According to Kate Hash, Manager of ITS Communications at UNC Chapel Hill, “Up until Friday, our largest download month had been 600 downloads of the app. On Friday alone, we had 2,000. It is clear that ConnectCarolina is adding a value to the app and that the students are now discovering the app because they want to use ConnectCarolina.”
Check out the full article on dailytarheel.com to learn more about how UNC mobilized and transformed PeopleSoft using PeopleMobile®. Read more
Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives
While some organizations believe hacks come from only external sources, these companies may be missing an even larger threat: internal, privileged users. According to the study, titled Ponemon Institute’s Survey on Data Security Breaches, sixty-nine percent of companies reporting serious data leaks responded that their data security breaches were the result of either malicious employee activities or non-malicious employee error. While some attacks can be unintentional, to protect your organization from internal aggravators, there are a couple of steps your business can take.
High-privileged users by definition have access to the most sensitive information within the organization. Their access is coveted by both external hackers and malicious internal users. Safeguarding your company requires an in-depth look at current security policies and how they could be improved. There should be guidelines put in place detailing what access each member receives, as well as strict account management practices. This can include requiring privileged users to change their passwords biweekly or bimonthly to ensure important data is always secured or implementing a least privilege arrangement. This practice gives users the bare minimum for their positions’ needs when it comes to access.
In addition, your company could eradicate “all powerful” accounts that allow entitled users access to almost all information in a business’s system. Instead, delegate access to particular data to different people, using a specific identification password or username that can be tied to that person. Certain actions within the system would then be accessible by only people who have been granted that permission. Multifactor authentication would limit and verify which privileged users are able to complete specific behaviors within the system.
Multifactor authentication can prevent malicious insiders from hacking into secure data.
Users with great power, also comes great responsibility. Our security survey results show greater than 80% of respondents expect high-privileged users to utilize increased security measures such as multi-factor authentication. Privileged users with particular leverage should still have to meet and pass certain security requirements for access to data and functions. To keep company information as secure as possible, it is important to increase protection by implementing specific protocols, including data masking.
Data masking is a smart backup for multifactor authentication. If a user is able to make it through one level of security but cannot view other data, the system hides secure information. Only the most basic, non-harmful data is visible. Continued failed login attempts at every level of authentication would result in increased masking of secure materials.
The phone rings, the caller accuses someone of changing their data because their paycheck was not deposited into their account – now the response has to begin. It’s vital to monitor users’ conduct within the system at every level. Specifics are necessary to audit people’s access as well as perform incident response. High-privileged users impact and influence on company data must be tracked within the overall data security solution. Although this security measure is difficult to complete, it can be done with the correct logging software. With a firewall that includes analysis of a user’s record and behaviors within the portal, companies can have a better idea of what secure information is misused.
High-privileged users can wreak just as much havoc on a system as external hackers. In fact, 25 percent of respondents said a malicious insider was the cause of a company breach in the past year, according to Forrester Research. To avoid system intrusions, whether vengeful or not, it’s vital for your company to have a security policy in place to monitor users. Multifactor authentication, data masking and logging analysis are all beneficial tools to protect your organization’s critical information.
Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives
In recent blog posts, we’ve mentioned that PeopleSoft provides a number of security protections out of the box. In this entry, we wanted to go into more detail on this, specifically focusing on what you should know about PeopleSoft and common web application vulnerabilities.
If you hire an organization to perform penetration testing (as any organization deploying PeopleSoft on the public internet should), these are the items that they will primarily focus on.
One of the most important aspects of security within PeopleSoft, is that the platform ensures that security protections are built in globally. As such, PeopleTools differs from other development platforms in the following ways:
So, let’s look at each of the common web vulnerabilities and what PeopleSoft does to remediate them.
Although this should be second nature to anybody deploying a web application, SSL termination is a critical component of ensuring secure data transportation between the end-user and the PeopleSoft system. PeopleSoft has configuration settings specifically for SSL termination and virtual addressing so that all traffic can be sent securely. It also gives organizations the ability to utilize other tiers for SSL termination, such as the load balancer.
Because many web applications access and store data through a relational database, a common attack vector is to inject SQL into edit boxes, URLs, or other user enterable fields to bypass application logic and talk directly to the database. This could allow an unauthorized user to:
The following comic — “Bobby Tables” — pokes fun at this technique:
PeopleTools mitigates this vector through its definitional development infrastructure. When a page is developed in PeopleTools, the developer is rarely writing SQL, but placing the fields on the page. PeopleTools will generate the SQL with the appropriate size, type, and encoding.
However, PeopleTools does not restrict developers from writing their own SQL, frequently using the infamous SQL-Exec PeopleCode function. Therefore, it’s important that organizations incorporate strong change management techniques to review in detail any places where customizations are made with SQLExec functions.
Cross-site scripting occurs when an unauthorized site or form controls a page or form in your application, making unauthorized updates. This is commonly done with JavaScript, but can also be accomplished with other techniques.
PeopleTools protects against cross-site scripting by embedding a random token in each PeopleSoft page that is validated by servlets on the PeopleSoft web server. If the form doesn’t have the token or the token is rejected, the traffic is also rejected.
This vulnerability existed in very early PeopleTools versions (circa 2000), but was remediated quickly platform-wide with a PeopleTools update once the threat vector was discovered and hasn’t been a risk for at least 10 years.
Content spoofing and injection is a whole category of techniques for making unexpected modifications to HTTP traffic between the browser and the application. Examples include:
A common technique followed by the bad guys is to install a proxy between the browser and the application, capture traffic, modify the different aspects of the traffic, and play back the results.
PeopleTools protects against spoofing and injection by acting as a single controller that issues and processes the HTTP traffic. Whenever an unexpected event occurs (such as an unexpected URL), it will either issue a security error (such as You are not authorized to access this component) or will terminate your session.
That said, there are techniques that some implementation decisions that customers can make that would allow an organization to circumvent these protections. These would include the following:
Directory indexing is a threat vector where a person gets a web server to disclose the list of files and folders on it. In some cases, this can be used to determine how the application works behind the scenes, even to point of looking at the code that is running on the server.
PeopleSoft provides a few protections against this:
The last threat vector we will discuss. From the context of this discussion, we will be covering information leakage as it relates to an external attacker trying to learn about how the system operates. Information Leakage can also be discussed from the perspective of an authorized user’s use of sensitive application data, which will be discussed in a future post.
Anybody familiar with PeopleSoft’s Control-J function is familiar with type of data that can be leaked. This page provides information about the version of PeopleTools, the PeopleSoft application, and the ports that are being used on the app servers. At the weblogic level, the weblogic console provides information about the java version being run, etc. Although it is great for troubleshooting issues in a development or test environment, an external person can utilize this to research known vulnerabilities for the versions being utilized to plan an attack.
Fortunately, PeopleSoft provides a configuration option in the web profile to turn off disclosure of this information, and the default PROD web profile has this setting made appropriately.
PeopleTools mitigates this vector through its definitional development infrastructure. When a page is developed in PeopleTools, the developer is rarely writing SQL, but placing the fields on the page. PeopleTools will generate the SQL with the appropriate size, type, and encoding.
However, PeopleTools does not restrict developers from writing their own SQL, frequently using the infamous SQL-Exec PeopleCode function. Therefore, it’s important that organizations incorporate strong change management techniques to review in detail any places where customizations are made with SQLExec functions.
Cross-site scripting occurs when an unauthorized site or form controls a page or form in your application, making unauthorized updates. This is commonly done with JavaScript, but can also be accomplished with other techniques.
PeopleTools protects against cross-site scripting by embedding a random token in each PeopleSoft page that is validated by servlets on the PeopleSoft web server. If the form doesn’t have the token or the token is rejected, the traffic is also rejected.
This vulnerability existed in very early PeopleTools versions (circa 2000), but was remediated quickly platform-wide with a PeopleTools update once the threat vector was discovered and hasn’t been a risk for at least 10 years.
Content spoofing and injection is a whole category of techniques for making unexpected modifications to HTTP traffic between the browser and the application. Examples include:
A common technique followed by the bad guys is to install a proxy between the browser and the application, capture traffic, modify the different aspects of the traffic, and play back the results.
PeopleTools protects against spoofing and injection by acting as a single controller that issues and processes the HTTP traffic. Whenever an unexpected event occurs (such as an unexpected URL), it will either issue a security error (such as You are not authorized to access this component) or will terminate your session.
That said, there are techniques that some implementation decisions that customers can make that would allow an organization to circumvent these protections. These would include the following:
Directory indexing is a threat vector where a person gets a web server to disclose the list of files and folders on it. In some cases, this can be used to determine how the application works behind the scenes, even to point of looking at the code that is running on the server.
PeopleSoft provides a few protections against this:
The last threat vector we will discuss. From the context of this discussion, we will be covering information leakage as it relates to an external attacker trying to learn about how the system operates. Information Leakage can also be discussed from the perspective of an authorized user’s use of sensitive application data, which will be discussed in a future post.
Anybody familiar with PeopleSoft’s Control-J function is familiar with type of data that can be leaked. This page provides information about the version of PeopleTools, the PeopleSoft application, and the ports that are being used on the app servers. At the weblogic level, the weblogic console provides information about the java version being run, etc. Although it is great for troubleshooting issues in a development or test environment, an external person can utilize this to research known vulnerabilities for the versions being utilized to plan an attack.
Fortunately, PeopleSoft provides a configuration option in the web profile to turn off disclosure of this information, and the default PROD web profile has this setting made appropriately.
Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives
Want to sort cybercrime fact from fiction? Do you think you know the difference? Test your knowledge. In this OHUG sponsored webinar, GreyHeller will set the record straight about cybersecurity myths using data from its Annual Cybersecurity Survey, the Sans Survey and live audience polling.
This engaging and interactive webinar session will test your internal and external threat knowledge and give you the tools necessary to assess your organizations’ PeopleSoft security. All participants will be given a copy of GreyHeller’s Confidential Threat Assessment Matrix which identifies the internal, external and data threat vectors the bad guys have used to compromise HCM data.
The session will include information on:
We will conclude with real world case studies of how PeopleSoft customers are protecting their HCM data from cybercrime.
Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives
As a follow-up to our June 3rd post PS_TOKEN vulnerability and prevention, I wanted to share recent activity about which you might be interested.
As you might imagine, some of the more public PeopleSoft customers have started to become concerned especially since an attack could occur offline without being detected by the customer.
At GreyHeller, things escalated when one of our Higher Education customers discovered that they were one of the universities Security Week had found. Due to these concerns, and because this customer had processes dependent on the PS_TOKEN cookie, this customer made the decision to shut down access to its production system until satisfied that this risk was addressed.
Following the shutdown, this organization looked at its options, which included the following:
The first two options would require an extensive outage that would affect employees as well as students.
Fortunately through collaboration with GreyHeller, this customer was able to meet its needs with only a brief outage. The ultimate solution will allow this organization to continue to operate PeopleSoft with the strongest protection possible with respect to this issue:
Additionally, GreyHeller was able to address the customers risk without installing or updating software or accessing the PeopleSoft servers directly, which was extremely beneficial to them as their PeopleSoft systems are managed by a hosting provider.
Contact us to schedule a review of your current environment and learn how you, too, could leverage the GreyHeller ERP Firewall to protect your PeopleSoft system.
Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives
GreyHeller was founded on the idea that much of the available enterprise software needed to be simplified.
Co-Founders Chris Heller and Larry Grey worked at PeopleSoft for years. Now, they are behind a company creating elegant solutions for key business problems in areas such as security and user experience.
Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives
In this two-part series, GreyHeller founders and former, early PeopleSoft Technical Strategists, Larry Grey and Chris Heller will discuss ERP trends and how they affect PeopleSoft customers. Part I will discuss Gartner’s recently published 2015 Strategic Road Map for Postmodern ERP and how the opportunities and challenges affect PeopleSoft customers. Part II will be a demo-intensive session showing how GreyHeller customers are meeting these challenges today.
According to Gartner, Monolithic ERP solutions are being deconstructed into postmodern ERP that will result in a more federated, loosely coupled ERP environment with much of the functionality sourced as cloud services or via business process outsourcers. This direction is driven by a need to support strategic, organization-wide functionality that is more flexible, secure, integrated, and modern.
Where does this leave you as a PeopleSoft customer? Do you need to replace PeopleSoft to achieve the architecture and benefits to drive your organization in the future, or do you have an option to leverage it along with other cloud-based solutions?
This session will answer these questions as well as describe how PeopleSoft can be part of a hybrid approach to utilizing PeopleSoft and the cloud:
This session will discuss how GreyHeller customers are utilizing our technology today to utilize PeopleSoft effectively in their postmodern ERP roadmap. This demo-intensive session will include customer case studies and product demonstrations that illustrate how to flexibly and safely retain your PeopleSoft investment by evolving its role from being a monolithic application to a key component of your hybrid ERP architecture.
Security: how to protect your most sensitive data and processes in an ever-evolving cybercrime landscape
Identity Management: how to leverage multiple identity providers for your different constituents — Candidates, Vendors, Employees using solutions such as Facebook, LinkedIn, Azure, and on-premise resources
User Experience: how to provide a seamless solution that is modern, looks consistent across cloud and on-premise components, and is easy to use
Flexibility: how to evolve the functionality you deploy rapidly
Lifecycle Management: how to keep up with new updates (driven by regulatory or business value requirements) while keeping a low TCO
Integration: how to control all of the integrations between each of the component
Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives
If you weren’t in Amsterdam last week, you missed out on a session at the Hack in the Box conference that is sure to be of interest to PeopleSoft customers. Presenters from ERPScan presented their latest findings in ERP vulnerability research and how PeopleSoft is affected.
Most critical to their findings is being able to brute force the PeopleSoft specific PS_TOKEN cookie to be able to recover the internal password used to sign the cookies. This means that an attacker could be able to generate their own PS_TOKEN cookies at will for whatever user name that they choose.
Fear not though; there are ways to make sure that your PeopleSoft system is secure.
For those that aren’t familiar, the PS_TOKEN is what PeopleSoft uses to verify that someone has been authenticated by a PeopleSoft system. It is not the same as the regular session cookie that identifies a given login session, but is one of the mechanisms for establishing a new session. For example, someone might login to a PeopleSoft system for Financial data, receive a PS_TOKEN cookie, and then when accessing a PeopleSoft system for Human Resource data, the PS_TOKEN cookie allows them access without needing to login again for the HR system.
This works by defining in the PeopleSoft configuration which nodes are considered to trust each other. In the example above, where someone logged in to the Financials system and was then given a PS_TOKEN cookie, when they went to the HR system, it would only allow that person to continue without authentication if 1) the node that created the cookie (the Financials system) is in the list of the nodes that the HR system trusts. 2) the PS_TOKEN cookie has not expired (the default expiration is 8 hours, but this is configurable) and 3) the user account that the PS_TOKEN cookie was issued for exists in the HR system.
Unfortunately, generating a PS_TOKEN cookie when someone logs in is hard-coded into PeopleSoft. Even if you don’t have multiple PeopleSoft systems. In theory, you can remove all nodes from the trusted node table so that the generated PS_TOKEN can’t be used for establishing new sessions, but this has an impact on some system level functionality as well (e.g. reporting functionality stops working), which makes that impractical.
It turns out though that you don’t even need a PS_TOKEN cookie to work in PeopleSoft. Who knew?!? You can test this yourself by logging in to a PeopleSoft environment with a browser that allows deleting individual cookies, such as Google Chrome, and remove the PS_TOKEN cookie after you have logged in. Everything will continue working properly.
Deleting the cookie manually is not viable either though. This is something that you can do with the Appsian Security Platform for PeopleSoft. You can remove the PS_TOKEN for just the public browsing sessions or for all users if you don’t rely on the PS_TOKEN cookie to transfer users between different PeopleSoft systems.
You can also create rules in the Security Platform that allow you to allow usage of the PS_TOKEN on your internal network, but block it from external users.
If you already have PeopleSoft configured for external authentication, then you definitely don’t need the PS_TOKEN cookie to pass users between different PeopleSoft systems. Once the person crosses from one system to the other, your external authentication kicks in and automatically log them in to the other environment.
If you require two factor authentication each time someone logs in to PeopleSoft, then this greatly reduces the exposure from an attacker being able to generate their own PS_TOKEN cookies. They would be able to start a session, but then would be immediately challenged for the second factor of authentication.
The Appsian Security Platform for PeopleSoft supports requiring a two factor challenge at authentication time, but one issue is that usability suffers dramatically when constantly requiring a second factor at login time. In fact, what we typically see with Appsian customers implementing the Security Platform is that it is preferred to wait until someone accesses sensitive data/actions before requiring the additional factor of authentication. This hits a balance between locking things down and the user experience.
A stronger hashing function will help, but less than you think. If you look at tools like oclHashcat, they show that breaking an SHA-256 hash runs at about 40% of the speed of breaking an SHA-1 hash. Breaking an SHA-512 hash runs at about 14% of the speed of breaking an SHA-1 hash.
So if it would have taken someone 8 hours before to break an SHA-1 hash, now they have to wait overnight in order to break an SHA-256 hash. Or they have to wait a few days to break an SHA-512 hash. Not a big deal if full access to a PeopleSoft environment as any user is the prize.
The other thing to keep in mind is that you can now rent GPU instances from Amazon with over 1500 cores in them and breaking hashes is something that is, as they say, embarrassingly parallel.
For additional information on the Security Platform or Appsian visit www.appsian.com.
Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives
At GreyHeller we speak with hundreds of ERP systems customers every year across all industries. Because we develop and license enterprise-class software products that modernize and secure PeopleSoft, we work closely with them on whether they should stay with their current, older system or migrate to a newer, more modern ERP system.
In order to help ERP customers understand what their peers are doing, we surveyed over 12,000 ERP customers – across all major platforms – about their degree of customization as well as their plans to upgrade.
ERP systems are designed to suit a broad range of industries. The 75% with moderately or highly customized ERP systems built those customizations to specifically address their unique requirements with the key benefits being efficiency/cost savings, competitive advantage, user adoption and security against cyber crime. Considering that an average ERP implementation costs over $7 million, takes nearly 17 months to complete and delivers less than 50% of expected benefits (Panorama Consulting), it makes total sense that 57% have no plans to upgrade their systems in the next 2 years, or ever.
Let’s consider this: according to Cedar Crestone’s 2013-14 HR Systems survey, the #1 reason organizations switch to a modern ERP system is to improve user experience.
Let’s also consider this: according to FBI Director James Comey, there are 2 types of organizations in the US – those that have been breached and those that don’t know they’ve been breached.
Eureka! If the 75% could modernize and secure while maintaining their customizations, and the 57% could offer their users a more modern, secure user experience, organizations could avoid costly migrations to new ERP platforms and eliminate the risk of a failed or underwhelming project…would that not be the most desirable outcome?
We think so.
Of course, our software does exactly that. We focus on modernizing and securing PeopleSoft. We help PeopleSoft ERP customers deliver a richer, more modern user experience while protecting their PeopleSoft assets from cyber crime. Our customers save millions of dollars by not replacing PeopleSoft. Their users are happy. Their customizations remain intact. Cyber criminals are thwarted from stealing sensitive data.
Fore more information, or to schedule a private PeopleMobile® demo contact us.
Click here to take part in our Annual ERP Security Survey. Your input is valuable and can help protect organizations from internal and external threats.
Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives
"Learn how you can reduce risk with rapid threat protection, audit response and access control. All from a single, comprehensive platform"
Trusted by hundreds of leading brands
