Security

December is Prime “ERP Data Breach” Season… Be Prepared!

By Scott Lavery • November 28, 2018

Establishing security best practices for your PeopleSoft applications is always a work in progress. As newer, more advanced threats come to light, staying current can feel like a daunting task. While PeopleSoft systems are inherently robust and secure, a constantly evolving threat landscape, plus new data regulations, has paved the way for several necessary security enhancements. As the end of 2018 draws near, organizations must be aware, now more than ever, of the myriad threat actors who know that “year-end” bonus season is coming… and who are preparing their tactics to redirect your employees’ hard-earned payroll and bonuses.

What is the weakest link in your ERP security chain?

Threats today have become increasingly user-centric. The targets for malicious hackers have shifted from entire networks to applications. By leveraging phishing and social engineering attacks, most ERP breaches now originate from the unauthorized use of valid login credentials, stolen directly from the users themselves. This makes your users (and their passwords) by far the weakest link in your security chain.

Recommendations for mitigating the “human error” element

Inspired by dozens of successful PeopleSoft security projects, security experts at Appsian have compiled a list of best practices that every organization should utilize, along with the steps that should be taken to implement a layered approach to securing PeopleSoft. Rather than solely focusing security efforts on the perimeter, we will discuss how your sensitive data can be protected from malicious intruders (and even insiders) who are able to access PeopleSoft with valid credentials:

  • Enabling SAML for centralized identity management and establishing a single sign-on to reduce the risk caused by users having multiple (potentially) weak passwords.
  • Expanding traditional multi-factor authentication from login-only to field, page and component levels to ensure data protection from insider threats.
  • Employing location-based security to enforce least privilege access when sensitive systems are being accessed from outside your corporate network.
  • Enhancing data masking to alleviate challenges posed by static role-based masking rules and reduce unwanted exposure of sensitive data fields.
  • Extending logging capabilities to be compliance-ready, with 360-degree awareness of what is going on inside your PeopleSoft systems and of user activity.
  • Bringing real-time visibility to breaches, suspicious events, and potential vulnerabilities by incorporating security analytics into your PeopleSoft security infrastructure.

Download the whitepaper to learn more about the best practices for achieving an end-to-end security and compliance strategy.

On a time-crunch? Request a quick session with our PeopleSoft security experts.

Uncategorized

PS_TOKEN, Phishing and Peoplesoft

By Hendrix Bodden • December 2, 2015

After the PS_TOKEN threat vector was announced at Hack in the Box Amsterdam in May 2015, security organizations started adding specific tests for PS_TOKEN into their penetration test portfolio. Find out what this means to your organization. Phishing and spear phishing attacks are specifically targeting PeopleSoft systems. Every month, organizations lose money to fraudulent direct deposit transactions. Layered security within your PeopleSoft application is a must to protect against the known threats of today and the unknown threats of tomorrow. In this session, Greg Wendt, Executive Director, Security Solutions, talks about numerous takeaways learned from GreyHeller’s PS_TOKEN assessments and how a layered security model keeps you protected. Topics include:
  • Mitigation options
  • Best practices
  • Lessons learned
  • Incident Response
  • Defense-in-depth for PeopleSoft

Security, Tips and Techniques

Oracle’s CVE-2015-4852 Update

By Greg Wendt • November 11, 2015

Since many PeopleSoft customers use WebLogic for their PeopleSoft environment, we wanted to highlight yesterday’s security alert. Oracle released an out-of-band security update (more information) for issues within Oracle WebLogic Server. The recommendation is to apply the patch and mitigation steps as soon as possible. While out-of-band security updates are rare, they are not unheard of. PeopleSoft customers need to review the update as soon as possible.

The CVSS (Common Vulnerability Scoring System) score of this update is 7.5 (more information). For reference, vulnerabilities are ranked from 0 to 10 based on numerous factors, such as ease of execution. The CVSS score ranges are Low (0 – 3.9), Medium (4.0 – 6.9) and High (7.0 – 10.0). The high base score of this update most likely led to the out-of-band patch being released.

As always, if you ever have security questions, remember our assessment opportunity.

Stay safe and keep secure!

Security, Tips and Techniques

PS_TOKEN becoming standard PeopleSoft Penetration Test

By Greg Wendt • November 6, 2015

After the PS_TOKEN threat vector was announced at Hack in the Box Amsterdam in May 2015, security organizations started adding specific tests for PS_TOKEN into their penetration test portfolio.

If your organization does regular penetration tests (which you should if your PeopleSoft system is publicly available on the internet), your organization may fail them and would therefore have to remediate this risk immediately.

What does this mean to you?

More time and effort will be required to deal with test results moving forward. Prepare for this situation today.

GreyHeller is the leading expert in performing PS_TOKEN assessments for customers and non-customers alike. Ensure your organization is in the most secure position by scheduling your assessment with GreyHeller today.

Uncategorized

Product Demo: Approvals Workflow

By Hendrix Bodden • October 6, 2015

Uncategorized

Product Demo: Expense Report Creation

By Hendrix Bodden • October 4, 2015

Tips and Techniques

What is True Responsiveness?

By Jennifer Goncalves • September 16, 2015

True responsiveness is designed to intelligently move functionality based on available real estate, transforming the user experience.

What is True Responsiveness? Your employees and constituents expect to be able to do everything on their mobile device that they would on their desktop without compromising functionality: finding a contact, applying for a job, reviewing their pay stub, enrolling in a class, enrolling in benefits, or making a payment.

Read on to see examples of true responsiveness in action.

iPhone in portrait view vs. iPad

Let’s look at the weekly class schedule in Campus Solutions on two form factors: iPhone in portrait view vs. iPad.

In the header bar the “Week of” identification moves below on the mobile device because there isn’t enough real estate. On the iPad it extends across the page based on the same logic.

In the example above, the real estate allows for 2 columns of the class schedule on the iPhone while displaying 4 columns on the tablet. Responsive design is not dependent on device type; instead, it flows intelligently based on available real estate.

Indicator dots appear when the entire week is not visible. This is because responsive design is not about making content smaller to fit on a page, but about rearranging it and presenting it in a useful manner to the end user.

In both of these examples the action buttons are fixed to the bottom of the screen, and visible at all times, to minimize vertical scrolling.

As you’ll notice, a new device size doesn’t matter, because breakpoints move fluidly based on the content.

iPhone vs. Desktop

This is how the desktop view changes based upon available real estate on a desktop computer.

As the screen becomes larger, you are able to see more at one time, so the action buttons are relocated to the bottom right-hand side of the screen. Additionally, in the desktop view, the navigation is expanded.

The “Week of” identification reflows based on real estate.

The hamburger menu is collapsed when there is less real estate, but ever present when there is more space.

The action buttons are fixed to the bottom of the screen to minimize vertical scrolling on smaller devices.

Indicator dots appear when the entire week is not visible. With larger views the entire week is visible and therefore the indicator dots and arrows are not present.

Bringing back the submenu navigation

True responsiveness is not stripping out functionality for smaller form factors.

For example, earlier versions of our Campus Solutions user experience eliminated the navigation tabs that are present throughout PeopleSoft Campus Solutions to save real estate.

Due to feedback from our customers, we reintroduced this functionality in a way that moved it out of the way but made it available when desired.

Security, Tips and Techniques

What you need to know about the reported PS_Token vulnerability

By Hendrix Bodden • September 4, 2015

Appsian has been offering security assessments to both customers and non-customers around the potential of a PS_TOKEN configuration vulnerability. Over the past month, we have posted to our blog that PeopleSoft is arguably the most secure ERP platform on the market. The blog contains links to the PeopleSoft red paper and additional information about proper configuration of PeopleSoft to mitigate potential vulnerabilities of PS_TOKEN configuration.

In this session, Greg Wendt, Executive Director, Security Solutions, talks about numerous takeaways learned from our PS_TOKEN assessments. Topics include:

  • Mitigation options
  • Best practices
  • Lessons learned
  • Incident Response
  • Defense-in-depth for PeopleSoft

Tips and Techniques

Google changed its logo today – what does it mean?

By Larry Grey • September 1, 2015

Today, Google changed its logo to better represent its presence on platforms other than desktop PCs, where people initially interacted with Google’s software. This is just another step in its acknowledgement that people are increasingly using mobile devices as their primary computing device. Take the following support posting, which encourages people to make sure their sites are mobile friendly (and notes that Google will be adjusting its ranking based on this).

Google’s perspective on its logo change is an interesting read. Check it out here.