Implementing security from the inside out in a PeopleSoft environment System hardening with reference to the additional concern for insider threat

Similar documents
The SANS Institute Top 20 Critical Security Controls. Compliance Guide

PeopleSoft - Top 10 Security Risks

epldt Web Builder Security March 2017

Locking down a Hitachi ID Suite server

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Cloud FastPath: Highly Secure Data Transfer

IBM SmartCloud Notes Security

SDR Guide to Complete the SDR

Security in Bomgar Remote Support

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

BeOn Security Cybersecurity for Critical Communications Systems

PCI DSS Compliance. White Paper Parallels Remote Application Server

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

Security in the Privileged Remote Access Appliance


Oracle Hospitality ecommerce Integration Cloud Service Security Guide Release 4.2 E

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Karthik Bharathy Program Manager, SQL Server Microsoft

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Insiders: The Threat is Already Within

Juniper Vendor Security Requirements

CIS Controls Measures and Metrics for Version 7

Xerox Audio Documents App

TIBCO Cloud Integration Security Overview

Solutions Business Manager Web Application Security Assessment

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

تاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم

Introduction With the move to the digital enterprise, all organizations regulated or not, are required to provide customers and anonymous users alike

M2M / IoT Security. Eurotech`s Everyware IoT Security Elements Overview. Robert Andres

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

DreamFactory Security Guide

Comprehensive Database Security

How to Configure Authentication and Access Control (AAA)

CyberArk Privileged Threat Analytics

Online Services Security v2.1

2. Firewall Management Tools used to monitor and control the Firewall Environment.

ANATOMY OF AN ATTACK!

Security+ SY0-501 Study Guide Table of Contents

Phire 12.2 Hardware and Software Requirements

HikCentral V1.3 for Windows Hardening Guide

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

How NOT To Get Hacked

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

HPE Intelligent Management Center

Security Fundamentals for your Privileged Account Security Deployment

HikCentral V.1.1.x for Windows Hardening Guide

DoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel

Information Security in Corporation

ORACLE MANAGED CLOUD SECURITY SERVICES - SERVICE DESCRIPTIONS. December 1, 2017

New Oracle EBS Security Features You Can Use Now

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Oracle Database Security Assessment Tool (DBSAT) Overview

Changing face of endpoint security

CIS Controls Measures and Metrics for Version 7

Introduction. The Safe-T Solution

I, J, K. Lightweight directory access protocol (LDAP), 162

CoreMax Consulting s Cyber Security Roadmap

CYBERSECURITY RISK LOWERING CHECKLIST

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

An Oracle White Paper September Security and the Oracle Database Cloud Service

HIPAA Regulatory Compliance

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Oracle Hospitality ecommerce Integration Cloud Service Security Guide Release 18.1 E

G/On. G/On is available for Windows, MacOS and Linux (selected distributions).

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

Going Without CPU Patches on Oracle E-Business Suite 11i?

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

ArcGIS Enterprise Security: Advanced. Gregory Ponto & Jeff Smith

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

HySecure Quick Start Guide. HySecure 5.0

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Oracle Payment Interface Token Proxy Service Security Guide Release 6.1 E November 2017

CYAN SECURE WEB Installing on Windows

5. Execute the attack and obtain unauthorized access to the system.

Security Readiness Assessment

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

California State Polytechnic University, Pomona. Server and Network Security Standard and Guidelines

Projectplace: A Secure Project Collaboration Solution

McAfee Network Security Platform 9.1

InterCall Virtual Environments and Webcasting

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

CSN38: Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO

Security Information & Policies

1 Hitachi ID Mobile Access. 2 The BYOD challenge. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

WebLogic Security Top Ten

Oracle Security Products and Their Relationship to EBS. Presented By: Christopher Carriero

Seqrite Endpoint Security

Cloud Security Whitepaper

CyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory

Oracle Audit Vault Implementation

AWS FREQUENTLY ASKED QUESTIONS (FAQ)

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

Introducing MVISION. Cohesive Cloud-based Management of Threat Countermeasures and Devices Leveraging Built-in Device Controls. Jon Parkes.

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance

CompTIA Security+(2008 Edition) Exam

See the unseen. CryptoAuditor SSH.COM. Control and audit encrypted 3rd party sessions. What is CryptoAuditor?

Transcription:

PeopleSoft supports end to end encryption: browser to web server; web server to Java container; Java container to Tuxedo app server; Tuxedo app server to DB Security Hardening recommendations, Hosted, On-Premise or Cloud based Systems Note: This is not a comprehensive list, but a set of basic considerations and not intended to replace a comprehensive security audit Server Room lock down (Key card in and out, no tail gating) Restricted OS CLI (command line interface or shell) access to DB servers DB Lockdown http://www.oracle.com/technetwork/articles/index-087388.html Transparent Data Encryption (Oracle DB encryption for data-at-rest protection, Microsoft has similar functionality for SQL Server) Review features of Oracle Audit Vault especially for abusive data harvesting SQL Net traffic encryption App Server to DB Restricted OS CLI access to App servers JOLT traffic encryption Web Server to App Server Restricted OS CLI access to Web servers Weblogic Lockdown http://docs.oracle.com/cd/e15523_01/core.1111/e12889/infrahard.htm Restrict access to Weblogic Console, e.g. enable it only when necessary ERP Firewall which additionally tracks User ID access attempts logging finger print data: e.g. workstation ID, User ID, real IP address, user agent, referrer name Separate Weblogic Java container from HTTP Server, installing HTTP Server in DMZ Risk and Security analysis server like Oracle Adaptive Access Manager Firewall and Router policies which restrict internal access to approved web server and proxy addresses, reduced/restricted port 80 enabled or accessible internally HTTPS rather than HTTP by default internally, PeopleSoft supports SSL 3.0 and TLS 1.1 (as a result of POODLE threat, eliminating SSL 3.0)

Server based Virus Scanning Engine, ICAP v1.0 compatible http://docs.oracle.com/cd/e58500_01/pt854pbh1/eng/pt/tmcf/task_enablingvirusscanning-a47fea.html#topofpage Software asset management to retrieve details of software installed on each server/workstation and company owned end user device. Policy lockdown of workstations to prevent unauthorized installation or unapproved use of USB flash drives, unapproved software, no rogue proxies or TCP/IP traffic sniffers Policy management of end user device e.g. to ensure current anti-virus/malware software Ad hoc and regular discovery of wireless access points Uncontrolled use of cloud storage from inside the firewall Document protection and inappropriate sharing Site and web server access protection workstation software, like McAfee SiteAdvisor http://www.mcafee.com/us/products/siteadvisor-enterprise.aspx#vt=vtab-featuresbenefits Browser lockdown by Microsoft policy management to white list approved web servers internally and externally. No local user administrator access. Configure PeopleSoft (or access system) password controls, e.g. for complexity, length, expiration, consecutive failures. Ensure Node Passwords are maximum length and complex MDM/MAM for mobile device access, especially BYOD Use robust Kiosk software for common area access to sensitive data Use SPF/DKIM/DMARC to protect mail servers (phishing protection) Use URL Expander to test shortened URL s Review: Securing Your PeopleSoft Application Environment http://download.oracle.com/peopletools/documents/securing_psft_app_environment_may2010%20v4.pdf PeopleTools CPU analysis and supported versions of PeopleTools https://blogs.oracle.com/peopletools/entry/peopletools_cpu_analysis_and_supported PeopleTools version end of support/life and PeopleTools support for applications https://blogs.oracle.com/peopletools/entry/peopletools_version_end_of_life PeopleSoft Technology and Security Video Overviews https://www.youtube.com/user/peoplesofttechnology

Questions for the IT/Security Team Do you encrypt data in the database (data at rest)? PET, TDE, SQL Server Encryption Do you use full transport, browser to disk, encryption (data in flight)? PeopleSoft supports Browser to Web Server HTTPS, Web Server to Servlet HTTPS, Servlet to Tuxedo JOLT Encryption, Tuxedo to Oracle DB with Encrypted NetSQL How do you protect against abusive or inappropriate access by high privilege DBA's? Do all DBA s use their own user ID or a common ID for administration? Oracle Audit Vault, Oracle DB Vault, other audit (PeopleSoft, GRC, ) How quickly can you revoke access, one user, groups of users, high privilege users? How often do you, or do you have a process to, run background checks on employees handling customer data? Internal processes, Attestation, HireRight How do you protect firewalls, proxies, and IPS/IDS? Do you have different set of credentials for administrator right on each? Infrastructure Does your Disaster Plan have a contingency for when a breach occurs? Who makes the decisions to lock down systems, turn off web servers? Do you have a disclosure plan and are you prepared for credibility/reputation loss? Have you established Security Processes and a defined review cycle? Do you use Anonymous BIND on Exposed LDAP? Infrastructure NOTE: Over the past couple of years, most breaches, including credential harvesting have been the result of a successful phishing attack. Consider a site advisor for content filtering and review the security of your email servers. Consider use of a site advisor proxy, which includes web content filtering? For instance, see document at this secure McAfee shortened URL - http://mcaf.ee/e9txw Check your exposure to phishing? https://www.phishingscorecard.com/

System hardening with reference to the additional concern for insider threat Understand Waterfall User ID Flow in Integration Broker If access drops through validation, access will use Roles of the Default User on the Anonymous Node, so you must ensure this user has minimal rights PIA Node ========================== =========================================== =============== External Node

Delivered Security Related Queries Navigation: PeopleTools > Security > Common Queries Review Security Information User ID Queries Queries specific to a User ID. Role Queries Queries specific to a Role. Permission List Queries Queries specific to a Permission List. PeopleTools Objects Queries Queries specific to a PeopleTools object. Definition Security Queries Queries specific to Definition Security. Access Log Queries Queries specific to log-in/log-out activity Consider additional queries for: Roles/Permissions for user assigned to Anonymous Node in IB (see Waterfall diagram above) Users with all caps in PSOPRDEFN, indicating persistence of delivered users in production environment New table PSPTLOGINAUDIT

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback