Greg Kelly, part of Oracle’s PeopleTools team, presented to Quest users about how to develop best practices to help harden and protect their PeopleSoft applications. Some of the latest PeopleTools security features can help users protect PeopleSoft against both internal and external threats to their system and data.

The presentation walked through recent threat scenarios and how they could have been avoided, or at least considerably reduced in scope. Greg also covered monitoring tools and how they can be used as part of behavioral analysis to detect and respond to threats.

Prepare for a Crisis

During a discussion with a few PeopleSoft customers, the tagline, “When a crisis arises the time for preparation has passed” came up. It shows how important it is to have security best practices in place now instead of when your system is being attacked and it’s too late to devise a plan. Hardening and protecting your PeopleSoft applications can help prevent an attack before it even happens. Putting expensive defense mechanisms in place is useless if there are ways to simply get around them.

Areas of Concern for Threats

Email Servers, other servers in the same domain, PeopleSoft Stack, WebLogic/Proxies, Tuxedo AppServer, IDE/LCM, and PeopleSoft Database are the main areas of concern for threats. This graphic shows concerns with different areas and potential methods for mitigating those concerns.

Within email, phishing is a major concern. Phishing messages often utilize click bait to lure users into clicking on malicious links. Phishing attackers now utilize Ransomware, crypto mining malware, sextortion email, Business Email Compromise, False Spam, and Massive Shibboleth IDP Attack.  Some mitigations that could be utilized to avoid phishing attacks include monitoring, URL Request Filtering, Site Advisor, and IP Reputation. Security experts say that IoT BotNet threats and DDoS attacks are also likely to become more common. EHRs and other hospital IT systems could face dramatic new risks.

Sources of Threats

Of the abuse, only 40 percent is performed by outsiders. The other 60 percent is performed by insiders. Insider abuse can either be malicious or inadvertent. According to the presentation, 44.5 percent of insider abuse is malicious, and the other 15.5 percent is inadvertent. Some examples of inadvertent abuse would be forgetting your laptop or forgetting your USB drive with important data in an unsecured location. Contributing factors for insider abuse include moral luck, moral hazard, normalization of deviance, Broken Pane Syndrome, willful blindness, hubris, and disengagement/disenchantment.

PeopleSoft Resources

Hardening Security Red Paper, a document by PeopleSoft and Oracle, provides information to securing the network infrastructure. This Security red paper (Doc ID 747524.1) includes a list of secure setups, and additional methods for network protection like intrusion detection systems, intrusion prevention systems, web application firewalls, and Oracle Adaptive Access Manager. In addition, the document provided information about securing PeopleSoft Internet Architecture, PeopleTools security hardening, and securing customized PeopleSoft applications.

There have also been several security enhancements in PeopleTools 8.55. Some of these security enhancements include:

• Extended Access and Connect ID DB Password Length
• New Cookie rules
• Implementation of SHA-2 Certificate and Hash
• Event Mapping Framework
• Authentication for Cloud File Attachment
• Input only field
• Robust forgotten password
• Updated Open SSL Libraries
• Cross-origin resource sharing