On November 5, 2014, OHUG sponsored the webinar: GreyHeller and Fluid UI– The Best of Both Worlds.

GreyHeller’s Responsive Design technology for Mobile and Desktop has been very well received by PeopleSoft customers. PeopleTools 8.54 Fluid UI makes PeopleSoft 9.2 pages responsive for Mobile and Desktop. GreyHeller’s Responsive Design technology has been built to be complementary to Fluid UI.

To see a recording of the demo, please visit:  http://ohug.org/p/do/si/topic=82&type=0

Ethical Hackers at Rhino Security Labs released information about serious security holes within Oracle applications this week. Millions of records were at risk across numerous state and federal agencies, colleges and ports.

There are several causes of an event like this. Lax security and poor change control policies are at the forefront. Isn’t it time to stop “hoping” that you do not get hacked? Utilizing the ERP Firewall for multi-factor authentication could have stopped access like this before it started.

Oracle released the patch for this issue more than two years ago. Two years and it is still an issue in production systems around the world. Maintenance and security go hand in hand. If your organization cannot stay current on maintenance – then you owe it to you customers to implement the ERP Firewall to protect their data. If your organization stays current with maintenance you still owe your customers the same protection level of the ERP Firewall.

As the article states, “This is somewhat bigger than, than some of the major data breaches we’ve seen in the credit card industry,” said Caudill. “Even though there’s many fewer records here, only a few million, we’re talking about Social Security numbers, date of births, everything you need for identity theft, as opposed to credit card theft.”

Securing your applications is not an option it is mandatory. Make the call today, because it is not just your job your saving it is your identity.

June phishing attacks accounted for over $400 million in global losses. 57% of global phishing attacks are targeted at the U.S.

The attacks in June were a 43% increase over May attacks.

Protect your systems before it is too late.

A Russian crime ring has collected over 1.2 billion user names and passwords. The statistics within this breach are stunning. 420,000 websites, 4.5 billion records, 542 million unique email addresses.

According to the article – most of the sites are still vulnerable to the hacker’s exploits. The hackers used SQL injection attacks to gain access to this data.

The average breach cost increased 15% last year from $3.1 million to $3.5 million. These costs will continue to rise for the foreseeable future.

As a consumer, create unique user ids and passwords for EVERY site you use. Use an algorithm to make them easy to remember and make them long. An example might be concatenating two of your favorite things together with something separating them. $k11n6Fb$n0wB0@rd1ng! for example. Other techniques can be found

As a company, stay on the offensive. Mine your logging data, keep your defenses up to date, insist on tough security protocols over convenience and do not assume you are safe.

Homeland Security issued a new report warning about hackers attacking remote access software. Checking in from home leaves entry for hackers. Victims of these attacks include Target, P. F. Chang’s, Neiman Marcus, Michaels, Sally Beauty Supply, and Goodwill Industries International, the nonprofit agency that operates thrift stores around the country.

The report recommends….making two factor authentication the status quo.

Seattle University got caught with scanned images on an internal drive without permissions. Seattle University donor checks exposed. Incorrect permission settings on an internal drive made it possible for anyone with a Seattle University computer account to view the information.

Two-factor authentication invoked upon accessing the drive would have prevented unauthorized access without first passing a two-factor challenge

Top 10 Data Breaches of the Past Five Years
(Infographic)
By TSC Advantage, Holistic Security Consultancy

Kevin R. Brock, a leading cybersecurity expert and the FBI’s former Principal Deputy Director, National Counterterrorism Center and Assistant Director for Intelligence, in a recent Forbes article stated –

“The impacts of cyber intrusions and disruptions are much greater and often devastatingly public—bringing to bear significant risk to company reputation, shareholder value and creating an entire new set of liabilities. Historically, the management of this risk has been delegated down in the organization. Current studies still show that upper management in most companies is rarely briefed on cyber threats.”

When working with PeopleSoft customers to help them understand their security risks, we often find that these organizations believe they are better protected than they actually are.

Our advice? Stop being reactive. Be proactive.

Correct preparation makes incidents far easier to resolve.  Detailed and specific event-driven logging can alleviate some of the frustrations.   Within the PeopleSoft application stack, it is often difficult to understand what users are doing after the fact.  Sometimes effective dated pages make that easier, but nothing can replace a great logging solution.

Case in point….a user gets phished and the attacker then impersonates that user to update data within the PeopleSoft application.  It might be easy to see the one row the attacker updated, but what about the data the attacker just looked at?  How would you like to definitively answer what that attacker did?

Correct preparation would give you these answers – all the components, pages, and records that attacker saw.  Yes, that’s right – know what the attacker accessed.   Correlate by times, IP address or other information that you choose to log. 

How about another scenario in which a professor travels abroad, accesses their personal data and updates an address? Later on in the day the organization is attacked from the country visited. The security staff at the University wants validation of the transaction(s).  With the right logging this is an easy question to definitively answer – a quick resolution to a false positive.

Detailed, specific, event driven, customizable logging designed for your business processes greatly simplifies incident response.

The costs of resolving an incident continue to increase.

Our advice? Minimize the risks by being proactive with your security.

Organizations seek protection of their Oracle PeopleSoft applications from cybercrime

San Ramon, California – July 15, 2014

Today, GreyHeller announced the hiring of Greg Wendt as the Executive Director of Security Solutions to further develop GreyHeller’s security products suite and to work directly with Oracle’s PeopleSoft customers to protect their sensitive data from cybercrime. In his role, Wendt will assume oversight of the security platform and operations, with responsibility for product and customer solutions. “I believe Oracle’s PeopleSoft is the best ERP system on the planet. I’ve worked with the platform since 2009 and with GreyHeller since 2011 when we implemented GreyHeller’s mobile and security systems at TCU. GreyHeller is well positioned to help organizations extend their investment in PeopleSoft,” said Greg.

Wendt is a recognized leader in PeopleSoft application architecture, data security and business operations and comes to GreyHeller with more than 17 years of experience. Greg has held top technology positions at industry-leading organizations, including RadioShack and Texas Christian University (TCU). “Greg has extensive experience as a PeopleSoft security expert. Together, we understand what is needed to help protect PeopleSoft users from cybercrime. We expect to establish GreyHeller’s security software suite as the de facto standard for protecting customers’ PeopleSoft systems,” stated Hendrix Bodden, GreyHeller’s CEO.

Wendt led implementations and PeopleSoft upgrades at TCU and RadioShack and the implementation of GreyHeller at TCU. He served as the Chairman of HEUG Tag (Technical Advisory Group), an international organization consisting of Higher Education institutions that use Oracle application software and helps guide its members on product strategy. As a certified ethical hacker, Greg has taught numerous criminal justice and cyber security courses focusing on hacking techniques. “I look forward to helping PeopleSoft customers understand their security risks and to developing tools to resolve these risks. Cyber criminals have figured out that ERP systems store as much sensitive information as do banks. I am honored to join GreyHeller in its mission to protect PeopleSoft customers from criminal breach,” said Wendt.

Trademarks

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.