The news is flooded with stories about cybercriminals successfully engaging in phishing and social engineering aimed at exploiting people’s COVID-19 fears, all in order to steal user credentials to business applications and VPNs. From fake delivery notifications to World Health Organization (WHO) impersonations, malicious actors are preying on people’s emotions during this pandemic.
The credentials used for authentication are ultimately an organization’s network perimeter. This puts organizations in a difficult position — they can limit employees’ access to these systems and risk negative impacts on productivity and business continuity, or they can bury their heads in the sand and hope nothing bad happens. Many are choosing the latter, and the implications are being felt worldwide.
Why There is a Correlation Between a Stressful Environment and Cyber Attack Volume
Social engineering fundamentally relies on taking advantage of strong emotions to trick people into taking actions that can cause them harm. This crisis has emotions running high, and many employees are stuck in a state of fight or flight.
Research shows that stress impairs the brain’s ability to make decisions. That’s why, when people are under stress, they often take more risks and engage in activities that could cause them harm. In other words, employees are not forgetting their phishing training; their brains are functionally incapable of making good decisions.
Cybercriminals rely on emotional responses. Whether the action is clicking on links, downloading documents, or opening attachments, emotionally charged content (e.g., a fake layoff announcement email with a malware attachment) is more likely to result in a successful attack.
The problem isn’t the people, it’s the cybercriminals and the tactics they use.
The Principle of Least Privilege
Often, companies view data protection solely from the compliance and financial risk perspective. Unfortunately, this doesn’t go nearly far enough. It is recommended that companies consider limiting user access to resources based on the principle of least privilege, or the absolute minimum access necessary to complete a job function. Least privilege is a governance strategy that has never been more relevant than today — especially as organizations rely on remote workforces. Fundamentally, when users have more access than necessary, they may accidentally (or intentionally) violate compliance requirements designed to protect the organization.
Today, access governance is largely dictated by predetermined roles and permissions, usually classified into groups (administrator, power user, etc.). This classification of permissions is tied to authentication processes like username/password security models that are heavily targeted by cybercriminals through phishing and social engineering. Further, if a phishing attack compromises a user’s credentials, then the cybercriminal may access or acquire as much sensitive data as their victim’s role will allow. This is precisely where least privilege should kick in.
The rise of phishing attacks that target coronavirus fears not only places organizational data at risk, but it also places employees at risk — especially those with high privileges. Many employees use the same credentials for multiple applications, such as social media networks and shared cloud drives. If one set of credentials is compromised, multiple systems are now at risk.
Limiting access to data according to the principle of least privilege provides organizations with the tools necessary to prevent catastrophic data breaches. A good question to ask yourself is, what data should my administrators and power users have access to? Do they need easy access to executive payroll data? Do they need easy access to other employee social security numbers? What do they really need easy access to in order to do their job?
The truth is, they will likely need access to some sensitive data, so how do you protect data that still falls under the principle of least privilege?
“Zero trust” often sounds harsh — trust no one, assume a threat at all access points, and never grant access by default (e.g., a predetermined role and privilege.) At first glance, this mentality appears to go against corporate values like collaboration and integrity, but, in reality, it fosters them.
Moving toward an IT culture based on zero trust means that an organization can identify all devices, users, applications, and data across its ecosystem. Then, the organization can establish the appropriate controls that limit access where appropriate.
Fundamentally, a zero trust model encourages collaboration and integrity while also supporting employees who mean well but could be making risky decisions while under stress — coronavirus related or otherwise. By setting zero trust identity and access controls, organizations ensure constant alignment between who an employee is and what they have access to, thus, mitigating risk.
Part of establishing an effective zero trust model involves finding solutions that allow organizations to apply contextual attributes when granting access. Attribute-based controls adapt to different contexts and ultimately drive how and when users can access information. For example, an attribute might be geolocation or time of day. Adaptive multi-factor authentication (MFA) takes these attributes and requires additional authentication as users move across systems or within applications. For example, to log into an ERP system, passing a standard authentication challenge is required. Then, to update direct deposit or access payroll information, an adaptive MFA challenge should be deployed. Zero trust means that just because they passed through the front door of the application, they can’t execute the most sensitive transactions.
As employees work remotely, organizations may want to incorporate adaptive MFA so employees in finance or human resources can securely authenticate to their ERP systems. Adaptive MFA will detect anomalous locations or times for activity, trigger an additional authentication process, and prevent malicious actor access.
Ultimately, zero trust and adaptive MFA protect the organization, the person whose information was almost leaked, and the employee whose credentials were stolen. The organization can be alerted to the cyber criminal’s attempt to gain entry to its networks, the person whose data was almost leaked retains privacy, and the employee whose credentials were phished is protected from the negative impact of their privilege being hijacked.
Remote Access Means Phishing and Phishing Requires Additional Strategies
Organizations have tried to protect themselves from phishing attacks for years. What they have not done is protect themselves during a time of social, emotional, and physical upheaval. But, the current upward trend in phishing attacks should come as no surprise to organizations. Cybercriminals never rest — they take advantage of any weaknesses in an IT ecosystem, both digital and human.
Maintaining strong identity and access governance strategies ensures that both data and end-users can be protected during these strange and unusual times.
This article was originally published by Mission Critical Magazine.
On April 19, 2020, Oracle announced on its PeopleSoft Support blog that the company is extending support for the ERP application through 2031. As stated on the blog, Oracle remains “committed to a rolling ten years of support for PeopleSoft. We will review and plan to extend support again next year, and the year after that, so that you have a decade of committed support and can plan your enterprise software investments accordingly.”
This news should give PeopleSoft customers a sense of certainty that investing in the long-term success of their PeopleSoft applications is mission-critical. Thanks to COVID-19, organizations may be concerned about their short-term financial stability. Add in the newfound uncertainty of continuing large-scale IT projects in this climate (like a cloud ERP migration), and organizations now find themselves looking for ways to reap maximum benefits with the lowest degree of overhead and project completion time.
Three “Home Improvement” PeopleSoft Data Security Projects
With large-scale projects on hold, it’s a good time to invest in smaller-scale projects that focus on what is truly mission-critical today (and for the near future) – PeopleSoft data security. You’re already working hard to secure data while users are accessing it remotely, and while band-aids may be in place right now, organizations must consider strategies that scale long-term.
Here are three smaller “home improvement” projects that strengthen your PeopleSoft data security posture:
Integrate your SAML Identity Provider (IdP) for Single Sign-On (SSO)
When you count the hours spent managing passwords (80% of help desk calls) or tackling SSO projects using customizations and home-grown solutions, you find that removing the complexity of PeopleSoft password management is an ROI-positive project. Add in the lost productivity of users who cannot access business transactions (because they’re waiting for their password to be reset), and the ROI increases further. The bottom line: a SAML-configured Single Sign-On for PeopleSoft will make everybody happy. SAML SSO provides the combination of security and productivity that organizations are striving for. And, given the alarming uptick in phishing attacks, user credentials have become an obvious liability.
Strengthen IAM with Adaptive Multi-Factor Authentication (MFA)
When you’re buying new appliances for a remodeling project, you buy a washer and dryer as a pair. Yes, you can wash and dry your clothes using one or the other, but using both is a better option. The same applies to pairing adaptive multi-factor authentication (MFA) with your SSO as an effective method for verifying identity. Adaptive MFA ensures that contextual attributes (e.g., device, network, location) are the determining factor for deploying MFA challenges. The context of access varies in mobile and work-from-home environments, and your level of control should do the same. This is essential if your users are accessing remotely, as managing authentication (especially for high-privilege users) can be challenging.
It is also recommended to expand the use of MFA and apply step-up challenges on transactions that may be considered ‘highly sensitive.’
Real-Time Visibility for User Activity Monitoring and Transaction Logging
Just like a rug can tie a room together, real-time visibility via user activity monitoring and transaction logging can be the perfect complement to your PeopleSoft data security fixer upper. There are a lot of sensitive transactions being executed outside of the office these days, and monitoring user activity gives you a better sense of how your data is being accessed and used.
Invest in Today and Plan for Tomorrow
Now is a good time to take Oracle’s lead in their extension of PeopleSoft support – and alleviate a lot of the complexity around PeopleSoft data security, identity, and access management. Securing remote access with SSO and adaptive MFA today provides significant PeopleSoft ROI – along with applying a strong data security framework that can scale with a myriad of workforce and landscape changes.
Best yet, you can complete these projects in only two to four weeks, and we guarantee you won’t be cleaning up any sawdust when you’re done.
Request a demonstration of the Appsian Security Platform today.
With remote workplaces being put to the test, organizations are looking to quickly scale their security practices. Unfortunately, many are learning the hard way. They find themselves at the intersection of using conventional security technology like a virtual private network (VPN) to secure data residing in traditional, on-premises ERP applications like PeopleSoft and SAP ECC. This can be a toxic combination: it may leave you feeling secure, but your data remains at risk.
A VPN is Not Data Security
Plain and simple – a VPN is a connection point. While it may shrink your threat surface, there are still many risk factors to consider. For instance: where is a user coming from? What data are they trying to access? What device are they using? Is that device actually being used by the right person? What PeopleSoft data are they trying to extract onto their personal device? And so on, and so on.
Once a VPN authenticates a user, a myriad of risk factors remain. This is where a VPN ends and data security should begin. However, most organizations are simply not prepared to mitigate the risks that come once a user has passed a VPN. Here are a few examples:
Federating High Privilege Users
High-privilege users should face the most scrutiny. Ideally, a high-privilege user should authenticate through Active Directory or whatever identity provider an organization is using. They should then receive federated privileges to PeopleSoft based on the contextual attributes of their access (e.g., are they accessing from a foreign country?). Federating high-privilege access is a fundamental way to ensure a user is provided with the appropriate level of privilege. However, a VPN cannot do this. In fact, authenticating to PeopleSoft using a SAML identity provider (like Active Directory) can be challenging in itself (see this blog for more info).
If the point of a VPN is securing remote access, then why not consider the contextual attributes that come with that access? After all, the remoteness is what is considered the risk. In this scenario, a VPN is merely acting as a thin authentication layer on top of PeopleSoft’s typical username and password model. What if a user opts to make their VPN password the same as their PeopleSoft password? This is what hackers anticipate, and sadly, they are usually correct.
Malicious Insiders Tend to be High Privilege Users
This is a touchy subject but should be acknowledged. While no one wants to assume the worst in their employees, the fact remains that the more access you have, the more damage you can do. Given the right motivation – bad things can happen. This is the most compelling case for data security because the highest stakes surround high privilege users. A/P, A/R, Finance, Supply Chain, Payroll – all these functions deal with money. Having the ability to lock down and limit access to data and transactions will have a tremendous impact on an organization’s ability to mitigate financial losses from fraud, theft, and espionage. And because of COVID-19, all of these functions are now being executed remotely. The potential for damage is exponentially greater than before.
Ask yourself – should payroll queries be run and exported onto a personal device? Should wires be sent outside of normal business hours? Should a vendor be created when access is coming from a foreign country? I believe the answer you’re looking for is… NOOOOOOO!!!
Integrating dynamic, risk-aware controls on sensitive financial transactions (and data fields) mitigates much of this risk. In addition, transaction logging and analytics prove to be extremely beneficial, as many organizations would prefer not to hamstring their employees with restrictions; they would rather gain the visibility needed to detect an anomaly when one occurs.
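The adaptive MFA step-up described earlier for direct-deposit updates, and the three "should this ever happen" questions above, expressed as a small attribute-based policy engine. This is an added example, not Appsian's or PeopleSoft's code; the transaction names, context attributes, weights, thresholds and the hard-stop rules are assumptions chosen to match the article's scenarios.

```python
from dataclasses import dataclass

# Constructed sensitivity tiers (0 = routine, 3 = money moves or data leaves the ERP).
SENSITIVITY = {
    "view_timesheet": 0,
    "update_direct_deposit": 2,
    "create_vendor": 2,
    "export_payroll_query": 3,
    "send_wire": 3,
}
# Context signals that block a transaction outright, whatever MFA says (assumed policy).
HARD_STOPS = {
    "export_payroll_query": {"unmanaged_device"},  # payroll export to a personal device
    "send_wire": {"after_hours"},                  # wires outside business hours
    "create_vendor": {"foreign"},                  # vendor created from a foreign country
}
WEIGHTS = {"foreign": 2, "unmanaged_device": 2, "after_hours": 1, "remote": 1}
HOME_COUNTRY = "US"             # assumed
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local, assumed

@dataclass
class AccessContext:
    user: str
    transaction: str
    country: str            # country of the source address (assumed attribute)
    hour_local: int         # 0-23, local hour for the user's home office
    managed_device: bool    # device enrolled in corporate management
    on_corporate_network: bool
    mfa_passed: bool        # a step-up challenge already satisfied this session

def risk_signals(ctx: AccessContext) -> set:
    """Derive the contextual risk signals the article lists from one request."""
    signals = set()
    if ctx.country != HOME_COUNTRY:
        signals.add("foreign")
    if ctx.hour_local not in BUSINESS_HOURS:
        signals.add("after_hours")
    if not ctx.managed_device:
        signals.add("unmanaged_device")
    if not ctx.on_corporate_network:
        signals.add("remote")
    return signals

def decide(ctx: AccessContext) -> str:
    """Return ALLOW, STEP_UP (adaptive MFA challenge) or DENY for this request."""
    signals = risk_signals(ctx)
    if signals & HARD_STOPS.get(ctx.transaction, set()):
        return "DENY"
    sensitivity = SENSITIVITY.get(ctx.transaction, 3)  # unknown => treat as most sensitive
    risk = sum(WEIGHTS[s] for s in signals)
    # Sensitive transactions always step up; routine ones only when the context is risky.
    if not ctx.mfa_passed and (sensitivity >= 2 or sensitivity + risk >= 4):
        return "STEP_UP"
    return "ALLOW"
```

Passing the front door (primary authentication) still lets a user view a timesheet from a managed device in the office, but the same session is challenged again before it can touch direct deposit, and the three scenarios the questions name are refused regardless of MFA.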
A VPN Can Be Costly, Unscalable, and Leave You in The Lurch
Like any addition to your architecture, downtime can occur. VPN vendors can experience enterprise-wide outages – causing major disruption. In addition, with organizations moving toward 100% remote access, VPNs can be prone to kicking people off after a period of time. Adjusting to remote work environments is frustrating enough, but if access is limited or hindered, and you don’t have the benefit of a readily available help desk – your users will become agitated. With so many senior leaders focused on business continuity, having additional hoops for your employees to jump through is counter to productivity.
And then there is the cost factor – which will certainly balloon with the increased number of users. We understand that costs will vary, but the ROI of 100% of your employees requiring a VPN to log into PeopleSoft is not positive. And as we established above, if the point of a VPN is increasing data security/maintaining integrity of financial transactions – then the ROI is even further from positive.
How Appsian Provides ERP Data Security for PeopleSoft and SAP Applications
Appsian believes user authentication is important, but it’s only one part of an ERP data security posture. This is why we developed the Appsian Security Platform for PeopleSoft. Enhancing an organization’s ability to authenticate users is most effective when it is integrated with your existing identity management strategy and risk-aware. This is where Appsian provides far greater value than a VPN. We enable seamless, secure access to PeopleSoft (specifically) via Single Sign-On (integrated with a SAML IdP), along with adaptive Multi-Factor Authentication. These solutions combine to provide a much better user experience and a vastly superior value if protecting PeopleSoft from bad actors is the primary intention of your VPN.
Lastly, visibility is key. With sensitive transactions being executed outside of the office, having a better sense of how your data is being accessed and used is critically important. Using transaction logging and real-time analytics, Appsian provides PeopleSoft customers with unparalleled levels of visibility, allowing you to keep a watchful eye on your data at all times.
When approaching how you can enable secure remote access, it’s best to identify the key objectives and invest in the technology that best suits those needs. Are you concerned that the data inside your ERP applications could be breached or exfiltrated? Are you concerned that financial transactions could be corrupted? If the answer is yes, then data security – and not solely a VPN – is the answer.
At the end of the day, COVID-19 has forced organizations into unprecedented challenges. With an unstable market and unpredictable year(s) ahead, it’s important to focus security efforts on internal data and processes, as corruption of these will result in losses that can make recovery significantly harder.