8_3_giefer
TRANSCRIPT
8/3/2019 8_3_giefer
http://slidepdf.com/reader/full/83giefer 1/26
Release 11i Workshops
30 Minute Release 11i Security…Keeping the Bad Guys Away
Session Leader: Randy Giefer, Solution Beacon
Release 11i Workshops: San Ramon, CA • Worthington, MA • Los Angeles, CA • St. Louis, MO • Orlando, FL
www.solutionbeacon.com
TRAIL to TEXAS sm
© 2005 Solution Beacon, LLC. All Rights Reserved.
Agenda
  Welcome
  Presenter Introduction
  Presentation Overview
  30 Minute R11i Security
  Audience Survey
  Questions and Answers
30 Minute Release 11i Security “Keeping The Bad People Away”
Case Studies
  Disgruntled employee posts names, SSN, birth dates of company executives on website
  Ex-Employee Steals CRM and Financials Data and Provides to Competitor
  Employee Sells Credit History Database
  Employee Manipulates Payroll Data
  Employee Sells Email Addresses to Spammer
30 Minute Release 11i Security “Keeping The Bad People Away”
Q. What do all of these Case Studies have in common?
  Disgruntled Employee
  Ex-Employee Steals CRM and Financials Data
  Employee Sells Credit History Database
  Employee Manipulates Payroll Data
  Employee Sells Email Addresses to Spammer
A. A firewall didn’t help!!!
What Is Security?
What do you think of when someone mentions “security”?
  Physical Security: Three G’s (Guards, Gates, Gizmos)
  Technology Stack Security
    Network (e.g. Firewalls)
    Server (e.g. Antivirus)
    Database (Auditing?)
    Application (?)
What Is Security?
Network / Perimeter Security
  Firewalls
  Proxy Servers
  Encrypted Traffic
Designed to keep the external bad people out
Who is keeping out the internal bad people?
Today’s Message
Internal Threats Are Real !!!
Fact: Internal Threats Are Real
Despite most people's fears that hackers will break into the company and destroy data or steal critical information, more often than not, security breaches come from the inside.
Fact: Internal Threats Are Real
Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses ...
The FBI is also seeing rampant insider hacking, which accounts for 60% to 80% of corporate computer crimes.
Fact: It May Happen To You
Through 2005, 20 Percent of Enterprises Will Experience a Serious Internet Security Incident – Gartner
By 2005, 60 percent of security breach incident costs incurred by businesses will be financially or politically motivated – Gartner
Are you prepared?
Can you prevent becoming a statistic?
What Is Security?
Security is a PROCESS that occurs (or doesn’t) at multiple levels.
Security awareness at organizations varies due to:
  Organizational Tolerance
  Prior Incidents
  Business Core Function
Security Is A Process
“Process” means it occurs more than once!
  Processes and Procedures
  Internal and External Checks and Balances
  Regular Assessments (Focus = Improve)
    Internal
    Third Party
  Audits (Focus = Identify Problems)
What Is Applications Security?
In an Oracle Applications environment, it’s protection of information from:
  Accidental Data Loss
  Employees
  Ex-Employees
  Hackers
  Competition
Application Security
Part Technology, Mostly User Access
User Security
  Authentication
  Authorization
  Audit Trail
Application Security
Audit Trail effectiveness is almost useless if you can’t ensure:
  Individual accounts are used
  Individuals are who they say they are
What is 30 Minute R11i Applications Security?
Checklist to Easily Implement Two Types/Categories of Security:
  User Account Policies
  Profile Options
Quick and Easy to Implement
Low Investment / High Return Value: “Big Bang for the Buck”
Best Practice: No Shared Accounts
Difficult or Impossible to Properly Audit
How Hard Is It To Guess A Username?
Release 11i Feature to Disallow Multiple Logins Under Same Username
  Uses WF Event/Subscription to Update ICX_SESSIONS Table
  11.5.8 MP
  Patches 2319967, 2128669, WF 2.6
Best Practice: No Generic Passwords
Stay Away From ‘welcome’!!!
11.5.10 Oracle User Management (UMX)
  UMX – User Registration Flow
  Select Random Password
  Random Password Generator
11.5.10 Oracle User Management (UMX)
UMX leverages workflow to implement business logic around the registration process.
  Raising business events
  Provide temporary storage of registration data
  Identity verification
  Username policies
  Include the integration point with Oracle Approval Management
  Create user accounts
  Release usernames
  Assign Access Roles
  Maintain registration status in the UMX schema
  Launch notification workflows
Profile: Signon Password Length
Signon Password Length sets the minimum length of an Oracle Applications password value.
Default Value = 5 characters
Recommendation: At least 7 characters
Profile: Signon Password Hard to Guess
The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess."
Oracle defines a password as hard-to-guess if it follows these rules:
  The password contains at least one letter and at least one number.
  The password does not contain repeating characters.
  The password does not contain the username.
Default Value = No
Recommendation = Yes
Profile: Signon Password No Reuse
This profile option is set to the number of days that must pass before a user is allowed to reuse a password.
Default Value = 0 days
Recommendation = 180 days or greater
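The three hard-to-guess rules, the 7-character minimum and the 180-day no-reuse window from the preceding slides, written out as a checker an administrator could run against candidate passwords before handing them out. This is an added example, not code from the deck or from Oracle; the interpretation of "repeating characters" as any character appearing twice is an assumption, and the sample usernames and passwords are constructed.

```python
import re
from datetime import date, timedelta

# Baseline taken from the deck's recommendations: Signon Password Length >= 7,
# Signon Password Hard to Guess = Yes, Signon Password No Reuse = 180 days.
MIN_LENGTH = 7
NO_REUSE_DAYS = 180


def hard_to_guess_violations(password: str, username: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = acceptable).

    The three rules are the ones the slide lists for Signon Password Hard to Guess,
    plus the Signon Password Length minimum. "Repeating characters" is interpreted
    here as any character occurring more than once, compared case-sensitively
    (assumption: the slide does not say whether only adjacent repeats count).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        problems.append("needs at least one letter and one number")
    if len(set(password)) != len(password):
        problems.append("contains repeating characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def reuse_allowed(last_used: str, today: str, min_days: int = NO_REUSE_DAYS) -> bool:
    """Signon Password No Reuse: an old password may come back only once min_days
    have elapsed since it was last in use. Dates are ISO strings (YYYY-MM-DD)."""
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_used)
    return elapsed >= timedelta(days=min_days)


if __name__ == "__main__":
    # Constructed sample candidates for the (constructed) user JSMITH.
    for candidate in ("welcome", "Xq7mt2p", "jsmith9Q"):
        print(candidate, hard_to_guess_violations(candidate, "JSMITH") or "OK")
    print(reuse_allowed("2005-01-01", "2005-06-30"))
```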
Profile: Signon Password Failure Limit
Default Value = 0 attempts
Recommendation = 3
By default, there is no lockout after failed login attempts. This is just asking to be hacked!
Additional Notes:
  Implement an alert (periodic), custom workflow or report to notify security administrators of a lockout
  FND_UNSUCCESSFUL_LOGINS
  11.5.10 will raise a security exception workflow
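The periodic lockout alert the slide asks for, sketched as an added example (not the deck's or Oracle's code): it counts failed logins per user over rows shaped like FND_UNSUCCESSFUL_LOGINS and names every account that has reached the recommended limit of 3. The rows are constructed, and the choice of a user-name and attempt-time column is an assumption about that table, not its real definition.

```python
from collections import defaultdict
from datetime import datetime

# Recommended Signon Password Failure Limit from the deck.
FAILURE_LIMIT = 3
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows in the shape of FND_UNSUCCESSFUL_LOGINS: (user name,
# attempt time). The column selection is an assumption, not the table's real DDL.
SAMPLE_ROWS = [
    ("JSMITH",   "2005-03-01 08:00:00"),
    ("JSMITH",   "2005-03-01 08:00:40"),
    ("JSMITH",   "2005-03-01 08:01:10"),
    ("AJONES",   "2005-03-01 09:15:00"),
    ("SYSADMIN", "2005-03-01 09:30:00"),
    ("SYSADMIN", "2005-03-01 09:30:20"),
    ("SYSADMIN", "2005-03-01 09:30:45"),
    ("SYSADMIN", "2005-03-01 09:31:05"),
]


def failed_attempts(rows, since=None):
    """Count unsuccessful logins per user, optionally only those at or after `since`
    (a timestamp string in TS_FORMAT), so a periodic job can look at its own window."""
    cutoff = datetime.strptime(since, TS_FORMAT) if since else None
    counts = defaultdict(int)
    for user, ts in rows:
        when = datetime.strptime(ts, TS_FORMAT)
        if cutoff is None or when >= cutoff:
            counts[user] += 1
    return dict(counts)


def locked_out_users(rows, limit=FAILURE_LIMIT, since=None):
    """Users whose failure count reached the limit: the accounts an alert should name."""
    return {u: n for u, n in failed_attempts(rows, since).items() if n >= limit}


def alert_lines(rows, limit=FAILURE_LIMIT, since=None):
    """Render one notification line per locked-out account for a report or e-mail."""
    return ["LOCKOUT %s: %d failed logins (limit %d)" % (u, n, limit)
            for u, n in sorted(locked_out_users(rows, limit, since).items())]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_ROWS):
        print(line)
```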
Profile: ICX:Session Timeout
This profile option determines the length of time (in minutes) of inactivity in a user's form session before the session is disabled. Note that disabled does not mean terminated or killed. The user is provided the opportunity to re-authenticate and re-enable their timed-out session. If the re-authentication is successful, the disabled session is re-enabled and no work is lost. Otherwise, the session is terminated without saving pending work.
Profile: ICX:Session Timeout (cont.)
Default value = none
Recommendation = 30 (minutes)
Also set session.timeout in zone.properties
Available via Patch 2012308 (Included in 11.5.7, FND.E)
Wrap Up
Remember: The Internal Threat Is Real
Thanks to OAUG and to NorCal OAUG
Thank you for attending!
Randy [email protected]