As a follow-up to our June 3rd post, PS_TOKEN vulnerability and prevention, I wanted to share some recent activity that might interest you.
- On June 29, 2015, Security Week published an article that not only discussed the issue but also analyzed which organizations were exposed. It identified:
  - 249 commercial enterprises
  - 246 universities
  - 64 government and military organizations
- On July 1, 2015, the Department of Homeland Security included the issue in its July 1 Daily Open Source Infrastructure Report.
As you might imagine, some of the more public PeopleSoft customers have become concerned, especially since the attack can be carried out offline, where the customer has no way to detect it.
At GreyHeller, things escalated when one of our Higher Education customers discovered that it was among the universities Security Week had identified. Because of these concerns, and because this customer had business processes that depend on the PS_TOKEN cookie, it decided to shut down access to its production system until it was satisfied that the risk had been addressed.
Following the shutdown, this organization looked at its options, which included the following:
- Contacting its cloud vendor to update the PS_TOKEN encryption key. This would take a minimum of two weeks of effort.
- Upgrading to a newer version of PeopleTools with a stronger encryption algorithm (256-bit versus 128-bit).
- Contacting GreyHeller to see whether we could provide a solution that worked better than removing the PS_TOKEN cookie or the other options.
The first two options would require an extensive outage that would affect employees as well as students.
Wait… Production Back Up!
Fortunately, through collaboration with GreyHeller, this customer was able to meet its needs with only a brief outage. The solution lets the organization keep running PeopleSoft with the strongest protection available against this issue:
- They moved to the 256-bit encryption algorithm immediately.
- They can configure the solution to use alternate (and future) encryption algorithms with no downtime.
- They can rotate encryption keys live, without downtime. Keys change automatically on a schedule shorter than the time an attacker would need to break one, so a key recovered from a captured token is already out of use by the time it is recovered.
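The no-downtime rotation and algorithm change in the list above rest on one mechanism: every token carries an identifier of the key that signed it, a newly installed key becomes the signing key immediately, and the key it replaces is still accepted for a grace window so sessions issued under it are not cut off. The Python below is an added illustration of that mechanism written for this page; it is not GreyHeller's product code and does not reproduce PeopleSoft's PS_TOKEN layout. The token format (base64url claims plus an HMAC over them), the `kid`/`alg`/`uid`/`iat` field names, the class names and the 15-minute grace period are all assumptions.

```python
import base64
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added illustration for this page: a hypothetical session-token service with
# live key rotation. Not GreyHeller code and not PeopleSoft's PS_TOKEN format.

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_claims(claims: dict) -> str:
    """Canonical (sorted, compact) JSON, base64url-encoded; this is the signed part."""
    return _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())

def decode_claims(body: str) -> dict:
    claims = json.loads(_unb64(body))
    if not isinstance(claims, dict):
        raise ValueError("claims must be a JSON object")
    return claims

@dataclass
class SigningKey:
    kid: str                          # key identifier carried inside each token
    alg: str                          # digest name for the HMAC, e.g. "sha256"
    secret: bytes
    retire_at: Optional[float] = None  # None = current key; else accepted until this time

class RotatingTokenService:
    """Issues and verifies signed tokens; keys rotate without cutting off live sessions."""

    def __init__(self, alg: str = "sha256", grace_seconds: int = 900,
                 clock: Callable[[], float] = time.time):
        self._clock, self._grace, self._serial = clock, grace_seconds, 0
        self._keys: Dict[str, SigningKey] = {}
        self._current: Optional[SigningKey] = None
        self.rotate(alg=alg)

    @property
    def current_kid(self) -> str:
        return self._current.kid

    def rotate(self, alg: Optional[str] = None) -> str:
        """Install a fresh key, optionally switching digest algorithm at the same time.
        The replaced key keeps verifying for grace_seconds; keys past their grace are dropped."""
        now = self._clock()
        if self._current is not None:
            self._current.retire_at = now + self._grace
            alg = alg or self._current.alg
        self._serial += 1
        self._current = SigningKey(f"k{self._serial}", alg, secrets.token_bytes(32))
        self._keys[self._current.kid] = self._current
        for kid in [k for k, v in self._keys.items()
                    if v.retire_at is not None and v.retire_at <= now]:
            del self._keys[kid]
        return self._current.kid

    def issue(self, user_id: str) -> str:
        key = self._current
        body = encode_claims({"kid": key.kid, "alg": key.alg,
                              "uid": user_id, "iat": int(self._clock())})
        sig = hmac.new(key.secret, body.encode(), key.alg).digest()
        return f"{body}.{_b64(sig)}"

    def verify(self, token: str) -> Optional[str]:
        """Return the user id if the token is genuine and its key is still accepted, else None."""
        try:
            body, sig_text = token.split(".", 1)
            claims = decode_claims(body)
            sig = _unb64(sig_text)
        except (ValueError, UnicodeDecodeError):
            return None
        kid = claims.get("kid")
        key = self._keys.get(kid) if isinstance(kid, str) else None
        if key is None or key.alg != claims.get("alg"):
            return None   # unknown or dropped key, or an 'alg' that does not match the key's
        if key.retire_at is not None and self._clock() >= key.retire_at:
            return None   # key is past its grace window
        expected = hmac.new(key.secret, body.encode(), key.alg).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        return claims.get("uid")

class FakeClock:
    """Controllable clock so the grace window can be exercised deterministically."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now

if __name__ == "__main__":
    clock = FakeClock()
    svc = RotatingTokenService(alg="sha256", grace_seconds=900, clock=clock)
    old = svc.issue("jdoe")
    svc.rotate(alg="sha512")      # new key and stronger digest, no outage
    print(svc.verify(old))        # the replaced key is still in its grace window
    clock.now += 901
    print(svc.verify(old))        # grace over: the token must be re-issued
```

Two details carry the security weight. The digest used to check a token is taken from the keyring entry named by `kid`, never from the token's own `alg` field, so a client cannot steer verification onto a weaker algorithm; and a key is only ever accepted within its grace window, so after rotation a recovered old key buys an attacker nothing once that window closes. The grace period should be at least as long as the longest session you are willing to keep alive across a rotation, and no longer.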
Additionally, GreyHeller addressed the customer's risk without installing or updating software on, or directly accessing, the PeopleSoft servers, which mattered because the customer's PeopleSoft systems are managed by a hosting provider.