Presentation is loading. Please wait.

Presentation is loading. Please wait.

Release 11i Workshops 30 Minute Release 11i Security… Keeping the Bad Guys Away Session Leader Randy Giefer, Solution Beacon Release 11i Workshops San.

Published byLester Cain Modified over 9 years ago

Similar presentations

Presentation on theme: "Release 11i Workshops 30 Minute Release 11i Security… Keeping the Bad Guys Away Session Leader Randy Giefer, Solution Beacon Release 11i Workshops San."— Presentation transcript:

1 Release 11i Workshops 30 Minute Release 11i Security… Keeping the Bad Guys Away Session Leader Randy Giefer, Solution Beacon Release 11i Workshops San Ramon, CA Worthington, MA Los Angeles, CA St. Louis, MO Orlando, FL www.solutionbeacon.com TRAIL to TEXAS sm

2 © 2005 Solution Beacon, LLC. All Rights Reserved. 2 Agenda Welcome Presenter Introduction Presentation Overview 30 Minute R11i Security Audience Survey Questions and Answers

3 © 2005 Solution Beacon, LLC. All Rights Reserved. 3 30 Minute Release 11i Security “Keeping The Bad People Away” Case Studies Case Studies  Disgruntled employee posts names, SSN, birth dates of company executives on website  Ex-Employee Steals CRM and Financials Data and Provides to Competitor  Employee Sells Credit History Database  Employee Manipulates Payroll Data  Employee Sells Email Addresses to Spammer

4 © 2005 Solution Beacon, LLC. All Rights Reserved. 4 30 Minute Release 11i Security “Keeping The Bad People Away” Q. What do all of these Case Studies have in common? Q. What do all of these Case Studies have in common?  Disgruntled Employee  Ex-Employee Steals CRM and Financials Data  Employee Sells Credit History Database  Employee Manipulates Payroll Data  Employee Sells Email Addresses to Spammer A. A firewall didn’t help!!! A. A firewall didn’t help!!!

5 © 2005 Solution Beacon, LLC. All Rights Reserved. 5 What Is Security? What do you think of when someone mentions “security”? What do you think of when someone mentions “security”?  Physical Security  Three G’s (Guards, Gates, Gizmos)  Technology Stack Security  Network (e.g. Firewalls)  Server (e.g. Antivirus)  Database ( Auditing? )  Application ( ? )

6 © 2005 Solution Beacon, LLC. All Rights Reserved. 6 What Is Security? Network / Perimeter Security Network / Perimeter Security  Firewalls  Proxy Servers  Encrypted Traffic Designed to keep the external bad people out Designed to keep the external bad people out Who is keeping out the internal bad people? Who is keeping out the internal bad people?

7 © 2005 Solution Beacon, LLC. All Rights Reserved. 7 Today’s Message Internal Threats Are Real !!! Internal Threats Are Real !!!

8 © 2005 Solution Beacon, LLC. All Rights Reserved. 8 Fact: Internal Threats Are Real Despite most people's fears that hackers will break into the company and destroy data or steal critical information, more often than not, security breaches come from the inside.

9 © 2005 Solution Beacon, LLC. All Rights Reserved. 9 Fact: Internal Threats Are Real Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses... Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses... The FBI is also seeing rampant insider hacking, which accounts for 60% to 80% of corporate computer crimes. The FBI is also seeing rampant insider hacking, which accounts for 60% to 80% of corporate computer crimes.

10 © 2005 Solution Beacon, LLC. All Rights Reserved. 10 Fact: It may Happen To You Through 2005, 20 Percent of Enterprises Will Experience a Serious Internet Security Incident – Gartner Through 2005, 20 Percent of Enterprises Will Experience a Serious Internet Security Incident – Gartner By 2005, 60 percent of security breach incident costs incurred by businesses will be financially or politically motivated – Gartner By 2005, 60 percent of security breach incident costs incurred by businesses will be financially or politically motivated – Gartner Are you prepared? Are you prepared? Can you prevent becoming a statistic? Can you prevent becoming a statistic?

11 © 2005 Solution Beacon, LLC. All Rights Reserved. 11 What Is Security? Security is a PROCESS that occurs (or doesn’t) at multiple levels. Security is a PROCESS that occurs (or doesn’t) at multiple levels. Security awareness at organizations varies due to: Security awareness at organizations varies due to:  Organizational Tolerance  Prior Incidents  Business Core Function

12 © 2005 Solution Beacon, LLC. All Rights Reserved. 12 Security Is A Process “Process” means it occurs more than once! “Process” means it occurs more than once!  Processes and Procedures  Internal and External Checks and Balances  Regular Assessments (Focus = Improve)  Internal  Third Party  Audits (Focus = Identify Problems)

13 © 2005 Solution Beacon, LLC. All Rights Reserved. 13 What Is Applications Security? In an Oracle Applications environment, it’s protection of information from: Accidental Data Loss Accidental Data Loss Employees Employees Ex-Employees Ex-Employees Hackers Hackers Competition Competition

14 © 2005 Solution Beacon, LLC. All Rights Reserved. 14 Application Security Part Technology, Mostly User Access Part Technology, Mostly User Access User Security User Security  Authentication  Authorization  Audit Trail

15 © 2005 Solution Beacon, LLC. All Rights Reserved. 15 Application Security Audit Trail effectiveness is almost useless if you can’t ensure: Audit Trail effectiveness is almost useless if you can’t ensure:  Individual accounts are used  Individuals are who they say they are

16 © 2005 Solution Beacon, LLC. All Rights Reserved. 16 What is 30 Minute R11i Applications Security? Checklist to Easily Implement Two Types/Categories of Security: Checklist to Easily Implement Two Types/Categories of Security:  User Account Policies  Profile Options Quick and Easy to Implement Quick and Easy to Implement Low Investment / High Return Value Low Investment / High Return Value “Big Bang for the Buck” “Big Bang for the Buck”

17 © 2005 Solution Beacon, LLC. All Rights Reserved. 17 Best Practice: No Shared Accounts Difficult or Impossible to Properly Audit Difficult or Impossible to Properly Audit How Hard Is It To Guess A Username? How Hard Is It To Guess A Username? Release 11i Feature to Disallow Multiple Logins Under Same Username Release 11i Feature to Disallow Multiple Logins Under Same Username Uses WF Event/Subscription to Update ICX_SESSIONS Table Uses WF Event/Subscription to Update ICX_SESSIONS Table 11.5.8 MP 11.5.8 MP Patches 2319967, 2128669, WF 2.6 Patches 2319967, 2128669, WF 2.6

18 © 2005 Solution Beacon, LLC. All Rights Reserved. 18 Best Practice: No Generic Passwords Stay Away From ‘welcome’!!! Stay Away From ‘welcome’!!! 11.5.10 Oracle User Management (UMX) 11.5.10 Oracle User Management (UMX) UMX – User Registration Flow UMX – User Registration Flow  Select Random Password  Random Password Generator

19 © 2005 Solution Beacon, LLC. All Rights Reserved. 19 11.5.10 Oracle User Management (UMX) UMX leverages workflow to implement business logic around the registration process. UMX leverages workflow to implement business logic around the registration process. Raising business events Raising business events Provide temporary storage of registration data Provide temporary storage of registration data Identity verification Identity verification Username policies Username policies Include the integration point with Oracle Approval Management Include the integration point with Oracle Approval Management Create user accounts Create user accounts Release usernames Release usernames Assign Access Roles Assign Access Roles Maintain registration status in the UMX schema Maintain registration status in the UMX schema Launch notification workflows Launch notification workflows

20 © 2005 Solution Beacon, LLC. All Rights Reserved. 20 Profile: Signon Password Length Signon Password Length sets the minimum length of an Oracle Applications password value. Signon Password Length sets the minimum length of an Oracle Applications password value. Default Value = 5 characters Default Value = 5 characters Recommendation: At least 7 characters Recommendation: At least 7 characters

21 © 2005 Solution Beacon, LLC. All Rights Reserved. 21 Profile: Signon Password Hard to Guess The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess." The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess." Oracle defines a password as hard-to-guess if it follows these rules: Oracle defines a password as hard-to-guess if it follows these rules:  The password contains at least one letter and at least one number.  The password does not contain repeating characters.  The password does not contain the username. Default Value = No Default Value = No Recommendation = Yes Recommendation = Yes

22 © 2005 Solution Beacon, LLC. All Rights Reserved. 22 Profile: Signon Password No Reuse This profile option is set to the number of days that must pass before a user is allowed to reuse a password This profile option is set to the number of days that must pass before a user is allowed to reuse a password Default Value = 0 days Default Value = 0 days Recommendation = 180 days or greater Recommendation = 180 days or greater

23 © 2005 Solution Beacon, LLC. All Rights Reserved. 23 Profile: Signon Password Failure Limit Default Value = 0 attempts Default Value = 0 attempts Recommendation = 3 Recommendation = 3 By default, there is no lockout after failed login attempts. This is just asking to be hacked! By default, there is no lockout after failed login attempts. This is just asking to be hacked! Additional Notes: Additional Notes:  Implement an alert (periodic), custom workflow or report to notify security administrators of a lockout  FND_UNSUCCESSFUL_LOGINS  11.5.10 will raise a security exception workflow

24 © 2005 Solution Beacon, LLC. All Rights Reserved. 24 Profile: ICX:Session Timeout This profile option determines the length of time (in minutes) of inactivity in a user's form session before the session is disabled. Note that disabled does not mean terminated or killed. The user is provided the opportunity to re-authenticate and re-enable their timed- out session. If the re-authentication is successful, the disabled session is re-enabled and no work is lost. Otherwise, the session is terminated without saving pending work. This profile option determines the length of time (in minutes) of inactivity in a user's form session before the session is disabled. Note that disabled does not mean terminated or killed. The user is provided the opportunity to re-authenticate and re-enable their timed- out session. If the re-authentication is successful, the disabled session is re-enabled and no work is lost. Otherwise, the session is terminated without saving pending work.

25 © 2005 Solution Beacon, LLC. All Rights Reserved. 25 Profile: ICX:Session Timeout (cont.) Default value = none Default value = none Recommendation = 30 (minutes) Recommendation = 30 (minutes) Also set session.timeout in zone.properties Also set session.timeout in zone.properties Available via Patch 2012308 Available via Patch 2012308 (Included in 11.5.7, FND.E)

26 © 2005 Solution Beacon, LLC. All Rights Reserved. 26 Wrap Up Remember: The Internal Threat Is Real Remember: The Internal Threat Is Real Thanks to OAUG and to NorCal OAUG Thanks to OAUG and to NorCal OAUG Thank you for attending! Thank you for attending! Randy Giefer rgiefer@solutionbeacon.com

Download ppt "Release 11i Workshops 30 Minute Release 11i Security… Keeping the Bad Guys Away Session Leader Randy Giefer, Solution Beacon Release 11i Workshops San."

Similar presentations

Password Security An overview. We need your help The IT department uses the latest technology and techniques to maintain the highest level of security.

Password Security An overview. We need your help The IT department uses the latest technology and techniques to maintain the highest level of security.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.

Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Information Security Policies and Standards

Information Security Policies and Standards
Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.

Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.

SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.

Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Term 2, 2011 Week 3. CONTENTS Network security Security threats – Accidental threats – Deliberate threats – Power surge Usernames and passwords Firewalls.

Term 2, 2011 Week 3. CONTENTS Network security Security threats – Accidental threats – Deliberate threats – Power surge Usernames and passwords Firewalls.

Similar presentations

Ads by Google