Security, Tips and Techniques

What you need to know about the reported PS_Token vulnerability

By Hendrix Bodden • September 4, 2015

Appsian has been offering security assessments to both customers and non-customers concerning a potential PS_TOKEN configuration vulnerability. Over the past month, we have posted to our blog that PeopleSoft is arguably the most secure ERP platform on the market. The blog contains links to the PeopleSoft red paper and additional information about proper configuration of PeopleSoft to mitigate potential PS_TOKEN configuration vulnerabilities.

In this session, Greg Wendt, Executive Director, Security Solutions, talks about numerous takeaways learned from our PS_TOKEN assessments. Topics include:

  • Mitigation options
  • Best practices
  • Lessons learned
  • Incident Response
  • Defense-in-depth for PeopleSoft

Security, Tips and Techniques

What you should know about PeopleSoft and Common Web Application Vulnerabilities

By Larry Grey • August 14, 2015

Background

In recent blog posts, we’ve mentioned that PeopleSoft provides a number of security protections out of the box. In this entry, we wanted to go into more detail on this, specifically focusing on what you should know about PeopleSoft and common web application vulnerabilities.

  • Data sniffing
  • SQL Injection
  • Cross-Site Scripting
  • Content Spoofing and Injection
  • Directory Indexing
  • Information Leakage

If you hire an organization to perform penetration testing (as any organization deploying PeopleSoft on the public internet should), these are the items that they will primarily focus on.

PeopleTools as a Security Platform

One of the most important aspects of security within PeopleSoft is that the platform ensures that security protections are built in globally. As such, PeopleTools differs from other development platforms in the following ways:

  • Secure by Default:  Developers do not have to write specific security code in the application, because protections are applied automatically — PeopleTools takes care of it for them — thus ensuring that security is enforced consistently.
  • Rapid evolution:  Keeping up with potential vulnerabilities is an arms race where new attack vectors are constantly being created by the bad guys.  Because the security logic is applied externally to the application logic, vulnerabilities can be addressed at the platform level, delivered by Oracle, and applied platform-wide immediately.
  • Centralized Security Expertise:  PeopleTools has a team of security developers whose job it is to stay current on best practices and potential vulnerabilities, allowing the rest of the organization to focus on business functionality.  This ensures that customers staying current on their PeopleSoft updates will have the latest protections available.

So, let’s look at each of the common web vulnerabilities and what PeopleSoft does to remediate them.

Data Sniffing

Although this should be second nature to anybody deploying a web application, SSL termination is a critical component of ensuring secure data transportation between the end-user and the PeopleSoft system. PeopleSoft has configuration settings specifically for SSL termination and virtual addressing so that all traffic can be sent securely.  It also gives organizations the ability to utilize other tiers for SSL termination, such as the load balancer.

SQL Injection

Because many web applications access and store data through a relational database, a common attack vector is to inject SQL into edit boxes, URLs, or other user-enterable fields to bypass application logic and talk directly to the database. This could allow an unauthorized user to:

  • Gather sensitive data
  • Make unauthorized updates to application data
  • Escalate privileges and/or bypass system controls
  • Cause service interruptions

The following comic — “Bobby Tables” — pokes fun at this technique:

PeopleTools mitigates this vector through its definitional development infrastructure. When a page is developed in PeopleTools, the developer rarely writes SQL; instead, the developer places fields on the page and PeopleTools generates the SQL with the appropriate size, type, and encoding.

However, PeopleTools does not restrict developers from writing their own SQL, frequently using the infamous SQLExec PeopleCode function. Therefore, it is important that organizations incorporate strong change management techniques to review in detail any places where customizations are made with SQLExec functions.

Cross-Site Scripting

Cross-site scripting occurs when an unauthorized site or form controls a page or form in your application, making unauthorized updates.  This is commonly done with JavaScript, but can also be accomplished with other techniques.

PeopleTools protects against cross-site scripting by embedding a random token in each PeopleSoft page that is validated by servlets on the PeopleSoft web server. If a submitted form lacks the token, or the token fails validation, the request is rejected.

This vulnerability existed in very early PeopleTools versions (circa 2000), but was remediated quickly platform-wide with a PeopleTools update once the threat vector was discovered and hasn’t been a risk for at least 10 years.

Content Spoofing and Injection

Content spoofing and injection is a whole category of techniques for making unexpected modifications to HTTP traffic between the browser and the application.  Examples include:

  • Modifying the URL in unexpected ways
  • Altering or removing HTTP Headers
  • Altering or removing cookies
  • Altering the HTML or XML content

A common technique followed by the bad guys is to install a proxy between the browser and the application, capture traffic, modify the different aspects of the traffic, and play back the results.

PeopleTools protects against spoofing and injection by acting as a single controller that issues and processes the HTTP traffic. Whenever an unexpected event occurs (such as an unexpected URL), it will either issue a security error (such as "You are not authorized to access this component") or will terminate your session.

That said, there are some implementation decisions customers can make that would circumvent these protections. These include the following:

  • Adding an HTTP header to the HTML to maintain the identity of the user for single signon.  If the header is accessible to the end-user and Signon PeopleCode does not have anti-spoofing functionality, modifying the header could allow access without logging in.
  • Utilizing the %GetRequest parameter with a SQLExec function.  Because this function allows parameters to be embedded in the URL as a query string, improper use of it could open up a vulnerability.
  • Improper implementation of location-based security rules.  Many organizations will implement location-based security by hiding URLs based on location (versus blocking them).  Because any PeopleSoft page can be accessed directly from a URL, merely hiding navigation does not block access to the content.
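The change-management review recommended in the SQL Injection section, and the request-parameter-with-SQLExec risk listed above, can be partly automated. This added example (not GreyHeller's or Oracle's code) scans exported PeopleCode text for SQLExec calls whose SQL text is built with the PeopleCode | concatenation operator or taken from %Request.GetParameter(), and distinguishes them from calls that pass values through :1-style bind placeholders. It assumes PeopleCode exported as plain text with double-quoted string literals and ;-terminated statements; the sample PeopleCode is constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of PeopleCode for this example; not from any real application.
SAMPLE_PEOPLECODE = """
/* ok: literal SQL, the value is passed as a bind variable */
SQLExec("SELECT NAME FROM PS_PERSONAL_DATA WHERE EMPLID = :1", &emplid, &name);
/* review: request parameter concatenated straight into the SQL text */
&id = %Request.GetParameter("emplid");
SQLExec("SELECT NAME FROM PS_PERSONAL_DATA WHERE EMPLID = '" | &id | "'", &name);
/* review: the statement sits in a variable that was built from request input */
&sql = "UPDATE PS_JOB SET DEPTID = '" | %Request.GetParameter("dept") | "'";
SQLExec(&sql);
/* ok: request parameter used as a bind value, not spliced into the SQL text */
SQLExec("SELECT DESCR FROM PS_DEPT_TBL WHERE DEPTID = :1",
        %Request.GetParameter("dept"), &descr);
/* ok: '||' inside the literal is SQL concatenation, not the PeopleCode operator */
SQLExec("SELECT LAST_NAME || ', ' || FIRST_NAME FROM PS_NAMES WHERE EMPLID = :1", &emplid, &full);
"""

@dataclass
class Finding:
    line: int
    verdict: str   # "ok" or "review"
    reason: str

def _outside_strings(text: str) -> str:
    # Drop the contents of double-quoted literals, so a '|' or '||' that is part
    # of the SQL text is not mistaken for the PeopleCode concatenation operator.
    out, in_str = [], False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            out.append(ch)
    return "".join(out)

def _first_arg(after_paren: str) -> str:
    # Text of the first call argument: everything up to the first comma or
    # closing paren that sits outside string literals and nested parentheses.
    depth, in_str, out = 0, False, []
    for ch in after_paren:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif depth == 0 and ch in "),":
                break
            elif ch == ")":
                depth -= 1
        out.append(ch)
    return "".join(out).strip()

def _dynamic(expr: str) -> str:
    """Why an expression is dynamic SQL, or "" if it is a plain literal."""
    code = _outside_strings(expr)
    if "|" in code:
        return "SQL text built with the | concatenation operator"
    if "%Request" in code:
        return "SQL text taken directly from %Request input"
    return ""

def scan_sqlexec(src: str) -> list:
    """Classify every SQLExec call in a PeopleCode source text."""
    # Blank out /* */ comments but keep their newlines so line numbers hold.
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    # Every '&var = <expr>;' assignment, in source order, for variable lookups.
    assigns = [(m.start(), m.group(1), m.group(2))
               for m in re.finditer(r"(&\w+)\s*=\s*(.*?);", src, flags=re.S)]
    findings = []
    for m in re.finditer(r"\bSQLExec\s*\(", src):
        first = _first_arg(src[m.end():])
        reason = _dynamic(first)
        if not reason and re.fullmatch(r"&\w+", first):
            # Statement passed by variable: judge its most recent prior assignment.
            prior = [a for a in assigns if a[0] < m.start() and a[1] == first]
            reason = (_dynamic(prior[-1][2]) if prior
                      else f"{first} is assigned outside this text; inspect manually")
        findings.append(Finding(src.count("\n", 0, m.start()) + 1,
                                "review" if reason else "ok",
                                reason or "literal SQL with bind placeholders"))
    return findings
```

Run `scan_sqlexec(SAMPLE_PEOPLECODE)` to get one Finding per SQLExec call; the two calls that splice request input into the SQL text come back as "review", while the bind-placeholder calls come back as "ok".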

Directory Indexing

Directory indexing is a threat vector where a person gets a web server to disclose the list of files and folders on it. In some cases, this can be used to determine how the application works behind the scenes, even to the point of looking at the code that is running on the server.

PeopleSoft provides a few protections against this:

  • The first is that all of the security, business and database logic runs on a server separate from the PeopleSoft web server.  This means that gaining access to the web server does not provide access to the directories controlling how the application does its processing.
  • The second is that PeopleSoft has a number of ways in which it can be deployed in conjunction with a DMZ.  One common option is to have a proxy server running in the DMZ where the web server itself is behind the corporate firewall.

Information Leakage

Information leakage is the last threat vector we will discuss. In the context of this discussion, we will be covering information leakage as it relates to an external attacker trying to learn how the system operates. Information leakage can also be discussed from the perspective of an authorized user's use of sensitive application data, which will be covered in a future post.

Anybody familiar with PeopleSoft's Control-J function is familiar with the type of data that can be leaked. This page provides information about the version of PeopleTools, the PeopleSoft application, and the ports that are being used on the app servers. At the WebLogic level, the WebLogic console provides information about the Java version being run, etc. Although this is great for troubleshooting issues in a development or test environment, an external person can use it to research known vulnerabilities for the versions being used in order to plan an attack.

Fortunately, PeopleSoft provides a configuration option in the web profile to turn off disclosure of this information, and the default PROD web profile has this setting made appropriately.

Security

Webinar: Fact or Myth – Protecting your PeopleSoft HCM Data from Cybercrime

By Hendrix Bodden • August 2, 2015

Want to sort cybercrime fact from fiction? Do you think you know the difference? Test your knowledge. In this OHUG sponsored webinar, GreyHeller will set the record straight about cybersecurity myths using data from its Annual Cybersecurity Survey, the Sans Survey and live audience polling.

This engaging and interactive webinar session will test your internal and external threat knowledge and give you the tools necessary to assess your organizations’ PeopleSoft security. All participants will be given a copy of GreyHeller’s Confidential Threat Assessment Matrix which identifies the internal, external and data threat vectors the bad guys have used to compromise HCM data.

The session will include information on:

  • Data Masking
  • Data Leakage
  • Multi-Factor Authentication
  • Location Based Security
  • Self Service Use
  • High Privilege Access
  • Logging/Analysis & Forensic Investigation

We will conclude with real world case studies of how PeopleSoft customers are protecting their HCM data from cybercrime.

Security

PS_Token Update and Department of Homeland Security July 1 Report

By Larry Grey • July 7, 2015

As a follow-up to our June 3rd post PS_TOKEN vulnerability and prevention, I wanted to share recent activity about which you might be interested.

  • On June 29, 2015, Security Week wrote the following article that not only discussed the issue, but also analyzed which organizations were at risk.
    • 249 commercial enterprises
    • 246 Universities
    • 64 government and military organizations
  • On July 1, 2015, The Department of Homeland Security included this in its July 1 Daily Open Source Infrastructure Report

As you might imagine, some of the more public PeopleSoft customers have started to become concerned, especially since an attack could occur offline without being detected by the customer.

Production Down!

At GreyHeller, things escalated when one of our Higher Education customers discovered that they were one of the universities Security Week had found. Due to these concerns, and because this customer had processes dependent on the PS_TOKEN cookie, this customer made the decision to shut down access to its production system until satisfied that this risk was addressed.

Following the shutdown, this organization looked at its options, which included the following:

  • Contacting their cloud vendor to update their PS_TOKEN encryption key. This would take a minimum of 2 weeks of effort.
  • Looking at upgrading to a newer version of PeopleTools that had a stronger encryption algorithm (256-bit versus 128-bit).
  • Contacting GreyHeller to see if we could provide a solution for them that worked better than removing the PS_TOKEN cookie or their other options.

The first two options would require an extensive outage that would affect employees as well as students.

Wait… Production Back Up!

Fortunately, through collaboration with GreyHeller, this customer was able to meet its needs with only a brief outage. The ultimate solution will allow this organization to continue to operate PeopleSoft with the strongest protection possible with respect to this issue:

  • They were able to move to the 256-bit encryption algorithm immediately
  • They will be able to configure the solution to leverage alternate (and future) encryption algorithms with no down time
  • They are able to deploy live rotation of encryption keys… without downtime. This means that this organization will be automatically changing the encryption keys more rapidly than the bad guys would be able to break them.

Additionally, GreyHeller was able to address the customer's risk without installing or updating software or accessing the PeopleSoft servers directly, which was extremely beneficial to them as their PeopleSoft systems are managed by a hosting provider.

Learn More

Contact us to schedule a review of your current environment and learn how you, too, could leverage the GreyHeller ERP Firewall to protect your PeopleSoft system.

Security

GreyHeller at Collaborate15 - Las Vegas

By Hendrix Bodden • March 31, 2015

GreyHeller is thrilled to showcase our Mobile and Security solutions at Collaborate 2015. From announcing new partnerships, to launching your institution’s mobile strategy, to practical ways to protect your ERP systems, we’ll be available to demo our solutions and answer your questions.  

Turn your employees into fans of your PeopleSoft application. PeopleMobile® provides a modern, easy to use experience that your employees will love.

  • Provide a beautiful mobile and desktop experience that matches your brand identity
  • “Plug and Play” your PeopleSoft content with mobile applications and portals
  • Transform any of PeopleSoft’s 6,000 pages, including customizations
  • Implement quickly and easily using your existing PeopleSoft version and infrastructure
  • Leverage your employees’ existing PeopleSoft skills for implementation and support

Key Features

  • Responsive Design
  • Automatically transforms any PeopleSoft page
  • Adapts to customizations and new PeopleSoft releases
  • Compatible with PeopleTools 8.45 and greater

Protect and secure your organization and your PeopleSoft investment. ERP Firewall mitigates internal and external risks while lowering total cost of ownership.

  • Control access outside the perimeter
  • Reduce or eliminate data leakage
  • Protect against compromised credentials
  • Empower security administrators with visibility into system use including incident response
  • Protect against misuse of personal information for high profile students by administrators

Key Features

  • Data Masking
  • 2-Factor Authentication
  • Location Based Security
  • VIP Data Protection
  • Delegate Access
  • Logging & Analysis

Visit booth 636 at Collaborate 2015 for more information on our Mobile and Security solutions and to check out how our products work with our partners’ solutions: GreyHeller + Modo Labs and GreyHeller + Duo Security.

Security, Tips and Techniques

GreyHeller Sessions and Customer Sessions @ Alliance2015

By Hendrix Bodden • March 11, 2015

GreyHeller is thrilled to showcase our Mobile and Security solutions and our customers’ sessions at Alliance 2015.  From announcing new partnerships, to launching your institution’s mobile strategy, to practical ways to protect your ERP systems, there’s a session that fits your needs.

Also joining us are Shelley Nelson, VP, Services, and Greg Wendt, Executive Director of Security Solutions. Shelley is responsible for Customer Implementation and Support and will be available in our booth to discuss ongoing customer projects and answer questions about implementation best practices for our Mobile & Security products. Greg is a past Chairman of the TAG and will be available in our booth to discuss security and best practices to protect your institution from cybercrime.

3/16 ERP Security Analytics & Intrusion Prevention
Session: 34465
Time: 2:15p – 3:15p
Presenters: Larry Grey, President, and Greg Wendt, Executive Director
Description: ESAIP – based on our ERP Firewall technology – secures your PeopleSoft data with prebuilt dashboards, alerts, and analytics based on automated, enterprise-wide event data collection.

3/17 Modo Labs + GreyHeller: Together, Making the Impossible, Possible
Session: 34467
Time: 1:00p – 1:30p
Presenters: Larry Grey, President, and Andrew Yu, Founder & CTO, Modo Labs
Description: GreyHeller and Modo Labs have partnered to deliver powerful mobile solutions to PeopleSoft customers. Join us for a brief demonstration of the deep integration between PeopleMobile® and the Kurogo™ Mobile Campus. The demonstration will include Student/Faculty and HCM use cases and disclose how your organization can benefit from our groundbreaking partnership.

3/16 Mobile My Madison – PeopleSoft Mobile at James Madison University
Session: 34402
Time: 2:15p – 3:15p
Presenter: Tariq Rabie, Applications Development and Support, James Madison University
Description: JMU recently implemented mobile access to self-service components of PeopleSoft Interaction Hub, Campus Solutions and Human Capital Management in a short timeframe, implementing GreyHeller's PeopleMobile® product. Learn how in approximately 2 months, JMU provided a pilot mobile deployment and then turned around in approximately 2 additional months to provide full access of its customized PeopleSoft environment to its students.

3/17 Mobilizing the Student Service Experience – UT Dallas and PeopleMobile®
Session: 34141
Time: 3:15p – 4:15p
Presenter: Ryan Meyers, Business Analyst/Developer IV, University of Texas at Dallas
Description: UT Dallas recently implemented the first component of its overall mobile strategy. At this session we will present UTD's overall mobile strategy and how UTD is delivering PeopleSoft on mobile devices to its students and faculty. This session will include a demonstration of UTD's mobile system. It will include a discussion on UTD's technology evaluation, implementation best practices and lessons learned during the project.

3/16 GreyHeller Application Firewall – enhance security!
Session: 34635
Time: 3:45p – 4:45p
Presenter: Sharron Bouquin, Auxiliary Services Development Manager, University of North Carolina at Chapel Hill
Description: UNC-CH implemented the GreyHeller ERP Firewall, providing an enhanced level of security to its applications. At this session UNC-CH will present how they implemented the product, provided additional levels of security and filled some unique gaps! They will also cover 'next steps' with their implementation plans.

3/17 Protect your Users and Data in PeopleSoft with 2 Factor Authentication
Session: 34388
Time: 1:45p – 2:45p
Presenter: Ryan McDaniel, Assistant Director of Identity and Access Management, University of Colorado
Description: The UC has successfully implemented 2 factor authentication using ERP Firewall and Duo Security. Come by for an overview of their implementation, demonstration of functionality, and plans for the future.

Security

Shelley Nelson Joins GreyHeller as Vice President of Services

By Hendrix Bodden • January 29, 2015

Shelley Nelson,
Vice President of Services

San Ramon, California – January 28, 2015 – GreyHeller, LLC, provider of the leading security and modernization software for legacy ERP systems, today announced the appointment of Shelley Nelson as Vice President of Services. Shelley will have worldwide responsibility for customer implementation projects and support and will serve as a member of GreyHeller’s senior leadership team. Shelley will report to Larry Grey, President, GreyHeller.

“We are pleased to welcome Shelley to GreyHeller and look forward to Shelley’s delivering 100% customer success and satisfaction,” said Larry. “I’ve worked with Shelley in the past. Her 20-plus years of experience make her ideal to lead all of our customer-facing initiatives.”

“I am excited to be a part of an organization that is totally focused on making their customers successful,” Shelley said. “Joining GreyHeller is a fantastic opportunity and I am excited to help the company grow to its full potential.”

Previously, Shelley launched Services for Lisam America which grew to 90 customers. Prior to Lisam, she served as Vice President, Global Support for TomorrowNow where she achieved top 10% worldwide IT-industry customer satisfaction and 98% customer reference rating (TNS Global rating). Before joining TomorrowNow, Shelley spent 6 years at PeopleSoft leading Financials systems implementations and as a Financials systems developer.

About GreyHeller

GreyHeller’s award winning software modernizes and secures legacy ERP systems. ERP Firewall protects ERP sensitive data from cyber criminals. PeopleMobile® modernizes and mobilizes legacy ERP platforms, giving customers an option to costly system replacement. GreyHeller’s products are used by nearly 100 customers worldwide across all industries.

Security

OHUG Interview With GreyHeller CEO Hendrix H. Bodden

By Hendrix Bodden • December 18, 2014

The year has been full of cyber attacks that have left sensitive information ranging from bank accounts to social security numbers exposed and vulnerable.

From data breaches at eBay and Michaels to the recent and devastating attack on Sony, no business is safe from cybercrime though many fail to realize the seriousness of the situation.

And it’s a problem that will only grow in severity. The value of cybercrime is expected to exceed $1 trillion by 2020, and the current market for security technology is more than $40 billion, according to Hendrix H. Bodden, chief executive officer of GreyHeller.

“It is more frightening than anybody actually realizes that isn’t in this business,” Bodden said in an interview. “I think that 2014 has seen so many high profile breaches, even JPMorgan Chase has been breached. They were able to index virtually every node, virtually every terminal, every Web server on the JPMorgan network. JPMorgan’s CEO Jamie Dimon said they’re at least doubling their cyber-security budget, and I do think that companies are taking it more seriously. I think boards of directors, shareholders, and customers are starting to ask, ‘What are you doing to protect your valuable assets?’”

There Are a Wide Variety of Cyber Criminals

The make-up of cyber criminals is diverse — representatives of foreign governments, international organized crime rings, individuals working alone, and hacking collectives are all trawling the Web for a window of opportunity. It is estimated that 97 percent of U.S. companies have been hacked or will be hacked. Oftentimes businesses aren’t even aware that they’ve been compromised. “The cybercrime environment is multi-layered, it’s incredibly active, it’s 24-7,” Bodden said. “If you believe that the bad guys are always one step ahead, in this case they really are.” Consumers can protect their information by creating secure passwords and using two-step authentication whenever available. They also should be wary of email-based phishing attacks, which can be protected against with a careful eye. Some signs that an email may be fraudulent include poor grammar and punctuation or bizarre phrasing.
“What happens is I’ll click on a link and that link will actually take me to what appears to be a legitimate site and I’ll enter information,” Bodden said. “Once I’ve entered that information, the bad guy’s site will then forward me on to the legitimate site and you’ll never know that there was that intermediate step in between. A lot of this happens and people don’t even know it. The only time they find out is when somebody has bought their credit card number on the black market and all of a sudden they’re seeing purchases at electronic stores or gift cards, which are two of the most favorite ways that cyber criminals monetize stolen identities.”

Mobile Device Management Increasingly Being Used for Protection

Mobile device management is an up-and-coming area of cybersecurity. For example, some systems allow for remote data wipes when a mobile device is lost or permit the company to download updates. GreyHeller’s ERP Firewall protects users by implementing two-factor authentication at the field level. Data masking, logging and analysis, and location-based security also are rising trends in the industry. GreyHeller will kick off the new year with a series of cybersecurity webinars. The first will debut on Jan. 7 and focus on Oracle PeopleSoft security for higher education. These systems often host the same information banks do, making them an attractive target for cyber criminals.
“Higher education is especially challenged by cyber criminals because they have by definition very open networks,” Bodden said. “They’re not behind a firewall, so higher education institutions have to have all of their web applications out and accessible in the wild and on the internet. The bad guys know this and so higher education is one of the top industries that is actually targeted by cyber criminals.”

January Webinar to Focus on PeopleSoft HR Systems

The Jan. 14 webinar centers on PeopleSoft human resources systems, which also typically contain sensitive information vulnerable and valuable to hackers.

“Before the human resources systems were mobilized, they could pretty well contain them behind the corporate firewall,” Bodden said. “But now that a lot of these systems have been mobilized so you can access your paycheck, you can change your benefits, you can do a lot of employee self-service and manager self-service from your mobile device, that exposes those systems to the internet and the bad guys know that so they’re going after them.”

The third and final webinar on Jan. 21 will be presented alongside Duo and discuss two-factor authentication.

Security

How Data Masking Helps Prevent Cyber Attacks

By Hendrix Bodden • December 9, 2014

Data Masking could have helped prevent recent, high-profile destructive cyber attacks.

How?

By scrambling or removing sensitive data from production and non-production systems, Data Masking can prevent compromised privileged user account information from being used to gain access to sensitive data such as Social Security Numbers.

Greg Wendt, GreyHeller’s Executive Director of Security Solutions and Services, said “I’m consistently amazed that more organizations haven’t implemented Data Masking or Two-Factor Authentication.”

Cyber criminals using compromised privileged user account information to access databases would not be able to actually see the data had it been masked. Further, combining Two-Factor Authentication with Data Masking would impose even tighter security on that sensitive data, ensuring that access only occurs once the Two-Factor Authentication challenge was successfully passed, often with an SMS message or secure ID token.

According to Mr. Wendt, “privileged user access is a huge threat vector that can be properly managed with masking and Two-Factor Authentication.”

Privileged users are often defined as systems and database administrators in the information technology department who maintain systems and databases that contain sensitive information.

GreyHeller’s software product – ERP Firewall – contains powerful Data Masking and Two-Factor Authentication capabilities and is used by major commercial and higher education institutions to protect their sensitive data from cyber attack.

About GreyHeller

San Ramon, California-based GreyHeller serves Oracle® PeopleSoft customers globally across all industries, helping them secure and mobilize their PeopleSoft investment. GreyHeller’s software solutions – PeopleMobile®, ERP Firewall and Single Signon – are in production at nearly 100 PeopleSoft customers. PeopleMobile® renders PeopleSoft responsive across any mobile device and desktop. ERP Firewall and Single Signon protect PeopleSoft customers from criminal and inadvertent breach. For more information about GreyHeller, please visit www.greyheller.com.