About ERPScan: ERPScan and Oracle
• ERPScan researchers were acknowledged 20+ times in quarterly Oracle patch updates since 2008
• In total, 100+ vulnerabilities closed in Oracle applications:
  o Oracle EBS
  o Oracle PeopleSoft
  o Oracle JDE
  o Oracle WebLogic
  o Oracle BI
  o Oracle Database
Agenda
Cybersecurity trends
ERP systems
All business processes are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in a company's ERP.
This information can include financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, fraud or insider embezzlement can be very effective when targeted at a victim's ERP system, and can cause significant damage to the business.
Business application security
The challenges we face: Cyber attack kill chain
The CISO responsibilities
• Network security
• Web application security
• Endpoint security
• Identity and access governance
• Threat detection and incident response
• Business application security
Kill chain diagram: most of the controls above only detect or prevent the initial intrusion; the later stages of the chain are where the real attack happens.
Why is ERP security critical?
"Enterprises need to shed outmoded concepts of SAP and Oracle enterprise application security in light of attackers that have become increasingly adept at finding high-value targets. A systematic approach to enterprise application vulnerability and security risk management is needed not only to assure that these high-value assets get the protection they require, but also to handle them with the care that their business-critical status typically demands."
Scott Crawford, Research Director, 451 Research
ERP Security
Q: What are the most critical business applications?
Q: What kind of business applications are used in your company?
Source: ERP Cybersecurity Survey 2017
Business Intelligence (BI/BW) 36% | Supply Chain Management 32% | Product Lifecycle Management (PLM) 30% | Enterprise Asset Management (EAM) 27% | Supplier Relationship Management (SRM) 18% | Manufacturing Execution System (MES) 18%
[Chart: further answers include Microsoft Dynamics and Financial System (FL); their percentages are not recoverable from the slide]
Notable news
How important: Cyberattacks on ERP
Q: How will the number of cyberattacks against ERP systems change within the next 2-3 years?
Source: ERP Cybersecurity Survey 2017
How can they do this?
• 2650+ vulnerabilities in all Oracle products
• 338+ vulnerabilities in Oracle PeopleSoft
[Chart: Number of PeopleSoft vulnerabilities over time; y-axis 0 to 350]
Top 10 Oracle Vulnerabilities
• Default database passwords
• Default application passwords
• Direct database access
• Poor application security design
• External application access configuration
• Poor patching policies and procedures
• Access to SQL forms in the application
• Weak change control procedures
• No database or application auditing
• Weak application password controls
PeopleSoft Security: Why hack PeopleSoft?
• Espionage: to steal financial or HR data, supplier and customer lists, or to disclose corporate secrets.
• Sabotage: to cause denial of service, counterfeit financial records and accounting data, or reach the technology network (SCADA).
• Fraud: to carry out false transactions or modify master data.
Challenges of securing PeopleSoft
• Complexity: complexity kills security. There are many different vulnerabilities at every level, from network to application.
• Customization: numerous vulnerable Java Server Pages, PeopleSoft Forms, Core Services, Web Servlets and more.
• Closed nature: mostly available only inside a company (a closed world).
Responsibility
Q: Who will be responsible if your ERP system is breached?
Source: ERP Cybersecurity Survey 2017
Security issues: Some real hacks
Oracle PeopleSoft: Typical security issues
• Default users and passwords
• Authentication bypass (decrypt Access ID)
• Data sniffing (plaintext protocol: Tuxedo)
• WebLogic remote code execution
• SSO vulnerabilities (TokenChpoken)
• Vulnerable servlets
Default users: Information
• In WebLogic (when PeopleSoft is installed):
  o system: Passw0rd (or password), the main administrator
  o operator: password, operator role
  o monitor: password, monitor role
• In PeopleSoft:
  o Before PeopleTools 8.51: password = login, e.g. PS:PS, VP1:VP1, PTDMO:PTDMO
  o From PeopleTools 8.51: all default accounts get the password chosen for PS at install time, e.g. PS:Password, VP1:Password, PTDMO:Password
• In PSIGW (PeopleSoft Integration Gateway):
  o Username is usually "administrator", password is "password"
The PS account is not protected against brute-force attacks by default.
PeopleSoft vulnerabilities: Authentication bypass
• User ID: an account in the PeopleSoft application
• Connect ID: a low-privileged account in the RDBMS
• Access ID: a high-privileged account in the RDBMS
Authentication Process
RDBMS accounts
Some facts:
• Common Connect ID: "people"
  o with password "people" or "peop1e"
  o maximum password length is 8 characters
• Default Access ID:
  o "SYSADM" for Oracle Database
  o "sa" for MSSQL
• The Connect ID password is often the same as the Access ID password
Let's try a dictionary attack on the RDBMS with these defaults.
Connect ID access in the RDBMS
The Connect ID has:
• Read access to three tables
• One of them stores the Access ID and its password in "encrypted" form
• Is the Access ID really encrypted? No, it is only XORed
• So with the Connect ID and network access to the RDBMS, we can recover the Access ID and its password
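The two-phase sign-on described on the previous slides and the XOR weakness above, as an added worked example. This is my own toy model, not ERPScan's tooling or Oracle's code: it keeps what the page states (Connect ID "people" with low privileges, default Access ID "SYSADM", three readable tables, Access ID and password XORed rather than encrypted) and treats everything else as an assumption, namely the fixed key bytes, the hex storage encoding, the row layout of PSACCESSPRFL and the constructed sample rows. The three table names are the ones the PeopleTools documentation grants the Connect ID. The second half shows that even without the fixed key, a known plaintext (the default Access ID, or a Connect ID password reused as the Access ID password) recovers the key bytes directly.

```python
"""Toy model of PeopleSoft two-phase sign-on and of why fixed-key XOR on
PSACCESSPRFL lets anyone holding the Connect ID recover the Access ID.

ASSUMPTIONS (illustration only, NOT PeopleTools' real on-disk format):
the key bytes, the hex storage encoding, and the row layouts below."""
from typing import Dict, List, Tuple

# Hypothetical fixed key. A real fixed key ships with every installation
# and is therefore effectively public, which is the point of the slide.
ASSUMED_KEY = bytes([0x5A, 0x3C, 0x7E, 0x01, 0x9B, 0x44, 0x12, 0xF0, 0x6D, 0x29])

# The three tables the Connect ID is granted SELECT on (PeopleTools docs).
CONNECT_ID_TABLES = {"PSACCESSPRFL", "PSOPRDEFN", "PSSTATUS"}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. It is its own inverse: x ^ k ^ k == x."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(text: str) -> str:
    """What the installer writes (assumed): XOR with the fixed key, hex-encoded."""
    return xor_bytes(text.encode(), ASSUMED_KEY).hex()


def deobfuscate(stored_hex: str) -> str:
    return xor_bytes(bytes.fromhex(stored_hex), ASSUMED_KEY).decode()


class ToyRdbms:
    """Minimal database: accounts, per-account table grants, a few tables."""

    def __init__(self, connect_pw: str, access_id: str, access_pw: str):
        self.accounts = {"people": connect_pw, access_id: access_pw}
        self.grants = {"people": CONNECT_ID_TABLES, access_id: {"*"}}
        self.tables: Dict[str, List[Dict[str, object]]] = {
            "PSSTATUS": [{"TOOLSREL": "8.5x"}],                      # constructed row
            "PSOPRDEFN": [{"OPRID": "PS", "ACCTLOCK": 0}],           # constructed row
            "PSACCESSPRFL": [{                                       # assumed layout
                "SYMBOLICID": "SYSADM1",
                "ACCESSID": obfuscate(access_id),
                "ACCESSPSWD": obfuscate(access_pw),
                "ENCRYPTED": 1,
            }],
            "PS_EMPLOYEES": [{"EMPLID": "0001", "SALARY": 123456}],  # constructed row
        }

    def connect(self, user: str, password: str) -> str:
        """Returns a session token; here simply the authenticated user name."""
        if self.accounts.get(user) != password:
            raise PermissionError(f"login denied for {user}")
        return user

    def select(self, session: str, table: str) -> List[Dict[str, object]]:
        allowed = self.grants[session]
        if "*" not in allowed and table not in allowed:
            raise PermissionError(f"{session} may not read {table}")
        return self.tables[table]


def app_server_signon(db: ToyRdbms, connect_pw: str) -> str:
    """Legitimate flow: Connect ID -> read PSACCESSPRFL -> reconnect as Access ID."""
    s = db.connect("people", connect_pw)
    row = db.select(s, "PSACCESSPRFL")[0]
    return db.connect(deobfuscate(row["ACCESSID"]), deobfuscate(row["ACCESSPSWD"]))


def attacker_with_connect_id(db: ToyRdbms, connect_pw: str) -> Tuple[str, str]:
    """Same steps, run by whoever guessed the Connect ID and can reach the DB."""
    s = db.connect("people", connect_pw)
    row = db.select(s, "PSACCESSPRFL")[0]
    return deobfuscate(row["ACCESSID"]), deobfuscate(row["ACCESSPSWD"])


def recover_keystream(known_plaintext: str, stored_hex: str) -> bytes:
    """Known-plaintext attack: stored ^ plaintext == key bytes, no key needed.
    Usable plaintexts from the slides: the default Access ID "SYSADM", or the
    Connect ID password when it is reused as the Access ID password."""
    stored = bytes.fromhex(stored_hex)
    return bytes(s ^ p for s, p in zip(stored, known_plaintext.encode()))


def decode_with_keystream(stored_hex: str, keystream: bytes) -> str:
    """Decode another column using only the key bytes recovered so far."""
    stored = bytes.fromhex(stored_hex)
    if len(stored) > len(keystream):
        raise ValueError("not enough recovered key bytes for this value")
    return bytes(s ^ k for s, k in zip(stored, keystream)).decode()


def can_read(db: ToyRdbms, session: str, table: str) -> bool:
    try:
        db.select(session, table)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed credentials: Connect ID password reused as the Access ID password.
    db = ToyRdbms(connect_pw="peop1e", access_id="SYSADM", access_pw="peop1e")
    print("app server connected as:", app_server_signon(db, "peop1e"))
    print("attacker recovered:", attacker_with_connect_id(db, "peop1e"))
    s = db.connect("people", "peop1e")
    row = db.select(s, "PSACCESSPRFL")[0]
    ks = recover_keystream("peop1e", row["ACCESSPSWD"])
    print("Access ID from known plaintext only:", decode_with_keystream(row["ACCESSID"], ks))
```

The model makes the privilege gap concrete: the "people" session is refused PS_EMPLOYEES, but the same session reads PSACCESSPRFL, and from that one row it obtains a session that reads everything. Real encryption of the stored credential would only move the problem to the key's location; the lasting fixes are the ones the deck lists later, namely non-default Connect ID and Access ID passwords and no network path from untrusted segments to the RDBMS.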
Solution: Protecting PeopleSoft from Cyberattacks
• Current security solutions such as vulnerability management, SIEM and code scanners provide very little PeopleSoft coverage
• Solutions focused only on ERP security are more effective but typically cover just one of the fields: SoD, vulnerability management or code security
• ERP security tools are, in general, oriented towards those who work with ERP systems, not towards security specialists
About the company: The challenge
ERPScan Security Monitoring Suite: 360-degree Oracle PeopleSoft Protection
Identify
• Vulnerability management
• Customization protection
• Segregation of Duties
Remediate
• Transparent integration
• Virtual patching
Analyze
• Threat map
• Trend analysis
Architecture: How does it work
DEMO: Protecting PeopleSoft from Cyberattacks
Uniqueness & Benefits: The only solution for PeopleSoft protection
• 360-degree approach: SoD, source code, vulnerability management
• Identification, analysis and remediation of security issues
• Threat map (patent pending)
• Module-specific checks: for HR, CRM, Finance, Campus and others
• Non-intrusive solution: implementation does not require any agents or modification of PeopleSoft
Conclusion
To do:
• Implement the latest CPU (Critical Patch Update)
• Configure security-relevant parameters
• Perform security audits
• Continuously monitor PeopleSoft security
Thank you
USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255
EU office: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892
Eugene Neyolov, Head of R&D
[email protected]
Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletter: eepurl.com/bef7h1