The news is flooded with stories about cybercriminals successfully engaging in phishing and social engineering aimed at exploiting people’s COVID-19 fears, all in order to steal user credentials to business applications and VPNs. From fake delivery notifications to World Health Organization (WHO) impersonations, malicious actors are preying on people’s emotions during this pandemic.
The credentials used for authentication are ultimately an organization’s network perimeter. This puts organizations in a difficult position — they can limit employees’ access to these systems and risk negative impacts on productivity and business continuity, or they can bury their heads in the sand and hope nothing bad happens. Many are choosing the latter, and the implications are being felt worldwide.
Why There is a Correlation Between a Stressful Environment and Cyber Attack Volume
Social engineering fundamentally relies on taking advantage of strong emotions to trick people into taking actions that can cause them harm. This crisis has emotions running high, and many employees are stuck in a state of fight or flight.
Research shows that stress impairs the brain’s ability to make decisions. That’s why, when people are under stress, they often take more risks and engage in activities that could cause them harm. In other words, employees are not forgetting their phishing training; their brains are functionally incapable of making good decisions.
Cybercriminals rely on emotional responses, whether that means clicking on links, downloading documents, or opening attachments. Emotionally charged content (e.g., a fake layoff announcement email with a malware attachment) is more likely to result in a successful attack.
The problem isn’t the people, it’s the cybercriminals and the tactics they use.
The Principle of Least Privilege
Often, companies view data protection solely from the compliance and financial risk perspective. Unfortunately, this doesn’t go nearly far enough. It is recommended that companies consider limiting user access to resources based on the principle of least privilege, or the absolute minimum access necessary to complete a job function. Least privilege is a governance strategy that has never been more relevant than today — especially as organizations rely on remote workforces. Fundamentally, when users have more access than necessary, they may accidentally (or intentionally) violate compliance requirements designed to protect the organization.
Today, access governance is largely dictated by predetermined roles and permissions, usually classified into groups (administrator, power user, etc.). This classification of permissions is tied to authentication processes like username/password security models that are heavily targeted by cybercriminals through phishing and social engineering. Further, if a phishing attack compromises a user’s credentials, then the cybercriminal may access or acquire as much sensitive data as the victim’s role will allow. This is precisely where least privilege should kick in.
The rise of phishing attacks that target coronavirus fears not only places organizational data at risk, but it also places employees at risk — especially those with high privileges. Many employees use the same credentials for multiple applications, such as social media networks and shared cloud drives. If one set of credentials is compromised, multiple systems are now at risk.
Limiting access to data according to the principle of least privilege provides organizations with the tools necessary to prevent catastrophic data breaches. A good question to ask yourself is, what data should my administrators and power users have access to? Do they need easy access to executive payroll data? Do they need easy access to other employee social security numbers? What do they really need easy access to in order to do their job?
The truth is, they will likely need access to some sensitive data, so how do you protect data that still falls under the principle of least privilege?
“Zero trust” often sounds harsh — trust no one, assume a threat at all access points, and never grant access by default (e.g., through a predetermined role and privilege). At first glance, this mentality appears to go against corporate values like collaboration and integrity, but, in reality, it fosters them.
Moving toward an IT culture based on zero trust means that an organization can identify all devices, users, applications, and data across its ecosystem. Then, the organization can establish the appropriate controls that limit access where appropriate.
Fundamentally, a zero trust model encourages collaboration and integrity while also supporting employees who mean well but could be making risky decisions while under stress — coronavirus related or otherwise. By setting zero trust identity and access controls, organizations ensure constant alignment between who an employee is and what they have access to, thus, mitigating risk.
Part of establishing an effective zero trust model involves finding solutions that allow organizations to apply contextual attributes when granting access. Attribute-based controls adapt to different contexts and ultimately drive how and when users can access information. For example, an attribute might be geolocation or time of day. Adaptive multi-factor authentication (MFA) takes these attributes and requires additional authentication as users move across systems or within applications. For example, to log into an ERP system, passing a standard authentication challenge is required. Then, to update direct deposit or access payroll information, an adaptive MFA challenge should be deployed. Zero trust means that just because they passed through the front door of the application, they can’t execute the most sensitive transactions.
As employees work remotely, organizations may want to incorporate adaptive MFA so employees in finance or human resources can securely authenticate to their ERP systems. Adaptive MFA will detect anomalous locations or times for activity, trigger an additional authentication process, and prevent malicious actor access.
Ultimately, zero trust and adaptive MFA protect the organization, the person whose information was almost leaked, and the employee whose credentials were stolen. The organization can be alerted to the cybercriminal’s attempt to gain entry to its networks, the person whose data was almost leaked retains privacy, and the employee whose credentials were phished is protected from the negative impact of their privilege being hijacked.
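The step-up decision described above, written out as an added example (illustrative code, not from the original article or any product it mentions): it evaluates the contextual attributes the text names, geolocation and time of day, together with the sensitivity of the ERP transaction, and returns whether the standard login is enough, an adaptive MFA challenge is required, or the request is denied outright. The corporate IP ranges, business hours, transaction table, role names and sample sessions are all assumptions.

```python
"""Attribute-based step-up decision for an ERP session.

Illustrative example only (not vendor code). The corporate network ranges,
business hours, transaction table and sample sessions are assumptions.
"""
from dataclasses import dataclass
import ipaddress

# transaction -> (sensitivity, role required beyond a plain employee login)
POLICY = {
    "view_paystub": ("low", None),
    "update_direct_deposit": ("high", None),
    "view_payroll_report": ("high", "PAYROLL_ADMIN"),
}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal ranges
BUSINESS_HOURS = range(7, 20)                            # 07:00 to 19:59 local time


@dataclass
class Session:
    user: str
    roles: set
    source_ip: str
    country: str          # where the request comes from
    home_country: str     # where this employee normally works
    hour: int             # local hour of the request
    mfa_verified: bool = False


def risk_signals(s: Session) -> list:
    """Contextual attributes that make this session anomalous."""
    signals = []
    ip = ipaddress.ip_address(s.source_ip)
    if not any(ip in net for net in CORPORATE_NETS):
        signals.append("off_network")
    if s.country != s.home_country:
        signals.append("unusual_geo")
    if s.hour not in BUSINESS_HOURS:
        signals.append("off_hours")
    return signals


def decide(s: Session, transaction: str) -> str:
    """Return 'allow', 'step_up' (adaptive MFA challenge) or 'deny'."""
    if transaction not in POLICY:
        return "deny"                      # zero trust: nothing is granted by default
    level, required_role = POLICY[transaction]
    if required_role and required_role not in s.roles:
        return "deny"                      # least-privilege gate comes first
    signals = risk_signals(s)
    # Passing the front door is not enough: sensitive transactions, or any
    # anomalous context, require a second factor before proceeding.
    if (level == "high" or signals) and not s.mfa_verified:
        return "step_up"
    # Even after MFA, a sensitive change from an unusual country outside
    # business hours is blocked and left for review rather than allowed.
    if level == "high" and {"unusual_geo", "off_hours"} <= set(signals):
        return "deny"
    return "allow"
```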
Remote Access Means Phishing and Phishing Requires Additional Strategies
Organizations have tried to protect themselves from phishing attacks for years. What they have not done is protect themselves during a time of social, emotional, and physical upheaval. But, the current upward trend in phishing attacks should come as no surprise to organizations. Cybercriminals never rest — they take advantage of any weaknesses in an IT ecosystem, both digital and human.
Maintaining strong identity and access governance strategies ensures that both data and end-users can be protected during these strange and unusual times.
This article was originally published by Mission Critical Magazine.
Establishing security best practices for your PeopleSoft applications is always a work in progress. As newer, more advanced threats come to light, staying current can feel like a daunting task. While PeopleSoft systems are inherently robust and secure, a constantly evolving threat landscape, plus new data regulations, have paved the way for several necessary security enhancements. As the end of 2018 draws near, now more than ever, organizations must be aware of the myriad of threat actors who are well aware that “year-end” bonus season is coming… and are preparing their tactics to redirect your employees’ hard-earned payroll/bonuses.
What is the weakest link in your ERP security chain?
Threats today have become increasingly user-centric. The targets for malicious hackers have shifted from entire networks to applications. By leveraging phishing and social engineering attacks, most ERP breaches now originate from the unauthorized use of valid login credentials – stolen directly from the users themselves. This makes your users (and their passwords) by far the weakest link in your security chain.
Recommendations for mitigating the “human error” element
Inspired by dozens of successful PeopleSoft security projects, security experts at Appsian have compiled a list of best practices that every organization must utilize, and detailed the steps that should be taken to implement a layered approach to securing PeopleSoft. Rather than solely focusing security efforts on the perimeter, we will discuss how your sensitive data can be protected from malicious intruders (and even insiders) who are able to access PeopleSoft with valid credentials:
- Enabling SAML for centralized identity management and establishing a single sign-on to reduce the risk caused by users having multiple (potentially) weak passwords.
- Expanding traditional multi-factor authentication from login-only to field, page and component levels to ensure data protection from insider threats.
- Employing location-based security to enforce least privilege access when sensitive systems are being accessed from outside your corporate network.
- Enhancing data masking to alleviate challenges posed by static role-based masking rules and reduce unwanted exposure of sensitive data fields.
- Extending logging capabilities to be compliance-ready with 360-degree awareness of what is going on inside your PeopleSoft systems and of user activity.
- Bringing real-time visibility to breaches, suspicious events, and potential vulnerabilities by incorporating security analytics into your PeopleSoft security infrastructure.
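Context-aware data masking combined with per-access logging (the fourth and fifth items above), as an added example rather than Appsian’s own code: sensitive fields stay redacted to their last four digits unless the requester’s role, MFA status and network location all permit full display, and every access is written to an audit line either way, so a static role-based rule is replaced by one that reacts to the session. The field names, roles and the sample record are constructed assumptions.

```python
"""Context-aware masking and access logging for sensitive ERP fields.

Illustrative example, not vendor code; field names, roles and the sample
record are constructed assumptions.
"""
import json
from datetime import datetime, timezone

SENSITIVE_FIELDS = {"ssn": 4, "bank_account": 4}   # field -> digits left visible


def mask(value: str, keep: int) -> str:
    """Replace every digit except the last `keep`; separators are preserved."""
    seen, out = 0, []
    for ch in reversed(value):
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= keep else "*")
        else:
            out.append(ch)
    return "".join(reversed(out))


def may_unmask(ctx: dict) -> bool:
    """Full values only for an HR admin who has passed MFA and is on the corporate network."""
    return ("HR_ADMIN" in ctx["roles"]
            and ctx["mfa_verified"]
            and ctx["on_corporate_network"])


def render(record: dict, ctx: dict, audit: list) -> dict:
    """Return the record as this user should see it; append one audit line per access."""
    unmask = may_unmask(ctx)
    shown = {}
    for key, value in record.items():
        if key in SENSITIVE_FIELDS and not unmask:
            shown[key] = mask(value, SENSITIVE_FIELDS[key])
        else:
            shown[key] = value
    # Logged whether or not the data was masked: the access itself is the event.
    audit.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": ctx["user"],
        "emplid": record["emplid"],
        "fields": sorted(k for k in record if k in SENSITIVE_FIELDS),
        "unmasked": unmask,
        "on_corporate_network": ctx["on_corporate_network"],
    }))
    return shown


# Constructed sample record; not real data.
SAMPLE = {"emplid": "000123", "name": "Pat Example",
          "ssn": "123-45-6789", "bank_account": "000123456789"}
```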
Download the whitepaper to learn more about the best practices for achieving an end-to-end security and compliance strategy.
On a time-crunch? Request a quick session with our PeopleSoft security experts.
Direct deposit is a given for most of us. Until it doesn’t work. I definitely remember the days of getting paper checks in the mail… or not.
Our customer – University of Waterloo – recently relaunched their direct deposit functionality that allows employees to add or update their direct deposit bank account information on-line through myHRinfo self-service.
Here’s a link to an article from their Daily Bulletin newsletter.
The implementation of ERP Firewall, which provided UWaterloo with additional layers of security on top of their PeopleSoft HCM system, was foundational to the relaunch.
A GreyHeller customer – one of the largest financial services firms in the US – licensed and implemented our ERP Firewall layered security platform specifically to put in place detailed logging and analysis to prevent the same type of breach suffered by Anthem Healthcare in 2015. Anthem settled that breach for $115 million.
On July 31, 2017 it was reported that Anthem suffered another breach. This breach involved a malicious insider – one of the hardest situations to track down.
If you as a PeopleSoft customer are concerned about your PeopleSoft sensitive data being exfiltrated, our ERP Firewall software solution can help.
- Multi-Factor Authentication to prevent a phished employee’s credentials from being used with Query to download sensitive data
- Data Masking to redact sensitive data
You can prevent cyber criminals from stealing your PeopleSoft sensitive data.
How does it work and how easy is ERP Firewall to implement?
ERP Firewall plugs into your PeopleSoft web server and is delivered with a pre-configured set of the most commonly used rules (based on implementing ERP Firewall for nearly 100 customers). Our highly automated install process takes a couple of hours, after which you will be invoking MFA, masking data and logging transactions at a highly granular level. Many of our customers actually go live within 30 days of installation.
- Mitigation options
- Best practices
- Lessons learned
- Incident Response
- Defense-in-depth for PeopleSoft
Since many PeopleSoft customers utilize WebLogic for their PeopleSoft environment, we wanted to highlight yesterday’s security alert. Oracle released an out-of-band security update for issues within Oracle WebLogic Server. Recommendations are to apply the patch and mitigation steps as soon as possible. While out-of-band security updates are rare, they are not unheard of. PeopleSoft customers need to review the update as soon as possible.
The CVSS (Common Vulnerability Scoring System) score of this update is 7.5. For reference, vulnerabilities are ranked from 0-10 based upon numerous factors, such as ease of execution. CVSS score ranges are Low (0 – 3.9), Medium (4.0 – 6.9) and High (7.0 – 10.0). The high base score of this update most likely led to the out-of-band patch being released.
As always if you ever have security questions, remember our assessment opportunity.
Stay safe and keep secure!
After the PS_TOKEN threat vector was announced at Hack in the Box Amsterdam in May 2015, security organizations started adding specific tests for PS_TOKEN into their penetration test portfolio.
If your organization does regular penetration tests (which you should if your PeopleSoft system is publicly available on the internet), your organization may fail and would therefore have to remediate this risk immediately.
What does this mean to you?
More time and effort will be required to deal with test results moving forward. Prepare for this situation today.
GreyHeller is the leading expert in performing PS_TOKEN assessments for customers and non-customers alike. Ensure your organization is in the most secure position by scheduling your assessment with GreyHeller today.
Security professionals are generally most concerned with outside hackers, malicious insiders and accidental data loss. However, if they don’t focus on internal processes around their organization’s employees’ changing roles and responsibilities, organizations are missing a key area of risk.
Manual processes within IDM could introduce mistakes and open the door to both privilege creep and account latency. Automation of new employee onboarding, promotions or transfers, administrative requests and terminations reduces risks and implements processes that alleviate these mistakes.
New employee onboarding
If done manually, the security implications of hiring a new employee can be daunting and prone to error. The provisioning process starts: computer access, id and password, network access, and application access are all just the tip of the iceberg. HR processes have to be followed; FERPA or HIPAA tests need to be passed. Automation of this process guarantees new employees base system access and allows security teams to focus on the more challenging processes below.
To accomplish this, the hiring event starts the automated process of provisioning least-privilege access. Under this model, new employees only have access to the initial set of self-service functions, such as enrolling in benefits. This allows the account provisioning to be triggered automatically from other IDM solutions that may be in use without introducing institutional risks. Granting higher privileged access is covered in the next section.
Newly hired, promoted or transferred workers
When a person starts new job functions or his/her job changes, it is imperative that the PeopleSoft privileges are accurate, made in a timely manner and can be monitored. Automating this procedure guarantees access changes don’t go unnoticed and lowers a company’s risk of data breach and privilege creep. Privilege creep occurs when employees move from job to job inside of an organization and system access no longer matches their role within the organization.
To accomplish this, job codes should be mapped to privileges so that automated processes can be built to modify privileges upon changes in job responsibilities. That way the system naturally mitigates privilege creep through job migrations.
Administrative access requests
Some administrative functions are very specialized and cannot be automatically assigned based on job codes in the HR application. Therefore, tracking these systems is absolutely critical. These high-privileged users have access to the institution’s most prized data or intellectual property. Organizations should establish a change control process over administrative privileges, whether they are project related or ongoing. Tracking and understanding what access a user has within each application, network device and computer is critical to managing their movement throughout the organization or out of the organization.
Terminations – there goes the data!
Termination is a critical security event. When an employee is terminated (whether voluntarily or involuntarily), the clock is ticking on restricting their access. An article from the Wall Street Journal suggests 50% of employees take data with them upon termination.
To address this concern, access must be removed from numerous systems precisely and efficiently especially for high privileged users. When an employee gives a two-week notice, data security requirements should log or remove all access besides base HR self-service functions to ensure data loss is kept to a minimum.
Automating this process involves tying the termination request to the modification of the user’s privileges. To accomplish this, the termination will trigger a removal of all roles and permissions other than base self-service HR functions. This has to be done immediately upon the termination event, and logging all access for these users is critical.
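The four lifecycle events described in this section (onboarding to base self-service, job-code driven promotions and transfers, approved administrative access, and termination) as one added example; this is illustrative code, not GreyHeller’s, and the job codes, role names and sample role sets are assumptions. The same reconciliation that computes a transfer also surfaces privilege creep: any role the current job code or an explicit approval does not justify.

```python
"""Job-code driven provisioning, privilege-creep detection and termination
handling for an HCM-style system. Illustrative example, not vendor code;
role names, job codes and sample role sets are assumptions.
"""

# Every hire gets only base self-service on day one (benefits enrollment etc.).
BASE_SELF_SERVICE = {"SS_BENEFITS", "SS_PAYSTUB", "SS_PERSONAL_INFO"}

# Job code -> roles beyond base self-service. Administrative roles are
# deliberately absent: they are granted only through the approval path below.
JOB_CODE_ROLES = {
    "J100": set(),                           # general staff
    "J200": {"HR_ANALYST"},                  # HR analyst
    "J300": {"HR_ANALYST", "HR_MANAGER"},    # HR manager
}
ADMIN_ROLES = {"PAYROLL_ADMIN", "SECURITY_ADMIN"}


def target_roles(job_code, approved_admin=frozenset()):
    """Least-privilege role set: base + job-code roles + approved admin roles.
    An unknown job code maps to base self-service only (fail closed)."""
    return (BASE_SELF_SERVICE
            | JOB_CODE_ROLES.get(job_code, set())
            | (set(approved_admin) & ADMIN_ROLES))


def privilege_creep(current, job_code, approved_admin=frozenset()):
    """Roles the user holds that neither the job code nor an approval justifies."""
    return set(current) - target_roles(job_code, approved_admin)


def on_job_change(current, new_job_code, approved_admin=frozenset(), log=None):
    """Hire, promotion or transfer: grant what the new job needs, revoke the rest."""
    want = target_roles(new_job_code, approved_admin)
    grant, revoke = want - set(current), set(current) - want
    if log is not None:
        log.append(f"JOB_CHANGE job={new_job_code} "
                   f"grant={sorted(grant)} revoke={sorted(revoke)}")
    return want


def on_termination(current, user, log):
    """Strip everything except base self-service the moment the event fires."""
    removed = set(current) - BASE_SELF_SERVICE
    retained = set(current) & BASE_SELF_SERVICE
    log.append(f"TERMINATION user={user} "
               f"removed={sorted(removed)} retained={sorted(retained)}")
    return retained
```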
- 9/30 UNC Chapel Hill Thwarts Cybercrime with ERP Firewall
- 10/13 Verizon Makes PeopleSoft HCM Responsive with PeopleMobile®
Check out the details below!
9/30 UNC Chapel Hill Thwarts Cybercrime with ERP Firewall Presenter: Sharron Bouquin, Auxiliary Applications Manager, Enterprise Applications 11am PST / 2pm EST
The University of North Carolina at Chapel Hill utilizes the GreyHeller Application Firewall to enhance application security and protect valuable data assets. The intelligence provided by the GreyHeller Application Firewall enabled an invaluable shift in mindset from being reactive to proactively planning security measures.
This webinar will focus on the steps the university took to:
- Stop administrative users from insecurely accessing sensitive data
- Protect against specific browser flaws like cross-site scripting and URL spoofing
- Protect high profile departments
- Increase actionable intelligence about end users’ behavior, allowing knowledgeable business decisions
- Lower their risk profile by implementing critical data protection rules across all development and production systems
- Increase ROI by enabling increased end user satisfaction by securely delivering self-service and mobile access
MOBILE / USER EXPERIENCE
10/13 Verizon Makes PeopleSoft HCM Responsive with PeopleMobile® Presenter: David Kelly, Director Systems Architecture at Verizon 11am PST / 2pm EST
This session will discuss how Verizon was able to provide mobile / responsive self service access to its 170,000+ workforce within a 4 month implementation timeframe. This presentation will cover:
- Overview of Verizon’s highly customized environment
- Key Use Cases
- Types of mobile access
- UI standards and requirements
- Implementation methodology
- Lessons learned
For more information or to schedule a private demo, please contact us.