
Social Engineering: Defending the Weakest Link

By Scott Lavery • November 2, 2018

In today’s information security environment, great technological strides have been made in the areas of network protection, data encryption, intrusion detection, and response. However, you can’t put firewalls or IDS controls on a human being – and hackers are well aware.  This is why social engineering is both extremely ubiquitous and extremely successful.

Social engineering attacks seek to obtain malicious access to systems via manipulating human behavior to facilitate the compromise of legitimate authentication and authorization credentials.  In short, I, the hacker, will fool you into clicking a link that will send me your login information, or verbally convince you to pass along sensitive information over the phone.

We previously discussed some of the more common attacks, but in this post, I’d like to focus on some methods an organization can employ to defend against such attacks.

Education

Anti-social engineering training is one of the most effective ways to combat these attacks.  The training should focus on the current attack methods with actual examples and lessons on how to spot the illegitimate aspects of the attack.

Another key component of an effective training program is having actual members of the organization that have fallen victim to a social engineering attack share their experiences and discuss what induced them to fall for the malicious requests.

Many organizations are also employing artificial phishing campaigns as a form of training.  Utilizing a controlled attack methodology allows for identifying employees who seem to be more susceptible and may require more extensive training.

Multi-Factor Authentication

Implementing multi-factor authentication (MFA) is an effective way to protect sensitive data. Multi-factor authentication requires another level of identity validation beyond just a username and password. This is commonly applied via a text message to the user’s phone, or an approval request to an app on the user’s phone. The key is, even if a user gives up their login information, sensitive data can be further protected by requiring an additional level of authentication (one that cannot be manipulated by the hacker) for access.

Anti-Social Engineering Technologies

There are many platforms offering anti-malware, web site filtering and anti-spam capabilities.  These can help prevent phishing attacks from ever reaching a user.  And while they are effective, the attackers tend to be one step ahead of these technologies and are constantly evolving their attacks to subvert these protections.

Summary

Social engineering will remain one of the most effective ways to gain malicious access to information and systems.  While attackers are evolving their approaches, a robust training regimen and the appropriate implementation of targeted technologies can reduce a company’s exposure.

To learn more, be sure to join us on Thursday November 8th at 1 PM CST for our UPCOMING security webinar,  PeopleSoft & Social Engineering Attacks: Common Techniques & How to Prevent Them.

REGISTER TODAY!

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Social Engineering Attacks:  Exploiting the “Human Element”

By Scott Lavery • October 26, 2018

In the digital security world, social engineering is defined as the act of tricking someone into doing something that is often detrimental to themselves or others. Social engineering attacks can come in many forms: over the web, email, phone, postal mail or even in person. Attackers can be very creative in how they disguise a malicious request as a seemingly legitimate call to action. And these attacks have proven to be a very effective way for a criminal to get inside your organization.

A successful social engineering attack typically results in a hacker obtaining an individual’s trusted credentials to one or more systems. They can use those credentials to log in and snoop around for sensitive data or cause havoc in the digital network. Some of the more popular social engineering attacks include:

Phishing

Phishing emails or web sites are set up to fool a user into entering their logon credentials to attempt to log into what appears to be a trusted site (bank, credit card portal, etc.). The ‘fake’ site then captures those credentials, which can then be used to maliciously access the real site equivalents.

Over the Phone

Hackers utilize phone-based attacks by posing as representatives of tech support, customer assistance or any number of other groups to obtain login credentials under the guise of helping the individual with a ‘problem’. Often that problem is represented as a malware program that may have infected the recipient’s computer or an issue with their bank account or credit card. Another popular phone-based attack vector is a hacker posing as a debt collector, tax agency or even law enforcement in an attempt to fool the recipient into sending money.

Social Network Harvesting

A more recent social engineering attack is accomplished by setting up a ‘fake’ social network app or page (Facebook, LinkedIn, etc.) that is designed to target people who are interested in a particular subject, storyline or individual. Many celebrity fan sites, for example, are set up for this very purpose. The attacker is then able to access the individual’s contacts and other information that allows them to build out a network of potentially favorable targets.

Social engineering attacks are always evolving, so it is critical for an organization to implement an awareness training program that is maintained as new threats evolve. Education is key in helping to ensure that employees recognize these threats and don’t ‘click that link’.

In our next post we’ll discuss some other methods of combatting social engineering… Be sure to join us on Thursday November 8th at 1 PM CST for our UPCOMING security webinar, PeopleSoft & Social Engineering Attacks: Common Techniques & How to Prevent Them.

Register Today!


Appsian Customer, Hackensack Meridian Health, Honored as PeopleSoft Innovator at Oracle OpenWorld

By Scott Lavery • October 24, 2018

This week, Hackensack Meridian Health (HMH), a New Jersey-based not-for-profit health care organization (and Appsian customer) was identified as a PeopleSoft Innovator for their use of PeopleSoft Fluid UI for HCM Employee Self Service; including the successful native implementation of Appsian’s two-factor authentication solution.

With an initiative to make PeopleSoft available to their 33,000 users via the open internet, HMH began an adoption of Fluid for HCM in early 2018. A “mission critical” objective to this project was pairing Fluid with a solution that provided secure access, while also limiting the amount of clicks and passwords required for users to access PeopleSoft.

HMH turned to Duo as the selected two-factor authentication platform, but still required a solution that natively integrated into PeopleSoft to extend Duo’s functionality. Appsian’s PeopleSoft Application Security Platform was evaluated and quickly selected as the right solution to ensure HMH’s project to make PeopleSoft available to the open internet (via Fluid) was successful.

As an Innovator, Hackensack Meridian Health has been included in the new PeopleSoft Innovators section on www.peoplesoftinfo.com and was announced as an Innovator during the 2018 Oracle OpenWorld conference.

To learn more about Appsian’s solutions for PeopleSoft security, please email us at [email protected] or you can simply Request a Demo.


Appsian Name Change FAQ

By Scott Lavery • September 11, 2018

Can’t find your answer? Email us at [email protected]

Why are you changing your brand?

We are rebranding in order to position our organization as a leading security and user experience provider for PeopleSoft customers. The new name reflects our mission to make PeopleSoft exceptional and our commitment to invest in our existing software platform.

Does the new name signal a change in offering?

No. We will continue to enhance our security and UX offerings. We plan to accelerate investment in our platform and partner with Oracle to help PeopleSoft customers achieve a better ROI from their investments in PeopleSoft.

In addition, we will continue to work with our partners to ensure they reference Appsian consistently.

What does this change for our existing customers?

Nothing changes other than the name.  Our customers should expect the same great service and products as they have grown accustomed to receiving from our organization.

Will we be changing the website and email?

Yes, our new website will be Appsian.com. All of our employee email will transition from …@greyheller.com to …@stgappsian.wpengine.com.

Will the support portal be changing?

The support portal URL of https://support.appsian.com/login will continue to work, but officially the URL will change to https://support.appsian.com/login.  You will notice the branding of the portal will change to support our new name and e-mail notifications will reference the new Appsian URL. Your login ID and password will remain unchanged.

Do we need to update your existing legal contract?

No, all existing legal agreements will stay the same. If you have any specific question, please reach out to [email protected]

Does this move impact Larry Grey and Chris Heller’s roles in the company?

No, there will be no change in their roles. Chris will continue to be the CTO driving the Security and UX platform. Larry will continue to lead our solution and engineering efforts.


California Raisin’ the Bar on Data Privacy

By Scott Lavery • July 23, 2018

June was an interesting legislative month in the state of California. 

In the face of an impending ballot initiative that would’ve imposed stringent privacy rules around the retention and use of consumer data, the state legislature stepped in and drafted an alternative privacy law that, in its current form, appears to be a GDPR-lite set of regulations.

Before we discuss the components of the resulting California Consumer Privacy Act of 2018, it is interesting to speculate as to why state legislators stepped in to stop the ballot initiative.  I see three primary factors driving that decision:

1) The ballot initiative contained a provision that specifically prohibited companies from giving away applications (games, etc) in return for the right to monetize the user data of those applications (a common practice.)

2) The ballot initiative imposed draconian penalties on violators.

3) Introducing the law via legislation enables the state to evolve and clarify the bill as needed, whereas if implemented via the ballot initiative, it would be much harder to change.

I think we can safely assume that the lobbying of the tech industry led to the scuttling of the data monetization restrictions and the re-examination of penalties.  The California legislature changed the focus of the initiative to follow a version of the already implemented GDPR regulations.

So, in a first for the United States, we have the California Consumer Privacy Law of 2018, which goes into effect on January 1, 2020.

As I mentioned, the regulations are more similar to GDPR than not, but do currently leave out some of GDPR’s more stringent requirements.  The California law contains three key components (and these relate to data associated with any resident of the state of California):

  • Consumers have the right to know what information is being collected about them.
  • Consumers have the right to know why that data is being collected.
  • Consumers have the right to know who that data may be being shared with / sold to.

Many questions arise when looking at these regulations.  Primarily, what is the mechanism that a consumer can employ to obtain this information?

I believe that between now and January 1, 2020, California legislators will be working to better define the scope of the law, the associated penalties and the paths to consumer enablement.

But the law is coming, and it represents the United States’ first real comprehensive attempt to protect consumers and their private information. I fully expect more states to model similar regulations.

In our next post, we will dive into the differences between GDPR and the current form of the California law.


Ensure a successful Fluid Enablement project with PeopleUX

By Scott Lavery • July 3, 2018

With the support for PeopleSoft 9.1 ending earlier this year (Jan 2018), most PeopleSoft customers are busy upgrading to PeopleSoft 9.2. As you upgrade to v9.2, Fluid becomes the inevitable frontline UI of your PeopleSoft applications. Consequently, upgrading to Fluid is a significant investment in terms of time, effort, and skilled resources. We at GreyHeller feel that the operational disruption and added investment that come with these upgrades are an extremely worthwhile endeavor for your journey toward a modern UI for PeopleSoft HCM, CRM, Financials, SCM and more. That being said, if productivity and engagement are the benchmarks for success with a UX/UI project, shouldn’t you do everything in your power to ensure your upgrade is fully enabled?

It should be acknowledged that a lack of certain best practices can prevent you from achieving your end goal of delivering the user experience you intended – and your users have come to expect from modern applications. Here are some tips to identify indicators that can potentially have a negative impact on your efforts of achieving a flawless adoption of PeopleSoft Fluid UI:

Fluid is the future – get with it!

Before we get into the details of ensuring a successful Fluid enablement project, let’s address the most crucial question first – why is making the transition from Classic to Fluid important, and why now? The answer lies in Oracle’s announcement that the traditional Classic UI is on a retirement schedule. Oracle’s support doc ID 2238983.2 illustrates the timeline for pages that will be “desupported” at the end of each year. Since Fluid is going to be the frontier of all PeopleSoft applications upgraded to 9.2, adopting Fluid has become a necessity for organizations to stay current with PeopleSoft.

Inconsistency can prove to be the death of a positive UX

A Fluid adoption should be a project centered around your end-users. Whether you are in the middle of a Fluid adoption or haven’t embarked upon it yet, it is important to consider the specific business needs of your users carefully (i.e., how are you intending them to work and on what mobile devices.) With the end goal of a Fluid upgrade being PeopleSoft applications that are readily available on mobile devices and with a streamlined user experience – it is ultimately user engagement that will prove to be the defining benchmark for success. However, the selective roll-out schedule of Fluid pages can potentially create an inconsistent UX in the interim, as users are likely to encounter existing Classic pages throughout a workflow. The result being (despite your best intentions) a UX that fails to deliver a 100% consistent experience. After all, inconsistency can prove to be the death of a positive UX.

Fluid requires new development skills

Fluid UI uses the same architectural foundation as the Classic layout. However, building design components in Fluid requires extra development work, meaning the required acquisition of skills such as HTML, CSS, JavaScript, etc. To ensure optimum preparedness for your Fluid enablement project, you need to have developers who are well versed in PeopleTools along with these additional skills. To fulfill project requirements, you can choose to invest your time and money in training existing team members or (like most organizations) you can hire new resources. However, the time spent in acquiring skilled resources can slow down the progress of your Fluid enablement project.

Consider the diversity and abundance of mobile devices.

A myriad of mobile devices are released every year, all with different screen sizes and resolutions. To accommodate all the available device variables, your UI needs to be responsive. A truly responsive UI is the most critical parameter in mobilizing an application, allowing it to fit perfectly on any form factor. Fluid is an adaptive UI, which means that it was designed to fit a predetermined set of form factors, i.e., small, medium, large and extra-large. Since there’s an abundance of mobile devices available on the market, and each one of them comes with different display standards, the pre-set form factors might not display content cleanly on every available screen.

How you can make Fluid UI exceptional with PeopleUX

PeopleUX by GreyHeller delivers a fully responsive and consistent user experience regardless of your current version of PeopleSoft. No matter what your upgrade status or your underlying UI (Classic/Classic Plus or Fluid), PeopleUX re-renders the existing HTML without impacting the original PeopleCode – creating a user experience that is visually engaging and uniform throughout the application. PeopleUX optimizes workflows with usability and intuition in mind, allowing users to execute transactions quickly and efficiently without requiring any additional training or technical support.

A seamless and consistent user experience allows users to be more productive no matter where they work or what device they use. The best part – PeopleUX can be implemented in a short span of time (60-90 days*) without any operational disruption or intermittent inconsistency. Lastly, PeopleUX saves you time and boosts Fluid adoption project ROI by eliminating the need to hire or train developers!

Interested to know more about making the Fluid experience truly exceptional? Request a free demo to speak to a PeopleSoft user experience specialist today, or write to us at [email protected]

As a BONUS opportunity – join us on Wednesday July 18th for our latest webinar where you can see for yourself how you can ensure a successful Fluid adoption – Register Today!


PeopleSoft and GDPR: Accelerate Breach Detection and Remediation

By Scott Lavery • June 25, 2018

The European Union’s General Data Protection Regulation (GDPR) came into effect on May 25th, 2018 and made a far-reaching impact on how organizations record, manage and process the personal data of European citizens. As an organization leveraging PeopleSoft, you house personally identifiable information (PII) on hundreds of pages, making your PeopleSoft applications a crucial variable in sustaining GDPR compliance. Even though the security of your PeopleSoft applications has always been your priority, GDPR just upped the ante! Non-compliance with several clauses in GDPR can potentially knock out significant profit margins – 4% of global revenue or € 20 million, to be precise.

Discover a data breach? The clock is NOW ticking!

Imagine all the chaos a data breach brings – the investigation, remediation, financial liabilities, and the overwhelming task of drafting an internal and external communication plan. The timeline of this process was previously driven by your organization – now that GDPR is in effect, communications with affected parties and relevant regulatory agencies all must be completed before the GDPR hourglass empties, i.e., in 72 hours. GDPR’s mandate is a clear message that the ‘wait and see’ approach that organizations could once get away with is no longer going to work! To establish compliance with GDPR, organizations need to evaluate all possible means that data can be breached, leaked, or manipulated and focus on equipping their PeopleSoft applications with internally layered security features, most specifically enhanced logging, in an effort toward being proactive rather than reactive.

Step 1 to GDPR compliance is getting to know your data

Your PeopleSoft applications are inherently built with robust security features, but modern threats demand data security be taken beyond the standard User ID/Password model. Under GDPR, more PII translates to more liability. Therefore, it’s crucial that organizations:

  • Establish measures to track the lifecycle of sensitive data in their PeopleSoft applications
  • Define control protocols on how and by whom PII is accessed
  • Limit unnecessary exposure of sensitive information

For access controls to be effective, each user’s activity and transaction data must be available for tracking and monitoring by security teams so they can identify and remediate a breach effectively and efficiently.

High-level logging is NOT enough

Unfortunately, out-of-the-box PeopleSoft applications are only capable of high-level logging (login and log out instances), and that information is not sufficient for identifying what specific data fields may be compromised, who has viewed it, and when a user may have viewed specific data. This context is necessary for piecing together the narrative for effectively remediating a breach, and thus, making the initial steps towards complying with GDPR.

How GreyHeller’s Application Security Platform can solve the challenge

The key to preparing your PeopleSoft applications for GDPR is equipping them with advanced and robust security measures, that not only help you prevent a breach but allow you to detect and react to it promptly. With GreyHeller’s Application Security platform (ASP) organizations can effectively control the unwanted exposure of PII and accelerate breach detection and remediation. ASP enables security teams to gain maximum influence over what data is accessed, by whom, and how it is used.

Record each transaction as it happens

Designed to log field-level transaction activity, ASP provides you with all the details you need to identify a data breach in time and fulfill the requirements imposed by GDPR. The logging features record all transactions within PeopleSoft on a granular level, providing information on what data was accessed, where it was accessed from, the user IDs and IP addresses affected, and more.

Seeing is believing

The ASP also features an integrated analytics extension that uses the enhanced logging data to populate and display access activity on engaging dashboards. Comprising elegant charts, graphs, and maps, these dashboards can be grouped by usage patterns, access trends, geographical locations, etc. to gain a holistic picture of user activity in a single view. The dashboards are equipped with deep drill-down capabilities, allowing security teams to investigate the activity thoroughly and perform root-cause analysis.

We are here to answer any questions you may have – Get a free security consultation for GDPR compliance today or write to us at [email protected].


Best Practices for Approaching Oracle Cloud Applications – March 29th Gartner Report

By Scott Lavery • May 8, 2018

Gartner recently released a report addressing the speculations around Oracle’s on-premise and cloud ERP applications. Focusing on Oracle ERP customers’ frequently asked questions, the report is aimed at helping CIOs make informed decisions on whether Cloud applications are a viable replacement for their on-premises suites. Here are the most important takeaways and highlights from the report:

On-premises ERP suites are not at the “end-of-life” stage.

From thousands of client interactions, Gartner concluded that Oracle’s ERP customers are unsure about Oracle’s commitment to its on-premises suite. To put their doubts to rest, Gartner highlighted several factors that reiterate Oracle’s continued investment in their on-premise applications:

Revenue from on-premise applications remains strong

“Oracle’s on-premises suites are not at the end-of-life stage” assures Gartner. “Oracle receives the majority of its software license revenue from customers paying for maintenance, and new sales of its on-premises products,” (68% and 65% in 2016 & 2017 respectively). According to Oracle’s co-founder Larry Ellison, “Oracle spends over $5 billion per year on research and development (R&D) and continues to invest in all its on-premises application products.”

Fluid symbolizes the future for (on-premise) PeopleSoft 

Specific to PeopleSoft, the report mentions that the “…extended Support timeline for PeopleSoft is stated through at least 2027,” and with the launch of enhancement features such as Fluid UI for PeopleSoft, Oracle continues to demonstrate its continued investment in their existing on-premise ERP applications.

Best Practice: Map Your Business Requirements Against the Maturity of Oracle’s Cloud Applications

According to Gartner, Oracle’s cloud applications are the inevitable future of ERP functions, but having been released on different timetables, the cloud applications have differing levels of maturity and may not (at this time) offer true parity with Oracle’s legacy, on-premise suite. As a best practice, Gartner recommends that decision-makers consider the development roadmap of the respective cloud applications and avoid confusing the desire to source a new technology with the objective of fulfilling a specific business requirement. In other words, “a full ‘rip and replace’ of your current applications may not be your best option.” Gartner goes on to urge customers to map business requirements carefully against the maturity of Oracle’s cloud applications and ensure that present-day business objectives can be met so costly and unexpected change management can be avoided. In addition, the report offers a detailed outline of various situations and the subsequent appropriate actions for ERP customers using Oracle’s on-premise suites.

Best Practice: “Take the postmodern approach”

Gartner emphasizes that the decision to move to the cloud must be based solely on the value proposition cloud applications offer over existing on-premises applications. While talking about moving to Cloud applications “as part of a business transformation initiative” Gartner asks decision makers to be aware of “the risks and limitations of recent releases.” Instead of a complete “rip and replace” Gartner suggests a “postmodern approach,” where an organization could decide to replace only parts of their on-premises footprint. Gartner also advises Oracle customers to not “assume that the level of expertise that exists for application support and implementation services for on-premises suites also exists for cloud applications.”

Summary

As stated above, while the future appears to be headed towards the cloud, the fact remains that a “look before you leap” approach is recommended. A cloud migration project must begin with a thorough evaluation of your business objectives in order to ensure proper alignment between the cloud technology you are adopting and the expected results. Change management can add significant cost and disruption to a project, and while complete elimination of change management is impossible, the more evaluation you undergo prior to the start of a migration project, the more likely you are to avoid “budget busting” surprises.

So, consider the postmodern approach – what objectives do you need to achieve today vs. what do you need to achieve 5 years from now? Are there specific ERP functions that are working just fine today? If not, are there lightweight optimizations that can be done in the meantime to enhance current functionality? Gartner recommends a postmodern approach in order to avoid a scenario where you go “all in” on the cloud and are left to address an unexpected mess.

Appsian is here to help you make PeopleSoft exceptional. Email us at [email protected] and let us know how PeopleSoft can be working better for you today!       

Access the full version of the report HERE


Universities are wasting $60K/mo. (avg.) by NOT having a SAML Single Sign On for PeopleSoft

By Scott Lavery • May 3, 2018

Did you know that…

A *2014 Forrester study of a major US-based university showed that over 50% of user password resets could not be completed via self-service, resulting in approximately 890 calls to support per month (avg.)

  • The study further concluded that “the average help desk labor cost for a single password reset is about $70.”
  • 890 calls to support each month means IT is wasting $62,300 each month, resetting and troubleshooting user password issues

View Data Sheet

*https://solutionsreview.com/identity-management/forrester-passwords-are-here-to-stay-heres-how-to-deal-with-it/
