
S317424

Analysis of a Threat and How to Protect Your Data


Greg Kelly
Product Strategy Manager, PeopleTools
THE FOLLOWING IS INTENDED TO OUTLINE
OUR GENERAL PRODUCT DIRECTION. IT IS
INTENDED FOR INFORMATION PURPOSES
ONLY, AND MAY NOT BE INCORPORATED INTO
ANY CONTRACT. IT IS NOT A COMMITMENT TO
DELIVER ANY MATERIAL, CODE, OR
FUNCTIONALITY, AND SHOULD NOT BE RELIED
UPON IN MAKING PURCHASING DECISIONS. THE
DEVELOPMENT, RELEASE, AND TIMING OF ANY
FEATURES OR FUNCTIONALITY DESCRIBED
FOR ORACLE'S PRODUCTS REMAINS AT THE
SOLE DISCRETION OF ORACLE.
Securing Your
PeopleSoft Environment
Agenda
Traditional Defense
Anatomy of an Attack
De-Perimeterization
A New Approach to Defense
More Information
Traditional Defense
Fortress Mentality
Firewalls
DMZ(s)
Proxies
VLANs
Segregated Network Segments
Sample Layout
http://wiki.oracle.com/page/Securing+Your+PeopleSoft+Application+-+Index+Page
Anatomy of Attack - Harvesting
Initial Research
Company Site
About Us Page(s)
Jobs and Resume Sites
Social Networking Sites e.g.
Facebook
Twitter
Dumpster Diving
Social Engineering (Kevin Mitnick)
Anatomy of Attack - Creating Bots
Phishing (spear)
Upload Code
Taking Control
Outbound Standard Ports
Sample Spam/Phishing email
From                  Subject
2Airline-Tickets      Someone has sent you 2 Southwest-Airlines Tickets
Career Placement      Ready for A Second JOB - FINANCIAL AID For A Career
College Grants        Thousands of Dollars in college Grants are awarded to people like you
creditreport.com      View updates to your Credit Report
Final Notice          "Walmart Coupon inside!"
Final Notice          FREE FedEx Delivery; Tell us where to send your DELLXPS Laptop!!
FinancialAid          "Scholarships & Grants are available"
Flying Spree          Our Records Indicate You may Have 2 Southwest Airlines Tickets
freecreditreport.com  View updates to your Credit Report
Laptop Notification   "Test it Free! A Dell package will be shipped to your door!"
uro20@yahoo.com       Hello!!
Which eMails would your users open?
Anatomy of Attack - Building Database
Dictionary Attack
Rules
Indicators
User Database
Anonymous BIND to local LDAP
Which Wi-Fi would you choose?
Anatomy of Attack - Probing
System Under Control
Probe Infrastructure
Probe Typical Vulnerabilities
Sample Available Web Servers
from http://www.netcraft.com
Anatomy of Attack - Building the Attack
User Credential Database
Known Vulnerabilities
Local LDAP
Build Out Control
No Time Limit
How long does it take to crack passwords anyway?
Mixed upper and lower case alphabet plus numbers and common symbols. http://www.lockdown.co.uk/?pg=combi
0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
<SP>!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Password Time to Crack Based on Class of Attack

Len  Combinations  Class A     Class B    Class C   Class D   Class E   Class F
2    9,216         Instant     Instant    Instant   Instant   Instant   Instant
3    884,736       88 Secs     9 Secs     Instant   Instant   Instant   Instant
4    85 Mn         2 Hours     14 Mins    1 Min     8 Secs    Instant   Instant
5    8 Bn          9 Days      22 Hours   2 Hours   13 Mins   1 Min     8 Secs
6    782 Bn        2 Yrs       90 Days    9 Days    22 Hours  2 Hours   13 Mins
7    75 Trn        238 Yrs     24 Yrs     2 Years   87 Days   8 Days    20 Hours
8    7.2 Qn        22,875 Yrs  2,287 Yrs  229 Yrs   23 Yrs    2 Yrs     83 Days

Example: Class E = 100,000,000 passwords/sec - a workstation, or multiple PCs working together.
(Licensed under a Creative Commons Attribution-ShareAlike 2.0 License.)
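The arithmetic behind that table is worth making explicit, because it shows how each extra character of length or each tenfold drop in the attacker's guess rate moves a cell from minutes to years. The following Python is an added example, not code from this presentation or from lockdown.co.uk. It takes the 96-symbol alphabet implied by the 9,216 two-character combinations (96 squared), uses the class E rate stated on the slide (100,000,000 passwords/sec), and assumes, since the slide does not say so, that each other class is ten times faster or slower than its neighbour, which is what reproduces the table's figures. Durations are rounded to the largest fitting unit, so a few cells come out labelled slightly differently from the slide. The `required_length` helper goes one step beyond the table: given an assumed guess rate and a target holding time, it returns the minimum password length a policy would need.

```python
"""Reproduce the "time to crack" table from first principles (added example).

ASSUMPTIONS (not stated on the slide): the alphabet size of 96 is inferred
from 9,216 == 96 ** 2, and every attack class other than E is taken to be
ten times faster than the previous class.
"""

ALPHABET_SIZE = 96              # inferred: 96 ** 2 == 9,216 two-character combinations
SECONDS_PER_YEAR = 365 * 86400  # 365-day year, which matches the table's 22,875 Yrs

# Guesses per second. Only class E (10**8) is given on the slide; the rest are assumed.
CLASS_RATES = {
    "A": 10**4, "B": 10**5, "C": 10**6,
    "D": 10**7, "E": 10**8, "F": 10**9,
}


def combinations(length, alphabet=ALPHABET_SIZE):
    """Size of the full keyspace for a password of `length` symbols."""
    return alphabet ** length


def seconds_to_exhaust(length, rate, alphabet=ALPHABET_SIZE):
    """Worst case: every combination is tried at `rate` guesses per second."""
    return combinations(length, alphabet) / rate


def humanize(seconds):
    """Round a duration to the largest unit that fits, as the table does."""
    if seconds < 1:
        return "Instant"
    units = [(1, "sec"), (60, "min"), (3600, "hour"), (86400, "day"),
             (SECONDS_PER_YEAR, "year")]
    divisor, unit = units[0]
    for size, name in units:
        if seconds >= size:
            divisor, unit = size, name
    value = round(seconds / divisor)
    return f"{value} {unit}{'s' if value != 1 else ''}"


def crack_table(max_length=8, alphabet=ALPHABET_SIZE, rates=CLASS_RATES):
    """One row per length: (length, combinations, {class: human-readable time})."""
    rows = []
    for length in range(2, max_length + 1):
        times = {cls: humanize(seconds_to_exhaust(length, rate, alphabet))
                 for cls, rate in rates.items()}
        rows.append((length, combinations(length, alphabet), times))
    return rows


def required_length(rate, years, alphabet=ALPHABET_SIZE):
    """Smallest length whose exhaustive search takes at least `years` at `rate`."""
    budget = rate * years * SECONDS_PER_YEAR   # guesses the attacker can afford
    length = 1
    while combinations(length, alphabet) < budget:
        length += 1
    return length


if __name__ == "__main__":
    header = "Len  Combinations           " + "  ".join(f"Class {c:<10}" for c in CLASS_RATES)
    print(header)
    for length, combos, times in crack_table():
        cells = "  ".join(f"{times[c]:<16}" for c in CLASS_RATES)
        print(f"{length:<4} {combos:<22,} {cells}")
    print("Length needed to hold a class F attacker off for 10 years:",
          required_length(CLASS_RATES["F"], 10))
```

Run it as a script to print the rebuilt table; the `required_length` line at the end is the number a policy author actually wants, and it rises by one character for roughly every hundredfold increase in the attacker's rate.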
How many computers could possibly be working together?
Corporations, agencies infiltrated by botnet
JORDAN ROBERTSON AP Technology Writer
Friday, February 19, 2010
http://lubbockonline.com/stories/021910/bus_565096614.shtml
"... Security experts have found a network of 74,000
virus-infected computers that stole information from
inside corporations and government agencies. The
unusual thing about the incident is not that it
happened but that it was discovered, and it is a
reminder of the dangers of having computers with
sensitive data connected to the open Internet"
Issues with Internet Explorer
Scripts in Text Files
Temporary Internet Files Folder and disabled caching
De-Perimeterization
The huge explosion in business collaboration and commerce on the Web means that today's traditional approaches to securing a network boundary are at best flawed, and at worst ineffective.
Examples include:
Business transactions which tunnel through perimeters or bypass them altogether
IT products that cross the boundary, encapsulating protocols
within Web protocols
Security exploits that use email and Web to get through the
perimeter
- The Jericho Forum, under the auspices of The Open Group
Defense at the Core
Transparent Data Encryption (TDE)
Oracle Advanced Security Option (ASO)
Data at Rest
Column and Tableset Encryption
Hardware Security Module
Protects Against Forensic and Direct Files Access
Oracle Database Vault
Oracle Audit Vault
Oracle Enterprise Manager Data Masking
For Non-Production DB Copies
Core Protection
[Diagram: the Database at the core, surrounded by Audit Vault, Database Vault and TDE]
Database Core Protection
Monitoring: Configuration Management, Oracle Audit Vault, Total Recall
Access Control: Oracle Database Vault, Label Security
Encryption & Masking: Advanced Security, Secure Backup, Data Masking
Enterprise Manager Data Masking
[Diagram: Production DB passed through EM Data Masking to produce the Dev DB, Test DB and Training DB]
Defense in the Business Logic Layer
ASO Network Encryption
Data in Flight
Oracle Applications Access Controls Governor
Oracle Transactions Control Governor
(Oracle Information Rights Manager for PS-Reports)
Quis custodiet ipsos custodes?
3 people can keep a secret if 2 of them are dead.
Protection in the Business Logic Layer
[Diagram: Protected DB, ASO, Application (Business Logic) Server, OAACG, OTCG]
Defense in the Presentation (Web) layer
Oracle Access Manager
Oracle Identity Manager
Oracle Adaptive Access Manager
PeopleTools 8.50 Delivered Additional Security Enhancements
SAML for Web Services
JNDI Libraries for LDAP and LDAPS
FTPS Support (FTP over secure transport)
Enhanced User Profile Synchronization
De-Coupled PS_HOME
PDF Encryption with XML Publisher
Support for Server Based Virus Scanning Engines
Customer Configured TDE Algorithm
PET Support for Encrypting the Encryption Keys and Secure Data Wipe
Additional Hardening
PeopleTools 8.51 Features
Security
User Security
Extended Password Controls
Multiple Session Detection
Kerberos Signon SDK
Data Security
Support for Transport Layer Security
Support for SFTP and FTPS
Common Questions
Vulnerability Testing
NIST FIPS 140-2
Update to Securing Your PeopleSoft Environment
Windows workstation as kiosk
Issues without hardening
Critical Patch Update
Addressing Reported and Discovered Vulnerabilities
More Information
PeopleTools 8.50 Viewlets Now Available
Via oracle.com
http://www.oracle.com/applications/peoplesoft/tools_tech/ent/ptools/index.html
or direct http://download.oracle.com/peopletools/viewlets.html
Get helpful insights on many PeopleTools and Collaboration Framework features
Topic Areas:
Web Services & Integration Broker
Life cycle Management
Enterprise 2.0 and User Interface
Platforms
Reporting
Security
PeopleTools for the Developer
General PeopleTools
PeopleTools Strategy eMail
peopletools_ww@oracle.com
PeopleTools on Oracle Wiki
http://wiki.oracle.com/page/PeopleSoft
PeopleSoft discussion forums
http://forums.oracle.com/forums/category.jspa?categoryID=152
PeopleTools Blog landing page
http://blogs.oracle.com/peopletools
Open Group Jericho Forum "de-perimeterization":
http://www.opengroup.org/jericho/deperim.htm
Oracle's Critical patch Update
http://www.oracle.com/security/critical-patch-update.html
Not getting Security and other Alerts?
Go to OTN - Oracle Technology Network
http://www.oracle.com/technology/index.html
Look at the upper right hand corner
(Account | Manage Subscriptions | Sign Out)
Make sure you're logged in, then click on Manage Subscriptions
Scroll down to Opt-in to Oracle Communications
Check the box for
Oracle Security Alerts - Get the latest Security Alerts issued by Oracle as they become available
... and any other alert or newsletter you want to receive
Scroll down to the end of the page and "Confirm"
Additional Resources
For more information about Oracle Applications
http://www.oracle.com/us/products/applications/peoplesoft-enterprise/index.htm
For more information about Education
http://www.oracle.com/education/index.html
For more information about Support
http://www.oracle.com/support/
For My Oracle Support information
http://support.oracle.com
For Oracle Product documentation:
http://www.oracle.com/applications/peoplesoft/tools_tech/ent/index.html
Certification Information on My Oracle Support
Doc id=747587.1
Technical Updates on My Oracle Support
Doc id=764222.1
PeopleTools 8.50 Information Development Deliverables

PeopleTools 8.50 Documentation Homepage
Includes direct links to PeopleBooks, PeopleBook Updates, Release Notes, Installation and Upgrade Guides, and more. All accessible from one convenient My Oracle Support location.
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=847882.1

PeopleTools 8.50 Hosted PeopleBooks
Access a searchable HTML installation of our PeopleTools 8.50 PeopleBook suite. This hosted solution lets you access PeopleBooks using the help link in your applications without having to install PeopleBooks on your own server.
http://www.oracle.com/pls/psft/homepage

PeopleTools Cumulative Feature Overview Tool
Dynamic tool provides concise descriptions of new and enhanced solutions and functionality that have become available between your starting and target releases. The CFO tool can be found on My Oracle Support and on our Doc Home Pages.
PeopleTools 8.50
Available Training
PeopleTools 8.50 classes available now:
PeopleSoft PeopleTools 1 Rel 8.50
PeopleTools II Rel 8.50
PeopleTools I/PeopleTools II - Accelerated Rel 8.50
PeopleSoft PeopleCode Rel 8.50
SQR for PeopleSoft Rel 8.50
Application Engine Rel 8.50
PeopleCode/SQR Accelerated Rel 8.50
PeopleCode/Application Engine Accelerated Rel 8.50
To view a schedule of these classes or new upcoming
classes visit Oracle University
go to oracle.com/education
Related Sessions and More Information
PeopleTools Sessions of Interest
Monday
Time Title Number Location
11:00 Improving ROI by Mastering PS Upgrade Tools & Resources S318203 W2018
PeopleTools 8.50 Upgrade: Details of a Well Managed Project S317421 W2014
2:00 PeopleSoft Enterprise Release 9.1 Adoption and Roadmap General W3002
3:30 Oracle FMW for Oracle Applications Unlimited - Answers S318064 W2014
5:00 PeopleTools Tips and Tricks S317016 Marriott
PeopleTools Sessions of Interest
Tuesday
Time Title Number Location
11:00 PeopleTools Product Roadmap General W3010
12:30 PeopleTools Dev Series: Building & Consuming Web Services S317431 Marriott
PeopleTools 8.51 Highlights: PeopleTools in Action S317433 W2014
2:00 PeopleTools Dev Series: Mastering PS Reporting Tools S317427 Marriott
PeopleTools Insight: Maximize Your PeopleSoft ROI S317442 W2014
3:30 Setting an Enterprise 2.0 Strategy with PS Portal S317437 Marriott
5:00 PeopleTools Insight: Defining a BI Strategy S317445 Marriott
PeopleTools Dev Series: Secure Coding Practices S317430 W2016
PeopleTools Sessions of Interest
Wednesday
Time Title Number Location
10:00 PeopleTools 8.51 Highlights: Simplify Upgrade & Maintenance S317434 W2014
Performance Techniques for the PS Middle Tier S317420 W3002
11:30 PeopleTools 8.50 Beta Customers: One Year Later S317446 W2014
1:00 PeopleTools Dev Series: Application Performance Tips S317426 W2014
PeopleTools Insight: Implement Data Governance/Compliance S317451 W2016
4:45 Making the Most of PS Query S317455 W2016
PeopleTools Dev Series: Building a Custom Mobile App S317432 W2014
PeopleTools Sessions of Interest
Thursday
Time Title Number Location
9:00 PeopleTools 8.51 Highlights: PeopleSoft Integration Broker S317435 W2014
Platform Update for PeopleSoft Enterprise S317422 W3002
PeopleTools Product Roadmap S317436 W3005
10:30 Best Practices for Managing Your PeopleSoft Applications S317034 Marriott
The New PS Experience: Enterprise 2.0 Ecosystem S317447 W2014
Building Mobile Solutions for Oracle Apps: Tech Insight S317110 W2020
12:00 Monster Mashups: Related Content in PeopleSoft Apps S317448 W2014
PeopleTools Product Team Panel Discussion S317439 W3002
1:30 PeopleTools Insight: The Value Prop of Oracle Technology S317438 W3002
Secure PeopleTools: Analysis of a Threat & Data Protection S317424 W2014
3:00 Bring Your PeopleSoft Apps to Life with Web 2.0 S317450 W3002
PeopleSoft Integration Broker Secrets S317425 W2014
Oracle PeopleSoft PeopleTools in Moscone South
Oracle PeopleSoft PeopleTools Demo Pods
S-106 PeopleSoft PeopleTools Integration Technologies
S-107 PeopleSoft PeopleTools
S-110 PeopleSoft PeopleTools Reporting Solutions
PSFT Hyperion UPK
Useful Links
Oracle Software Security Assurance
http://www.oracle.com/security/software-security-assurance.html
PeopleSoft Enterprise Applications
http://www.oracle.com/peoplesoft
(look for "PeopleSoft Information Portal" link)
Secure Development Process
Critical Patch Update
External Security Validations
Security Information and Best Practices
2010 Oracle Corporation Proprietary and Confidential
Security Solutions From Oracle
http://www.oracle.com/security
PeopleSoft Technology Blog
http://blogs.oracle.com/peopletools
Hosted & Mobile PeopleBooks - PeopleTools PeopleBooks are available in three formats: Hosted PeopleBooks, PDFs, and Amazon's Kindle format. All can be accessed here:
http://www.oracle.com/technetwork/documentation/psftent-090284.html
Doc Home Pages - constantly updated direct links to PeopleBooks, PeopleBook Updates, Release Notes, Installation and Upgrade Guides, and other useful product documentation, all accessible from one My Oracle Support location.
Learn More
PeopleSoft Information Development Resources
Information Portal - locate the documentation, training, and other info needed to help with your implementation process. Customers searching for this information should make this their first online destination.
http://www.oracle.com/us/products/applications/054275.html
PeopleTools 8.51 Documentation Home Page [ID 1127534.1]
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1127534.1
Cumulative Feature Overview (CFO) - Providing concise descriptions of new and enhanced solutions and functionality that have become available starting with the 8.4 release through our latest 8.51 release.
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=SYSTEMDOC&id=793143.1
Learn More
PeopleSoft Information Development Resources
Follow us on @PeopleSoft_Info
Upgrade Resource Report Tools - helps you find all the documentation, scripts, and files you need for your upgrade project.
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=SYSTEMDOC&id=1117047.1
