With this article, we are starting a series describing basic assessment procedures that can be carried out on various business applications to improve the resistance of ERP systems to attacks. Having provided a comprehensive review of the most important SAP NetWeaver ABAP security configurations, we are now happy to focus on Oracle PeopleSoft application security and share our knowledge.
As we know, business applications are the core of any large company: they handle all business-critical processes – payments, purchases, logistics, HR, product management, financial planning, etc. All information stored in ERP systems is sensitive, and any unauthorized access to this data can cause huge damage, up to a business interruption.
If you have opened this article, you probably already take PeopleSoft security seriously. Nevertheless, we will try to emphasize its importance once again, and this blog post is intended to describe what exactly will come next.
Oracle PeopleSoft (in)security
All the reputable security media have noted the trend of a skyrocketing number of Oracle patches; the average number of fixes released every quarter has already exceeded 200 (see figure 1). By now, more than 4600 vulnerabilities in all Oracle products have been closed, and about 340 of them address PeopleSoft applications, including the notorious TokenChpoken attack and XSS in Oracle PeopleSoft.
PeopleSoft applications are intended to fulfill the most complex business requirements. They provide comprehensive business and industry solutions, enabling organizations to increase productivity, accelerate business performance, and lower cost of ownership.
Among Oracle’s PeopleSoft applications, there are Human Capital Management (HCM), Financial Management Solutions (FMS), Supply Relationship Management (SRM), Enterprise Services Automation (ESA), Supply Chain Management (SCM), as well as software solutions for manufacturing and student administration. These solutions can work as a unified portal or separately.
PeopleSoft applications are used worldwide with the largest share of customers in the USA.
Oracle PeopleSoft applications are quite complex and consist of many components, so securing them is not a simple matter either. While comprehensive research on PeopleSoft security is lacking, successful attacks against such systems happen from time to time.
Several cases of data breaches caused by vulnerabilities in Oracle PeopleSoft applications were covered in the media. In 2007, two students faced 20 years in prison after they hacked a California state university’s PeopleSoft system. In August 2007, three students installed keylogging software on computers at Florida A&M University and used the obtained passwords to gain access to the school’s PeopleSoft system to modify grades. A student at the University of Nebraska in 2012 broke into a database linked with the university’s PeopleSoft system, exposing Social Security numbers and other sensitive information on about 654,000 current and former students and employees. In March 2013, Salem State University in Massachusetts notified 25,000 students and staff that their Social Security numbers may have been compromised in a database breach. This is not a full list of PeopleSoft attacks, and it covers only university systems.
The aim of this post is to provide the latest version of EAS-SEC’s “The Enterprise Application System Vulnerability Assessment Guide”, which describes the 9 most important business application security areas relating to implementation and operation. This list was prepared by the authors during vulnerability assessments of multiple business applications and can be applied to any of them. These areas are weighty factors for many emerging threats and related attacks. Implementing these security measures means getting ready to prevent numerous attacks targeting business application security.
Top 9 critical areas for business applications
Below, you can find the aforementioned list of the Top 9 critical areas for vulnerability assessment of business applications. Every item is ranked from 1 to 9 according to its severity and impact on the ERP system, business applications, and related security. For this list, 3 main parameters were considered:
1. the initial access required to leverage the vulnerability or misconfiguration issue;
2. the severity of the vulnerability (its potential impact if exploited);
3. the complexity of exploiting the vulnerability.
This list is the same for all business applications, and the descriptions are worded to convey the basic principles of vulnerability assessment for any enterprise application system. We have already posted a security guideline for SAP NetWeaver ABAP, and we decided to prepare a special guideline for Oracle PeopleSoft. In the next chapters, checks for each of these items (applied to Oracle PeopleSoft) will be described in detail.
| Critical area | Access required | Severity | Complexity |
|---|---|---|---|
| 1. Patch management flaws | Anonymous | High | High |
| 2. Default accounts for access to the application | Anonymous | High | High |
| 3. Unnecessary functionality | Anonymous | High | High |
| 4. Open remote management interfaces | Anonymous | High | Medium |
| 5. Insecure settings | Anonymous | Medium | Medium |
| 6. Unencrypted connections | Anonymous | Medium | Medium |
| 7. Access control and SoD conflicts | User | High | Medium |
| 8. Insecure trusted connections | User | High | High |
| 9. Security events logging | Administrator | High | Medium |
The Guide description
The authors’ aim was to keep this list as brief as possible while still covering the most critical threats in each area. This is the main objective of the Guide: although best practices from Oracle and ISACA already exist, our intention was not to create yet another list of issues with no explanation of why a particular issue was (or was not) listed, but to prepare a document that can easily be used by people other than Oracle PeopleSoft security experts. At the same time, the guideline should provide comprehensive coverage of all critical areas of Oracle PeopleSoft security.
As a result, each of the 9 areas includes the major checks that must be implemented first and that can be applied to any system regardless of its settings and custom parameters. It is also important that these checks are equally applicable to production systems and to testing and development systems.
In addition to the major all-purpose checks, each item contains a subsection titled “Further steps” that gives guidelines and instructions on what should be done next and how to further securely configure that particular item. The recommended guidelines are not always mandatory and sometimes depend on the specific Oracle PeopleSoft solution. With this approach, the authors were able, on the one hand, to highlight the key security parameters for a quick assessment of any Oracle PeopleSoft solution (from Human Capital Management to Financial Management or Supply Chain Management) based on the PeopleTools toolset and, on the other hand, to cover all issues and give complete recommendations on them.
In terms of quality, this makes the present Guide different from the Oracle PeopleSoft best practices, which also contain few items but do not cover the overall picture, as well as from the ISACA best practices, which have a lot of items but unclear priorities and are too complicated for a first step (though these papers are highly valuable and necessary). Stay in touch, as we’ll come back with a detailed explanation of each area.