Page 1: 8_3_giefer

8/3/2019 8_3_giefer

http://slidepdf.com/reader/full/83giefer 1/26

Release 11i Workshops

30 Minute Release 11i Security… Keeping the Bad Guys Away

Session Leader: Randy Giefer, Solution Beacon

Release 11i Workshops: San Ramon, CA • Worthington, MA • Los Angeles, CA • St. Louis, MO • Orlando, FL

www.solutionbeacon.com

TRAIL to TEXAS sm

Page 2: 8_3_giefer


© 2005 Solution Beacon, LLC. All Rights Reserved.

Agenda

• Welcome
• Presenter Introduction
• Presentation Overview
• 30 Minute R11i Security
• Audience Survey
• Questions and Answers

Page 3: 8_3_giefer


30 Minute Release 11i Security “Keeping The Bad People Away”

Case Studies

• Disgruntled employee posts names, SSN, birth dates of company executives on website
• Ex-Employee Steals CRM and Financials Data and Provides to Competitor
• Employee Sells Credit History Database
• Employee Manipulates Payroll Data
• Employee Sells Email Addresses to Spammer

Page 4: 8_3_giefer


30 Minute Release 11i Security “Keeping The Bad People Away”

Q. What do all of these Case Studies have in common?

• Disgruntled Employee
• Ex-Employee Steals CRM and Financials Data
• Employee Sells Credit History Database
• Employee Manipulates Payroll Data
• Employee Sells Email Addresses to Spammer

A. A firewall didn’t help!!!

Page 5: 8_3_giefer


What Is Security?

What do you think of when someone mentions “security”?

• Physical Security
  • Three G’s (Guards, Gates, Gizmos)
• Technology Stack Security
  • Network (e.g. Firewalls)
  • Server (e.g. Antivirus)
  • Database (Auditing?)
  • Application (?)

Page 6: 8_3_giefer


What Is Security?

Network / Perimeter Security

• Firewalls
• Proxy Servers
• Encrypted Traffic

Designed to keep the external bad people out.

Who is keeping out the internal bad people?

Page 7: 8_3_giefer


Today’s Message

Internal Threats Are Real !!!

Page 8: 8_3_giefer


Fact: Internal Threats Are Real

Despite most people's fears that hackers will break into the company and destroy data or steal critical information, more often than not, security breaches come from the inside.

Page 9: 8_3_giefer


Fact: Internal Threats Are Real

Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses ...

The FBI is also seeing rampant insider hacking, which accounts for 60% to 80% of corporate computer crimes.

Page 10: 8_3_giefer


Fact: It May Happen To You

Through 2005, 20 Percent of Enterprises Will Experience a Serious Internet Security Incident – Gartner

By 2005, 60 percent of security breach incident costs incurred by businesses will be financially or politically motivated – Gartner

Are you prepared? Can you prevent becoming a statistic?

Page 11: 8_3_giefer


What Is Security?

Security is a PROCESS that occurs (or doesn’t) at multiple levels.

Security awareness at organizations varies due to:

• Organizational Tolerance
• Prior Incidents
• Business Core Function

Page 12: 8_3_giefer


Security Is A Process

“Process” means it occurs more than once!

• Processes and Procedures
• Internal and External Checks and Balances
• Regular Assessments (Focus = Improve)
  • Internal
  • Third Party
• Audits (Focus = Identify Problems)

Page 13: 8_3_giefer


What Is Applications Security?

In an Oracle Applications environment, it’s protection of information from:

• Accidental Data Loss
• Employees
• Ex-Employees
• Hackers
• Competition

Page 14: 8_3_giefer


Application Security

Part Technology, Mostly User Access

User Security

• Authentication
• Authorization
• Audit Trail

Page 15: 8_3_giefer


Application Security

Audit Trail effectiveness is almost useless if you can’t ensure:

• Individual accounts are used
• Individuals are who they say they are

Page 16: 8_3_giefer


What is 30 Minute R11i Applications Security?

Checklist to Easily Implement Two Types/Categories of Security:

• User Account Policies
• Profile Options

Quick and Easy to Implement

Low Investment / High Return Value “Big Bang for the Buck”

Page 17: 8_3_giefer


Best Practice: No Shared Accounts

• Difficult or Impossible to Properly Audit
• How Hard Is It To Guess A Username?
• Release 11i Feature to Disallow Multiple Logins Under Same Username
  • Uses WF Event/Subscription to Update ICX_SESSIONS Table
  • 11.5.8 MP
  • Patches 2319967, 2128669, WF 2.6

Page 18: 8_3_giefer


Best Practice: No Generic Passwords

• Stay Away From ‘welcome’!!!
• 11.5.10 Oracle User Management (UMX)
  • UMX – User Registration Flow
  • Select Random Password
  • Random Password Generator

Page 19: 8_3_giefer


11.5.10 Oracle User Management (UMX)

UMX leverages workflow to implement business logic around the registration process.

• Raising business events
• Provide temporary storage of registration data
• Identity verification
• Username policies
• Include the integration point with Oracle Approval Management
• Create user accounts
• Release usernames
• Assign Access Roles
• Maintain registration status in the UMX schema
• Launch notification workflows

Page 20: 8_3_giefer


Profile: Signon Password Length

Signon Password Length sets the minimum length of an Oracle Applications password value.

Default Value = 5 characters

Recommendation: At least 7 characters

Page 21: 8_3_giefer


Profile: Signon Password Hard to Guess

The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess."

Oracle defines a password as hard-to-guess if it follows these rules:

• The password contains at least one letter and at least one number.
• The password does not contain repeating characters.
• The password does not contain the username.

Default Value = No

Recommendation = Yes
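As an added example (not code from the original deck), a Python check that applies the Signon Password Length recommendation of 7 characters together with the three hard-to-guess rules above to a candidate password. Two points are assumptions of this example rather than statements of the deck: the "repeating characters" rule is read as no character immediately repeated, and the username comparison is case-insensitive.

```python
import re

# Recommended settings from the deck, applied here as the default policy
MIN_LENGTH = 7          # Signon Password Length: recommendation 7 (profile default is 5)
HARD_TO_GUESS = True    # Signon Password Hard to Guess: recommendation Yes (default is No)


def check_password(password, username, min_length=MIN_LENGTH, hard_to_guess=HARD_TO_GUESS):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if hard_to_guess:
        # Rule 1: at least one letter and at least one number
        if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
            problems.append("needs at least one letter and one number")
        # Rule 2: no repeating characters. Assumed interpretation for this example:
        # no character directly followed by itself (e.g. "aa" or "00").
        if re.search(r"(.)\1", password):
            problems.append("contains repeating characters")
        # Rule 3: must not contain the username. Compared case-insensitively here
        # (assumption), since Applications usernames are conventionally upper case.
        if username and username.lower() in password.lower():
            problems.append("contains the username")
    return problems


def is_acceptable(password, username):
    """True when the password satisfies length and hard-to-guess rules."""
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed candidates: the generic 'welcome' the deck warns about passes at
    # the profile defaults (length 5, hard-to-guess No) but fails the recommendations.
    for pwd, user in [("welcome", "OPERATIONS"), ("Tx9kR2pQ", "JSMITH"), ("jsmith2005", "JSMITH")]:
        print(pwd, "defaults:", check_password(pwd, user, min_length=5, hard_to_guess=False),
              "recommended:", check_password(pwd, user))
```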

Page 22: 8_3_giefer


Profile: Signon Password No Reuse

This profile option is set to the number of days that must pass before a user is allowed to reuse a password.

Default Value = 0 days

Recommendation = 180 days or greater

Page 23: 8_3_giefer


Profile: Signon Password Failure Limit

Default Value = 0 attempts

Recommendation = 3

By default, there is no lockout after failed login attempts. This is just asking to be hacked!

Additional Notes:

• Implement an alert (periodic), custom workflow or report to notify security administrators of a lockout
• FND_UNSUCCESSFUL_LOGINS
• 11.5.10 will raise a security exception workflow
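An added example, not part of the original deck, of the periodic lockout alert suggested above: it scans a constructed list of failed-login rows for users whose failures reach the Signon Password Failure Limit, and shows that the default limit of 0 reports nothing. The two-column row layout and the 24-hour reporting window are assumptions of this example, not the real FND_UNSUCCESSFUL_LOGINS structure.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of failed-login rows (user name, attempt time). This layout is
# an assumption for the example; replace it with rows read from FND_UNSUCCESSFUL_LOGINS.
SAMPLE_FAILED_LOGINS = [
    ("JSMITH",   "2005-06-01 08:01:10"),
    ("JSMITH",   "2005-06-01 08:01:35"),
    ("JSMITH",   "2005-06-01 08:02:02"),
    ("SYSADMIN", "2005-06-01 08:15:00"),
    ("SYSADMIN", "2005-06-01 08:15:30"),
    ("AMARTIN",  "2005-05-30 17:45:00"),  # older than a 24-hour reporting window
    ("AMARTIN",  "2005-05-30 17:45:20"),
    ("AMARTIN",  "2005-05-30 17:45:41"),
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def lockout_candidates(records, failure_limit, now, window_hours=24):
    """Return {user: failure_count} for users whose failures inside the window reach
    the Signon Password Failure Limit. A limit of 0 mirrors the profile default
    (no lockout at all), so there is nothing to report."""
    if failure_limit <= 0:
        return {}
    cutoff = now - timedelta(hours=window_hours)
    counts = Counter(user for user, ts in records if parse_time(ts) >= cutoff)
    return {user: n for user, n in sorted(counts.items()) if n >= failure_limit}


def alert_lines(candidates, failure_limit):
    """One line per flagged user, ready for a periodic alert, workflow or report."""
    return [f"LOCKOUT: {user} reached {n} failed logins (limit {failure_limit})"
            for user, n in candidates.items()]


if __name__ == "__main__":
    run_at = parse_time("2005-06-01 09:00:00")   # constructed report time
    flagged = lockout_candidates(SAMPLE_FAILED_LOGINS, 3, run_at)
    print("\n".join(alert_lines(flagged, 3)) or "no lockouts in window")
```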

Page 24: 8_3_giefer


Profile: ICX:Session Timeout

This profile option determines the length of time (in minutes) of inactivity in a user's form session before the session is disabled. Note that disabled does not mean terminated or killed. The user is provided the opportunity to re-authenticate and re-enable their timed-out session. If the re-authentication is successful, the disabled session is re-enabled and no work is lost. Otherwise, the session is terminated without saving pending work.

Page 25: 8_3_giefer


Profile: ICX:Session Timeout (cont.)

Default value = none

Recommendation = 30 (minutes)

Also set session.timeout in zone.properties

Available via Patch 2012308 (Included in 11.5.7, FND.E)

Page 26: 8_3_giefer


Wrap Up

Remember: The Internal Threat Is Real

Thanks to OAUG and to NorCal OAUG

Thank you for attending!

Randy [email protected]