S Analysis of a Threat and How to Protect Your Data. Greg Kelly Product Strategy Manager, PeopleTools

Transcription

1

2 S Analysis of a Threat and How to Protect Your Data Greg Kelly Product Strategy Manager, PeopleTools

3 THE FOLLOWING IS INTENDED TO OUTLINE OUR GENERAL PRODUCT DIRECTION. IT IS INTENDED FOR INFORMATION PURPOSES ONLY, AND MAY NOT BE INCORPORATED INTO ANY CONTRACT. IT IS NOT A COMMITMENT TO DELIVER ANY MATERIAL, CODE, OR FUNCTIONALITY, AND SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISION. THE DEVELOPMENT, RELEASE, AND TIMING OF ANY FEATURES OR FUNCTIONALITY DESCRIBED FOR ORACLE'S PRODUCTS REMAINS AT THE SOLE DISCRETION OF ORACLE.

4 <Insert Picture Here> Securing Your PeopleSoft Environment 4

5 Agenda Traditional Defense Anatomy of an Attack De-Perimeterization A New Approach to Defense More Information

6 Traditional Defense Fortress Mentality Firewalls DMZ(s) Proxies VLANs Segregated Network Segments

7 Sample Layout

8 Anatomy of Attack - Harvesting Initial Research Company Site About Us Page(s) Jobs and Resume Sites Social Networking Sites e.g. Facebook Twitter Dumpster Diving Social Engineering (Kevin Mitnick)

9 Anatomy of Attack Creating Bots Phishing (spear) Upload Code Taking Control Outbound Standard Ports

10 Sample Spam/Phishing From Subject 2Airline-Tickets Someone has sent you 2 Southwest-Airlines Tickets Career Placement Ready for A Second JOB - FINANCIAL AID For A Career College Grants Thousands of Dollars in college Grants are awarded to people like you creditreport.com View updates to your Credit Report Final Notice "Walmart Coupon inside!" Final Notice FREE FedEx Delivery; Tell us where to send your DELLXPS Laptop!! FinancialAid "Scholarships & Grants are available" Flying Spree Our Records Indicate You may Have 2 Southwest Airlines Tickets freecreditreport.com View updates to your Credit Report Laptop Notification "Test it Free! A Dell package will be shipped to your door!" uro20@yahoo.com Hello!! Which s would your users open?

11 Anatomy of Attack Building Database Dictionary Attack Rules Indicators User Database Anonymous BIND to local LDAP

12 Which Wi-Fi would you choose?

13 Anatomy of Attack - Probing System Under Control Probe Infrastructure Probe Typical Vulnerabilities

14 Sample Available Web Servers from

15 Anatomy of Attack Building the Attack User Credential Database Known Vulnerabilities Local LDAP Build Out Control No Time Limit

16 How long does it take to crack passwords anyway? Mixed upper and lower case alphabet plus numbers and common symbols AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz }~ Password Time to Crack Based on Class of Attack Len Combinations 2 9,216 Instant Instant Instant Instant Instant Class A Class B Class C Class D Class E Class F Instant 3 884,736 88½ Secs 9 Secs Instant Instant Instant Instant 4 85 Mn 2¼ Hours 14 Mins 1½ Mins 8½ Secs Instant Instant 22½ 5 8 Bn 9½ Days 2¼ Hours 13½ Mins 1¼ Mins 8 Secs Hours Bn 2½ Yrs 90 Days 9 Days 22 Hours 2 Hours 13 Mins 7 75 Trn 238 Yrs 24 Ys 2½ Years 87 Days 8½ Days 20 Hours Qn 22,875 Yrs 2,287 Yrs 229 Yrs 23 Yrs 2¼ Yrs 83½ Days example: E. 100,000,000 Passwords/sec - Workstation, or multiple PC's working together. (Licensed under a Creative Commons Attribution-ShareAlike 2.0 License.)

17 How many computers could possibly be working together? Corporations, agencies infiltrated by botnet JORDAN ROBERTSON AP Technology Writer Friday, February 19, "... Security experts have found a network of 74,000 virus-infected computers that stole information from inside corporations and government agencies. The unusual thing about the incident is not that it happened but that it was discovered, and it is a reminder of the dangers of having computers with sensitive data connected to the open Internet"

18 Issues with Internet Explorer Scripts in Text Files Temporary Internet Files Folder and disabled caching

19 De-Perimeterization The huge explosion in business collaboration and commerce on the Web means that today s traditional approaches to securing a network boundary are at best flawed, and at worst ineffective. Examples include: Business transactions which tunnel through perimeters or bypass them altogether IT products that cross the boundary, encapsulating protocols within Web protocols Security exploits that use and Web to get through the perimeter - The Jericho Forum, under the auspices of The Open Group

20 Defense at the Core Transparent Data Encryption (TDE) Oracle Advanced Security Option (ASO) Data at Rest Column and Tableset Encryption Hardware Security Module Protects Against Forensic and Direct Files Access Oracle Database Vault Oracle Audit Vault Oracle Enterprise Manager Data Masking For Non-Production DB Copies

21 Core Protection Audit Vault Database Vault TDE Database

22 Core Protection Monitoring Configuration Management Oracle Audit Vault Total Recall Access Control Oracle Database Vault Label Security Encryption & Masking Access Control Monitoring Encryption & Masking Advanced Security Secure Backup Data Masking

23 Enterprise Manager Data Masking EM Data Masking Production DB Dev DB Test DB Training DB

24 Defense in the Business Logic Layer ASO Network Encryption Data in Flight Oracle Applications Access Controls Governor Oracle Transactions Control Governor (Oracle Information Rights Manager for PS-Reports) Quis custodiet ipsos custodes? 3 people can keep a secret if 2 of them are dead.

25 Protection in the Business Logic Layer Protected DB ASO Application (Business Logic) Server OAACG OTCG

26 Defense in the Presentation (Web) layer Oracle Access Manager Oracle Identity Manager Oracle Adaptive Access Manager

27 PeopleTools 8.50 Delivered Additional Security Enhancements SAML for Web Services JNDI Libraries for LDAP and LDAPS FTPS Support (FTP over secure transport) Enhanced User Profile Synchronization De-Coupled PS_HOME PDF Encryption with XML Publisher Support for Server Based Virus Scanning Engines Customer Configured TDE Algorithm PET Support for Encrypting the Encryption Keys and Secure Data Wipe Additional Hardening

28 PeopleTools 8.51 Features Security Security User Security Extended Password Controls Multiple Session Detection Kerberos Signon SDK Data Security Support for Transport Layer Security Support for SFTP and FTPS

29 Common Questions Vulnerability Testing NIST FIPS Update to Securing Your PeopleSoft Environment Windows workstation as kiosk Issues without hardening Critical Patch Update Addressing Reported and Discovered Vulnerabilities

30 <Insert Picture Here> More Information 30

31 PeopleTools 8.50 Viewlets Now Available Via oracle.com or direct Get helpful insights on many PeopleTools and Collaboration Framework features Topic Areas: Web Services & Integration Broker Life cycle Management Enterprise 2.0 and User Interface Platforms Reporting Security PeopleTools for the Developer General PeopleTools

32 More Information PeopleTools Strategy PeopleTools on Oracle Wiki PeopleSoft discussion forums PeopleTools Blog landing page Open Group Jericho Forum "de-perimeterization": Oracle's Critical patch Update 32

33 Not getting Security and other Alerts? Go to OTN - Oracle Technology Network Look at the upper right hand corner ( Account Manage Subscriptions Sign Out ) Make sure you're logged in, then Click on Manage Subscriptions Scroll down to Opt-in to Oracle Communications Check box for Oracle Security Alerts - Get the latest Security Alerts issued by Oracle as they become available... and any other alert or newsletter you want to receive Scroll down to the end of the page and "Confirm" 33

34 Additional Resources For more information about Oracle Applications For more information about Education For more information about Support For My Oracle Support information For Oracle Product documentation: Certification Information on My Oracle Support Doc id= Technical Updates on My Oracle Support Doc id=

35 PeopleTools 8.50 Information Development Deliverables PeopleTools 8.50 Documentation Homepage PeopleTools 8.50 Hosted PeopleBooks PeopleTools Cumulative Feature Overview Tool Includes direct links to PeopleBooks, PeopleBook Updates, Release Notes, Installation and Upgrade Guides, and more. All accessible from one convenient My Oracle Support location. e?cmd=show&type=not&id= Access a searchable HTML installation of our PeopleTools 8.50 PeopleBook suite. This hosted solution lets you access PeopleBooks using the help link in your applications without having to install PeopleBooks on your own server. Dynamic tool provides concise descriptions of new and enhanced solutions and functionality that have become available between your starting and target releases. The CFO tool can be found on My Oracle Support and on our Doc Home Pages.

36 PeopleTools 8.50 Available Training PeopleTools 8.50 classes available now: PeopleSoft PeopleTools 1 Rel 8.50 PeopleTools II Rel 8.50 PeopleTools I/PeopleTools II - Accelerated Rel 8.50 PeopleSoft PeopleCode Rel 8.50 SQR for PeopleSoft Rel 8.50 Application Engine Rel 8.50 PeopleCode/SQR Accelerated Rel 8.50 PeopleCode/Application Engine Accelerated Rel 8.50 To view a schedule of these classes or new upcoming classes visit Oracle University go to oracle.com/education

37 Related Sessions and More Information

38 PeopleTools Sessions of Interest Monday Time Title Number Location 11:00 Improving ROI by Mastering PS Upgrade Tools & Resources S W2018 PeopleTools 8.50 Upgrade: Details of a Well Managed Project S W2014 2:00 PeopleSoft Enterprise Release 9.1 Adoption and Roadmap General W3002 3:30 Oracle FMW for Oracle Applications Unlimited - Answers S W2014 5:00 PeopleTools Tips and Tricks S Marriott

39 PeopleTools Sessions of Interest Tuesday Time Title Number Location 11:00 PeopleTools Product Roadmap General W :30 PeopleTools Dev Series: Building & Consuming Web Services S Marriott PeopleTools 8.51 Highlights: PeopleTools in Action S W2014 2:00 PeopleTools Dev Series: Mastering PS Reporting Tools S Marriott PeopleTools Insight: Maximize Your PeopleSoft ROI S W2014 3:30 Setting an Enterprise 2.0 Strategy with PS Portal S Marriott 5:00 PeopleTools Insight: Defining a BI Strategy S Marriott PeopleTools Dev Series: Secure Coding Practices S W2016

40 PeopleTools Sessions of Interest Wednesday Time Title Number Location 10:00 PeopleTools 8.51 Highlights: Simplify Upgrade & Maintenance S W2014 Performance Techniques for the PS Middle Tier S W :30 PeopleTools 8.50 Beta Customers: One Year Later S W2014 1:00 PeopleTools Dev Series: Application Performance Tips S W2014 PeopleTools Insight: Implement Data Governance/Compliance S W2016 4:45 Making the Most of PS Query S W2016 PeopleTools Dev Series: Building a Custom Mobile App S W2014

41 PeopleTools Sessions of Interest Thursday Time Title Number Location 9:00 PeopleTools 8.51 Highlights: PeopleSoft Integration Broker S W2014 Platform Update for PeopleSoft Enterprise S W3002 PeopleTools Product Roadmap S W :30 Best Practices for Managing Your PeopleSoft Applications S Marriott The New PS Experience: Enterprise 2.0 Ecosystem S W2014 Building Mobile Solutions for Oracle Apps: Tech Insight S W :00 Monster Mashups: Related Content in PeopleSoft Apps S W2014 PeopleTools Product Team Panel Discussion S W3002 1:30 PeopleTools Insight: The Value Prop of Oracle Technology S W3002 Secure PeopleTools: Analysis of a Threat & Data Protection S W2014 3:00 Bring Your PeopleSoft Apps to Life with Web 2.0 S W3002 PeopleSoft Integration Broker Secrets S W2014

42 Oracle PeopleSoft PeopleTools in Moscone South Oracle PeopleSoft PeopleTools Demo Pods S-106 PeopleSoft PeopleTools Integration Technologies S-107 PeopleSoft PeopleTools S-110 PeopleSoft PeopleTools Reporting Solutions UPK PSFT Hyperion

43 Useful Links Oracle Software Security Assurance Secure Development Process Critical Patch Update PeopleSoft Enterprise Applications (look for "PeopleSoft Information Portal" link) Security Solutions From Oracle PeopleSoft Technology Blog check the links >>> External Security Validations Security Information and Best Practices 2010 Oracle Corporation Proprietary and Confidential

44 Learn More PeopleSoft Information Development Resources Hosted & Mobile PeopleBooks - PeopleTools PeopleBooks are available in three formats: Hosted PeopleBooks, PDF s, and Amazon s Kindle format. All can be accessed here: Doc Home Pages constantly updated direct links to PeopleBooks, PeopleBook Updates, Release Notes, Installation and Upgrade Guides, and other useful product documentation, all accessible from one My Oracle Support location. PeopleTools 8.51 Documentation Home Page [ID ] Information Portal - locate the documentation, training, and other info needed to help with your implementation process. Customers searching for this information should make this their first online destination.

45 Learn More PeopleSoft Information Development Resources Cumulative Feature Overview (CFO)- Providing concise descriptions of new and enhanced solutions and functionality that have become available starting with the 8.4 release through our latest 8.51 release. NOT&doctype=SYSTEMDOC&id= Upgrade Resource Report Tools - helps you find all the documentation, scripts, and files you need for your upgrade project. NOT&doctype=SYSTEMDOC&id= Follow us

46