Steps to Stay Secure with Security Configuration Console in Oracle E-Business Suite

Session ID: 10739

Prepared by:

Cristian Peque, Oracle Security Specialist, Onapsis, Inc.

Mike Miller, Product Architect, Onapsis, Inc.

April 8, 2019

Remember to complete your evaluation for this session within the app!

About Onapsis


Agenda

• Oracle EBS Security Resources

• What Is the Security Console

• Defining a Process and Program for Security

Oracle E-Business Suite Security Resources


Evolution of the Security Console

2017: Additional checks added

2016: Security Console launched (Doc ID 2311308.1)

2015: Security Configuration and Auditing Scripts (Doc ID 2069190.1)

2011: E-Business Suite Diagnostic Tests Catalog for 12.1.2 (Doc ID 942527.1)

Prior: Security check scripts as part of the EBS Security Guide

EBS Security Documentation

Security Guide: Appendix E

Security Configuration Scripts (Support Doc ID 2069190.1)

SQL scripts:

● Check Profile Errors - EBSCheckProfileErrors.sql

● Check Profile Warnings - EBSCheckProfileWarnings.sql

● Check Missing Profiles - EBSCheckProfileMissing.sql

● Check if new Security Features (in 12.2) are enabled - EBSCheckSecurityFeatures.sql

● Check Application Users With Default Passwords - EBSCheckUserPasswords.sql

● Check DB Users With Default Passwords - EBSCheckDBPasswords.sql

● Secure APPLSYSPUB - EBSCheckApplsyspubPrivs.sql

● Migrate to Password Hash - EBSCheckHashedPasswords.sql

● Use Secure Flag on DBC File (Implement Server Security) - EBSCheckServerSecurity.sql

● Enable Application Tier Secure Socket Layer (SSL) - EBSCheckSSL.sql

● Encrypt Credit Card Data - EBSCheckCCEncryption.sql

● Separation of Duties: Review Access To "Sensitive Administrative Pages" - EBSCheckSensitivePageAccess.sql

● Check status of 12.2 security features - EBSCheckSecurityFeatures.sql

Shell scripts:

● Validate that Forms Block Characters is set correctly - EBSCheckFormsBlockChar.sh

● Turn on ModSecurity - EBSCheckModSecurity.sh

EBS Diagnostic Scripts

What Is the Security Console


Oracle EBS Security Console

• What is it?
  – Standard functionality of EBS to provide a snapshot of security health
  – Set of High Priority security configuration checks
  – For more info, see the Security Guide Release 12.2 (E22952-22)

• How to get it?
  – Upgrade to the latest ATG_PF Release Update Pack with 12.2.6+
  – 12.1.3 backport with patch 26090737

Where Is the Security Console and What Does It Look Like?

20+ High Priority Checks

Technical notes, documentation and detailed instructions - highly technical

Checks: 1-10

Look Familiar?

Checks: 11-20

Looking for the ModSecurity setup note? See the Fusion Middleware Administrator's Guide for Oracle HTTP Server: https://docs.oracle.com/cd/E29542_01/web.1111/e10144/config_mod_sec.htm#CIHDAHJI

Checks: 21-24

Security Console: Key Design Features

● Provides a graphical user interface to existing security health check scripts

● After installation (or upgrade/patching), end-user logins are completely restricted and blocked in "Locked Down" mode
  ○ No users can access the system!

● EBS can only be "unlocked" after an admin resolves, acknowledges or mutes security issues within the Security Console
  ○ One time event

● Once "unlocked" the Security Console is available in the 'Functional Administrator' responsibility

Is it the Easy Button for Security?

How to Stay Secure As A Process


How to Stay Secure with the Security Console

• By all means
  – Read the documentation to use the security config health check scripts
  – Use the Diagnostic Utilities (additional checks for: database, SOA Gateway etc.)
  – Use the Security Console
  – Make full use of all the tools and utilities that Oracle gives you

• The question is HOW to use them
  – When they should be used
  – Who is receiving what output and information
  – Who is making what decisions

Security Is a Process

- Security is NOT provided by any one tool, team, technology or vendor

- The Security Console only looks for High Priority issues

- The process of security is continuous

- What happens to things after go-live

- People create security through discussion and decision making

- Target audience for the Security Console is not risk decision makers

- Not possible and/or feasible for the Security Console to automatically send issues to IT governance solutions such as ticket systems, GRC or SIEM solutions

- Need formal processes to continuously communicate risk to all parties: Risk, Security, Compliance and IT

- "Power checking" to "unlock" EBS does not create security

Be Curious - There Is Much More to Think About

Here are a few recommendations for securing the Oracle EBS.

Model based on Gartner's Adaptive Attack Protection (April 2018)

[Diagram labels: Continuous Monitoring, Measuring & Learning; Discover & Define; Assess & Prioritize; Prevent & Protect; Detect & Respond; Remediate & Comply]

ERP Cybersecurity Is a Continuous Process

Security Is Created by People Communicating


Onapsis Sessions At Collaborate & Visit Booth #327

Oracle E-Business Suite: Key Audit & Compliance Advantages to Running in the Cloud
Monday, April 8, 3:15 PM, GH 4TH FL Texas Salon D

Steps to Stay Secure with Security Configuration Console in Oracle E-Business Suite
Monday, April 8, 4:30 PM, GH 4TH FL Texas Salon B

Hackproofing and Protecting Oracle E-Business Suite
Wednesday, April 10, 8:00 AM, GH 4TH FL Crockett D

How to Implement Oracle Critical Patch Updates for EBS
Thursday, April 11, 10:30 AM, GH 4TH FL Seguin B