
8/6/2019 SheehanKevinGieferRandy-30minRelease11iSecurityOAUG06WP 1/7

COLLABORATE 06 Copyright 2005-2006 by Kevin Sheehan & Randy Giefer Page 1

30 Minute Release 11i Security: Keeping the Bad Guys Away

Kevin Sheehan, Unisys Corp.

Randy Giefer, Solution Beacon, LLC

Introduction

Terrorism. Identity theft. 9/11. It's no longer a safe world, and corporate data needs to be protected not only from the external bad guys, but from the internal ones as well! Many companies believe this won't happen to them until it's too late. This paper discusses numerous ways to quickly and easily improve the security of your Release 11i environment and protect your valuable data. Real-world examples show how substantial security benefits can be obtained, with minimal implementation effort, by performing simple configuration tasks such as modifying the default values of select profile settings and timeout parameters. Security tips and tricks specific to the Oracle Applications will also be provided to enable administrators to protect their data from "the bad guys".

The Need for Security: Case Study Examples

The following Case Studies provide examples of the need for better security.

Case Study #1. A disgruntled Worldcom employee posts the names, social security numbers, and birthdates of company executives that he stole from the corporate system onto a public website.

Case Study #2. A terminated employee whose userid and password were not expired upon termination accesses the company CRM system via the internet, downloads customer and financial data and provides it to a competitor of the former employer.

Case Study #3. An IT department administrator downloads the contents of a Credit History Database and sells the data to a competitor.

Case Study #4. An HR/payroll clerk accesses the HR system and adjusts the salary of her boyfriend who works at the same company.

Case Study #5. An AOL employee downloads tens of millions of AOL email addresses and sells them to a spammer.

Q. What do all of these Case Studies have in common?
A. A firewall didn't help!!!

Common Security Controls

Often, people interact with security controls the moment they arrive at work. Physical security controls allow employees and authorized visitors access to the building they work in. These facility controls for individual users are usually along the lines of the three Gs (Guards, Gates, Gizmos), with Gizmos being card readers or biometric devices like fingerprint, eye, or facial scans.

Other than IT department staff members, most users do not interact with systems-level security controls. As far as Technology Stack Security controls go, some of the most common controls are listed below:


- Network Layer Security (Firewalls, Proxy Servers)
- Server Security (Antivirus, Host Intrusion Detection (HIDS))
- Database (Auditing)
- Application (Authentication and Authorization, Access Lists)

The real problem that needs to be recognized is that most of the above controls are designed to keep the external bad people out of our systems. But the real question that needs to be asked is: Who is keeping out the internal bad people? The internal threats are real!

Statistics That Support The Need For Security

Despite most people's fears that hackers will break into the company and destroy data or steal critical information, more often than not, security breaches come from the inside. Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, and that more than 95% of intrusions result in significant financial losses. The FBI is also seeing rampant insider hacking, which accounts for 60% to 80% of corporate computer crimes.

Statistics are what you make them to be. Even if the following statistics are off or exaggerated, what is left presents a compelling enough reason to recognize that better security is significantly needed.

- Businesses and financial institutions suffered $48 billion in losses due to the 9.9 million Americans who had their identities stolen in 2003. (New York Times, October 2004)
- IT security breaches doubled from 2001 to 2003. (CERT)
- 80% of security breaches are done by insiders. (2003 CSI/FBI Survey)
- In 2005, 20 percent of enterprises experienced a serious internet security incident. (Gartner)
- In 2005, 60 percent of security breach incident costs incurred by businesses will be financially or politically motivated. (Gartner)
- More than 25 percent of critical data within Fortune 1000 businesses will be inaccurate or incomplete through 2007. (Gartner)
- Data volume doubles every 18 months. (Gartner)

Are you prepared? Do you have the controls in place to prevent becoming a statistic?

Understanding Application Security

Application security is part technology, and mostly control. Specifically, the area of User Security is the basic starting point for a good application security strategy. The best approach is a multi-layered security model that increasingly adds controls, for example:

- Authentication
- Authorization
- Audit Trail

Authentication asks "Who are you?" Once the Application has determined you are who you say you are, Authorization asks "What privileges do you have?" or, another way of saying it, "What can you do?" Audit Trail asks "What did you do?" In this model, the accuracy and security of each level is dependent on the accuracy and security of the prior level. The effectiveness of each level is only as good as the prior level. For example, an audit trail is almost useless if you can't ensure that individual accounts are used and individuals are who they say they are. If every user uses a shared or common account, what good does an audit trail do?

Start with basic user controls and work your way up. It does no good to implement other security controls if the internal bad guys have easy access to your data by exploiting weak user access controls.


What is 30 Minute R11i Applications Security?

30 Minute R11i Applications Security is a guide to easily implement select security controls consisting of best practices for user accounts and profile options to set within the Oracle E-Business Suite. These steps are quick and easy to implement, have a low investment in time and effort, and a high return on value (i.e. Big Bang for the Buck).

- Best Practice: No Shared Accounts
- Best Practice: Treat All Non-Production Instances With Same Care As Production
- Best Practice: No Generic Passwords
- Application Profile Values Relating to User Sign On
- Application Profile Values Relating to ICX
- Application Profile Values Relating to CRM
- Jserv (Java) Timeout Settings
- Apache HTTP Timeout Settings
- Forms 60 Environment Timeout Variables
- Oracle Single Sign-On Server Timeouts

The following section of this paper provides details behind the components listed above.

Best Practice: No Shared Accounts

One of the most common security failures is the inability to uniquely identify a user and audit their actions. When a shared or common account is utilized, it becomes exponentially more difficult with each additional shared user to track and audit what changes are being made.

A feature in Release 11i is available to disallow multiple logins under the same username. It uses a workflow event/subscription to update the ICX_SESSIONS table and only allow a single session for a userid. It is available in the 11.5.8 MP, or individually via patches 2319967 and 2128669 (requires Workflow 2.6).

Best Practice: No Generic Passwords

Another common security failure is the use of generic passwords, especially prevalent during password reset calls or initial account creation. Think about it. If the standard procedure for creating a new account is to use the combination of the first initial of the first name and the entire last name for a userid, and the default password is set to "welcome", how hard would it be for an internal bad guy to know the userid and password of a newly hired HR Director?

In 11.5.10 and above, Oracle has provided a new UMX module to help with User Management. It provides the following benefits and features:

- User Registration Flow
  - Select Random Password
  - Random Password Generator
- UMX leverages workflow to implement business logic around the registration process
- Raising business events
- Provide temporary storage of registration data
- Identity verification
- Username policies
- Include the integration point with Oracle Approval Management
- Create user accounts
- Release usernames
- Assign Access Roles


- Maintain registration status in the UMX schema
- Launch notification workflows

Best Practice: Treat All Non-Production Instances With Same Data Protection As Production

Another common security failure is that some companies go to great lengths to lock down and protect their production environment, but end up neglecting the environments (DEV, TEST, QA) that have copies of the production data. Oftentimes, they do not purge, obfuscate or encrypt sensitive data refreshed from production. In other cases, this same unprotected production data residing in non-production environments is accessed by third party development or business partners working on co-operative projects, further exposing corporate risk.

Application Profile Values Relating to User Sign On

The following E-Business Suite profile options address the basic User Authentication level in an Applications Security model.

Profile                          Default   Recommendation
Signon Password Failure Limit    None      3 (attempts)
Signon Password Hard to Guess    No        Yes
Signon Password Length           5         7 (characters)
Signon Password No Reuse         None      180 (days)
Signon Password Custom           None      *1
Sign-On:Notification             No        Yes *2

*1 Used if you want to define your own password scheme in a custom Java class
*2 Only works with GUI, not the Personal Home Page

Signon Password Failure Limit
By default, there is no account lockout after a number of failed login attempts. This is just asking to be hacked! Implement an alert (periodic), custom workflow or report to notify security administrators of a lockout by monitoring FND_UNSUCCESSFUL_LOGINS.

Note: New functionality released in 11.5.10 initiates a security exception workflow when this limit occurs!
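The periodic lockout alert suggested above, as an added example (not code from the paper or from Oracle): it takes rows in the shape a query of FND_UNSUCCESSFUL_LOGINS would return and reports every account whose failed logins reach the recommended limit of 3. The column names user_name and attempt_time, the sample rows, and the 15-minute sliding window (the profile option itself counts failures, not time) are assumptions of this example.

```python
"""Periodic lockout alert over FND_UNSUCCESSFUL_LOGINS (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed column names; in practice the rows would come from
#   SELECT user_name, attempt_time FROM fnd_unsuccessful_logins ...
# Constructed sample rows standing in for that query result.
SAMPLE_ROWS = [
    {"user_name": "JDOE",   "attempt_time": datetime(2006, 4, 10, 8, 0, 5)},
    {"user_name": "JDOE",   "attempt_time": datetime(2006, 4, 10, 8, 0, 40)},
    {"user_name": "JDOE",   "attempt_time": datetime(2006, 4, 10, 8, 1, 12)},
    {"user_name": "ASMITH", "attempt_time": datetime(2006, 4, 10, 8, 5, 0)},
    {"user_name": "ASMITH", "attempt_time": datetime(2006, 4, 10, 11, 30, 0)},
    {"user_name": "HRDIR",  "attempt_time": datetime(2006, 4, 10, 9, 0, 0)},
    {"user_name": "HRDIR",  "attempt_time": datetime(2006, 4, 10, 9, 0, 20)},
    {"user_name": "HRDIR",  "attempt_time": datetime(2006, 4, 10, 9, 0, 45)},
    {"user_name": "HRDIR",  "attempt_time": datetime(2006, 4, 10, 9, 1, 10)},
]

FAILURE_LIMIT = 3   # recommended value of Signon Password Failure Limit


def find_lockouts(rows, limit=FAILURE_LIMIT, window=timedelta(minutes=15)):
    """Return {user_name: (failure_count, last_attempt)} for every user whose
    failed logins reach `limit` inside some sliding `window`.  The time
    window is an assumption of this example, so that a stale failure from
    last week does not keep re-firing the alert on every run."""
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["user_name"]].append(row["attempt_time"])
    locked = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward past attempts that are too old
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= limit:
                locked[user] = (count, t)
    return locked


def format_alert(locked):
    """One alert line per locked-out account, as a periodic alert or report
    would send to the security administrators."""
    return [f"LOCKOUT {user}: {n} failed logins, last at {t:%Y-%m-%d %H:%M:%S}"
            for user, (n, t) in sorted(locked.items())]


if __name__ == "__main__":
    for line in format_alert(find_lockouts(SAMPLE_ROWS)):
        print(line)
```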

Signon Password Hard to Guess
The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess." Oracle defines a password as hard-to-guess if it follows these rules:

- The password contains at least one letter and at least one number.
- The password does not contain repeating characters.
- The password does not contain the username.
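The three hard-to-guess rules together with the recommended minimum length of 7, as an added example checker (not Oracle's own validation code); it shows which rule a candidate breaks, including the generic "welcome" default discussed earlier. Reading "repeating characters" as the same character twice in a row, and comparing the username case-insensitively, are assumptions of this example.

```python
"""Checker for the Signon Password Hard to Guess rules plus the recommended
Signon Password Length (added example, not Oracle's validation code)."""

MIN_LENGTH = 7   # recommended Signon Password Length (the default is 5)


def hard_to_guess_failures(password, username, min_length=MIN_LENGTH):
    """Return the list of rules the candidate password breaks; an empty list
    means it passes.  The repeating-character rule is read here as 'no
    character appears twice in a row' (an assumption of this example)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if any(a == b for a, b in zip(password, password[1:])):
        failures.append("repeating characters")
    # usernames are stored upper-case; compare case-insensitively (assumption)
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    return failures


def is_hard_to_guess(password, username, min_length=MIN_LENGTH):
    return not hard_to_guess_failures(password, username, min_length)


# Constructed candidates, including the generic default the paper warns about.
CANDIDATES = [
    ("welcome",    "JSMITH"),   # generic reset password: no number
    ("jsmith2006", "JSMITH"),   # contains the userid and a repeated '0'
    ("Orange11x",  "JSMITH"),   # repeated '1'
    ("Kb7m2qz",    "JSMITH"),   # passes every rule
]

if __name__ == "__main__":
    for pwd, user in CANDIDATES:
        print(f"{pwd:12} {hard_to_guess_failures(pwd, user) or 'OK'}")
```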

Signon Password Length
Signon Password Length sets the minimum length of an Oracle Applications password value. The default length is 5 and the recommended value is 7.

Signon Password No Reuse
This profile option is set to the number of days that must pass before a user is allowed to reuse a password.


Application Profile Values Relating to ICX

The following E-Business Suite profile options relate to controlling timeouts relating to Inter-Cartridge Exchange (ICX).

Parameter              Default     Recommendation
ICX:Session Timeout    none        30 (minutes)
ICX: Limit Time        4 (hours)   10 (hours)
ICX: Limit Connect     1000        1000

ICX:Session Timeout
This profile option determines the length of time (in minutes) of inactivity in a user's form session before the session is disabled. Note that disabled does not mean terminated or killed. The user is provided the opportunity to re-authenticate and re-enable their timed-out session. If the re-authentication is successful, the disabled session is re-enabled and no work is lost. Otherwise, the session is terminated without saving pending work. This functionality is available via Patch 2012308 (included in 11.5.7, FND.E). Note: Setting the profile value to greater than 30 minutes will drain the JVM resources and can also cause out of memory errors.

ICX: Limit Time
This profile defines the maximum connection time for a connection regardless of user activity. If 'ICX:Session Timeout' is set to NULL, then the session will last only as long as 'ICX: Limit Time', regardless of user activity.

ICX: Limit Connect
This profile defines the maximum number of hits (each request by the browser for a new HTML page constitutes a hit) that a user may make in a single session.

Application Profile Values Relating to CRM

CRM applications utilize the following timeout controls: ICX:Session Timeout, ICX:Limit Time, and JTF_INACTIVE_SESSION_TIMEOUT.

JTF_INACTIVE_SESSION_TIMEOUT
This profile affects CRM-based products only, and serves the same purpose as the ICX:Session Timeout profile. This profile exists for legacy reasons, and its value should be set to the same as ICX:Session Timeout.

Jserv (Java) Timeout Settings

Parameter                                     Default                  Recommendation
disco4iviewer.properties:session.timeout      5400000 (milliseconds)
formservlet.ini:FORMS60_TIMEOUT               55 (minutes)
formservlet.properties:session.timeout        5400000 (milliseconds)
jserv.conf:ApJServVMTimeout                   360 (seconds)
mobile.properties:session.timeout             5400000 (milliseconds)
zone.properties:session.timeout               5400000 (milliseconds)
zone.properties:servlet.framework.initArgs    5400000 (milliseconds)

These settings are located in: ../*ora/iAS/Apache/Jserv/etc


The JServ Timeout is specified by the value of the property session.timeout in the JServ configuration file zone.properties, and represents the number of milliseconds to wait before ending an idle JServ session (the default is 30 minutes). This timeout is used by products based on Oracle Applications Framework (OAF).

Apache HTTP Timeout Settings

The following parameter settings control timeout behavior within Apache.

Parameter                           Default         Recommendation
httpd.conf:Timeout                  300 (seconds)
httpd.conf:KeepAliveTimeout         15 (seconds)
httpd.conf:SSLSessionCacheTimeout   300 (seconds)

These settings are located in: ../*ora/iAS/Apache/Apache/conf

Forms 60 Environment Timeout Variables

The following parameter settings control timeout behavior within Oracle Forms.

Parameter           Default   Recommendation
FORMS60_TIMEOUT     None      55 (minutes)
FORMS60_CATCHTERM   None      0

Modify the APPL_TOP/.env setting to include the following settings:

FORMS60_CATCHTERM=0
FORMS60_TIMEOUT=55 (minutes)

We recommend using a timeout value of 55 because it is less than the 60 minute value used for the web Apache timeout values. Note that these values may vary depending on security policies.

Oracle Single Sign-On Server Timeouts

The following parameter settings control timeout behavior within Oracle Single Sign-On.

Single Sign-On Session Duration represents the number of hours a user can be logged in to the server without being timed out and having to log in again. This timeout value can be specified from the "Edit SSO Server Configuration" link on the SSO Server Administration page. When a user logs in to Release 11i via the Single Sign-On Server, an SSO login session is created and remains valid for the duration specified by this setting.

Global User Inactivity Timeout is not currently supported with Oracle E-Business Suite Single Sign-On integration.


Minute 31: What Is Next?

After the base level security controls defined previously in this paper, the following items can be addressed (of course, they may take longer than 30 minutes).

- Be Paranoid! Think like one of the bad people and assume the worst case scenario, rather than the optimistic approach of "It will never happen to me."

- Review/Update/Create Security Processes, Procedures and Policies. Many organizations do not have defined and documented policies and procedures relating to security-related controls. These are needed to provide to auditors as well as serving as an educational tool for new employees.

- Be Proactive. There are many ways to be proactive in the area of security. Monitoring security sources (e.g. CERT) and subscribing to security Alert distribution lists (e.g. from MetaLink) are just a few ways to stay abreast of security alerts related to the E-Business Suite.

- Stay current on critical Oracle patches for the E-Business Suite. Oracle releases a quarterly Critical Patch Update (CPU) patchset to address corrected vulnerabilities in the Oracle Technology Stack. Refer to the FAQ for Security Alerts and Critical Patch Updates, Document ID: 237007.1.

- Harden your software. The Operating System, Database, and E-Business Suite Tech Stack all can be configured, changed, and modified to be more secure. Hardening consists of disabling unneeded services and changing default configurations (passwords, ports, etc.). Many documents, papers, and books exist on how to accomplish the hardening for each of the software tiers. A hardening procedure should be created and documented as a corporate standard, and adapted only with proper approval when situations merit.

- Perform Internal Assessments. Having another organization within your corporate structure perform the assessment is beneficial because it usually stimulates a lot of "why?" questions. When handled and facilitated properly, these questions often point out breakdowns in procedures, security failures, and broken processes that can be corrected internally.

- Perform a Third Party Assessment. This is especially beneficial because it brings knowledgeable security (and hopefully E-Business) assessors in to review the security controls and setups for a system. The benefit here is that these third parties are contracted or employed by your organization with the intent of working with the organization to improve security. This is in opposition to auditors, who often just want to point out what they believe are security failures. Oftentimes, auditors do not have enough knowledge about the E-Business Suite (e.g. "What do you mean every database user is Apps?") to be able to provide beneficial feedback and meaningful suggestions for improvement.

- Continuous Process Improvement. Security is not just a one-time event; it is a continuous process that needs to change and adapt with the organization.

Conclusion

The internal threat is real! Protection of your corporate data from internal bad guys is as important as protecting the data from the external bad guys. Follow the items described in this paper to more securely protect your data and avoid becoming a statistic!