Easy
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
ERP Firewall Flow
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Flexible, Powerful Conditions
QuestDirect.org
Powerful Logging
 Gathers



Oprid / IP Address / Result / Browser / Date / Time
Login Page / Portal Content / PeopleSoft Page / iScript
EMPLID / Search Criteria / Actions taken
 Allows




a complete picture of access
creation of targeted logs
Failed login activity
Activity for specific content
Activity for types of users
2-factor activity
QuestDirect.org
Definitional 2-factor
authentication
GreyHeller LLC, Proprietary & Confidential
 Identify
areas that
require additional
security upon access
 Only grant extended
privileges when needed
 Limit the scope of those
privileges
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Change Management





Segregation of duties and Release
Management Controls
Visibility into all development and
release activity
Facilitates automated testing
No footprint on your PeopleSoft
servers
PeopleSoft environments are not
linked to each other
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Collaboration


Access to all parts of your release process from
browser
 Code Browsing and revision history
 Check-in History
 Migration definition and execution
 Tickets, Approvals, and state of work
Integrated Collaboration Tools
 Email Notifications
 RSS Feeds
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Normal Release Process
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
Standard Release Process
QuestDirect.org
GreyHeller LLC, Proprietary & Confidential
APRIL 7-11, 2014
Sands Expo and Convention
Center
Las Vegas, Nevada
QuestDirect.org/COLLABORATE
COLLABORATE 14- Quest Forum is THE source for PeopleSoft roadmaps & news.
It matters where you register! All PeopleSoft education and events run through Quest
QuestDirect.org
Download

Have Your Peoplesoft System Been Hacked - 2013