Release 11i Workshops: 30 Minute Release 11i Security... Keeping the Bad Guys Away (Session Leader: Randy Giefer, Solution Beacon)

Slide 1: Release 11i Workshops
30 Minute Release 11i Security... Keeping the Bad Guys Away
Session Leader: Randy Giefer, Solution Beacon
Release 11i Workshops: San Ramon, CA; Worthington, MA; Los Angeles, CA; St. Louis, MO; Orlando, FL
TRAIL to TEXAS (sm)

© 2005 Solution Beacon, LLC. All Rights Reserved.

Slide 2: Agenda
- Welcome
- Presenter Introduction
- Presentation Overview
- 30 Minute R11i Security
- Audience Survey
- Questions and Answers

Slide 3: 30 Minute Release 11i Security "Keeping The Bad People Away"
Case Studies
- Disgruntled employee posts names, SSNs and birth dates of company executives on a website
- Ex-employee steals CRM and Financials data and provides it to a competitor
- Employee sells credit history database
- Employee manipulates payroll data
- Employee sells addresses to a spammer

Slide 4: 30 Minute Release 11i Security "Keeping The Bad People Away"
Q. What do all of these case studies have in common?
- Disgruntled employee
- Ex-employee steals CRM and Financials data
- Employee sells credit history database
- Employee manipulates payroll data
- Employee sells addresses to a spammer
A. A firewall didn't help!!!

Slide 5: What Is Security?
What do you think of when someone mentions "security"?
- Physical Security: the three G's (Guards, Gates, Gizmos)
- Technology Stack Security:
  - Network (e.g. firewalls)
  - Server (e.g. antivirus)
  - Database (auditing?)
  - Application (?)

Slide 6: What Is Security?
Network / Perimeter Security
- Firewalls
- Proxy Servers
- Encrypted Traffic
Designed to keep the external bad people out. Who is keeping out the internal bad people?

Slide 7: Today's Message
Internal Threats Are Real!!!

Slide 8: Fact: Internal Threats Are Real
Despite most people's fears that hackers will break into the company and destroy data or steal critical information, more often than not, security breaches come from the inside.

Slide 9: Fact: Internal Threats Are Real
Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses.
The FBI is also seeing rampant insider hacking, which accounts for 60% to 80% of corporate computer crimes.

Slide 10: Fact: It May Happen To You
- Through 2005, 20 percent of enterprises will experience a serious Internet security incident (Gartner)
- By 2005, 60 percent of security breach incident costs incurred by businesses will be financially or politically motivated (Gartner)
Are you prepared? Can you prevent becoming a statistic?

Slide 11: What Is Security?
Security is a PROCESS that occurs (or doesn't) at multiple levels.
Security awareness at organizations varies due to:
- Organizational tolerance
- Prior incidents
- Business core function

Slide 12: Security Is A Process
"Process" means it occurs more than once!
- Processes and procedures
- Internal and external checks and balances
- Regular assessments (focus = improve)
  - Internal
  - Third party
- Audits (focus = identify problems)

Slide 13: What Is Applications Security?
In an Oracle Applications environment, it's protection of information from:
- Accidental data loss
- Employees
- Ex-employees
- Hackers
- Competition

Slide 14: Application Security
Part technology, mostly user access.
User Security:
- Authentication
- Authorization
- Audit Trail

Slide 15: Application Security
An audit trail is almost useless if you can't ensure that:
- Individual accounts are used
- Individuals are who they say they are

Slide 16: What is 30 Minute R11i Applications Security?
A checklist to easily implement two types/categories of security:
- User account policies
- Profile options
Quick and easy to implement. Low investment / high return value. "Big bang for the buck."

Slide 17: Best Practice: No Shared Accounts
- Shared accounts are difficult or impossible to properly audit
- How hard is it to guess a username?
- Release 11i feature to disallow multiple logins under the same username
- Uses a WF event/subscription to update the ICX_SESSIONS table
- MP Patches , , WF 2.6

Slide 18: Best Practice: No Generic Passwords
Stay away from 'welcome'!!!
Oracle User Management (UMX): UMX User Registration Flow
- Select random password
- Random password generator

Slide 19: Oracle User Management (UMX)
UMX leverages workflow to implement business logic around the registration process:
- Raising business events
- Providing temporary storage of registration data
- Identity verification
- Username policies
- Integration point with Oracle Approval Management
- Creating user accounts
- Releasing usernames
- Assigning access roles
- Maintaining registration status in the UMX schema
- Launching notification workflows

Slide 20: Profile: Signon Password Length
Signon Password Length sets the minimum length of an Oracle Applications password value.
Default value = 5 characters
Recommendation: at least 7 characters

Slide 21: Profile: Signon Password Hard to Guess
The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess."
Oracle defines a password as hard to guess if it follows these rules:
- The password contains at least one letter and at least one number.
- The password does not contain repeating characters.
- The password does not contain the username.
Default value = No
Recommendation = Yes

Slide 22: Profile: Signon Password No Reuse
This profile option is set to the number of days that must pass before a user is allowed to reuse a password.
Default value = 0 days
Recommendation = 180 days or greater
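The three password profile options on slides 20 to 22 together define what a password change must pass. The following is an added example, not code from the presentation or from Oracle, that applies those rules with the recommended values and reports every violation at once, so the weak default settings can be compared side by side with the recommended ones. Two points the slides leave open are treated as assumptions: "repeating characters" is read as the same character twice in a row, and the username check is case-insensitive. The password history is compared as plain strings here only to keep the example short; a real system compares against stored hashes.

```python
"""Added example: password checks modelled on the Signon Password Length,
Signon Password Hard to Guess and Signon Password No Reuse profile options.
Not Oracle's or Solution Beacon's code."""
from datetime import date, timedelta

# Recommended values from the slides; the shipped defaults are 5 / No / 0.
SIGNON_PASSWORD_LENGTH = 7
SIGNON_PASSWORD_HARD_TO_GUESS = True
SIGNON_PASSWORD_NO_REUSE_DAYS = 180


def hard_to_guess_violations(password, username):
    """Return the 'hard to guess' rules the password breaks (empty list = passes)."""
    problems = []
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("must contain at least one letter and one number")
    # Assumption: 'repeating characters' means the same character twice in a row.
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("must not contain repeating characters")
    # Assumption: the username check is case-insensitive.
    if username.lower() in password.lower():
        problems.append("must not contain the username")
    return problems


def check_password(password, username, history, today,
                   min_length=SIGNON_PASSWORD_LENGTH,
                   hard_to_guess=SIGNON_PASSWORD_HARD_TO_GUESS,
                   no_reuse_days=SIGNON_PASSWORD_NO_REUSE_DAYS):
    """Check a proposed password against all three profile options.

    history: list of (old_password, date_set) pairs for this user.
    Returns a list of violation messages; an empty list means the change is allowed.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"must be at least {min_length} characters (got {len(password)})")
    if hard_to_guess:
        problems.extend(hard_to_guess_violations(password, username))
    if no_reuse_days > 0:
        # A value of 0 (the default) means a password may be reused immediately.
        cutoff = today - timedelta(days=no_reuse_days)
        for old, set_on in history:
            if old == password and set_on > cutoff:
                problems.append(f"reused within the last {no_reuse_days} days (last set {set_on})")
                break
    return problems


if __name__ == "__main__":
    # Constructed sample data for user 'jsmith'.
    today = date(2005, 9, 1)
    history = [("Rx7tq2w", date(2005, 5, 1))]
    for candidate in ("welcome", "Jsmith99", "abc12", "Rx7tq2w"):
        print(candidate, "->", check_password(candidate, "jsmith", history, today) or "OK")
    # Same candidate with the shipped defaults: everything passes.
    print("defaults:", check_password("abc12", "jsmith", history, today,
                                      min_length=5, hard_to_guess=False, no_reuse_days=0) or "OK")
```

Running the sample shows that 'welcome' fails only the letter-and-number rule, that a password built from the username fails two rules at once, and that a password reused 123 days after it was last set is rejected under a 180-day window but accepted once the window has passed.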

Slide 23: Profile: Signon Password Failure Limit
Default value = 0 attempts
Recommendation = 3
By default, there is no lockout after failed login attempts. This is just asking to be hacked!
Additional notes:
- Implement a (periodic) alert, custom workflow or report to notify security administrators of a lockout
- FND_UNSUCCESSFUL_LOGINS
- will raise a security exception workflow
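To make the difference between the default of 0 and the recommended limit of 3 concrete, here is an added example (not code from the presentation or from Oracle) that replays a constructed sequence of login attempts, locks an account once the limit is reached, and produces the lockout list an administrator alert or report would be built from. The attempt records are made up for the example; in a real system they would come from FND_UNSUCCESSFUL_LOGINS, whose column layout this example deliberately does not assume.

```python
"""Added example: applying a Signon Password Failure Limit to a stream of
login attempts and producing lockout notifications. Not Oracle's code."""
from collections import defaultdict

FAILURE_LIMIT = 3  # recommended value; the shipped default of 0 means no lockout

# Constructed attempt log: (timestamp, username, succeeded).
ATTEMPTS = [
    ("2005-09-13 08:01:10", "jsmith", False),
    ("2005-09-13 08:01:25", "jsmith", True),       # a success resets the counter
    ("2005-09-13 08:03:02", "apps_admin", False),
    ("2005-09-13 08:03:19", "apps_admin", False),
    ("2005-09-13 08:03:40", "apps_admin", False),  # third failure: locked
    ("2005-09-13 08:03:55", "apps_admin", True),   # correct password, but too late
    ("2005-09-13 09:15:00", "kjones", False),
    ("2005-09-13 09:15:30", "kjones", False),      # two failures: still open
]


def apply_failure_limit(attempts, limit=FAILURE_LIMIT):
    """Replay attempts in order and enforce the failure limit.

    A successful login resets the user's consecutive-failure count. Reaching
    `limit` failures locks the account; every later attempt, even with the
    right password, is rejected until an administrator unlocks it. A limit of
    0 (the default) never locks anything, which is exactly the weakness the
    slide warns about.
    Returns (locked, events): locked maps username -> lockout timestamp,
    events is the per-attempt decision log.
    """
    failures = defaultdict(int)
    locked = {}
    events = []
    for ts, user, ok in attempts:
        if user in locked:
            events.append((ts, user, "rejected: account locked"))
            continue
        if ok:
            failures[user] = 0
            events.append((ts, user, "login ok"))
            continue
        failures[user] += 1
        if limit > 0 and failures[user] >= limit:
            locked[user] = ts
            events.append((ts, user, f"LOCKED after {limit} failures"))
        else:
            events.append((ts, user, f"failed ({failures[user]}/{limit or 'no limit'})"))
    return locked, events


def lockout_report(locked):
    """Lines for the periodic alert or report the slide recommends."""
    return [f"{user} locked at {ts}: notify security administrator"
            for user, ts in sorted(locked.items())]


if __name__ == "__main__":
    locked, events = apply_failure_limit(ATTEMPTS)
    for ts, user, decision in events:
        print(ts, user, decision)
    print(*lockout_report(locked), sep="\n")
    print("with the default limit of 0, locked accounts:", apply_failure_limit(ATTEMPTS, limit=0)[0])
```

With the recommended limit only apps_admin is locked, and its later correct-password attempt is rejected; with the default limit of 0 the same sequence locks nobody, and the attacker keeps guessing.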

Slide 24: Profile: ICX:Session Timeout
This profile option determines the length of time (in minutes) of inactivity in a user's form session before the session is disabled. Note that disabled does not mean terminated or killed. The user is provided the opportunity to re-authenticate and re-enable their timed-out session. If the re-authentication is successful, the disabled session is re-enabled and no work is lost. Otherwise, the session is terminated without saving pending work.

Slide 25: Profile: ICX:Session Timeout (cont.)
Default value = none
Recommendation = 30 (minutes)
Also set session.timeout in zone.properties
Available via Patch (Included in , FND.E)
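The distinction on slides 24 and 25 between a disabled session and a terminated one is easy to get wrong, so here is an added example (not code from the presentation or from Oracle) that models a form session as a small state machine: active until the idle timeout elapses, then disabled with its pending work kept, then either re-enabled by a successful re-authentication or terminated, discarding that work. The FormSession class, its method names and the 'pending work' list are inventions for the example; the only values taken from the slides are the 30-minute recommendation and the default of no timeout.

```python
"""Added example: a model of the ICX:Session Timeout behaviour described on the
slides. Not Oracle's code; class and method names are made up here."""
from datetime import datetime, timedelta


class FormSession:
    """States: active -> disabled -> active (re-auth ok) | terminated (re-auth failed)."""

    def __init__(self, user, started, timeout_minutes=30):
        self.user = user
        # None models the shipped default: no timeout, the session is never disabled.
        self.timeout = timedelta(minutes=timeout_minutes) if timeout_minutes else None
        self.last_activity = started
        self.state = "active"
        self.pending_work = []

    def _check(self, now):
        """Move an idle active session to 'disabled' once the timeout has elapsed."""
        if self.timeout is None or self.state != "active":
            return
        if now - self.last_activity >= self.timeout:
            self.state = "disabled"  # disabled, not terminated: pending work survives

    def status(self, now):
        self._check(now)
        return self.state

    def enter(self, now, item):
        """Record unsaved work in the form; only allowed while the session is active."""
        self._check(now)
        if self.state != "active":
            raise RuntimeError(f"session is {self.state}; re-authenticate first")
        self.last_activity = now
        self.pending_work.append(item)

    def reauthenticate(self, now, password_ok):
        """Offered to the user of a disabled session. Returns the resulting state."""
        self._check(now)
        if self.state != "disabled":
            return self.state
        if password_ok:
            self.state = "active"        # re-enabled, nothing lost
            self.last_activity = now
        else:
            self.state = "terminated"    # killed, unsaved work discarded
            self.pending_work = []
        return self.state


def timed_out_session(password_ok, timeout_minutes=30):
    """Drive one session through an idle timeout and a re-authentication attempt.

    Returns (final_state, pending_work) so both outcomes can be compared.
    """
    t0 = datetime(2005, 9, 13, 9, 0)            # constructed timestamps
    s = FormSession("jsmith", t0, timeout_minutes)
    s.enter(t0 + timedelta(minutes=5), "invoice 1001 (unsaved)")
    s.status(t0 + timedelta(minutes=40))         # 35 idle minutes: disabled
    s.reauthenticate(t0 + timedelta(minutes=41), password_ok)
    return s.state, list(s.pending_work)


if __name__ == "__main__":
    print("re-auth succeeded:", timed_out_session(True))
    print("re-auth failed:   ", timed_out_session(False))
    print("no timeout set:   ", timed_out_session(True, timeout_minutes=None))
```

With the recommended 30 minutes the session is disabled after the idle gap, a successful re-authentication brings the unsaved invoice back, and a failed one terminates the session and discards it; with the default of no timeout the session simply stays active, which is why the slide recommends setting a value.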

Slide 26: Wrap Up
Remember: The Internal Threat Is Real
Thanks to OAUG and to NorCal OAUG
Thank you for attending!
Randy Giefer