About ERPScan - SAP Cyber Security Solutions: ERPScan Security Monitoring Suite, 360-degree Oracle PeopleSoft Protection

About ERPScan: ERPScan and Oracle

• ERPScan researchers have been acknowledged 20+ times in quarterly Oracle patch updates since 2008

• 100+ vulnerabilities closed in total in Oracle applications:
o Oracle EBS
o Oracle PeopleSoft
o Oracle JDE
o Oracle WebLogic
o Oracle BI
o Oracle Database

Agenda

Cybersecurity trends

Business application security: ERP systems

All business processes are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in a company's ERP.

This information can include financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, fraud or insider embezzlement can be very effective when targeted at a victim's ERP system, and can cause significant damage to the business.

The challenges we face: cyber attack kill chain

The CISO responsibilities

• Network security
• Web application security
• Endpoint security
• Identity and access governance
• Threat detection and incident response
• Business application security

The first five areas are about just detecting/preventing the initial intrusion; business application security is where a real attack happens.

Why is ERP security critical?

"Enterprises need to shed outmoded concepts of SAP and Oracle enterprise application security in light of attackers that have become increasingly adept at finding high-value targets. A systematic approach to enterprise application vulnerability and security risk management is needed not only to assure that these high-value assets get the protection they require, but also to handle them with the care that their business-critical status typically demands."

Scott Crawford, Research Director, 451 Research

ERP Security

Q: What are the most critical business applications?

Q: What kind of business applications are used in your company?

Source: ERP Cybersecurity Survey 2017

Chart values: Business Intelligence (BI/BW) 36% | Supply Chain Management 32% | Product Lifecycle Management (PLM) 30% | Enterprise Asset Management (EAM) 27% | Supplier Relationship Management (SRM) 18% | Manufacturing Execution System (MES) 18%. Further chart labels without values: Microsoft Dynamics, Financial System (FL).


Notable news

How important: cyberattacks on ERP

Source: ERP Cybersecurity Survey 2017

Q: How will the number of cyberattacks against ERP Systems change within the next 2-3 years?

How can they do this?

• 2650+ vulnerabilities in all Oracle products
• 338+ vulnerabilities in Oracle PeopleSoft

Chart: Number of PeopleSoft vulnerabilities (y-axis 0 to 350)

Top 10 Oracle Vulnerabilities

• Default Database Passwords
• Default Application Passwords
• Direct Database Access
• Poor Application Security Design
• External Application Access Configuration
• Poor Patching Policies and Procedures
• Access to SQL Forms in Application
• Weak Change Control Procedures
• No Database or Application Auditing
• Weak Application Password Controls

PeopleSoft security: why hack PeopleSoft?

• Espionage: to steal financial or HR data, supplier and customer lists, or to disclose corporate secrets.

• Sabotage: to cause denial of service, counterfeit financial records and accounting data, or gain access to the technology network (SCADA).

• Fraud: to carry out false transactions or modify master data.

Challenges of securing PeopleSoft

• Complexity: complexity kills security. There are many different vulnerabilities at all levels, from network to application.

• Customization: numerous vulnerable Java Server Pages, PeopleSoft Forms, Core Services, Web Servlets and others.

• Closed nature: mostly available only inside a company (closed world).

Responsibility

Q: Who will be responsible if your ERP System is breached?

Source: ERP Cybersecurity Survey 2017

Security issues: some real hacks

Oracle PeopleSoft: typical security issues

• Default users and passwords
• Authentication bypass (decrypt Access ID)
• Data sniffing (plaintext Tuxedo protocol)
• WebLogic remote code execution
• SSO vulnerabilities (TokenChpoken)
• Vulnerable servlets

Default users: information

• In WebLogic (when PS is installed):
o system: Passw0rd (password) – main administrator
o operator: password – operator role
o monitor: password – monitor role

• In PeopleSoft:
o Before PeopleTools 8.51: password = login, e.g. PS:PS, VP1:VP1, PTDMO:PTDMO
o After PeopleTools 8.51: password = PS's password, e.g. PS:Password, VP1:Password, PTDMO:Password

• In PSIGW (PeopleSoft Integration Gateway):
o Username is usually "Administrator", password is "password"

The PS account is not protected against brute-force attacks by default.

PeopleSoft vulnerabilities: authentication bypass

• User ID – an account in the PeopleSoft application.

• Connect ID – a low-privileged account in the RDBMS.

• Access ID – a high-privileged account in the RDBMS.

Authentication process

RDBMS accounts

Some facts:

• Common Connect ID: "people"
o with password "people" / "peop1e"
o max password length is 8 chars

• Default Access ID:
o "SYSADM" for Oracle
o "sa" for MSSQL

• The Connect ID password is often the same as the Access ID password

Let's try to conduct a dictionary attack on the RDBMS

Connect ID access in RDBMS

Connect ID has:
• Access to 3 tables
• where the Access ID and its password are stored encrypted
• Is the Access ID really encrypted? NO, it's XORed
• If we have the Connect ID and network access to the RDBMS, we can get the Access ID

Solution: protecting PeopleSoft from cyberattacks

About the company: the challenge

• Current security solutions like Vulnerability Management, SIEM and Code Scanners provide very little PeopleSoft coverage

• Solutions focused only on ERP security are more effective but typically cover just one of the fields: SoD, Vulnerability Management or Code Security

• ERP security tools, in general, are oriented towards those who work with ERP systems, not towards security specialists.

ERPScan Security Monitoring Suite: 360-degree Oracle PeopleSoft Protection

Identify
• Vulnerability Management
• Customization protection
• Segregation of Duties

Remediate
• Transparent Integration
• Virtual Patching

Analyze
• Threat Map
• Trend Analysis

Architecture: how does it work

DEMO: Protecting PeopleSoft from cyberattacks

Uniqueness & benefits: the only solution for PeopleSoft protection

• 360-degree approach: SoD, Source Code, Vulnerability Management
• Identification, Analysis & Remediation of security issues
• Threat map (patent-pending)
• Module-specific checks: for HR, CRM, Finance, Campus and others
• Nonintrusive solution: implementation doesn't require any agents or modification of PeopleSoft

Conclusion

To do:
• Implement the latest CPU (Critical Patch Update)
• Configure security-relevant parameters
• Perform security audits
• Continuously monitor PeopleSoft security

Thank you

USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255

EU office: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892

[email protected]

Eugene Neyolov, Head of R&D, [email protected]

Read our blog: erpscan.com/category/press-center/blog/

Join our webinars: erpscan.com/category/press-center/events/

Subscribe to our newsletter: eepurl.com/bef7h1