Greg Kelly, Product Strategy Manager, PeopleTools

THE FOLLOWING IS INTENDED TO OUTLINE OUR GENERAL PRODUCT DIRECTION. IT IS INTENDED FOR INFORMATION PURPOSES ONLY, AND MAY NOT BE INCORPORATED INTO ANY CONTRACT. IT IS NOT A COMMITMENT TO DELIVER ANY MATERIAL, CODE, OR FUNCTIONALITY, AND SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. THE DEVELOPMENT, RELEASE, AND TIMING OF ANY FEATURES OR FUNCTIONALITY DESCRIBED FOR ORACLE'S PRODUCTS REMAINS AT THE SOLE DISCRETION OF ORACLE.

Securing Your PeopleSoft Environment

Agenda
  Traditional Defense
  Anatomy of an Attack
  De-Perimeterization
  A New Approach to Defense
  More Information

Traditional Defense: Fortress Mentality
  Firewalls
  DMZ(s)
  Proxies
  VLANs
  Segregated network segments
  Sample layout: http://wiki.oracle.com/page/Securing+Your+PeopleSoft+Application+-+Index+Page

Anatomy of an Attack: Harvesting
  Initial research
    Company site, "About Us" page(s)
    Jobs and resume sites
    Social networking sites, e.g. Facebook, Twitter
    Dumpster diving
    Social engineering (Kevin Mitnick)

Anatomy of an Attack: Creating Bots
  Phishing (spear phishing)
  Upload code
  Taking control over outbound standard ports

Sample spam/phishing email (From / Subject):
  2Airline-Tickets / Someone has sent you 2 Southwest-Airlines Tickets
  Career Placement / Ready for A Second JOB - FINANCIAL AID For A Career
  College Grants / Thousands of Dollars in college Grants are awarded to people like you
  creditreport.com / View updates to your Credit Report
  Final Notice / "Walmart Coupon inside!"
  Final Notice / FREE FedEx Delivery; Tell us where to send your DELLXPS Laptop!!
  FinancialAid / "Scholarships & Grants are available"
  Flying Spree / Our Records Indicate You may Have 2 Southwest Airlines Tickets
  freecreditreport.com / View updates to your Credit Report
  Laptop Notification / "Test it Free! A Dell package will be shipped to your door!"
  uro20@yahoo.com / Hello!!
Which emails would your users open?

Anatomy of an Attack: Building the Database
  Dictionary attack rules
  Indicators
  User database: anonymous BIND to the local LDAP directory
Which Wi-Fi would you choose?

Anatomy of an Attack: Probing
  System under control
  Probe infrastructure
  Probe typical vulnerabilities
  Sample: available web servers, from http://www.netcraft.com

Anatomy of an Attack: Building the Attack
  User credential database
  Known vulnerabilities
  Local LDAP build-out
  Control
  No time limit

How long does it take to crack passwords anyway?
Mixed upper and lower case alphabet plus numbers and common symbols (source: http://www.lockdown.co.uk/?pg=combi):
  0123456789
  AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
  <SP>!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Password time to crack, based on class of attack (example: Class E = 100,000,000 passwords/sec, a workstation or multiple PCs working together):

  Len  Combinations  Class A     Class B    Class C   Class D   Class E   Class F
  2    9,216         Instant     Instant    Instant   Instant   Instant   Instant
  3    884,736       88 Secs     9 Secs     Instant   Instant   Instant   Instant
  4    85 Mn         2 Hours     14 Mins    1 Min     8 Secs    Instant   Instant
  5    8 Bn          9 Days      22 Hours   2 Hours   13 Mins   1 Min     8 Secs
  6    782 Bn        2 Yrs       90 Days    9 Days    22 Hours  2 Hours   13 Mins
  7    75 Trn        238 Yrs     24 Yrs     2 Yrs     87 Days   8 Days    20 Hours
  8    7.2 Qn        22,875 Yrs  2,287 Yrs  229 Yrs   23 Yrs    2 Yrs     83 Days

(Table licensed under a Creative Commons Attribution-ShareAlike 2.0 License.)

How many computers could possibly be working together?

"Corporations, agencies infiltrated by botnet", Jordan Robertson, AP Technology Writer, Friday, February 19, 2010, http://lubbockonline.com/stories/021910/bus_565096614.shtml:
"... Security experts have found a network of 74,000 virus-infected computers that stole information from inside corporations and government agencies. The unusual thing about the incident is not that it happened but that it was discovered, and it is a reminder of the dangers of having computers with sensitive data connected to the open Internet."

Issues with Internet Explorer
  Scripts in text files
  Temporary Internet Files folder and disabled caching

De-Perimeterization
"The huge explosion in business collaboration and commerce on the Web means that today's traditional approaches to securing a network boundary are at best flawed, and at worst ineffective. Examples include:
  Business transactions which tunnel through perimeters or bypass them altogether
  IT products that cross the boundary, encapsulating protocols within Web protocols
  Security exploits that use email and Web to get through the perimeter"
- The Jericho Forum, under the auspices of The Open Group

Defense at the Core
  Transparent Data Encryption (TDE), Oracle Advanced Security Option (ASO): data at rest
    Column and Tableset Encryption
    Hardware Security Module
    Protects against forensic and direct file access
  Oracle Database Vault
  Oracle Audit Vault
  Oracle Enterprise Manager Data Masking for non-production DB copies

Core Protection (diagram)
  Database core protection: Audit Vault, Database Vault, TDE
  Monitoring: Oracle Audit Vault, Total Recall, Configuration Management
  Access control: Oracle Database Vault, Label Security
  Encryption & masking: Advanced Security, Secure Backup, Data Masking
  Enterprise Manager Data Masking: Production DB copied via EM Data Masking to Dev DB, Test DB, Training DB

Defense in the Business Logic Layer
  ASO network encryption: data in flight
  Oracle Applications Access Controls Governor
  Oracle Transactions Control Governor
  (Oracle Information Rights Manager for PS-Reports)

Quis custodiet ipsos custodes? (Who watches the watchmen?)
3 people can keep a secret if 2 of them are dead.
Protection in the Business Logic Layer (diagram)
  Protected DB, connected over ASO to the Application (Business Logic) Server, with OAACG and OTCG

Defense in the Presentation (Web) Layer
  Oracle Access Manager
  Oracle Identity Manager
  Oracle Adaptive Access Manager

PeopleTools 8.50 Delivered Additional Security Enhancements
  SAML for Web Services
  JNDI libraries for LDAP and LDAPS
  FTPS support (FTP over secure transport)
  Enhanced User Profile Synchronization
  De-coupled PS_HOME
  PDF encryption with XML Publisher
  Support for server-based virus scanning engines
  Customer-configured TDE algorithm
  PET support for encrypting the encryption keys and secure data wipe
  Additional hardening

PeopleTools 8.51 Features: Security
  User security
    Extended password controls
    Multiple session detection
    Kerberos signon SDK
  Data security
    Support for Transport Layer Security
    Support for SFTP and FTPS

Common Questions
  Vulnerability testing
  NIST FIPS 140-2
  Update to "Securing Your PeopleSoft Environment"
  Windows workstation as kiosk: issues without hardening
  Critical Patch Update: addressing reported and discovered vulnerabilities

More Information

PeopleTools 8.50 Viewlets Now Available via oracle.com
  http://www.oracle.com/applications/peoplesoft/tools_tech/ent/ptools/index.html
  or direct: http://download.oracle.com/peopletools/viewlets.html
  Get helpful insights on many PeopleTools and Collaboration Framework features.
  Topic areas: Web Services & Integration Broker; Lifecycle Management; Enterprise 2.0 and User Interface; Platforms; Reporting; Security; PeopleTools for the Developer; General PeopleTools

PeopleTools Strategy email: peopletools_ww@oracle.com
PeopleTools on Oracle Wiki: http://wiki.oracle.com/page/PeopleSoft
PeopleSoft discussion forums: http://forums.oracle.com/forums/category.jspa?categoryID=152
PeopleTools Blog landing page: http://blogs.oracle.com/peopletools
Open Group Jericho Forum "de-perimeterization": http://www.opengroup.org/jericho/deperim.htm
Oracle's Critical Patch Update: http://www.oracle.com/security/critical-patch-update.html

Not getting Security and other Alerts?
  Go to OTN - Oracle Technology Network: http://www.oracle.com/technology/index.html
  Look at the upper right hand corner (Account | Manage Subscriptions | Sign Out). Make sure you're logged in, then click on Manage Subscriptions.
  Scroll down to "Opt-in to Oracle Communications".
  Check the box for Oracle Security Alerts ("Get the latest Security Alerts issued by Oracle as they become available") ... and any other alert or newsletter you want to receive.
  Scroll down to the end of the page and "Confirm".

Additional Resources
  For more information about Oracle Applications: http://www.oracle.com/us/products/applications/peoplesoft-enterprise/index.htm
  For more information about Education: http://www.oracle.com/education/index.html
  For more information about Support: http://www.oracle.com/support/
  For My Oracle Support information: http://support.oracle.com
  For Oracle Product documentation: http://www.oracle.com/applications/peoplesoft/tools_tech/ent/index.html
  Certification Information on My Oracle Support: Doc id=747587.1
  Technical Updates on My Oracle Support: Doc id=764222.1

PeopleTools 8.50 Information Development Deliverables
  PeopleTools 8.50 Documentation Homepage: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=847882.1
    Includes direct links to PeopleBooks, PeopleBook Updates, Release Notes, Installation and Upgrade Guides, and more. All accessible from one convenient My Oracle Support location.
  PeopleTools 8.50 Hosted PeopleBooks: http://www.oracle.com/pls/psft/homepage
    Access a searchable HTML installation of our PeopleTools 8.50 PeopleBook suite. This hosted solution lets you access PeopleBooks using the help link in your applications without having to install PeopleBooks on your own server.
  PeopleTools Cumulative Feature Overview (CFO) Tool
    Dynamic tool that provides concise descriptions of new and enhanced solutions and functionality that have become available between your starting and target releases. The CFO tool can be found on My Oracle Support and on our Doc Home Pages.

PeopleTools 8.50 Available Training
  PeopleTools 8.50 classes available now:
    PeopleSoft PeopleTools I Rel 8.50
    PeopleTools II Rel 8.50
    PeopleTools I/PeopleTools II - Accelerated Rel 8.50
    PeopleSoft PeopleCode Rel 8.50
    SQR for PeopleSoft Rel 8.50
    Application Engine Rel 8.50
    PeopleCode/SQR Accelerated Rel 8.50
    PeopleCode/Application Engine Accelerated Rel 8.50
  To view a schedule of these classes or new upcoming classes, visit Oracle University: go to oracle.com/education

Related Sessions and More Information

PeopleTools Sessions of Interest: Monday
  Time   Title                                                        Number    Location
  11:00  Improving ROI by Mastering PS Upgrade Tools & Resources      S318203   W2018
         PeopleTools 8.50 Upgrade: Details of a Well Managed Project  S317421   W2014
  2:00   PeopleSoft Enterprise Release 9.1 Adoption and Roadmap       General   W3002
  3:30   Oracle FMW for Oracle Applications Unlimited - Answers       S318064   W2014
  5:00   PeopleTools Tips and Tricks                                  S317016   Marriott

PeopleTools Sessions of Interest: Tuesday
  Time   Title                                                        Number    Location
  11:00  PeopleTools Product Roadmap                                  General   W3010
  12:30  PeopleTools Dev Series: Building & Consuming Web Services    S317431   Marriott
         PeopleTools 8.51 Highlights: PeopleTools in Action           S317433   W2014
  2:00   PeopleTools Dev Series: Mastering PS Reporting Tools         S317427   Marriott
         PeopleTools Insight: Maximize Your PeopleSoft ROI            S317442   W2014
  3:30   Setting an Enterprise 2.0 Strategy with PS Portal            S317437   Marriott
  5:00   PeopleTools Insight: Defining a BI Strategy                  S317445   Marriott
         PeopleTools Dev Series: Secure Coding Practices              S317430   W2016

PeopleTools Sessions of Interest: Wednesday
  Time   Title                                                        Number    Location
  10:00  PeopleTools 8.51 Highlights: Simplify Upgrade & Maintenance  S317434   W2014
         Performance Techniques for the PS Middle Tier                S317420   W3002
  11:30  PeopleTools 8.50 Beta Customers: One Year Later              S317446   W2014
  1:00   PeopleTools Dev Series: Application Performance Tips         S317426   W2014
         PeopleTools Insight: Implement Data Governance/Compliance    S317451   W2016
  4:45   Making the Most of PS Query                                  S317455   W2016
         PeopleTools Dev Series: Building a Custom Mobile App         S317432   W2014

PeopleTools Sessions of Interest: Thursday
  Time   Title                                                        Number    Location
  9:00   PeopleTools 8.51 Highlights: PeopleSoft Integration Broker   S317435   W2014
         Platform Update for PeopleSoft Enterprise                    S317422   W3002
         PeopleTools Product Roadmap                                  S317436   W3005
  10:30  Best Practices for Managing Your PeopleSoft Applications     S317034   Marriott
         The New PS Experience: Enterprise 2.0 Ecosystem              S317447   W2014
         Building Mobile Solutions for Oracle Apps: Tech Insight      S317110   W2020
  12:00  Monster Mashups: Related Content in PeopleSoft Apps          S317448   W2014
         PeopleTools Product Team Panel Discussion                    S317439   W3002
  1:30   PeopleTools Insight: The Value Prop of Oracle Technology     S317438   W3002
         Secure PeopleTools: Analysis of a Threat & Data Protection   S317424   W2014
  3:00   Bring Your PeopleSoft Apps to Life with Web 2.0              S317450   W3002
         PeopleSoft Integration Broker Secrets                        S317425   W2014

Oracle PeopleSoft PeopleTools in Moscone South: Demo Pods
  S-106  PeopleSoft PeopleTools Integration Technologies
  S-107  PeopleSoft PeopleTools
  S-110  PeopleSoft PeopleTools Reporting Solutions (PSFT, Hyperion, UPK)

Useful Links
  Oracle Software Security Assurance: http://www.oracle.com/security/software-security-assurance.html
    Secure Development Process, Critical Patch Update, External Security Validations, Security Information and Best Practices
  PeopleSoft Enterprise Applications: http://www.oracle.com/peoplesoft (look for the "PeopleSoft Information Portal" link)
  Security Solutions From Oracle: http://www.oracle.com/security
  PeopleSoft Technology Blog: http://blogs.oracle.com/peopletools (check the links >>>)

2010 Oracle Corporation Proprietary and Confidential

Hosted & Mobile PeopleBooks
  PeopleTools PeopleBooks are available in three formats: Hosted PeopleBooks, PDFs, and Amazon's Kindle format. All can be accessed here: http://www.oracle.com/technetwork/documentation/psftent-090284.html

Doc Home Pages
  Constantly updated direct links to PeopleBooks, PeopleBook Updates, Release Notes, Installation and Upgrade Guides, and other useful product documentation, all accessible from one My Oracle Support location.
  PeopleTools 8.51 Documentation Home Page [ID 1127534.1]: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1127534.1

Learn More: PeopleSoft Information Development Resources
  Information Portal: locate the documentation, training, and other info needed to help with your implementation process. Customers searching for this information should make this their first online destination. http://www.oracle.com/us/products/applications/054275.html
  Cumulative Feature Overview (CFO): provides concise descriptions of new and enhanced solutions and functionality that have become available starting with the 8.4 release through our latest 8.51 release. https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=SYSTEMDOC&id=793143.1
  Upgrade Resource Report Tools: helps you find all the documentation, scripts, and files you need for your upgrade project. https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=SYSTEMDOC&id=1117047.1
  Follow us on @PeopleSoft_Info