30 Minute Release 11i Security
Keeping the Bad Guys Away
Welcome

• Today’s Agenda:
   • Presenter Introductions
   • OAUG Membership Benefits
   • Presentation Overview
   • 30 Minute Release 11i Security
   • Minute 31 – Your Next Steps
   • Questions and Answers

                 ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
Presenter – Kevin Sheehan

• 25+ years of IT experience
   • 13 Years Oracle Core DBA
   • 3 Years Oracle Apps DBA
   • 3 Years Oracle Application Server Administration
• Large Homeland Security Implementations
• Email: kevin.sheehan@unisys.com

Co-Presenter – Randy Giefer

• 20+ years of IT experience
   • Databases and Applications
   • 10 years Oracle Apps DBA
   • Fortune 1-1000
   • Government
• Founder of Solution Beacon, LLC
• Security Practice Director
• Applications Security Specialist, Consultant, Advisor
• Email: rgiefer@solutionbeacon.com

OAUG Membership

Member Benefits include:
• Advocacy opportunities to influence Oracle on product enhancements, usability,
  new features, Oracle support, pricing and quality.
• Knowledge that showcases the latest trends and techniques used by industry
  leaders through our national and regional events and our publications, such as
  OAUG Insight magazine.
• Communication with other OAUG members worldwide through participation in
  OAUG committees, leadership positions, interaction with Oracle Corporation's
  user initiatives, frequent member surveys, and Oracle management briefings.
• Education through the hundreds of career-enhancing presentations in our
  conference paper database archive, as well as discounts to conferences and
  Oracle education.
• Networking with Oracle customers, industry experts, third-party software firms,
  and other Oracle Applications specialists through our Member Database and
  Online Vendor Directory.

Presentation Overview

• ½ Awareness
• ½ Real World Best Practices

What Is Security?

• What comes to mind when someone mentions “security”?
   • Physical Security
      • Three Gs ( Guards, Gates, Gizmos )
   • Technology Stack Security
      • Network (e.g. Firewalls, Proxy Servers)
      • Server (e.g. Antivirus)
      • Database ( Auditing? )
      • Application ( Access Lists? )

What Is Security?

• Most often, Security is focused on trying to keep the
  external bad people out …

• But who is keeping out the internal bad people?

30 Minute Release 11i Security
   “Keeping The Bad People Away”

• Case Studies
  • Disgruntled Worldcom employee posts stolen names, SSN,
    birth dates of company executives on public website
  • Ex-Employee Steals CRM and Financials Data and Provides
    to Competitor
  • Employee Sells Credit History Database
  • Employee Manipulates Payroll Data
  • AOL Employee Sells Email Addresses to Spammer

30 Minute Release 11i Security
   “Keeping The Bad People Away”

• Q. What do all of these Case Studies have in
     common?
   • Disgruntled Employee
   • Ex-Employee Steals CRM and Financials Data
   • Employee Sells Credit History Database
   • Employee Manipulates Payroll Data
   • Employee Sells Email Addresses to Spammer
• A. A firewall didn’t help!!!

Today’s Message

• The Internal Threats Are Real!

Fact: Internal Threats Are Real

Despite most people's fears that hackers will
break into the company and destroy data or
steal critical information, more often than not,
security breaches come from the inside.

Fact: Internal Threats Are Real

• Gartner estimates that more than 70% of
  unauthorized access to information systems is
  committed by employees, as are more than 95% of
  intrusions that result in significant financial losses ...
• The FBI is also seeing rampant insider hacking,
  which accounts for 60% to 80% of corporate
  computer crimes

Fact: It may Happen To You

• In 2005, 20 percent of enterprises experienced a serious
  internet security incident – Gartner
• In 2005, 60 percent of security breach incident costs incurred by
  businesses were financially or politically motivated – Gartner
• “33% of ‘attacks’ are conducted by employees; another 28% are
  from former employees” (source: Global State of Information
  Security 2005, April 2006)
• Are you prepared?
• Can you prevent becoming a statistic?

What Is Security?

• Security is a PROCESS that occurs (or doesn’t
  occur) at multiple levels
• Some organizations are better than others
• Security awareness at organizations varies due to:
   • Business Core Function
   • Organizational Tolerance (e.g. SOX)
   • Prior Incidents

Security Is A Process

• “Process” means it occurs more than once!
  • Policies, Processes and Procedures
  • Internal and External Checks and Balances
  • Regular Assessments (Focus = Improve)
      • Internal
      • Third Party
  • Audits (Focus = $ for Auditors)
      • Necessary Evil
      • Many Don’t Understand the Apps

What Is Applications Security?

In an Oracle Applications environment, it’s protection of
   information from:

   • Accidental Data Loss
   • Employees
   • Ex-Employees
   • Hackers
   • Competition

Application Security – Today’s Focus

• Part Technology, Mostly User Access
• User Security
   • Authentication
   • Authorization
   • Audit
• Start with the basic levels first and work your way up
  (i.e. Why implement a proxy server, DMZ, and
  firewalls if you are running with default passwords?)

Application Security

• Authentication – Who are you?
• Authorization – What privileges do you have?
• Audit – Effectiveness is almost useless if you can’t
  ensure:
   • Individual accounts are used
   • Individuals are who they say they are

What is “30 Minute Release 11i
Applications Security”?
• Now that you are “aware” of the need for Security…
• Easily Implement Select Security Controls Consisting
  Of:
   • User Account Policies
   • Profile Options
• Quick and Easy to Implement
• Low Investment / High Return Value
• “Big Bang for the Buck”

Best Practice: No Shared Accounts

• Difficult or Impossible to Properly Audit
• Release 11i Feature to Disallow Multiple Logins
  Under Same Username:
   • Uses WF Event/Subscription to Update ICX_SESSIONS
   • 11.5.8 MP
   • Patches 2319967, 2128669, WF 2.6

Best Practice: No Generic Passwords

• Stay Away From ‘welcome’!!!
• How Hard Is It To Guess A Username?
• 11.5.10 Oracle User Management (UMX)
• UMX – User Registration Flow
   • Select Random Password
   • Random Password Generator

11.5.10 Oracle User Management (UMX)

• UMX leverages workflow to implement business logic around the
  registration process
• Raising business events
• Provide temporary storage of registration data
• Identity verification
• Username policies
• Include the integration point with Oracle Approval Management
• Create user accounts
• Release usernames
• Assign Access Roles
• Maintain registration status in the UMX schema
• Launch notification workflows

Application Profile Options

• Relating to Passwords
• Set according to your IT policies
• Consistent with other systems
• Don’t change “on-the-fly”
• Changes need to be communicated in advance

Profile: Signon Password Length

• Signon Password Length sets the minimum length of
  an Oracle Applications user password value
• Default Value = 5 characters
• Recommendation: At least 7 characters. Set module
  accounts to a much longer value.

Profile: Signon Password Hard to Guess

• The Signon Password Hard to Guess profile option sets internal
  rules for verifying passwords to ensure that they will be “hard to
  guess”
• Oracle defines a password as hard-to-guess if it follows these
  rules:
    • The password contains at least one letter and at least one number
    • The password does not contain repeating characters
    • The password does not contain the username
• Default Value = No
• Recommendation = Yes

Profile: Signon Password No Reuse

• This profile option is set to the number of days that
  must pass before a user is allowed to reuse a
  password
• Default Value = 0 days
• Recommendation = 180 days or greater
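Added example (not from the presentation and not Oracle’s code): a small Python checker that applies the three password profiles above with the recommended values, so you can see which rule a candidate password trips. It assumes “repeating characters” means the same character twice in a row, compares case-insensitively (11i passwords are not case sensitive before ATG_PF.H RUP3), and takes a constructed plaintext history where a real check would compare stored hashes.

```python
# Added example: applies the Signon Password Length, Hard to Guess and
# No Reuse profile rules from the slides with the recommended values.
# Not Oracle code; the rule interpretations are assumptions noted inline.
from datetime import datetime, timedelta

# Recommended values from the slides (Oracle defaults are 5 / No / 0)
SIGNON_PASSWORD_LENGTH = 7
SIGNON_PASSWORD_HARD_TO_GUESS = True
SIGNON_PASSWORD_NO_REUSE_DAYS = 180


def hard_to_guess_violations(password, username):
    """Return the 'hard to guess' rules the password breaks (empty list = passes)."""
    problems = []
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("needs at least one letter and one number")
    # Assumption: "repeating characters" means the same character twice in a row
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("contains repeating characters")
    # Case-insensitive: 11i passwords are not case sensitive before ATG_PF.H RUP3
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def validate_new_password(password, username, history, now):
    """history: list of (old_password, date_set) tuples. Constructed plaintext
    here; a real implementation compares stored hashes. Returns the violations."""
    problems = []
    if len(password) < SIGNON_PASSWORD_LENGTH:
        problems.append(f"shorter than {SIGNON_PASSWORD_LENGTH} characters")
    if SIGNON_PASSWORD_HARD_TO_GUESS:
        problems.extend(hard_to_guess_violations(password, username))
    # Signon Password No Reuse: reject any password set within the window
    cutoff = now - timedelta(days=SIGNON_PASSWORD_NO_REUSE_DAYS)
    if any(old.lower() == password.lower() and set_on >= cutoff
           for old, set_on in history):
        problems.append(f"reused within {SIGNON_PASSWORD_NO_REUSE_DAYS} days")
    return problems


def demo_results():
    """Run constructed candidates for user JSMITH; returns {candidate: violations}."""
    now = datetime(2006, 6, 1)
    # Constructed history: one earlier password, changed 30 days ago
    history = [("Tr4vel9z", now - timedelta(days=30))]
    candidates = ("welcome", "jsmith2006", "Tr4vel9z", "ab1", "Bl7ue0ak")
    return {c: validate_new_password(c, "JSMITH", history, now) for c in candidates}


if __name__ == "__main__":
    for candidate, violations in demo_results().items():
        print(f"{candidate:12} -> {violations or 'OK'}")
```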

Profile: Signon Password Failure Limit

• Default Value = 0 attempts
• Recommendation = 3 (adhere to policy)
• By default, there is no lockout after failed login attempts:
  This is just asking to be hacked!
• Additional Notes:
   • Implement an alert (periodic), custom workflow or report to
     notify security administrators of a lockout
   • FND_UNSUCCESSFUL_LOGINS
   • 11.5.10 raises a security exception workflow
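Added example (not from the presentation and not Oracle’s code) of the periodic lockout alert suggested above: it runs over rows shaped like FND_UNSUCCESSFUL_LOGINS and reports every user whose failed logins since the last run reach the failure limit of 3, with the terminals involved for triage. The rows are constructed, and the three fields used (user name, attempt time, terminal) are assumptions about that table; check the column names in your own instance before wiring this to a real extract.

```python
# Added example: periodic lockout report over rows shaped like
# FND_UNSUCCESSFUL_LOGINS. Not Oracle code; the field layout is an assumption.
from collections import defaultdict
from datetime import datetime

# Recommended value from the slides (default 0 = no lockout at all)
SIGNON_PASSWORD_FAILURE_LIMIT = 3

# Constructed sample rows: (user_name, attempt_time, terminal_id)
SAMPLE_ROWS = [
    ("JSMITH",   "2006-03-01 08:59:10", "ws-101"),
    ("JSMITH",   "2006-03-01 08:59:30", "ws-101"),
    ("JSMITH",   "2006-03-01 09:00:05", "ws-101"),
    ("SYSADMIN", "2006-03-01 02:14:00", "ws-777"),
    ("SYSADMIN", "2006-03-01 02:14:08", "ws-778"),
    ("SYSADMIN", "2006-03-01 02:14:15", "ws-777"),
    ("SYSADMIN", "2006-03-01 02:14:21", "ws-778"),
    ("MJONES",   "2006-03-01 10:30:00", "ws-205"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def lockout_report(rows, since, limit=SIGNON_PASSWORD_FAILURE_LIMIT):
    """Users whose failed logins at or after `since` reach `limit`.
    Returns {user: {"count", "first", "last", "terminals"}} for the alert."""
    by_user = defaultdict(list)
    for user, when, terminal in rows:
        when = _ts(when)
        if when >= since:                     # only rows since the last run
            by_user[user].append((when, terminal))
    report = {}
    for user, attempts in by_user.items():
        if len(attempts) < limit:
            continue
        attempts.sort()
        report[user] = {
            "count": len(attempts),
            "first": attempts[0][0].strftime("%Y-%m-%d %H:%M:%S"),
            "last": attempts[-1][0].strftime("%Y-%m-%d %H:%M:%S"),
            # distinct terminals: several sources against one account is worth a look
            "terminals": sorted({t for _, t in attempts}),
        }
    return report


def run_sample(since_text="2006-03-01 00:00:00"):
    """Run the report over the constructed rows from the given start time."""
    return lockout_report(SAMPLE_ROWS, _ts(since_text))


if __name__ == "__main__":
    for user, info in run_sample().items():
        print(f"LOCKOUT {user}: {info['count']} failures "
              f"{info['first']}..{info['last']} from {', '.join(info['terminals'])}")
```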

ATG_PF.H Rollup 3 Enhancements

• Case Sensitivity in User Passwords (Better OID
  integration)
• Profiles Server+Responsibility Hierarchy Type
  (Allows profile values to be set for specific
  combinations of servers and responsibilities)
• Oracle User Management: Configurable User Name
  Policy (Validates a specified format for user names –
  e.g. e-mail address)

Profile: ICX:Session Timeout

• The length of time (in minutes) of inactivity in a user's
  form session before the session is disabled.
• Default value = none
• Recommendation = 30 (minutes)
• Also set session.timeout in zone.properties
• Available via Patch 2012308
      (Included in 11.5.7, FND.E)
• Numerous other timeouts defined in Whitepaper

Minute 31 – Your Next Steps

• Be Paranoid!
• Review/Update/Create Security Processes,
  Procedures and Policies
• Be Proactive – Monitor Security Sources
• Oracle Critical Patch Update
   • CPU FAQ: 237007.1
   • Quarterly Releases

Minute 31 – Your Next Steps (continued)

• Harden Operating System
• Harden Database
• Harden E-Business Suite Tech Stack
• MetaLink Doc 189367.1 – Securing The E-Business
  Suite
• Internal Assessment
• Third Party Assessment
• Continuous Process Improvement

The Internal Threat is Real!

• Questions & Answers



Kevin Sheehan           kevin.sheehan@unisys.com
Randy Giefer            rgiefer@solutionbeacon.com
More Related Content

What's hot

Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Ruben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security InitiativesRuben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security Initiativescentralohioissa
 
EXTERNAL - Whitepaper - 5 Steps to Weather the Zero Hour
EXTERNAL - Whitepaper - 5 Steps to Weather the Zero HourEXTERNAL - Whitepaper - 5 Steps to Weather the Zero Hour
EXTERNAL - Whitepaper - 5 Steps to Weather the Zero HourYasser Mohammed
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...Eric Vanderburg
 
Ofer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World CasesOfer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World Casescentralohioissa
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
Using 80 20 rule in application security management
Using 80 20 rule in application security managementUsing 80 20 rule in application security management
Using 80 20 rule in application security managementDaveEdwards12
 
Keeping Your Data Clean
Keeping Your Data CleanKeeping Your Data Clean
Keeping Your Data CleanResolver Inc.
 
Securing the New Digital Enterprise: Trackable, Controlled, and Authorized
Securing the New Digital Enterprise: Trackable, Controlled, and AuthorizedSecuring the New Digital Enterprise: Trackable, Controlled, and Authorized
Securing the New Digital Enterprise: Trackable, Controlled, and AuthorizedEnterprise Management Associates
 
Open Source Security - It can be done easily.
Open Source Security - It can be done easily.Open Source Security - It can be done easily.
Open Source Security - It can be done easily.Flexera
 
4 Security Guidelines for SharePoint Governance
4 Security Guidelines for SharePoint Governance4 Security Guidelines for SharePoint Governance
4 Security Guidelines for SharePoint GovernanceImperva
 
How to Reduce the Attack Surface Created by Your Cyber-Tools
How to Reduce the Attack Surface Created by Your Cyber-ToolsHow to Reduce the Attack Surface Created by Your Cyber-Tools
How to Reduce the Attack Surface Created by Your Cyber-ToolsEnterprise Management Associates
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityDell EMC World
 
Internal Audit's Role in Ethics, Governance, & Culture
Internal Audit's Role in Ethics, Governance, & CultureInternal Audit's Role in Ethics, Governance, & Culture
Internal Audit's Role in Ethics, Governance, & CultureJim Kaplan CIA CFE
 
Survey: Security Analytics and Intelligence
Survey: Security Analytics and IntelligenceSurvey: Security Analytics and Intelligence
Survey: Security Analytics and IntelligenceSolarWinds
 
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your MindBrian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mindcentralohioissa
 

What's hot (20)

Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Ruben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security InitiativesRuben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security Initiatives
 
EXTERNAL - Whitepaper - 5 Steps to Weather the Zero Hour
EXTERNAL - Whitepaper - 5 Steps to Weather the Zero HourEXTERNAL - Whitepaper - 5 Steps to Weather the Zero Hour
EXTERNAL - Whitepaper - 5 Steps to Weather the Zero Hour
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
 
Ofer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World CasesOfer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World Cases
 
HEMISPHERE SMB Case Study
HEMISPHERE SMB Case StudyHEMISPHERE SMB Case Study
HEMISPHERE SMB Case Study
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
Using 80 20 rule in application security management
Using 80 20 rule in application security managementUsing 80 20 rule in application security management
Using 80 20 rule in application security management
 
Keeping Your Data Clean
Keeping Your Data CleanKeeping Your Data Clean
Keeping Your Data Clean
 
It22015 slides
It22015 slidesIt22015 slides
It22015 slides
 
Securing the New Digital Enterprise: Trackable, Controlled, and Authorized
Securing the New Digital Enterprise: Trackable, Controlled, and AuthorizedSecuring the New Digital Enterprise: Trackable, Controlled, and Authorized
Securing the New Digital Enterprise: Trackable, Controlled, and Authorized
 
Open Source Security - It can be done easily.
Open Source Security - It can be done easily.Open Source Security - It can be done easily.
Open Source Security - It can be done easily.
 
It62015 slides
It62015 slidesIt62015 slides
It62015 slides
 
20160210 webinarslides
20160210 webinarslides20160210 webinarslides
20160210 webinarslides
 
4 Security Guidelines for SharePoint Governance
4 Security Guidelines for SharePoint Governance4 Security Guidelines for SharePoint Governance
4 Security Guidelines for SharePoint Governance
 
How to Reduce the Attack Surface Created by Your Cyber-Tools
How to Reduce the Attack Surface Created by Your Cyber-ToolsHow to Reduce the Attack Surface Created by Your Cyber-Tools
How to Reduce the Attack Surface Created by Your Cyber-Tools
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in Cybersecurity
 
Internal Audit's Role in Ethics, Governance, & Culture
Internal Audit's Role in Ethics, Governance, & CultureInternal Audit's Role in Ethics, Governance, & Culture
Internal Audit's Role in Ethics, Governance, & Culture
 
Survey: Security Analytics and Intelligence
Survey: Security Analytics and IntelligenceSurvey: Security Analytics and Intelligence
Survey: Security Analytics and Intelligence
 
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your MindBrian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
 

Similar to 30 Minute Release11i Security

Infor 10x Advantage On Air Summit Presentation - Make Better Decisions Faster
Infor 10x Advantage On Air Summit Presentation - Make Better Decisions Faster Infor 10x Advantage On Air Summit Presentation - Make Better Decisions Faster
Infor 10x Advantage On Air Summit Presentation - Make Better Decisions Faster Godlan, Inc
 
Innovating Government: Building a Culture of DevSecOps for Rapid and Secure M...
Innovating Government: Building a Culture of DevSecOps for Rapid and Secure M...Innovating Government: Building a Culture of DevSecOps for Rapid and Secure M...
Innovating Government: Building a Culture of DevSecOps for Rapid and Secure M...Amazon Web Services
 
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...CA Technologies
 
Penetration Testing as an auditing tool
Penetration Testing as an auditing toolPenetration Testing as an auditing tool
Penetration Testing as an auditing toolsyrinxtech
 
Quick Response Fraud Detection
Quick Response Fraud DetectionQuick Response Fraud Detection
Quick Response Fraud DetectionFraudBusters
 
Your Service Desk is Privileged, Too
Your Service Desk is Privileged, TooYour Service Desk is Privileged, Too
Your Service Desk is Privileged, TooBomgar
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorDavid Perkins
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityJoan Weber
 
Six Steps to Secure Access for Privileged Insiders & Vendors
Six Steps to Secure Access for Privileged Insiders & VendorsSix Steps to Secure Access for Privileged Insiders & Vendors
Six Steps to Secure Access for Privileged Insiders & VendorsBomgar
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityJoel Cardella
 
Emerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access ManagementEmerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access ManagementCA Technologies
 
Who Owns the “S” in S&OP?
Who Owns the “S” in S&OP?Who Owns the “S” in S&OP?
Who Owns the “S” in S&OP?Steelwedge
 
If I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPIf I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPERPScan
 
How to Protect Your Oracle Database from Hackers
How to Protect Your Oracle Database from HackersHow to Protect Your Oracle Database from Hackers
How to Protect Your Oracle Database from HackersJeff Kayser
 
Heureka Webinar – Security, the Growth Engine for eDiscovery Professionals
Heureka Webinar – Security, the Growth Engine for eDiscovery ProfessionalsHeureka Webinar – Security, the Growth Engine for eDiscovery Professionals
Heureka Webinar – Security, the Growth Engine for eDiscovery ProfessionalsHeureka Software
 
bal-internet-presence-protection-analysis
bal-internet-presence-protection-analysisbal-internet-presence-protection-analysis
bal-internet-presence-protection-analysisBen Livson
 

Similar to 30 Minute Release11i Security (20)

Infor 10x Advantage On Air Summit Presentation - Make Better Decisions Faster
Infor 10x Advantage On Air Summit Presentation - Make Better Decisions Faster Infor 10x Advantage On Air Summit Presentation - Make Better Decisions Faster
Infor 10x Advantage On Air Summit Presentation - Make Better Decisions Faster
 
Innovating Government: Building a Culture of DevSecOps for Rapid and Secure M...
Innovating Government: Building a Culture of DevSecOps for Rapid and Secure M...Innovating Government: Building a Culture of DevSecOps for Rapid and Secure M...
Innovating Government: Building a Culture of DevSecOps for Rapid and Secure M...
 
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
 
Penetration Testing as an auditing tool
Penetration Testing as an auditing toolPenetration Testing as an auditing tool
Penetration Testing as an auditing tool
 
Quick Response Fraud Detection
Quick Response Fraud DetectionQuick Response Fraud Detection
Quick Response Fraud Detection
 
Your Service Desk is Privileged, Too
Your Service Desk is Privileged, TooYour Service Desk is Privileged, Too
Your Service Desk is Privileged, Too
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your Favor
 
Secure Iowa Oct 2016
Secure Iowa Oct 2016Secure Iowa Oct 2016
Secure Iowa Oct 2016
 
Primer for Information Security Programs
Primer for Information Security ProgramsPrimer for Information Security Programs
Primer for Information Security Programs
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber Security
 
Six Steps to Secure Access for Privileged Insiders & Vendors
Six Steps to Secure Access for Privileged Insiders & VendorsSix Steps to Secure Access for Privileged Insiders & Vendors
Six Steps to Secure Access for Privileged Insiders & Vendors
 
BREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAPBREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAP
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics security
 
Emerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access ManagementEmerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access Management
 
Who Owns the “S” in S&OP?
Who Owns the “S” in S&OP?Who Owns the “S” in S&OP?
Who Owns the “S” in S&OP?
 
If I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPIf I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERP
 
How to Protect Your Oracle Database from Hackers
How to Protect Your Oracle Database from HackersHow to Protect Your Oracle Database from Hackers
How to Protect Your Oracle Database from Hackers
 
Heureka Webinar – Security, the Growth Engine for eDiscovery Professionals
Heureka Webinar – Security, the Growth Engine for eDiscovery ProfessionalsHeureka Webinar – Security, the Growth Engine for eDiscovery Professionals
Heureka Webinar – Security, the Growth Engine for eDiscovery Professionals
 
bal-internet-presence-protection-analysis
bal-internet-presence-protection-analysisbal-internet-presence-protection-analysis
bal-internet-presence-protection-analysis
 
Risks vs real life
Risks vs real lifeRisks vs real life
Risks vs real life
 

30 Minute Release11i Security

  • 1. 30 Minute Release 11i Security Keeping the Bad Guys Away
  • 2. Welcome • Today’s Agenda: Presenter Introductions • OAUG Membership Benefits • Presentation Overview • 30 Minute Release 11i Security • Minute 31 – Your Next Steps • Questions and Answers • ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
  • 3. Presenter – Kevin Sheehan • 25+ years of IT experience • 13 Years Oracle Core DBA • 3 Years Oracle Apps DBA • 3 Years Oracle Application Server Administration • Large Homeland Security Implementations • Email: kevin.sheehan@unisys.com ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
  • 4. Co-Presenter – Randy Giefer • 20+ years of IT experience Databases and Applications • 10 years Oracle Apps DBA • Fortune 1-1000 • Government • Founder of Solution Beacon, LLC • Security Practice Director • Applications Security Specialist, Consultant, Advisor • Email: rgiefer@solutionbeacon.com • ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
  • 5. OAUG Membership Member Benefits include: • Advocacy opportunities to influence Oracle on product enhancements, usability, new features, Oracle support, pricing and quality. • Knowledge that showcases the latest trends and techniques used by industry leaders through our national and regional events and our publications, such as OAUG Insight magazine. • Communication with other OAUG members worldwide through participation in OAUG committees, leadership positions, interaction with Oracle Corporation's user initiatives, frequent member surveys, and Oracle management briefings. • Education through the hundreds of career-enhancing presentations in our conference paper database archive, as well as discounts to conferences and Oracle education. • Networking with Oracle customers, industry experts, third-party software firms, and other Oracle Applications specialists through our Member Database and Online Vendor Directory. ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
  • 6. Presentation Overview • ½ Awareness • ½ Real World Best Practices ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
  • 7. What Is Security? • What comes to mind when someone mentions “security”? • Physical Security • Three Gs ( Guards, Gates, Gizmos ) • Technology Stack Security • Network (e.g. Firewalls, Proxy Servers) • Server (e.g. Antivirus) • Database ( Auditing? ) • Application ( Access Lists? ) ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
  • 8. What Is Security? • Most often, Security is focused on trying to keep the external bad people out … • But who is keeping out the internal bad people? ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
  • 9. 30 Minute Release 11i Security “Keeping The Bad People Away” • Case Studies • Disgruntled Worldcom employee posts stolen names, SSN, birth dates of company executives on public website • Ex-Employee Steals CRM and Financials Data and Provides to Competitor • Employee Sells Credit History Database • Employee Manipulates Payroll Data • AOL Employee Sells Email Addresses to Spammer ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
  • 10. 30 Minute Release 11i Security “Keeping The Bad People Away” • Q. What do all of these Case Studies have in common? Disgruntled Employee • Ex-Employee Steals CRM and Financials Data • Employee Sells Credit History Database • Employee Manipulates Payroll Data • Employee Sells Email Addresses to Spammer • • A. A firewall didn’t help!!! ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
  • 11. Today’s Message • The Internal Threats Are Real! ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
  • 12. Fact: Internal Threats Are Real Despite most people's fears that hackers will break into the company and destroy data or steal critical information, more often than not, security breaches come from the inside. ©2006 Kevin Sheehan and Randy Giefer. All Rights Reserved.
Fact: Internal Threats Are Real

• Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses ...
• The FBI is also seeing rampant insider hacking, which accounts for 60% to 80% of corporate computer crimes
Fact: It May Happen To You

• In 2005, 20 percent of enterprises experienced a serious internet security incident – Gartner
• In 2005, 60 percent of security breach incident costs incurred by businesses were financially or politically motivated – Gartner
• “33% of ‘attacks’ are conducted by employees; another 28% are from former employees” (source: Global State of Information Security 2005, April 2006)
• Are you prepared?
• Can you prevent becoming a statistic?
What Is Security?

• Security is a PROCESS that occurs (or doesn’t occur) at multiple levels
• Some organizations are better than others
• Security awareness varies between organizations due to:
   • Business Core Function
   • Organizational Tolerance (e.g. SOX)
   • Prior Incidents
Security Is A Process

• “Process” means it occurs more than once!
• Policies, Processes and Procedures
• Internal and External Checks and Balances
• Regular Assessments (Focus = Improve)
   • Internal
   • Third Party
• Audits (Focus = $ for Auditors)
   • Necessary Evil
   • Many Don’t Understand the Apps
What Is Applications Security?

In an Oracle Applications environment, it’s protection of information from:
• Accidental Data Loss
• Employees
• Ex-Employees
• Hackers
• Competition
Application Security – Today’s Focus

• Part Technology, Mostly User Access
• User Security
   • Authentication
   • Authorization
   • Audit
• Start with the basic levels first and work your way up (i.e. Why implement a proxy server, DMZ, and firewalls if you are running with default passwords?)
Application Security

• Authentication – Who are you?
• Authorization – What privileges do you have?
• Audit – Almost useless unless you can ensure that:
   • Individual accounts are used
   • Individuals are who they say they are
What is “30 Minute Release 11i Applications Security”?

• Now that you are “aware” of the need for Security…
• Easily Implement Select Security Controls Consisting Of:
   • User Account Policies
   • Profile Options
• Quick and Easy to Implement
• Low Investment / High Return Value
• “Big Bang for the Buck”
Best Practice: No Shared Accounts

• Difficult or Impossible to Properly Audit
• Release 11i Feature to Disallow Multiple Logins Under Same Username:
   • Uses WF Event/Subscription to Update ICX_SESSIONS
   • 11.5.8 MP
   • Patches 2319967, 2128669, WF 2.6
Best Practice: No Generic Passwords

Stay Away From ‘welcome’!!!
• How Hard Is It To Guess A Username?
• 11.5.10 Oracle User Management (UMX)
   • UMX – User Registration Flow
   • Select Random Password
   • Random Password Generator
11.5.10 Oracle User Management (UMX)

UMX leverages workflow to implement business logic around the registration process:
• Raising business events
• Provide temporary storage of registration data
• Identity verification
• Username policies
• Include the integration point with Oracle Approval Management
• Create user accounts
• Release usernames
• Assign Access Roles
• Maintain registration status in the UMX schema
• Launch notification workflows
Application Profile Options Relating to Passwords

• Set according to your IT policies
• Consistent with other systems
• Don’t change “on-the-fly”
   • Changes need to be communicated in advance
Profile: Signon Password Length

• Signon Password Length sets the minimum length of an Oracle Applications user password value
• Default Value = 5 characters
• Recommendation: At least 7 characters. Set module accounts to a much longer value.
Profile: Signon Password Hard to Guess

• The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be “hard to guess”
• Oracle defines a password as hard-to-guess if it follows these rules:
   • The password contains at least one letter and at least one number
   • The password does not contain repeating characters
   • The password does not contain the username
• Default Value = No
• Recommendation = Yes
Profile: Signon Password No Reuse

• This profile option is set to the number of days that must pass before a user is allowed to reuse a password
• Default Value = 0 days
• Recommendation = 180 days or greater
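The three password profile options above (Signon Password Length, Signon Password Hard to Guess, Signon Password No Reuse) amount to one policy check. The following Python is an added example written for this page, not Oracle's own password-validation code; it implements the three slide rules with the recommended values as defaults. The "repeating characters" rule is read here as the same character appearing twice in a row, which is an assumption (Oracle's exact check may differ), and the history store, the SHA-256 digest and the user name `jsmith` are constructed for illustration only.

```python
"""Policy check modelled on the Signon Password profile options.

Added illustration, not Oracle's own code. Rule names follow the slides;
the hash-based history and the reading of "repeating characters" as
consecutive duplicates are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass
class SignonPasswordPolicy:
    min_length: int = 7          # slide recommendation (Oracle default is 5)
    hard_to_guess: bool = True   # slide recommendation "Yes" (default No)
    no_reuse_days: int = 180     # slide recommendation 180+ (default 0)


@dataclass
class PasswordHistoryEntry:
    digest: str   # digest of a previous password (illustrative hash)
    set_on: date  # date that password was set


def _digest(password: str) -> str:
    # Illustrative only: a real credential store uses a salted, slow hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hard_to_guess_violations(password: str, username: str) -> list:
    """Apply the three 'hard to guess' rules listed on the slide."""
    problems = []
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("must contain at least one letter and one number")
    # Assumption: 'repeating characters' = same character twice in a row.
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("must not contain repeating characters")
    if username and username.lower() in password.lower():
        problems.append("must not contain the username")
    return problems


def validate_new_password(password, username, history, today,
                          policy=SignonPasswordPolicy()) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.hard_to_guess:
        problems.extend(hard_to_guess_violations(password, username))
    if policy.no_reuse_days > 0:  # 0 days (the default) disables the check
        cutoff = today - timedelta(days=policy.no_reuse_days)
        new_digest = _digest(password)
        if any(e.digest == new_digest and e.set_on > cutoff for e in history):
            problems.append(f"reused within {policy.no_reuse_days} days")
    return problems


def demo() -> dict:
    """Constructed sample: user 'jsmith' changing password on 2006-06-01."""
    today = date(2006, 6, 1)
    history = [
        PasswordHistoryEntry(_digest("Spring06ab"), date(2006, 5, 1)),   # 31 days ago
        PasswordHistoryEntry(_digest("Winter05z9"), date(2005, 10, 1)),  # 243 days ago
    ]
    candidates = ["welcome", "Spring06ab", "Winter05z9",
                  "jsmith9a8", "Bluesky42", "aabbcc12", "Ab1"]
    return {p: validate_new_password(p, "jsmith", history, today)
            for p in candidates}


if __name__ == "__main__":
    for pwd, problems in demo().items():
        print(f"{pwd!r:14} {'OK' if not problems else '; '.join(problems)}")
```

Running the block shows `welcome` rejected for lacking a digit, `Spring06ab` rejected as reused inside the 180-day window, and `Winter05z9` accepted because its last use falls outside that window; the same function with `SignonPasswordPolicy(hard_to_guess=False, no_reuse_days=0)` reproduces the out-of-the-box behaviour, where only the length rule applies.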
Profile: Signon Password Failure Limit

• Default Value = 0 attempts
• Recommendation = 3 (adhere to policy)
• By default, there is no lockout after failed login attempts: This is just asking to be hacked!
• Additional Notes:
   • Implement an alert (periodic), custom workflow or report to notify security administrators of a lockout
   • FND_UNSUCCESSFUL_LOGINS
   • 11.5.10 raises a security exception workflow
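The slide recommends a periodic alert that tells security administrators when an account has hit the failure limit. The Python below is an added example of that detection logic, not code from the presenters or from Oracle: it walks sign-on records in time order, counts consecutive failures per user, resets the count on a successful sign-on, and reports the moment each user reaches the limit. The record layout (timestamp, user name, outcome) and the events themselves are constructed for this example and are not the column layout of FND_UNSUCCESSFUL_LOGINS; a real job would select the rows logged since its last run and feed them in the same shape.

```python
"""Lockout detector run over constructed sign-on records.

Added illustration of the periodic-alert idea on the slide. The record
shape is invented here (NOT the FND_UNSUCCESSFUL_LOGINS columns).
"""
from collections import defaultdict

# Constructed sample data: (timestamp, username, outcome). Successful
# sign-ons are included so the detector can reset a user's failure streak.
SAMPLE_EVENTS = [
    ("2006-06-01 08:01:10", "jsmith",   "FAIL"),
    ("2006-06-01 08:01:40", "jsmith",   "OK"),
    ("2006-06-01 08:02:05", "asmith",   "FAIL"),
    ("2006-06-01 08:02:30", "asmith",   "FAIL"),
    ("2006-06-01 08:02:55", "asmith",   "FAIL"),
    ("2006-06-01 08:03:20", "asmith",   "FAIL"),
    ("2006-06-01 09:15:00", "sysadmin", "FAIL"),
    ("2006-06-01 09:15:30", "sysadmin", "FAIL"),
    ("2006-06-01 09:16:00", "sysadmin", "OK"),
]


def detect_lockouts(events, failure_limit=3):
    """Map each locked-out user to the timestamp of the failure that
    reached the limit. Failures are counted consecutively per user; a
    successful sign-on resets the count (assumed behaviour, chosen to
    mirror the slide's recommendation of 3 attempts)."""
    streak = defaultdict(int)
    lockouts = {}
    for ts, user, outcome in sorted(events, key=lambda e: e[0]):
        if outcome == "OK":
            streak[user] = 0
            continue
        streak[user] += 1
        # Report once, at the attempt that reaches the limit.
        if streak[user] == failure_limit and user not in lockouts:
            lockouts[user] = ts
    return lockouts


def lockout_report(events, failure_limit=3):
    """Lines an alert job could mail to the security administrators."""
    return [f"LOCKOUT {user} at {ts} after {failure_limit} failed attempts"
            for user, ts in sorted(detect_lockouts(events, failure_limit).items())]


if __name__ == "__main__":
    for line in lockout_report(SAMPLE_EVENTS):
        print(line)
```

With the sample data only `asmith` is reported (the third consecutive failure at 08:02:55); `jsmith` and `sysadmin` recover with a successful sign-on before reaching the limit. Lowering `failure_limit` to 2 also flags `sysadmin`, which is the kind of tuning the "adhere to policy" note on the slide is about.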
ATG_PF.H Rollup 3 Enhancements

• Case Sensitivity in User Passwords (Better OID integration)
• Profiles Server+Responsibility Hierarchy Type (Allows profile values to be set for specific combinations of servers and responsibilities)
• Oracle User Management: Configurable User Name Policy (Validates a specified format for user names – e.g. e-mail address)
Profile: ICX:Session Timeout

• The length of time (in minutes) of inactivity in a user's form session before the session is disabled.
• Default value = none
• Recommendation = 30 (minutes)
• Also set session.timeout in zone.properties
• Available via Patch 2012308 (Included in 11.5.7, FND.E)
• Numerous other timeouts defined in Whitepaper
Minute 31 – Your Next Steps

• Be Paranoid!
• Review/Update/Create Security Processes, Procedures and Policies
• Be Proactive – Monitor Security Sources
   • Oracle Critical Patch Update
   • CPU FAQ: 237007.1
   • Quarterly Releases
Minute 31 – Your Next Steps (continued)

• Harden Operating System
• Harden Database
• Harden E-Business Suite Tech Stack
   • MetaLink Doc 189367.1 – Securing The E-Business Suite
• Internal Assessment
• Third Party Assessment
• Continuous Process Improvement
The Internal Threat is Real!

• Questions & Answers

Kevin Sheehan – kevin.sheehan@unisys.com
Randy Giefer – rgiefer@solutionbeacon.com